IN3210 – Network Security
Transport Layer Security
The TLS Protocol
Transport Layer Security (TLS)
⚫ Security goals:
− Authentication
− Integrity
− Confidentiality
⚫ Transparent security protocol between TCP and application
⚫ Widespread usage:
− HTTP over TLS (HTTPS), IMAP over TLS (IMAPS), …
⚫ Security for single application (in contrast to IPSec):
− Online Banking
− Online Shopping
History of SSL/TLS
⚫ 1994: SSL 1.0 – Developed by Netscape Communications (never released)
⚫ 1995: SSL 2.0 – Published with Netscape Navigator 1.1 (officially deprecated 2011)
⚫ 1996: SSL 3.0 – Fixes severe security issues found in SSL 2.0 (officially deprecated 2015)
⚫ 1999: TLS 1.0 – RFC 2246 (deprecation planned for 2020)
⚫ 2006: TLS 1.1 – RFC 4346 (deprecation planned for 2020)
⚫ 2008: TLS 1.2 – RFC 5246
⚫ 2018: TLS 1.3 – RFC 8446
TLS Versions supported by Web Servers
Source: https://www.ssllabs.com/ssl-pulse/ (figure: TLS versions supported by Web servers, 2013–2019; chart not reproduced)
History of SSL/TLS
⚫ https://www.feistyduck.com/ssl-tls-and-pki-history/
TLS < 1.3
TLS: Protocols and Layers
Figure: protocol stack – the Handshake, Change Cipher Spec, Alert and Application Data protocols sit on top of the TLS Record Layer, which sits on the TCP layer, which sits on the IP layer
TLS Handshake
⚫ Negotiation of cryptographic algorithms + parameters
⚫ Authentication of communication partners (just server or mutual)
⚫ Exchange of symmetric session key
TLS Record Layer
⚫ „Core functionality“ of TLS
⚫ Accepts data from upper layer and performs (in that order):
− Fragmentation
− Compression
− Authentication (e.g. MAC) using session key
− (Symmetric) Encryption using session key
Key Exchange + Server Authentication
⚫ RSA Encryption (simplified)
− Server sends public key (inside a X.509 certificate)
− Client generates random number (premaster secret, PS)
− Client encrypts PS using the server public key and sends the result
− Server decrypts PS using its private key sk
− All further communication is encrypted with session key derived from PS
− (Implicit) authentication: only the owner of the private key can participate in further communication
Figure: server holds (pk, sk) and sends pk; client generates PS and sends Epk(PS)
Key Exchange + Server Authentication
⚫ Attacks on RSA Encryption
− Attacker eavesdrops communication:
→ cannot decrypt the encrypted key
− Attacker replaces Epk(PS) with Epk(PS*) with PS* known to her
→ has negotiated a shared key with the server, but not with the client (i.e. cannot communicate with the client)
− Attacker replaces server public key with the attacker's public key
→ Public keys are protected by certificate, client can detect the change
o public key does not match the certificate
o certificate is issued to wrong subject
Key Exchange + Server Authentication
⚫ Diffie Hellman Key Exchange
− Client and server generate DH secret values a and b
− Client and server calculate DH public values $g^a$ and $g^b$ and send them
− Server sends public key (inside a X.509 certificate)
− Server creates signature over $g^b$ (using its private key sk) and sends it
− Client verifies signature
− Client and server calculate the DH shared secret (premaster secret, PS)
− All further communication is encrypted with session key derived from PS
Figure: client holds a and sends $g^a$; server holds b and (pk, sk) and sends $g^b$, pk and Sig($g^b$)
Key Exchange + Server Authentication
⚫ Attacks on Diffie Hellman Key Exchange
− Attacker eavesdrops communication
→ cannot break DH key exchange
− Attacker replaces $g^b$
→ signature does not match
− Attacker replaces pk with her own public key (and creates signature with her own private key)
→ public keys are protected by certificate, client can detect the change
− Attacker replaces $g^a$ with $g^e$ (e known to attacker)
→ has negotiated a shared key with the client, but not with the server (i.e. cannot communicate with the server)
Forward Secrecy
⚫ A key exchange protocol offers (perfect) forward secrecy if the session key is not compromised even when the private server key is compromised
⚫ Imagine the following situation:
− Attacker records the complete handshake
− Attacker learns later (after the protocol has finished) the private key
⚫ RSA:
− Attacker uses the private key to decrypt the premaster secret + calculates the session key → no forward secrecy
⚫ DH:
− Attacker can still not break the DH key exchange → forward secrecy
− Session key is “ephemeral”
TLS Handshake (here: using RSA)
⚫ Client Hello:
− Supported algorithms
− 1. random number
⚫ Server Hello:
− Selected algorithms
− 2. random number
− Session ID
⚫ Client Key Exchange:
− Encrypted premaster secret
⚫ Change Cipher Spec:
− Starts message protection
⚫ Finished:
− Authenticates all previous messages (protects from downgrade attacks)
Figure: client–server message flow; session key calculation on both sides; 2 RTT until application data; messages after Change Cipher Spec are encrypted
TLS Handshake (here: using DH)
⚫ Client + Server Key Exchange:
− Diffie Hellman key exchange
− (with Server Key Exchange signed)
− Groups:
▪ “DHE”: Finite Field DH
▪ “ECDHE”: Elliptic Curve DH
Figure: client–server message flow with Server Key Exchange and Client Key Exchange; session key calculation on both sides; subsequent messages encrypted
TLS Handshake – Details (1)
⚫ Algorithms
− Different types of algorithms bundled into “Cipher Suites”
− Format: TLS_key-exchange-algorithm_WITH_data-protection-algorithm
− Example: TLS_DHE_WITH_AES_128_CBC_SHA256
▪ DHE = Diffie Hellman key exchange (E = ephemeral)
▪ AES with CBC mode for encryption
▪ SHA256 as hash function for authentication and integrity protection
⚫ Client offers list of cipher suites – server selects one
⚫ Further examples for Cipher Suites:
− TLS_RSA_WITH_RC4_128_SHA
− TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS Handshake – Details (2)
⚫ Random numbers in ClientHello and ServerHello
− Client and Server select random numbers independently
− Random numbers are included in session key calculation
⚫ Certificate
− Most Cipher Suites require certificates for server authentication
− X.509 format
⚫ Session ID
− For new session
▪ Client sends empty session ID field
▪ Server chooses session ID
− For resumed session
▪ Client sends known session ID
TLS Handshake – Session Key Calculation
⚫ Key material calculation (general)
− Uses “Key Expansion”
− Internally using a pseudo random function (PRF, based on hash function)
− Can produce key material of arbitrary length
⚫ Master secret calculation
− Input: Premaster Secret, random number client, random number server
− Output: Master Secret (48 byte)
⚫ Encryption/MAC key calculation
− Input: Master Secret, random number client, random number server
− Output: Key block, is partitioned into required keys
Figure: Random (Client), Random (Server) and Premaster secret → PRF → Master secret; Master secret and both random numbers → PRF → Key Block, partitioned into Client MAC, Server MAC, …
TLS Handshake – Session Key Calculation
⚫ Required keys:
− Encryption (Client)
− Encryption (Server)
− Authentication / MAC (Client)
− Authentication / MAC (Server)
− Initialization Vectors
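The two PRF steps on slide 21 and the partitioning on slide 22 are short enough to write out. The following Python is an added example, not from the lecture: it implements the TLS 1.2 PRF of RFC 5246 (P_SHA256, an HMAC chain), derives the 48-byte master secret and the key block, and cuts the block into the six keys for the slide-19 suite TLS_DHE_WITH_AES_128_CBC_SHA256. The random numbers and premaster secret are constructed constants so the run is reproducible; the function names are this example's own.

```python
import hmac
import hashlib
from typing import Dict

# TLS 1.2 PRF (RFC 5246, section 5) on HMAC-SHA256:
#   A(0) = seed, A(i) = HMAC(secret, A(i-1))
#   P_hash(secret, seed) = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
#   PRF(secret, label, seed) = P_hash(secret, label + seed), cut to the requested length
def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)

def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # RFC 5246 8.1: always 48 bytes, seed = ClientHello.random + ServerHello.random
    return prf(premaster, b"master secret", client_random + server_random, 48)

KEY_NAMES = ("client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV")

def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> Dict[str, bytes]:
    # RFC 5246 6.3: the key block seed uses the randoms in the opposite order (server first);
    # the block is cut into the six keys in the order of KEY_NAMES. (For CBC suites in TLS 1.1+
    # each record carries its own explicit IV; the key-block IVs serve AEAD implicit nonces.)
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    block = prf(master, b"key expansion", server_random + client_random, sum(sizes))
    keys, pos = {}, 0
    for name, size in zip(KEY_NAMES, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

# Constructed, fixed inputs (not real handshake values) so the derivation is reproducible.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PREMASTER = b"\x03\x03" + bytes(46)   # RSA premaster layout: 2 version bytes + 46 random bytes

def derive_session_keys(premaster=PREMASTER, client_random=CLIENT_RANDOM, server_random=SERVER_RANDOM):
    """Derivation for TLS_DHE_WITH_AES_128_CBC_SHA256: 32-byte HMAC-SHA256 keys,
    16-byte AES-128 keys and 16-byte IVs. Returns (master secret, key dict)."""
    master = master_secret(premaster, client_random, server_random)
    return master, key_block(master, client_random, server_random, mac_len=32, key_len=16, iv_len=16)

if __name__ == "__main__":
    master, keys = derive_session_keys()
    print("master secret:", master.hex())
    for name, value in keys.items():
        print(f"{name:22s} {value.hex()}")
```

Because both random numbers enter the seed, a replayed premaster secret still yields fresh keys per handshake, which is why the slides list the randoms as inputs to both PRF calls.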
TLS: Resuming Sessions
⚫ “Client Hello” contains session ID of session to be resumed
⚫ Server responds with same session ID
⚫ No key exchange required
TLS: Client Authentication
⚫ Client authentication with certificate optional in TLS
− Server:
▪ “Certificate Request” requests client authentication
− Client:
▪ “Certificate”: client certificate
▪ “Certificate Verify”: signature over previous messages (proves ownership of private key)
Figure: client–server message flow with Certificate Request, Certificate and Certificate Verify
TLS 1.3
Major Changes in TLS 1.3
⚫ Removal of old algorithms
− e.g. RC4, SHA-1
⚫ Removal of insecure methods
− CBC, compression, “MAC then encrypt”
⚫ Removal of non-forward-secrecy key exchange
− RSA, “DH static”
⚫ Simpler and faster handshake:
− in most cases 1-RTT
− even 0-RTT possible
⚫ Many cryptographic improvements
− e.g. EC, padding, DH groups
⚫ Better privacy
− more encrypted protocol parameters
TLS Handshake (1 RTT)
⚫ Client assumes a key agreement protocol
⚫ Sends key share for this protocol in its first message
⚫ Client Hello:
− Supported algorithms (incl. guessed key agreement protocol)
− Client key share
⚫ Server Hello:
− Chosen algorithms (incl. key agreement protocol)
− Server key share
Figure: client–server message flow; session key calculation on both sides; 1 RTT; subsequent messages encrypted
TLS Handshake – Details
⚫ Supported algorithms (always DH key exchange!):
− Cipher suites:
▪ TLS_AEAD_HASH
o AEAD: The authenticated encryption algorithm for record protection
o HASH: The hash algorithm for key derivation
▪ TLS_AES_128_GCM_SHA256
▪ TLS_AES_256_GCM_SHA384
▪ TLS_CHACHA20_POLY1305_SHA256
− Diffie Hellman group:
▪ Elliptic curve (e.g. secp256r1, x25519)
▪ Finite field (e.g. 2048 bit, 3072 bit)
− Signature algorithm (e.g. ECDSA, RSA)
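Both naming schemes, TLS_key-exchange_WITH_data-protection (slide 19) and TLS_AEAD_HASH (slide 28), can be parsed mechanically, which is how a configuration audit decides which offered suites still carry the properties TLS 1.3 removed (slide 26). The following Python is an added example, not from the lecture: `parse_suite` splits an IANA-style name into key exchange, authentication, cipher and hash, derives forward secrecy and AEAD from them, and attaches concern tags; `audit` applies it to a constructed list that contains the suites named on the slides. The tag names and the split of "TLS_DHE_WITH_…" (no authentication token) are this example's own conventions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FORWARD_SECRET_KEX = {"DHE", "ECDHE"}     # "E" = ephemeral: fresh DH values for every handshake
AEAD_MODES = ("GCM", "CCM", "POLY1305")   # authenticated encryption, the only record protection left in TLS 1.3

@dataclass
class CipherSuite:
    name: str
    tls13_format: bool               # TLS_AEAD_HASH: the name carries no key-exchange part
    key_exchange: Optional[str]      # None for TLS 1.3 (negotiated via key_share instead)
    authentication: Optional[str]    # None for TLS 1.3 (negotiated via signature_algorithms instead)
    cipher: str
    hash_alg: str
    concerns: List[str] = field(default_factory=list)

    @property
    def aead(self) -> bool:
        return any(mode in self.cipher.split("_") for mode in AEAD_MODES)

    @property
    def forward_secrecy(self) -> bool:
        return self.tls13_format or self.key_exchange in FORWARD_SECRET_KEX

def _split_protection(protection: str) -> Tuple[str, str]:
    """'AES_128_CBC_SHA256' -> ('AES_128_CBC', 'SHA256'): the last token is always the hash."""
    tokens = protection.split("_")
    if len(tokens) < 2:
        raise ValueError(f"malformed data-protection part: {protection}")
    return "_".join(tokens[:-1]), tokens[-1]

def parse_suite(name: str) -> CipherSuite:
    """Split an IANA cipher suite name into its parts and flag what TLS 1.3 removed."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:                                   # TLS <= 1.2: TLS_kex_WITH_protection
        kex_part, protection = body.split("_WITH_", 1)
        kex_tokens = [t for t in kex_part.split("_") if t != "EXPORT"]
        kex = kex_tokens[0]
        auth = kex_tokens[1] if len(kex_tokens) > 1 else (kex if kex in ("RSA", "PSK") else None)
        suite = CipherSuite(name, False, kex, auth, *_split_protection(protection))
    else:                                                  # TLS 1.3: TLS_AEAD_HASH
        suite = CipherSuite(name, True, None, None, *_split_protection(body))
    c = suite.concerns
    if not suite.forward_secrecy:
        c.append("no-forward-secrecy")        # static RSA / static DH key exchange
    if suite.authentication == "anon":
        c.append("no-server-authentication")
    tokens = suite.cipher.split("_")
    if "RC4" in tokens:
        c.append("rc4")
    if "CBC" in tokens:
        c.append("cbc-mac-then-encrypt")      # padding-oracle / BEAST family of problems
    if "3DES" in tokens or "DES" in tokens:
        c.append("des")
    if "NULL" in tokens:
        c.append("no-encryption")
    if "EXPORT" in name:
        c.append("export-grade")
    if suite.hash_alg in ("MD5", "SHA"):      # a bare "SHA" in a suite name means SHA-1
        c.append("md5-or-sha1")
    return suite

def audit(offered: List[str]) -> List[str]:
    """Names from an offered/configured list that carry at least one concern."""
    return [name for name in offered if parse_suite(name).concerns]

# Constructed list: the suites named on the slides plus one TLS 1.3 suite.
OFFERED = ["TLS_DHE_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_RC4_128_SHA",
           "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for name in OFFERED:
        s = parse_suite(name)
        print(f"{name:42s} FS={s.forward_secrecy!s:5} AEAD={s.aead!s:5} {s.concerns}")
```

A TLS 1.3 name passes both properties by construction: the format admits only AEAD ciphers, and the key exchange is always ephemeral (EC)DH negotiated outside the suite name, which is exactly the point of slide 28's "always DH key exchange!".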
AES with Galois/Counter Mode (GCM)
⚫ Combines encryption and authentication
Image source: Wikipedia (GCM diagram not reproduced)
TLS Handshake (2 RTT)
⚫ If client has guessed the wrong key agreement → additional RTT is required
⚫ Hello Retry Request:
− Chosen key agreement protocol
Figure: client–server message flow with a Hello Retry Request; session key calculation on both sides; 2 RTT; subsequent messages encrypted
TLS Handshake (0 RTT)
⚫ If client and server already have a shared key (from a previous session)→ application data can be sent (encrypted) on the first flight
⚫ Weaker security properties (e.g. no replay protection)
⚫ Should not be used for requests triggering an action (e.g. shopping, banking)
⚫ Can be used e.g. for requesting a (static) Web page
Figure: client–server flow with application data encrypted on the first flight; 0 RTT
TLS and “Security Monitoring” (1)
⚫ In TLS all application data is encrypted
⚫ Parameters visible to an external “monitor”:
− IP address (not very helpful)
− Server name from certificate
⚫ However, in TLS 1.3:
− Certificate is encrypted
− Increases privacy
− Makes surveillance harder
Figure: TLS 1.2 vs. TLS 1.3 from the monitor’s view; monitors: enterprise, provider, intelligence agency
TLS and “Security Monitoring” (2)
⚫ Nowadays the insecure key exchange methods in TLS < 1.3 are (mis-)used for network monitoring:
− All network traffic is copied to the monitor
− Monitor has a copy of the server’s private key
− Monitor can decrypt the RSA key exchange (or DH with static keys)
− Monitor can decrypt all traffic
⚫ This is not possible any more with TLS 1.3
⚫ ETSI created an alternative security protocol: ETS (formerly eTLS) still allowing interception
Further Details on TLS
Server Name Identification
Figure: one Web server at 192.0.2.1 hosting www.example.org and www.mypage.name
⚫ Common Web hosting:
− 1 Web server (1 IP address)
− multiple domain names/Web pages
− Web server demultiplexes requests
⚫ How does the server know the target domain/page?
⚫ HTTP/1.1:
− Mandatory header field “host”
GET /index.html HTTP/1.1
Host: www.example.org
Server Name Identification
⚫ Problem with HTTP over TLS hosting:
− Different domains/pages have different certificates (+ private keys)
− Web server must select certificate at the beginning of the TLS connection, i.e. before the HTTP request
⚫ Solution:
− Host name is (additionally) sent inside the client hello message (SNI, server name identification)
TLS: Implementation Aspects
⚫ TLS implemented on application level
− For example by using the openssl library
⚫ Application (or even the user) decides about security level
− Advantages? Disadvantages?
⚫ How to choose TLS protected connection:
− Browser: URL starts with “https”
− TLS protected service typically offered on different port:
▪ 80 (http) → 443 (https)
▪ 143 (IMAP) → 993 (IMAPS)
Opportunistic TLS
⚫ Some protocols allow switching to TLS protection inside a given connection (“STARTTLS”)
⚫ Most common usage: SMTP, IMAP, POP3
⚫ Example (SMTP/STARTTLS):
[establish TCP connection]
S: 220 mail.example.org ESMTP service ready
C: EHLO client.example.org
S: 250 mail.example.org offers a warm hug of welcome
S: 250 STARTTLS
C: STARTTLS
S: 220 Go ahead
[TLS handshake]
C: EHLO client.example.org [TLS secured]
Example source: Wikipedia
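The client side of the exchange above hinges on one decision: after EHLO, is STARTTLS among the advertised keywords, and if not, does the client continue in plaintext or stop? Because the upgrade is negotiated in the clear, a client that continues whenever the keyword is missing loses protection whenever it is missing, so the defensive setting is to require TLS and fail closed. The following Python is an added example, not from the lecture: it parses an RFC 5321 multi-line reply ("250-" continuation lines, "250 " final line), extracts the keywords, and applies either policy. The reply lines are constructed, modelled on the transcript above.

```python
from typing import List, Tuple

# Constructed server replies (not the lecture's transcript): RFC 5321 multi-line replies carry
# "250-" on continuation lines and "250 " (space) on the final line.
EHLO_REPLY_WITH_STARTTLS = [
    "250-mail.example.org offers a warm hug of welcome",
    "250-8BITMIME",
    "250 STARTTLS",
]
EHLO_REPLY_WITHOUT_STARTTLS = [   # what the client sees if the keyword is absent or was removed on the path
    "250-mail.example.org offers a warm hug of welcome",
    "250 8BITMIME",
]

def parse_ehlo_reply(lines: List[str]) -> Tuple[int, List[str]]:
    """Return (reply code, EHLO keywords) from the server's reply lines; line 1 is the greeting."""
    if not lines:
        raise ValueError("empty reply")
    code, keywords = None, []
    for i, line in enumerate(lines):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise ValueError("inconsistent reply codes")
        if i > 0:                                   # keyword is the first word after "250-" / "250 "
            keywords.append(line[4:].strip().split(" ", 1)[0].upper())
        if line[3] == " ":                          # final line of the reply
            if i != len(lines) - 1:
                raise ValueError("data after final reply line")
            return code, keywords
    raise ValueError("reply not terminated")

def next_step(ehlo_reply: List[str], require_tls: bool) -> str:
    """What the client does after EHLO: 'STARTTLS' (send STARTTLS, then run the handshake)
    or 'PLAINTEXT'. With require_tls the client fails closed instead of continuing unprotected."""
    code, keywords = parse_ehlo_reply(ehlo_reply)
    if code != 250:
        raise RuntimeError(f"EHLO rejected with {code}")
    if "STARTTLS" in keywords:
        return "STARTTLS"
    if require_tls:
        raise RuntimeError("STARTTLS not offered; refusing to continue in plaintext")
    return "PLAINTEXT"

def starttls_accepted(reply_line: str) -> bool:
    """The server's answer to STARTTLS must be a 220 ("Go ahead") before the handshake begins."""
    return reply_line[:3] == "220" and (len(reply_line) == 3 or reply_line[3] == " ")

if __name__ == "__main__":
    print(next_step(EHLO_REPLY_WITH_STARTTLS, require_tls=True))      # STARTTLS
    print(next_step(EHLO_REPLY_WITHOUT_STARTTLS, require_tls=False))  # PLAINTEXT
    print(starttls_accepted("220 Go ahead"))                          # True
```

After the handshake the client re-issues EHLO over the protected connection, as in the transcript, and should treat the capabilities learned before the upgrade as untrusted.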
UDP Security
⚫ Problem:
− TLS can only be used with TCP
⚫ Approach for UDP:
− Security mechanisms moved into application
− Datagram TLS (RFC 4347)
▪ Secures individual packets
▪ Packet loss and packet reordering are no issue (as usual with UDP)
▪ Reliable transport of handshake messages
Attacks on TLS
Padding Oracle Attack
⚫ Recapitulation: Block cipher and Padding
⚫ Encryption:
− Fill plaintext to multiple of block size (padding)
− Encrypt
⚫ Decryption:
− Decrypt
− Verify padding (e.g. PKCS #5)
− If padding is invalid (e.g. PKCS #5: ... 08 02) send an error message
Padding Oracle
⚫ A sends encrypted messages (using CBC) to B
⚫ E eavesdrops encrypted messages
⚫ E sends modified messages to B
⚫ B decrypts messages and responds with “Padding Error” or “OK”
Figure: A and B share key k; A sends $c = \mathrm{Enc}_k(p)$; E records c and sends a modified $c^*$ to B; B computes $\mathrm{Dec}_k(c)$ and $\mathrm{Dec}_k(c^*)$ and answers OK / Error
Padding Oracle
⚫ A and B communicating using block cipher with CBC mode (decryption at B illustrated)
⚫ E has picked up 2 cipher text blocks (for simplification let’s assume E knows IV and $c_0$, and $c_0$ includes the end of a message) → E wants to learn $p_0$
⚫ If E sends cipher text to B, B decrypts the cipher text and sends an error message if the padding of the decrypted message is invalid
⚫ In practice: even if B does not explicitly send error messages, E can often derive the result of the padding verification (e.g. timing, behavior)
Figure: CBC decryption – $p_0 = D(c_0) \oplus IV$, $p_1 = D(c_1) \oplus c_0$, $p_2 = D(c_2) \oplus c_1$
Padding Oracle
⚫ Setup (slide 45): $p_0 = D_k(c_0) \oplus IV$; E knows $IV$ = A4 17 D3 94 01 BD 81 0A and $c_0$, but neither $D_k(c_0)$ nor $p_0$ (XX = unknown to E); sending the unmodified pair gives B: OK
⚫ Finding the padding length (slides 46–48): E changes single IV bytes, which changes the same byte of $p_0$:
− IV[0] = F0 → B: OK
− IV[1] = A9 → B: OK
− IV[2] = 56 → B: Error, i.e. byte 2 is checked by B as padding
⚫ Conclusion (slide 49): the last six bytes of $p_0$ are padding, $p_0$ = XX XX 06 06 06 06 06 06
⚫ Extending the padding (slides 50–51): flipping the lowest bit of IV[7] (0A → 0B) turns $p_0$[7] from 06 into 07, since 06 ⊕ 0A ⊕ 0B = 07; doing the same for IV[2..7] (IV = A4 17 D2 95 00 BC 80 0B) gives $p_0$ = XX XX 07 07 07 07 07 07 → B: Error, because a valid padding 07 needs seven bytes
⚫ Guessing the next byte (slide 52): E tries all values 00, 01, 02, …, 0A, … for IV[1]; B answers Error for every value except 0A, which gives B: OK
⚫ Result (slide 53): with IV = A4 0A D2 95 00 BC 80 0B the decrypted block is XX 07 07 07 07 07 07 07, so $D_k(c_0)$[1] = 0A ⊕ 07 and the original plaintext byte is $p_0$[1] = 0A ⊕ 07 ⊕ 17 = 1A
Padding Oracle
⚫ Number of guesses for recovering a complete block (128 bit):
− “Simple” brute force: $2^{128}$
− Padding oracle: $16 \cdot 256 = 2^{12}$
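The byte-by-byte procedure on slides 45–53 and the $16 \cdot 256$ count on slide 54 can be checked against a toy receiver, and the same harness shows why the countermeasure the deck recommends (authenticated encryption, no distinguishable padding error) closes the oracle. The following Python is an added example, not from the lecture: a constructed 8-byte Feistel block cipher stands in for the real block cipher, `leaky_receiver` answers OK/Error exactly as B does on slide 43, and `recover_block` runs the general form of the slides' procedure (right to left, at most 256 guesses per byte, plus the re-check needed when a guess accidentally forms a longer valid pad). `etm_receiver` is the defender's variant: encrypt-then-MAC verifies a MAC over IV and ciphertext before decrypting, so every forged IV g
ets the same rejection and the procedure learns nothing and stops after 256 queries. Keys, IV and message are constructed; the IV is the one printed on the slides.

```python
import hmac
import hashlib
from typing import Callable, Optional, Tuple

BLOCK = 8  # 64-bit blocks, as in the hex dumps on the slides

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed toy block cipher: 4-round Feistel network with an HMAC-SHA256 round function.
# It stands in for E/D on the slides; the demo only needs an invertible keyed permutation.
def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for r in range(4):
        left, right = right, _xor(left, _round(key, r, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for r in reversed(range(4)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right

def pad(data: bytes) -> bytes:                 # PKCS #5: n bytes of value n, 1 <= n <= BLOCK
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:               # the check B performs; raises on invalid padding
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, c), prev)  # p_i = D_k(c_i) xor c_{i-1}
        prev = c
    return out

Oracle = Callable[[bytes, bytes], bool]       # (IV, ciphertext) -> True for "OK", False for "Error"

def leaky_receiver(key: bytes) -> Oracle:     # B as on slide 43: decrypt, then report the padding result
    def receive(iv: bytes, ct: bytes) -> bool:
        try:
            unpad(cbc_decrypt(key, iv, ct))
            return True
        except ValueError:
            return False
    return receive

def etm_receiver(key: bytes, mac_key: bytes, tag: bytes) -> Oracle:
    """Hardened B: MAC over IV||ciphertext is checked first; forged input is rejected before
    decryption, so the padding is never examined and E gets one uniform answer."""
    def receive(iv: bytes, ct: bytes) -> bool:
        if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
            return False
        unpad(cbc_decrypt(key, iv, ct))
        return True
    return receive

def recover_block(oracle: Oracle, c0: bytes) -> Tuple[Optional[bytes], int]:
    """Learn D_k(c0) byte by byte, right to left, by forging IVs (slides 45-53 generalised).
    Returns (D_k(c0), queries), or (None, queries) if the oracle never answers OK."""
    inter, queries = bytearray(BLOCK), 0
    for i in range(BLOCK - 1, -1, -1):
        n = BLOCK - i                                 # padding value the forged block must end with
        for g in range(256):
            iv = bytearray(BLOCK)
            for j in range(i + 1, BLOCK):
                iv[j] = inter[j] ^ n                  # already-known bytes are steered to n
            iv[i] = g
            queries += 1
            if not oracle(bytes(iv), c0):
                continue
            if i == BLOCK - 1:                        # OK could stem from a longer pad (02 02, ...):
                iv[i - 1] ^= 0xFF                     # disturb the byte to the left and re-check
                queries += 1
                if not oracle(bytes(iv), c0):
                    continue
            inter[i] = g ^ n
            break
        else:
            return None, queries
    return bytes(inter), queries

# Constructed keys; the IV from the slides. "hi" pads to hi 06 06 06 06 06 06 like slide 49.
KEY, MAC_KEY = b"toy-enc-key (constructed)", b"toy-mac-key (constructed)"
IV = bytes.fromhex("A417D39401BD810A")

def demo() -> dict:
    ct = cbc_encrypt(KEY, IV, pad(b"hi"))
    inter, q_leaky = recover_block(leaky_receiver(KEY), ct[:BLOCK])
    recovered = _xor(inter, IV) if inter else None    # p_0 = D_k(c_0) xor IV
    tag = hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest()
    inter_etm, q_etm = recover_block(etm_receiver(KEY, MAC_KEY, tag), ct[:BLOCK])
    return {"recovered": recovered, "leaky_queries": q_leaky,
            "hardened": inter_etm, "hardened_queries": q_etm}
```

Running `demo()` recovers the padded block `hi 06 06 06 06 06 06` from the leaky receiver in at most 8 · 256 queries plus a handful of re-checks, and returns `None` for the hardened receiver. Slide 44's remark that the error signal may be a timing difference rather than an explicit message is why the fix is to remove the distinguishable check altogether (AEAD, as in TLS 1.3) rather than to suppress the alert.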
Attack on CBC
⚫ Recapitulation: CBC mode for encryption
⚫ Prerequisite for attack: attacker can choose plain text
⚫ Attacker guesses $p_i = x$
⚫ For plain text $p_j$ he chooses $x \oplus c_{i-1} \oplus c_{j-1}$
⚫ If guess is correct:
$$c_j = E(p_j \oplus c_{j-1}) = E(x \oplus c_{i-1} \oplus c_{j-1} \oplus c_{j-1}) = E(x \oplus c_{i-1}) = E(p_i \oplus c_{i-1}) = c_i$$
⚫ If guess is not correct, repeat attack
Figure: CBC encryption – $c_0 = E(p_0 \oplus IV)$, $c_1 = E(p_1 \oplus c_0)$, $c_2 = E(p_2 \oplus c_1)$
Attack on CBC
⚫ BEAST attack (2011)
− attacker places JavaScript code in a legitimate Web site (e.g. via iFrame)
− Attack program can send arbitrary data over the existing TLS connection → requirements for attack fulfilled
− Attack program tries to guess the cookie for the legitimate Web site
Attack on CBC
⚫ Countermeasures:
− Upgrade to TLS 1.1 or TLS 1.2 → a fresh, unpredictable IV for each record, so the attacker can no longer compute $x \oplus c_{i-1} \oplus c_{j-1}$ in advance
− Sending an empty record (or a 1-byte record, the "1/n-1 split" used by browsers) before each data record → the next IV is the ciphertext of that record, which is not yet known when the plaintext is chosen, so guessing is harder
− Avoiding CBC mode → GCM mode recommended
− Use of RC4 (but see also the next slide)
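Worked example added to these slides (it is not part of the original lecture material) that covers both the padding-oracle slide above and the chained-IV attack on this and the previous slides. A toy Feistel block cipher stands in for AES (an assumption that keeps the file free of third-party libraries; both attacks depend only on CBC mode and TLS-style padding). `padding_oracle_attack` recovers a two-block message from a receiver that only answers "padding valid?", using at most 16 · 256 + 2 queries per block; `beast_demo` runs the chosen-plaintext guess $p_j = x \oplus c_{i-1} \oplus c_{j-1}$ against a sender whose IV is chained from the previous record (TLS 1.0 behaviour) and against one that draws a fresh random IV per record (the TLS 1.1 countermeasure), where the guess stops working. `Sender`, `beast_guess_byte`, the sample records and the cookie byte are constructed for this example.

```python
import hashlib
import os

BLOCK = 16
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
# Toy 128-bit block cipher (4-round Feistel, SHA-256 round function) standing in for AES:
# an assumption that keeps the file dependency-free; both attacks exploit CBC, not the cipher.
_f = lambda key, rnd, half: hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]
def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r
def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r
def pad(data):  # n bytes of value n, as in TLS CBC records
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]
def cbc_encrypt(key, iv, padded):  # c_k = E(p_k xor c_{k-1}), c_{-1} = IV
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

# --- Padding oracle: the receiver leaks one bit per query, "was the padding valid?"
def padding_oracle(key, iv, block):
    try:
        unpad(xor(block_decrypt(key, block), iv))
        return True
    except ValueError:
        return False

def padding_oracle_attack(oracle, iv, ct):
    """At most 256 queries per byte: 16 * 256 = 2^12 per block (+2 for the last byte), not 2^128."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered, queries = b"", 0
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D(target); the plaintext block is inter xor prev
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos  # force bytes pos+1.. to decrypt to padval, then hunt byte pos
            forged = bytearray(BLOCK)
            for k in range(pos + 1, BLOCK):
                forged[k] = inter[k] ^ padval
            for guess in range(256):
                forged[pos] = guess
                queries += 1
                if not oracle(bytes(forged), target):
                    continue
                if pos == BLOCK - 1:  # a hit may be an accidental 0x02 0x02 pad: flip byte 14 to tell
                    probe = bytearray(forged)
                    probe[pos - 1] ^= 1
                    queries += 1
                    if not oracle(bytes(probe), target):
                        continue
                inter[pos] = guess ^ padval
                break
        recovered += xor(bytes(inter), prev)
    return unpad(recovered), queries

def padding_oracle_demo(plaintext):
    key, iv = os.urandom(16), os.urandom(16)
    ct = cbc_encrypt(key, iv, pad(plaintext))
    return padding_oracle_attack(lambda f_iv, blk: padding_oracle(key, f_iv, blk), iv, ct)

# --- Chosen-plaintext attack on chained IVs (BEAST): TLS 1.0 vs. the TLS 1.1 fix
class Sender:  # random_iv=False: IV of record n+1 is the last block of record n (TLS 1.0)
    def __init__(self, key, random_iv):
        self.key, self.random_iv, self.last = key, random_iv, os.urandom(BLOCK)
    def send(self, padded):  # attacker-chosen data travels over the victim's own connection
        iv = os.urandom(BLOCK) if self.random_iv else self.last
        ct = cbc_encrypt(self.key, iv, padded)
        self.last = ct[-BLOCK:]
        return iv, ct

def beast_guess_byte(sender, c_prev, c_i, known15):
    """Block i = known15 + 1 secret byte: for each guess x send p_j = x ^ c_{i-1} ^ c_{j-1},
    predicting c_{j-1} as the last ciphertext block on the wire; c_j == c_i iff x == p_i."""
    for x in range(256):
        c_j_prev = sender.last
        _, ct = sender.send(xor(xor(known15 + bytes([x]), c_prev), c_j_prev))
        if ct[:BLOCK] == c_i:
            return x
    return None

def beast_demo(random_iv, secret_byte):
    sender = Sender(os.urandom(16), random_iv)
    known15 = b"GET /?x=AAAAAAA"  # constructed: attacker-chosen alignment, 15 known bytes
    sender.send(pad(b"earlier record"))
    iv, ct = sender.send(pad(known15 + bytes([secret_byte])))  # victim's record with the cookie byte
    return beast_guess_byte(sender, iv, ct[:BLOCK], known15)
```

`padding_oracle_demo(b"...")` returns the recovered plaintext together with the number of oracle queries, which stays within 16 · 256 + 2 per block; `beast_demo(False, 0x53)` returns the cookie byte, while `beast_demo(True, 0x53)` returns `None` because the attacker's prediction of $c_{j-1}$ is wrong once every record gets its own random IV.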
RC4
⚫ Stream cipher
⚫ Developed in 1987 by Ron Rivest
⚫ Widespread usage in TLS and WEP
⚫ Weaknesses in the "randomness" of the keystream: statistical biases, strongest in the first output bytes
⚫ Given enough different encryptions of the same plaintext (under different keys), the plaintext can be recovered from these biases
⚫ No longer recommended (its use in TLS is prohibited by RFC 7465)
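Added example (not from the original slides) that makes the "enough different encryptions of the same plaintext" bullet concrete: a standard-library RC4 implementation and the Mantin-Shamir broadcast attack on the second output byte, which is 0 with probability about 2/256 instead of 1/256, so the most frequent second ciphertext byte across many sessions is the plaintext byte itself. The keys come from a seeded PRNG so the run is reproducible; the two-byte "secret" and the 20000 sessions are constructed.

```python
import random
from collections import Counter

def rc4_keystream(key, n):
    """RC4: key-scheduling algorithm (KSA), then n bytes from the generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_encrypt(key, data):
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))

def broadcast_attack(ciphertexts, position=1):
    """Keystream byte 2 is 0 with probability ~2/256 (Mantin-Shamir bias), so over many
    encryptions of the same plaintext under different keys the most frequent second
    ciphertext byte equals the second plaintext byte."""
    counts = Counter(ct[position] for ct in ciphertexts)
    return counts.most_common(1)[0][0]

def broadcast_demo(n_keys=20000, seed=2011):
    """Constructed scenario: the same two-byte secret is sent in n_keys sessions under random keys."""
    secret = b"S!"
    rng = random.Random(seed)  # seeded so the run is reproducible
    cts = [rc4_encrypt(bytes(rng.getrandbits(8) for _ in range(16)), secret) for _ in range(n_keys)]
    return broadcast_attack(cts), secret[1]
```

`broadcast_demo()` returns the byte the attack recovers next to the true second plaintext byte; in TLS the "same plaintext" is typically a cookie or password sent in every request, and later work extended the same idea to biases in all of the first 256 keystream bytes.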
Famous Attacks on TLS
⚫ Downgrade attacks:
− POODLE
− FREAK
− Logjam
⚫ Padding oracle:
− Lucky Thirteen
− ROBOT
⚫ Misusing CBC:
− BEAST
⚫ Misusing compression:
− CRIME
TLS and the Web
Security for the Web
⚫ Typical usage:
− Confidentiality: TLS
− Integrity: TLS
− Authentication (server → client): TLS / certificate
− Authentication (client → server):
▪ Password (entered into an HTML form) transported via HTTP POST
▪ Advantages / disadvantages compared to TLS client authentication?
TLS in the Browser
⚫ The browser checks:
− Was the TLS handshake successful? (this proves that the server owns the private key belonging to the certificate)
− Does the hostname in the address bar match a hostname inside the certificate?
− Is there a signed chain from the server certificate to a trusted CA?
− Is the certificate still within its validity period?
− Has the certificate not been revoked?
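Added example, not part of the original slides, of the two checks in the list that a client can perform locally on the parsed certificate fields: the address-bar hostname against the certificate's Subject Alternative Name entries with the wildcard rules browsers apply, and the validity period. The certificate is a constructed dict standing in for a parsed X.509 certificate (an assumption); building the signed chain to a trusted CA and the revocation lookup are left to the TLS library.

```python
from datetime import datetime, timezone
import ipaddress

def hostname_matches(san_dns_name, hostname):
    """Compare the address-bar host name with one dNSName from the certificate's
    Subject Alternative Name the way browsers do: case-insensitive, a wildcard only
    as the complete left-most label, never spanning a dot, never for the registrable
    domain itself ("*.com"), and never for IP literals."""
    pattern = san_dns_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal must be matched against an iPAddress SAN, not a dNSName
    except ValueError:
        pass
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in p_labels[1:] or len(p_labels) < 3:
        return False  # "f*.example.com", "a.*.example.com" and "*.com" are all refused
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def browser_checks(cert, hostname, now):
    """Return the checks that fail for the given (constructed) certificate fields; an
    empty list means both local checks pass. Chain building to a trusted CA and the
    revocation lookup are assumed to be done by the TLS library."""
    failures = []
    if not any(hostname_matches(name, hostname) for name in cert["san_dns"]):
        failures.append("hostname not in certificate")
    if not cert["not_before"] <= now <= cert["not_after"]:
        failures.append("certificate outside validity period")
    return failures

# Constructed sample: the fields a parsed certificate would provide (not a real certificate)
SAMPLE_CERT = {
    "san_dns": ["www.example.com", "*.api.example.com"],
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
}
DURING_VALIDITY = datetime(2024, 6, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2026, 1, 1, tzinfo=timezone.utc)
```

Only the SAN is consulted: modern browsers ignore the subject Common Name, and a certificate that carries the name only in the CN fails the hostname check.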
Summary
⚫ TLS is the most widespread security protocol at the transport layer (on top of TCP, below the application)
⚫ Allows application-specific security
⚫ The user can directly influence the security level
⚫ Problems:
− certificate management
− usage of insecure algorithms → regular configuration verification
− weaknesses in the protocol or its implementations
Practical Usage Recommendations
⚫ Server test: https://www.ssllabs.com/ssltest/
⚫ TLS version: 1.2 (or 1.3)
⚫ Key exchange: (ephemeral) Diffie-Hellman (EC or FF)
⚫ Encryption/integrity: AES/GCM
⚫ Hash (MAC, key derivation): SHA-2
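Added example (not part of the original slides) that turns the recommendations into a Python `ssl` client context, shows next to it the kind of weak context that switches verification off, and adds a small local audit function in the spirit of the SSL Labs server test that lists every setting violating the recommendations. The cipher-suite aliases such as `ECDHE+AESGCM` are OpenSSL syntax, and the audit judges suites by their OpenSSL names, which is an assumption that holds for OpenSSL-backed Python builds.

```python
import ssl

def hardened_client_context():
    """Client context following the recommendations: TLS 1.2 as the floor (TLS 1.3 stays
    enabled), ephemeral (EC)DH key exchange only, AES-GCM with SHA-2 only, compression off,
    and certificate plus hostname verification left on."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname, system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5")  # TLS 1.2 suites; 1.3 suites are fixed
    ctx.options |= ssl.OP_NO_COMPRESSION  # CRIME: never compress before encrypting
    return ctx

def weak_client_context():
    """The kind of context found in code that only wanted the certificate error to go away."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:  # OpenSSL builds without TLS 1.0 support refuse this
        pass
    return ctx

def audit_context(ctx):
    """Local configuration check: returns the findings, an empty list meaning 'as recommended'."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("certificate or hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if name.startswith("TLS_"):  # TLS 1.3 suites: always (EC)DHE + AEAD + SHA-2
            continue
        pfs = "ECDHE" in name or name.startswith("DHE")
        aead = "GCM" in name or "CHACHA20" in name
        sha2 = name.endswith(("SHA256", "SHA384"))
        if not (pfs and aead and sha2):
            findings.append("weak cipher suite enabled: " + name)
    return findings
```

`audit_context(ssl.create_default_context())` on most Python versions still reports RSA key exchange and CBC suites, which is why the hardened context narrows the cipher list explicitly; the SSL Labs test performs the same kind of check from the outside against a live server.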