Presentation is loading. Please wait.

Presentation is loading. Please wait.

8-1 CSE 4707/5850 Network Security (2) SSL/TLS. 8-2 Think about Google or YouTube  Desired properties  Indeed the other side is Google or YouTube server.

Published byPeregrine Tate Modified over 8 years ago

Similar presentations

Presentation on theme: "8-1 CSE 4707/5850 Network Security (2) SSL/TLS. 8-2 Think about Google or YouTube  Desired properties  Indeed the other side is Google or YouTube server."— Presentation transcript:

1 8-1 CSE 4707/5850 Network Security (2) SSL/TLS

2 8-2 Think about Google or YouTube  Desired properties  Indeed the other side is Google or YouTube server  Confidentiality: your query, the video you choose  Content from Google or YouTube has not been modified  Can you use Kerberos?

3 8-3 SSL/TLS  SSL (Secure Sockets Layer)  mechanisms: [Woo 1994], implementation: Netscape  SSL Version 3 released in 1996  TLS (Transport Layer Security)  Substitute SSL in 1999; standardized by IETF  TLS 1.0, RFC 2246, 1999  TLS 1.1, RFC 4346, 2006  TLS 1.2, RFC 5246, 2008  TLS 1.3, working draft as of now

4 8-4 Goals of SSL/TLS  Allows client and server to communicate while preventing eavesdropping and tampering  Provide  Confidentiality (symmetric key encryption)  Message integrity check (through MAC)  Authentication (public key crypto)

5 8-5 Usage of SSL/TLS  Implemented in all (major) web browsers  Widely used in web browsing, email, instant messaging, voice-over-IP (VoIP), …  Major web sites (including Google, YouTube, Facebook) use TLS  Available to all applications that use TCP

6 8-6 SSL/TLS and TCP/IP Application TCP IP normal application Application SSL/TLS TCP IP application with SSL  SSL/TLS provides application programming interface (API) to applications  C and Java SSL libraries/classes readily available

7 8-7 TLS  Handshake protocol  enables authentication and session key establishment  Record protocol  Uses the secret keys established in the handshake protocol to protect confidentiality, integrity, and authenticity of data exchange between the client and the server

8 8-8 TLS connection parameters  Connection end (client, server)  Bulk encryption algorithm  MAC algorithm  Compression algorithm  Master secret (48 bytes)  Client random (32 byte)  Server random (32 byte)

9 8-9 Handshake Protocol Overview  Runs between a client and a server  e.g., client: web browser, server: website  Negotiate version of the protocol and the set of cryptographic algorithms to be used  Interoperability between different implementations  Authenticate server and client (optional)  Use digital certificates to learn each other’s public keys and verify each other’s identity  Often only the server is authenticated  Use public keys to establish a shared secret

10 8-10 Handshake Protocol Diagram

11 8-11 ClientHello  Random structure (32 bytes)  Client Timestamp  Random 28 byte string  SessionID  can be empty / it is used for resuming a previous session  Ciphersuite list  List of cryptographic algorithms supported by the client  Key exchange algorithm, bulk encryption algorithm, MAC algorithm, and PRF  Compression list  List of compression algorithms

12 8-12 ClientHello Example

13 8-13 ServerHello

14 8-14 ServerHello Example

15 8-15 Server Certificate  server provides its certificate to authenticate its name on the public-key it provides to the client  Certificate type MUST be X.509v3, unless explicitly negotiated otherwise

16 8-16 Other messages from server  Certificate: server provides its certificate to authenticate its name on the public-key it provides to the client  Certificate type MUST be X.509v3, unless explicitly negotiated otherwise  ServerKeyExchange: will contain public key info in case the info in the Certificate message is not sufficient (or this message has not been provided at all)  CertificateRequest : will prompt the client to send a certificate to authenticate itself (typically not used)

17 8-17 ClientKeyExchange message  Used to set the premaster secret that will allow each side to agree upon the same pre-master secret.  By transmitting the RSA-encrypted secret or Diffie-Hellman parameters

18 8-18 Client Authentication  CertificateRequest : server will use this message to request a certificate-based authentication from the client.  Certificate : response to a CertificateRequest message. This will be sent before ClientKeyExchange

19 8-19 Client Authentication  CertificateRequest : server will use this message to request a certificate-based authentication from the client.  Certificate : response to a CertificateRequest message. This will be sent before ClientKeyExchange  CertificateVerify : if client’s certificate has signing capability, this message will be a digital signature of all handshake messages so far. This will be sent after ClientKeyExchange

