Secure Socket Layer (SSL) and Transport Layer Security (TLS)

CSE598K/CSE545 - Advanced Network Security, Prof. McDaniel - Spring 2008


Post on 19-Apr-2020


Page 1: Secure Socket Layer (SSL) and Transport Layer Security (TLS) pdm12/cse545/slides/cse545-tls.pdf · 2008-05-06 · CSE598K/CSE545 - Advanced Network Security - McDaniel Page SSL/TLS



SSL/TLS

• The Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols implement security at the application layer
  ‣ Popular for securing the web, but not part of it
  ‣ Is a general purpose secure communication protocol suite
  ‣ Uses certificate authentication

(Figure: protocol stack, top to bottom: HTTP, FTP, SMTP; SSL/TLS; TCP; IP)

Note: throughout we will focus on SSLv3. Assume SSLv3 unless stated otherwise.


Model

• Often a one-way authentication mechanism, used to prove the authenticity of a web-server to a client.
  ‣ Server-side certificates
  ‣ Root CA certifications distributed with browser
  ‣ Non-certified (or expired) certificates can be accepted
• Mutual authentication performed using client-side certificates
  ‣ Less frequently used (almost never in Web applications)
  ‣ Used much more frequently for enterprise-internal deployments or as a layer for non-Web-based applications.


SSL as protocol suite

• Data Protocols
  ‣ Record Protocol
• Control Protocols
  ‣ Handshake Protocol
  ‣ Change Cipher Suite Protocol
  ‣ Alert Protocol

(Figure: Alice and Bob, joined by several Connections within one Session)


SSL Session State

• Session ID
• Peer certificate (sometimes)
• Cipher Spec
• Compression algorithm
• Master Secret


SSL Connection State

• Server and client random
• Server MAC key
• Client MAC key
• Server write key
• Client write key
• Initialization vectors


Handshake Protocol

• The purpose of the handshake protocol is to
  ‣ authenticate one or both parties
  ‣ negotiate shared master keys
• Protocol operates in 4 phases
  ‣ Phase 1: establish security context
  ‣ Phase 2: server publishes certificate and key seeds
  ‣ Phase 3: client completes key exchange
  ‣ Phase 4: complete handshake


Phase 1

• Client sends an offer (CLIENT_HELLO) including
  ‣ SSL Version (highest supported)
  ‣ Random ($R_c$) - { timestamp, plus 28 random bytes }
  ‣ Session ID - { 0 = new session, !0 = refresh }
  ‣ CipherSuite - algorithm selections for security/compression
• Server replies with (SERVER_HELLO) response
  ‣ Selection of SSL version, crypto and compression algorithms
  ‣ A new session ID (as needed) (SID)
  ‣ A server random number ($R_s$)


Phase 2

• Server sends a (CERTIFICATE)
  ‣ This contains the public key certificate for the server $K_s^+$
• Server sends a (SERVER_KEY_EXCHANGE)
  ‣ This contains the server parameters for the key exchange to be performed (there are many variants)
    • For example, the anonymous Diffie-Hellman sends the prime number and primitive root (n,r)
  ‣ The key exchange parameters are signed using the private key of the server with exchanged random numbers, e.g.,

$$\mathrm{sig}(K_s^-, [\, n \mid g \mid X = g^x \bmod n \,]) = \mathrm{Sig}(K_s^-, R_c \mid R_s \mid n \mid g \mid X)$$

• Server sends a completion (SERVER_DONE)


Phase 3

• Client sends a (CERTIFICATE) - optional
  ‣ This contains the public key certificate for the client $K_s^+$
• Client sends a response (CLIENT_KEY_EXCHANGE)
  ‣ This contains the client’s key exchange parameters
  ‣ As before, these are the public client Diffie-Hellman parameters
    • Signed if client has signing capability
  ‣ The parties generate the pre_master_secret

$$X = g^x \bmod n, \qquad Y = g^y \bmod n, \qquad pms = Y^x \bmod n = X^y \bmod n$$


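Phase 4

• Both sides complete the process by computing the 48 byte master secret:

$$M_{sk} = \mathrm{MD5}(pms \mid \mathrm{SHA}(\text{'A'} \mid pms \mid R_c \mid R_s)) \mid \mathrm{MD5}(pms \mid \mathrm{SHA}(\text{'BB'} \mid pms \mid R_c \mid R_s)) \mid \mathrm{MD5}(pms \mid \mathrm{SHA}(\text{'CCC'} \mid pms \mid R_c \mid R_s))$$

• Then generate a “key block” of secret bytes

$$\text{key block} = \mathrm{MD5}(M_{sk} \mid \mathrm{SHA}(\text{'A'} \mid M_{sk} \mid R_c \mid R_s)) \mid \mathrm{MD5}(M_{sk} \mid \mathrm{SHA}(\text{'BB'} \mid M_{sk} \mid R_c \mid R_s)) \mid \mathrm{MD5}(M_{sk} \mid \mathrm{SHA}(\text{'CCC'} \mid M_{sk} \mid R_c \mid R_s)) \mid \mathrm{MD5}(M_{sk} \mid \mathrm{SHA}(\text{'DDDD'} \mid M_{sk} \mid R_c \mid R_s)) \mid \ldots$$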


Transport Keys

• Just use the key_block as a PRF to generate enough bytes to generate the keys for clients and servers.
• Note: this PRF is practically of unlimited length and in practice (although generated differently) is used extensively in TLS.

(Figure: key_block divided into Client Write Key, Server Write Key, Server MAC Key, Client MAC Key, ...)
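An added example, not part of the original slides: the Phase 4 master-secret and key-block formulas and the key_block slicing described above, in Python. The Diffie-Hellman numbers, random values, key sizes (3DES with SHA-1) and the RFC 6101 slicing order are assumptions chosen for illustration.

```python
import hashlib

def ssl3_expand(secret: bytes, seed: bytes, length: int) -> bytes:
    """Concatenate MD5(secret | SHA1(label | secret | seed)) for labels 'A', 'BB', 'CCC', ..."""
    out, i = b"", 0
    while len(out) < length:
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:length]

def master_secret(pms: bytes, rc: bytes, rs: bytes) -> bytes:
    # Three 16-byte MD5 outputs give the 48-byte master secret.
    return ssl3_expand(pms, rc + rs, 48)

def key_block(msk: bytes, rc: bytes, rs: bytes, length: int) -> bytes:
    # Seed order Rc|Rs is taken from the slide's formula. RFC 6101 seeds this
    # step with Rs|Rc, so swap the two to interoperate with real SSLv3 peers.
    return ssl3_expand(msk, rc + rs, length)

def transport_keys(block: bytes, mac_len: int, key_len: int, iv_len: int) -> dict:
    # Assumption: slices are taken in RFC 6101 order (MAC secrets, write keys, IVs).
    names = ("client_mac", "server_mac", "client_write", "server_write",
             "client_iv", "server_iv")
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def derive_demo() -> dict:
    # Constructed inputs: toy Diffie-Hellman numbers and fixed stand-in randoms.
    n, g, x, y = 23, 5, 6, 15
    X, Y = pow(g, x, n), pow(g, y, n)
    pms_server, pms_client = pow(Y, x, n), pow(X, y, n)
    assert pms_server == pms_client          # both sides reach the same pms
    pms = pms_client.to_bytes(1, "big")
    rc, rs = b"\x01" * 32, b"\x02" * 32      # stand-ins for the 32-byte randoms
    msk = master_secret(pms, rc, rs)
    # Assumed sizes: 20-byte MAC keys, 24-byte cipher keys, 8-byte IVs (3DES/SHA-1).
    block = key_block(msk, rc, rs, 2 * (20 + 24 + 8))
    return {"pms": pms_client, "msk": msk, **transport_keys(block, 20, 24, 8)}

if __name__ == "__main__":
    for name, value in derive_demo().items():
        print(name, value if isinstance(value, int) else value.hex())
```

Each label adds 16 bytes, so the 104-byte block here takes seven MD5/SHA-1 rounds ('A' through 'GGGGGGG').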


Record Protocol

• Provides to client (initiator) and server (service)
  ‣ Confidentiality (via encryption)
  ‣ Integrity (via MAC)
• Data is fragmented, compressed, and security constructions applied.

(Figure: Original Data; Fragmented Data; Compressed Data with MAC; Encrypted Data with HDR)


RFC 2104 (MAC for TLS)

Given:

h() = hash function
B = input/out byte-length of h
K = a secret key
$pad_i$ = inner pad = 0x35 repeated B times
$pad_o$ = outer pad = 0x5C repeated B times
text = text to MAC

Compute the MAC:

$$MAC(K, text) = H((K \oplus pad_o) \mid H((K \oplus pad_i) \mid text))$$
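An added example, not from the original slides: the construction above written out in Python and checked against the standard library's hmac module. It uses the inner pad byte 0x36 that RFC 2104 specifies and takes B as the hash's block size (64 bytes for MD5 and SHA-1); the key and record bytes are constructed.

```python
import hashlib
import hmac

def hmac_rfc2104(key: bytes, text: bytes, h=hashlib.sha1) -> bytes:
    """H((K xor opad) | H((K xor ipad) | text)), written out step by step."""
    block = h().block_size                 # B: 64 bytes for MD5 and SHA-1
    if len(key) > block:                   # over-long keys are hashed first
        key = h(key).digest()
    key = key.ljust(block, b"\x00")        # then zero-padded to B bytes
    ipad = bytes(b ^ 0x36 for b in key)    # inner pad value from RFC 2104
    opad = bytes(b ^ 0x5C for b in key)    # outer pad value
    inner = h(ipad + text).digest()
    return h(opad + inner).digest()

def verify(key: bytes, text: bytes, tag: bytes, h=hashlib.sha1) -> bool:
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(hmac_rfc2104(key, text, h), tag)

def mac_demo() -> dict:
    # Constructed MAC key and record payload, for illustration only.
    key = bytes(range(20))
    record = b"GET / HTTP/1.0\r\n\r\n"
    tag = hmac_rfc2104(key, record)
    return {
        "matches_stdlib": tag == hmac.new(key, record, hashlib.sha1).digest(),
        "accepts_original": verify(key, record, tag),
        # A single changed byte must fail the check (the MAC failure alert case).
        "accepts_tampered": verify(key, b"GET /x HTTP/1.0\r\n\r\n", tag),
    }

if __name__ == "__main__":
    print(mac_demo())
```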


Alert/CCS Protocol

• Change Cipher Suite Protocol
  ‣ Triggered at end of handshake, causes security association to be enabled
• Alert Protocols - signals
  ‣ MAC failure
  ‣ No known certificate
  ‣ Handshake failure
  ‣ Bad certificate
  ‣ Close notification


Why?

• ... does SSL work?
• ... does SSL not work?
• ... is SSL so popular?