1 / 68

Lecture 7: Transport Level Security – SSL/TLS

Lecture 7: Transport Level Security – SSL/TLS. CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena Adopted from previous lecture by Tony Barnard. Course Admin. HW/Lab 1 Graded; scores posted; to be returned today Solution was provided (emailed) HW/Lab 2 posted

conan-dickerson
Télécharger la présentation

Lecture 7: Transport Level Security – SSL/TLS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 7: Transport Level Security – SSL/TLS CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena Adopted from previous lecture by Tony Barnard

  2. Course Admin • HW/Lab 1 • Graded; scores posted; to be returned today • Solution was provided (emailed) • HW/Lab 2 posted • Covers Lecture 5 (network mapping and attacks) • Due Oct 25 • Questions? Lecture 7 - SSL/TLS

  3. Course Admin • Mid-Term Exam • Oct 23 • In-class, class timing (2 hrs?) • Covers Lecture 1-7 • Review Oct 16 Lecture 7 - SSL/TLS

  4. Outline SSL/TLS • Protocol • Messages and Message Formats • Secure Data Exchange Exposition borrowed from Stephen Thomas (a book on SSL) Lecture 7 - SSL/TLS

  5. Widely deployed security protocol Supported by almost all browsers and web servers https Tens of billions $ spent per year over SSL Originally designed by Netscape in 1993 Number of variations: TLS: transport layer security, RFC 2246 Provides Confidentiality Integrity Authentication Original goals: Had web e-commerce transactions in mind Encryption (especially credit-card numbers) Web-server authentication Optional client authentication Minimum hassle in doing business with new merchant Available to all TCP applications Not just web e.g., email (IMAP, SMTP), FTP SSL: Secure Sockets Layer Lecture 7 - SSL/TLS

  6. SSL in Action • Let us see some examples… • Gmail (uses SSL) • Wells fargo (uses SSL) • Blazernet (uses SSL) • Uab (no SSL) • HTTPS: HTTP over SSL (or TLS) • Typically on port 443 (regular http on port 80) Lecture 7 - SSL/TLS

  7. Which Layer to Add Security to? Relative Location of Security Facilities in the TCP/IP Protocol Stack Lecture 7 - SSL/TLS 7

  8. SSL and TLS SSL 2.0 was developed and patented by Netscape in 1994. TLS is the non-proprietary Internet standard development (RFC 2246, 1999) TLS 1.0 was an upgrade of SSL 3.0, so TLS 1.0 is sometimes referred to as SSL 3.1 Latest standard is TLS 1.2, sometimes referred to as SSL 3.3 Lecture 7 - SSL/TLS 8

  9. SSL Main Components • Handshake • Negotiation of protocol algorithms, versions and parameters • Authentication of communicating parties • Agreement of session keys • Secure Session Communication Lecture 7 - SSL/TLS 9

  10. 443 1 or more SSL Record Layer units Lecture 7 - SSL/TLS 10

  11. Establishing Secure Communications First, establish TCP connection from client to port 443 on server Secure channel established – proceed to use 11

  12. Lecture 7 - SSL/TLS 12

  13. Lecture 7 - SSL/TLS 13

  14. Lecture 7 - SSL/TLS 14

  15. Lecture 7 - SSL/TLS 15

  16. Lecture 7 - SSL/TLS 16

  17. Lecture 7 - SSL/TLS 17

  18. Secure channel established 18

  19. ClientHello Current versions: SSL 3.3, TLS 1.2 Also used as a nonce to repel replay attacks Lecture 7 - SSL/TLS 19

  20. ServerHello Server decides Server selects from menu submitted by client Lecture 7 - SSL/TLS 20

  21. ServerKeyExchange Server sends its public key certificate ServerHelloDone Server has completed initial negotiation. ClientKeyExchange Client generates “premaster secret,” and sends it encrypted with the server’s public key. Server decrypts the premaster secret using the corresponding private key. Both sides can compute necessary keys. Change Cipher Spec Preliminary negotiations are complete and client tells server “I’m going to begin using the agreed cipher suite.” 21

  22. ChangeCipherSpec “Since the transition to secured communication is critical, and both sides have to get it exactly right, the SSL specification is very precise in describing the process.” “The SSL specification also recognizes that some of the information (in particular, the key material) will be different for each direction of communication. In other words, one set of keys will secure data the client sends to the server, and a different set of keys will secure data the server sends to the client.” “For a given system, whether it is a client or a server, SSL defines a write state and a read state. The write state defines the security information for data that the system sends, and the read state defines the security information for data that the system receives.” Lecture 7 - SSL/TLS 22

