CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina

10/22/20072 Web Security Web is now widely used by business, government, and individuals But Internet and Web are vulnerable Have a variety of threats integrity confidentiality denial of service authentication Need to add security mechanisms

10/22/20073 Security Socket Layer (SSL) Security service at transport layer Originally developed by Netscape SSLv3 was designed with public input Subsequently became Internet standard known as Transport Layer Security (TLS) Use TCP to provide reliable end-to-end service

10/22/20074 SSL Services SSL provides Client-server authentication (public-key cryptography) Data traffic confidentiality Message authentication and integrity check SSL does not prevent Traffic analysis TCP implementation oriented attacks

10/22/20075 SSL State Information SSL session is stateful  SSL protocol must initialize and maintain session state information on either side of the session SSL session can be used for several connections  connection state information

10/22/20076 SSL Session State Information Session ID: chosen by the server to identify an active or resumable session state Peer certificate: certificate for peer entity (X.509 v. 3) Compression method: algorithm to compress data before encryption Cipher spec: specification of data encryption and MAC algorithms Master secret: 48-byte secret shared between client and server Is resumable: flag that indicates whether the session can be used to initiate new connections

10/22/20077 SSL Connection State Information Server and client random: byte sequences that are chosen by server and client for each connection Server write MAC secret: secret used for MAC on data written by server Client write MAC secret: secret used for MAC on data written by client Server write key: key used for data encryption by server and decryption by client Client write key: key used for encryption by client and decryption by server Initialization vector: for CBC block ciphers Sequence number: for both transmitted and received messages, maintained by each party

10/22/20078 SSL Protocol Architecture

10/22/20079 SSL Protocol SSL has two layers of protocols SSL Record Protocol Layered on top of a connection-oriented and reliable transport layer service Provides message origin authentication, data confidentiality, and data integrity SSL sub-protocols Layered on top of the SSL Record Protocol Provides support for SSL session and connection establishment

10/22/ SSL Record Protocol Receives data from higher layer protocols Provide two services confidentiality using symmetric encryption with a shared secret key defined by Handshake Protocol IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 message is compressed before encryption (optional) message integrity using a MAC with shared secret key similar to HMAC but with different padding

10/22/ SSL Record Protocol Operation

10/22/ SSL Record Format

10/22/ SSL Change Cipher Spec Protocol A single message with only one byte “1” Cause pending state to become current, hence updating the cipher suite in use

10/22/ SSL Alert Protocol Use two-byte message to convey SSL-related alerts to peer entity First byte is severity level warning(1) or fatal(2) Second byte is specific alert Always fatal: unexpected_message, bad_record_mac, decompression_failure, handshake_failure, illegal_parameter Other alerts: close_notify, no_certificate, bad_certificate, unsupported_certificate, certificate_revoked, certificate_expired, certificate_unknown Compressed and encrypted like all SSL data

10/22/ SSL Handshake Protocol Allow server and client to authenticate each other negotiate encryption and MAC algorithms negotiate cryptographic keys to be used Comprise a series of messages in phases Establish Security Capabilities Server Authentication and Key Exchange Client Authentication and Key Exchange Finish

10/22/ SSL Handshake Messages

10/22/ SSL Handshake 1.C  S: CLIENTHELLO 2.S  C: SERVERHELLO [CERTIFICATE] [SERVERKEYEXCHANGE] [CERTIFICATEREQUEST] SERVERHELLODONE 3.C  S:[CERTIFICATE] CLIENTKEYEXCHANGE [CERTIFICATEVERIFY] CHANGECIPHERSPEC FINISH 4.S  C: CHANGECIPHERSPEC FINISH

10/22/ SSL Handshake CLIENTHELLO message is sent by the client When the client wants to establish a TCP connection to the server, When a HELLOREQUEST message is received, or When client wants to renegotiate security parameters of an existing connection Message content: Number of highest SSL understood by the client Client’s random structure (32-bit timestamp and 28-byte pseudorandom number) Session ID client wishes to use (ID is empty for new session) List of cipher suites the client supports List of compression methods the client supports 1.C  S: CLIENTHELLO

