
Academic year: 2021


Lehrstuhl für Informatik 4

Kommunikation und verteilte Systeme

Page 1 Chapter 3.2: Transport Layer – SSL/TLS

3.2: Transport Layer: SSL/TLS

• Secure Socket Layer (SSL)

• Transport Layer Security (TLS) Protocol

Chapter 2: Security Techniques Background

Chapter 3: Security on Network and Transport Layer

• Network Layer: IPSec

• Transport Layer: SSL/TLS

Chapter 4: Security on the Application Layer

Chapter 5: Security Concepts for Networks


Secure Socket Layer (SSL)

SSL, initially developed by Netscape, provides authentication, data integrity, and privacy between two applications (not complete hosts as in IPSec)

• SSL is located on top of TCP/IP and has become a de-facto standard for security-sensitive applications over intranets or the Internet

• Most widely used as secure transport layer for HTTP traffic, e.g. e-commerce

• Version 3.1 of SSL is known as TLS

• Special port numbers are assigned to applications which use SSL, e.g. https = 443, telnets = 992

SSL comprises four mechanisms:

• SSL Handshake Protocol (authentication, negotiates an encryption algorithm and cryptographic keys)

• SSL Record Protocol (data encryption and compression)

• SSL Change Cipher Spec (signals the start of encryption)

• SSL Alert Protocol (reaction to error situations)


Handshake Protocol

Responsible for “secure session establishment” between two applications.

Session means:

• Association between a client and a server

• Can comprise several connections

• Definition of encryption and compression algorithms for these connections

• Contains a “master secret” for all connections (from which keys for the connections are generated)

The handshake protocol has the following tasks:

1.) Negotiation of an encryption algorithm

2.) Mutual authentication

3.) Key exchange


Session Establishment

Message flow between Alice (client) and Bob (server):

Alice → Bob: client_hello, cipher suites, R_A

Bob → Alice: certificate, cipher suite, R_B

Alice → Bob: {S}_B, hash of K and the handshake messages

Bob → Alice: keyed hash of the handshake messages

Hello message of Alice, including:

• A set of possible encryption and compression algorithms (start of negotiation)

• A random number R_A

Answer message of Bob, including:

• Certificate of Bob (authentication, often RSA)

• Chosen algorithms (end of negotiation, often 3DES)

• A random number R_B

Alice chooses a random number S, computes a master secret K = f(S, R_A, R_B) and sends to Bob:

• S encrypted with Bob’s public key

• A hash (MD5) of K and the preceding messages, to prove that she knows K and that K corresponds to this handshake

Bob responds with a hash of the preceding messages, encrypted with a key generated from K, R_A, and R_B


Session Keys and Change Cipher Spec

K, R_A, and R_B are used to generate 6 keys:

• Two keys for encryption

• Two keys for integrity

• Two keys as initialization vectors

Each kind of key exists twice so that the two communication directions are treated differently, e.g. for encryption:

• Alice does encryption with her so-called write key and decryption with her read key

• Bob also has a write and a read key, but his write key is Alice’s read key and vice versa

• Same for integrity
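Added example (not part of the original slides): one concrete choice for f and for the expansion into six keys, using the TLS 1.2 PRF from RFC 5246 with HMAC-SHA256; SSLv3 itself used a different MD5/SHA-1 construction. The function names, key sizes and sample values are assumptions made for this example.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, seed: bytes, n: int) -> bytes:
    """P_hash of RFC 5246 section 5: stretch secret and seed to n bytes."""
    out, a = b"", seed                                    # A(0) = seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]

def master_secret(s: bytes, r_a: bytes, r_b: bytes) -> bytes:
    """K = f(S, R_A, R_B): the 48-byte master secret shared by the session."""
    return p_sha256(s, b"master secret" + r_a + r_b, 48)

def session_keys(k: bytes, r_a: bytes, r_b: bytes,
                 mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    """Cut the key block into the six keys, in the order of RFC 5246 section 6.3."""
    layout = [("client_mac", mac_len), ("server_mac", mac_len),
              ("client_key", key_len), ("server_key", key_len),
              ("client_iv", iv_len), ("server_iv", iv_len)]
    # The key expansion seed is server random followed by client random.
    block = p_sha256(k, b"key expansion" + r_b + r_a, sum(n for _, n in layout))
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def view(keys: dict, role: str) -> dict:
    """Keys as seen by one side: role is 'client' (Alice) or 'server' (Bob)."""
    peer = "server" if role == "client" else "client"
    return {f"{direction}_{kind}": keys[f"{who}_{kind}"]
            for direction, who in (("write", role), ("read", peer))
            for kind in ("key", "mac", "iv")}

if __name__ == "__main__":
    # Constructed sample values; real ones come from a CSPRNG.
    r_a, r_b, s = bytes(range(32)), bytes(range(32, 64)), bytes(48)
    keys = session_keys(master_secret(s, r_a, r_b), r_a, r_b)
    alice, bob = view(keys, "client"), view(keys, "server")
    print(alice["write_key"] == bob["read_key"])
```

Because R_A and R_B enter both derivations, two connections that reuse the same S still end up with different keys.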

At the end of handshake:

• Together with the last message, Bob sends a change cipher spec

• Only one byte, signaling that all following messages now are encrypted with the mechanism/keys from the handshake phase


Record Protocol

Responsible for encryption and compression of all messages following the change cipher spec as follows:

1. Break down the data to be transferred into blocks of fixed length

2. Compression

3. Append a Message Authentication Code (MAC) computed with the integrity key

4. Encryption using the encryption key

5. Add SSL header which contains:

• Content Type (e.g. HTTPS)

• Protocol Version Number

• Length

• Sequence Number
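Added example (not from the original slides): steps 1, 3 and 5 of the record protocol, following the TLS 1.2 MAC construction of RFC 5246 with compression and encryption left as null transforms so that the integrity check stays visible. In this example the sequence number is a per-direction counter that enters the MAC input; the class names and the BadRecordMac exception, which models the fatal "bad record MAC" alert, are assumptions of the example.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23      # ContentType value for application data
VERSION = (3, 3)           # protocol version bytes of TLS 1.2
MAC_LEN = 32               # HMAC-SHA256 output length

class BadRecordMac(Exception):
    """Stands in for the fatal bad_record_mac alert: the connection is closed."""

def record_mac(mac_key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    # MAC input: 64-bit sequence number, then type, version, length, then the data.
    pseudo_header = struct.pack("!QBBBH", seq, ctype, *VERSION, len(fragment))
    return hmac.new(mac_key, pseudo_header + fragment, hashlib.sha256).digest()

class RecordWriter:
    def __init__(self, mac_key: bytes):
        self.mac_key, self.seq = mac_key, 0

    def protect(self, data: bytes, max_fragment: int = 2 ** 14) -> list:
        """Fragment data, append a MAC to each fragment, prepend the header."""
        records = []
        for i in range(0, len(data), max_fragment):
            frag = data[i:i + max_fragment]
            body = frag + record_mac(self.mac_key, self.seq, APPLICATION_DATA, frag)
            header = struct.pack("!BBBH", APPLICATION_DATA, *VERSION, len(body))
            records.append(header + body)
            self.seq += 1              # one counter per direction
        return records

class RecordReader:
    def __init__(self, mac_key: bytes):
        self.mac_key, self.seq = mac_key, 0

    def open(self, record: bytes) -> bytes:
        """Return the fragment, or raise BadRecordMac on any mismatch."""
        if len(record) < 5 + MAC_LEN:
            raise BadRecordMac("record too short")
        ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
        body = record[5:]
        if len(body) != length:
            raise BadRecordMac("length field does not match body")
        frag, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        expected = record_mac(self.mac_key, self.seq, ctype, frag)
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            raise BadRecordMac("MAC check failed")
        self.seq += 1
        return frag
```

A replayed, reordered or modified record fails the same check, because the receiver recomputes the MAC with its own expected sequence number.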


Alert Protocol

Only needed in case of errors – defines error messages and actions to be taken

Level 1: Warning

• No special actions defined

• May be displayed to the user

Level 2: Fatal

• Connection will be closed

• No more connections are opened within the current session

• Examples are

  - unexpected message

  - bad record MAC

  - decryption/decompression failure

  - handshake failure


Transport Layer Security (TLS)

TLS in its basic version is SSLv3.1 with some additions:

• Addition of Kerberos Cipher Suites

• Upgrading to TLS Within HTTP/1.1 to change to encryption within an existing TCP connection

• HTTP Over TLS for separating secure and unsecure traffic

• Addition of AES

• Addition of new alert messages


Comparison IPSec and SSL

SSL | IPSec

Transport Layer | Network Layer

Interaction with the user (e.g. acceptance of certificates) | Implemented transparently for the user

Management by application or user | Central management

Independent of certain mechanisms (encryption, compression, hash...)

Can be automated

Conclusion: it is impossible to state that one mechanism is better than the other – they are intended for different scenarios

Variety of security mechanisms necessary in the Internet!
