Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

Transcription

1 Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

2 Security architecture and protocol stack Applicat. (SHTTP) SSL/TLS TCP IPSEC IP Secure applications: PGP, SHTTP, SFTP, or Security down in the protocol stack -SSL between TCP and applic. layer - IPSEC between TCP and IP 2

3 SSL/TLS intro Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end 3

4 SSL/TLS intro, continued Several versions of the protocols are in widespread use in applications like web browsing, electronic mail, Internet faxing, instant messaging and VoIP TLS is an IETF standards track protocol, last updated in RFC 5246, that was based on the earlier SSL specifications developed by Netscape Corporation 4

5 SSL/TLS intro, continued 2 SSL/TLS allow client/server applications to communicate across a network in a way designed to prevent eavesdropping, tampering and message forgery provide endpoint authentication and communications confidentiality over the Internet using cryptography. RSA security with 1024 and 2048 bit strengths 5

6 main threats addressed eavesdropping = the act of secretly listening to private conversation tampering = the act of altering something secretly or improperly message forgery = sending of a message to deceive the recipient as to whom the real sender is 6

7 SSL/TLS intro, continued 3 In typical end-user/browser usage, TLS authentication is unilateral: only server is authenticated, but not vice TLS also supports mutual authentication provided that partners diligently scrutinize identity information 7

8 SSL/TLS intro, continued 4 Mutual authentication requires that the TLS client-side also holds a certificate (which is not usually the case in the enduser/browser scenario) Unless TLS-PSK, the Secure Remote Password (SRP) protocol, or some other protocol is used that can provide strong mutual authentication in the absence of certificates 8

9 SSL/TLS intro, continued 5 TLS involves three basic phases: 1. Peer negotiation for algorithm support 2. Key exchange and authentication 3. Symmetric cipher encryption and message authentication 9

10 SSL/TLS intro, continued 6 During first phase, client and server negotiate cipher suites, which determine ciphers to be used, key exchange and authentication algorithms, as well as message authentication codes (MACs) key exchange and authentication algorithms are typically public key algorithms, or, as in TLS-PSK, preshared keys (PSKs) could be used message authentication codes are made up from cryptographic hash functions using the HMAC construction for TLS, and a nonstandard pseudorandom function for SSL. 10

11 SSL/TLS: typical algorithms For key exchange: RSA, Diffie-Hellman, ECDH (Elliptic Curve Diffie Hellman), SRP (Secure Remote Password protocol), PSK For authentication: RSA, DSA, ECDSA (Elliptic Curve Digital Signature Algorithm) Symmetric ciphers: RC4, Triple DES, AES, IDEA, DES, or Camellia. In older versions of SSL, RC2 was also used. For cryptographic hash function: HMAC-MD5 or HMAC-SHA are used for TLS, MD5 and SHA for SSL, while older versions of SSL also used MD2 and MD4. 11

12 SLL/TLS and digital certificates The key information and certificates necessary for TLS are handled in the form of X.509 certificates, which define required fields and data formats. 12

13 how SSL/TLS works 1/5 Client and server negotiate a stateful connection by using a handshaking procedure. During handshake, client and server agree on various parameters used to establish connection's security Handshake begins when client connects to TLSenabled server requesting a secure connection and presents a list of supported ciphers and hash functions From this list, server picks the strongest cipher and hash function that it also supports and notifies client of the decision 13

14 how SSL/TLS works 2/5 Server sends back its identification in the form of a digital certificate X.509 Client may contact the CA and confirm that the certificate is authentic and not revoked before proceeding modern browsers support Extended Validation certificates 14

15 how SSL/TLS works 3/5 For generating session keys used for secure connection, client encrypts a random number (RN) with server's public key (PbK), and sends result to server. Only server is able to decrypt it (with its private key (PvK)): this is the one fact that makes the keys hidden from third parties, since only the server and the client have access to this data. 15

16 how SSL/TLS works 4/5 Client knows PbK and RN, and server knows PvK and (after decryption of the client's message) RN. A third party may only know PbK, unless PvK has been compromised. From the random number, both parties generate key material for encryption and decryption. 16

