Authenticity of Public Keys

Similar documents
Protocol Rollback and Network Security

Communication Systems SSL

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

Web Security: SSL/TLS

Web Security Considerations

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

Communication Security for Applications

Information Security

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

SSL Secure Socket Layer

CSC 474 Information Systems Security

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

Lecture 7: Transport Level Security SSL/TLS. Course Admin

CSC Network Security

SSL Secure Socket Layer

Chapter 17. Transport-Level Security

Overview. SSL Cryptography Overview CHAPTER 1

Security Protocols and Infrastructures. h_da, Winter Term 2011/2012

SECURE SOCKETS LAYER (SSL)

Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

Secure Socket Layer. Security Threat Classifications

Three attacks in SSL protocol and their solutions

Transport Level Security

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Chapter 7 Transport-Level Security

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Learning Network Security with SSL The OpenSSL Way

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Introduction to Cryptography

Network Security Essentials Chapter 5

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Transport Layer Security Protocols

SSL: Secure Socket Layer

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Certificates and network security

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Secure Sockets Layer

Secure Socket Layer (TLS) Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

SSL/TLS/X.509. Aggelos Kiayias

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

Institute of Computer Technology - Vienna University of Technology. L96 - SSL, PGP, Kerberos

The Secure Sockets Layer (SSL)

Client Server Registration Protocol

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

Binding Security Tokens to TLS Channels. A. Langley, Google Inc. D. Balfanz, Google Inc. A. Popov, Microsoft Corp.

TLS/SSL in distributed systems. Eugen Babinciuc

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

SSL A discussion of the Secure Socket Layer

CS 361S SSL/TLS. Vitaly Shmatikov. slide 1

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

SSL/TLS: The Ugly Truth

Security vulnerabilities in the Internet and possible solutions

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Using etoken for SSL Web Authentication. SSL V3.0 Overview

TLS-RSA-PSK. Channel Binding using Transport Layer Security with Pre Shared Keys

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

ISA 562 Information System Security

CS 3251: Computer Networking 1 Security Protocols I

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

The Beautiful Features of SSL And Why You Want to Use Them?

Software Engineering 4C03 Research Project. An Overview of Secure Transmission on the World Wide Web. Sean MacDonald

Chapter 10. Network Security

Network Security Part II: Standards

TLS and SRTP for Skype Connect. Technical Datasheet

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Lab 7. Answer. Figure 1

SSL/TLS. What Layer? History. SSL vs. IPsec. SSL Architecture. SSL Architecture. IT443 Network Security Administration Instructor: Bo Sheng

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Chapter 11 Security Protocols. Network Security Threats Security and Cryptography Network Security Protocols Cryptographic Algorithms

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Network Security Standards. Key distribution Kerberos SSL/TLS

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

What is network security?

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Savitribai Phule Pune University

Computer and Network Security

Transport Layer Security (TLS)

Web Security. Mahalingam Ramkumar

Security Protocols/Standards

Chapter 8. Network Security

Network Security - Secure upper layer protocols - Background. Security. Question from last lecture: What s a birthday attack? Dr.

Cornerstones of Security

SSL Protect your users, start with yourself

Lecture 4: Transport Layer Security (secure Socket Layer)

Should You Trust the Padlock? Web Security and the HTTPS Value Chain. Keeping Current 20 November 2013 Ken Calvert

Security. Learning Objectives. This module will help you...

T Cryptography and Data Security

mod_ssl Cryptographic Techniques

CS 758: Cryptography / Network Security

Cryptography and Network Security IPSEC

Transcription:

SSL/TLS EJ Jung 10/18/10 Authenticity of Public Keys Bob s key? private key Bob public key Problem: How does know that the public key she received is really Bob s public key?

Distribution of Public Keys! Public announcement or public directory Risks: forgery and tampering! Public-key certificate Signed statement specifying the key and identity sig ( Bob, PK B )! Common approach: certificate authority (CA) Single agency responsible for certifying public keys After generating a private/public key pair, user proves his identity and knowledge of the private key to obtain CA s certificate for the public key (offline) Every computer is pre-configured with CA s public key Using Public-Key Certificates Authenticity of public keys is reduced to authenticity of one key (CA s public key)

