Presentation is loading. Please wait.

Presentation is loading. Please wait.

December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.

Similar presentations

Presentation on theme: "December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College."— Presentation transcript:

1 December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College

2 December 2006Prof. Reuven Aviv, SSL2 Outline Introduction - Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) –SSL Architecture –SSL Record Protocol –Handshake Protocol –In Closing: What does the SSL Really Protect? Why the Web Service is special?

3 Introduction December 2006Prof. Reuven Aviv, SSL3

4 December 2006Prof. Reuven Aviv, SSL4 Introduction All businesses have Web sites Most public organizations have Web sites Many individuals have Web sites Business are enthusiastic about setting facilities on the Web for electronic commerce However: Internet and the Web Servers are vulnerable Demand for security increases What software options are available?

5 December 2006Prof. Reuven Aviv, SSL5 Web Security Options HTTP Client Server; Standard IPSec is applicable (later lecture) BUT – we need special security mechanism: The WEB is very visible. –It is the front end of business –Breaking into it makes bad business –What risks are (not) countered by SSL

6 December 2006Prof. Reuven Aviv, SSL6 Web Security risks & counter-measures Corrupt server or browser data – done by Trojans, ActiveX, Applets Corrupt data in transit and session hijacking –Cryptographic checksum, Encryption –web proxy Denial of Service: flooding server, DNS attacks –Network Mitigation procedures Impersonation of users, and programs –signatures

7 December 2006Prof. Reuven Aviv, SSL7 Approaches to network Security Advantages and Disadvantages?

8 December 2006Prof. Reuven Aviv, SSL8 Approaches to network Security IPSec – below TCP – transparent to applications (and users) –Only filtered packets incur overhead –General purpose client server security –Complex configuration (packet oriented)

9 December 2006Prof. Reuven Aviv, SSL9 Approaches to network Security SSL/TLS – above TCP –General purpose –but controllable by application –What does that mean? At the application layer: PGP, S/MIME –Specific, tailored to the application

10 Secure Socket Layer December 2006Prof. Reuven Aviv, SSL10

11 December 2006Prof. Reuven Aviv, SSL11 SSL (Secure Socket Layer) & TLS SSL: Netscape, later Microsoft –SSL 3.0 Submitted to IETF IETF  TLS: Transport Layer Security – essentially SSLv3.1 Free Implementations: SSLRef, OpenSSL SSL support included in Microsoft IIS & IE What technologies are used for Privacy, Inegrity, Authentication, Non- Repudiation?

12 December 2006Prof. Reuven Aviv, SSL12 SSL Services Privacy – via user defined encryption algorithms Integrity – user specified hash functions Authentication – using X.509.3 public key certificates, also Passwords, or none Non Repudiation – using signed messages

13 December 2006Prof. Reuven Aviv, SSL13 SSL/TLS Features I Separation of duties: encryption, authentication and data integrity use different keys (secrets) What are the benefits? decreasing risks & different key lengths Flexibility: authenticated connections with/without encryption Note: algorithm & keys determined by server, limited by both

14 December 2006Prof. Reuven Aviv, SSL14 SSL/TLS Features II Efficiency – use (slow) public key once to create “master secret”. “connection Secrets” on the fly Mutual Certificate based authentication Protect against MIM & Replay how? validating identities, sequencing messages and nonces

15 December 2006Prof. Reuven Aviv, SSL15 SSL Protocol Architecture SSL Record Protocol: transmission of blocks of data (records) between applications (e.g. HTTP) What are the purpose of the SSL Handshake & Alert protocols?

16 December 2006Prof. Reuven Aviv, SSL16 SSL Record Protocol Provides Services -- to whom?: Encryption Decryption of the payloads (TCP/HTTP, …) –conventional encryption algorithms (DES, AES,…) Message integrity – using MAC Via hash function secrets as agreed by a Handshake Protocol

17 December 2006Prof. Reuven Aviv, SSL17 SSL Record Protocol Operation What’s in the header?

18 December 2006Prof. Reuven Aviv, SSL18 Record Construction Compress Fragment Add Hash (MD5/SHA-1) of Fragment + Secret, Seq Num, Compression parameters Encrypt by (IDEA, DES, 3DES, RC4,…) Add a record header: –Payload Type (e.g. HTTP, Handshake, …) –Major/Minor version of SSL –Compressed Length of fragment why names of algorithms not in header?

19 December 2006Prof. Reuven Aviv, SSL19 SSL Record Format What is to be agreed by client/server during handshake?

20 December 2006Prof. Reuven Aviv, SSL20 What is to be agreed: Cipher Suit Key Exchange algorithm ID: Name of method to be used to create SSL Pre-Master Secret –One of four (e.g. D.H.), discussed below Cipher-Spec: Specifications of algorithms and parameters that will be used by the SSL Record Protocol to encrypt/authenticate

21 December 2006Prof. Reuven Aviv, SSL21 What’s in Cipher-Spec? Encryption Algorithms – RC4, AES, 3DES, … Cipher Type: Stream or Block IV size, Hash size in Bytes: 0, 16 (MD5), 20 (SHA-1),.. MAC Algorithm: HMAC-MD5 / HMAC-SHA-1 Key Materials: Sequence of Bytes –data used in creating Secrets

22 December 2006Prof. Reuven Aviv, SSL22 SSL: 6 Secrets two keys for encryption ; Two values of Initial Values (for encryption); Two secrets for MAC Procedure for derivation of secrets: Pre_Master_Secret (48 Bytes PMS): one time value Pre_master_secret  Master Secret  Secrets Several methods for deriving Pre_Master_Secret (PMS) Who calculates PMS / Master / Secrets?