17 how SSL/TLS works 5/5 This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the key material until the connection closes. If any one of the above steps fails, the TLS handshake fails, and the connection is not created. 17

18 SSL (Secure Socket Layer) transport layer security service uses TCP to provide a reliable end-to-end service originally developed by Netscape version 3 designed with public input subsequently became Internet standard known as TLS (Transport Layer Security) SSL has two layers of protocols 18

19 SSL Architecture 19

20 SSL Architecture SSL session an association between client & server created by the Handshake Protocol defines a set of cryptographic parameters maybe shared by multiple SSL connections (renegotiating can be onerous) stateful SSL connection a transient, peer-to-peer, communications link associated with 1 SSL session stateful 20

21 parameters defining session state Session identifier arbitrary byte sequence chosen by the server to identify an active or resumable session state Peer certificate X509.v3 certificate of the peer. This element of the state may be null Compression method The algorithm used to compress data prior to encryption. 21

22 parameters defining session state Cipher spec Specifies the bulk data encryption algorithm (such as null, DES, etc.) and hash algorithm (such as MD5 or SHA-l) used for MAC calculation. It also defines cryptographic attributes such as the hash_size. Master secret 48-byte secret shared between the client and server. Is resumable flag indicating whether the session can be used to initiate new connections. 22

23 parameters defining connection state Server and client random Byte sequences that are chosen by the server and client for each connection. Server write MAC secret The secret key used in MAC operations on data sent by the server Client write MAC secret The secret key used in MAC operations on data sent by the client. Server write key The conventional encryption key for data encrypted by the server and decrypted by the client 23

24 parameters defining connection state Client write key The conventional encryption key for data encrypted by the client and decrypted by the server. Initialization vectors When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key. This field is first initialized by the SSL Handshake Protocol. Thereafter the final ciphertext block from each record is preserved for use as the IV with the following record 24

25 parameters defining connection state Sequence numbers Each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero. Sequence numbers may not exceed

26 SSL Record Protocol two main services confidentiality using symmetric encryption with a shared secret key defined by Handshake Protocol IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 message is compressed before encryption message integrity using a MAC with shared secret key similar to HMAC but with different padding 26

27 SSL - Record Protocol 27

28 Authentication: MAC Similar to HMAC (uses concatenation instead of EXOR) Hash(MAC_secret_key pad2 hash(mac_secret_key pad1 seqnum SSLcompressed.type SSLcompressed.length SSLcompressed.fragment)) pad1=0x36 repeated 48 times (MD5); 40 times (SHA-1) pad2=0x5c repeated SSLcompressed.type = high level protocol used to process segment 28

29 encoding methods segment into blocks of 2 14 = bytes compression (optional): must be no lossy and must guarantee to reduce pack size default in SSLv3 : no compression MAC computation (see previous slide) on compressed data several (symmetric) encryption methods: block ciphers: IDEA (128) RC2-40, DES-40, DES (56), 3DES (168), Stream Cipher: RC4-40, RC4-128 Smart card: Fortezza 29

30 SSL - record fields of the header 30

31 fields Content Type (8 bits) The higher layer protocol used to process the enclosed fragment (change_cipher_spec, alert, handshake, and application_data. The first three are the SSL-specific protocols; no distinction is made among the various applications (e.g., HTTP) that might use SSL) Major Version (8 bits) Indicates major version of SSL in use. For SSLv3, the value is 3 Minor Version (8 bits) Indicates minor version in use. For SSLv3, the value is O Compressed Length (16 bits) The length in bytes of the plaintext fragment (or compressed fragment if compression is used). 31

32 SSL - Payload 32

33 SSL Change Cipher Spec Protocol one of 3 SSL specific protocols which use the SSL Record protocol a single message to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection usually sent just after handshaking 33

34 SSL Alert Protocol conveys SSL-related alerts to peer entity severity two possibilities: warning or fatal (close connection) specific alert fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown compressed & encrypted like all SSL data 34

