Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 4095 Transport Layer Security TLS

Published byOz Onay Modified over 5 years ago

Similar presentations

Presentation on theme: "CSE 4095 Transport Layer Security TLS"— Presentation transcript:

1 CSE 4095 Transport Layer Security TLS

2 So far… Link layer security IP (network) layer security
In particular, security for WiFi network IP (network) layer security IPSec and its usage for VPNs BGP security We have already seen (flavors of) TLS WiFi security: EAP-TLS, EAP-TTLS TLS used in VPNs TLS Most important security protocol for the Internet!

3 SSL/TLS SSL (Secure Sockets Layer), predecessor of TLS
mechanisms: [Woo 1994], implementation: Netscape SSL V1 never published (many flaws) SSL V2 1995, deprecated in 2011 SSL V3 1996, deprecated in 2015 TLS (Transport Layer Security) Substitute SSL in 1999; standardized by IETF TLS 1.0, RFC 2246, 1999 TLS 1.1, RFC 4346, 2006 TLS 1.2, RFC 5246, 2008 TLS 1.3, working draft as of now

4 Goals of SSL/TLS Between two end hosts
Allows client and server to communicate while preventing eavesdropping and tampering Provide Confidentiality (symmetric key encryption) Message integrity check (through MAC) Authentication (public key crypto)

5 Usage of SSL/TLS Implemented in all (major) web browsers
Widely used in web browsing (HTTPS), , instant messaging, voice-over-IP (VoIP), … Major websites (including Google, YouTube, Facebook) use TLS

6 Think about Google or YouTube
Desired properties Indeed the other side is Google or YouTube server Confidentiality: your query, the video you choose Content from Google or YouTube has not been modified Does TLS give you all the desired properties?

7 application with SSL/TLS
SSL/TLS and TCP/IP Application TCP IP normal application Application SSL/TLS TCP IP application with SSL/TLS SSL/TLS: user-level process SSL/TLS provides API to any application that uses TCP SSL libraries/classes readily available for programming languages (C, Java, python…)

8 TLS for UDP? Datagram Transport Layer Security (DTLS)
First proposed in NDSS, 2004 RFC 4347, 2006 Applications in VPN some web browsers for real-time communication

9 TLS Handshaking protocol Record protocol
enable authentication and session key establishment peers agree upon security parameters for the record layer report error conditions Record protocol Lower layer protocol to support handshaking protocol and application data protocol

10 Handshaking protocol Three sub-protocols Handshake Protocol
Change Cipher Spec Protocol Alert Protocol

11 Handshake Protocol Overview
Runs between a client and a server e.g., client: web browser, server: website Negotiate version of the protocol and the set of cryptographic algorithms to be used Interoperability between different implementations Authenticate server and client (optional) Use digital certificates to learn each other’s public keys and verify each other’s identity Often only the server is authenticated Use public keys to establish a shared secret

12 Handshake Protocol Diagram

13 TLS connection parameters
Two connection ends (client, server) Bulk encryption algorithm MAC algorithm Compression algorithm Master secret (48 bytes) Client random (32 byte) Server random (32 byte)

14 ClientHello ClientRandom structure (32 bytes) SessionID
Client Timestamp Random 28 byte string SessionID can be empty / it is used for resuming a previous session Ciphersuite list List of cryptographic algorithms supported by the client Key exchange algorithm, bulk encryption algorithm, MAC algorithm, and PRF Compression list List of compression algorithms

15 ClientHello Example TLS 1.0

16 ServerHello

17 ServerHello Example

18 Server Certificate server provides its certificate to authenticate its name on the public-key it provides to the client Certificate type MUST be X.509v3, unless explicitly negotiated otherwise

19 ClientKeyExchange message
Used to set the premaster secret that will allow each side to agree upon the same pre-master secret. By transmitting the RSA-encrypted secret or Diffie-Hellman parameters

20 Client Authentication
CertificateRequest : server will use this message to request a certificate-based authentication from the client. Certificate : response to a CertificateRequest message. This will be sent before ClientKeyExchange

21 Computing master secret
convert the pre_master_secret into the master_secret Master secret 48 bytes master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random) [0..47];

22 Key generation master secret is expanded into a sequence of secure bytes split into client MAC key server MAC key client encryption key server encryption key client initialization vector (IV) server initialization vector (IV)

23 Finished message To verify key exchange and authentication processes were successful It is the first message protected with the just negotiated algorithms, keys, and secrets Recipients of Finished messages MUST verify that the contents are correct By sending verify_data PRF(master_secret, finished_label, Hash(handshake_messages)) use all handshake msgs up to, but not including this msg

24 TLS Example

25 Why need two random nonces?
client.random in ClientHello server.random in ServerHello Deal with playback attacks They are used to calculate master secret key Different nonces lead to different master secret key, and hence different sub-keys

26 If no random nonces is being used
Suppose that an attack records all messages between client (Alice) and server (Bob) Initial messages are not encrypted Later messages are encrypted e.g., This is a transaction that Alice orders a laptop from Bob (Amazon.com) Attacker replays all messages at a later time Same master key will be established between attacker and server (Amazon.com) No client authentication Alice will be charged to get another laptop! Attacker can launch the attack although he does not understand every message

27 Why need Finished message?
protect handshake from tampering (Finished messages are encrypted) client typically offers range of algorithms, some strong, some weak man-in-the middle could delete stronger algorithms from list Server is forced to choose a weak algorithm Verify server and client have the same master key

Download ppt "CSE 4095 Transport Layer Security TLS"

Similar presentations

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS 4362 - CIS 5357 Network Security.

1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS CIS 5357 Network Security.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Secure Socket Layer.

Secure Socket Layer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
SSL: Secure Sockets Layer

SSL: Secure Sockets Layer
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Web Security (SSL / TLS)

Web Security (SSL / TLS)
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security.

Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.

8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 9 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 9 Wenbing Zhao Department of Electrical and Computer Engineering.
0 SSL3.0 / TLS1.0 Secure Communication over Insecure Line.

0 SSL3.0 / TLS1.0 Secure Communication over Insecure Line.
Seguridad en Sistemas de Información Francisco Rodríguez Henríquez SSL/TLS: An Introduction.

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez SSL/TLS: An Introduction.
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.

Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Similar presentations

Ads by Google