Systems Infrastructure, Network, Department, Pennsylvania
Secure Socket Layer (SSL) and Transport Layer Security (TLS)
CSE598K/CSE545 - Advanced Network Security
Prof. McDaniel - Spring 2008
SSL/TLS
• The Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols implement security at the application layer
‣ Popular for securing the web, but not part of it
‣ Is a general purpose secure communication protocol suite
‣ Uses certificate authentication
HTTP FTP SMTP
SSL/TLS
TCP
IP
Note: throughout we will focus on SSLv3. Assume SSLv3 unless stated otherwise.
Model
• Often a one-way authentication mechanism, used to prove the authenticity of a web-server to a client.
‣ Server-side certificates
‣ Root CA certifications distributed with browser
‣ Non-certified (or expired) certificates can be accepted
• Mutual authentication performed using client-side certificates
‣ Less frequently used (almost never in Web applications)
‣ Used much more frequently for enterprise-internal systems or as a security layer for non-Web-based applications
SSL as protocol suite
• Data Protocols
‣ Record Protocol
• Control Protocols
‣ Handshake Protocol
‣ Change Cipher Suite Protocol
‣ Alert Protocol
Figure: one SSL Session between Alice and Bob carrying several Connections
SSL Session State
• Session ID
• Peer certificate (sometimes)
• Cipher Spec
• Compression algorithm
• Master Secret
SSL Connection State
• Server and client random
• Server MAC key
• Client MAC key
• Server write key
• Client write key
• Initialization vectors
Handshake Protocol
• The purpose of the handshake protocol is to
‣ authenticate one or both parties
‣ negotiate shared master keys
• Protocol operates in 4 phases
‣ Phase 1: establish security context
‣ Phase 2: server publishes certificate and key seeds
‣ Phase 3: client completes key exchange
‣ Phase 4: complete handshake
Phase 1
• Client sends an offer (CLIENT_HELLO) including
‣ SSL Version (highest supported)
‣ Random (R_C) - { timestamp, plus 28 random bytes }
‣ Session ID - { 0 = new session, !0 = refresh }
‣ CipherSuite - algorithm selections for security/compression
• Server replies with a (SERVER_HELLO) response
‣ Selection of SSL version, crypto and compression algorithms
‣ A new session ID (as needed) (S_ID)
‣ A server random number (R_S)
Phase 2
• Server sends a (CERTIFICATE)
‣ This contains the public key certificate for the server Ks+
• Server sends a (SERVER_KEY_EXCHANGE)
‣ This contains the server parameters for the key exchange to be performed (there are many variants)
• For example, the anonymous Diffie-Hellman sends the prime number and primitive root (n,r)
‣ The key exchange parameters are signed using the private key of the server together with the exchanged random numbers, e.g.,
sig(K_s^-, [n | g | X = g^x mod n]) = Sig(K_s^-, R_c | R_s | n | g | X)
• Server sends a completion (SERVER_DONE)
Phase 3
• Client sends a (CERTIFICATE) - optional
‣ This contains the public key certificate for the client, Ks+
• Client sends a response (CLIENT_KEY_EXCHANGE)
‣ This contains the client’s key exchange parameters
‣ As before this is the public client Diffie-Hellman parameters
• Signed if client has signing capability
‣ The parties generate the pre_master_secret
X = g^x mod n, Y = g^y mod n
p_ms = Y^x mod n = X^y mod n
Phase 4
• Both sides complete the process by computing the 48 byte master secret:
M_sk = MD5(p_ms | SHA('A' | p_ms | R_c | R_s)) |
       MD5(p_ms | SHA('BB' | p_ms | R_c | R_s)) |
       MD5(p_ms | SHA('CCC' | p_ms | R_c | R_s))
• Then generate a “key block” of secret bytes:
key_block = MD5(M_sk | SHA('A' | M_sk | R_c | R_s)) |
            MD5(M_sk | SHA('BB' | M_sk | R_c | R_s)) |
            MD5(M_sk | SHA('CCC' | M_sk | R_c | R_s)) |
            MD5(M_sk | SHA('DDDD' | M_sk | R_c | R_s)) |
            ...
Transport Keys
• Just use the key_block as a PRF to generate enough bytes to generate the keys for clients and servers.
• Note: this PRF is practically of unlimited length and in practice (although generated differently) is used extensively in TLS.
Figure: key_block partitioned into Client Write Key, Server Write Key, Server MAC Key, Client MAC Key, ...
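The Phase 4 derivation and the key_block partitioning described above, worked through in Python as an added example (not code from the slides). The inputs are constructed sample values; the key sizes assume a SHA-1 MAC, a 3DES write key and an 8-byte IV, and the key_block step follows RFC 6101, which feeds the randoms in as R_s | R_c (the slides write R_c | R_s for both steps) and partitions the output in the fixed order shown in the code.

```python
import hashlib

# Constructed sample inputs (not from a real handshake): a 48-byte
# pre_master_secret and the two 32-byte hello randoms (timestamp + 28 bytes).
PMS = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32   # R_c
SERVER_RANDOM = b"\x22" * 32   # R_s

def sslv3_block(secret: bytes, label: bytes, rand1: bytes, rand2: bytes) -> bytes:
    """One 16-byte output block: MD5(secret | SHA1(label | secret | rand1 | rand2))."""
    inner = hashlib.sha1(label + secret + rand1 + rand2).digest()
    return hashlib.md5(secret + inner).digest()

def sslv3_prf(secret: bytes, rand1: bytes, rand2: bytes, out_len: int) -> bytes:
    """Expand `secret` to out_len bytes using the labels 'A', 'BB', 'CCC', 'DDDD', ..."""
    out, i = b"", 0
    while len(out) < out_len:
        label = bytes([ord("A") + i]) * (i + 1)
        out += sslv3_block(secret, label, rand1, rand2)
        i += 1
    return out[:out_len]

def master_secret(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret: three blocks over p_ms with R_c | R_s (Phase 4)."""
    return sslv3_prf(pms, client_random, server_random, 48)

def key_block(ms: bytes, client_random: bytes, server_random: bytes,
              mac_size: int, key_size: int, iv_size: int) -> dict:
    """Connection-state keys. RFC 6101 feeds the key_block PRF with
    server_random | client_random and slices the output in this order."""
    total = 2 * (mac_size + key_size + iv_size)
    kb = sslv3_prf(ms, server_random, client_random, total)
    layout = [("client_write_MAC_secret", mac_size), ("server_write_MAC_secret", mac_size),
              ("client_write_key", key_size), ("server_write_key", key_size),
              ("client_write_IV", iv_size), ("server_write_IV", iv_size)]
    keys, off = {}, 0
    for name, n in layout:
        keys[name] = kb[off:off + n]
        off += n
    return keys

def derive_keys() -> dict:
    """Full Phase-4 derivation sized for SHA-1 MAC (20), 3DES key (24), 8-byte IV."""
    ms = master_secret(PMS, CLIENT_RANDOM, SERVER_RANDOM)
    return key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, mac_size=20, key_size=24, iv_size=8)

if __name__ == "__main__":
    for name, k in derive_keys().items():
        print(f"{name:24s} {k.hex()}")
```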
Record Protocol
• Provides to client (initiator) and server (service)
‣ Confidentiality (via encryption)
‣ Integrity (via MAC)
• Data is fragmented, compressed, and security constructions applied.
Figure: Original Data -> Fragmented Data -> Compressed Data -> MAC appended -> Encrypted Data, with a record header (HDR) prepended