35 SSL Handshake Protocol Most complex part of SSL allows server & client to: authenticate each other to negotiate encryption & MAC algorithms to negotiate cryptographic keys to be used comprises a series of messages in phases Establish Security Capabilities Server Authentication and Key Exchange Client Authentication and Key Exchange Finish 35

36 SSL Handshake Protocol 36

37 Handshake protocol 4 steps 1. Hello: determine security capabilities 2. Server sends certificate, asks for certificate and starts exchange session keys 3. Client sends certificate and continues exchanges of keys 4. End of handshake protocol: encoded methods changes Note: some requests are optional clear separation between handshake and the rest (to avoid attacks) 37

38 Handshake: parameters message type Hello-request Client-hello Server_hello Certificate Server_key_exchange Certificate_request Server_done Certificate_verify Client_key_exchange Finished null parameters version, 32-bit timestamp + 28 random bytes (nonce, i.e. number used once), sessionid, cipher suite and compression method <same as Client_hello> X.509v3 chain of certificates info, signature of mess. type of cert., authority null signature of certificate info, signature of mess. hash of all exchanged messages (integrity of handshake CNS & protocol) SiReSI 38

39 Handshake Protocol - step 1 Initialization : Client_hello: client to server Version = highest SSL version used by client 32-bit timestamp + 28 bytes random (a pseudo number generator is required) sessionid: = 0 new connection in new session; 0 update previous connection Cipher suite: list that contains the combinations of cryptographic algorithms supported by the client, in decreasing order of preference. Each element of the list (each cipher suite) defines both a key exchange algorithm and a CipherSpec. Compression algorithms: ordered sequence of acceptable algorithms : Server_hello: server to client ack all above (if sessionid of client = 0 generates new sessionid) 39

40 Cipher suite Algorithms for key exchange RSA : session key is encoded with server public key Diffie-Hellman (several versions) Fixed Ephemeral Anonymous Fortezza CipherSpec Crypto algorithm (either a stream algo or a block algo) MAC algorithm Hash (in byte): 0, 16 (for MD5), 20 (for SHA-1) Key material info used to generate session keys Info for initializing CBC (initial vector) 40

41 Fixed Diffie-Hellman Diffie-Hellman key exchange in which server's certificate contains Diffie-Hellman public parameters signed by the certificate authority (CA). Client provides its Diffie-Hellman public key parameters either in a certificate, if client authentication is required, or in a key exchange message. This method results in a fixed secret key between two peers, based on the Diffie- Hellman calculation using the fixed public keys. 41

42 Ephemeral Diffie-Hellman Used to create ephemeral (temporary, onetime) secret keys. In this case, the Diffie- Hellman public keys are exchanged, signed using the sender's private RSA or DSS key. The receiver can use the corresponding public key to verify the signature. Certificates are used to authenticate the public keys. This would appear to be the most secure of the three Diffie-Hellman options because it results in a temporary, authenticated key. 42

43 Anonymous Diffie-Hellman The base Diffie-Hellman algorithm is used, with no authentication. Each side sends its public Diffie- Hellman parameters to the other, with no authentication. This approach is vulnerable to man-in-the-middle attacks, in which the attacker conducts anonymous Diffie-Hellman with both parties. 43

44 Handshake Protocol - step 2 Server authentication and key exchange Server to client Certificate: X.509 certificate chain (optional) Server_key_exchange (optional) a signature is created by taking the hash of a message and encrypting it with the sender's private key. In this case the hash is defined as hash(clienthello.random ServerHello.random ServerParams) So the hash covers also the two nonces from the initial hello messages. Certificate_request: (optional) Server_hello_done: I am done and I wait for answers 44

45 Certificate message The server begins this phase by sending its certificate, if it needs to be authenticated; the message contains one or a chain of X.509 certificates. The certificate message is required for any agreed-on key exchange method except anonymous Diffie-Hellman. If fixed Diffie-Hellman is used, this certificate message functions as the server's key exchange message because it contains the server's public Diffie- Hellman parameters. 45

