Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

Published byHarley Grose Modified over 9 years ago

Similar presentations

Presentation on theme: "1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication."— Presentation transcript:

1

2 1 SSL/TLS

3 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication and integrity to prevent message alteration / injection For example, if you want to buy a book at amazon.com You want to be sure you are dealing with Amazon (authentication) Your credit card information must be protected in transit (confidentiality and/or integrity) As long as you have money, Amazon doesn’t care who you are (authentication need not be mutual)

4 Approaches Web security approaches IP Security: it is transparent to end users and applications. Security above TCP Application-specific security: embedded within the particular application 3

5 4 Comparison of web security approaches IP Sec TCP HTTPFTPSMTP IP TCP HTTPFTPSMTP SSL(TLS) IP TCP HTTPSMTP SETS/MIMEPGP

6 Socket layer “Socket layer” lives between application and transport layers SSL usually lies between HTTP (application) and TCP (transport) application transport network link physical Socket “layer” OS User NIC

7 6 SSL(Secure Sockets Layer protocol) History SSL v1: Designed by Netscape, never deployed SSL v2: Deployed in Netscape Navigator 1.1 in 1995 SSL v3: Substantial overhaul, fixing security flaws, publicly reviewed TLS(Transport Layer Security protocol) v1 IETF standard SSLv3 with little tweak

8 Simple SSL-like Protocol Is Alice sure she’s talking to Bob? Is Bob sure he’s talking to Alice? Alice Bob I’d like to talk to you securely Here’s my certificate {K AB } Bob protected HTTP

9 Simplified SSL Protocol S is pre-master secret K = h(S,R A,R B ) msgs = all previous messages CLNT and SRVR are constants Alice Bob Can we talk?, cipher list, R A Certificate, cipher, R B {S} Bob, E(h(msgs,CLNT,K),K) Data protected with key K h(msgs,SRVR,K)

10 SSL Keys 6 “keys” derived from K = hash(S,R A,R B ) 2 encryption keys: send and receive 2 integrity keys: send and receive 2 IVs: send and receive Why different keys in each direction? Q: Why is h(msgs,CLNT,K) encrypted (and integrity protected)? A: It adds no security…

11 SSL Authentication Alice authenticates Bob, not vice-versa How does client authenticate server? Why does server not authenticate client? Mutual authentication is possible: Bob sends certificate request in message 2 This requires client to have certificate If server wants to authenticate client, server could instead require (encrypted) password

12 SSL MiM Attack Q: What prevents this MiM attack? A: Bob’s certificate must be signed by a certificate authority (such as Verisign) What does Web browser do if sig. not valid? What does user do if signature is not valid? Alice Bob RARA certificate T, R B {S 1 } Trudy,E(X 1,K 1 ) E(data,K 1 ) h(Y 1,K 1 ) Trudy RARA certificate B, R B {S 2 } Bob,E(X 2,K 2 ) E(data,K 2 ) h(Y 2,K 2 )

13 12 SSL Handshake Protocol Clientserver client_hello server_hello certificate server_key_exchange certificate_request server_hello_done certificate client_key_exchange certificate_verify change_cipher_spec finished change_cipher_spec finished Phase 1 Phase 2 Phase 3 Phase 4 Blue: optional message

14 13 Phase 1: establish security capabilities {client, server}_hello message Version: the highest SSL version Random 32-bit timestamp 28 bytes random number Session ID Cipher suite client_hello: Ciphers are listed in decreasing order of preference server_hello: chosen cipher Compression method

15 14 Cipher Suite Cipher suite = (key exchange methods, cipher spec) Key exchange methods RSA: encrypt key with receiver ’ s public key Fixed Diffie-Hellman Server ’ s certificate contains DH public parameters signed by CA. The client provides its DH public parameters either in a certificate or in a key exchange message. Ephemeral Diffie-Hellman Certificate contains server ’ s public key. DH public parameters are signed using the server ’ s private key. Anonymous Diffie-Hellman Each side sends its DH public parameters to the other without authentication.

16 15 Cipher spec Cipher Algorithm (RC4, RC2, DES, 3DES, DES40, IDEA) MAC Algorithm (MD5, SHA-1) Cipher Type (stream or block) Is Exportable (true or false) Hash size (0 or 16 bytes for MD5, 20 bytes for SHA-1) IV size: IV size for Cipher Block Chaining(CBC) encryption

17 16 Phase 2: Server authentication and key exchange S  C: certificate RSA: Certificate contains server ’ s public key Fixed DH: Certificate contains DH public parameters signed by CA. Ephemeral DH: Certificate contains server ’ s public key. S  C: server_key_exchange Anonymous DH: {g, p, g s } Ephemeral DH: {g, p, g s } + signature of {g, p, g s } RSA: if server ’ s key is only for a signature-only key, the server create a temporary RSA public/private keys and send the temporary public key S  C: certificate_request Cert_type (RSA or DSS for key exchange) List of acceptable certificate authorities S  C: server_hello_done, no parameters A signature is created by computing hash(client_rand || server_rand || server parameters) and encrypting it with the sender ’ s private key.

