8-1 secure sockets layer (ssl) and transport layer security (tls) is511
TRANSCRIPT
8-1
Secure Sockets Layer (SSL) and Transport layer security (TLS)
IS511
8-2Network Security
Network SecurityGoals: understand principles of network security:
cryptography and its many uses beyond “confidentiality”
authentication message integrity
security in practice: firewalls and intrusion detection systems security in application, transport, network, link
layers
8-3Network Security
What is network security?
confidentiality: only sender, intended receiver should “understand” message contents sender encrypts message receiver decrypts message
authentication: sender, receiver want to confirm identity of each other
message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
access and availability: services must be accessible and available to users
8-4Network Security
Friends and enemies: Alice, Bob, Trudy
well-known in network security world Bob, Alice (lovers!) want to communicate “securely” Trudy (intruder) may intercept, delete, add messages
securesender s
securereceiver
channel data, control messages
data data
Alice Bob
Trudy
8-5Network Security
Who might Bob, Alice be?
… well, real-life Bobs and Alices! Web browser/server for electronic
transactions (e.g., on-line purchases) on-line banking client/server DNS servers routers exchanging routing table updates other examples?
8-6Network Security
There are bad guys (and girls) out there!
Q: What can a “bad guy” do?A: A lot!
eavesdrop: intercept messages actively insert messages into connection impersonation: can fake (spoof) source
address in packet (or any field in packet) hijacking: “take over” ongoing connection by
removing sender or receiver, inserting himself in place
denial of service: prevent service from being used by others (e.g., by overloading resources)
8-7Network Security
The language of cryptography
m plaintext messageKA(m) ciphertext, encrypted with key KA
m = KB(KA(m))
plaintext plaintextciphertext
KA
encryptionalgorithm
decryption algorithm
Alice’s encryptionkey
Bob’s decryptionkey
KB
8-8Network Security
Symmetric key cryptography
symmetric key crypto: Bob and Alice share same (symmetric) key: K
e.g., key is knowing substitution pattern in mono alphabetic substitution cipher
Q: how do Bob and Alice agree on key value?
plaintextciphertext
K S
encryptionalgorithm
decryption algorithm
S
K S
plaintextmessage, m
K (m)S
m = KS(KS(m))
8-9Network Security
AuthenticationGoal: Bob wants Alice to “prove” her
identity to himProtocol ap1.0: Alice says “I am Alice”
Failure scenario??“I am Alice”
8-10Network Security
in a network,Bob can not “see” Alice, so Trudy simply declares
herself to be Alice“I am Alice”
AuthenticationGoal: Bob wants Alice to “prove” her
identity to himProtocol ap1.0: Alice says “I am Alice”
8-11Network Security
Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packetcontaining her source IP address
Failure scenario??
“I am Alice”Alice’s
IP address
8-12Network Security
Trudy can createa packet “spoofing”
Alice’s address“I am Alice”
Alice’s IP address
Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packetcontaining her source IP address
8-13Network Security
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.
Failure scenario??
“I’m Alice”Alice’s IP addr
Alice’s password
OKAlice’s IP addr
Authentication: another try
8-14Network Security
playback attack: Trudy records Alice’s packet
and laterplays it back to Bob
“I’m Alice”Alice’s IP addr
Alice’s password
OKAlice’s IP addr
“I’m Alice”Alice’s IP addr
Alice’s password
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.
Authentication: another try
8-15Network Security
Authentication: yet another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.
Failure scenario??
“I’m Alice”Alice’s IP addr
encrypted password
OKAlice’s IP addr
8-16Network Security
recordand
playbackstill works!
“I’m Alice”Alice’s IP addr
encryptedpassword
OKAlice’s IP addr
“I’m Alice”Alice’s IP addr
encryptedpassword
Authentication: yet another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.
8-17Network Security
Goal: avoid playback attack
Failures, drawbacks?
nonce: number (R) used only once-in-a-lifetimeap4.0: to prove Alice “live”, Bob sends Alice
nonce, R. Alicemust return R, encrypted with shared secret
key“I am Alice”
R
K (R)A-B
Alice is live, and only Alice knows
key to encrypt nonce, so it must
be Alice!
