HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Transcription

1 CSCD27 Computer and Network Security HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL) 11 SSL CSCD27 Computer and Network Security 1 CSCD27F Computer and Network Security 1

2 TLS (Transport-Layer Security) TLS works at transportlayer. Provides security to any TCP-based application using TLS services transparent (mostly) to application developers (e.g. a Java http-server can be upgraded to https just by using a different class-constructor to get a secure socket) does not rely on underlying network (IP) being secure other network security-services are implemented at lower (e.g. IPSec) or higher (e.g. S/MIME, GPG) layers TLS security services: (CIA) data encryption (Confidentiality) data integrity (Integrity) server, optional client authentication (Authentication) 11 SSL CSCD27 Computer and Network Security 2 CSCD27F Computer and Network Security 2

3 SSL (Secure Socket Layer) The most widely used Web security protocol. SSLimplements confidential communication between Web browsersand servers(only those endpoints can read the encrypted traffic) HTTPS protocol headers and data are encrypted, but not encapsulating packets and headers, e.g. TCP, IP originally developed by Netscape Communications version 3 designed with public input subsequently became Internet IETF standard known as TLS (Transport Layer Security) uses TCP to provide reliable end-to-end connections Kipp Hickman Taher Elgamal 11 SSL CSCD27 Computer and Network Security 3 CSCD27F Computer and Network Security 3

4 TLS SecurityIssues Essential that the identify of the server by verified, why? How does the server prove its identity? What does this proof rely on? Does this prevent MITM attacks? What about Superfish? Implications of long-lived keys, esp. RSA public-private keypairs Why does NSA prefer you use RSA for TLS key-exchange? How can an ISP mount a denial-of-service (DoS) attack on HTTPS connections? Why doesn t SSLStrip work with HTTPS/TLS connections? What risk arises when HTTPS content loads HTTP content? 11 SSL CSCD27 Computer and Network Security 4 CSCD27F Computer and Network Security 4

5 Architecture Detail INITIALIZES SECURE COMMUNICATION ERROR HANDLING HANDLES COMMUNICATION WITH THE APPLICATION HANDLES DATA COMPRESSION Protocols INITIALIZES COMMUNCATION BETWEEN CLIENT & SERVER 11 SSL CSCD27 Computer and Network Security 5 CSCD27F Computer and Network Security 5

6 TLS Record-Layer Services fragment input stream and append protocol header to each fragment message integrity using a MAC with shared secret key similar to HMAC but with different padding confidentiality using symmetric encryption with a symmetric key defined by Handshake Protocol AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 message is compressed before encryption 11 SSL CSCD27 Computer and Network Security 6 CSCD27F Computer and Network Security 6

7 TLS Record-Layer Operation 11 SSL CSCD27 Computer and Network Security 7 CSCD27F Computer and Network Security 7

8 TLS Handshake Protocol allows server & client to: authenticate each other negotiate encryption & MAC algorithms negotiate cryptographic keys to be used comprises a series of messages in phases 1. Establish Security Capabilities 2. Server Authentication and Key Exchange 3. Client Authentication and Key Exchange 4. Finish 11 SSL CSCD27 Computer and Network Security 8 CSCD27F Computer and Network Security 8

9 SSL/TLS Messages CLIENT SIDE SERVER SIDE OFFER CIPHER SUITE MENU TO SERVER SELECT A CIPHER SUITE SEND CERTIFICATE AND CHAIN TO CA ROOT SEND PUBLIC KEY TO ENCRYPT SYM KEY SEND ENCRYPTED SYMMETRIC KEY ACTIVATE ENCRYPTION CLIENT PORTION DONE ( CLIENT CHECKS OPTIONS ) NOW THE PARTIES CAN USE SYMMETRIC ENCRYPTION SERVER NEGOTIATION FINISHED ( SERVER CHECKS OPTIONS ) ACTIVATE SERVER ENCRYPTION SERVER PORTION DONE Based on: THOMAS, SSL AND TLS ESSENTIALS 11 SSL CSCD27 Computer and Network Security 10 CSCD27F Computer and Network Security 9

10 Handshake Protocol: ClientHello, ServerHello ClientHello message initiates session: client lists encryption and MAC ciphers, compression algorithms, and protocol-versions it supports also sends some random bytes (a nonce ) The server responds with a ServerHello message: chooses from the client options settings that are acceptable to both parties also sends a session identifier and some random bytes What are the client and server random bytes for? used later in computing the master secret shared between client and server in turn used as session-key material 11 SSL CSCD27 Computer and Network Security 11 CSCD27F Computer and Network Security 10