18 17 Phase 3 After phase 2, client has all values required to generate the session key C  S: certificate If server requested a certificate C  S: client_key_exchange RSA: client generates 48 byte pre-master secret, encrypts it with server ’ s public key or temporary RSA key from a server_key_exchange message. Ephemeral or anonymous DH: client ’ s DH public parameters Fixed DH: null (certificate contained client ’ s DH key) C  S: certificate_verify Only used if client sent certificate with signing key K C CertificateVerify.signature.md5_hash = {MD5( master secret || pad2 || MD5( handshake messages || master secret || pad1 ))} K C -1

19 18 Phase 4 After phase 3, client and server share master secret computed from pre-master secret, and authenticated each other Phase 4: Finish C  S: change_cipher_spec Copies the pending Cipher spec in the current CipherSpec. C  S: finished MD5( master_secret || pad2 || MD5( handshake messages || Sender || master_secret || pad1 )) || SHA-1( master_secret || pad2 || SHA-1( handshake messages || Sender || master_secret || pad1 )) pad1 and pad2 are the values defined earlier for the MAC Handshake messages contains all messages up to now S  C: change_cipher_spec S  C: finished

20 19 Cryptographic computation Client and server perform DH calculation to create the shared pre-master secret (PS). Master secret (MS) created from pre-master secret (PS), Client random (CR), Server random (SR) MS = MD5( PS || SHA-1( ‘ A ’ || PS || CR || SR )) || MD5( PS || SHA-1( ‘ BB ’ || PS || CR || SR )) || MD5( PS || SHA-1( ‘ CCC ’ || PS || CR || SR )) CipherSpec requires client & server MAC key, client & server encryption key, client & server IV, generated from MS: MD5( MS || SHA-1( ‘ A ’ || MS || SR || CR )) || MD5( MS || SHA-1( ‘ BB ’ || MS || SR || CR )) || MD5( MS || SHA-1( ‘ CCC ’ || MS || SR || CR )) || MD5( MS || SHA-1( ‘ DDDD ’ || MS || SR || CR )) || …

21 20 SSL Record format SSL Record = Content type || Major version || Minor version || Length ||{ Data || MAC( K ’, Data ) } K MAC( K ’, Data ) = hash( K ’ || pad2 || hash( K ’ || pad1 || seq_num || compressed_type || length || Data )) hash: MD5 or SHA-1 pad1 = 0x363636 … pad2 = 0x5C5C5C … seq_num: sequence number for message

22 21 Sample SSL session Client has no certificate, only server authenticated C  S: client_hello S  C: server_hello Ephemeral DH key exchange, RC4 encryption, MD5-based MAC S  C: Server certificate, containing RSA public key Client checks validity + verifies URL matches certificate! S  C: Server_key_exchange: g, p, g s, {H(g, p, g s )} K S -1 S  C: server_hello_done C  S: client_key_exchange: g c C  S: change_cipher_spec C  S: finished S  C: change_cipher_spec S  C: finished

23 SSL Sessions vs Connections SSL session is established as shown on previous slides SSL designed for use with HTTP 1.0 HTTP 1.0 usually opens multiple simultaneous (parallel) connections SSL session establishment is costly Due to public key operations SSL has an efficient protocol for opening new connections given an existing session

24 SSL Connection Assuming SSL session exists So S is already known to Alice and Bob Both sides must remember session-ID Again, K = h(S,R A,R B ) Alice Bob session-ID, cipher list, R A session-ID, cipher, R B, h(msgs,SRVR,K) h(msgs,CLNT,K) Protected data No public key operations! (relies on known S )

Download ppt "1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication."

Similar presentations

ISA 662 SSL Prof. Ravi Sandhu. 2 © Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later.

ISA 662 SSL Prof. Ravi Sandhu. 2 © Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later.
SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
Web security: SSL and TLS

Web security: SSL and TLS
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS 4362 - CIS 5357 Network Security.

1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS CIS 5357 Network Security.
Lecture 6: Web security: SSL

Lecture 6: Web security: SSL
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security

Cryptography and Network Security
Secure Socket Layer.

Secure Socket Layer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Web Security (SSL / TLS)

Web Security (SSL / TLS)
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.

December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.

Similar presentations

Ads by Google