Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography CS 555 Topic 34: SSL/TLS.

Published byGyles Blake Modified over 6 years ago

Similar presentations

Presentation on theme: "Cryptography CS 555 Topic 34: SSL/TLS."— Presentation transcript:

1 Cryptography CS 555 Topic 34: SSL/TLS

2 Recap Digital Signatures Attacks on Plain RSA Signatures RSA-FDH
Secure Identification Scheme + Fiat Shamir Transform Digital Signature Standard

3 What Does It Mean to “Secure Information”
Confidentiality (Security/Privacy) Only intended recipient can see the communication Integrity (Authenticity) The message was actually sent by the alleged sender I love you Alice… - Bob We need to break up -Bob Alice Bob

4 Signcryption: Authenticity + Confidentiality
Public Key: pk=(vk,ek) vk is used to verify messages ek is used to encrypt messages Secret Key: sk=(dk,sk) dk is used to decrypt messages sk is used to sign messages Goal: Design a mechanism that allows a sender S to send a message m to a receiver R Integrity Secrecy

5 Attempt 1: Encrypt then Authenticate
Sender S computes c= Enc 𝐞𝐤 𝐑 𝑚 and sends R 𝑆,𝑐, Sign 𝐬𝐤 𝐒 𝑐 Receiver R decrypts c and then validates the signature This is the approach we used to build Authenticated Encryption with MACs Any problems here?

6 Attempt 1: Encrypt then Authenticate
𝐵𝑜𝑏,𝑐, Sign 𝐬𝐤 𝐁 𝑐 Devil,𝑐, Sign 𝐬𝐤 𝐃𝐞𝐯𝐢𝐥 𝑐 I wrote you this poem… I wrote you this poem… Alice Bob

7 Attempt 1: Encrypt then Authenticate
Sender S computes c= Enc 𝐞𝐤 𝐑 𝑚 and sends R 𝑆,𝑐, Sign 𝐬𝐤 𝐒 𝑐 Receiver R decrypts c and then validates the signature This is the approach we used to build Authenticated Encryption with MACs Another Issue: How can R convince judge that sender S signed the message m? Judge can verify that S signed the ciphertext, but needs R’s key to decrypt c.

8 Attempt 2: Authenticate then Encrypt
Sender S computes σ= Sign 𝐬𝐤 𝐒 𝑚 and sends R 𝑆, Enc 𝐞𝐤 𝐑 𝑚∥σ Receiver R decrypts ciphertext to obtain m and then validates the signature σ Solve the issue of non-repudiation. Receiver obtains a signature σ for m Any other Issues?

9 Attempt 2: Authenticate then Encrypt
You are despicable Alice 𝐵𝑜𝑏, Enc 𝐞𝐤 𝐀𝐥𝐢𝐜𝐞 𝑚∥σ 𝐵𝑜𝑏, Enc 𝐞𝐤 𝐃𝐞𝐯𝐢𝐥 𝑚∥σ You are despicable Bob

10 Attempt 3: Sender S computes σ= Sign 𝐬𝐤 𝐒 𝑚∥𝑅 and sends R
𝑆, Enc 𝐞𝐤 𝐑 𝑆∥𝑚∥σ This works  So does encrypt then authenticate with c= Enc 𝐞𝐤 𝐑 𝑆∥𝑚 𝑆,𝑐, Sign 𝐬𝐤 𝐒 𝑐∥𝑅 Rule of Thumb: When signing a message with your secret key include identity of receiver When encrypting message with someone’s public key include your identity in message

11 Transport Security Layer (TLS)
Standardized protocol based on processor SSL (Secure Socket Layer) Used for https connections by your browser Multiple Versions TLS 1.0, 1.1, 1.2 (version 1.3 in progress ) We will focus only on high level details

12 Transport Security Layer (TLS)
First Goal: Agree on a set of keys For Confidentiality Also Authentication Handshake Precondition: Client has a subset of {pk1,…pkn} --- public keys for several Certificate Authorities Server has a key-pair (pks,sks) for a KEM Client C begins by sending S a message indicating Protocol Versions + Ciphertext suites that he can run A random “nonce” NC

13 Transport Security Layer (TLS)
Client C begins by sending S a message indicating Protocol Versions + Ciphertext suites that he can run A random “nonce” NC S responds by selecting the most recent version of the protocol it supports as well as an appropriate ciphersuite Also sends pkS and certificate 𝑐𝑒𝑟𝑡 𝑖→𝑆 (signed message form certificate authority i validating pkS) A nonce NS C checks to see if it has pki for CAi. Yes? Verify the certificate and ensure that it is not expired/revoked No? Abort/Ask Again

