Presentation is loading. Please wait.

Presentation is loading. Please wait.

@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.

Published byMarian Bryant Modified over 8 years ago

Similar presentations

Presentation on theme: "@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013."— Presentation transcript:

1 @Yuan Xue (yuan.xue@vanderbilt.edu) CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013

2 @Yuan Xue (yuan.xue@vanderbilt.edu) SSL Overview Goal -- secure connection between client and server Data confidentiality Data integrity Source authentication Secure a connection vs. secure a datagram(message/packet) Connectionless security service  PGP  secure a single message transmission Connection-oriented security service  SSL  Connection  reliable data transmission  Secure a data stream  Data in this stream share the same key(s)  Need handshake for key establishment SSL is built on top of TCP Link Network Transport Application SSL PGP TCP

3 @Yuan Xue (yuan.xue@vanderbilt.edu) SSL Security Solution Overview How? Authentication  public-key based authentication Confidentiality  Symmetric encryption Integrity  Symmetric-key based MAC Two Main “Phases” Handshake Data communication Authentication Key Distribution Data Communication Certificate Shared secret key 1 for encryption Shared secret key 2 for MAC Initialization vector for mode of operation

4 @Yuan Xue (yuan.xue@vanderbilt.edu) SSL Design Data Communication with Confidentiality and Integrity Application data fragment MAC Encrypted Buffer TCP

5 @Yuan Xue (yuan.xue@vanderbilt.edu) SSL Design Authentication and Key Distribution Before we get into the detailed design Who should get authenticated?  Server? Client? Both?  Let’s start with server authentication What are the authentication mechanisms?  Symmetric-key, asymmetric-key  Let’s go with asymmetric-key-based authentication  And public-key-based key distribution

6 @Yuan Xue (yuan.xue@vanderbilt.edu) Public-Key-Based Secret Key Distribution Goal: Alice and Bob shares a secret key, no one else Comment: Bob does not need to know Alice’s identity Let’s look at a simple solution Alice Bob KU B E[KU B, K s ] Any security problem?

7 @Yuan Xue (yuan.xue@vanderbilt.edu) Let’s see how SSL solve the problem…

8 @Yuan Xue (yuan.xue@vanderbilt.edu) SSL Design Authentication and Secret Key Establishment Use public key to distribute secret key Use certificate to authenticate Bob, bind Bob with his public key K = Hash (S, R Alice, R Bob ) Nonce Pre-master Secret K = Hash (S, R Alice, R Bob ) Master Secret AliceBob I want to talk to you, R Alice Certificate, R Bob E(KU bob,S) Secure communication via keys derived from K Let’s go over all the previous attacks, would they work?

9 @Yuan Xue (yuan.xue@vanderbilt.edu) SSL Design Details Key hierarchy Master secret key: between client and server Session secret key: for each connection Choice of cryptographic algorithms Symmetric ciphers  Block ciphers: DES, 3DES, IDEA, etc  Stream ciphers: RC4 (RC4-40, RC4-128) MACs  HMAC? -- Well … a similar one, replace XOR with concatenation  Either MD5 or SHA-1 How does Bob know what ciphers Alice wants to use? Other considerations Authentication of client What if RSA can not be used?

10 @Yuan Xue (yuan.xue@vanderbilt.edu) Finally … Full Version of SSL SSL consists of two layers of protocols SSL Record Protocol  Basic security services to higher layer protocols, e.g., HTTP SSL Handshake Protocol  Server and client authenticate each other  Negotiate encryption, MAC algorithm, and cryptographic keys SSL Change Cipher Spec Protocol SSL Alert Protocol Confidentiality Message integrity Management of SSL exchange SMTP, etc

11 @Yuan Xue (yuan.xue@vanderbilt.edu) SSL session vs. SSL connection Session state  Session ID  Master secret key  Cipher spec data encryption algorithm (DES, IDEA..) hash function (MD5, SHA-1, … ) cryptographic attribute (hash size)  peer certificate  compression method  Is resumable Whether the session can be used to initiate new connections Session Connection Connection state  Server and client random  Server write MAC secret The secret key used in MAC send by the server  Client write MAC secret  Server write key Encryption key for data encrypted by the server and decrypted by the client  Client write key  Initialization vectors  Seq number

12 @Yuan Xue (yuan.xue@vanderbilt.edu) SSL Record Protocol Services Confidentiality – symmetric encryption Message Integrity – MAC Application data fragment MAC Encrypted compress Encrypted SSL record header Content type Version Compressed length

13 @Yuan Xue (yuan.xue@vanderbilt.edu) MAC Structure 36 in hex repeated 5C in hex repeated MAC(MAC_write_secret,M) = H[(MAC_write_secret || Pad2) ||H[(MAC_write_secret || Pad1) ||seq_num|| type||length||M]] Similar to HMAC Difference – SSL uses concatenation, HMAC uses XOR

14 @Yuan Xue (yuan.xue@vanderbilt.edu) SSL Handshake Protocol Function Client authenticates server; server authenticate client (optionally) Negotiate encryption, MAC algorithm, and cryptographic keys Message format Type: one of the 10 messages  Hell_request; client_hello; server_hello;etc.. Length Content: parameters

15 @Yuan Xue (yuan.xue@vanderbilt.edu)

