Lecture 14 Transport Layer Security/ Secure Socket Layer (TLS/SSL) - - PowerPoint PPT Presentation

lecture 14 transport layer security secure socket layer
SMART_READER_LITE
LIVE PREVIEW

Lecture 14 Transport Layer Security/ Secure Socket Layer (TLS/SSL) - - PowerPoint PPT Presentation

Apr 06, 2024 396 likes •617 views

Lecture 14 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL: Secure Sockets Layer v widely deployed security v original goals: protocol Web e-commerce transactions supported by almost all browsers,

slide-1
SLIDE 1

Lecture 14 Transport Layer Security/ Secure Socket Layer (TLS/SSL)

(Chapter 9 in KPS)

slide-2
SLIDE 2

SSL: Secure Sockets Layer

v widely deployed security

protocol

§ supported by almost all browsers, web servers § the “s” in https § billions $/year over SSL

v mechanisms: [Woo 1994],

implementation: Netscape

v Variation: TLS=Transport Layer

Security, RFC 2246

v provides

§ confidentiality § integrity § authentication

v original goals:

§ Web e-commerce transactions § encryption (especially credit- card numbers) § Web-server authentication § optional client authentication § minimum hassle in doing business with new merchant

v available to all TCP applications

§ secure socket interface

slide-3
SLIDE 3

SSL and TCP/IP

Application TCP IP normal application Application SSL TCP IP application with SSL

v SSL provides application programming interface

(API) to applications

v C and Java SSL libraries/classes readily available

slide-4
SLIDE 4

Could do something like PGP:

v but want to send byte streams & interactive data v want set of secret keys for entire connection v want certificate exchange as part of protocol: handshake phase H( )

.

KA( )

.

+

KA(H(m))

m

KA

m

KS( )

.

KB( )

.

+

KB(KS )

KS

KB Internet

KS

  • Pretty Good Privacy (PGP)

used to secure email

  • KA is Alice’s private key used

to sign

  • KB is Bob’s public key used

to encrypt to Bob a session key KS

slide-5
SLIDE 5

Toy SSL: a Simple Secure Channel

v handshake: Alice and Bob use their certificates,

private keys to authenticate each other and exchange a shared secret

v key derivation: Alice and Bob use shared secret to

derive set of keys

v data transfer: data to be transferred is broken up

into series of records

v connection closure: special messages to securely

close connection

slide-6
SLIDE 6

Toy: a Simple Handshake

MS: master secret EMS: encrypted master secret

h e l l

  • public key certificate

KB(MS) = EMS

slide-7
SLIDE 7

Toy: Key Derivation

v considered bad to use same key for more than one

cryptographic operation

§ use different keys for message authentication code (MAC) and encryption

v four keys:

§ Kc = encryption key for data sent from client to server § Mc = MAC key for data sent from client to server § Ks = encryption key for data sent from server to client § Ms = MAC key for data sent from server to client

v keys derived from key derivation function (KDF)

§ takes master secret and (possibly) some additional random data and creates the keys

slide-8
SLIDE 8

Toy: Data Records

v why not encrypt data in constant stream as we write it to

TCP?

§ where would we put the MAC? If at end, no message integrity until all data processed. § e.g., with instant messaging, how can we do integrity check over all bytes sent before displaying?

v instead, break stream in series of records

§ each record carries a MAC § receiver can act on each record as it arrives

v issue: in record, receiver needs to distinguish MAC from

data

§ want to use variable-length records length data MAC

slide-9
SLIDE 9

Toy: Sequence Numbers

v problem: attacker can capture and replay record

  • r re-order records

v solution: put sequence number into MAC:

§ MAC = MAC(Mx, sequence||data) § note: no sequence number field, Mx = MAC key

v problem: attacker could replay all records v solution: use nonce

slide-10
SLIDE 10

Toy: Control Information

v problem: truncation attack:

§ attacker forges TCP connection close segment § one or both sides thinks there is less data than there actually is

v solution: record types, with one type for closure

§ type 0 for data; type 1 for closure

v MAC = MAC(Mx, sequence||type||data) length type data MAC

slide-11
SLIDE 11

Toy SSL: Summary

hello certificate, nonce KB ( M S ) = E M S type 0, seq 1, data type 0, seq 2, data t y p e , s e q 1 , d a t a type 0, seq 3, data type 1, seq 4, close type 1, seq 2, close encrypted bob.com

slide-12
SLIDE 12

Toy SSL isn’t complete

v how long are fields? v which encryption algorithms to use? v want negotiation?

