������������������ ���������������������� � � �������������������������������� ����������������������������������������� �������������������������������������������� Secure Socket Layer (SSL) and Trnasport Layer Security (TLS) CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring 2008 CSE598K/CSE545 - Advanced Network Security - McDaniel Page 1
SSL/TLS • The Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols implement security at the application layer ‣ Popular for securing the web, but not part of it ‣ Is a general purpose secure communication protocol suite ‣ Uses certificate authentication HTTP FTP SMTP SSL/TLS TCP IP Note: throughout we will focus on SSLv3. Assume SSLv3 unless stated otherwise. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 2
Model • Often a one-way authentication mechanism, used to prove the authenticity of a web-server to a client. ‣ Server-side certificates ‣ Root CA certifications distributed with browser ‣ Non-certified (or expired) certificates can be accepted • Mutual authentication performed using client-side certificates ‣ Less frequently uses (almost never in Web applications) ‣ Where used for enterprise internal or as layer for non-Web based applications, much more frequently. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 3
SSL as protocol suite • Data Protocols • Control Protocols ‣ Record Protocol ‣ Handshake Protocol ‣ Change Cipher Suite Protocol ‣ Alert Protocol Session Connection Connection Connection Alice Bob Connection Connection Connection CSE598K/CSE545 - Advanced Network Security - McDaniel Page 4
SSL Session State • Session ID • Peer certificate (sometimes) • Cipher Spec • Compression algorithm • Master Secret CSE598K/CSE545 - Advanced Network Security - McDaniel Page 5
SSL Connection State • Server and client random • Server MAC key • Client MAC key • Server write key • Client write key • Initialization vectors CSE598K/CSE545 - Advanced Network Security - McDaniel Page 6
Handshake Protocol • The purpose of the handshake protocols is to ‣ authenticate one or both parties ‣ negotiate shared master keys • Protocol operates in 4 phases ‣ Phase 1: establish security context ‣ Phase 2: server publishes certificate and key seeds ‣ Phase 3: client completes key exchange ‣ Phase 4: complete handshake CSE598K/CSE545 - Advanced Network Security - McDaniel Page 7
Phase 1 • Client sends and offer (CLIENT_HELLO) including ‣ SSL Version (highest supported) ‣ Random (R C) - { timestamp, plus 28 random bytes } ‣ Session ID - { 0 = new session, !0 = refresh } ‣ CipherSuite - algorithm selections for security/compression • Server replies with (SERVER_HELLO) response ‣ Section of SSL version, crypto and compression algorithms ‣ A new session ID (as needed) (S ID ) ‣ A server random number (R S) CSE598K/CSE545 - Advanced Network Security - McDaniel Page 8
Phase 2 • Server sends a (CERTIFICATE) ‣ This contains the public key certificate for the server Ks+ • Server sends a (SERVER_KEY_EXCHANGE) ‣ This contains the server parameters for the key exchange to be performed (there are many variants) • For example, the anonymous Diffie-Hellman sends the prime number and primitive root (n,r) ‣ The key exchange parameters are signed using the private key of the server with exchanged random numbers, e.g., s , [ n | g | X = g x mod n ]) = Sig ( K − sig ( K − s , R c | R s | n | g | X ) • Server sends a completion (SERVER_DONE) CSE598K/CSE545 - Advanced Network Security - McDaniel Page 9
Phase 3 • Client sends a (CERTIFICATE) - optional ‣ This contains the public key certificate for the clients Ks+ • Client sends a response (CLIENT_KEY_EXCHANGE) ‣ This contains the client’s key exchange parameters ‣ As before this is the public client Diffie-Hellman parameters • Signed if client has signing capability ‣ The parties generate the pre_master_secret X = g x mod n Y = g y mod n p ms = Y x mod n = X y mod n CSE598K/CSE545 - Advanced Network Security - McDaniel Page 10
Phase 4 • Both sides complete the process by computing the 48 byte master secret: = MD 5( p ms | SHA ( ′ A ′ | p ms | R c | R s )) | M s k MD 5( p ms | SHA ( ′ BB ′ | p ms | R c | R s )) | MD 5( p ms | SHA ( ′ CCC ′ | p ms | R c | R s )) • Then generate a “key block” of secret bytes = MD 5( M s k | SHA ( ′ A ′ | M s k | R c | R s )) | key block MD 5( M s k | SHA ( ′ BB ′ | M s k | R c | R s )) | MD 5( M s k | SHA ( ′ CCC ′ | M s k | R c | R s )) | MD 5( M s k | SHA ( ′ DDDD ′ | M s k | R c | R s )) | . . . CSE598K/CSE545 - Advanced Network Security - McDaniel Page 11
Transport Keys • Just use the key_block as a PRF to generate enough bytes to generate the keys for clients and servers. key_block Client Server Client Server ... Write Key Write Key MAC Key MAC Key • Note: this PRF is practically of unlimited length and in practice (although generated differently) is used extensively on TLS. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 12
Record Protocol • Provides to client (initiator) Original Data and server (service) ‣ Confidentiality (via Fragmented Fragmented Fragmented Data Data Data encryption) ‣ Integrity (via MAC) Compressed Data • Data is fragmented, compressed, and security M Compressed A Data C constructions applied. Encrypted Data H Encrypted D Data R CSE598K/CSE545 - Advanced Network Security - McDaniel Page 13
RFC 2104 (MAC for TLS) Given: h () = hash function = input/out byte-length of h B = a secret key K pad i = inner pad = 0 x 35 repeated B times pad o = outer pad = 0 x 5 C repeated B times text = text to MAC Compute the MAC: MAC ( K, text ) = ( H (( K ⊕ pad o ) | H (( K ⊕ pad i ) | text )) CSE598K/CSE545 - Advanced Network Security - McDaniel Page
Alert/CCS Protocol • Change Cipher Suite Protocol ‣ Trigged at end of handshake, causes security association to be enabled • Alert Protocols - signals ‣ MAC failure ‣ No known certificate ‣ Handshake failure ‣ Bad certificate ‣ Close notification CSE598K/CSE545 - Advanced Network Security - McDaniel Page 15
Why? • ... does SSL work? • ... does SSL not work? • ... is SSL so popular? CSE598K/CSE545 - Advanced Network Security - McDaniel Page 16
Recommend
More recommend
