• No results found

TLS-RSA-PSK. Channel Binding using Transport Layer Security with Pre Shared Keys

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "TLS-RSA-PSK. Channel Binding using Transport Layer Security with Pre Shared Keys"

Copied!
14
0
0

Loading.... (view fulltext now)

Download now ( 14 Page )

Full text

(1)

Institut für Internet-Sicherheit

https://www.internet-sicherheit.de FH Gelsenkirchen

Christian J. Dietrich

dietrich [at] internet-sicherheit . de

TLS-RSA-PSK

Channel Binding using Transport Layer Security with Pre Shared Keys

(2)

tia n J. Die trich , Ins tit ut fü r Inte rne t-Sic he rhe it, if( is )

Introduction

Nov. 2010: New German ID card

eID functionality

authenticate mutually between eID card and eID server

transmit personal data from eID card to eID server (securely)

Extended Access Control (by BSI)

3 kinds of card readers

Basic (no pinpad) Standard

(3)

Chris tia n J. Die trich , Ins tit ut fü r Inte rne t-Sic he rhe it, if( is )

Terminal and Chip Authentication

1. PACE Terminal

2. Terminal Authentication

3. Chip Authentication

1. PACE

Bind eID to card reader (Diffie-Hellman)

2. Term. Authentication

eID card authenticates the

Terminal (Terminal Certificate)

3. Chip Authentication

Terminal authenticates the eID card

(4)

tia n J. Die trich , Ins tit ut fü r Inte rne t-Sic he rhe it, if( is )

eID authentication in practice

Lots of components

involved

Browser, Browser plugin 2 Servers

eID reader & card

Several TLS connections

However:

Connection management is browser‘s concern!

(5)

Chris tia n J. Die trich , Ins tit ut fü r Inte rne t-Sic he rhe it, if( is )

Channel Binding

Bind channel BS to CS

eID Server generates a Pre Shared Key and sends it via

BS to the Web Browser

Browser plugin is triggered and provides the PSK to eID

API client

(6)

tia n J. Die trich , Ins tit ut fü r Inte rne t-Sic he rhe it, if( is )

Transport Layer Security (TLS/SSL)

Negotiate Cipher Suite Session Key agreement

Optional server authentication

Pre Master Secret (PMS)

Input to the key derivation function (PRF) in order to get the Master Secret

Master Secret (MS)

48 byte fixed length output from PRF

Derive session keys for encryption and hashing (HMAC)

Client PMS | [PRF] | V

MS

Server PMS | [PRF] | V

MS

Cipher Suites negiotiation Session Key agreement

(7)

Chris tia n J. Die trich , Ins tit ut fü r Inte rne t-Sic he rhe it, if( is )

TLS with Pre Shared Keys

Defined in RFC 4279 (Dec 2005)

3 variants of TLS with PSK

Plain PSK

No server authentication

No Perfect Forward Secrecy

RSA-PSK

Server authentication (certificate) No Perfect Forward Secrecy

DHE-PSK

No server authentication Perfect Forward Secrecy

(8)

tia n J. Die trich , Ins tit ut fü r Inte rne t-Sic he rhe it, if( is )

„usual“ TLS with plain RSA

Certificate message required

ServerKeyExchange is optional

(not needed for plain RSA)

ClientKeyExchange

Client builds premaster secret pms = (client_version,

46 random bytes) Transmit encrypted premaster secret to the server

RSAEncrypt(pubkeyServer, pms) Client Server ClientHello ServerHello Certificate (ServerKeyExchange) ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data

(9)

Chris tia n J. Die trich , Ins tit ut fü r Inte rne t-Sic he rhe it, if( is )

TLS with plain PSK

ServerKeyExchange

Provide a hint for the client identity (username)

ClientKeyExchange

Transmit client_identity to the server

Both parties build the premaster

secret as follows

pms = (len(PSK), 0x00 * len(PSK), len(PSK), PSK) Client Server ClientHello ServerHello (Certificate) ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data

(10)

tia n J. Die trich , Ins tit ut fü r Inte rne t-Sic he rhe it, if( is )

TLS with RSA-PSK

ServerKeyExchange

Provide a hint for the client identity (username)

ClientKeyExchange

Client builds premaster secret

pms = (0x30,

client_version, 46 random bytes, len(PSK), PSK)

Transmit client_identity and

encrypted premaster secret to the server RSAEncrypt(pubkeyServer, pms) Client Server ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data

(11)

Chris tia n J. Die trich , Ins tit ut fü r Inte rne t-Sic he rhe it, if( is )

eID authentication: why RSA-PSK?

PSK is required in order to bind channel BS to channel CS

Why is RSA Server Authentication required?

The Terminal Authentication is bound to a certain eID Server! The Hash of the eID Server Certificate is stored in the Terminal Certificate

The Hash of the Web Application Server is stored in the Terminal Certificate, too!

(12)

tia n J. Die trich , Ins tit ut fü r Inte rne t-Sic he rhe it, if( is )

Binding eID to certain Servers

RSA Server Authentication

Terminal Authentication is restricted to certain Servers

eID Server

(13)

Chris tia n J. Die trich , Ins tit ut fü r Inte rne t-Sic he rhe it, if( is )

Extending eID trust to BS and BW

Sequence of trusted channels is extended to cover the channels

CS, BS and BW (in theory)

(14)

Institut für Internet-Sicherheit

https://www.internet-sicherheit.de FH Gelsenkirchen

Christian J. Dietrich

dietrich [at] internet-sicherheit . de

Thank you.

Questions?

Transport Layer Security with Pre Shared Keys

References

Download now ( PDF - 14 Page - 1.64 MB )

Related documents

The Management of Tax Debt Collection

The analysis does not lead to clear-cut conclusions, but indicates that the research of particular cases is warranted. The analysis thus far might suggest that two types of

Designing your customer experience

Brands that deliver great experiences usually reverse these two, being very ‘tight’ about what the brands stands for and the experience they wish to create but quite ‘loose’

SSL DOES NOT MEAN SOL What if you don t have the server keys?

Server decrypts secret with private key Client sends secret to server Client encrypts using public key Client generates pre-master secret!. What’s so Special About the

Reflection Desktop Deployment Guide. Version 16.0

In a standard Administrative WebStation configuration for a secure Reflection session, the connection between the client and security proxy server is encrypted using SSL/TLS, but

Perspective on 3D printing of separation membranes and comparison to related unconventional fabrication techniques

The use of additive manufacturing techniques could provide more control towards the design of separation membrane systems and o ffers novel membrane preparation techniques that are

Gas Absorption

These occur due to the air flow rate increased results of increasing in resistance for the water to flows down the column and give high pressure drop across the packing.. In the

Nocioni i së drejtës penale

shtrohet pyetja si mund te ekzistojnë dy elemente krahas dhe çfarë është raporti mes tyre. V BAZAT TE CILAT E PËRJASHTOJNË VEPRËN PENALE Nëse kundërligjshmëria

Bao cao tot nghiep monitoring

Giám sát có thể được định nghĩa như là việc theo dõi tài nguyên và thiết bị trong hệ thống máy tính, cũng như hệ thống mạng để thu thập được các