Secure Socket Layer (SSL)

TCP/IP Protocol Stack Application Layer HTTP Transport UDP Layer TCP ICMP UDP LDAP IMAP DNS NFS PING TELNET HTTP Transport Layer TCP Network Layer IP Physical Layer IP packet

Protocols IP (Internet Protocol) has IP address (32 bits, network + host portions) ICMP (Internet Control Message Protocol) control IP traffic TCP (Transmission Control Protocol) implements virtual circuit for reliable connection-oriented comm. UDP (User Datagram Protocol) implements connectionless comm. HTTP -- for WWW LDAP – directory access IMAP – access email over Internet TELNET -- for remote login DNS -- translates names into IP addresses NFS -- network file system, for sharing files among systems PING -- checks other machines

Let us find out the routers when we shop on-line When we connect from campus computers to http://www.amazon.com/ via IE or Netscape, our packets have a long trip to get there:

Such IP Tracing is available on sites like http://visualroute Such IP Tracing is available on sites like http://visualroute.visualware.com and http://samspade.org/

Location of SSL Application Layer HTTP Transport Layer TCP Network IP IP packet Physical Layer

SSL v.s. IPSec and others Application App Layer Transport TCP Layer IKE (ISAKMP/Oakley in IPSec), S/MIME, Kerberos, Proxies, SET, PGP Application Layer App Transport Layer SSL, TLS, SOCKS TCP AH, ESP (in IPSec), Packet filtering, Network Layer IP Tunneling (L2TP, PPTP, L2F), CHAP (challenge handshake protocol) PAP (password auth. protocol), MS-CHAP Data link Layer Network driver

X.509 public key certificate 1 Version 2 Serial number 3 Sign. alg. identifier 4 Issuer 5 Period of validity 6 Subject 7 Subject’s public key 8 Issuer unique ID 9 Subject unique ID 10 Extensions 11 Signature

Flow of actions in SSL Authenticate the server to the client. Allow the client and server to select the cryptographic algorithms they both support. Optionally authenticate the client to the server. Use public-key encryption to generate shared secrets. Establish an encrypted SSL connection.

Capabilities of SSL To establish an encrypted, not necessarily authenticated, communication channel between a client and a server. To authenticate the server, and establish an secure channel (the case of RSA). To authenticate the server, and establish an secure channel (general case, incl RSA). To authenticate the server AND the client, and establish an authenticated secure channel. Less preferred preferred

Establish encrypted, but unauthenticated, channel (1) ClientHello (Browser) Client (Web) Server ServerHello, ServerKeyExchange, ServerHelloDone (2) ClientKeyExchange, ChangeCipherSpec, Finished (3) ChangeCipherSpec, Finished (4)

4 moves & 9 messages in SSL 1  ClientHello C proposes SSL options 2  ServerHello S selects the SSL options 3 ServerKeyExchange S sends its public key 4 ServerHelloDone S sends its part of negotiation 5 ClientKeyExchange C sends session key, encrypted with S’s public key 6 ChangeCipherSpec C agrees on negotiated/activated options for all future messages 7 Finished C sends an authentication message to allow S to verify the activated options 8 S agrees on activated options for all future messages 9 S sends an authentication message to allow C to verify the activated options

1. ClientHello (C  S) Version RandonNumber Session ID CipherSuites Identifies the highest version of the SSL protocol that the client can support RandonNumber 32-bit random number used to seed the cryptographic computation Session ID Identifies a specific SSL session CipherSuites A list of cryptographic parameters/schemes that the client can support CompressionMethods Identifies data compression methods that the client can support

2. ServerHello (C  S) Version RandonNumber Session ID CipherSuites Identifies the highest version of the SSL protocol to be used for this communication RandonNumber 32-bit random number used to seed the cryptographic computation Session ID Identifies a specific SSL session CipherSuites The cryptographic parameters/schemes to be used CompressionMethods The data compression methods to be used

3. ServerKeyExchange (C  S) Contains the (public) key information Exact format depends on the particular public key algorithm selected Not encrypted !

4. ServerHelloDone (C  S) Contains no information, other than that it’s done !

5. ClientKeyExchange (C  S) Client tells the server key information for symmetric ciphers to be used Encrypted using the server’s public key !

6 & 8. ChangeCipherSpec (C  S & C  S) After the message #5, a preliminary SSL negotiation is complete, and both parties are ready to use security services negotiated These 2 messages are to explicitly indicate that security services should now be invoked In other words, to activate the options

7 & 9. Finished To authenticate Key information Contents of all previous SSL handshake messages exchanged between the 2 parties A special value to indicate whether the sender is a client or a server

Establish encrypted channel, with server being authenticated (1) ClientHello (Browser) Client (Web) Server ServerHello, Certificate, ServerKeyExchange, ServerHelloDone (2) ClientKeyExchange, ChangeCipherSpec, Finished (3) ChangeCipherSpec, Finished (4)

Certificate message from server Contains a certificate chain beginning with the server’s public key certificate and ending with the root certificate authority’s certificate The client browser usually has well known CA certificates preloaded The certificate contains Internet domain name of the server which must be verified by the client

Advantages Separating encryption from authentication Applicable to not only RSA but also other digital signature-only schemes such as DSS Preferred to the previous technique which did NOT separate encryption from authentication (ServerKeyExchange is signed using the server’s private key, for the client to verify using the server’s matching public key !)

Establish encrypted channel, with mutual authentication (1) ClientHello (Browser) Client (Web) Server ServerHello, Certificate, CertificateRequest, ServerHelloDone (2) Certificate, ClientKeyExchange, CertificateVerify, ChangeCipherSpec, Finished (3) ChangeCipherSpec, Finished (4)

CertificateRequest (C  S) CertificateTypes A list of certificate types acceptable to the server DistinguishedNames A list of distinguished names of certificate authorities acceptable to the server (X.500 names) (the server MUST authenticate itself, ie, must have “Certificate” from S to C)

Certificate (C  S) The client’s public key is used for signature verification only, not for encryption If the client does not have a certificate, it sends a “NoCertificateAlert”

CertificateVerify (C  S) The client signs Key information Contents of all previous SSL handshake messages exchanged between them The server verifies the identify of the client using its public key

Cryptographic algorithms supported by SSL v3.0 Public key encryption/key-distribution RSA, Diffie-Hellman Digital signature RSA, DSS Symmetric ciphers RC2, RC4, DES, 3DES, IDEA, FORTEZZA 1-Way hash MD5, SHA

Securing other applications using SSL … HTTP LDAP IMAP FTP SSL TCP IP IP packet

SSL Components of SSL HTTP Record Layer TCP Change Cipher Alert Hand- shake Appli- cation SSL Record Layer TCP

References for SSL Open source for SSL developers http://www.openssl.org/