SSL/TLS. What Layer? History. SSL vs. IPsec. SSL Architecture. SSL Architecture. IT443 Network Security Administration Instructor: Bo Sheng



Similar documents
Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

CSC 474 Information Systems Security

CSC Network Security

Web Security Considerations

Communication Systems SSL

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

The Secure Sockets Layer (SSL)

Communication Security for Applications

SECURE SOCKETS LAYER (SSL)

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Transport Layer Security Protocols

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

SECURE SOCKETS LAYER (SSL) SECURE SOCKETS LAYER (SSL) SSL ARCHITECTURE SSL/TLS DIFFERENCES SSL ARCHITECTURE. INFS 766 Internet Security Protocols

Network Security Part II: Standards

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

SSL Secure Socket Layer

Secure Socket Layer. Security Threat Classifications

SSL Secure Socket Layer

Chapter 7 Transport-Level Security

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

Chapter 17. Transport-Level Security

Network Security Essentials Chapter 5

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

Secure Sockets Layer

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Transport Level Security

Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Lecture 7: Transport Level Security SSL/TLS. Course Admin

ISA 562 Information System Security

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Lecture 10: Communications Security

Chapter 27 Secure Sockets Layer (SSL)

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Chapter 51 Secure Sockets Layer (SSL)

Chapter 34 Secure Sockets Layer (SSL)

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Security Protocols and Infrastructures. h_da, Winter Term 2011/2012

As enterprises conduct more and more

Lecture 4: Transport Layer Security (secure Socket Layer)

TLS and SRTP for Skype Connect. Technical Datasheet

SSL A discussion of the Secure Socket Layer

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security Protocols/Standards

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol

Authenticity of Public Keys

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Chapter 10. Network Security

SSL Handshake Analysis

Protocol Rollback and Network Security

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Einführung in SSL mit Wireshark

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

SSL: Secure Socket Layer

, ) I Transport Layer Security

Three attacks in SSL protocol and their solutions

Configuring Security Features of Session Recording

TLS handshake method based on SIP

Transport Layer Security (TLS)

Vulnerabilità dei protocolli SSL/TLS

Standards and Products. Computer Security. Kerberos. Kerberos

Embedded SSL. Christophe Kiennert, Pascal Urien. Embedded SSL - Christophe Kiennert, Pascal Urien 1

Lecture 9 - Network Security TDTS (ht1)

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Computer and Network Security

Information Security

Network Security Protocols

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

TLS/SSL in distributed systems. Eugen Babinciuc

T Cryptography and Data Security

Chapter 32 Internet Security

Web Security. Mahalingam Ramkumar

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Network Security. Lecture 3

Overview. SSL Cryptography Overview CHAPTER 1

Network Security - Secure upper layer protocols - Background. Security. Question from last lecture: What s a birthday attack? Dr.

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

Computer Networks. Secure Systems

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

Binding Security Tokens to TLS Channels. A. Langley, Google Inc. D. Balfanz, Google Inc. A. Popov, Microsoft Corp.

, SNMP, Securing the Web: SSL

Chapter 9. IP Secure

Lecture 17 - Network Security

Application Note: Onsight Device VPN Configuration V1.1

ETSF10 Part 3 Lect 2

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

Transcription:

What Layer? /TLS IT443 Network Security Administration Instructor: Bo Sheng Application TCP IPSec IP LAN layer Application TCP IP LAN layer 1 2 History v2 proposed and deployed in Netscape 1.1 (1995) PCT (Private Communications Technology) by Microsoft v3: most commonly used (1995) was developed with public review TLS proposed by the IETF based on v3 but not compatible (1996) Uses patent free DH and DSS instead of RSA which patent didn t expire yet vs. IPsec : Avoids modifying TCP stack and requires minimum changes to the application Mostly used to authenticate servers IPsec Transparent to the application and requires modification of the network stack Authenticates network nodes and establishes a secure channel between nodes Application still needs to authenticate the users 3 4 Handshake Protocol Architecture HTTP and other applications Change Cipher Protocol Alert Protocol Record Protocol TCP IP API Architecture Handshake protocol: establishment of a session key Change Cipher protocol: start using the previouslynegotiated encryption / message authentication Alert protocol: notification (warnings or fatal exceptions) Record protocol: protected (encrypted, authenticated) communication between client and server Relies on TCP for reliable communication 5 6 1

