We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byLilly Hubert
Modified over 2 years ago
SSL Prof. Ravi Sandhu
2 © Ravi Sandhu CONTEXT Mid to late 90’s SSL 1.0 never released SSL 2.0 flawed SSL 3.0 complete redesign TLS from Netscape to IETF Competitors SET backed by credit card companies S-HTTP (as opposed to https) IPSEC backed by IETF committees SSH for secure remote access to Unix hosts
3 © Ravi Sandhu CRYPTOGRAPHIC SERVICES Confidentiality Encryption leaks profusely via side channels Authentication + Integrity No point having one without the other Non-repudiation Requires asymmetric cryptography
4 © Ravi Sandhu SYMMETRIC KEY ENCRYPTION Encryption Algorithm E Decryption Algorithm D Plain- text Plain- text Ciphertext INSECURE CHANNEL K K Symmetric Key shared by A and B CONFIDENTIAL AND AUTHENTICATED CHANNEL A A B B
5 © Ravi Sandhu SYMMETRIC KEY AUTHENTICATION MAC Algorithm M Verification Algorithm V Plain- text Yes/No Plaintext + MAC INSECURE CHANNEL K A A B B K MAC: Message Authentication Code CONFIDENTIAL AND AUTHENTICATED CHANNEL
6 © Ravi Sandhu ASYMMETRIC KEY ENCRYPTION Encryption Algorithm E Decryption Algorithm D Plain- text Plain- text Ciphertext INSECURE CHANNEL B's Public Key B's Private Key AUTHENTICATED CHANNEL A A B B
7 © Ravi Sandhu ASYMMETRIC KEY DIGITAL SIGNATURES Signature Algorithm S Verification Algorithm V Plain- text Yes/No Plaintext + Signature INSECURE CHANNEL A's Private Key A's Public Key AUTHENTICATED CHANNEL A A B B
8 © Ravi Sandhu SPEED OF ASYMMETRIC KEY VERSUS SYMMETRIC KEY Asymmetric key runs 2-3 orders of magnitude slower than symmetric key This large difference in speed is likely to remain independent of technology advances
9 © Ravi Sandhu MESSAGE DIGEST message digest algorithm original message no practical limit to size message digest 160 bit easyhard sign the message digest not the message
10 © Ravi Sandhu CHALLENGE RESPONSE AUTHENTICATION HOST WORK STATION NETWORK User ID Challenge Response
11 © Ravi Sandhu PUBLIC-KEY CERTIFICATES authenticated distribution of public- keys public-key encryption sender needs public key of receiver public-key digital signatures receiver needs public key of sender public-key key agreement either one or both need the other’s public key
12 © Ravi Sandhu X.509v1 CERTIFICATE authenticated distribution of public-keys VERSION SERIAL NUMBER SIGNATURE ALGORITHM ISSUER VALIDITY SUBJECT SUBJECT PUBLIC KEY INFO SIGNATURE
13 © Ravi Sandhu X.509v1 CERTIFICATE 1 1234567891011121314 RSA+MD5, 512 C=US, S=VA, O=GMU, OU=ISE 9/9/99-1/1/1 C=US, S=VA, O=GMU, OU=ISE, CN=Ravi Sandhu RSA, 1024, xxxxxxxxxxxxxxxxxxxxxxxxx SIGNATURE
14 © Ravi Sandhu CRL FORMAT SIGNATURE ALGORITHM ISSUER LAST UPDATE NEXT UPDATE REVOKED CERTIFICATES SIGNATURE SERIAL NUMBER REVOCATION DATE
15 © Ravi Sandhu X.509 CERTIFICATES X.509v1 very basic X.509v2 adds unique identifiers to prevent against reuse of X.500 names X.509v3 adds many extensions can be further extended
16 © Ravi Sandhu CERTIFICATE TRUST how to acquire public key of the issuer to verify signature whether or not to trust certificates signed by the issuer for this subject
17 © Ravi Sandhu SINGLE ROOT CA MODEL Root CA abcdefghijklmnop Root CA User
18 © Ravi Sandhu SINGLE ROOT CA MULTIPLE RA’s MODEL Root CA abcdefghijklmnop Root CA UserRA UserRA UserRA
19 © Ravi Sandhu MULTIPLE ROOT CA’s MODEL Root CA abcdefghijklmnop Root CA User Root CA Root CA Root CA User Root CA User
20 © Ravi Sandhu MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL X Q A R ST CEGIKMO abcdefghijklmnop ESTABLISHED BROWSER MODEL
21 © Ravi Sandhu SECURE ELECTRONIC TRANSACTIONS (SET) CA HIERARCHY Root Brand Geo-Political BankAcquirer CustomerMerchant
22 © Ravi Sandhu THE CERTIFICATE TRIANGLE user attributepublic-key X.509 identity certificate X.509 attribute certificate SPKI certificate