  23. ChangeCipherSpec 23

  24. 24

  25. Finished “Immediately after sending their ChangeCipherSpec messages, each system sends a Finished message. The Finished messages allow both systems to verify that negotiation has been successful and that security has not been compromised. Two aspects of the Finished message contribute to this security.” “First … the Finished message itself is subject to the negotiated cipher suite … If the receiving party cannot successfully decrypt and verify the message, then clearly something has gone awry with the security negotiation.” “The contents of the Finished message also serves to protect the security of the SSL negotiation. Each Finished message contains a cryptographic keyed hash (MAC) of important information about the just-finished negotiation … This protects against an attacker who manages to insert fictitious messages into, or remove legitimate messages from, the communication.” Lecture 7 - SSL/TLS 25

  26. Authenticating the Server By now in this course we’re familiar with the need to authenticate the server’s identity. In the usual situation in which SSL is deployed (ordering from Amazon.com) we do not need to authenticate the client – SSL has an option to do so, but we will skip this. No surprise: we will insist on the server sending the client an X.509 certificate – browser will automatically check validity, using its library of CA public keys. Lecture 7 - SSL/TLS 26

  27. Authenticating the Server’s Identity – continued New: replaces ServerKeyExchange Lecture 7 - SSL/TLS 27

  28. Darth Sends amazon.com certificate ClientKeyExchange Encryption of the “pre-master secret” with the public key sent in the Certificate message means that the server must actually possess the corresponding private key to decrypt the pre-master secret. Both sides can compute necessary keys. 28

  29. Message Formats Transport Requirements Record Layer ChangeCipherSpec Protocol Alert Protocol Severity Level Alert Description Handshake Protocol ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange- include RSA only Finished Securing Messages Message Authentication Code Encryption Creating Cryptographic Keys 29

  30. 443 1 or more SSL Record Layer units Lecture 7 - SSL/TLS 30

  31. Transport Requirements Lecture 7 - SSL/TLS 31

  32. Record Layer Lecture 7 - SSL/TLS 32

  33. 33

  34. Figure 5.3 SSL Record Protocol Operations Lecture 7 - SSL/TLS 34

  35. HTTP Lecture 7 - SSL/TLS 35

  36. ChangeCipherSpec Protocol Record Layer Header Lecture 7 - SSL/TLS 36

  37. Alert Protocol The Alert Protocol signals an error. Some error messages are cautionary, others fatal. TLS removes some of the error categories in SSL and adds some new ones. Lecture 7 - SSL/TLS 37

  38. Alert Protocol Description 38

  39. Handshake Protocol Purposes: 1. negotiate cipher suite to be used ClientHello message ServerHello message 2. authenticate I/D of server Certificate message ClientKeyExchange message 3. generate collection of shared secret information Premaster secret (ClientKeyExchange) Master secret Keying material MAC key Encryption key IV 39

  40. Format of Handshake message Record Layer Header protocol = 22 In practice they are not! Lecture 7 - SSL/TLS 40

  41. Lecture 7 - SSL/TLS 41

  42. Lecture 7 - SSL/TLS 42

  43. Record Layer Header protocol = 22 ClientHello 43

  44. There are more of these in SSL; TLS removes some and adds others. 44

  45. Secure Socket Layer TLSv1 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 92 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 88 Version: TLS 1.0 (0x0301) Random gmt_unix_time: Oct 10, 2008 10:54:18.000000000 random_bytes: 751AB9DCEBF3014D799038D27E24E6409C8397FE6E1A7553... Session ID Length: 0 Cipher Suites Length: 24 Cipher Suites (12 suites) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Client can handle up to TLS 1.0 (SSL 3.1) Remarkable range of capabilities in browser! 45

  46. Lecture 7 - SSL/TLS 46

  47. ServerHello Lecture 7 - SSL/TLS 47

  48. Server to client: Secure Socket Layer TLSv1 Record Layer: Handshake Protocol: Server Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 74 Handshake Protocol: Server Hello Handshake Type: Server Hello (2) Length: 70 Version: TLS 1.0 (0x0301) Random gmt_unix_time: Oct 10, 2008 11:00:13.000000000 random_bytes: C7B2A2F58454A2C2A0DE667781E2773544C86C8FF724069E... Session ID Length: 32 Session ID: 77987B601B5544C111C3FCB1DF96F7A8970D1EFD39630F3F... Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Compression Method: null (0) 48

  49. Certificate 49

  50. Server to client: Secure Socket Layer TLSv1 Record Layer: Handshake Protocol: Certificate Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 2468 Handshake Protocol: Certificate Handshake Type: Certificate (11) Length: 2464 Certificates Length: 2461 Certificates (2461 bytes) Certificate Length: 1271 Certificate (id-at-commonName=www.amazon.com, Certificate Length: 1184 Certificate (id-at-commonName=VeriSign Class 3 Secure Server CA Secure Socket Layer TLSv1 Record Layer: Handshake Protocol: Server Hello Done Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 4 Handshake Protocol: Server Hello Done Handshake Type: Server Hello Done (14) Length: 0 50

More Related