SSL/TLS Overview
SSL/TLS provides security ‘at TCP layer’.
- Uses TCP to provide reliable, end-to-end transport.
- Applications need some modification.
- In fact, usually a thin layer between TCP and HTTP.
SSL/TLS Basic Features
SSL/TLS is widely used in Web browsers and servers to secure traffic:
- Microsoft IE, Netscape, Mozilla, Apache, IIS,…
SSL architecture provides two layers:
- SSL Record Protocol
* Provides secure, reliable channel to upper layer. - Upper layer carrying:
* SSL Handshake Protocol, Change Cipher Spec. Protocol, Alert Protocol, HTTP, any other application protocols.
SSL Protocol Architecture
SSL Record Protocol
- Provides secure, reliable channel to upper layer.
- Carries application data and SSL ‘management’ data.
Session concept:
- Sessions created by handshake protocol.
- Defines set of cryptographic parameters (encryption and hash algorithm, master secret, certificates).
- Carries multiple connections to avoid repeated use of expensive handshake protocol.
SSL Record Protocol
SSL Record Protocol provides:
- Data origin authentication and integrity.
- MAC using algorithm similar to HMAC.
- Based on MD-5 or SHA-1 hash algorithms.
- MAC protects 64 bit sequence number for anti-replay.
- Confidentiality.
- Bulk encryption using symmetric algorithm.
- IDEA, RC2-40, DES-40 (exportable), DES, 3DES,…
- RC4-40 and RC4-128.
Data from application/upper layer SSL protocol partitioned into fragments (max size 214 bytes).
- Add MAC, then padding (if needed), finally encrypt.
- Prepend header (Content type, version, length of fragment).
- Submit to TCP .
SSL Records Protocol Grafik
SSL Record Format Grafik
SSL Handshake Protocol: Security Goals
Entity authentication of participating parties.
- Participants are called ‘client’ and ‘server’.
- Server nearly always authenticated, client rarely.
- Appropriate for most e-commerce applications.
Establishment of a fresh, shared secret.
- Shared secret used to derive further keys.
- For confidentiality and authentication in SSL Record Protocol.
Secure ciphersuite negotiation.
- Encryption and hash algorithms
- Authentication and key establishment methods
SSL Handshake Protocol – Key Exchange
SSL supports several key establishment mechanisms.
Most common is RSA encryption
- Client chooses pre_master_secret, encrypts using public RSA key of server, sends to server.
Can create pre_master_secret from:
- Fixed Diffie-Hellman
- D-H parameters, signed by a CA
- DSS or RSA algorithms used to sign
- Ephemeral Diffie-Hellman
1. Server and Client choose fresh Diffie-Hellman components and sign it with a certificate - Anonymous Diffie-Hellman
- Each side sends Diffie-Hellman values, but no authentication.
- Vulnerable to man-in-middle attacks.
SSL Handshake Protocol – Entity Authentication
SSL supports several different entity authentication mechanisms.
Most common based on RSA.
- Ability to decrypt pre_master_secret and generate correct MAC in finished message using keys derived frompre_master_secret authenticates server to client.
Less common: DSS or RSA signatures on nonces (and other fields, e.g. Diffie-Hellman values).
SSL Handshake Protocol
SSL uses symmetric keys:
- MAC and encryption at Record Layer.
- Different keys in each direction.
These keys are established as part of the SSL Handshake Protocol.
The SSL Handshake Protocol is a complex protocol with many options…
SSL Key Dervation
Keys used for MAC and encryption in Record Layer derived from pre_master_secret:
- Derive master_secret from pre_master_secret and client/server nonces using MD5 and SHA-1 hash functions.
- Derive key_block key material from master_secret and client/server nonces, by repeated use of hash functions.
- Split up key_block into MAC and encryption keys for Record Protocol as needed.
SSL Handshake Protocol Run
We choose the most common use of SSL.
No client authentication.
client sends pre_master_secret using Server’s RSA public encryption key from Server certificate.
Server authenticated by ability to decrypt to obtain pre_master_secret, and construct correct finished message.
SSL Encryption
Master secret
- Generated by both parties from pre master secret and random values generated by both client and server
Key material
- Generated from the mastersecret and shared random values
Encryption keys
- Extracted from the key material
SSL Handshake Protocol Run Questions
1. Is the client authenticated to the server in this protocol run?
2. Can an adversary learn the value of pre_master_secret?
3. Is the server authenticated to the client?
- No.
- No. Client has validated server’s public key; Only holder of private key can decrypt ClientKeyExchange to learnpre_master_secret.
- Yes. ServerFinished includes MAC on nonces computed using key derived from pre_master_secret.
SSL Handshake Protocol - Additional Features
SSL Handshake Protocol supports session resumption and ciphersuite re-negotiation.
- Allows authentication and shared secrets to be reused across multiple connections.
- Eg, next webpage from same website.
- Allows re-keying of current connection using fresh nonces.
- Allows change of ciphersuite during session.
- ClientHello quotes old SessionID.
- Bothsides contribute new nonces ,update master_secret and key_block.
- All protected by existing Record Protocol.
Other SSL Protocols
Alert protocol.
- Management of SSL session, error messages.
- Fatal errors and warnings.
Change cipher spec protocol.
- Not part of SSL Handshake Protocol.
- Used to indicate that entity is changing to recently agreed ciphersuite.
SSL and TLS
- TLS1.0 = SSL3.0 with minor differences.
- TLS signalled by version number 3.1.
- Use of HMAC for MAC algorithm.
- Different method for deriving keying material (master-secret and key-block).
- Pseudo-random function based on HMAC with MD5 and SHA-1.
Additional alert codes.
More client certificate types.
Variable length padding.
- Can be used to hide lengths of short messages and so frustrate traffic analysis.
SSL/TLS Applications
Secure e-commerce using SSL/TLS.
- Client authentication not needed until client decides to buy something.
- SSL provides secure channel for sending credit card information, personal details, etc.
- Client authenticated using creditcard information, merchant bears (most of) risk.
- Very successful (amazon.com,on-linesupermarkets, airlines,…)
Secure e-commerce: some issues.
- No guarantees about what happens to client data (including credit card details) after session: may be stored on insecure server.
- Does client understand meaning of certificate expiry and other security warnings?
- Does client software actually check complete certificate chain?
- Does the name in certificate match the URL of e-commerce site? Does the user check this?
- Is the site the one the client thinks it is?
- Is the client software proposing appropriate cipher suites?
Secure electronic banking
- Client authentication may be enabled using client certificates.
Issues: Registration, secure storage of private keys, revocation and re-issue.
- Otherwise, SSL provides secure channel for sending username, password, mother’s maiden name,…
What else does client use same password for?
- Does client understand meaning of certificat eexpiry andother security warnings?
- Is client software proposing appropriate ciphersuites?
Enforce from server.
SSL/TLS Security Flaws
(Historical) flaws in random number generation for SSL.
- Low quality RNG leads to predictable session keys.
Flaws in error reporting.
- (differing response times by server in event of padding failure and MAC failure) + (analysis of padding method for CBC-mode) = recovery of SSL plaintext.
Timing attacks.
- analysis of OpenSSL server response times allows attacker in same LAN segment to derive server’s private key!
Security and Network Layers 1
Security and Network Layers 2