20 8-20 Computing master secret  convert the pre_master_secret into the master_secret  Master secret 48 bytes master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random) [0..47];

21 8-21 Key generation  master secret is expanded into a sequence of secure bytes  split into  client MAC key  server MAC key  client encryption key  server encryption key  client initialization vector (IV)  server initialization vector (IV)

22 8-22 Finished message  To verify key exchange and authentication processes were successful  It is the first message protected with the just negotiated algorithms, keys, and secrets  Recipients of Finished messages MUST verify that the contents are correct  By sending verify_data PRF(master_secret, finished_label, Hash(handshake_messages)) use all handshake msgs up to, but not including this msg

23 8-23 TLS Example

24 8-24 Alert protocol (RFC 2246)  When things go wrong an alert is generated  session ends or the recipient is given the opportunity to continue  What can go wrong  bad_certificate  unsupported_certificate  certificate_expired  handshake_failure  unknown_ca  …

25 8-25 Why need two random nonces?  Two random nonces  client.random in ClientHello  server.random in ServerHello  Deal with playback attacks  They are used to calculate master secret key  Different nonces lead to different master secret key, and hence different sub-keys

26 8-26 Why need Finished message? protect handshake from tampering (Finished messages are encrypted)  client typically offers range of algorithms, some strong, some weak  man-in-the middle could delete stronger algorithms from list  Server is forced to choose a weak algorithm

27 8-27 Certificate verification flaws (due to bad implementation)  Check validity of certificate but don’t check common name.  Check common name but fail to verify the whole chain of certificates.  Check everything but allow non-CA signing certificates to be used for issuing certificates.

28 8-28 Record Protocol data fragment data fragment MAC encrypted data and MAC encrypted data and MAC record header record header Divide data into fragments Each fragment up to 2 14 bytes (~16 Kbytes) Data and MAC encrypted using symmetric key Record header: content type; version; length

29 8-29 SSL/TLS record format content type SSL version length MAC data 1 byte 2 bytes3 bytes data and MAC encrypted (symmetric algorithm)

30 8-30 MAC in record  keyed MAC (e.g., HMAC) to protect message integrity  MAC includes sequence number to detect missing messages  Generated as MAC(MAC_write_key, seq_num + TLSCompressed.type + TLSCompressed.version + TLSCompressed.length + TLSCompressed.fragment); where "+" denotes concatenation  Question: why no need to include record sequence number explicitly in record?

31 8-31 handshake: ClientHello handshake: ServerHello handshake: Certificate handshake: ServerHelloDone handshake: ClientKeyExchange ChangeCipherSpec handshake: Finished ChangeCipherSpec handshake: Finished application_data Alert: warning, close_notify SSL/TLS connection TCP FIN follows everything henceforth is encrypted

32 8-32 Summary  SSL/TLS widely used protcol  De facto standard for Internet security  “The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications”  Two main protocols  Handshake protocol  Record protocol

33 8-33 The Master Secret (48 bytes)

34 8-34 Version Rollback Attack C version s =2.0, suite s, N s, certificate for PK s, “ServerHelloDone” S C, version c =2.0, suites c, N c {Secret c } PKs C and S end up communicating using SSL 2.0 (weaker earlier version of the protocol that does not include “Finished” messages) Server is fooled into thinking he is communicating with a client who supports only SSL 2.0 From Vitaly Shmatikov

35 8-35 Version Check in SSL 3.0 C version s =3.0, suite s, N s, certificate for PK s, “ServerHelloDone” S C, version c =3.0, suites c, N c {version c, secret c } PKs C and S share secret key material secret c at this point “Embed” version number into secret Check that received version is equal to the version in ClientHello switch to key derived from secret c, N c, N s switch to key derived from secret c, N c, N s From Vitaly Shmatikov

Download ppt "8-1 CSE 4707/5850 Network Security (2) SSL/TLS. 8-2 Think about Google or YouTube  Desired properties  Indeed the other side is Google or YouTube server."

Similar presentations

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
Web security: SSL and TLS

Web security: SSL and TLS
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS 4362 - CIS 5357 Network Security.

1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS CIS 5357 Network Security.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
SMUCSE 5349/49 SSL/TLS. SMUCSE 5349/7349 Layers of Security.

SMUCSE 5349/49 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
Cryptography and Network Security

Cryptography and Network Security
Secure Socket Layer.

Secure Socket Layer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
SSL: Secure Sockets Layer

SSL: Secure Sockets Layer
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Web Security (SSL / TLS)

Web Security (SSL / TLS)
Internet Security Protocols

Internet Security Protocols
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security.

Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security.
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.

8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Similar presentations

Ads by Google