§ allow client and server to support different encryption algorithms § allow client and server to choose together specific algorithm before data transfer

slide-13
SLIDE 13

SSL Cipher Suite

v cipher suite § public-key algorithm § symmetric encryption algorithm § MAC algorithm v SSL supports several cipher

suites

v negotiation: client, server

agree on cipher suite

§ client offers choice § server picks one Common SSL symmetric ciphers

§ DES – Data Encryption Standard: block § 3DES – Triple strength: block § RC2 – Rivest Cipher 2: block § RC4 – Rivest Cipher 4: stream

SSL Public key encryption § RSA

slide-14
SLIDE 14

Real SSL: Handshake (1)

Purpose

1.

server authentication

2.

negotiation: agree on crypto algorithms

3.

establish keys

4.

client authentication (optional)

slide-15
SLIDE 15

Real SSL: Handshake (2)

  • 1. client sends list of algorithms it supports, along with

client nonce

  • 2. server chooses algorithms from list; sends back:

choice + certificate + server nonce

  • 3. client verifies certificate, extracts server’s public

key, generates pre_master_secret, encrypts with server’s public key, sends to server

  • 4. client and server independently compute encryption

and MAC keys from pre_master_secret and nonces

  • 5. client sends a MAC of all the handshake messages
  • 6. server sends a MAC of all the handshake messages
slide-16
SLIDE 16

Real SSL: Handshake (3)

last 2 steps protect handshake from tampering

v client typically offers range of algorithms, some

strong, some weak

v man-in-the middle could delete stronger algorithms

from list

v last 2 steps prevent this

§ last two messages are encrypted

slide-17
SLIDE 17

Real SSL: Handshake (4)

v why two random nonces? v suppose Eve sniffs all messages between Alice &

Bob

v next day, Eve sets up TCP connection with Bob,

sends exact same sequence of records

§ Bob (Amazon) thinks Alice made two separate orders for the same thing § solution: Bob sends different random nonce for each

  • connection. This causes encryption keys to be different
  • n the two days

§ Eve’s messages will fail Bob’s integrity check

slide-18
SLIDE 18

SSL Record Protocol

data data fragment data fragment MAC MAC encrypted data and MAC encrypted data and MAC

record header record header

record header: content type; version; length MAC: includes sequence number, MAC key Mx fragment: each SSL fragment 214 bytes (~16 Kbytes)

slide-19
SLIDE 19

SSL Record Format

content type SSL version length MAC data 1 byte 2 bytes 3 bytes

data and MAC encrypted (symmetric algorithm)

slide-20
SLIDE 20

handshake: ClientHello h a n d s h a k e : S e r v e r H e l l

  • h

a n d s h a k e : C e r t i f i c a t e h a n d s h a k e : S e r v e r H e l l

  • D
  • n

e handshake: ClientKeyExchange ChangeCipherSpec handshake: Finished ChangeCipherSpec handshake: Finished application_data application_data Alert: warning, close_notify

Real SSL Connection

TCP FIN message follows everything henceforth is encrypted

slide-21
SLIDE 21

Key Derivation

v client nonce, server nonce, and pre-master secret input

into pseudo random-number generator (PRG).

§ produces master secret

v master secret and new nonces input into another

random-number generator: “key block”

v key block sliced and diced:

§ client MAC key § server MAC key § client encryption key § server encryption key § client initialization vector (IV) § server initialization vector (IV)