Presentation is loading. Please wait.

Presentation is loading. Please wait.

ANSI X9.44 and IETF TLS Russ Housley and Burt Kaliski RSA Laboratories November 2002.

Published byAnnabella Stokes Modified over 8 years ago

Similar presentations

Presentation on theme: "ANSI X9.44 and IETF TLS Russ Housley and Burt Kaliski RSA Laboratories November 2002."— Presentation transcript:

1 ANSI X9.44 and IETF TLS Russ Housley and Burt Kaliski RSA Laboratories November 2002

2 Introduction ANSI X9.44 specifies key establishment schemes based on the RSA algorithm –currently in draft form Schemes selected to reflect and guide industry practice NIST key management FIPS intended to adopt X9.44 and other X9 standards

3 Reflecting and Guiding X9.44 reflects industry practice where appropriate for banking/FIPS: –S/MIME key transport with PKCS #1 v1.5 –TLS handshake with PKCS #1 v1.5, SHA-1, MD5 Also guides toward new techniques: –S/MIME key transport with RSA-KEM –TLS handshake with RSA-KEM, SHA-256 and above Focus on key establishment, not session encryption

4 TLS Handshake: Crypto Recap Ciphertext = Encrypt (Server Public, Premaster) Master = KDF (Premaster, Nonces) Session = KDF (Master, Nonces) Tag = MAC (Master, Handshake Messages)

5 TLS Handshake Crypto Today Encrypt = PKCS #1 v1.5 Block Type 02 KDF = TLS PRF –PRF (secret, label, seed) = HMAC-MD5 (S1, label + seed)  HMAC-SHA-1 (S2, label + seed) –S1 is first half of secret; S2 is second half MAC = TLS PRF

6 Security Analysis PKCS #1 v1.5 encryption has vulnerabilities, but TLS handshake has countermeasures Jonsson-Kaliski result (Crypto 2002): –TLS handshake security (loosely) related to gap-partial-RSA assumption –relies only on SHA-1 security, not MD5 Analysis has helped support X9F1 acceptance of TLS, despite PKCS #1 v1.5 vulnerabilities –SSLv3 currently out; security relies on SHA-1 & MD5

7 X9.44-Recommended Enhancements Encrypt = Raw RSA –Premaster as long as RSA modulus KDF = IEEE P1363a KDF2 MAC = HMAC –both based on SHA-1 or higher Note: No architectural changes required

8 Rationale for Enhancements Raw RSA + KDF2  Shoup’s RSA-KEM –Security related to ordinary RSA assumption –Intuition: Attacker must know full input to RSA in order to compute master secret KDF2, HMAC more standard, support larger hash sizes

9 Client Authentication Sign (Client Private, Handshake Messages) Today: PKCS #1 v1.5 variant Enhancement: RSA-PSS (or other X9-approved signature scheme)

10 Next Steps TLS WG: –Consider X9.44 direction X9F1: –Incorporate TLS WG feedback Joint: –Draft TLS cipher suites for new algorithms, e.g., SHA-256, reflecting guidance

11 More Information Russ Housley –rhousley@rsasecurity.com –+1 703 435 1775 Burt Kaliski (editor, ANSI X9.44) –bkaliski@rsasecurity.com –+1 781 515 7073 Next ANSI X9F1 meeting: January 29-30, 2003 by teleconference

Download ppt "ANSI X9.44 and IETF TLS Russ Housley and Burt Kaliski RSA Laboratories November 2002."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
Web security: SSL and TLS

Web security: SSL and TLS
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Cryptography and Security: The Narrow Road from Theory to Practice Burt Kaliski, RSA Security ISPEC 2006, Hangzhou, China April 13, 2006.

Cryptography and Security: The Narrow Road from Theory to Practice Burt Kaliski, RSA Security ISPEC 2006, Hangzhou, China April 13, 2006.
Lecture 6: Web security: SSL

Lecture 6: Web security: SSL
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Transport Layer Security (TLS) Bill Burr November 2, 2001.

Transport Layer Security (TLS) Bill Burr November 2, 2001.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Web Security (SSL / TLS)

Web Security (SSL / TLS)
Some New RSA Mechanisms for PKCS #11 Burt Kaliski, RSA Laboratories PKCS Workshop April 14, 2003.

Some New RSA Mechanisms for PKCS #11 Burt Kaliski, RSA Laboratories PKCS Workshop April 14, 2003.
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 8, 2013.

Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 8, 2013.
December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.

December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.

Similar presentations

Ads by Google