23 © Ravi Sandhu SSL SERVICES peer entity authentication data confidentiality data authentication and integrity compression/decompression generation/distribution of session keys integrated into protocol security parameter negotiation
24 © Ravi Sandhu SSL ARCHITECTURE SSL Record Protocol TCP IP SSL Handshake Protocol SSL Change Cipher Spec Protocol SSL Alert Protocol HTTP Other Application Protocols
25 © Ravi Sandhu APPLICATION PORTS https443 ssmtp465 snntp563 sldap636 spop3995 ftp-data889 ftps990 imaps991 telnets992 ircs993
26 © Ravi Sandhu SSL ARCHITECTURE Handshake protocol: complicated embodies key exchange & authentication 10 message types Record protocol: straightforward fragment, compress, MAC, encrypt Change Cipher Spec protocol: straightforward single 1 byte message with value 1 could be considered part of handshake protocol Alert protocol: straightforward 2 byte messages 1 byte alert level- fatal or warning; 1 byte alert code
27 © Ravi Sandhu SSL SESSION SSL session negotiated by handshake protocol session ID chosen by server X.509 public-key certificate of peer possibly null compression algorithm cipher spec encryption algorithm message digest algorithm master secret 48 byte shared secret is resumable flag can be used to initiate new connections each session is created with one connection, but additional connections within the session can be further created
28 © Ravi Sandhu SSL CONNECTION STATE connection end: client or server client and server random: 32 bytes each keys generated from master secret, client/server random client_write_MAC_secretserver_write_MAC_secret client_write_keyserver_write_key client_write_IVserver_write_IV compression state cipher state: initially IV, subsequently next feedback block sequence number: starts at 0, max 2 64 -1
29 © Ravi Sandhu SSL CONNECTION STATE 4 parts to state current read state current write state pending read state pending write state handshake protocol initially current state is empty either pending state can be made current and reinitialized to empty
30 © Ravi Sandhu SSL RECORD PROTOCOL 4 steps by sender (reversed by receiver) Fragmentation Compression MAC Encryption
31 © Ravi Sandhu SSL RECORD PROTOCOL each SSL record contains content type: 8 bits, only 4 defined change_cipher_spec alert handshake application_data protocol version number: 8 bits major, 8 bits minor length: max 16K bytes (actually 2 14 +2048) data payload: optionally compressed and encrypted message authentication code (MAC)
32 © Ravi Sandhu SSL HANDSHAKE PROTOCOL initially SSL session has null compression and cipher algorithms both are set by the handshake protocol at beginning of session handshake protocol may be repeated during the session
33 © Ravi Sandhu SSL HANDSHAKE PROTOCOL Type: 1 byte 10 message types defined length: 3 bytes content
34 © Ravi Sandhu SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol
35 © Ravi Sandhu SSL HANDSHAKE PROTOCOL Phase 1: Establish security capabilities Phase 2: Server authentication and key exchange Phase 3: Client authentication and key exchange Phase 4: Finish
36 © Ravi Sandhu SSL 1-WAY HANDSHAKE WITH RSA Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol
37 © Ravi Sandhu SSL 2-WAY HANDSHAKE WITH RSA Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol
38 © Ravi Sandhu SSL HANDSHAKE PROTOCOL these 9 handshake messages must occur in order shown optional messages can be eliminated 10th message explained later hello_request message change_cipher_spec is a separate 1 message protocol functionally it is just like a message in the handshake protocol
39 © Ravi Sandhu SSL HANDSHAKE PROTOCOL
40 © Ravi Sandhu SSL HANDSHAKE PROTOCOL hello_request (not shown) can be sent anytime from server to client to request client to start handshake protocol to renegotiate session when convenient can be ignored by client if already negotiating a session don’t want to renegotiate a session client may respond with a no_renegotiation alert
