2. Outline
Web Security
Introduction to SSL/TLS
Secure Socket Layer (SSL)
Where, What and How about SSL
Architecture
The Four Protocols
Simple Handshake process
Transport Layer Security (TLS)
TLS Overview
Public Key Certificates
Implementation & Applications of SSL/TLS
Summary
References
December 1, 2012 NITTTR, Chandigarh 2
3. “Use your mentality, Wake up to reality”
---From the song, “I've got you under my skin”
by Cole Porter
5. Web security
The Web is now widely used by businesses, government firms
and individuals,
but the Internet and Web space are vulnerable
and face a variety of threats related to:
Integrity: someone might alter content
Confidentiality: anyone can see content
Denial of service
Authentication: not clear who you are talking with
so added security mechanisms are needed
6. Introduction (contd.)
Secure Sockets Layer (SSL)
Developed by Netscape Corporation
Versions 1, 2, and 3 (released in 1996)
Transport Layer Security (TLS)
Successor of SSL
IETF standards track protocol, based on SSL 3.0
Last updated in RFC 5246 (2008)
7. Introduction (contd.)
Transport Layer Security (TLS) and its
predecessor, Secure Sockets Layer (SSL), are
cryptographic protocols that provide security for
communications over networks such as the
Internet.
TLS and SSL encrypt the segments of network
connections at the Transport Layer end-to-end.
9. Where SSL fits?
Protocol:  HTTP  SMTP  POP3  HTTPS  SSMTP  SPOP3
Port No.:  80    25    110   443    465    995
Secure Socket Layer
Transport
Network
Data Link
10. What security is provided?
By providing:
Endpoint Authentication
Unilateral or Bilateral
Communication Confidentiality
For preventing:
Eavesdropping
Tampering
Message Forgery
11. How security is provided?
12. Uses public key scheme
Each client-server pair uses
2 public keys
○ one for client (browser)
created when browser is installed on client machine
○ one for server (http server)
created when server is installed on server hardware
2 private keys
○ one for client browser
○ one for server (http server)
13. Cipher Suite
Common Cipher Suite algorithms:
Encryption algorithm
○ RC4, Triple DES, AES, IDEA, DES, Camellia
Message authentication code (MAC) algorithm
○ Authentication by RSA, DSA, ECDSA
○ Hashing by MD5, SHA
Key exchange algorithm
○ RSA, Diffie-Hellman, ECDH, SRP, PSK
Pseudorandom function (PRF)
15. SSL Architecture (Contd.)
SSL session
an association between client & server
created by the Handshake Protocol
defines a set of cryptographic parameters
may be shared by multiple SSL connections
SSL connection
a transient, peer-to-peer, communications link
associated with 1 SSL session
16. The Four Upper Layer Protocols
Application Encryption Protocol
Encrypt/Decrypt application data
Change Cipher Spec Protocol
Alert to a change in communication variables
Alert Protocol
Messages important to SSL connections
Handshaking Protocol
Establish communication variables
17. SSL Record Protocol
Services provided are :
Confidentiality
using symmetric encryption with a shared secret key defined by
Handshake Protocol
IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
message is compressed before encryption
Message integrity
using a MAC (Message Authentication Code) created using a
shared secret key and a short message
19. SSL Change Cipher Spec Protocol
one of 3 SSL specific protocols which use the
SSL Record protocol
a single message
Purpose of message
Causes the pending state to be copied into the current state.
Updates the cipher suite to be used on the current
connection.
20. SSL Alert Protocol
conveys SSL-related alerts to peer entity
Consists of two bytes
1st byte : warning or fatal
2nd byte: code for specific alerts
specific alert types
unexpected message, bad record mac, decompression failure,
handshake failure, illegal parameter
close notify, no certificate, bad certificate, unsupported certificate,
certificate revoked, certificate expired, certificate unknown
compressed & encrypted like all SSL data
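Added example (not part of the original slides): a parser for the two-byte alert described above, as it appears inside plaintext record-layer records during a handshake. The five-byte record header layout, content type 21 and the numeric codes come from the SSL 3.0 / TLS 1.0 specifications; the sample bytes are constructed.

```python
import struct

# Numeric values are those assigned by the SSL 3.0 / TLS 1.0 specifications
# to the alert levels and descriptions named on the slide.
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter",
}
ALERT = 21  # record-layer content type of the Alert Protocol


def parse_alerts(stream: bytes):
    """Walk the record headers in `stream` and decode each alert record.

    Returns (version, level, description) tuples; raises ValueError when a
    record is truncated.
    """
    alerts, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        body = stream[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        offset += 5 + length
        if ctype != ALERT:
            continue
        if length != 2:
            # Protected alert (MAC and encryption applied): opaque without keys.
            alerts.append(((major, minor), "protected", None))
            continue
        level, code = body
        alerts.append(((major, minor),
                       LEVELS.get(level, f"unknown({level})"),
                       DESCRIPTIONS.get(code, f"unknown({code})")))
    return alerts


# Constructed sample: one handshake record, then two plaintext alerts.
SAMPLE = bytes.fromhex("16030100040e000000" "15030100020228" "15030000020129")

if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE):
        print(alert)
```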
21. SSL Handshake Protocol (1/10)
The most complex part of SSL.
allows server & client to:
authenticate each other
to negotiate encryption & MAC algorithms
to negotiate cryptographic keys to be used
comprises a series of messages in phases
Establish Security Capabilities
Server Authentication and Key Exchange
Client Authentication and Key Exchange
Finish
22. Simple Handshake process (2/10)
The client (Alice) and server (Bob) must agree on various
parameters to establish the connection
Alice requests a secure connection and presents a list of Cipher Suites
Bob picks the strongest supported Cipher Suite
Bob sends back his digital certificate
○ Including the certificate authority and his public key
By encrypting with the server’s public key, Alice sends a random
number to Bob securely
Alice and Bob generate key material from the random number
Secure connection established
31. TLS (Transport Layer Security)
IETF standard RFC 2246 similar to SSLv3
with minor differences
in record format version number
uses HMAC for MAC
a pseudo-random function expands secrets
has additional alert codes
some changes in supported ciphers
changes in certificate negotiations
changes in use of padding
32. Changes from SSL 3.0 to TLS
Fortezza removed
Additional Alerts added
Modification to hash calculations
Protocol version 3.1 in ClientHello,
ServerHello
33. What is TLS?
Protocol layer
Requires reliable transport layer (e.g. TCP)
Supports any application protocols
HTTP Telnet FTP LDAP
TLS
TCP
IP
34. TLS: Privacy
Encrypt message so it cannot be read
Use conventional cryptography with shared
key
DES, 3DES
RC2, RC4
IDEA
[Diagram: A sends Message; it travels as ciphertext ($%&#!@) and B recovers Message]
35. TLS: Key Exchange
Need secure method to exchange secret key
Use public key encryption for this
“key pair” is used - either one can encrypt and
then the other can decrypt
slower than conventional cryptography
share one key, keep the other private
Choices are RSA or Diffie-Hellman
36. TLS: Integrity
Compute fixed-length Message
Authentication Code (MAC)
Includes hash of message
Includes a shared secret
Includes sequence number
Transmit MAC with message
37. Integrity (Contd.)
Receiver creates new MAC
should match transmitted MAC
TLS allows MD5, SHA-1
[Diagram: A sends Message and MAC; B computes MAC’ over the received Message’ and checks MAC’ =? MAC]
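Added example (not part of the original slides): the record MAC from the two Integrity slides, computed with HMAC over the sequence number, the record header fields and the message, then checked by a receiver that keeps its own sequence counter. The field layout follows TLS 1.0 (RFC 2246); the key and records are constructed sample values.

```python
import hashlib
import hmac
import struct


def record_mac(mac_key, seq_num, content_type, version, fragment,
               digest=hashlib.sha1):
    """HMAC over seq_num + type + version + length + fragment."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, digest).digest()


class Receiver:
    """Recomputes the MAC with its own sequence counter and compares."""

    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.seq_num = 0

    def accept(self, content_type, version, fragment, mac):
        expected = record_mac(self.mac_key, self.seq_num,
                              content_type, version, fragment)
        if not hmac.compare_digest(expected, mac):  # constant-time compare
            return False  # a real peer answers with a fatal bad_record_mac
        self.seq_num += 1
        return True


def demo():
    key = b"constructed-mac-write-secret"  # constructed sample key
    ver = (3, 1)                           # TLS 1.0 on the wire
    rec0 = (23, ver, b"GET / HTTP/1.0\r\n")         # 23 = application data
    rec1 = (23, ver, b"Host: example.test\r\n")
    mac0 = record_mac(key, 0, *rec0)
    mac1 = record_mac(key, 1, *rec1)
    rx = Receiver(key)
    return {
        "in_order": rx.accept(*rec0, mac0),
        "tampered": rx.accept(23, ver, b"Host: changed.test\r\n", mac1),
        "replayed": rx.accept(*rec0, mac0),  # old sequence number, rejected
        "next": rx.accept(*rec1, mac1),
    }


if __name__ == "__main__":
    print(demo())
```

The replayed record fails even though its bytes and MAC are untouched, because the receiver's counter has already moved past the sequence number the sender used.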
38. TLS: Authentication
Verify identities of participants
Client authentication is optional
Certificate is used to associate identity with
public key and other attributes
[Diagram: A and B exchange Certificates]
39. TLS: Architecture
TLS defines Record Protocol to transfer
application and TLS information
A session is established using a Handshake
Protocol
Handshake Protocol | Change Cipher Spec | Alert Protocol
TLS Record Protocol
41. TLS: Handshake
Negotiate Cipher-Suite Algorithms
Symmetric cipher to use
Key exchange method
Message digest function
Establish and share master secret
Optionally authenticate server and/or client
42. Handshake Phases
Hello messages
Certificate and Key Exchange messages
Change Cipher Spec and Finished messages
43. TLS: Hello
Client “Hello” - initiates session
Propose protocol version
Propose cipher suite
Server chooses protocol and suite
Client may request use of cached session
Server chooses whether to honor request
44. TLS: Key Exchange
Server sends certificate containing public key
(RSA) or Diffie-Hellman parameters
Client sends encrypted “pre-master” secret to
server using Client Key Exchange message
Master secret calculated
Use random values passed in Client and Server Hello
messages
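Added example (not part of the original slides): how the master secret is calculated from the pre-master secret and the two Hello random values, and how the pseudo-random function then expands it into per-direction keys. It uses the HMAC-SHA-256 PRF of RFC 5246; RFC 2246 applies the same expansion pattern but combines MD5 and SHA-1. All input values are constructed, and the key sizes assume a SHA-1 MAC with a 128-bit cipher.

```python
import hashlib
import hmac


def p_hash(secret, seed, length, digest=hashlib.sha256):
    """A(0) = seed, A(i) = HMAC(secret, A(i-1)); output HMAC(secret, A(i) + seed)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def prf(secret, label, seed, length):
    return p_hash(secret, label + seed, length)


def master_secret(pre_master, client_random, server_random):
    """48-byte master secret bound to both Hello random values."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def session_keys(master, client_random, server_random, mac_len=20, key_len=16):
    """Expand the master secret and slice it into per-direction keys."""
    block = prf(master, b"key expansion", server_random + client_random,
                2 * mac_len + 2 * key_len)
    layout = [("client_mac", mac_len), ("server_mac", mac_len),
              ("client_key", key_len), ("server_key", key_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def demo():
    # Constructed inputs: 2-byte version + 46 bytes, and two 32-byte randoms.
    pre_master = bytes([3, 3]) + bytes(range(46))
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    ms = master_secret(pre_master, client_random, server_random)
    # Same pre-master secret, different ServerHello random: different secret.
    ms_other = master_secret(pre_master, client_random, bytes(32))
    return ms, ms_other, session_keys(ms, client_random, server_random)


if __name__ == "__main__":
    ms, ms_other, keys = demo()
    print(ms.hex(), ms != ms_other, {k: len(v) for k, v in keys.items()})
```

Because both random values feed the derivation, a pre-master secret captured from one handshake does not yield the same keys in another.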
45. Public Key Certificates
X.509 Certificate associates public key with
identity
Certification Authority (CA) creates certificate
Adheres to policies and verifies identity
Signs certificate
User of Certificate must ensure it is valid
46. Validating a Certificate
Must recognize accepted CA in certificate
chain
One CA may issue certificate for another CA
Must verify that certificate has not been
revoked
CA publishes Certificate Revocation List (CRL)
47. X.509 Certificate Issues
Certificate Administration is complex
Hierarchy of Certification Authorities
Mechanisms for requesting, issuing, revoking
certificates
X.500 names are complicated
Description formats are cumbersome
(ASN.1)
48. TLS: HTTP Application
HTTP is most common TLS application
https://
Requires TLS-capable web server
Requires TLS-capable web browser
Netscape Navigator
Internet Explorer
Cryptozilla
○ Netscape Mozilla sources with SSLeay
49. TLS “Alternatives”
S-HTTP: secure HTTP protocol, shttp://
IPSec: secure IP
SET: Secure Electronic Transaction
Protocol and infrastructure for bank card
payments
SASL: Simple Authentication and Security
Layer (RFC 2222)
50. Implementation of SSL/TLS
SSL and TLS have been widely implemented
Open source software projects
○ OpenSSL, NSS, or GnuTLS
Microsoft Windows
○ Part of its Secure Channel
Browsers
○ Apple Safari
○ Mozilla Firefox (2+)
○ Internet Explorer, etc.
51. Application of SSL/TLS
On top of the Transport Layer protocols
Primarily with TCP
Datagram Transport Layer Security (DTLS) for UDP
Encapsulating the application protocols
HTTP (HTTPS)
for securing WWW traffic
FTP (FTPS), SMTP, NNTP, etc.
52. Summary
SSL/TLS addresses the need for security in
Internet communications
Privacy - conventional encryption
Integrity - Message Authentication Codes
Authentication - X.509 certificates
SSL in use today with web browsers and
servers
SSL Record Protocol defines these two services for SSL connections.
Stallings Fig 17-6.
Hash includes Finished and CertificateVerify messages
Following client cert types removed: rsa_ephemeral_dh, dss_ephemeral_dh, fortezza_dms
SSL 2 -> SSL 3.0 major changes
Reliable transport layer delivers data without duplicates or missing data, and in order.
Not really transparent to applications
Application must understand desired security level and, if TLS cannot provide that, must not assume a secure connection
Application must communicate security parameters to TLS
Application may introduce security issues, e.g. HTTP 1.0 connection close with empty Content-Length
Most block ciphers (64 bit blocks), except for RC4 stream cipher
CBC (cipher block chaining): use IV (initialization vector), XOR previous encrypted block with block, then encrypt …
Secret is used so that someone cannot replace both message and MAC, putting a new matching MAC in place of the original
Operational and pending states
Currently no compression defined, but could be
Client boundaries are not preserved
2^14 bytes or less in protocol unit
MAC: md5, sha-1, none
Encryption: des, 3des, des40, rc2, rc4, idea, none

Encryption       MAC               Key exchange
des/3des/des40   md5, sha1, none   rsa, dh
rc2
rc4
idea
none

Server “Hello Request” - ask client to restart hello
includes some random data for creating the master secret
Client generates 48-byte secret random #, encrypts using server’s public key, sends to server
if diffie-hellman, p,g
PKCS standards from RSA for RSA certificates
PKCS #10 cert requests
PKCS #9 cert attributes
PKCS #7 cert chain format
application/x-pkcs7-mime used to load CA chain into browser
Mention different kinds of certificates: identity, encryption, etc.
S-HTTP
inter-operates with http
signature, authentication, encryption
public key key exchange, & externally arranged
Secure * Secure-HTTP/1.4 : Request URI
Secure-HTTP/1.4 200 OK
response header lines convey information, e.g. Certificate-Info: has cert, Encryption-Identity: x500 name
------------
IPSec
RFC 1825-1829
required for IPv6, optional for IPv4
transport mode - protect contents of IP packet
tunnel mode - protect entire IP packet
encryption, MAC
SASL
Means to add authentication to connection-based protocol
Variety of mechanisms: Kerberos V4, GSSAPI, “External”
Allows separation of authorization identity from client identity in credentials
Permits authenticated state in protocol