CSCD27F Computer and Network Security 1
11 SSL CSCD27 Computer and Network Security 1
HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)
CSCD27
Computer and Network Security
TLS (Transport-Layer Security)
TLS works at transport layer. Provides security to any TCP-based application using TLS services
transparent (mostly) to application developers (e.g. a Java http-server can be upgraded to https just by using a different class-constructor to get a secure socket)
does not rely on underlying network (IP) being secure
other network security-services are implemented at lower (e.g. IPSec) or higher (e.g. S/MIME, GPG) layers
TLS security services: (CIA)
data encryption (Confidentiality)
data integrity (Integrity)
server, optional client authentication (Authentication)
SSL (Secure Socket Layer)
The most widely used Web security protocol.
SSL implements confidential communication between Web browsers and servers (only those endpoints can read the encrypted traffic)
HTTPS protocol headers and data are encrypted, but not encapsulating packets and headers, e.g. TCP, IP
originally developed by Netscape Communications
version 3 designed with public input
subsequently became Internet IETF standard known as TLS (Transport Layer Security)
uses TCP to provide reliable end-to-end connections
Kipp Hickman
Taher Elgamal
TLS Security Issues
Essential that the identity of the server be verified, why?
How does the server prove its identity?
What does this proof rely on?
Does this prevent MITM attacks? What about Superfish?
Implications of long-lived keys, esp. RSA public-private keypairs
Why does NSA prefer you use RSA for TLS key-exchange?
How can an ISP mount a denial-of-service (DoS) attack on HTTPS connections?
Why doesn’t SSLStrip work with HTTPS/TLS connections?
What risk arises when HTTPS content loads HTTP content?
Architecture Detail
(figure: TLS architecture, showing the protocols stacked on the record layer; the labels read: handles communication with the application; protocols; initializes communication between client & server; initializes secure communication; handles data compression; error handling)
TLS Record-Layer Services
fragment input stream and append protocol header to each fragment
message integrity
using a MAC with shared secret key
similar to HMAC but with different padding
confidentiality
using symmetric encryption with a symmetric key defined by Handshake Protocol
AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
message is compressed before encryption
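The record-layer steps listed above (fragment, MAC with a shared key, encrypt), written out as an added example for one direction of a TLS 1.0 connection. This is not code from the slides or from any TLS library: compression is the null method, and the final symmetric-encryption step is left out because the Python standard library has no block cipher, so what comes out is MAC-protected plaintext framed as records. The point it adds to the slide is the MAC input: the 64-bit sequence number is never transmitted, both ends count records, so a replayed or reordered record fails verification at the receiver.

```python
import hmac
import struct

# Added example (not from the slides): TLS 1.0 record-layer framing and MAC,
# sender and receiver side. Null compression; encryption step omitted.

MAX_FRAGMENT = 2 ** 14           # a record carries at most 16 KiB of plaintext
APPLICATION_DATA = 23            # ContentType value for application data
VERSION = (3, 1)                 # TLS 1.0 as written on the wire
MAC_LEN = 20                     # HMAC-SHA1 output size


def fragment(data: bytes, limit: int = MAX_FRAGMENT) -> list:
    """Step 1: cut the application stream into record-sized fragments."""
    return [data[i:i + limit] for i in range(0, len(data), limit)] or [b""]


def record_mac(mac_key: bytes, seq_num: int, content_type: int, version: tuple, frag: bytes) -> bytes:
    """Step 2: HMAC over the implicit 64-bit sequence number, the record header
    fields (type, version, length) and then the fragment itself."""
    pseudo_header = struct.pack("!QBBBH", seq_num, content_type, version[0], version[1], len(frag))
    return hmac.new(mac_key, pseudo_header + frag, "sha1").digest()


def protect(mac_key: bytes, data: bytes, first_seq: int = 0) -> list:
    """Fragment, MAC and frame: each record = 5-byte header || fragment || MAC."""
    records = []
    for offset, frag in enumerate(fragment(data)):
        seq = first_seq + offset
        body = frag + record_mac(mac_key, seq, APPLICATION_DATA, VERSION, frag)
        header = struct.pack("!BBBH", APPLICATION_DATA, VERSION[0], VERSION[1], len(body))
        records.append(header + body)
    return records


def unprotect(mac_key: bytes, record: bytes, expected_seq: int):
    """Receiver side: parse the header, recompute the MAC with the receiver's
    own record counter and compare in constant time. Returns (ok, fragment)."""
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if len(body) != length or len(body) < MAC_LEN:
        return False, b""
    frag, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = record_mac(mac_key, expected_seq, content_type, (major, minor), frag)
    return hmac.compare_digest(mac, expected), frag


# Constructed demo values (not real traffic): a fixed MAC key and a message
# long enough to need three records.
DEMO_KEY = bytes(range(20))
DEMO_MESSAGE = b"GET / HTTP/1.1\r\n" + b"x" * 40000


def demo():
    """Protect the demo message, then show accept / replay / tamper outcomes."""
    records = protect(DEMO_KEY, DEMO_MESSAGE)
    ok_first, _ = unprotect(DEMO_KEY, records[0], 0)
    replayed, _ = unprotect(DEMO_KEY, records[0], 1)   # same record, receiver counter moved on
    tampered = bytearray(records[1])
    tampered[10] ^= 0x01                                 # flip one bit inside the fragment
    bad, _ = unprotect(DEMO_KEY, bytes(tampered), 1)
    return len(records), ok_first, replayed, bad


if __name__ == "__main__":
    count, accepted, replayed, tampered = demo()
    print(f"{count} records; first accepted={accepted}, replay accepted={replayed}, tamper accepted={tampered}")
```

In the real protocol the `fragment || MAC` body (plus CBC padding) is what gets encrypted, which is the MAC-then-encrypt order the slide's list implies; the 5-byte header stays in the clear, matching the earlier point that the encapsulating TCP/IP headers and the record header are not encrypted.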
TLS Record-Layer Operation
TLS Handshake Protocol
allows server & client to:
authenticate each other
negotiate encryption & MAC algorithms
negotiate cryptographic keys to be used
comprises a series of messages in phases
1. Establish Security Capabilities
2. Server Authentication and Key Exchange
3. Client Authentication and Key Exchange
4. Finish
SSL/TLS Messages
(figure, based on: Thomas, SSL and TLS Essentials; client side on the left, server side on the right)
1. Client: offer cipher suite menu to server
2. Server: select a cipher suite
3. Server: send certificate and chain to CA root
4. Server: send public key to encrypt symmetric key
5. Server: server negotiation finished
6. Client: send encrypted symmetric key
7. Client: activate encryption
8. Client: client portion done (server checks options)
9. Server: activate server encryption
10. Server: server portion done (client checks options)
Now the parties can use symmetric encryption
Handshake Protocol: ClientHello, ServerHello
ClientHello message initiates session:
client lists encryption and MAC ciphers, compression algorithms, and protocol-versions it supports
also sends some random bytes (a “nonce”)
The server responds with a ServerHello message:
chooses from the client options settings that are acceptable to both parties
also sends a session identifier and some random bytes
What are the client and server random bytes for?
used later in computing the “master secret” shared between client and server, which in turn is used as session-key material
ClientHello - Cipher Suites
(figure: the parts of a cipher-suite name are labelled public-key algorithm, symmetric algorithm, hash algorithm; SSL_NULL_WITH_NULL_NULL is the initial (null) cipher suite)
Cipher suite codes used in SSL messages:
SSL_NULL_WITH_NULL_NULL = { 0, 0 }
SSL_RSA_WITH_NULL_MD5 = { 0, 1 }
SSL_RSA_WITH_NULL_SHA = { 0, 2 }
SSL_RSA_EXPORT_WITH_RC4_40_MD5 = { 0, 3 }
SSL_RSA_WITH_RC4_128_MD5 = { 0, 4 }
SSL_RSA_WITH_RC4_128_SHA = { 0, 5 }
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0, 6 }
SSL_RSA_WITH_IDEA_CBC_SHA = { 0, 7 }
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0, 8 }
SSL_RSA_WITH_DES_CBC_SHA = { 0, 9 }
SSL_RSA_WITH_3DES_EDE_CBC_SHA = { 0, 10 }
Handshake Protocol: Server Certificate, Client Certificate
the server usually authenticates itself to the client by providing its public-key certificate to the client
how does client verify this certificate?
certificate created by hashing information including server public-key, user/organization identification, etc
encrypted with CA’s private key
so, client decrypts with CA’s known … and verifies the hash
Server then optionally requests a client-certificate to authenticate the client
rare in practice, since clients usually don't have a certificate
Public-Key Certificates
Trust in each certificate is backed by a hierarchy of certificates each of which signs lower-level certificates
Root certificate in the hierarchy is trusted by the client (e.g. hard-coded into an application such as a browser)
Revocation list checked to be sure certificate remains valid
X.509: standard format for public-key certificates
Client Key Exchange
Premaster-secret
created by client; used to “seed” calculation of encryption parameters
2 bytes of SSL version + 46 random bytes
Sent encrypted to server using server’s public key
This is where the attack happened in SSLv2
Netscape SSL Implementation
global variable seed;
RNG_CreateContext() {
    (seconds, microseconds) = time-of-day;      // wall-clock time at start-up
    pid = process ID;
    ppid = parent process ID;
    a = mklcpr(microseconds);
    b = mklcpr(pid + seconds + (ppid << 12));
    seed = MD5(a, b);                            // the only entropy sources are the three values above
}
The mklcpr() function just scrambles the input a bit, and MD5 is a well-known hashing function
What does the crucial seed depend on here?
Protocol Handshake: master-secret generation
server and client both compute a “master secret”
according to a specific pseudo-random function (PRF)
inputs are the premaster secret, a set of literal string values, and a seed consisting of the client's and the server's earlier random-bytes concatenated together
This iteratively calculates two keyed-hash message authentication codes (HMACs)
Uses MD5 as the hash function for half of the input secret and SHA-1 for the rest
Then XORs together the results of those two separate HMAC calculations to get the final value
Generating the Master Secret
(figure, based on: Thomas, SSL and TLS Essentials)
server’s public key is sent by server in ServerKeyExchange
client generates the premaster secret and encrypts it with the public key of the server
client sends premaster secret in ClientKeyExchange
client random bytes: sent by client in ClientHello
server random bytes: sent by server in ServerHello
master secret is 3 MD5 hashes concatenated together = 384 bits
Generation of Key Material
(figure, based on: Thomas, SSL and TLS Essentials)
just like forming the master secret, except the master secret is used here instead of the premaster secret
. . .