Connections and Sessions Session an association between peers created through a handshake, negotiates security parameters, can be long-lasting Connection a type of service (i.e., an application) between a client and a server transient Multiple connections can be part of a single session Basic Protocols Goal: application independent security Originally for HTTP, but now used for many applications Each application has an assigned TCP port, e.g., https (HTTP over ) uses port 443 Messages A -> B: I want to talk, ciphers I support, R A B -> A: certificates, cipher I choose, R B A -> B: {S} B+, {keyed hash of handshake msgs} B -> A: {keyed hash of handshake msgs} A <-> B: data encrypted and integrity checked with keys derived from K Keyed hashes use K = f(s, R A, R B ) 7 8 Basic Protocols How do you make sure that keyed hash in message 3 is different from B s response? Include a constant CLNT/client finished (in /TLS) for A and SRVR/server finished for B Keyed hash is sent encrypted and integrity protected for no real reason Keys: derived by hashing K and R A and R B 3 keys in each direction: encryption, integrity and IV Write keys (to send: encrypt, integrity protect) Read keys (to receive: decrypt, integrity check) Session Resumption Many secure connections can be derived from the session Cheap: how? Session initiation: modify message 2 B -> A: session_id, certificate, cipher, R B A and B remember: (session_id, master key) To resume a session: A presents the session_id in message 1 A -> B: session_id, ciphers I support, R A B -> A: session_id, cipher I choose, R B, {keyed hash of handshake msgs} A -> B: {keyed hash of handshake msgs} A <-> B: data encrypted and integrity checked with keys derived from K 9 10 Negotiating Cipher Suites A cipher suite is a complete package: (encryption algorithm, key length, integrity checksum algorithm, etc.) Cipher suites are predefined: Each assigned a unique value (contrast with IKE) v2: 3 bytes, v3: 2 bytes => up to 65000 combinations 30 defined, 256 reserved for private use: FFxx (risk of non-interoperability) Record Protocol Selection decision: In v3 A proposes, B chooses In v2 A proposes, B returns acceptable choices, and A chooses Suite names examples: _RSA_EXPORT_WITH_DES40_CBC_SHA 2_RC4_128_WITH_MD5 11 12 2

Encrypted Protocol Steps 1. Fragment data stream into records each with a maximum length of 2 14 (=16K) bytes 2. Compress each record 3. Create message authentication code for each record 4. Encrypt each record Application Data Fragment Compress Add MAC Encrypt Add Hdr Protocol Steps 13 14 Record Format Record Type Version Payload Length Application Data (optionally compressed) Handshake Protocol Optional MAC (16 or 20 bytes) There is, unfortunately, some version number silliness between v2 and v3; see text for (ugly) details 15 16 Phases of Protocol I. Establish security capabilities version of to use cipher + parameters to use All the Messages II. III. IV. Authenticate server (optional), and perform key exchange Authenticate client (optional), and perform key exchange Finish up 17 18 3

I. Establish Security Capabilities Messages marked with * are mandatory _Hello Message Transmitted in plaintext Contents highest version understood by client R C : a 4-byte timestamp + 28-byte random number session ID: 0 for a new session, non-zero for a previous session list of supported cryptographic algorithms list of supported compression methods 19 20 _Hello Message Also transmitted in plaintext II. Auth. / Key Exchange Contents minimum of (highest version supported by server, highest version supported by client) R S : 4-byte timestamp and 28-byte random number session ID a cryptographic choice selected from the client s list a compression method selected from the client s list The _Certificate message is optional, but almost always used in practice 21 22 _Certificate Message Contains a certificate with server s public key, in X.509 format or, a chain of certificates if required Authenticating the source: sun.com The server certificate is necessary for any key exchange method except for anonymous Diffie-Hellman Step #4: Domain name in certificate must match domain name of server (not part of protocol, but clients should check this) 23 24 4

_Certificate_Request Msg. III. Auth. / Key Exchange Normally not used, because in most applications only the server is authenticated client is authenticated at the application layer, if needed Two parameters certificate type accepted, e.g., RSA/signature only, DSS/signature only, list of certificate authorities recognized (i.e., trusted third parties) _Certificate_Verify Msg Proves the client is the valid owner of a certificate (i.e., knows the corresponding private key) IV. Finish Up Only sent following any client certificate that has signing capability Switch to the negotiated cipher for all remaining (application) messages 27 28 Change_Cipher_Spec Msg Confirms the change of the current state of the session to a newly-negotiated set of cryptographic parameters Finished Messages keyed hash of the previous handshake messages to prevent man-in-the-middleattacks from succeeding Alert Protocol Examples Type 1: Warning ex.: No_Certificate, Close_Notify Type 2: Fatal_Alert ex.: Unexpected_Message, Bad_MAC, etc. connection is immediately terminated 29 30 5

Summary 1. is the de facto authentication/encryption protocol standard for HTTP becoming popular for many other protocols as well 2.Allows negotiation of cryptographic methods and parameters 31 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information