
1 @Yuan Xue (yuan.xue@vanderbilt.edu) CS 285 Network Security: Secure Socket Layer. Yuan Xue, Fall 2013

2 SSL Overview
Goal: a secure connection between client and server
- Data confidentiality
- Data integrity
- Source authentication
Secure a connection vs. secure a datagram (message/packet)
- Connectionless security service (e.g., PGP): secures a single message transmission
- Connection-oriented security service (e.g., SSL): a connection gives reliable data transmission; SSL secures a data stream; data in this stream share the same key(s); a handshake is needed for key establishment
SSL is built on top of TCP (layer diagram: Application: PGP; SSL; Transport: TCP; Network; Link)

3 SSL Security Solution Overview
How?
- Authentication: public-key based authentication
- Confidentiality: symmetric encryption
- Integrity: symmetric-key based MAC
Two main "phases"
- Handshake: authentication (certificate) and key distribution (shared secret key 1 for encryption, shared secret key 2 for the MAC, initialization vector for the mode of operation)
- Data communication

4 SSL Design: Data Communication with Confidentiality and Integrity
(Figure: application data is split into fragments; each fragment gets a MAC, is encrypted, buffered, and handed to TCP.)

5 SSL Design: Authentication and Key Distribution
Before we get into the detailed design:
- Who should get authenticated? Server? Client? Both? Let's start with server authentication.
- What are the authentication mechanisms? Symmetric-key, asymmetric-key. Let's go with asymmetric-key-based authentication, and public-key-based key distribution.

6 Public-Key-Based Secret Key Distribution
Goal: Alice and Bob share a secret key, and no one else does.
Comment: Bob does not need to know Alice's identity.
Let's look at a simple solution (figure):
  Alice obtains Bob's public key KU_B
  Alice -> Bob: E[KU_B, K_s]
Any security problem?

7 Let's see how SSL solves the problem...

8 SSL Design: Authentication and Secret Key Establishment
- Use the public key to distribute the secret key
- Use a certificate to authenticate Bob, binding Bob to his public key
Message flow (figure):
  Alice -> Bob: "I want to talk to you", R_Alice (nonce)
  Bob -> Alice: Certificate, R_Bob (nonce)
  Alice -> Bob: E(KU_Bob, S)   (S: pre-master secret)
  Both sides compute the master secret K = Hash(S, R_Alice, R_Bob)
  Secure communication via keys derived from K
Let's go over all the previous attacks: would they work?

9 SSL Design Details
Key hierarchy
- Master secret key: between client and server
- Session secret key: for each connection
Choice of cryptographic algorithms
- Symmetric ciphers
  - Block ciphers: DES, 3DES, IDEA, etc.
  - Stream ciphers: RC4 (RC4-40, RC4-128)
- MACs
  - HMAC? Well ... a similar one, with XOR replaced by concatenation
  - Either MD5 or SHA-1
- How does Bob know what ciphers Alice wants to use?
Other considerations
- Authentication of the client
- What if RSA cannot be used?

10 Finally ... Full Version of SSL
SSL consists of two layers of protocols
- SSL Record Protocol: basic security services (confidentiality, message integrity) for higher-layer protocols, e.g., HTTP, SMTP, etc.
- SSL Handshake Protocol: server and client authenticate each other; negotiate encryption, MAC algorithm, and cryptographic keys
- SSL Change Cipher Spec Protocol and SSL Alert Protocol: management of the SSL exchange

11 SSL session vs. SSL connection
Session state
- Session ID
- Master secret key
- Cipher spec: data encryption algorithm (DES, IDEA, ...), hash function (MD5, SHA-1, ...), cryptographic attributes (hash size)
- Peer certificate
- Compression method
- Is resumable: whether the session can be used to initiate new connections
Connection state
- Server and client random
- Server write MAC secret: the secret key used in the MAC of data sent by the server
- Client write MAC secret
- Server write key: encryption key for data encrypted by the server and decrypted by the client
- Client write key
- Initialization vectors
- Sequence number

12 SSL Record Protocol
Services
- Confidentiality: symmetric encryption
- Message integrity: MAC
(Figure: application data is fragmented; each fragment is compressed, a MAC is appended, the result is encrypted, and an SSL record header is prepended: content type, version, compressed length.)

13 MAC Structure
MAC(MAC_write_secret, M) = H[(MAC_write_secret || Pad2) || H[(MAC_write_secret || Pad1) || seq_num || type || length || M]]
- Pad1: 0x36 repeated
- Pad2: 0x5C repeated
Similar to HMAC. Difference: SSL uses concatenation, HMAC uses XOR.
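As an added example (not from the lecture), the following Python code implements the SSL 3.0 MAC exactly as written on slide 13 and wraps it in the record format from slide 12 (5-byte header of content type, version and length, followed by fragment and MAC). Encryption of fragment || MAC is deliberately left out so the MAC construction stays visible. Pad lengths (48 bytes for MD5, 40 for SHA-1), the 64-bit sequence number and the record layout follow the SSL 3.0 specification; the secret, the sample fragment and the `demo()` scenario are constructed for this example.

```python
import hashlib
import hmac
import struct

# SSL 3.0 MAC pads: 0x36 repeated for pad1 (inner), 0x5C repeated for pad2 (outer).
# The pad length depends on the hash: 48 bytes for MD5, 40 bytes for SHA-1.
PAD_LEN = {"md5": 48, "sha1": 40}
SSL3_VERSION = b"\x03\x00"          # record header version bytes for SSL 3.0
CT_APPLICATION_DATA = 23            # record content type for application data


def ssl3_mac(mac_write_secret: bytes, seq_num: int, content_type: int,
             fragment: bytes, hash_name: str = "sha1") -> bytes:
    """MAC = H[(secret || pad2) || H[(secret || pad1) || seq_num || type || length || M]]"""
    pad1 = b"\x36" * PAD_LEN[hash_name]
    pad2 = b"\x5c" * PAD_LEN[hash_name]
    inner = hashlib.new(hash_name)
    inner.update(mac_write_secret + pad1)
    # seq_num is a 64-bit counter, type one byte, length a 16-bit big-endian value
    inner.update(struct.pack(">QBH", seq_num, content_type, len(fragment)))
    inner.update(fragment)
    outer = hashlib.new(hash_name)
    outer.update(mac_write_secret + pad2 + inner.digest())
    return outer.digest()


def protect_record(mac_write_secret: bytes, seq_num: int, content_type: int,
                   fragment: bytes, hash_name: str = "sha1") -> bytes:
    """Build one SSL record: 5-byte header || fragment || MAC.
    The real record layer encrypts (fragment || MAC) after this step."""
    mac = ssl3_mac(mac_write_secret, seq_num, content_type, fragment, hash_name)
    body = fragment + mac
    header = struct.pack(">B2sH", content_type, SSL3_VERSION, len(body))
    return header + body


class RecordReceiver:
    """Receiving side of one connection: verifies the MAC and tracks the sequence number."""

    def __init__(self, mac_write_secret: bytes, hash_name: str = "sha1"):
        self.secret = mac_write_secret
        self.hash_name = hash_name
        self.expected_seq = 0

    def unprotect(self, record: bytes):
        content_type, version, length = struct.unpack(">B2sH", record[:5])
        body = record[5:5 + length]
        if version != SSL3_VERSION or len(body) != length:
            raise ValueError("malformed record")
        mac_len = hashlib.new(self.hash_name).digest_size
        fragment, mac = body[:-mac_len], body[-mac_len:]
        expected = ssl3_mac(self.secret, self.expected_seq, content_type,
                            fragment, self.hash_name)
        # constant-time comparison; a wrong MAC corresponds to a bad_record_mac alert
        if not hmac.compare_digest(mac, expected):
            raise ValueError("bad_record_mac")
        self.expected_seq += 1
        return content_type, fragment


def demo(secret: bytes = b"\x01" * 20) -> dict:
    """Constructed scenario: one record delivered, then the same record replayed."""
    fragment = b"GET / HTTP/1.0\r\n"
    receiver = RecordReceiver(secret)
    record = protect_record(secret, 0, CT_APPLICATION_DATA, fragment)
    first = receiver.unprotect(record)
    try:
        receiver.unprotect(record)   # replay: expected seq_num is now 1, so the MAC fails
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    # The SSL MAC is not HMAC: the same key and message give a different tag.
    msg = struct.pack(">QBH", 0, CT_APPLICATION_DATA, len(fragment)) + fragment
    differs_from_hmac = (ssl3_mac(secret, 0, CT_APPLICATION_DATA, fragment)
                         != hmac.new(secret, msg, "sha1").digest())
    return {"first": first, "replay_rejected": replay_rejected,
            "differs_from_hmac": differs_from_hmac}


if __name__ == "__main__":
    print(demo())
```

The sequence number is never sent on the wire; both ends count records, which is why a replayed record fails MAC verification even though its bytes are unchanged.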

14 SSL Handshake Protocol
Function
- Client authenticates server; server authenticates client (optionally)
- Negotiate encryption, MAC algorithm, and cryptographic keys
Message format
- Type: one of the 10 messages (hello_request; client_hello; server_hello; etc.)
- Length
- Content: parameters

15 (figure only; no transcript text)

16 Comparison
(Figure: the simplified Alice/Bob exchange from slide 8 ("I want to talk to you", R_Alice; Certificate, R_Bob; E(KU_Bob, S); secure communication via keys derived from K) placed beside the corresponding SSL handshake messages.)

17
Nonce: timestamp (32 bit) + random number (28 bit), to prevent replay attacks
A client sends a client_hello message specifying:
- the highest TLS protocol version it supports
- a random number
- session ID
- a list of suggested cipher suites
- compression methods
The server responds with a server_hello message containing:
- the chosen protocol version
- a random number (independent from the one from the client)
- the chosen cipher suite
- the compression method, from the choices offered by the client
The server may also send a session ID to perform a resumed handshake:
- If the client's session ID is nonzero, the server uses the same one
- Otherwise, the server picks a new session

18 CipherSuite
Key exchange method
- RSA
- Fixed Diffie-Hellman: based on the public parameters in the server's certificate; fixed secret key
- Ephemeral Diffie-Hellman: one-time secret key; the most secure of the D-H options
- Anonymous Diffie-Hellman: no authentication; vulnerable to man-in-the-middle attacks
CipherSpec
- Cipher algorithm: RC4; RC2; DES; 3DES; ...
- MAC algorithm: MD5 or SHA-1
- CipherType: MD5 or SHA-1
- HashSize; IV size (for CBC mode); ...
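The hello exchange of slide 17 and the cipher-suite choice of slide 18 in working form, as an added example that is not from the lecture: a minimal server that processes a client_hello, picks the protocol version and cipher suite, and either resumes a cached session or creates a new one. The cipher-suite names are those of the SSL 3.0 specification; the server preference list, the session-cache layout and the `Server` class are constructed for this example. The random field follows the specification (32-bit time plus 28 random bytes). Anonymous D-H suites are kept out of the server's preference list, so the server never negotiates an unauthenticated key exchange.

```python
import os
import struct
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Cipher-suite names as written in the SSL 3.0 specification; the order is this
# example's constructed server policy (ephemeral D-H first, no anonymous D-H at all).
SERVER_PREFERENCE = [
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",   # ephemeral D-H, authenticated by RSA
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",       # RSA key exchange
    "SSL_RSA_WITH_RC4_128_SHA",
]
SUPPORTED_VERSIONS = [(3, 0), (3, 1)]      # SSL 3.0 and TLS 1.0, as (major, minor)


def make_random() -> bytes:
    """The hello random field: 32-bit gmt_unix_time followed by 28 random bytes."""
    return struct.pack(">I", int(time.time())) + os.urandom(28)


@dataclass
class ClientHello:
    version: tuple                 # highest version the client supports
    random: bytes
    session_id: bytes              # empty: ask for a new session
    cipher_suites: List[str]       # in the client's order of preference
    compression_methods: List[str]


@dataclass
class ServerHello:
    version: tuple
    random: bytes
    session_id: bytes
    cipher_suite: str
    compression_method: str
    resumed: bool


class Server:
    def __init__(self):
        # Session cache, session_id -> negotiated parameters (the slide's session state;
        # a real server also keeps the master secret here).
        self.sessions: Dict[bytes, dict] = {}

    def process_client_hello(self, hello: ClientHello) -> ServerHello:
        candidates = [v for v in SUPPORTED_VERSIONS if v <= hello.version]
        if not candidates:
            raise ValueError("protocol_version: no version in common")
        version = max(candidates)
        if "null" not in hello.compression_methods:
            raise ValueError("handshake_failure: no compression method in common")

        cached = self.sessions.get(hello.session_id) if hello.session_id else None
        if cached and cached["cipher_suite"] in hello.cipher_suites:
            # Resumed handshake: echo the client's session ID and reuse its cipher suite.
            return ServerHello(version, make_random(), hello.session_id,
                               cached["cipher_suite"], "null", resumed=True)

        # New session: first suite in *server* preference order that the client offered.
        chosen = next((s for s in SERVER_PREFERENCE if s in hello.cipher_suites), None)
        if chosen is None:
            raise ValueError("handshake_failure: no acceptable cipher suite")
        session_id = os.urandom(32)
        self.sessions[session_id] = {"cipher_suite": chosen, "version": version}
        return ServerHello(version, make_random(), session_id, chosen, "null", resumed=False)

    def try_client_hello(self, hello: ClientHello) -> Optional[ServerHello]:
        """Same as process_client_hello, but returns None where a server would send an alert."""
        try:
            return self.process_client_hello(hello)
        except ValueError:
            return None


if __name__ == "__main__":
    srv = Server()
    first = srv.process_client_hello(ClientHello((3, 1), make_random(), b"",
                                                 SERVER_PREFERENCE[::-1], ["null"]))
    print(first.cipher_suite, first.resumed)
    again = srv.process_client_hello(ClientHello((3, 1), make_random(), first.session_id,
                                                 [first.cipher_suite], ["null"]))
    print(again.cipher_suite, again.resumed)
```

Picking the suite by the server's preference rather than the client's is the usual defensive choice: a client that lists a weak suite first does not get it if the server also supports a stronger one the client offered.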

19 Server authentication and key exchange
Certificate message
- Required for all authenticated key exchanges, except anonymous D-H
- For fixed D-H, it contains the server's public D-H parameters
Server_key_exchange message
- Not used when (1) fixed D-H, since the certificate has the parameters; (2) RSA key exchange
- Needed for (1) anonymous D-H; (2) ephemeral D-H; (3) RSA key exchange where the server only has a signature-only RSA key
- Plus a signature: hash(client.random || server.random || ServerParameters)
Certificate_request message
- If a non-anonymous server wants to authenticate the client
Server_hello_done message
- No parameters

20 Goal: Client Authentication and Key Exchange
- Client verifies the CA-signed certificate from the server, and checks the server_hello parameters
- Certificate: if the server requested it
- Client_key_exchange, depending on the key exchange type:
  - RSA: generate a 48-byte pre-master secret S, then encrypt it: E(KU_Bob, S)
  - Ephemeral or anonymous D-H: the client's public D-H parameters
  - Fixed D-H: null; the parameters are in the certificate
- Certificate_verify: explicit verification of a client certificate; only sent following a client certificate that has signing capability

21 Change Cipher Spec Protocol
Master secret creation
  master_secret = MD5(pre_master_secret || SHA('A' || pre_master_secret || client.random || server.random)) ||
                  MD5(pre_master_secret || SHA('BB' || pre_master_secret || client.random || server.random)) ||
                  MD5(pre_master_secret || SHA('CCC' || pre_master_secret || client.random || server.random))
Generation of session keys (e.g., client write MAC secret, ...)
Change_cipher_spec
Finished: verifies that key exchange and authentication are successful
- The content of the finished message is the concatenation of two hash values:
  - MD5(master_secret || pad2 || MD5(handshake_msg || sender || master_secret || pad1))
  - SHA1(master_secret || pad2 || SHA1(handshake_msg || sender || master_secret || pad1))
- Remember HMAC?
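The derivations on slide 21 carried out in code, as an added example that is not part of the lecture: the master secret from the pre-master secret and both randoms (this is the concrete form of slide 8's K = Hash(S, R_Alice, R_Bob)), the key block from which the connection keys of slide 11 are cut, and the Finished hashes. The formulas, pad sizes and the "CLNT"/"SRVR" sender constants follow the SSL 3.0 specification; the pre-master secret, the randoms, the handshake transcript and the key sizes used in `demo()` are constructed values.

```python
import hashlib
import struct

# SSL 3.0 pads: 48 bytes for the MD5 path, 40 bytes for the SHA-1 path.
PAD1_MD5, PAD2_MD5 = b"\x36" * 48, b"\x5c" * 48
PAD1_SHA, PAD2_SHA = b"\x36" * 40, b"\x5c" * 40
# Sender constants of the Finished message ("CLNT" and "SRVR" as 32-bit values).
SENDER_CLIENT = struct.pack(">I", 0x434C4E54)
SENDER_SERVER = struct.pack(">I", 0x53525652)


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def ssl3_master_secret(pre_master_secret: bytes, client_random: bytes,
                       server_random: bytes) -> bytes:
    """master_secret = MD5(pre || SHA('A' || pre || cr || sr)) || ... 'BB' ... || ... 'CCC' ..."""
    out = b""
    for label in (b"A", b"BB", b"CCC"):
        out += _md5(pre_master_secret
                    + _sha1(label + pre_master_secret + client_random + server_random))
    return out  # 3 x 16 = 48 bytes


def ssl3_key_block(master_secret: bytes, client_random: bytes,
                   server_random: bytes, length: int) -> bytes:
    """Same construction iterated with labels 'A', 'BB', 'CCC', 'DDDD', ...;
    note that server_random comes before client_random in the key block."""
    out, i = b"", 0
    while len(out) < length:
        label = bytes([ord("A") + i]) * (i + 1)
        out += _md5(master_secret
                    + _sha1(label + master_secret + server_random + client_random))
        i += 1
    return out[:length]


def derive_session_keys(master_secret: bytes, client_random: bytes, server_random: bytes,
                        hash_size: int = 20, key_size: int = 24, iv_size: int = 8) -> dict:
    """Cut the key block into the connection-state keys (sizes here: SHA-1 MAC, 3DES, CBC IV)."""
    block = ssl3_key_block(master_secret, client_random, server_random,
                           2 * (hash_size + key_size + iv_size))
    names = ["client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [hash_size, hash_size, key_size, key_size, iv_size, iv_size]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def ssl3_finished(master_secret: bytes, handshake_messages: bytes, sender: bytes) -> bytes:
    """MD5(ms || pad2 || MD5(handshake || sender || ms || pad1)) || SHA1(... same with SHA1 ...)"""
    md5_part = _md5(master_secret + PAD2_MD5
                    + _md5(handshake_messages + sender + master_secret + PAD1_MD5))
    sha_part = _sha1(master_secret + PAD2_SHA
                     + _sha1(handshake_messages + sender + master_secret + PAD1_SHA))
    return md5_part + sha_part  # 16 + 20 = 36 bytes


def demo() -> dict:
    """Constructed handshake values; both sides derive the same keys from the same inputs."""
    pre_master = b"\x03\x00" + bytes(range(46))   # 48 bytes; starts with the client version
    cr, sr = bytes([0x11] * 32), bytes([0x22] * 32)
    transcript = b"client_hello||server_hello||certificate||server_hello_done||client_key_exchange"
    ms_client = ssl3_master_secret(pre_master, cr, sr)
    ms_server = ssl3_master_secret(pre_master, cr, sr)
    return {
        "same_master": ms_client == ms_server,
        "master_len": len(ms_client),
        "keys": derive_session_keys(ms_client, cr, sr),
        "client_finished": ssl3_finished(ms_client, transcript, SENDER_CLIENT),
        "server_finished": ssl3_finished(ms_server, transcript, SENDER_SERVER),
    }


if __name__ == "__main__":
    print(demo())
```

Because the randoms enter the derivation, a captured E(KU_Bob, S) replayed in a later handshake yields a different master secret: the new server random changes K even though S is unchanged, which is the replay argument of slide 8 made concrete.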

22 Protocol messages: Wireshark output (figure)

23 Other two protocols
Change Cipher Spec Protocol
- Uses the SSL record protocol
- Updates the cipher suite to be used on this connection
Alert Protocol
- Control and management protocol

24 SSL vs. TLS
- Netscape originated SSL v2 in Navigator 1.1 in 1995
- SSL v2 is flawed in a variety of ways
- SSL v3 is most commonly deployed
- IETF formed a TLS working group: "The TLS protocol itself is based on the SSL 3.0 Protocol Specification as published by Netscape. The differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate (although TLS 1.0 does incorporate a mechanism by which a TLS implementation can back down to SSL 3.0)"
- TLS mandated the use of DSS instead of RSA
Further Reading
- http://en.wikipedia.org/wiki/Transport_Layer_Security
- http://tools.ietf.org/html/rfc2246

25 SSL in practice
SSL is used in many services
- The SSL protocol can be used to protect the transmission of any TCP/IP service
- SSL protects the HTTP protocol: HTTPS (details in the Web Security class)
- SSL protects email sending and receiving (SMTP, POP3, etc.)
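Slide 25 names the services SSL protects and slide 24 notes that SSL v2 is flawed; the following Python code is an added example (not from the lecture) of how a client configures that protection today with the standard-library `ssl` module: certificate verification with hostname checking, a minimum protocol version so that neither SSL version is ever negotiated, and the same context reused for HTTPS and for SMTP with STARTTLS. The two network functions are shown for use; only `make_client_context` and `context_summary` run offline. Host names and ports are parameters, not values from the page.

```python
import smtplib
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """Client-side context: verify the server certificate against the system CA store,
    check the hostname, and refuse SSL 2.0/3.0 and TLS 1.0/1.1."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # nothing older is offered or accepted
    ctx.options |= ssl.OP_NO_COMPRESSION          # no record-layer compression
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Report the settings a reviewer would check on a client context."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": bool(ctx.check_hostname),
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "compression_off": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def https_head(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """SSL protecting HTTP: open a TLS connection, send a HEAD request, report the negotiation.
    Network call; not exercised offline."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname drives both SNI and the hostname check of the certificate
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            status_line = tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
            return {"version": tls.version(), "cipher": tls.cipher()[0], "status": status_line}


def smtp_starttls_version(host: str, port: int = 587, timeout: float = 5.0) -> str:
    """SSL protecting email submission: upgrade a plain SMTP session with STARTTLS using
    the same verified context, and return the negotiated protocol version.
    Network call; not exercised offline."""
    ctx = make_client_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)   # raises ssl.SSLError if verification fails
        smtp.ehlo()
        return smtp.sock.version()


if __name__ == "__main__":
    print(context_summary(make_client_context()))
```

The `minimum_version` setting is the practical answer to slide 24: rather than relying on the peer to "back down" gracefully, the client simply does not speak SSL 3.0 at all.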

26 Further Reading
- RFC 2246, TLS: http://tools.ietf.org/html/rfc2246
- RFC 2818, HTTP over TLS: http://tools.ietf.org/html/rfc2818
- http://www.ourshop.com/resources/ssl_step1.html
- http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html
