Crash course on SSL/TLS
Ran Canetti, December 2009 (based on slides by Jörg Schwenk)
SSL
- De facto standard for client-server security.
- IETF RFC: The TLS Protocol Version 1.0 (RFC 2246).
- All commodity browsers support SSL.
- Open implementations (e.g. SSLRef, SSLPlus, SSLava, SSLeay, openSSL, modSSL).
SSL/TLS Framework (layer diagram)
- Application layer: HTTP(S).
- Handshake protocol (key exchange), Change Cipher Spec protocol, Application Data protocol, Alert protocol.
- Record Layer (data encryption/authentication).
- TCP.
SSL/TLS: ciphersuites (key exchange algorithm / certificate type / ServerKeyExchange / ClientKeyExchange / description)

RSA: certificate type RSA encryption; ServerKeyExchange: no; ClientKeyExchange: encrypted premaster secret. Client encrypts the premaster secret with the server's public key.

RSAExport (>512 bit): certificate type RSA signing; ServerKeyExchange: yes (ephemeral 512-bit RSA key); ClientKeyExchange: encrypted premaster secret. Client encrypts the premaster secret with the server's ephemeral public key.

DHE-DSS: certificate type DSS signing; ServerKeyExchange: yes (g^s mod p); ClientKeyExchange: g^c mod p. Diffie-Hellman key exchange; the server signs (g^s mod p) with a DSS signature.

DHE-RSA: certificate type RSA signing; ServerKeyExchange: yes (g^s mod p); ClientKeyExchange: g^c mod p. Diffie-Hellman key exchange; the server signs (g^s mod p) with an RSA signature.

DH-DSS: certificate type signed DH, using a DSS signature; ServerKeyExchange: no (g^s mod p is in the server certificate); ClientKeyExchange: g^c mod p. Diffie-Hellman key exchange with the server's static DH exponent.

DH-RSA: certificate type signed DH, using an RSA signature; ServerKeyExchange: no (g^s mod p is in the server certificate); ClientKeyExchange: g^c mod p. Diffie-Hellman key exchange with the server's static DH exponent.
TLS Renegotiation
The spec allows a party (either I or R) to initiate a change-cipher procedure by sending a special message, authenticated under the current session key. As a result, a new key is negotiated from scratch. There is no binding between the old and new keys; these are two independent sessions. Still, the two sessions appear to applications as the same stream. Consequently, it is possible to attack the protocol:
TLS Renegotiation attack (diagram: Client, Attacker, Server)
There is much work currently being done at the IETF on how to fix the protocol. This is a great example of the importance of modeling and proof in practical crypto.
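To make the "no binding between old and new keys" point concrete, here is an added toy model of the server-side connection state (not code from the slides or from any TLS implementation): in unbound mode any fresh handshake is accepted as a continuation of the existing application stream, while in bound mode the renegotiating peer must present the previous handshake's verify_data, the idea behind the IETF fix later published as RFC 5746. The verify_data function is an assumed HMAC stand-in for the TLS Finished PRF, and the transcripts and secrets are constructed sample values.

```python
import hashlib
import hmac
import os

def verify_data(master_secret: bytes, transcript: bytes) -> bytes:
    # Stand-in for the Finished-message value: ties a handshake transcript to
    # the key it produced. A plain HMAC here, not the real TLS PRF (assumption).
    return hmac.new(master_secret, transcript, hashlib.sha256).digest()[:12]

class Connection:
    """Toy server-side view of one TLS connection (added model, not from the slides)."""
    def __init__(self, bind_renegotiation: bool):
        self.bind = bind_renegotiation
        self.master_secret = None   # key of the current session
        self.prev_verify = b""      # verify_data of the last completed handshake
        self.app_stream = b""       # the single stream the application sees

    def handshake(self, peer_secret: bytes, transcript: bytes,
                  claimed_prev_verify: bytes = b"") -> bool:
        # A renegotiation replaces the key "from scratch". With binding on, the
        # peer must also prove it completed the previous handshake on this very
        # connection by presenting that handshake's verify_data.
        if self.bind and self.master_secret is not None:
            if not hmac.compare_digest(claimed_prev_verify, self.prev_verify):
                return False        # not bound to the old session: reject
        self.master_secret = peer_secret
        self.prev_verify = verify_data(peer_secret, transcript)
        return True

    def receive(self, data: bytes) -> None:
        self.app_stream += data     # old and new session look like one stream

def splice_scenario(bind: bool):
    """Session A is established and sends data; then a handshake by a party that
    never completed session A is presented as a renegotiation of A."""
    conn = Connection(bind)
    conn.handshake(os.urandom(32), b"transcript-A")
    conn.receive(b"data from session A;")
    # The new peer knows nothing of session A, so it has no previous verify_data.
    accepted = conn.handshake(os.urandom(32), b"transcript-B")
    if accepted:
        conn.receive(b"data from session B;")
    return accepted, conn.app_stream

def legitimate_renegotiation(bind: bool) -> bool:
    """The same peer renegotiates: it knows the previous verify_data, so it passes."""
    conn = Connection(bind)
    conn.handshake(os.urandom(32), b"transcript-A")
    return conn.handshake(os.urandom(32), b"transcript-A2",
                          claimed_prev_verify=conn.prev_verify)
```

In unbound mode the application stream contains both sessions' data with no indication that the key changed; in bound mode the unrelated handshake is rejected and only session A's data reaches the application.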