
Web Security with SSL

Web Security with SSL. Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College. Outline. Introduction - Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) SSL Architecture SSL Record Protocol Handshake Protocol


Presentation Transcript


  1. Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College Prof. Reuven Aviv, SSL

  2. Outline • Introduction - Web Security Considerations • Secure Socket Layer (SSL) and Transport Layer Security (TLS) • SSL Architecture • SSL Record Protocol • Handshake Protocol • In Closing: What does the SSL Really Protect? • Why the Web Service is special?

  3. Introduction

  4. Introduction • All businesses have Web sites • Most public organizations have Web sites • Many individuals have Web sites • Businesses are enthusiastic about setting up facilities on the Web for electronic commerce • However: • Internet and the Web Servers are vulnerable • Demand for security increases • What software options are available?

  5. Web Security Options • HTTP Client Server; Standard IPSec is applicable (later lecture) • BUT – we need a special security mechanism: • The WEB is very visible. • It is the front end of business • Breaking into it makes bad business • What risks are (not) countered by SSL?

  6. Web Security risks & counter-measures • Corrupt server or browser data • done by Trojans, ActiveX, Applets • Corrupt data in transit and session hijacking • Cryptographic checksum, Encryption • web proxy • Denial of Service: flooding server, DNS attacks • Network Mitigation procedures • Impersonation of users, and programs • signatures

  7. Approaches to network Security Advantages and Disadvantages?

  8. Approaches to network Security • IPSec – below TCP • transparent to applications (and users) • Only filtered packets incur overhead • General purpose client server security • Complex configuration (packet oriented)

  9. Approaches to network Security • SSL/TLS – above TCP • General purpose • but controllable by application • What does that mean? • At the application layer: PGP, S/MIME • Specific, tailored to the application

  10. Secure Socket Layer

  11. SSL (Secure Socket Layer) & TLS • SSL: Netscape, later Microsoft • SSL 3.0 Submitted to IETF • IETF TLS: Transport Layer Security • essentially SSLv3.1 • Free Implementations: SSLRef, OpenSSL • SSL support included in Microsoft IIS & IE • What technologies are used for Privacy, Integrity, Authentication, Non-Repudiation?

  12. SSL Services • Privacy – via user defined encryption algorithms • Integrity – user specified hash functions • Authentication – using X.509.3 public key certificates, also Passwords, or none • Non Repudiation – using signed messages

  13. SSL/TLS Features I • Separation of duties: encryption, authentication and data integrity use different keys (secrets) • What are the benefits? • decreasing risks & different key lengths • Flexibility: authenticated connections with/without encryption • Note: algorithm & keys determined by server, limited by both

  14. SSL/TLS Features II • Efficiency – use (slow) public key once to create “master secret”; “connection secrets” are derived on the fly • Mutual Certificate based authentication • Protect against MIM & Replay • how? • validating identities, sequencing messages and nonces

  15. SSL Protocol Architecture • SSL Record Protocol: transmission of blocks of data (records) between applications (e.g. HTTP) • What is the purpose of the SSL Handshake & Alert protocols?

  16. SSL Record Protocol • Provides Services -- to whom?: • Encryption/Decryption of the payloads (TCP/HTTP, …) • conventional encryption algorithms (DES, AES,…) • Message integrity • using a MAC via a hash function • secrets as agreed by a Handshake Protocol

  17. SSL Record Protocol Operation • What’s in the header?

  18. Record Construction • Compress Fragment • Add Hash (MD5/SHA-1) of Fragment + Secret, SeqNum, Compression parameters • Encrypt by (IDEA, DES, 3DES, RC4,…) • Add a record header: • Payload Type (e.g. HTTP, Handshake, …) • Major/Minor version of SSL • Compressed Length of fragment • why names of algorithms not in header?
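The record construction on slide 18, as an added example that is not part of the original slides: it uses the SSL 3.0 pad-based SHA-1 MAC and skips the compression and encryption steps. The function names and the sample data are assumptions; the header carries only type, version and length, so algorithms and secrets must come from handshake state, and the implicit sequence number inside the MAC is what makes a replayed record fail.

```python
import hashlib
import hmac
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSION = (3, 0)             # SSL 3.0 major/minor
MAC_LEN = 20                 # SHA-1 digest size
MAX_LEN = 2**14 + 2048       # largest record body the protocol allows
PAD1, PAD2 = b"\x36" * 40, b"\x5c" * 40   # SSL 3.0 pads for SHA-1


def record_mac(mac_secret, seq_num, ctype, fragment):
    """hash(secret + pad2 + hash(secret + pad1 + seq + type + length + data))."""
    meta = struct.pack("!QBH", seq_num, ctype, len(fragment))
    inner = hashlib.sha1(mac_secret + PAD1 + meta + fragment).digest()
    return hashlib.sha1(mac_secret + PAD2 + inner).digest()


def build_record(mac_secret, seq_num, ctype, fragment):
    """Fragment + MAC, then the 5-byte header (compression/encryption skipped)."""
    body = fragment + record_mac(mac_secret, seq_num, ctype, fragment)
    return struct.pack("!BBBH", ctype, *VERSION, len(body)) + body


def open_record(mac_secret, expected_seq, record):
    """Parse the header, then verify the MAC under the receiver's own counter."""
    if len(record) < 5:
        raise ValueError("truncated header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype not in CONTENT_TYPES or (major, minor) != VERSION:
        raise ValueError("unexpected type or version")
    body = record[5:]
    if length != len(body) or not MAC_LEN <= length <= MAX_LEN:
        raise ValueError("bad length")
    fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = record_mac(mac_secret, expected_seq, ctype, fragment)
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad record MAC")
    return CONTENT_TYPES[ctype], fragment


def replay_is_rejected(mac_secret):
    """Constructed sample: record 0 presented again where record 1 is due."""
    first = build_record(mac_secret, 0, 23, b"GET / HTTP/1.0\r\n\r\n")
    open_record(mac_secret, 0, first)
    try:
        open_record(mac_secret, 1, first)
    except ValueError:
        return True
    return False
```
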

  19. SSL Record Format • What is to be agreed by client/server during handshake?

  20. What is to be agreed: Cipher Suite • Key Exchange algorithm ID: Name of method to be used to create SSL Pre-Master Secret • One of four (e.g. D.H.), discussed below • Cipher-Spec: Specifications of algorithms and parameters that will be used by the SSL Record Protocol to encrypt/authenticate

  21. What’s in Cipher-Spec? • Encryption Algorithms – RC4, AES, 3DES, … • Cipher Type: Stream or Block • IV size, Hash size in Bytes: 0, 16 (MD5), 20 (SHA-1), .. • MAC Algorithm: HMAC-MD5 / HMAC-SHA-1 • Key Materials: Sequence of Bytes • data used in creating Secrets

  22. SSL: 6 Secrets • Two keys for encryption; two initial values (IVs) for encryption; two secrets for MAC • Procedure for derivation of secrets: • Pre_Master_Secret (48 Bytes PMS): one time value • Pre_Master_Secret → Master Secret → Secrets • Several methods for deriving Pre_Master_Secret (PMS) • Who calculates PMS / Master / Secrets?
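The derivation chain on slide 22 (PMS, then Master Secret, then the six secrets), as an added example that is not from the original slides; it follows the SSL 3.0 MD5/SHA-1 expansion. The function names, the constructed sample inputs and the 3DES/SHA-1 sizes (20-byte MAC secret, 24-byte key, 8-byte IV) are assumptions chosen for illustration.

```python
import hashlib

# Order in which the key block is cut up; sizes assume 3DES-CBC with SHA-1.
SIZES = [("client_mac", 20), ("server_mac", 20),
         ("client_key", 24), ("server_key", 24),
         ("client_iv", 8), ("server_iv", 8)]

# Constructed sample inputs (not real handshake values).
SAMPLE_PMS = bytes(range(48))
SAMPLE_CLIENT_RANDOM = b"\x01" * 32
SAMPLE_SERVER_RANDOM = b"\x02" * 32


def ssl3_expand(secret, seed, n_bytes):
    """MD5(secret + SHA1('A' + secret + seed)) + MD5(secret + SHA1('BB' + ...)) ..."""
    out, i = b"", 0
    while len(out) < n_bytes:
        label = bytes([ord("A") + i]) * (i + 1)      # b"A", b"BB", b"CCC", ...
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:n_bytes]


def master_secret(pms, client_random, server_random):
    """48-byte master secret; seed is client random then server random."""
    return ssl3_expand(pms, client_random + server_random, 48)


def six_secrets(master, client_random, server_random):
    """Expand the master secret into a key block and cut it into six secrets."""
    total = sum(size for _, size in SIZES)
    # The key block seed puts the server random first, the reverse of the step above.
    block = ssl3_expand(master, server_random + client_random, total)
    secrets, pos = {}, 0
    for name, size in SIZES:
        secrets[name] = block[pos:pos + size]
        pos += size
    return secrets


def derive_session(pms, client_random, server_random):
    """Client and server each run this locally on the same three inputs."""
    master = master_secret(pms, client_random, server_random)
    return six_secrets(master, client_random, server_random)
```

TLS 1.0 replaces this expansion with an HMAC-based PRF but partitions the key block into the same six values.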

  23. What is to be agreed: PMS derivation method • [1] RSA Method: • Client creates PMS (random) • Client sends PMS to server encrypted by Server’s RSA public key • Client needs Server’s Public Key Certificate

  24. PMS derivation methods • [2] Anonymous Diffie-Hellman Method • q, a agreed by two sides • Public keys (Y) are exchanged • PMS (calculated by each party) = Y^X mod q • No exchange of Certificates • [3] Fixed Diffie-Hellman Method • Server is authenticated by a D.H. certificate (with D.H. public key). Rest is Anonymous D.H. • Disadvantage relative to RSA method?

  25. PMS derivation methods • [4] Ephemeral Diffie-Hellman Method: • Most secure way - both parties are authenticated • D.H. public keys are exchanged by messages • signed by senders’ private keys (RSA) • PMS is created by both parties • Signing keys (RSA or DSS) are presented via Certificates, themselves signed by CAs

  26. Handshake Protocol: full scenario

  27. 1. Hello Phase

  28. Hello messages: Establishing Security Capabilities • Client sends ClientHello (1) • ProtocolVersion (3.1 for TLS 1.0) • timestamp + random_num1 (What is the purpose of these?) • Session ID (What is the purpose of this?) • Lists of Cipher-Suites & Compression methods supported by client

  29. Hello messages: Establishing Security Capabilities • Server sends ServerHello (2) • Protocol Version, Timestamp, random num2 • Session ID: new value (or, if updating, old) • Selected Cipher-Suite, compression method • Is the PMS Derivation method determined at this stage?

  30. 2. Server Authentication & Key exchange • Certificate (3): one (or more) X.509 certificates • The certificate presents the public key that will be used for encrypting secrets and/or signing • These are optional. Who determines if these messages are sent?

  31. Server Key_exchange_Message (4) • Sent from the Server to provide its public key • Not needed in RSA [1] or fixed D.H. [3] methods – public key of Server was sent by Certificate (3) • What is the content of this message? • The Diffie-Hellman public key (Y) • Message required in the Anonymous D.H. [2] • Message not signed. Why not?

  32. Server Key_exchange_Message (4) • Message required in the Ephemeral D.H. [4] • Message signed. By what? • by RSA or DSS private key • What is the signature? • encrypted hash of D.H. parameters and the random values in the Hello messages. Why? • K_RSA{hash(Cl.Hello.rand || Ser.Hello.rand || D.H. parameters)}

  33. End of Phase 2: Server • In all methods except Anonymous D.H. [2] Server sends Certificate_Request (5) requesting Client to authenticate itself by Certificate(s) • List of types, usages & names of acceptable certificates & CAs • Server sends ServerDone (6) message • What will the client do?

  34. End of Phase 2: Client • Client Checks the acceptability of parameters in ServerHello (selected Cipher Suite & PMS method) • Client checks receipt of the required certificates • Client checks the validity of certificates

  35. Phase 3: Client Authentication & Key Exchange • What’s in Client_key_Exchange (8)? • CertificateVerify (9): a signed hash of previous messages. What is the purpose of this?

  36. ClientKeyExchange (8) • Required. PMS calculated after this message • Content depends on method of key generation: • RSA [1]: Client generates a 48-byte PMS, encrypts with the certified Server’s public key • Ephemeral [4] or Anonymous D.H. [2]: Client sends its public D.H. key (Y) • Fixed D.H. [3]: null, because Client’s public D.H. key was sent in previous message, Certificate (7) • In all D.H. methods [2], [3], [4] both Client and Server now calculate PMS

  37. Certificate_Verify (9) • Sent by Client – if it previously sent a Certificate with signing capabilities • i.e. Not Certificates with D.H. parameters • Purpose: proving that the client in the negotiation and the owner of the certificate are the same entity • What could be in this message?

  38. Certificate_Verify (cont’d) • Hash of collected shared knowledge • K_Client{hash(Master_Secret || pad2 || hash(handshake_messages || Master_Secret || pad1))} • Signed by Client Private key • cannot be done by one who stole the Client certificate. Why?

  39. 4. Finish phase • ChangeCipherSpec: • Let’s start using agreed Cipher-Suite • Finished: hash of master secret, & other info • Using the agreed upon Cipher Suite

  40. In closing: What does SSL really protect? • It protects data in transit, mitigates attacks like MIM, Replay, and in general makes other attacks difficult to perform • It does not solve the hard problems of E-Commerce: • DOS Attacks • Application Layer Attacks on the client and servers. A notable risk of the latter is stealing credit cards

  41. In closing: What does SSL really protect? • These are “solved” by: • Multi-layer Enterprise security system (last lecture) • Policies of Credit card companies (canceling cards and returning charges)
