Post on 02-Jan-2016

December 2008 Prof. Reuven Aviv, SSL 1

Web Security with SSL

Network Security

Prof. Reuven Aviv

King Mongkut’s University of Technology

Faculty of Information Technology

December 2006 Prof. Reuven Aviv, SSL 2

WEB Security with SSL/TLS

• Introduction – Risks and counter measures

• Secure Socket Layer (SSL) architecture

• SSL Record Protocol

• SSL Handshake Protocol

• In Closing: What does the SSL Really Protect?

• Appendix: Usage of SSL and Certificates in Win2K/IIS

Why is the Web Service special?

Web Security risks & counter-measures

• Corrupt server or browser data

– done by Trojans, ActiveX, Applets

• Corrupt data in transit and session hijacking

– Cryptographic checksum, Encryption

– web proxy (later lecture)

• Denial of Service: flooding server, DNS attacks

– Network Mitigation procedures

• Impersonation of users, and programs

– signatures

Approaches to network Security

Advantages and Disadvantages?

SECURE SOCKET LAYER (SSL)

SSL (Secure Socket Layer) & TLS

• SSL: Netscape, later Microsoft

– SSL 3.0 Submitted to IETF

• IETF TLS: Transport Layer Security

– essentially SSLv3.1

• Free Implementations: SSLRef, OpenSSL

• SSL support included in Microsoft IIS & IE

What methods are used for: Privacy, Integrity, Authentication, Non-Repudiation?

SSL Protocol Architecture

• SSL Record Protocol: transmission of blocks of data (records) between applications (e.g. HTTP)

What is the purpose of the SSL Handshake & Alert protocols?

SSL Record Protocol

SSL Record Protocol: Services

• Encryption/Decryption of payloads (HTTP, …)

– conventional encryption algorithms (DES…)

• Message integrity

– using a MAC

How is the MAC constructed?

– hash of (message + secret)

– secrets as agreed by the Handshake Protocol
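
The "hash of (message + secret)" construction worked through as an added example, not taken from the slides. It assumes the SSL 3.0 record MAC, which also mixes two pads, the record sequence number, the content type and the length into the hash (TLS 1.0 uses HMAC instead); the function names and sample values are constructed.

```python
import hashlib
import hmac
import struct

# SSL 3.0 pad length depends on the hash: 48 bytes for MD5, 40 for SHA-1
PAD_LEN = {"md5": 48, "sha1": 40}

def ssl3_record_mac(hash_name, mac_secret, seq_num, content_type, fragment):
    """hash(secret || pad_2 || hash(secret || pad_1 || seq || type || length || data))"""
    n = PAD_LEN[hash_name]
    # 64-bit sequence number, 1-byte content type, 16-bit fragment length
    header = struct.pack(">QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, mac_secret + b"\x36" * n + header + fragment).digest()
    return hashlib.new(hash_name, mac_secret + b"\x5c" * n + inner).digest()

def verify_record(hash_name, mac_secret, seq_num, content_type, fragment, mac):
    """Receiver side: recompute with its own sequence counter, compare in constant time."""
    expected = ssl3_record_mac(hash_name, mac_secret, seq_num, content_type, fragment)
    return hmac.compare_digest(expected, mac)

if __name__ == "__main__":
    secret = bytes(range(20))                  # constructed 20-byte MAC secret
    data = b"GET /account HTTP/1.0\r\n\r\n"    # constructed application data (type 23)
    tag = ssl3_record_mac("sha1", secret, 0, 23, data)
    changed = data.replace(b"account", b"payment")
    print("valid record:     ", verify_record("sha1", secret, 0, 23, data, tag))
    print("modified payload: ", verify_record("sha1", secret, 0, 23, changed, tag))
    print("replayed as seq 1:", verify_record("sha1", secret, 1, 23, data, tag))
```

Because the sequence number is hashed but never transmitted, a record that is replayed or reordered fails verification even though its bytes are unchanged.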

SSL Record Protocol Operation

What’s in the header?

SSL Record Format

What is to be agreed by client/server during handshake?

SSL Handshake Protocol

What is to be agreed: Cipher Suite

• Key Exchange algorithm: method to be used to create the SSL Pre-Master Secret (1 of 4, e.g. D.H.)

• Specifications of Encryption/Hash algorithms

• Encryption: from RC4, or 3DES,…

– Cipher Type: Stream or Block

• MAC Algorithm: HMAC-MD5 / HMAC-SHA-1

– IV size, Hash size, …

SSL: 6 Secrets

• Two keys for encryption; two Initial Values (for encryption); two secrets for MAC

• Procedure for derivation of secrets

• Pre_Master_Secret --> Master Secret --> Secrets

– 48 Bytes PMS: one time value

• 4 methods for deriving PMS

• Who calculates PMS / Master / Secrets?
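
The chain Pre_Master_Secret --> Master Secret --> six secrets, carried through as an added example that is not part of the slides. It assumes the SSL 3.0 derivation (MD5 over SHA-1 with the labels 'A', 'BB', 'CCC', ...); TLS 1.0 replaces this with its PRF. Function names, the sample PMS and the Hello randoms are constructed.

```python
import hashlib

def ssl3_expand(secret, seed, length):
    """SSL 3.0 expansion: concatenated MD5(secret || SHA1(label || secret || seed))
    blocks, with labels 'A', 'BB', 'CCC', ... until enough bytes exist."""
    blocks = []
    for i in range((length + 15) // 16):          # MD5 yields 16 bytes per block
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        blocks.append(hashlib.md5(secret + inner).digest())
    return b"".join(blocks)[:length]

def derive_master_secret(pms, client_random, server_random):
    if len(pms) != 48:
        raise ValueError("Pre-Master Secret must be 48 bytes")
    return ssl3_expand(pms, client_random + server_random, 48)

def derive_six_secrets(master, client_random, server_random, mac_len, key_len, iv_len):
    # The seed order is reversed for the key block: ServerHello.random comes first.
    sizes = [("client_mac", mac_len), ("server_mac", mac_len),
             ("client_key", key_len), ("server_key", key_len),
             ("client_iv", iv_len), ("server_iv", iv_len)]
    block = ssl3_expand(master, server_random + client_random, sum(n for _, n in sizes))
    secrets, pos = {}, 0
    for name, n in sizes:
        secrets[name] = block[pos:pos + n]
        pos += n
    return secrets

if __name__ == "__main__":
    pms = b"\x03\x00" + bytes(range(46))          # constructed 48-byte PMS
    c_rand, s_rand = b"\x11" * 32, b"\x22" * 32   # constructed Hello randoms
    master = derive_master_secret(pms, c_rand, s_rand)
    # Sizes for 3DES-CBC with SHA-1: 20-byte MAC secret, 24-byte key, 8-byte IV
    for name, value in derive_six_secrets(master, c_rand, s_rand, 20, 24, 8).items():
        print(f"{name:10s} {value.hex()}")
```

Only the PMS is secret input; the two Hello randoms travel in the clear and serve to make the master secret and the six secrets differ for every connection.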

PMS derivation methods

• [1] RSA Method:

• Client creates PMS (random)

• Send PMS to server encrypted by Server’s RSA public key

– Client needs Server’s Public Key Certificate

PMS derivation methods

• [2] Anonymous Diffie Hellman

– q, agreed by two sides

– Public keys (Y) are exchanged

– PMS (calculated by both parties) = Y^X (mod q)

– No exchange of Authenticating Certificates

• [3] Fixed Diffie Hellman

– Server is authenticated by its D.H. certificate (inc. D.H. public key). Rest is Anonymous D.H.

Disadvantage relative to RSA method?

PMS derivation methods

• [4] Authenticated Diffie Hellman:

– Most secure way - both parties are authenticated

– D.H. public keys are exchanged by messages

– signed by senders’ private RSA or DSS keys

– PMS is created by both parties

• Signing keys (RSA or DSS) are presented via Certificates, themselves signed by CAs

Handshake Protocol: full scenario

1. Hello Phase

Hello messages: Establishing Security Capabilities

• Client sends ClientHello (1)

– ProtocolVersion (3.1 for TLS 1.0)

– timestamp + random_num1

What is the purpose of these?

• Session ID

What is the purpose of this?

• Lists of Algorithms & Compression methods supported by client
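
The ClientHello fields listed above, read back out of the wire bytes, as an added example that is not part of the slides. It also decodes the 5-byte record header that carries the message; the parser names and the sample message are constructed, and the cipher-suite codes are a small subset of those in the SSL 3.0 / TLS 1.0 specifications.

```python
import struct

# Cipher-suite codes from the SSL 3.0 / TLS 1.0 specifications (subset)
SUITES = {0x0005: "RSA_WITH_RC4_128_SHA", 0x000A: "RSA_WITH_3DES_EDE_CBC_SHA",
          0x0016: "DHE_RSA_WITH_3DES_EDE_CBC_SHA", 0x001B: "DH_anon_WITH_3DES_EDE_CBC_SHA"}

class Reader:
    """Cursor over a byte string that refuses to read past the end."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated message")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

def parse_client_hello(record):
    rec = Reader(record)
    content_type = rec.uint(1)                    # record header: type,
    record_version = (rec.uint(1), rec.uint(1))   # major/minor version,
    handshake = Reader(rec.take(rec.uint(2)))     # 16-bit length
    if content_type != 22:
        raise ValueError("not a handshake record")
    if handshake.uint(1) != 1:
        raise ValueError("not a ClientHello")
    hello = Reader(handshake.take(handshake.uint(3)))
    version = (hello.uint(1), hello.uint(1))
    gmt_unix_time, nonce = hello.uint(4), hello.take(28)
    session_id = hello.take(hello.uint(1))        # empty means "new session"
    suites = Reader(hello.take(hello.uint(2)))
    codes = [suites.uint(2) for _ in range(len(suites.data) // 2)]
    compression = list(hello.take(hello.uint(1)))
    return {"record_version": record_version, "version": version,
            "gmt_unix_time": gmt_unix_time, "random": nonce, "session_id": session_id,
            "cipher_suites": [SUITES.get(c, hex(c)) for c in codes],
            "compression": compression}

def sample_client_hello():
    """Constructed ClientHello: TLS 1.0, new session, three suites, null compression."""
    body = bytes([3, 1]) + struct.pack(">I", 1228089600) + bytes(range(28))
    body += b"\x00" + struct.pack(">HHHH", 6, 0x0016, 0x000A, 0x0005) + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake
```

The suite names show where the key exchange method travels: the client offers it as part of each cipher suite, in its order of preference.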

Hello messages: Establishing Security Capabilities

• Server sends ServerHello (2)

• Protocol Version, Timestamp, random num2

– Session ID: new value (or, if updating, old)

– Selected Cipher-Suite, compression method

Is the PMS Derivation method determined at this stage?

2. Server Authentication & Key exchange

• Certificate (3): one (or more) X.509 certificate

• The certificate presents a public key that will be used for encrypting secrets and/or signing

Server client

These are optional. Who determines if these messages are sent?

Server Key_exchange_Message (4)

• Sent from the Server to provide its public key

– Not needed in RSA [1] method (public key of Server was already sent by Certificate (3))

– Not needed in fixed D.H. [3] method. Why?

• What is the content of this message?

• The Diffie Hellman public key (Y)

• Message required in the Anonymous D.H. [2]

– Message not signed. Why not?

Server Key_exchange_Message (4)

• Message required in the Ephemeral D.H [4]

– Message signed by what?

• by RSA or DSS private key

What is the signature?

• Encrypted hash of D.H. parameters and the random values in the Hello messages. Why?

• K_RSA{hash(Cl.Hello.rand || Ser.Hello.rand || D.H. parameters)}

End of Phase 2: Server

• In all methods except Anonymous D.H. [2]

– Server sends Certificate_Request (5)

• requesting Client to provide its Certificate(s)

• List of acceptable certificates & CAs

• Server sends ServerDone (6) message

What will the client do?

End of Phase 2: Client

• Client checks the acceptability of parameters in ServerHello (selected algorithms & PMS method)

• Client checks receipt of the required certificates

• Client checks the validity of received certificates

• How?

Phase 3: Client Authentication & Key Exchange

What’s in Client_key_Exchange (8)?

• CertificateVerify (9): a signed hash of previous messages. What is the purpose of this?

Client Server

ClientKeyExchange (8): Required

• Content depends on method of key generation:

• RSA [1]: Client sends a random 48-byte PMS, encrypted with the certified Server’s public key

• Authenticated or Anonymous D.H. [4], [2]:

– Client sends its public D.H. key (Y)

• Fixed D.H. [3]: null (Client’s public D.H. key was sent in a previous message, Certificate (7))

– In all D.H. methods [2], [3], [4] both Client and Server now calculate PMS

Certificate_Verify (9)

• Sent by Client – if it previously sent a Certificate with signing capabilities

– i.e. not a Certificate with D.H. parameters

• Purpose: Authenticating the client - proving that the client knows its private key

• What should be in this message?

• Specific agreed info, signed by the client

– Alternative to challenge response

Certificate_Verify (cont’d)

• Hash of collected shared knowledge

– K_Client{hash(Master_Secret || pad2 || hash(handshake_messages || Master_Secret || pad1))}

• Signed by Client Private key

• Cannot be done by one who stole the Client certificate. Why?

4. Finish phase

• ChangeCipherSpec:

– Let’s start using agreed Cipher-Suite

• Finished: hash of master secret, & other info

– Using the agreed upon Cipher Suite

In closing: What does SSL really protect?

• It protects data in transit, mitigates attacks like MIM, Replay, and in general makes other attacks difficult to perform

• It does not solve the hard problems of E-Commerce:

– DOS Attacks

– Application Layer Attacks on the client and servers. (BO)

• By which credit cards may be stolen

Appendix

Configuring SSL & Certificates in Win2K Internet Information Server (IIS)

Selecting the Web Server to be configured

Tool: mmc

Web Server Properties: Certificate (SSL)

Web Server certificate

Configuring “Secure Communication” (SSL)

Web Server: Client Authentication Methods

IIS: Client (Browser) Authentication

• Anonymous: No authentication

• Basic: domain password sent in the clear

• Digest: challenge response

– Challenge (from IIS): Workstation ID, domain/realm, time

– Response: Thumbprint (hash with password)

– Server needs to know password

• Integrated Windows Authentication

– Browser obtains and sends Kerberos ticket

• Certificate based authentication

Web Server Certificate Trust List

IIS Access Control

• Mapping Client Certificates to accounts

– Define subjects’ rights of access to www pages

Controlling Authentication for certain pages

• Selecting the page

Authentication methods for this page

Accessing the page
