Secure Socket Layer / Transport Layer Security (SSL/TLS)

David Sánchez
Universitat Pompeu Fabra

World Wide Web (www)

• Client/server services running over the Internet or TCP/IP Intranets
• widely used by business, government, individuals
  http://news.netcraft.com/archives/2003/04/09/netcraft_ssl_survey.html
Some Web Threats

Web Security Approaches

TLS Client/Server Model

SSL Introduction

• transport layer security service
• originally developed by Netscape
• SSLv3 designed with public review and industry input
SSL Goals

• Cryptographic security
• Interoperability
• Extensibility
SSL Security Services

• Server authentication
• Client authentication or anonymous (for anonymous servers)
• Data integrity
SSL Protocol Stack

SSL Key Concepts

• SSL session
  - an association between client & server
  - created by the Handshake Protocol
  - defines a set of cryptographic parameters
  - may be shared by multiple SSL connections
• SSL connection
  - a transient, peer-to-peer communications link
Session Parameters

• Session identifier
• Peer certificate
• Compression method
• Cipher spec
Connection Parameters

• Server and client random
• Server write MAC secret
• Client write MAC secret
• Server write key
• Client write key
• Initialization vectors
Keying Material

• Client/server PU certificate, PR…
• Pre-master secret S
• Master secret K
SSL Record Protocol Services

• message integrity
  - using a MAC with shared secret key
  - similar to HMAC but with different padding
• confidentiality
  - using symmetric encryption with a shared secret key defined by Handshake Protocol
  - AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
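The following is an added example, not part of the original slides: it computes the SSLv3 record MAC (RFC 6101) and the TLS 1.0 HMAC (RFC 2246) over the same record fragment, so the "similar to HMAC but with different padding" point (and the TLS "uses HMAC for MAC" change) is visible in code. The MAC secret and fragment are constructed sample values; the content type 23 is TLS application_data.

```python
import hashlib
import hmac
import struct

# Added example (not from the slides): SSLv3 record MAC beside the TLS 1.0 HMAC.
# The secret and fragment below are constructed sample values.

# RFC 6101: pad_1/pad_2 are 48 bytes for MD5 and 40 bytes for SHA-1, so that
# secret + pad fills whole 64-byte hash blocks. HMAC instead XORs the key with
# ipad/opad (0x36/0x5c) to a full block; the padding constants are the same.
_SSL3_PAD_LEN = {"md5": 48, "sha1": 40}


def ssl3_mac(mac_secret: bytes, seq_num: int, content_type: int,
             fragment: bytes, hash_name: str = "sha1") -> bytes:
    """hash(secret + pad_2 + hash(secret + pad_1 + seq_num + type + length + fragment))."""
    h = getattr(hashlib, hash_name)
    n = _SSL3_PAD_LEN[hash_name]
    pad_1, pad_2 = b"\x36" * n, b"\x5c" * n
    header = struct.pack(">QBH", seq_num, content_type, len(fragment))  # 8 + 1 + 2 bytes
    inner = h(mac_secret + pad_1 + header + fragment).digest()
    return h(mac_secret + pad_2 + inner).digest()


def tls10_mac(mac_secret: bytes, seq_num: int, content_type: int,
              fragment: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_hash(secret, seq_num + type + version + length + fragment); TLS 1.0 is version 3.1."""
    header = struct.pack(">QBBBH", seq_num, content_type, 3, 1, len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_name).digest()


def verify_tls10_record(mac_secret: bytes, seq_num: int, content_type: int,
                        fragment_with_mac: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: split off the trailing MAC and recompute it in constant time.
    The implicit sequence number makes replayed or reordered records fail this check."""
    mac_len = hashlib.new(hash_name).digest_size
    if len(fragment_with_mac) < mac_len:
        return False
    fragment, received = fragment_with_mac[:-mac_len], fragment_with_mac[-mac_len:]
    expected = tls10_mac(mac_secret, seq_num, content_type, fragment, hash_name)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    secret = b"\x11" * 20                        # constructed 20-byte MAC_write_secret
    data = b"GET / HTTP/1.0\r\n\r\n"              # constructed application_data fragment
    print("SSLv3 MAC :", ssl3_mac(secret, 0, 23, data).hex())
    print("TLS1.0 MAC:", tls10_mac(secret, 0, 23, data).hex())
    print("verifies  :", verify_tls10_record(secret, 0, 23, data + tls10_mac(secret, 0, 23, data)))
```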
SSL Record Protocol Operation

SSL Handshake Protocol

• allows server & client to:
  - authenticate each other
  - negotiate encryption & MAC algorithms
  - negotiate cryptographic keys to be used
• comprises a series of messages in 4 phases
  1. Establish Security Capabilities
  2. Server Authentication and Key Exchange
  3. Client Authentication and Key Exchange
  4.
SSL Handshake Protocol

SSL Change Cipher Spec Protocol

• a single message
• updates the cipher suite to be used for a connection after the handshake protocol
SSL Alert Protocol

• conveys SSL-related alerts to peer entity
• Severity
  - Fatal
  - Warning
• Specific alerts
  - Fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
TLS

• TLS 1.0 IETF standard RFC 2246 similar to SSLv3
  - record format version number
  - uses HMAC for MAC
  - a pseudo-random function expands secrets
  - additional alert codes
  - some changes in supported ciphers
  - changes in certificate types & negotiations