Authentication: yet another try
8-18Network Security
Authentication: ap5.0ap4.0 requires shared symmetric key can we authenticate using public key
techniques?ap5.0: use nonce, public key cryptography
“I am Alice”
RBob computes
K (R)A-
“send me your public key”
K A+
(K (R)) = RA
-K A
+
and knows only Alice could have the private key, that encrypted R
such that
(K (R)) = RA
-K A
+
8-19Network Security
ap5.0: security holeman (or woman) in the middle attack: Trudy
poses as Alice (to Bob) and as Bob (to Alice)
I am Alice I am Alice
R
TK (R)
-
Send me your public key
TK
+A
K (R)-
Send me your public key
AK
+
TK (m)+
Tm = K (K (m))
+
T
-Trudy gets
sends m to Alice encrypted with
Alice’s public key
AK (m)+
Am = K (K (m))
+
A
-
R
8-20Network Security
difficult to detect:Bob receives everything that Alice sends, and vice versa. (e.g., so Bob, Alice can meet one week later and recall conversation!)problem is that Trudy receives all messages as well!
ap5.0: security holeman (or woman) in the middle attack: Trudy
poses as Alice (to Bob) and as Bob (to Alice)
8-21Network Security
Public-key certification motivation: Trudy plays pizza prank on
Bob Trudy creates e-mail order:
Dear Pizza Store, Please deliver to me four pepperoni pizzas. Thank you, Bob
Trudy signs order with her private key Trudy sends order to Pizza Store Trudy sends to Pizza Store her public key, but
says it’s Bob’s public key Pizza Store verifies signature; then delivers
four pepperoni pizzas to Bob Bob doesn’t even like pepperoni
8-22Network Security
Certification authorities certification authority (CA): binds public
key to particular entity, E. E (person, router) registers its public key with
CA. E provides “proof of identity” to CA. CA creates certificate binding E to its public key. certificate containing E’s public key digitally signed by
CA – CA says “this is E’s public key”Bob’s public
key K B+
Bob’s identifying
information
CA private
key K CA-
K B+
certificate for Bob’s public key,
signed by CA
8-23Network Security
when Alice wants Bob’s public key: gets Bob’s certificate (Bob or elsewhere). apply CA’s public key to Bob’s certificate,
get Bob’s public key
Bob’s public
key K B+
CA public
key K CA
+
K B+
Certification authorities
8-24Network Security
SSL: Secure Sockets Layerwidely deployed security
protocol supported by almost all
browsers, web servers https billions $/year over SSL
mechanisms: [Woo 1994], implementation: Netscape
variation -TLS: transport layer security, RFC 2246
provides confidentiality integrity authentication
original goals: Web e-commerce
transactions encryption (especially
credit-card numbers) Web-server
authentication optional client
authentication minimum hassle in
doing business with new merchant
available to all TCP applications secure socket interface
8-25Network Security
SSL and TCP/IP
Application
TCP
IP
normal application
Application
SSL
TCP
IP
application with SSL
SSL provides application programming interface (API) to applications
C and Java SSL libraries/classes readily available
8-26Network Security
Toy SSL: a simple secure channel handshake: Alice and Bob use their
certificates, private keys to authenticate each other and exchange shared secret
key derivation: Alice and Bob use shared secret to derive set of keys
data transfer: data to be transferred is broken up into series of records
connection closure: special messages to securely close connection
8-27Network Security
Toy: a simple handshake
MS: master secretEMS: encrypted master secret
hello
public key certificate
KB+(MS) = EMS
8-28Network Security
Toy: key derivation considered bad to use same key for more than one
cryptographic operation use different keys for message authentication code (MAC) and
encryption four keys:
Kc = encryption key for data sent from client to server
Mc = MAC key for data sent from client to server
Ks = encryption key for data sent from server to client
Ms = MAC key for data sent from server to client keys derived from key derivation function (KDF)
takes master secret and (possibly) some additional random data and creates the keys
8-29Network Security
Toy: data records why not encrypt data in constant stream as we
write it to TCP? where would we put the MAC? If at end, no message
integrity until all data processed. e.g., with instant messaging, how can we do integrity
check over all bytes sent before displaying? instead, break stream in series of records
each record carries a MAC receiver can act on each record as it arrives
issue: in record, receiver needs to distinguish MAC from data want to use variable-length records
length data MAC
8-30Network Security
Toy: sequence numbers
problem: attacker can capture and replay record or re-order records
solution: put sequence number into MAC: MAC = MAC(Mx, sequence||data) note: no sequence number field
problem: attacker could replay all records
solution: use nonce
8-31Network Security
Toy: control information
problem: truncation attack: attacker forges TCP connection close segment one or both sides thinks there is less data
than there actually is. solution: record types, with one type for
closure type 0 for data; type 1 for closure
MAC = MAC(Mx, sequence||type||data)
length type data MAC
8-32Network Security
Toy SSL: summary
hello
certificate, nonce
KB+(MS) = EMS
type 0, seq 1, datatype 0, seq 2, data
type 0, seq 1, data
type 0, seq 3, data
type 1, seq 4, close
type 1, seq 2, close
enc
rypt
ed
bob.com
8-33Network Security
Toy SSL isn’t complete
how long are fields? which encryption protocols? want negotiation?