10/22/ Server processes CLIENTHELLO message Server responds to client with SERVERHELLO message: Server version number: lower version of that suggested by the client and the highest supported by the server Server’s random structure: 32-bit timestamp and 28-byte pseudorandom number Session ID: corresponding to this connection Cipher suite: selected by the server from client’s list Compression method: selected by the server from client’s list 2.S  C: SERVERHELLO [CERTIFICATE] [SERVERKEYEXCHANGE] [CERTIFICATEREQUEST] SERVERHELLODONE SSL Handshake

10/22/ Optional messages: CERTIFICATE: If the server is using certificate-based authentication May contain RSA public key  good for key exchange SERVERKEYEXCHANGE: If the client does not have certificate, has certificate that can only be used to verify digital signatures, or uses FORTEZZA token-based key exchange CERTIFICATEREQUEST: Server may request personal certificate to authenticate a client SSL Handshake 2.S  C: SERVERHELLO [CERTIFICATE] [SERVERKEYEXCHANGE] [CERTIFICATEREQUEST] SERVERHELLODONE }

10/22/ Client processing: Verifies site certification Valid site certification if the server’s name matches the host part of the URL the client wants to access Checks security parameters supplied by the SERVERHELLO 3.C  S: [CERTIFICATE] CLIENTKEYEXCHANGE [CERTIFICATEVERIFY] CHANGECIPHERSPEC FINISH SSL Handshake

10/22/ Client messages: CERTIFICATE If server requested a client authentication, client sends CLIENTKEYEXCHANGE Format depends on the key exchange algorithm selected by the server RSA: 48-byte premaster secret encrypted by the server’s public key Diffie-Hellman: public parameters between server and client in SERVERKEYEXCHANGE and CLIENTKEYEXCHANGE messages FORTEZZA: token-based key exchange based on public and private parameters Premaster key is transformed into a 48-byte master secret, stored in the session state SSL Handshake 3.C  S: [CERTIFICATE] CLIENTKEYEXCHANGE [CERTIFICATEVERIFY] CHANGECIPHERSPEC FINISH

10/22/ Client messages: CERTIFICATEVERIFY If client authentication is required Provides explicit verification of the user’s identity (personal certificate) CHANGECIPHERSPEC Completes key exchange and cipher specification FINISH Encrypted by the newly negotiated session key Verifies that the keys are properly installed in both sites SSL Handshake 3.C  S: [CERTIFICATE] CLIENTKEYEXCHANGE [CERTIFICATEVERIFY] CHANGECIPHERSPEC FINISH

10/22/ Server finishes handshake by sending CHANGECIPHERSPEC and FINISH messages After SSL handshake completes a secure connection is established to send application data encapsulated in SSL Record Protocol 4.S  C: CHANGECIPHERSPEC FINISH SSL Handshake

10/22/ SSL Handshake to Resume Session 1.C  S: C LIENT H ELLO 2.S  C: S ERVER H ELLO C HANGE C IPHER S PEC F INISH 3.C  S: C HANGE C IPHER S PEC F INISH

10/22/ Transport Layer Security (TLS) Specified as IETF standard RFC 2246 Similar to SSLv3 but with minor differences in record format version number use HMAC for MAC a pseudo-random function expands secrets has additional alert codes some changes in supported ciphers changes in certificate negotiations changes in use of padding

10/22/ SSL/TLS vs IPsec SSL/TLS and IPsec are very similar in that they both require negotiation of security parameters and both provide authentication and confidentiality However there are still differences SSL can be used to secure traffic going over TCP, while IPsec can be used to secure traffic going over IP, including UDP SSL requires modifying applications by replacing socket calls with SSL socket calls, but does not require modifying OS; IPsec can be added without modifying applications (although can be modified optionally to provide tailored service), but needs to change the IP stack in OS

10/22/ SSL/TLS vs IPsec ISAKMP requires both sides to authenticate each other, which is optional in SSL In some cases SSL can be tunneled through a proxy, while IPsec does not allow tunneling through intermediaries IPsec doesn’t work with a host behind a router performing network address translation (NAT); SSL has no problem with NAT

10/22/ Next Class Midterm exam! Oct. 17 in class 75 minutes About 10 questions Account for 20% toward final grade Review textbook, lecture slides and related papers discussed in class