Secure Socket Layer/ Transport Layer Security (SSL/TLS)

(1)

Secure Socket Layer/

Transport Layer Security

(SSL/TLS)

David

Sánchez

Universitat Pompeu Fabra

(2)

World Wide Web (www)

Ø

Client/server services running over the Internet or TCP/IP Intranets

Client/server services running over the Internet or TCP/IP Intra

nets

Ø

widely used by business, government, individuals

http://news.

http://news.netcraft

netcraft.com/archives/2003/04/09/

.com/archives/2003/04/09/

netcraft_

netcraft

_ssl

ssl

_survey.html

Ø

(3)

Some Web Threats

(4)

Web Security Approaches

(5)

TLS Client/Server Model

(6)

SSL Introduction

Ø

transport layer security service

_{transport layer security service}

Ø

originally developed by Netscape

_{originally developed by Netscape}

Ø

SSLvn

_SSLvn

3 designed with public review and industry input

Ø

(7)

SSL Goals

Ø

Cryptographic security

_{Cryptographic security}

Ø

Interoperability

_{Interoperability}

Ø

Extensibility

_{Extensibility}

Ø

(8)

SSL Security Services

Ø

Server authentication

_{Server authentication}

Ø

Client authentication or anonymous (for anonymous servers)

Ø

Data integrity

Ø

(9)

SSL Protocol Stack

(10)

SSL Key Concepts

Ø

SSL session

_{SSL session}

l

an association between client & server

l

created by the Handshake Protocol

l

define a set of cryptographic parameters

l

may be shared by multiple SSL connections

Ø

SSL connection

_{SSL connection}

l

a transient, peer

-

to

-

peer, communications link

l

(11)

Session Parameters

Ø

Session identifier

Ø

Peer certificate

_{Peer certificate}

Ø

Compression method

_{Compression method}

Ø

Cipher spec

_{Cipher spec}

Ø

(12)

Connection Parameters

Ø

Server and client random

Ø

Server write MAC secret

Ø

Client write MAC secret

_{Client write MAC secret}

Ø

Server write key

_{Server write key}

Ø

Client write key

_{Client write key}

Ø

Initialization vectors

Ø

(13)

Keying Material

Ø

Client/server PU certificate, PR…

_{Client/server PU certificate, PR…}

Ø

Pre-

_Pre

-master secret S

master secret S

Ø

Master secret K

_{Master secret K}

Ø

(14)

SSL Record Protocol

Services

Ø

message integrity

l

using a MAC with shared secret key

l

similar to HMAC but with different padding

Ø

confidentiality

_{confidentiality}

l

using symmetric encryption with a shared secret key defined by

Handshake Protocol

l

AES, IDEA, RC2-

AES, IDEA, RC2

-

40, DES

-40, DES, 3DES,

-

40, DES, 3DES, Fortezza

Fortezza, RC4

, RC4-

-40, RC4

40, RC4-

-

128

l

(15)

SSL Record Protocol

Operation

(16)

SSL Handshake Protocol

Ø

allows server & client to:

_{allows server & client to:}

l

authenticate each other

l

to negotiate encryption & MAC algorithms

l

to negotiate cryptographic keys to be used

Ø

comprises a series of messages in 4 phases

_{comprises a series of messages in 4 phases}

1.

Establish Security Capabilities

2.

Server Authentication and Key Exchange

3.

Client Authentication and Key Exchange

4.

(17)

SSL Handshake Protocol

(18)

SSL Change Cipher Spec

Protocol

Ø

a single message

_{a single message}

Ø

updates the cipher suite to be used for a connection after the

_{updates the cipher suite to be used for a connection after the}

handshake protocol

(19)

SSL Alert Protocol

Ø

conveys SSL-

conveys SSL

-related alerts to peer entity

related alerts to peer entity

Ø

Severity

l l

Fatal

l l

Warning

Ø

Specific alerts

•

• Fatal: unexpected message, bad record

Fatal: unexpected message, bad record

mac

, decompression failure,

handshake failure, illegal parameter

(20)

TLS

Ø

TLS 1.0 IETF standard RFC 2246 similar to SSLv3

l

record format version number

l

uses HMAC for MAC

l

a pseudo-

a pseudo

-random function expands secrets

random function expands secrets

l

additional alert codes

l

some changes in supported ciphers

l

changes in certificate types & negotiations

l

changes in crypto computations & padding

Ø