41 © Ravi Sandhu SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol
42 © Ravi Sandhu SSL HANDSHAKE: PHASE 1 ESTABLISH SECURITY CAPABILITIES client hello 4 byte timestamp, 28 byte random value session ID: non-zero for new connection on existing session zero for new connection on new session client version: highest version cipher_suite list: ordered list compression list: ordered list
43 © Ravi Sandhu SSL HANDSHAKE: PHASE 1 ESTABLISH SECURITY CAPABILITIES server hello 32 byte random value session ID: new or reuse version lower of client suggested and highest supported cipher_suite list: single choice compression list: single choice
44 © Ravi Sandhu SSL HANDSHAKE: PHASE 1 ESTABLISH SECURITY CAPABILITIES cipher suite key exchange method RSA: requires receiver’s public-key certificates Fixed DH: requires both sides to have public-key certificates Ephemeral DH: signed ephemeral keys are exchanged, need signature keys and public-key certificates on both sides Anonymous DH: no authentication of DH keys, susceptible to man-in-the-middle attack Fortezza: Fortezza key exchange we will ignore Fortezza from here on
45 © Ravi Sandhu SSL HANDSHAKE: PHASE 1 ESTABLISH SECURITY CAPABILITIES cipher suite cipher spec CipherAlgorithm: RC4, RC2, DES, 3DES, DES40, IDEA, Fortezza MACAlgorithm: MD5 or SHA-1 CipherType: stream or block IsExportable: true or false HashSize: 0, 16 or 20 bytes Key Material: used to generate write keys IV Size: size of IV for CBC
46 © Ravi Sandhu SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol
47 © Ravi Sandhu SSL HANDSHAKE: PHASE 2 SERVER AUTHENTICATION & KEY EXCHANGE Certificate message server’s X.509v3 certificate followed by optional chain of certificates required for RSA, Fixed DH, Ephemeral DH but not for Anonymous DH Server Key Exchange message not needed for RSA, Fixed DH needed for Anonymous DH, Ephemeral DH needed for RSA where server has signature-only key server sends temporary RSA public encryption key to client
48 © Ravi Sandhu SSL HANDSHAKE: PHASE 2 SERVER AUTHENTICATION & KEY EXCHANGE Server Key Exchange message signed by the server signature is on hash of ClientHello.random, ServerHello.random Server Key Exchange parameters Certificate Request message request a certificate from client specifies Certificate Type and Certificate Authorities certificate type specifies public-key algorithm and use Server Done message ends phase 2, always required
49 © Ravi Sandhu SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol
50 © Ravi Sandhu SSL HANDSHAKE: PHASE 3 CLIENT AUTHENTICATION & KEY EXCHANGE Certificate message send if server has requested certificate and client has appropriate certificate otherwise send no_certificate alert Client Key Exchange message content depends on type of key exchange (see next slide) Certificate Verify message can be optionally sent following a client certificate with signing capability signs hash of master secret (established by key exchange) and all handshake messages so far provides evidence of possessing private key corresponding to certificate
51 © Ravi Sandhu SSL HANDSHAKE: PHASE 3 CLIENT AUTHENTICATION & KEY EXCHANGE Client Key Exchange message RSA client generates 48-byte pre-master secret, encrypts with server’s RSA public key (from server certificate or temporary key from Server Key Exchange message) Ephemeral or Anonymous DH client’s public DH value Fixed DH null, public key previously sent in Certificate Message
52 © Ravi Sandhu SSL HANDSHAKE: POST PHASE 3 CRYPTOGRAPHIC COMPUTATION 48 byte pre master secret RSA generated by client sent encrypted to server DH both sides compute the same value each side uses its own private value and the other sides public value
53 © Ravi Sandhu SSL HANDSHAKE: POST PHASE 3 CRYPTOGRAPHIC COMPUTATION PRF is composed of a sequence and nesting of HMACs
54 © Ravi Sandhu SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol
55 © Ravi Sandhu SSL HANDSHAKE: PHASE 4 FINISH Change Cipher Spec message not considered part of handshake protocol but in some sense is part of it Finished message sent under new algorithms and keys content is hash of all previous messages and master secret
56 © Ravi Sandhu SSL HANDSHAKE: PHASE 4 FINISH Change Cipher Spec message 1 byte message protected by current state copies pending state to current state sender copies write pending state to write current state receiver copies read pending state to read current state immediately send finished message under new current state
57 © Ravi Sandhu SSL HANDSHAKE: PHASE 4 FINISH Finished message
58 © Ravi Sandhu SSL ALERT PROTOCOL 2 byte alert messages 1 byte level fatal or warning 1 byte alert code
59 © Ravi Sandhu SSL ALERT MESSAGES
60 © Ravi Sandhu SSL ALERT MESSAGES always fatal unexpected_message bad_record_mac decompression_failure handshake_failure illegal_parameter
61 © Ravi Sandhu SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA Record Protocol Handshake Protocol
62 © Ravi Sandhu SERVER-SIDE MASQUARADING Bob Web browser www.host.com Web server Server-side SSL Ultratrust Security Services www.host.com
63 © Ravi Sandhu SERVER-SIDE MASQUARADING Bob Web browser www.host.com Web server Server-side SSL Ultratrust Security Services www.host.com Mallory’s Web server BIMM Corporation www.host.com Server-side SSL
64 © Ravi Sandhu SERVER-SIDE MASQUARADING Bob Web browser www.host.com Web server Server-side SSL Ultratrust Security Services www.host.com Mallory’s Web server Server-side SSL BIMM Corporation Ultratrust Security Services www.host.com
65 © Ravi Sandhu CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA Record Protocol Handshake Protocol
66 © Ravi Sandhu MAN IN THE MIDDLE MASQUARADING PREVENTED Bob Web browser www.host.com Web server Client-side SSL Ultratrust Security Services www.host.com Mallory’s Web server BIMM Corporation Client-side SSL Ultratrust Security Services www.host.com Client Side SSL end-to-end Ultratrust Security Services Bob BIMM Corporation Ultratrust Security Services Bob
67 © Ravi Sandhu SSL Deployed in broken form Guardian of e-commerce World’s most successful crypto protocol
ISA 662 SSL Prof. Ravi Sandhu. 2 © Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Web security: SSL and TLS
1 ISA 562 Information Systems Theory and Practice 10. Digital Certificates.
1 Cryptography CSS 329 Lecture 13:SSL. 2 Lecture Outline SSL/TLS.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
1 SSL/TLS. 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
Secure Socket Layer.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Lecture 6: Web security: SSL
Web Security : Secure Socket Layer Secure Electronic Transaction.
Cryptography and Network Security
SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Chapter 8 Web Security.
Web Security (SSL / TLS)
Web Security Network Systems Security
Page 1 of 17 M. Ufuk Caglayan, CmpE 476 Spring 2000, SSL and SET Notes, March 29, 2000 CmpE 476 Spring 2000 Notes on SSL and SET Dr. M. Ufuk Caglayan Department.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.5 Transport Layer Security.
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Network Security Essentials Chapter 5
Cryptography and Network Security Chapter 17
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
PRESENTATION ON SECURE SOCKET LAYER (SSL) BY: ARZOO THAKUR M.E. C.S.E (REGULAR) BATCH
SMUCSE 5349/49 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
Secure Socket Layer (SSL)
Tunneling and Securing TCP Services Nathan Green.
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Transport-level and Web Security (SSL / TLS, SSH)
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Cryptography and Network Security Chapter 16
SSL/TLS (ch 19) IT443 – Network Security Administration Instructor: Bo Sheng 1.
© 2017 SlidePlayer.com Inc. All rights reserved.