Hierarchical Approach! Single CA certifying every public key is impractical! Instead, use a trusted root authority For example, Verisign Everybody must know the public key for verifying root authority s signatures! Root authority signs certificates for lower-level authorities, lower-level authorities sign certificates for individual networks, and so on Instead of a single certificate, use a certificate chain sig Verisign ( UI, PK UI ), sig UI ( EJ Jung, PK E ) What happens if root authority is ever compromised? Alternative: Web of Trust! Used in PGP (Pretty Good Privacy)! Instead of a single root certificate authority, each person has a set of keys they trust If public-key certificate is signed by one of the trusted keys, the public key contained in it will be deemed valid! Trust can be transitive Can use certified keys for further certification sig ( Friend, Friend s key) sig Friend ( FoaF, FoaF s key) I trust Friend of Friend of friend Bob

X.509 Authentication Service! ITU-T standard! Specifies certificate format X.509 certificates are used in IPSec and SSL/TLS! Specifies certificate directory service For retrieving other users CA-certified public keys! Specifies a set of authentication protocols For proving identity using public-key signatures! Does not specify crypto algorithms Can use it with any digital signature scheme and hash function, but hashing is required before signing X.509 Version 1, sig (Time, Bob, encrypt PublicKey(Bob) (message)) Bob! Encrypt, then sign for authenticated encryption Goal: achieve both confidentiality and authentication E.g., encrypted, signed password for access control! Does this work?

Attack on X.509 Version 1 Attacker extracts encrypted password and replays it under his own signature, sig (Time, Bob, encrypt PublicKey(Bob) (password)) Charlie, sig Charlie (Time Charlie, Bob, encrypt PublicKey(Bob) (password)) Bob! Receiving encrypted password under signature does not mean that the sender actually knows the password!! Proper usage: sign, then encrypt Denning-Sacco Protocol, Bob Certificate server cert, cert Bob I m, cert, cert Bob, encrypt PublicKey(Bob) (sig (Time, K AB )) Bob! Goal: establish a new shared key K AB with the help of a trusted certificate service

Attack on Denning-Sacco Nothing in this signature says that it was sent to Bob! I m, cert, cert Bob, encrypt PublicKey(Bob) (sig (Time, K AC )) I m, cert, cert Charlie, encrypt PublicKey(Charlie) ( sig (Time, K AC )) Bob (with an evil side) Charlie! s signature is insufficiently explicit Does not say to whom and why it was sent! s signature can be used to impersonate her Authentication with Public Keys PRIVATE KEY I am PUBLIC KEY fresh random challenge C sig (C) Bob Verify s signature on c!" Only can create a valid signature #" Signature is on a fresh, unpredictable challenge Potential problem: will sign anything

Mafia-in-the-Middle Attack [from Anderson s book] PRIVATE KEY K customer Picture 143! Prove your age by signing X sig K (x) XXX Adult entertainment Over 21 only! Mafia porn site Buy 10 gold coins Sign X sig K (x) Bank Early Version of SSL (Simplified) encrypt PublicKey(Bob) (, K AB ) fresh session key fresh random number encrypt K AB (N B ) encrypt K AB (, sig (N B )) Bob! Bob s reasoning: I must be talking to because Whoever signed N B knows s private key Only knows her private key must have signed N B N B is fresh and random and I sent it encrypted under K AB could have learned N B only if she knows K AB She must be the person who sent me K AB in the first message...

Breaking Early SSL encrypt PK(Charlie) (,K AC ) encrypt PK(Bob) (,K CB ) encrypt K AC (N B ) encrypt K CB (N B ) enc K AC (, sig (N B )) encrypt Charlie K CB (, sig (N B )) (with an evil side) Bob! Charlie uses his legitimate conversation with to impersonate to Bob Information signed by is not sufficiently explicit What is SSL / TLS?! Transport Layer Security protocol, version 1.0 De facto standard for Internet security The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications In practice, used to protect information transmitted between browsers and Web servers! Based on Secure Sockets Layers protocol, ver 3.0 Same protocol design, different algorithms! Deployed in nearly every Web browser slide 17

SSL / TLS in the Real World slide 18 Application-Level Protection application email, Web, NFS presentation session transport network data link physical RPC TCP IP 802.11 Protects againt application-level threats (e.g.,server impersonation), NOT against IP-level threats (spoofing, SYN flood, DDoS by data flood) slide 19

History of the Protocol! SSL 1.0 Internal Netscape design, early 1994? Lost in the mists of time! SSL 2.0 Published by Netscape, November 1994 Several weaknesses! SSL 3.0 Designed by Netscape and Paul Kocher, November 1996! TLS 1.0 Internet standard based on SSL 3.0, January 1999 Not interoperable with SSL 3.0 TLS uses HMAC instead of MAC; can run on any port slide 20 Request for Comments! Network protocols are usually disseminated in the form of an RFC! TLS version 1.0 is described in RFC 2246! Intended to be a self-contained definition of the protocol Describes the protocol in sufficient detail for readers who will be implementing it and those who will be doing protocol analysis Mixture of informal prose and pseudo-code slide 21