14 Transport Security Layer (TLS)
Client C begins by sending S a message indicating Protocol Versions + Ciphertext suites that he can run A random “nonce” NC S responds by selecting the most recent version of the protocol it supports as well as an appropriate ciphersuite Also sends pkS and certificate 𝑐𝑒𝑟𝑡 𝑖→𝑆 (signed message form certificate authority i validating pkS) A nonce NS C checks to see if it has pki for CAi. Assuming pkS is validated… C runs 𝑐,𝑝𝑚𝑘 ← Encaps 𝑝𝑘 𝑆 1 𝑛 (pmk is pre-master key) C sends c to S (who will later use c and skS to recover pmk) C computes mk=KDF(pmk,NC,NS) (mk is master key) C computes four keys kC,kC’,kS,kS’= PRG(mk) C computes 𝜏 𝐶 ← MAC 𝑚𝑘 𝑡𝑟𝑎𝑛𝑠𝑐𝑟𝑖𝑝𝑡 and sends 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 , MAC 𝑘′ 𝑐 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 to S

15 Transport Security Layer (TLS)
Client Sends Message Sever Sends Message Encryption kC kS MAC kC’ kS’ Client C begins by sending S a message indicating Protocol Versions + Ciphertext suites that he can run A random “nonce” NC S responds by selecting the most recent version of the protocol it supports as well as an appropriate ciphersuite Also sends pkS and certificate 𝑐𝑒𝑟𝑡 𝑖→𝑆 (signed message form certificate authority i validating pkS) A nonce NS C checks to see if it has pki for CAi. Assuming pkS is validated… C runs 𝑐,𝑝𝑚𝑘 ← Encaps 𝑝𝑘 𝑆 1 𝑛 (pmk is pre-master key) C sends c to S who recovers pmk C computes mk=KDF(pmk,NC,NS) (mk is master key) C computes four keys kC,kC’,kS,kS’= PRG(mk) C computes 𝜏 𝐶 ← MAC 𝑚𝑘 𝑡𝑟𝑎𝑛𝑠𝑐𝑟𝑖𝑝𝑡 and sends 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 , MAC 𝑘′ 𝑐 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 to S

16 Transport Security Layer (TLS)
C checks to see if it has pki for CAi. Assuming pkS is validated… C runs 𝑐,𝑝𝑚𝑘 ← Encaps 𝑝𝑘 𝑆 1 𝑛 (pmk is pre-master key) C sends c to S who recovers pmk C computes mk=KDF(pmk,NC,NS) (mk is master key) C computes four keys kC,kC’,kS,kS’= PRG(mk) C computes 𝜏 𝐶 ← MAC 𝑚𝑘 𝑡𝑟𝑎𝑛𝑠𝑐𝑟𝑖𝑝𝑡 and sends 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 , MAC 𝑘′ 𝑐 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 to S Sever Computes 𝑝𝑚𝑘← Decaps 𝑠𝑘 𝑆 𝑐 Computes mk=KDF(pmk,NC,NS) (mk is master key) Computes four keys kC,kC’,kS,kS’= PRG(mk) Validates 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 , MAC 𝑘′ 𝑐 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 by Decrypt 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 with to obtain 𝜏 𝐶 If Vrfy 𝑘′ 𝑐 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 , MAC 𝑘′ 𝑐 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 ≠1 or Vrfy 𝑚𝑘 𝑡𝑟𝑎𝑛𝑠𝑐𝑟𝑖𝑝𝑡, 𝜏 𝐶 ≠1 then abort Otherwise server and client agree so far on communication

17 Transport Security Layer (TLS)
Sever Computes 𝑝𝑚𝑘← Decaps 𝑠𝑘 𝑆 𝑐 Computes mk=KDF(pmk,NC,NS) (mk is master key) Computes four keys kC,kC’,kS,kS’= PRG(mk) Validates 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 , MAC 𝑘′ 𝑐 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 by Decrypt 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 with to obtain 𝜏 𝐶 If Vrfy 𝑘′ 𝑐 𝜏 𝐶 , MAC 𝑘′ 𝑐 𝐸𝑛𝑐 𝑘 𝑐 𝜏 𝐶 ≠1 or Vrfy 𝑚𝑘 𝑡𝑟𝑎𝑛𝑠𝑐𝑟𝑖𝑝𝑡, 𝜏 𝐶 ≠1 then abort Otherwise server and client agree so far on communication S computes 𝜏 𝑆 ← MAC 𝑚𝑘 𝑡𝑟𝑎𝑛𝑠𝑐𝑟𝑖𝑝𝑡′ and sends 𝐸𝑛𝑐 𝑘 𝑆 𝜏 𝑆 , MAC 𝑘′ 𝑆 𝐸𝑛𝑐 𝑘 𝑆 𝜏 𝐶 to C Client validates 𝜏 𝑆 ; otherwise aborts

