SE 3316 Jagath Samarabandu 22-Oct-13
[email protected] 351519-661-2111 x80058
Dr. Jagath Samarabandu
SE 3316a - WEB TECHNOLOGIES
SSL Protocol
Web Security
The web is now widely used by business, government and individuals
But the internet & web are vulnerable and face a variety of threats:
Integrity, Confidentiality, Denial of service, Authentication
Need added security mechanisms
Security Facilities
Where security can be provided in the protocol stack (figure reconstructed as text, top layer first):
Network level: HTTP, FTP, SMTP / TCP / IP with IPSec
Transport level: HTTP, FTP, SMTP / TLS or SSL / TCP / IP
Application level: S/MIME, PGP, SET over HTTP, SMTP over TCP, and Kerberos over UDP, all over IP
SSL (Secure Socket Layer)
Transport layer security service
Originally developed by Netscape
Version 3 designed with public input
Subsequently became an internet standard known as TLS (Transport Layer Security)
Uses TCP to provide a reliable end-to-end service
SSL has two layers of protocols
SSL Architecture
Upper layer (carried by the record protocol): SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | HTTP
SSL Record Protocol
TCP
IP
SSL Architecture
SSL session: an association between client & server, created by the handshake protocol; defines a set of cryptographic parameters; may be shared by multiple SSL connections
SSL connection: a transient, peer-to-peer communications link, associated with one SSL session
SSL States
Session state: session ID, peer certificate, compression method, cipher spec, master secret, is resumable
Connection state: server and client random, server write MAC secret, client write MAC secret, server write key, client write key, initialization vectors, sequence numbers
SSL Record Protocol
Confidentiality: symmetric encryption with a shared secret key defined by the handshake protocol
Ciphers: IDEA (128), RC2-40, DES-40, DES, 3DES, Fortezza (80), RC4-40, RC4-128
Message is compressed before encryption
Message integrity: a MAC with a shared secret key, similar to HMAC but with different padding
SSL Record Protocol Operation
SSL record format (header followed by the protected body):
Content type (8 bits) | Major version (8 bits) | Minor version (8 bits) | Compressed length (16 bits)
Plaintext (optionally compressed)  } encrypted
MAC (0, 16 or 20 bytes)            }
Record protocol operation, in order: Application data -> Fragment -> Compress -> Add MAC -> Encrypt -> Append SSL record header
Computing MAC For SSL
The Message Authentication Code (MAC) is calculated over the compressed data
Based on the HMAC algorithm, but with concatenation instead of XOR:
MAC = H(kMAC || P2 || H(kMAC || P1 || Nseq || Ztype || Zlength || Zfrag))
kMAC is the shared MAC write secret; P1 and P2 are padding constants; Nseq is the sequence number; Ztype is the type of compression, Zlength is the length of the compressed data, Zfrag is the compressed fragment number
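The record format and the MAC construction above, worked through in code. This is an added example and not part of the lecture; the byte layouts follow RFC 6101 (SSL 3.0), where the type byte fed to the MAC is the record's content type and the final field is the compressed fragment itself, with the pad constants P1 = 0x36 and P2 = 0x5c repeated 48 times for MD5 and 40 times for SHA-1. Compression and encryption are the null algorithms so that the header and MAC logic stand on their own; the key and data are constructed sample values.

```python
"""SSLv3 record protocol: fragment -> (compress) -> MAC -> (encrypt) -> header.

Added example, not from the lecture. Byte layouts follow RFC 6101 (SSL 3.0):
  header = content type (1) || major (1) || minor (1) || length (2)
  MAC    = H(k_mac || pad2 || H(k_mac || pad1 || seq (8) || type (1) || length (2) || fragment))
Compression and encryption are the null algorithms here so that the MAC and header
logic stand on their own; keys and data below are constructed sample values.
"""
import hashlib
import hmac
import struct

CONTENT_HANDSHAKE, CONTENT_APPLICATION_DATA = 22, 23
SSL3_VERSION = (3, 0)
MAX_FRAGMENT = 2 ** 14                    # upper bound on a plaintext fragment
PAD_LEN = {"md5": 48, "sha1": 40}         # pad1/pad2 lengths per hash function


def ssl3_mac(k_mac, seq, content_type, fragment, hash_name="sha1"):
    """The slides' MAC = H(kMAC || P2 || H(kMAC || P1 || Nseq || Ztype || Zlength || Zfrag)).
    The key is concatenated with the pad bytes; HMAC instead XORs the key into them."""
    h = getattr(hashlib, hash_name)
    pad1 = b"\x36" * PAD_LEN[hash_name]
    pad2 = b"\x5c" * PAD_LEN[hash_name]
    inner = h(k_mac + pad1 + struct.pack(">QBH", seq, content_type, len(fragment)) + fragment).digest()
    return h(k_mac + pad2 + inner).digest()


def hmac_for_comparison(k_mac, seq, content_type, fragment, hash_name="sha1"):
    """A real HMAC over the same fields, to show the two constructions differ."""
    return hmac.new(k_mac, struct.pack(">QBH", seq, content_type, len(fragment)) + fragment, hash_name).digest()


def fragment_data(data):
    """Step 1: split application data into fragments of at most 2^14 bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]


def build_record(k_mac, seq, content_type, fragment, hash_name="sha1"):
    """Steps 3-5 (null compression, null cipher): append the MAC, then prepend the record header.
    The length field counts fragment + MAC, i.e. everything a real cipher would encrypt."""
    body = fragment + ssl3_mac(k_mac, seq, content_type, fragment, hash_name)
    return struct.pack(">BBBH", content_type, *SSL3_VERSION, len(body)) + body


def parse_record(k_mac, seq, record, hash_name="sha1"):
    """Receiver: check the header, split off the MAC and verify it under the *expected* sequence
    number, so a replayed or reordered record fails. Raises ValueError where a real stack
    would send a fatal bad_record_mac alert. Returns (content_type, fragment)."""
    if len(record) < 5:
        raise ValueError("record too short")
    content_type, major, minor, length = struct.unpack(">BBBH", record[:5])
    if (major, minor) != SSL3_VERSION or len(record) != 5 + length:
        raise ValueError("bad version or length")
    mac_len = hashlib.new(hash_name).digest_size
    if length < mac_len:
        raise ValueError("record shorter than its MAC")
    fragment, mac = record[5:5 + length - mac_len], record[5 + length - mac_len:]
    if not hmac.compare_digest(mac, ssl3_mac(k_mac, seq, content_type, fragment, hash_name)):
        raise ValueError("bad_record_mac")
    return content_type, fragment


if __name__ == "__main__":
    k = b"\x01" * 20                      # constructed client_write_MAC_secret
    records = [build_record(k, seq, CONTENT_APPLICATION_DATA, frag)
               for seq, frag in enumerate(fragment_data(b"GET / HTTP/1.0\r\n"))]
    for seq, rec in enumerate(records):
        print(seq, rec[:5].hex(), parse_record(k, seq, rec))
```

The receiver verifies against the sequence number it expects rather than one carried in the record, which is why the MAC protects against replay and reordering even though Nseq is never transmitted.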
SSL Payloads
(a) Change Cipher Spec Protocol: 1 byte (value 1)
(b) Alert Protocol: Level (1 byte) | Alert (1 byte)
(c) Handshake Protocol: Type (1 byte) | Length (3 bytes) | Content (0 or more bytes)
(d) Application Data Protocol: opaque content
SSL Change Cipher Spec Protocol
One of the 3 SSL-specific protocols that use the SSL record protocol, and the simplest
A single message (one byte with value 1)
Causes the pending state to become the current state, hence updating the cipher suite in use
SSL Alert Protocol
Consists of a severity level (1 byte) and an alert (1 byte)
Conveys SSL-related alerts to the peer entity
Severity: warning or fatal
Specific alerts:
Fatal: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter
Warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
Compressed & encrypted like all SSL data
SSL Handshake Protocol
Consists of type (1 byte), length (3 bytes) and content
Allows server & client to authenticate each other, negotiate encryption & MAC algorithms, and negotiate the cryptographic keys to be used
Comprises a series of messages in four phases: establish security capabilities; server authentication and key exchange; client authentication and key exchange; finish
SSL Handshake Protocol Message Types
hello_request: null
client_hello: version, random, session id, cipher suite, compression method
server_hello: same as above
certificate: chain of X.509v3 certificates
server_key_exchange: parameters, signature
certificate_request: type, authorities
server_done: null
certificate_verify: signature
client_key_exchange: parameters, signature
finished: hash value
SSL Handshake Protocol (message flow between Client and Server)
Phase 1: Establish security capabilities, including protocol version, session ID, cipher suite, compression method and initial random numbers
  Client -> Server: client_hello
  Server -> Client: server_hello
Phase 2: Server may send certificate, key exchange and request certificate. Server signals end of hello message phase
  Server -> Client: certificate*, server_key_exchange*, certificate_request*, server_hello_done
Phase 3: Client sends certificate if requested. Client sends key exchange. Client may send certificate verification
  Client -> Server: certificate*, client_key_exchange, certificate_verify*
Phase 4: Change cipher suite and finish handshake protocol
  Client -> Server: change_cipher_spec, finished
  Server -> Client: change_cipher_spec, finished
* Shaded transfers in the original figure are optional or situation-dependent messages that are not always sent.
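The handshake framing (type, 3-byte length, content) and the client_hello fields from the message-type list, worked through in code. This is an added example and not part of the lecture; the client_hello field layout (version, 32-byte random, length-prefixed session id, length-prefixed cipher suite list with 2 bytes per suite, length-prefixed compression methods) and the message type codes follow RFC 6101. The fixed random value is constructed so the run is deterministic; a real client draws it from a cryptographic random generator. The parser bounds-checks every length prefix before reading, which is the check a record layer must make on peer-supplied lengths.

```python
"""SSL handshake message framing: type (1 byte) || length (3 bytes) || content, with client_hello worked through.

Added example, not from the lecture. Field layout and type codes follow RFC 6101 (SSL 3.0).
The random used below is a fixed constructed value so the example is deterministic.
"""
import struct

# Handshake message type codes (RFC 6101)
HT_HELLO_REQUEST, HT_CLIENT_HELLO, HT_SERVER_HELLO = 0, 1, 2
HT_CERTIFICATE, HT_SERVER_KEY_EXCHANGE, HT_CERTIFICATE_REQUEST, HT_SERVER_HELLO_DONE = 11, 12, 13, 14
HT_CERTIFICATE_VERIFY, HT_CLIENT_KEY_EXCHANGE, HT_FINISHED = 15, 16, 20


def frame_handshake(msg_type, body):
    """Prepend the 1-byte type and 3-byte big-endian length."""
    if len(body) >= 1 << 24:
        raise ValueError("handshake body too long for a 3-byte length")
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_client_hello(version, random32, session_id, cipher_suites, compression_methods):
    """Serialize the client_hello fields listed on the slide into a framed handshake message."""
    if len(random32) != 32 or len(session_id) > 32:
        raise ValueError("random must be 32 bytes and session id at most 32 bytes")
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body = (struct.pack(">BB", *version) + random32
            + bytes([len(session_id)]) + session_id
            + struct.pack(">H", len(suites)) + suites
            + bytes([len(compression_methods)]) + bytes(compression_methods))
    return frame_handshake(HT_CLIENT_HELLO, body)


def parse_handshake_messages(data):
    """Split one handshake-protocol fragment into (type, body) pairs; a record may carry several
    messages back to back (e.g. certificate, server_key_exchange, server_hello_done)."""
    messages, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated handshake header")
        msg_type = data[pos]
        length = int.from_bytes(data[pos + 1:pos + 4], "big")
        body = data[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        messages.append((msg_type, body))
        pos += 4 + length
    return messages


def parse_client_hello(body):
    """Decode a client_hello body, bounds-checking every length-prefixed field before reading it."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated client_hello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    major, minor = take(2)
    random32 = take(32)
    session_id = take(take(1)[0])
    suites_len = int.from_bytes(take(2), "big")
    if suites_len % 2:
        raise ValueError("cipher_suites length must be even")
    suites = take(suites_len)
    cipher_suites = [int.from_bytes(suites[i:i + 2], "big") for i in range(0, suites_len, 2)]
    compression_methods = list(take(take(1)[0]))
    if pos != len(body):
        raise ValueError("trailing bytes after client_hello")
    return {"version": (major, minor), "random": random32, "session_id": session_id,
            "cipher_suites": cipher_suites, "compression_methods": compression_methods}


if __name__ == "__main__":
    # constructed: SSL 3.0, fixed random, no session to resume, two suites (0x000A and 0x002F
    # are the registry values for RSA/3DES/SHA and RSA/AES-128/SHA), null compression
    hello = build_client_hello((3, 0), bytes(range(32)), b"", [0x000A, 0x002F], [0])
    for msg_type, body in parse_handshake_messages(hello):
        print(msg_type, parse_client_hello(body))
```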
SSL Key Exchange Methods
RSA: secret key encrypted with the receiver's RSA public key
Fixed Diffie-Hellman: the server's certificate contains DH public parameters signed by the CA
Ephemeral Diffie-Hellman: DH public keys are generated and exchanged, signed using the sender's private RSA or DSS key
Anonymous Diffie-Hellman: DH public keys are exchanged without any authentication
Fortezza: using the Fortezza scheme
CipherSpec in SSL
Cipher algorithm: RC4, RC2, DES, 3DES
MAC algorithm: MD5 or SHA-1
Is exportable: true or false
Hash size: 0, 16 (MD5) or 20 (SHA-1) bytes
Key material
IV size: for CBC mode
Signatures in SSL Protocol
The hash used in the signature is Hash(client_random || server_random || server_parameters)
The hash covers the RSA or DH parameters as well as the nonces
For DSS, SHA-1 is used; for RSA, both MD5 and SHA-1 are used
Master Secret Creation
First, a 48-byte pre-master secret (SpM) is exchanged using either the RSA or the DH key exchange protocol
The master secret (SM) is generated from the pre-master secret, the server random (Rs) and the client random (Rc):
SM = MD5(SpM || SHA(A || SpM || Rc || Rs)) || MD5(SpM || SHA(BB || SpM || Rc || Rs)) || MD5(SpM || SHA(CCC || SpM || Rc || Rs))
All required key material is generated from the master secret using a similar mechanism
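The master secret formula and the "similar mechanism" for key material, worked through in code. This is an added example and not part of the lecture; the construction follows RFC 6101, where the key block is built from the master secret with the labels 'A', 'BB', 'CCC', 'DDDD', ... but with the two randoms fed in the opposite order (Rs before Rc), and is then sliced into the connection-state secrets listed on the SSL States slide. The pre-master secret and randoms are constructed sample values.

```python
"""SSLv3 master secret and key material, the slides' SM = MD5(SpM || SHA(A || SpM || Rc || Rs)) || ...

Added example, not from the lecture. Follows RFC 6101: three MD5(SHA) blocks labelled
'A', 'BB', 'CCC' give the 48-byte master secret, and the key block reuses the same mechanism
with labels 'A', 'BB', 'CCC', 'DDDD', ... over the master secret. Inputs below are constructed.
"""
import hashlib


def md5_sha_block(secret, label, random1, random2):
    """One 16-byte block: MD5(secret || SHA-1(label || secret || random1 || random2))."""
    inner = hashlib.sha1(label + secret + random1 + random2).digest()
    return hashlib.md5(secret + inner).digest()


def ssl3_master_secret(pre_master, client_random, server_random):
    """SM = block('A') || block('BB') || block('CCC'), with Rc before Rs as on the slide."""
    return b"".join(md5_sha_block(pre_master, label, client_random, server_random)
                    for label in (b"A", b"BB", b"CCC"))


def ssl3_key_block(master, client_random, server_random, length):
    """Key material: same mechanism, labels 'A', 'BB', 'CCC', 'DDDD', ...; RFC 6101 feeds the
    randoms as server_random || client_random here, the opposite order to the master secret."""
    out, i = b"", 0
    while len(out) < length:
        label = bytes([ord("A") + i]) * (i + 1)
        out += md5_sha_block(master, label, server_random, client_random)
        i += 1
    return out[:length]


def partition_key_block(key_block, mac_len, key_len, iv_len):
    """Slice the key block into the connection-state secrets in the order the standard uses."""
    names = ["client_write_mac_secret", "server_write_mac_secret",
             "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    if len(key_block) < sum(sizes):
        raise ValueError("key block too short")
    out, pos = {}, 0
    for name, size in zip(names, sizes):
        out[name] = key_block[pos:pos + size]
        pos += size
    return out


if __name__ == "__main__":
    pre_master = bytes(48)               # constructed; the real value comes from the RSA or DH key exchange
    rc, rs = b"\x11" * 32, b"\x22" * 32  # constructed client and server randoms
    ms = ssl3_master_secret(pre_master, rc, rs)
    # 3DES-CBC with SHA-1 needs 2 * (20 + 24 + 8) = 104 bytes of key material
    keys = partition_key_block(ssl3_key_block(ms, rc, rs, 104), mac_len=20, key_len=24, iv_len=8)
    print(ms.hex())
    for name, value in keys.items():
        print(name, value.hex())
```

Because both randoms enter every block, neither party alone controls the derived keys, and a replayed pre-master secret still yields fresh key material.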
TLS (Transport Layer Security)
IETF standard RFC 2246, similar to SSLv3 with minor differences:
Record format version number is 3.1
Uses HMAC for the MAC
A pseudo-random function expands secrets
Has additional alert codes
Some changes in supported ciphers
Changes in certificate negotiations
Changes in use of padding
TLS Pseudorandom Function
Data expansion function P_hash(secret, seed), reconstructed from the figure:
A(0) = seed
A(i) = HMAC(secret, A(i-1))
P_hash(secret, seed) = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || HMAC(secret, A(3) || seed) || ...
Each HMAC output has length = hash size; the chain continues until enough output has been produced
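The P_hash chain from the figure and the full TLS PRF built on it, as an added example that is not part of the lecture. It follows RFC 2246 section 5: P_hash iterates HMAC over A(i) to produce hash-size blocks, and the PRF splits the secret into two halves (overlapping by one byte when the length is odd), runs P_MD5 on the first half and P_SHA1 on the second over label || seed, and XORs the two streams. The TLS master secret is then PRF(pre_master, "master secret", Rc || Rs) truncated to 48 bytes. Inputs in the demo are constructed sample values.

```python
"""TLS 1.0 pseudorandom function (RFC 2246 section 5): the figure's P_hash chain and the full PRF.

Added example, not from the lecture. P_hash(secret, seed) = HMAC(secret, A(1) || seed) ||
HMAC(secret, A(2) || seed) || ..., with A(0) = seed and A(i) = HMAC(secret, A(i-1)); the PRF
splits the secret, runs P_MD5 on one half and P_SHA1 on the other, and XORs the results.
"""
import hmac


def hmac_digest(key, data, hash_name):
    """Standard HMAC (key XORed into the pads), unlike the SSLv3 concatenation MAC."""
    return hmac.new(key, data, hash_name).digest()


def a_chain(secret, seed, hash_name, count):
    """A(1) .. A(count) as drawn in the figure: each HMAC is keyed by the secret over the previous A."""
    values, a = [], seed                  # a starts as A(0) = seed
    for _ in range(count):
        a = hmac_digest(secret, a, hash_name)
        values.append(a)
    return values


def p_hash(secret, seed, hash_name, length):
    """Expand (secret, seed) to `length` bytes; each iteration yields one hash-size block."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac_digest(secret, a, hash_name)             # A(i)
        out += hmac_digest(secret, a + seed, hash_name)   # HMAC(secret, A(i) || seed)
    return out[:length]


def tls_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_MD5(S1, label || seed) XOR P_SHA1(S2, label || seed).
    S1 and S2 are the two halves of the secret, overlapping by one byte if its length is odd."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    p_md5 = p_hash(s1, label + seed, "md5", length)
    p_sha1 = p_hash(s2, label + seed, "sha1", length)
    return bytes(x ^ y for x, y in zip(p_md5, p_sha1))


def tls_master_secret(pre_master, client_random, server_random):
    """TLS replaces the SSLv3 MD5/SHA construction with PRF(pre_master, "master secret", Rc || Rs)."""
    return tls_prf(pre_master, b"master secret", client_random + server_random, 48)


if __name__ == "__main__":
    # constructed inputs: all-zero pre-master secret and fixed randoms
    ms = tls_master_secret(bytes(48), b"\x11" * 32, b"\x22" * 32)
    print(ms.hex())
```

Using two different hash functions and XORing their outputs means the PRF stays sound as long as at least one of MD5 and SHA-1 holds, which is the design rationale RFC 2246 gives for the split.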
TLS Alert Codes
Supports all SSLv3 codes except no certificate
Supports additional alert codes
Fatal alert codes include: decryption failed, record overflow, unknown CA, access denied, decode error, export restriction, protocol version, insufficient security, internal error
Warning alert codes include: decrypt error, user cancelled, no renegotiation