se3316a_2013_08b_ssl

1SE 3316 Jagath Samarabandu22-Oct-13

[email protected] 351519-661-2111 x80058

Dr. Jagath Samarabandu

SE 3316a - WEB TECHNOLOGIES

SSL Protocol


Web Security

Web now widely used by business, government, individuals

But internet & web are vulnerable Have a variety of threats

Integrity Confidentiality Denial of service Authentication

Need added security mechanisms


Security Facilities

HTTP FTP SMTPTCP

IP/IPSec

Network Level

HTTP FTP SMTP

TCPIP

TLS or SSL

Transport Level

Kerberos HTTP SMTPTCP

IP

S/MIME PGP SET

UDP

Application Level


SSL (Secure Socket Layer)

Transport layer security service Originally developed by Netscape Version 3 designed with public input Subsequently became internet standard known

as TLS (transport layer security) Uses TCP to provide a reliable end-to-end

service SSL has two layers of protocols


SSL Architecture

SSL Handshake Protocol

SSL Change Cipher Spec

ProtocolSSL Alert Protocol HTTP

SSL Record Protocol

TCP

IP


SSL Architecture

SSL session An association between client & server Created by the handshake protocol Define a set of cryptographic parameters May be shared by multiple SSL connections

SSL connection A transient, peer-to-peer, communications link Associated with 1 SSL session


SSL States

Session State Session ID Peer certificate Compression method Cipher spec Master secret Is resumable

Connection State Server and client random Server write MAC secret Client write MAC secret Server write key Client write key Initialization vectors Sequence numbers


SSL Record Protocol

Confidentiality Using symmetric encryption with a shared secret

key defined by handshake protocol IDEA(128), RC2-40, DES-40, DES, 3DES,

Fortezza(80), RC4-40, RC4-128 Message is compressed before encryption

Message integrity Using a MAC with shared secret key Similar to HMAC but with different padding


SSL Record Protocol Operation

SSL record format

Content type (8)

Major version

Compressed length (16)

Plaintext(Optionally compressed)

MAC (0, 16 0r 20 bytes)

Minor version

En

crypted

Application Data

Fragment

Compress

Add MAC

Encrypt

Append SSLrecord header


Computing MAC For SSL

Message Authentication Code (MAC) is calculated over the compressed data

Based on HMAC algorithm (concat instead of XOR) MAC = H(kMAC|| P2 ||

H(kMAC || P1 || Nseq || Ztype || Zlength || Zfrag) ) kMAC is the shared key MAC write secret P1 and P2 are padding constants. Nseq is sequence number. Ztype is type of compression, Zlength is length of compressed data, Zfrag is compressed fragment number


SSL Payloads

1 Type Length Content

Level Alert Opaque content

1 byte 1 byte 3 bytes 0 bytes

1 bytes1 byte 1 byte

(a) Change cipher specProtocol

(c) Handshake Protocol

(b) Alert Protocol (d) Application Data Protocol


SSL Change Cipher Spec Protocol

One of 3 SSL specific protocols which use the SSL record protocol (simplest)

A single message (single byte with value 1) Causes pending state to become current Hence updating the cipher suite in use


SSL Alert Protocol

Consists of severity level (1 byte) and alert (1 byte) Conveys SSL-related alerts to peer entity Severity : Warning or fatal Specific alert

Fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter

Warning: Close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown

Compressed & encrypted like all SSL data


SSL Handshake Protocol

Consists of type (1 byte), length (3 bytes) and content Allows server & client to:

Authenticate each other To negotiate encryption & MAC algorithms To negotiate cryptographic keys to be used

Comprises a series of messages in phases Establish security capabilities Server authentication and key exchange Client authentication and key exchange Finish


SSL Handshake Protocol Message Types

hello_request : null client_hello : version, random, session id, cipher

suite, compression method server_hello : same as above certificate : chain of x.509v3 certificates server_key_exchange : parameters, signature certificate_request : type, authorities server_done : null certificate_verify : signature client_key_exchange : parameters, signature finished : hash value

SSL Handshake ProtocolClient Server

Phase 1Establish security capabilities, including protocol version, session ID, cipher suite, compression method and initial random numbers

Phase 2Server may send certificate, key exchange and request certificate. Server signals end of hello message phase

Phase 3Client sends certificate if requested. Client sends key exchange. Client may send certificate verification

Phase 4Change cipher suite and finish handshake protocol

client_hello

server_hello

certificate

server_key_exchange

certificate_request

server_hello_done

certificate

client_key_exchange

certificate_verify

change_cipher_spec

finished

change_cipher_spec

finishedShaded transfers are optional or situation dependant messages that are not always sent.


SSL Key Exchange Methods

RSA: Secret key encrypted with receivers RSA public key

Fixed Diffie-Hellman: Servers certificate contains DH public parameters signed by the CA

Ephemeral Diffie-Hellman: DH public keys are generated and exchanged, signed using senders private RSA or DSS key

Anonymous Diffie-Hellman: DH public keys are exchanged without any authentication

Fortezza: Using Fortezza scheme


CipherSpec in SSL

Cipher Algorithm: RC4, RC2, DES, 3DES MAC Algorithm: MD5 or SHA-1 Is Exportable: True or False Hash Size: 0, 16 (MD5) or 20 (SHA-1) bytes Key Material: IV Size: for CBC mode


Signatures in SSL Protocol

Hash used in signature is Hash(client_random || server_random || server_parameters)

Hash covers RSA or DH parameters as well as nonces

For DSS, SHA-1 is used For RSA, both MD5 and SHA-1 is used


Master Secret Creation

First, a 48 byte pre-master secret (SpM) is exchanged with either RSA or DH key exchange protocols

Master secret (SM) is generated from the pre-master key, server random (Rs) and client random (Rc) SM = MD5(S

pM || SHA(A || SpM || Rc || Rs)) ||

MD5(SpM || SHA(BB || SpM || Rc || Rs)) || MD5(SpM || SHA(CCC || SpM || Rc || Rs))

All required key material is generated from master secret using a similar mechanism


TLS (Transport Layer Security)

IETF standard RFC 2246 similar to SSLv3 With minor differences

In record format version number (3.1) Uses HMAC for MAC A pseudo-random function expands secrets Has additional alert codes Some changes in supported ciphers Changes in certificate negotiations Changes in use of padding


TLS Pseudorandom Function

HMAC

||HMAC HMAC

||HMAC HMAC

||HMAC

secret

seed

seed

seed

seed

secret secret

secret

secret

A(1)

A(2)

A(3)

Length = hash size


TLS Alert Codes

Supports all SSLv3 codes except no-certificate Supports additional alert codes Fatal alert codes include

Decryption failed, record overflow, unknown CA, access denied, decode error, export restriction, protocol version, insufficient security, internal error

Warning alert codes include Decrypt error, user cancelled, no renegotiation

se3316a_2013_08b_ssl

Documents

Transcript of se3316a_2013_08b_ssl