18 Security Intuition C verifies certificate so it knows it is talking to S Knows that only legitimate S can learn pmk and mk If protocol finishes successfully then C knows that it shares four keys kC,kC’,kS,kS’ with S MAC on transcript? Ensures consistency Man-in-the-Middle attacker may attempt to modify ciphersuite E.g., force C and S to use old version of cipher with security bugs etc…

19 Transport Security Layer (TLS)
Record Layer Protocol once C and S share keys they start communication Sequence numbers prevent replay attacks TLS 1.2 used authenticate-then-encrypt (can be problematic) Client Sends Message Sever Sends Message Encryption kC kS MAC kC’ kS’

20 Building Authenticated Encryption
Attempt 3: (Authenticate-then-encrypt) Let Enc 𝐾 𝐸 ′ 𝑚 be a CPA- Secure encryption scheme and let Mac 𝐾 𝑀 ′ 𝑚 be a secure MAC. Let 𝐾= 𝐾 𝐸 , 𝐾 𝑀 then 𝐸𝑛𝑐 𝐾 𝑚 = Enc 𝐾 𝐸 ′ 𝑚∥𝑡 , where t=Mac 𝐾 𝑀 ′ 𝑚 Can be problematic for some CPA-Secure schemes…

21 Building Authenticated Encryption
Attempt 3: (Authenticate-then-encrypt) Let Enc 𝐾 𝐸 ′ 𝑚 be a CPA- Secure encryption scheme and let Mac 𝐾 𝑀 ′ 𝑚 be a secure MAC. Let 𝐾= 𝐾 𝐸 , 𝐾 𝑀 then 𝐸𝑛𝑐 𝐾 𝑚 = Enc 𝐾 𝐸 ′ 𝑚∥𝑡 , where t=Mac 𝐾 𝑀 ′ 𝑚 𝐷𝑒𝑐 𝐾 𝑐 = 𝑚 = Dec 𝐾 𝐸 ′ 𝑐 . If 𝑚 is not padded correctly return “bad padding” Parse as 𝑚∥𝑡. If Vrfy 𝐾 𝑀 ′ 𝑚,𝑡 =1 return m. otherwise output “authentication failure”

22 Building Authenticated Encryption
𝐷𝑒𝑐 𝐾 𝑐 = 𝑚 = Dec 𝐾 𝐸 ′ 𝑐 . If is not padded correctly return “bad padding” Parse as 𝑚∥𝑡. If Vrfy 𝐾 𝑀 ′ 𝑚,𝑡 =1 return m. otherwise output “authentication failure” It is hard to ensure that the error messages cannot be distinguished! Timing Attacks Debugging Generic Integration of MAC scheme with Encryption scheme?

23 Next Class: Multiparty Computation
Finished with Katz and Lindell! Read Wikipedia entry on Secure Multi-party computation Read Katz and Lindell page (commitment schemes) OK, almost done 

Download ppt "Cryptography CS 555 Topic 34: SSL/TLS."

Similar presentations

Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.

Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Cryptography and Network Security

Cryptography and Network Security
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Internet Security Protocols

Internet Security Protocols
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
EECC694 - Shaaban #1 lec #16 Spring2000 5-4-2000 Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Cryptography 101 Frank Hecker

Cryptography 101 Frank Hecker
How HTTPS Works J. David Giese. Hyper Text Transfer Protocol BrowserHTTP Server GET / HTTP/1.1 HOST: edge-effect.github.io HEADERS BODY HTTP/1.1 200 OK.

How HTTPS Works J. David Giese. Hyper Text Transfer Protocol BrowserHTTP Server GET / HTTP/1.1 HOST: edge-effect.github.io HEADERS BODY HTTP/ OK.
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Introduction to Secure Sockets Layer (SSL) Protocol Based on: https://developer.mozilla.org/En/Introduction_to_SSL#The_SSL_Protocol.

Introduction to Secure Sockets Layer (SSL) Protocol Based on:
Cryptography and Network Security (CS435) Part Fourteen (Web Security)

Cryptography and Network Security (CS435) Part Fourteen (Web Security)

Similar presentations

Ads by Google