46 server_key_exchange not needed A server_key_exchange message is not required in two instances: (1) The server has sent a certificate with fixed Diffie-Hellman parameters, or (2) RSA key exchange is to be used. 46

47 server_key_exchange needed Anonymous Diffie-Hellman. Message content consists of the two global D.H. values (a prime number and a primitive root of that number) plus the server's public D.H. key Ephemeral Diffie-Hellman. Message content includes the three D.H. parameters provided for anonymous D.H. plus a signature of those parameters. RSA key exchange, in which the server is using RSA but has a signature-only RSA key. Server creates a temporary RSA public/private key pair and use server_key_exchange message to send public key. Message content includes the two parameters of the temporary RSA public key (exponent and modulus) plus a signature of those parameters. 47

48 Handshake Protocol - step 3 Client authentication Client verifies server certificates and parameters Client to server Client Certificate and info to verify it: (if asked) Message for key exchange (Client_key_exchange) 48

49 Handshake Protocol - step 4 End: go to next phase, cipher_spec Client to server Message: Change_cipher_spec Finished message under new algorithms, keys (new cipher_spec) Server sends back Message: Change_cipher_spec Finished message under new algorithms, keys (new cipher_spec) 49

50 SSL & TLS IETF standard RFC 2246 similar to SSLv3 with minor differences in record format version number uses HMAC for MAC a pseudo-random function expands secrets has additional alert codes some changes in supported ciphers changes in certificate negotiations changes in use of padding 50

51 Paying in the Web: SSL SSL and credit card are used for paying simple no need of specialized software compliant with credit card mechanisms most used method for paying in the web Problems malicious sellers have info on clients clients can in principle refuse to pay (there is no signature) many disputes (20%- 60%) expensive method for the shop 51

52 Secure Electronic Transactions (SET) open encryption & security specification to protect Internet credit card transactions developed in 1996 by Mastercard, Visa etc not a payment system rather a set of security protocols & formats secure communications amongst parties trust from use of X.509v3 certificates privacy by restricted info to those who need it 52

53 components 1 Cardholder: Purchasers interact with merchants from personal computers over the Internet. A cardholder is an authorized holder of a payment card (e.g., MasterCard, Visa) that has been issued by an issuer. Merchant: Person/organization that has goods or services to sell to cardholders, offered via a Web site or by electronic mail. A merchant that accepts payment cards must have a relationship with an acquirer. 53

54 components 2 Issuer: Financial institution that provides the cardholder with the payment card. Ultimately, it is the issuer that is responsible for the payment of the debt of the cardholder. Acquirer: Financial institution that establishes an account with a merchant and processes authorizations (card account must be active and proposed purchase does not exceed credit limit) and payments (electronic transfer of payments to merchant's account). Subsequently, acquirer is reimbursed by issuer over some sort of payment network for electronic funds transfer. 54

55 components 3 Payment gateway: Function operated by acquirer or a designated third party that processes merchant payment messages. It interfaces between SET and the existing bankcard payment networks for authorization and payment functions. The merchant exchanges SET messages with the payment gateway over the Internet, while the payment gateway has some direct or network connection to the acquirer's financial processing system. Certification authority (CA): Entity that is trusted to issue X.509v3 public-key certificates for cardholders, merchants and payment gateways. A hierarchy of CAs is used, so that participants need not be directly certified by a root authority. 55

56 SET Components 56

57 SET Transaction 1. customer opens account 2. customer receives a certificate 3. merchants have their own certificates 4. customer places an order 5. merchant is verified 6. order and payment are sent 7. merchant requests payment authorization 8. merchant confirms order 9. merchant provides goods or service 10.merchant requests payment 57

58 transactions 1 1. The customer opens an account. Customer obtains credit card account (e.g., MasterCard or Visa) with a bank that supports electronic payment and SET. 2. The customer receives a certificate. After suitable verification of identity, customer receives an X509v3 digital certificate, signed by the bank. Certificate verifies the customer's RSA public key and its expiration date. It also establishes a relationship, guaranteed by the bank, between customer's key pair and credit card. 58