allow client and server to support different encryption algorithms
allow client and server to choose together specific algorithm before data transfer
8-34Network Security
SSL cipher suite cipher suite
public-key algorithm symmetric encryption
algorithm MAC algorithm
SSL supports several cipher suites
negotiation: client, server agree on cipher suite client offers choice server picks one
common SSL symmetric ciphers DES – Data Encryption
Standard: block 3DES – Triple strength: block AES RC2 – Rivest Cipher 2: block RC4 – Rivest Cipher 4:
stream
SSL Public key encryption RSA
8-35Network Security
Real SSL: handshake (1)
Purpose1. server authentication2. negotiation: agree on crypto
algorithms3. establish keys4. client authentication (optional)
8-36Network Security
Real SSL: handshake (2)1. client sends list of algorithms it supports, along
with client nonce2. server chooses algorithms from list; sends back:
choice + certificate + server nonce3. client verifies certificate, extracts server’s public
key, generates pre_master_secret, encrypts with server’s public key, sends to server
4. client and server independently compute encryption and MAC keys from pre_master_secret and nonces
5. client sends a MAC of all the handshake messages6. server sends a MAC of all the handshake
messages
8-37Network Security
Real SSL: handshaking (3)
last 2 steps protect handshake from tampering
client typically offers range of algorithms, some strong, some weak
man-in-the middle could delete stronger algorithms from list
last 2 steps prevent this last two messages are encrypted
8-38Network Security
Real SSL: handshaking (4)
why two random nonces? suppose Trudy sniffs all messages
between Alice & Bob next day, Trudy sets up TCP connection
with Bob, sends exact same sequence of records Bob (Amazon) thinks Alice made two
separate orders for the same thing solution: Bob sends different random nonce
for each connection. This causes encryption keys to be different on the two days
Trudy’s messages will fail Bob’s integrity check
8-39Network Security
SSL record protocol
data
data fragment
data fragment
MAC MAC
encrypteddata and MAC
encrypteddata and MAC
recordheader
recordheader
record header: content type; version; length
MAC: includes sequence number, MAC key Mx
fragment: each SSL fragment 214 bytes (~16 Kbytes)
8-40Network Security
SSL record format
contenttype SSL version length
MAC
data
1 byte 2 bytes 3 bytes
data and MAC encrypted (symmetric algorithm)
8-41Network Security
handshake: ClientHello
handshake: ServerHello
handshake: Certificate
handshake: ServerHelloDone
handshake: ClientKeyExchangeChangeCipherSpec
handshake: Finished
ChangeCipherSpec
handshake: Finished
application_data
application_data
Alert: warning, close_notify
Real SSLconnection
TCP FIN follows
everythinghenceforth
is encrypted
8-42Network Security
Key derivation Step 4: Using the same key derivation
function, the client and server compute the MS from the PMS and nonces. The PMS is sliced up to generate the two encryption and two MAC keys. Also, when the cipher method is CBC, it also generates two initialization vectors (one for each side).
client MAC key server MAC key client encryption key server encryption key client initialization vector (IV) server initialization vector (IV)