Evolution of the SSL/TLS RFC slide 22 TLS Basics! TLS consists of two protocols Familiar pattern for key exchange protocols! Handshake protocol Use public-key cryptography to establish a shared secret key between the client and the server! Record protocol Use the secret key established in the handshake protocol to protect communication between the client and the server! We will focus on the handshake protocol slide 23

TLS Handshake Protocol! Two parties: client and server! Negotiate version of the protocol and the set of cryptographic algorithms to be used Interoperability between different implementations of the protocol! Authenticate client and server (optional) Use digital certificates to learn each other s public keys and verify each other s identity! Use public keys to establish a shared secret slide 24 Handshake Protocol Structure ClientHello C [Certificate], ClientKeyExchange, [CertificateVerify] ServerHello, [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone S Finished switch to negotiated cipher Record of all sent and received handshake messages switch to negotiated cipher Finished slide 25

ClientHello ClientHello C Client announces (in plaintext): Protocol version he is running Cryptographic algorithms he supports S slide 26 ClientHello (RFC) struct { ProtocolVersion client_version; Random random; SessionID session_id; CipherSuite cipher_suites; CompressionMethod compression_methods; } ClientHello Session id (if the client wants to resume an old session) Highest version of the protocol supported by the client Set of cryptographic algorithms supported by the client (e.g., RSA or Diffie-Hellman) slide 27

ServerHello C, Version c, suite c, N c ServerHello C Server responds (in plaintext) with: Highest protocol version supported by both client and server Strongest cryptographic suite selected from those offered by the client S slide 28 ServerKeyExchange C, Version c, suite c, N c Version s, suite s, N s, ServerKeyExchange C Server sends his public-key certificate containing either his RSA, or his Diffie-Hellman public key (depending on chosen crypto suite) S slide 29

ClientKeyExchange C, Version c, suite c, N c C ClientKeyExchange Version s, suite s, N s, sig ca (S,K s ), ServerHelloDone S Client generates some secret key material and sends it to the server encrypted with the server s public key (if using RSA) slide 30 ClientKeyExchange (RFC) struct { select (KeyExchangeAlgorithm) { case rsa: EncryptedPreMasterSecret; case diffie_hellman: ClientDiffieHellmanPublic; } exchange_keys } ClientKeyExchange struct { ProtocolVersion client_version; opaque random[46]; } PreMasterSecret Random bits from which symmetric keys will be derived (by hashing them with nonces) slide 31

Core SSL 3.0 Handshake C, Version c =3.0, suite c, N c C {Secret c } Ks Version s =3.0, suite s, N s, sig ca (S,K s ), ServerHelloDone S If the protocol is correct, C and S share some secret key material (secret c ) at this point switch to key derived from secret c, N c, N s switch to key derived from secret c, N c, N s slide 32 Version Rollback Attack C, Version c =2.0, suite c, N c C Server is fooled into thinking he is communicating with a client who supports only SSL 2.0 {Secret c } Ks Version s =2.0, suite s, N s, sig ca (S,K s ), ServerHelloDone S C and S end up communicating using SSL 2.0 (weaker earlier version of the protocol that does not include Finished messages) slide 33

SSL 2.0 Weaknesses (Fixed in 3.0)! Cipher suite preferences are not authenticated Cipher suite rollback attack is possible! Weak MAC construction! SSL 2.0 uses padding when computing MAC in block cipher modes, but padding length field is not authenticated Attacker can delete bytes from the end of messages! MAC hash uses only 40 bits in export mode! No support for certificate chains or non-rsa algorithms, no handshake while session is open slide 34 Chosen-Protocol Attacks! Why do people release new versions of security protocols? Because the old version got broken!! New version must be backward-compatible Not everybody upgrades right away! Attacker can fool someone into using the old, broken version and exploit known vulnerability Similar: fool victim into using weak crypto algorithms! Defense is hard: must authenticate version early! Many protocols had version rollback attacks SSL, SSH, GSM (cell phones) slide 35

Version Check in SSL 3.0 C, Version c =3.0, suite c, N c C Embed version number into secret {Version c,secret c } Ks Version s =3.0, suite s, N s, sig ca (S,K s ), ServerHelloDone Check that received version is equal to the version in ClientHello S If the protocol is correct, C and S share some secret key material secret c at this point switch to key derived from secret c, N c, N s switch to key derived from secret c, N c, N s slide 36 SSL/TLS Record Protection Use symmetric keys established in handshake protocol slide 37

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information