23 December 2006Prof. Reuven Aviv, SSL23 What is to be agreed: PMS derivation method [1] RSA Method: Client creates PMS (random) send PMS to server encrypted by Server’s RSA public key –Client needs Server’s Public Key Certificate

24 December 2006Prof. Reuven Aviv, SSL24 PMS derivation methods [2] Anonymous Diffie Hellman Method q,  agreed by two sides Public keys (Y) are exchanged PMS (calculated by each party) = Y X (modq) No exchange of Certificates [3] Fixed Diffie Hellman Method Server is authenticated by a D.H. certificate (with D.H. public key). Rest is Anonymous D.H. Disadvantage relative to RSA method?

25 December 2006Prof. Reuven Aviv, SSL25 PMS derivation methods [4] Ephemeral Diffie Hellman Method: Most secure way - both parties are authenticated D.H. public keys are exchanged by messages signed by senders’ private keys (RSA) PMS is created by both parties Signing keys (RSA or DSS) keys are presented via Certificates, themselves signed by CAs

26 December 2006Prof. Reuven Aviv, SSL26 Handshake Protocol: full scenario

27 December 2006Prof. Reuven Aviv, SSL27 1. Hello Phase

28 December 2006Prof. Reuven Aviv, SSL28 Hello messages: Establishing Security Capabilities Client sends ClientHello (1) –ProtocolVersion (3.1 for TLS 1.0) –timestamp + random_num1 What are the purpose of these? Session ID What is the purpose of this? Lists of Cipher-Suites & Compression methods supported by client

29 December 2006Prof. Reuven Aviv, SSL29 Hello messages: Establishing Security Capabilities Server sends ServerHello (2) Protocol Version, Timestamp, random num2 –Session ID: new value (or, if updating, old) –Selected Cipher-Suite, compression method Is the PMS Derivation method determined at this stage?

30 December 2006Prof. Reuven Aviv, SSL30 2. Server Authentication & Key exchange Certificate (3): one (or more) X.509 certificate Certificate present public key, that will be used for encrypting secrets and/or signing Server client These are optional. Who determines if these Messages are sent?

31 December 2006Prof. Reuven Aviv, SSL31 Server Key_exchange_Message (4) Sent from the Server to provide its public key Not needed in RSA [1] or fixed D.H [3] methods – public key of Server was sent by Certificate (3) What is the content of this message? The Diffie Hellman public key (Y) Message required in the Anonymous D.H. [2] –Message not signed Why not?

32 December 2006Prof. Reuven Aviv, SSL32 Server Key_exchange_Message (4) Message required in the Ephemeral D.H [4] –Message signed by what? by RSA or DSS private key What is the signature? encrypted hash of D.H. parameters and the rand. in the Hello messages why? K RSA {hash(Cl.Hello.rand|| Ser.Hello.rand || D.H. parameters)}

33 December 2006Prof. Reuven Aviv, SSL33 End of Phase 2: Server In all methods except Anonymous D.H. [2] Server sends Ceritificate_Request (5) requesting Client to authenticate itself by Certificate(s) –List of types, usages & names of acceptable certificates & CAs Server sends ServerDone (6) message What will the client do?

34 December 2006Prof. Reuven Aviv, SSL34 End of Phase 2: Client Client Checks the acceptability of parameters in ServerHello (selected Cipher Suite & PMS method) Client checks receipt of the required certificates Client checks the validity of certificates

35 December 2006Prof. Reuven Aviv, SSL35 Phase 3: Client Authentication & Key Exchange What’s in Client_key_Exchange (8)? CertificateVerify (9): a signed hash of previous messages. What is the purpose of this? Client Server

36 December 2006Prof. Reuven Aviv, SSL36 ClientKeyExchange (8) Required. PMS calculated after this message Content depends on method of key generation: RSA [1]: Client generates a 48-byte PMS, encrypts with the certified Server’s public key Ephemeral [4] or Anonymous D.H. [2]: Client sends its public D.H. key (Y) Fixed D.H. (3): null, because Client’s public D.H. sent in previous message, Certificate (7) –In all D.H. methods [2], [3], [4] both Client and Server now calculate PMS

37 December 2006Prof. Reuven Aviv, SSL37 Certificate_Verify (9) Sent by Client – if previously sent a Certificate with signing capabilities –i.e. Not Certificates with D.H. parameters Purpose: proving that the client in the negotiation and the owner of the certificate are the same entities What could be in this message?

38 December 2006Prof. Reuven Aviv, SSL38 Certificate_Verify (cont’d) Hash of collected shared knowledge –K Client {hash(Master_Secret || pad2 || hash (handshake_messages||Master_Secret||pad1))} Signed by Client Private key cannot be done by one who stole the Client certificate why?

39 December 2006Prof. Reuven Aviv, SSL39 4. Finish phase ChangeCipherSpec: –Let’s start using agreed Cipher-Suite Finished: hash of master secret, & other info –Using the agreed upon Cipher Suit

40 December 2006Prof. Reuven Aviv, SSL40 In closing: What does SSL really protect? It protects data in transit, mitigates attacks like MIM, Replay, and in general makes other attacks difficult to perform It does not solve the hard problems of E- Commerce: –DOS Attacks –Application Layer Attacks on the client and servers. A notable risk of the later is stealing credit cards

41 December 2006Prof. Reuven Aviv, SSL41 In closing: What does SSL really protect? These are “solved” by: – Multi-layer Enterprise security system (last lecture) –Policies of Credit cards companies (Canceling cards and returning charges

Download ppt "December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College."

Similar presentations

Ads by Google