59 transactions 2 3. Merchants have their own certificates. Merchant accepting a brand of card must be in possession of two certificates for two public keys owned by the merchant: one for signing messages, and one for key exchange. The merchant also needs a copy of the payment gateway's public-key certificate. 4. Customer places order. Customer (possibly) browses through merchant's Web site to select items and see prices. Customer then sends list of items to be purchased to the merchant, who returns an order form containing the list of items, their price, a total price, and an order number. 59

60 transactions 3 5. Merchant is verified. Merchant also sends a copy of its certificate, so that customer can verify about dealing with a valid store. 6. Order and payment are sent. Customer sends both order and payment information to merchant, along with certificate. Order confirms the purchase of the items in the order form. Payment contains credit card details. Payment information is encrypted and cannot be read by merchant. 7. Merchant requests payment authorization. Merchant sends payment information to payment gateway, requesting authorization. 60

61 transactions 4 8. Merchant confirms the order. Merchant sends confirmation of the order to customer. 9. Merchant provides the goods or service. Merchant ships the goods or provides the service to customer. 10.Merchant requests payment. Request is sent to the payment gateway, which handles all of the payment processing. 61

62 Dual Signature customer creates dual messages order information (OI) for merchant payment information (PI) for bank neither party needs details of other but must know they are linked use a dual signature for this signed concatenated hashes of OI & PI 62

63 dual signature schema 63

64 SET transaction types 1/4 transaction type Cardholder registration Merchant registration Purchase request Payment authorization Payment capture info Cardholders must register with a CA before they can send SET messages to merchants. Merchants must register with a CA before they can exchange SET messages with customers and payment gateways. Message from customer to merchant containing OI for merchant and PI for bank. Exchange between merchant and payment gateway to authorize a given amount for a purchase on a given credit card account. Allows the merchant to request payment from the payment gateway. 64

65 SET transaction types 2/4 transaction type Certificate inquiry and status Purchase inquiry info If the CA is unable to complete the processing of a certificate request quickly, it will send a reply to the cardholder or merchant indicating that the requester should check back later. The cardholder or merchant sends the Certificate Inquiry message to determine the status of the certificate request and to receive the certificate if the request has been approved. Allows the cardholder to check the status of the processing of an order after the purchase response has been received. Note that this message does not include information such as the status of backordered goods but does indicate the status of authorization, capture, and credit processing. 65

66 SET transaction types 3/4 transaction type Authorization reversal Capture reversal Credit info Allows a merchant to correct previous authorization requests. If the order will not be completed, the merchant reverses the entire authorization. If part of the order will not be completed, the merchant reverses part of the amount of the authorization. Allows a merchant to correct errors in capture requests such as transaction amounts that were entered incorrectly by a clerk. Allows a merchant to issue a credit to a cardholder's account such as when goods are returned or were damaged during shipping. Note that the SET Credit message is airways initiated by the merchant, not the cardholder. All communications between the cardholder and merchant that result in a credit being processed happen outside of SET. 66

67 SET transaction types 4/4 transaction type Credit reversal Payment gateway request Batch administration Error message info Allows a merchant to correct a previously request credit. Allows a merchant to query the payment gateway and receive a copy of the gateway's current key exchange and signature certificates. Allows a merchant to communicate information to the payment gateway regarding merchant batches. Indicates that a responder rejects a message because it fails format or content verification tests. 67

68 Purchase Request Customer needed for verification merchant doesn t know K S generated by customer 68

69 Purchase Request Merchant 69

70 Purchase Request Merchant 1. verifies cardholder certificates using CA sigs 2. verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key 3. processes order and forwards the payment information to the payment gateway for authorization (see next) 4. sends a purchase response to cardholder 70

71 Payment Gateway Authorization 1. verifies all certificates 2. decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block 3. verifies merchant's signature on authorization block 4. decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block 5. verifies dual signature on payment block 6. verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer 7. requests & receives an authorization from issuer 8. sends authorization response back to merchant 71

72 Payment Capture merchant sends payment gateway a payment capture request gateway checks request then causes funds to be transferred to merchants account notifies merchant using capture response 72