Secure Socket Layer (SSL) and Transport Layer Security (TLS)
pdm12/cse545/slides/cse545-tls.pdf
CSE598K/CSE545 - Advanced Network Security - Prof. McDaniel - Spring 2008
SSL/TLS
• The Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols implement security above the transport layer: they sit between the application protocols and TCP, and run in application space rather than in the kernel network stack
‣ Popular for securing the web, but not part of it
‣ A general-purpose secure communication protocol suite: any application protocol that runs over TCP can run over SSL/TLS instead
‣ Uses certificate-based (X.509) authentication
[Figure: protocol stack - HTTP, FTP, SMTP over SSL/TLS over TCP over IP]
Note: throughout we will focus on SSLv3. Assume SSLv3 unless stated otherwise.
Model
• Often a one-way authentication mechanism, used to prove the authenticity of a web server to a client
‣ Server-side certificates
‣ Root CA certificates distributed with the browser
‣ Non-certified (self-signed) or expired certificates can still be accepted, but only because the browser lets the user click through a warning; the server is then effectively unauthenticated
• Mutual authentication is performed using client-side certificates
‣ Less frequently used (almost never in Web applications)
‣ Much more common inside enterprises, or where SSL/TLS is used as a layer under non-Web applications
SSL as protocol suite
• Data protocols
‣ Record Protocol
• Control protocols
‣ Handshake Protocol
‣ Change Cipher Spec Protocol
‣ Alert Protocol
[Figure: a single SSL session between Alice and Bob spanning several connections]
SSL Session State
• Session ID
• Peer certificate (if any)
• Cipher Spec
• Compression algorithm
• Master Secret
SSL Connection State
• Server and client randoms
• Server MAC key
• Client MAC key
• Server write key
• Client write key
• Initialization vectors
• Sequence numbers (one per direction, never sent on the wire)
Handshake Protocol
• The purpose of the handshake protocol is to
‣ authenticate one or both parties
‣ negotiate a shared master secret (and the cipher suite that will use it)
• The protocol operates in 4 phases
‣ Phase 1: establish security context
‣ Phase 2: server publishes certificate and key-exchange seeds
‣ Phase 3: client completes key exchange
‣ Phase 4: complete handshake
Phase 1
• Client sends an offer (CLIENT_HELLO) including
‣ SSL version (highest supported)
‣ Random (Rc) - a 4-byte timestamp plus 28 random bytes (32 bytes in all)
‣ Session ID - empty (0) for a new session, non-zero to resume an existing one
‣ CipherSuite list - the key exchange, encryption and MAC algorithm combinations the client supports, plus its compression methods
• Server replies with a (SERVER_HELLO) response
‣ Selection of SSL version, cipher suite and compression algorithm
‣ A new session ID (as needed) (SID)
‣ A server random number (Rs), in the same format as Rc
Phase 2
• Server sends a (CERTIFICATE)
‣ This contains the public key certificate for the server, i.e. its public key $K_s^+$
• Server sends a (SERVER_KEY_EXCHANGE)
‣ This contains the server parameters for the key exchange to be performed (there are many variants)
• For example, Diffie-Hellman sends the prime modulus and generator $(n, g)$ together with the server's public value $X = g^x \bmod n$
‣ In the ephemeral (DHE) suites the key exchange parameters are signed with the server's private key $K_s^-$ over the exchanged random numbers, which binds them to this handshake and prevents their replay:
$$\mathrm{Sig}\big(K_s^-,\; R_c \,|\, R_s \,|\, n \,|\, g \,|\, X\big), \qquad X = g^x \bmod n$$
‣ Anonymous Diffie-Hellman sends the same parameters unsigned, so it gives no server authentication and is open to a man-in-the-middle
• Server sends a completion (SERVER_DONE)
Phase 3
• Client sends a (CERTIFICATE) - optional
‣ This contains the public key certificate for the client, i.e. $K_c^+$
• Client sends a response (CLIENT_KEY_EXCHANGE)
‣ This contains the client's key exchange parameters
‣ As before, these are the client's public Diffie-Hellman parameters
• If the client has signing capability it proves possession of its private key with a separate CERTIFICATE_VERIFY message
‣ The parties then generate the pre_master_secret:
$$X = g^x \bmod n, \qquad Y = g^y \bmod n, \qquad pms = Y^x \bmod n = X^y \bmod n$$
Phase 4
• Both sides complete the process by computing the 48-byte master secret from the pre_master_secret and the two randoms:
$$M_{sk} = \mathrm{MD5}\big(pms \,|\, \mathrm{SHA}(\text{'A'} \,|\, pms \,|\, R_c \,|\, R_s)\big) \,|\, \mathrm{MD5}\big(pms \,|\, \mathrm{SHA}(\text{'BB'} \,|\, pms \,|\, R_c \,|\, R_s)\big) \,|\, \mathrm{MD5}\big(pms \,|\, \mathrm{SHA}(\text{'CCC'} \,|\, pms \,|\, R_c \,|\, R_s)\big)$$
• Then generate a "key block" of secret bytes the same way from $M_{sk}$ (note that SSLv3 feeds the randoms in the opposite order, server first, in this step):
$$\text{key\_block} = \mathrm{MD5}\big(M_{sk} \,|\, \mathrm{SHA}(\text{'A'} \,|\, M_{sk} \,|\, R_s \,|\, R_c)\big) \,|\, \mathrm{MD5}\big(M_{sk} \,|\, \mathrm{SHA}(\text{'BB'} \,|\, M_{sk} \,|\, R_s \,|\, R_c)\big) \,|\, \mathrm{MD5}\big(M_{sk} \,|\, \mathrm{SHA}(\text{'CCC'} \,|\, M_{sk} \,|\, R_s \,|\, R_c)\big) \,|\, \mathrm{MD5}\big(M_{sk} \,|\, \mathrm{SHA}(\text{'DDDD'} \,|\, M_{sk} \,|\, R_s \,|\, R_c)\big) \,|\, \ldots$$
• Finally each side sends CHANGE_CIPHER_SPEC and a FINISHED message, a MAC over the whole handshake transcript under the new keys; a mismatch means the handshake messages were tampered with
Transport Keys
• Just iterate the key_block construction as a PRF until enough bytes exist, then slice them into the client and server keys
• Note: this PRF is of practically unlimited length. TLS uses the same idea extensively, although its PRF is built differently (TLS 1.0 XORs an MD5-based and a SHA-1-based expansion)
[Figure: key_block sliced into client write key, server write key, server MAC key, client MAC key, ...]
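The four handshake phases above and the key_block slicing, run end to end as an added example. This is not code from the lecture: it performs an anonymous Diffie-Hellman exchange (the server signature over Rc|Rs|n|g|X is omitted, since the standard library has no RSA), uses a constructed toy group that is far too small for real use, derives the 48-byte master secret and the key_block with the MD5/SHA construction from the slides (SSLv3 feeds the randoms as Rs|Rc for the key_block step, per RFC 6101 6.2.2), and slices the key_block into the per-direction MAC keys, write keys and IVs. The function and variable names are the example's own.

```python
"""SSLv3-style handshake in miniature: DH exchange, master secret, key_block."""
import hashlib
import os
import struct
import time

# Constructed toy group: the Mersenne prime 2^127 - 1 with generator 5. It only
# keeps the example fast; it is far too small to be safe for real use.
DH_N = (1 << 127) - 1
DH_G = 5
DH_LEN = (DH_N.bit_length() + 7) // 8


def ssl_random() -> bytes:
    """Hello.random: 4-byte gmt_unix_time followed by 28 random bytes (32 in all)."""
    return struct.pack("!I", int(time.time()) & 0xFFFFFFFF) + os.urandom(28)


def dh_keypair() -> tuple:
    """Return (private exponent, public value g^e mod n)."""
    e = 2 + int.from_bytes(os.urandom(16), "big") % (DH_N - 3)
    return e, pow(DH_G, e, DH_N)


def pre_master_secret(my_priv: int, peer_pub: int) -> bytes:
    """pms = Y^x mod n on the server, X^y mod n on the client (same value)."""
    return pow(peer_pub, my_priv, DH_N).to_bytes(DH_LEN, "big")


def ssl3_expand(secret: bytes, r1: bytes, r2: bytes, nbytes: int) -> bytes:
    """SSLv3 expansion: MD5(secret | SHA1(label | secret | r1 | r2)) for the
    labels 'A', 'BB', 'CCC', ... until nbytes have been produced."""
    out = b""
    for i in range(1, 1 + (nbytes + 15) // 16):
        label = bytes([0x40 + i]) * i          # 'A' is 0x41, so 'A', 'BB', 'CCC', ...
        inner = hashlib.sha1(label + secret + r1 + r2).digest()
        out += hashlib.md5(secret + inner).digest()
    return out[:nbytes]


def master_secret(pms: bytes, rc: bytes, rs: bytes) -> bytes:
    """48-byte master secret: three MD5 blocks, randoms in the order Rc | Rs."""
    return ssl3_expand(pms, rc, rs, 48)


def key_block(ms: bytes, rc: bytes, rs: bytes, mac_len: int, key_len: int, iv_len: int) -> dict:
    """Expand the master secret (SSLv3 feeds the randoms as Rs | Rc here, per
    RFC 6101 6.2.2) and slice the bytes in the fixed order below."""
    need = 2 * (mac_len + key_len + iv_len)
    kb = ssl3_expand(ms, rs, rc, need)
    layout = [("client_mac_key", mac_len), ("server_mac_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_iv", iv_len), ("server_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def run_handshake(mac_len: int = 20, key_len: int = 16, iv_len: int = 0) -> tuple:
    """Phases 1-4 from both sides; returns (client_keys, server_keys).
    Defaults match an RC4-128 / SHA-1 suite (no IV)."""
    # Phase 1: CLIENT_HELLO and SERVER_HELLO carry the two 32-byte randoms.
    rc, rs = ssl_random(), ssl_random()
    # Phase 2: SERVER_KEY_EXCHANGE carries (n, g, X). Unsigned here (anonymous
    # DH), so a man in the middle could substitute its own X; DHE suites sign it.
    x, X = dh_keypair()
    # Phase 3: CLIENT_KEY_EXCHANGE carries Y; both sides can now compute pms.
    y, Y = dh_keypair()
    pms_server = pre_master_secret(x, Y)
    pms_client = pre_master_secret(y, X)
    # Phase 4: master secret and key_block on each side; CHANGE_CIPHER_SPEC and
    # FINISHED would follow (not modelled here).
    ms_client = master_secret(pms_client, rc, rs)
    ms_server = master_secret(pms_server, rc, rs)
    return (key_block(ms_client, rc, rs, mac_len, key_len, iv_len),
            key_block(ms_server, rc, rs, mac_len, key_len, iv_len))


if __name__ == "__main__":
    client_keys, server_keys = run_handshake()
    print("both sides agree:", client_keys == server_keys)
    for name, value in client_keys.items():
        print(f"{name:17s} {value.hex()}")
```

Run it and both sides print identical key material; pass `run_handshake(20, 24, 8)` to see the 3DES-style layout with IVs. The security point the code makes explicit is that nothing in Phase 2 or 3 ties X and Y to the server's identity: an attacker who relays two separate exchanges derives a valid key_block with each side, which is exactly what the DHE signature over Rc|Rs|n|g|X prevents.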
Record Protocol
• Provides to client (initiator) and server (service)
‣ Confidentiality (via encryption)
‣ Integrity (via MAC)
• Data is fragmented, compressed, and then the security constructions are applied: the MAC is computed over the sequence number and the compressed fragment (which defeats replay and reordering), the fragment and its MAC are encrypted together, and a record header (HDR) is prepended
• Note the order: MAC-then-encrypt. The receiver has to decrypt before it can check integrity, which is why the later padding-oracle attacks on the CBC suites were possible
[Figure: original data → fragments → compressed fragments → MAC appended → encrypted → record header prepended]
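One direction of the record layer as described above, written out as an added example (not code from the lecture). It uses TLS 1.0 conventions: null compression, HMAC-SHA1 over seq_num | type | version | length | fragment, and MAC-then-encrypt with a stream cipher. The RC4 class is implemented inline only to keep the example self-contained (RC4 was a real SSL/TLS cipher, but it is broken and must not be used in new code); the MAC and write keys are constructed constants standing in for slices of the key_block, and all class and function names are the example's own.

```python
"""TLS 1.0-style record layer, one direction: fragment, MAC, encrypt, verify."""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 1 << 14          # record-layer maximum plaintext fragment
CT_APPLICATION_DATA = 23
VERSION = b"\x03\x01"           # TLS 1.0 on the wire; SSLv3 would be 0x0300
MAC_LEN = hashlib.sha1().digest_size


class RC4:
    """Minimal RC4; keystream state persists across records like a real stream suite."""

    def __init__(self, key: bytes):
        S, j = list(range(256)), 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.S, self.i, self.j = S, 0, 0

    def crypt(self, data: bytes) -> bytes:
        S, out = self.S, bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + S[self.i]) & 0xFF
            S[self.i], S[self.j] = S[self.j], S[self.i]
            out.append(b ^ S[(S[self.i] + S[self.j]) & 0xFF])
        return bytes(out)


class BadRecordMAC(Exception):
    """The fatal bad_record_mac alert (the slides' 'MAC failure')."""


class RecordState:
    """Write state on the sender, read state on the receiver: same MAC key, same
    cipher key, and an implicit 64-bit sequence number that is never sent."""

    def __init__(self, mac_key: bytes, write_key: bytes):
        self.mac_key, self.cipher, self.seq = mac_key, RC4(write_key), 0

    def _mac(self, ctype: int, fragment: bytes) -> bytes:
        header = struct.pack("!QB2sH", self.seq, ctype, VERSION, len(fragment))
        return hmac.new(self.mac_key, header + fragment, hashlib.sha1).digest()

    def protect(self, data: bytes, ctype: int = CT_APPLICATION_DATA) -> list:
        """Fragment, MAC, encrypt; returns the wire records (5-byte header + body)."""
        fragments = [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]
        records = []
        for frag in fragments:
            body = self.cipher.crypt(frag + self._mac(ctype, frag))
            records.append(struct.pack("!B2sH", ctype, VERSION, len(body)) + body)
            self.seq += 1
        return records

    def unprotect(self, record: bytes) -> tuple:
        """Parse, decrypt, verify; returns (content type, fragment) or raises."""
        ctype, version, length = struct.unpack("!B2sH", record[:5])
        body = record[5:]
        if version != VERSION or len(body) != length:
            raise ValueError("malformed record")
        plain = self.cipher.crypt(body)
        if len(plain) < MAC_LEN:
            raise BadRecordMAC("record shorter than the MAC")
        frag, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
        expected = self._mac(ctype, frag)      # uses the receiver's own seq number
        self.seq += 1
        if not hmac.compare_digest(tag, expected):
            raise BadRecordMAC("MAC mismatch: tampered, replayed or reordered record")
        return ctype, frag


# Constructed keys; in a real connection these are slices of the key_block.
MAC_KEY, WRITE_KEY = bytes(range(20)), b"\x5a" * 16


def roundtrip() -> tuple:
    """Send a message that spans two records; returns (record count, matches?)."""
    sender, receiver = RecordState(MAC_KEY, WRITE_KEY), RecordState(MAC_KEY, WRITE_KEY)
    message = b"GET / HTTP/1.0\r\n\r\n" + b"A" * 20000
    records = sender.protect(message)
    received = b"".join(receiver.unprotect(r)[1] for r in records)
    return len(records), received == message


def tamper_rejected() -> bool:
    """Flip one ciphertext byte inside the fragment; the MAC check must fail."""
    sender, receiver = RecordState(MAC_KEY, WRITE_KEY), RecordState(MAC_KEY, WRITE_KEY)
    record = bytearray(sender.protect(b"transfer $100")[0])
    record[10] ^= 0x01
    try:
        receiver.unprotect(bytes(record))
    except BadRecordMAC:
        return True
    return False


def replay_rejected() -> bool:
    """Deliver the same record twice; the sequence number defeats the replay."""
    sender, receiver = RecordState(MAC_KEY, WRITE_KEY), RecordState(MAC_KEY, WRITE_KEY)
    record = sender.protect(b"transfer $100")[0]
    receiver.unprotect(record)
    try:
        receiver.unprotect(record)
    except BadRecordMAC:
        return True
    return False
```

`roundtrip()` returns `(2, True)`: 20018 bytes split into a 16384-byte record and a 3634-byte one. The other two functions show why the MAC input includes the sequence number: a bit flip in the ciphertext and a replayed record both fail verification, and a real implementation answers with a fatal bad_record_mac alert and tears the connection down.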
RFC 2104 (HMAC, the MAC used by TLS)
Given:
h() = hash function
B = byte length of h's input block (64 for MD5 and SHA-1); keys longer than B are first hashed, shorter keys are zero-padded to B
K = a secret key
padi = inner pad = 0x36 repeated B times
pado = outer pad = 0x5C repeated B times
text = text to MAC
Compute the MAC:
$$\mathrm{MAC}(K, text) = H\big((K \oplus pado) \,|\, H((K \oplus padi) \,|\, text)\big)$$
The nested construction is what closes the length-extension weakness of the naive $H(K \,|\, text)$.
Note: SSLv3 itself uses an earlier, non-standard MAC that concatenates the key and the pads instead of XORing them; TLS 1.0 replaced it with the HMAC above.
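The RFC 2104 construction above written out from its definition, as an added example (not the lecture's code), with the pads as the RFC fixes them (inner 0x36, outer 0x5C), the long-key and short-key handling, and a self-check against the standard library's hmac module plus one published HMAC-MD5 test value. It assumes the hash is a hashlib constructor so the block size can be read from an instance; function names are the example's own.

```python
"""RFC 2104 HMAC from the definition, cross-checked against hashlib's hmac."""
import hashlib
import hmac


def hmac_rfc2104(key: bytes, text: bytes, h=hashlib.sha1) -> bytes:
    B = h().block_size                       # input block size (64 for MD5, SHA-1)
    if len(key) > B:                         # keys longer than B are hashed first
        key = h(key).digest()
    key = key.ljust(B, b"\x00")              # then zero-padded to exactly B bytes
    k_ipad = bytes(k ^ 0x36 for k in key)    # K xor padi
    k_opad = bytes(k ^ 0x5C for k in key)    # K xor pado
    inner = h(k_ipad + text).digest()
    return h(k_opad + inner).digest()        # H((K xor pado) | H((K xor padi) | text))


def verify(key: bytes, text: bytes, tag: bytes, h=hashlib.sha1) -> bool:
    """Constant-time comparison: never compare MACs with == on the receive path."""
    return hmac.compare_digest(hmac_rfc2104(key, text, h), tag)


def selftest() -> bool:
    """Cross-check several key lengths and hashes against hashlib's hmac, then
    the published HMAC-MD5 value for the 'quick brown fox' case."""
    cases = [(b"", b""), (b"key", b"The quick brown fox jumps over the lazy dog"),
             (bytes(range(200)), b"x" * 1000)]   # last key is longer than B
    for h in (hashlib.md5, hashlib.sha1, hashlib.sha256):
        for key, text in cases:
            if hmac_rfc2104(key, text, h) != hmac.new(key, text, h).digest():
                return False
    return hmac_rfc2104(b"key", cases[1][1], hashlib.md5).hex() == "80070713463e7749b90c2dc24911e275"
```

`selftest()` returns True. Changing the inner pad to 0x35 makes every cross-check fail, which is the quickest way to see that the pad constants are part of the specification rather than arbitrary.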
Alert/CCS Protocol
• Change Cipher Spec Protocol
‣ Triggered at the end of the handshake; a one-byte message that makes the newly negotiated security association (the pending state) current, so everything that follows is protected with the new keys
• Alert Protocol - signals such as
‣ MAC failure (bad_record_mac)
‣ No known certificate
‣ Handshake failure
‣ Bad certificate
‣ Close notification (close_notify, so that a connection can be ended without a truncation attack going unnoticed)
Why?
• ... does SSL work?
• ... does SSL not work?
• ... is SSL so popular?