Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

Published byChandler Hamblen Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET."— Presentation transcript:

1 1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET

2 2 History of SSL/TLS SSL (secure socket layer) v2 –Released in 1995 with Netscape 1.1 –Key generation algorithm kept secret –Reverse engineered & broken by Wagner & Goldberg SSLv3 –Fixed and improved, released in 1996 –Public design process PCT (private communications technology): Microsoft’s version of SSL TLS (transport layer security): IETF’s version, yet to be deployed, incompatible with v2 and v3

3 3 SSL Architecture Record Protocol: Message encryption/authentication Handshake P.: Identity authentication & key exchange Alert P.: Error notification (cryptographic or otherwise) Change Cipher P.: Activate the pending crypto suite IP TCP SSL Record Protocol HTTP, etc. SSL Alert Protocol SSL Change Cipher Spec. Protocol SSL Handshake Protocol

4 4 Basic SSL/TLS Handshake Protocol SSL is on top of TCP: uses TCP’s character stream, breaks the stream into records with headers and encrypts to provide: encrypted and integrity protected stream to the upper layers Alice Bob hello, crypto offered, R A certificate, crypto selected, R B {S} Bob, {keyed hash of messages} session keys derived from K (K = f(S, R A, R B )) {keyed hash of messages} who is authenticated in this exchange? Bob can optionally send “certificate request” in message 2 to authenticate Alice, not currently deployed

5 5 Session Initiation session vs. connection: “sessions” are relatively long-lived. Multiple “connections” (TCP) can be supported under the same SSL session. (designed for HTTP 1.0) without costly public key operations if Bob wants to resume session later (have multiple connections) – he sends Alice session_id and stores Alice Bob crypto offered, R A session-id, mycert, crypto selected, R B, {keyed hash of msgs} {S} B,{keyed hash of messages} session keys derived from K, R A, R B {keyed hash of messages}

6 6 Session Resumption (Connection Establishment) Alice sends session-id, if Bob remembers, new connection (keys) can be established (session resumed) by just exchanging nonces is connection resumption stateless? Alice Bob session-id, crypto offered, R A session-id, crypto selected, R B, {keyed hash of msgs} {keyed hash of messages} session keys derived from K, R A, R B

7 7 Key Computation “pre-master key”: S “master key”: K = f(S, R A, R B ) For each connection, 6 keys are generated from K and the nonces (two more Rs). –3 keys for each direction: encryption, integrity, IV – why do we need separate keys for encryption and integrity protection? may be unnecessarily complex but gets the job done

8 8 Negotiating Cipher Suites Cipher suite: A complete package specifying the crypto to be used. (encryption algorithm, key length, integrity algorithm, etc.) 24 (v2) to 16 (v3 and TLS) bits is reserved to id the cipher suites ~30 predefined standard cipher suites. 256 values reserved for private use. Selection: –v2: Alice proposes a set of suites; Bob returns a subset of them; Alice selects one (which doesn’t make much sense) –v3: Alice proposes a set of suites; Bob selects one.

9 9 The Trust Model PKI: Oligarchy model with X.509 certificates Browsers come configured with a set of trusted root CAs (VeriSign, AT&T, Entrust/Nortel, etc.) Additions to the root CA list by user is possible. Typically, only the server is authenticated. Client authentication is optional. No certificate revocation mechanism. Even expiration dates are not enforced.

10 10 Attacks on v2 downgrade attack – no integrity protection for the list of requested cipher suites; attacker can force parties to use weaker crypto –in v3, at the end of the handshake (protected) Bob and Alice exchange a “finished” messages which contains the digest of the previous messages truncation attack – SSL depended on TCP for closing connection; attacker can close connectivity by sending TCP close message –v3 added a “finished” message to indicate there is no more data to be sent

11 11 Secure Electronic Transaction (SET) Application-layer e-commerce protocol Developed by Visa & MasterCard consortium, 1996 –officially supported by Visa in 2003 Provides security, authentication, order transaction, payment authorization, etc. Both the merchant & customer are authenticated by X.509 certificates

12 12 SET Problems of e-commerce over SSL/TLS: –malicious merchants (stealing credit card numbers) –malicious customers (using stolen credit card no.s) SET solution: –Bank (B) acts as an intermediary between the customer (C) & the merchant (M) –M forwards C’s info. to B, encrypted with B’s key –B does: authenticate C’s public key signature decrypt the transaction info. (amount, card number, etc.) issue payment authorization & send it to B –more on that in next slide

13 13 SET Dual Signature concerns –merchant needs to know order information (OI) only –bank needs to know payment information (PI) only –needs to be a way to bind both kinds of info without revealing it to the wrong party dual sig by customer –customer’s private key {H{H{PI} || H{OI}}} = dual signature (DS) merchant can verify the info when it has OI and H{PI} and customer’s public key (how?) bank can verify the info when it has PI, H{OI} and customer’s public key

Download ppt "1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET."

Similar presentations

Web security: SSL and TLS

Web security: SSL and TLS
CP3397 ECommerce.

CP3397 ECommerce.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Lecture 6: Web security: SSL

Lecture 6: Web security: SSL
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
SMUCSE 5349/49 SSL/TLS. SMUCSE 5349/7349 Layers of Security.

SMUCSE 5349/49 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
Cryptography and Network Security

Cryptography and Network Security
Secure Socket Layer.

Secure Socket Layer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Lecture 7: Transport Level Security – SSL/TLS CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena Adopted from previous lecture by Tony Barnard.

Lecture 7: Transport Level Security – SSL/TLS CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena Adopted from previous lecture by Tony Barnard.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Chapter 8 Web Security.

Chapter 8 Web Security.
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.

Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.

Similar presentations

Ads by Google