16 Comparison AliceBob I want to talk to you, R Alice Certificate, R Bob E(KU bob,S) Secure communication via keys derived from K E(KU bob,S) Certificate, R Bob Secure communication via keys derived from K

17 @Yuan Xue (yuan.xue@vanderbilt.edu) Nonce: Timestamp(32 bit) + random number(28 bit)  Prevent replay attack A client sends a client_hello message specifying highest TLS protocol version it supports a random number session ID a list of suggested cipher suites compression methods. T The server responds with a server_hello message containing chosen protocol version a random number (independent from the one from the client) chosen cipher suite compression method from the choices offered by the client. The server may also send a session id to perform a resumed handshake If client’s session ID is nonzero  server use the same one Otherwise  server picks a new session

18 @Yuan Xue (yuan.xue@vanderbilt.edu) CipherSuite Key exchange method RSA Fixed Diffie-Hellman: based on public parameter in server’s CA; fixed secret key Ephemeral Diffie-Hellman: one time secret key; most secure D-H options Anonymous Diffie-Hellman: no authentication, vulnerable to man-in-the-middle attacks CipherSpec Cipher Algorithm: RC4; RC2; DES, 3DES, … MAC Algorithm: MD5 or SHA-1 CipherType: MD5 or SHA-1 HashSize; IV Size (for CBC mode)…

19 @Yuan Xue (yuan.xue@vanderbilt.edu) Server authentication and key exchange Certificate message  Required for all authenticated key change, except anonymous D-H  For Fixed D-H, it contains servers public D-H parameters Server_key_exchange message  Not used when (1) fixed D-H, certificate has parameter; (2) RSA key exchange  Needed: (1) Anonymous D-H; (2) Ephemeral D-H; (3) RSA key exchange, but server only has a signature-only RSA key.  Plus a signature: hash (client.random||server.random||ServerParameters) Certificate_request message  If a non-anonymous server wants to authenticate client Server_hello_done message  No parameter

20 @Yuan Xue (yuan.xue@vanderbilt.edu) Goal: Client Authentication and Key exchange Client verifies CA from server Check server_hello parameters Certificate If server requested it Client_key_exchange – depend on the key exchange type RSA: generate 48-byte pre-master secret S, then encrypt  E(KU bob,S) Ephemeral or anonymous D-H: client ’ s public D-H parameters Fixed D-H: null, parameters are in certificate Certificate_verify Explicit verification of a client certificate; only sent following any client certificate that has signing capability

21 @Yuan Xue (yuan.xue@vanderbilt.edu) Change_cipher_spec Master Secret Creation Master_secret = MD5(pre_master_secret||SHA(`A ’ ||pre_master_secret||client.random||server.random ))|| MD5(pre_master_secret||SHA(`BB ’ ||pre_master_secret||client.random||server.random)) ||MD5(pre_master_secret||SHA(`CCC ’ ||pre_master_secret||client.random||server.ran dom)) Finished – verifies key exchange and authentication are successful The content of the finished message is the concatenation of two hash values  MD5(master_secret||pad2||MD5(handshake_msg||sender||master_secret||pad1))  SHA1(master_secret||pad2||SHA1(handshake_msg||sender||master_secret||pad1)) Generation of session keys (e.g., client write MAC secret … ) Remember HMAC? Change Cipher Spec Protocol

22 @Yuan Xue (yuan.xue@vanderbilt.edu) Protocol messages - WiredShark Output

23 @Yuan Xue (yuan.xue@vanderbilt.edu) Other two protocols Change Cipher Spec Protocol Use SSL record protocol Update the cipher suite to be used on this connection Alert Protocol Control and management protocol

24 @Yuan Xue (yuan.xue@vanderbilt.edu) SSL vs. TLS Netscape originated SSL v2 in Navigator 1.1 in 1995 SSL v2 is flawed in a variety of ways SSL v3 is most commonly deployed IETF formed a TLS working group “The TLS protocol itself are based on the SSL 3.0 Protocol Specification as published by Netscape. The differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate (although TLS 1.0 does incorporate a mechanism by which a TLS implementation can back down to SSL 3.0)” TLS mandated the use of DSS instead of RSA Further Reading http://en.wikipedia.org/wiki/Transport_Layer_Security http://tools.ietf.org/html/rfc2246

25 @Yuan Xue (yuan.xue@vanderbilt.edu) SSL in practice SSL is used in many services SSL protocol can be used to protect the transmission for any TCP/IP service. SSL protects the HTTP protocol  HTTPS  Details in Web Security Class SSL protects email sending and receiving (SMTP,POP3,etc)

26 @Yuan Xue (yuan.xue@vanderbilt.edu) Further Reading RFC2246 TLS: http://tools.ietf.org/html/rfc2246 RFC2818 HTTP over TLS: http://tools.ietf.org/html/rfc2818 http://www.ourshop.com/resources/ssl_step1.html http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html

Download ppt "@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013."

Similar presentations

Web security: SSL and TLS

Web security: SSL and TLS
Lecture 6: Web security: SSL

Lecture 6: Web security: SSL
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
SMUCSE 5349/49 SSL/TLS. SMUCSE 5349/7349 Layers of Security.

SMUCSE 5349/49 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
Cryptography and Network Security

Cryptography and Network Security
Secure Socket Layer.

Secure Socket Layer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Web Security (SSL / TLS)

Web Security (SSL / TLS)
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security.

Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security.
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.

December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17

Similar presentations

Ads by Google