11 ClientHello -Cipher Suites SSL_NULL_WITH_NULL_NULL = { 0, 0 } INITIAL (NULL) CIPHER SUITE PUBLIC-KEY ALGORITHM SYMMETRIC ALGORITHM HASH ALGORITHM SSL_RSA_WITH_NULL_MD5 = { 0, 1 } SSL_RSA_WITH_NULL_SHA = { 0, 2 } SSL_RSA_EXPORT_WITH_RC4_40_MD5 = { 0, 3 } SSL_RSA_WITH_RC4_128_MD5 = { 0, 4 } SSL_RSA_WITH_RC4_128_SHA = { 0, 5 } SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0, 6 } SSL_RSA_WITH_IDEA_CBC_SHA = { 0, 7 } SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0, 8 } SSL_RSA_WITH_DES_CBC_SHA = { 0, 9 } SSL_RSA_WITH_3DES_EDE_CBC_SHA = { 0, 10 } CIPHER SUITE CODES USED IN SSL MESSAGES 11 SSL CSCD27 Computer and Network Security 12 CSCD27F Computer and Network Security 11

12 Handshake Protocol: Server Certificate, Client Certificate, the server usually authenticates itself to the client by providing its public-key certificate to the client how does client verify this certificate? certificate created by hashing information including server public-key, user/organization identification, etc encrypted with CA s private key so, client decrypts with CA s known and verifies the hash Server then optionally requests a client-certificate to authenticate the client rare in practice, since clients usually don't have a certificate 11 SSL CSCD27 Computer and Network Security 13 CSCD27F Computer and Network Security 12

13 Public-Key Certificates X-509 standard format for public-key certificates Trust in each certificate is backed by a hierarchy of certificates each of which signs lower-level certificates Root certificate in the hierarchy is trusted by the client (e.g. hard-coded into application such as browser) Revocation list checked to be sure certificate remains valid 11 SSL CSCD27 Computer and Network Security 14 CSCD27F Computer and Network Security 13

14 Client Key Exchange Premaster-secret created by client; used to seed calculation of encryption parameters 2 bytes of SSL version + 46 random bytes Sent encrypted to server using server s public key This is where the attack happened in SSLv2 11 SSL CSCD27 Computer and Network Security 16 CSCD27F Computer and Network Security 14

15 Netscape SSL Implementation global variable seed; RNG_CreateContext() { (seconds, microseconds) = time-of-day; pid = process ID; ppid = parent process ID; a = mklcpr (microseconds); b = mklcpr (pid + seconds + (ppid << 12)); seed = MD5 (a, b); } The mklcpr()function just scrambles the input a bit, and MD5 is a well-known hashing function What does the crucial seed depend on here? 11 SSL CSCD27 Computer and Network Security 18 CSCD27F Computer and Network Security 15

16 Protocol Handshake: master-secret generation server and client both compute a master secret according to the a specific pseudo-random function inputs are the premaster secret, a set of literal string values, and a seed consisting of the client's and the server's earlier random-bytes concatenated together This iteratively calculates two keyed-hash message authentication codes (HMACs) Uses MD5 as the hash function for half of the input secret and SHA-1 for the rest Then XORs together the result of those two separate HMAC calculations to get the final value 11 SSL CSCD27 Computer and Network Security 19 CSCD27F Computer and Network Security 16

17 Generating the Master Secret SERVER S PUBLIC KEY IS SENT BY SERVER IN ServerKeyExchange CLIENT GENERATES THE PREMASTER SECRET ENCRYPTS WITH PUBLIC KEY OF SERVER CLIENT SENDS PREMASTER SECRET IN ClientKeyExchange SENT BY CLIENT IN ClientHello SENT BY SERVER IN ServerHello MASTER SECRET IS 3 MD5 HASHES CONCATENATED TOGETHER = 384 BITS Based on: THOMAS, SSL AND TLS ESSENTIALS 11 SSL CSCD27 Computer and Network Security 20 CSCD27F Computer and Network Security 17

18 Generation of Key Material JUST LIKE FORMING THE MASTER SECRET EXCEPT THE MASTER SECRET IS USED HERE INSTEAD OF THE PREMASTER SECRET... Based on: THOMAS, SSL AND TLS ESSENTIALS 11 SSL CSCD27 Computer and Network Security 22 CSCD27F Computer and Network Security 18

19 TLS Overhead 2-10 times slower than an unsecure TCP session partly why major services like Twitter and Facebook did not secure connections with HTTPS until relatively recently Where we lose time: handshake phase o packet exchange with server (round-trip time RTT) o client does public-key encryption o server does private-key decryption o usually clients have to wait on servers to finish data-transfer phase o symmetric-key encryption Each separate HTTPS connection requires this overhead browsers may initiate many parallel connections 11 SSL CSCD27 Computer and Network Security 23 CSCD27F Computer and Network Security 19

20 SSL Vulnerabilities Mixed-content sites: main page loads over https, includes non-secure content, such as images, script/css files etc. by tampering with the insecure content, an attacker can undermine the security of HTTPS SSL Stripping: takes advantage of the fact that many users reach secure sites by starting with insecure URL s e.g. type tdcanadatrust.com and rely on server redirects to get to the actual site even then, the entry page may be non-secure info-page when time comes to switch to https, attacker interposes a MITM relay 11 SSL CSCD27 Computer and Network Security 24 CSCD27F Computer and Network Security 20