Secure Socket Layer / Transport Layer Security (SSL/TLS)
David Sánchez, Universitat Pompeu Fabra
World Wide Web (WWW)
- Client/server services running over the Internet or TCP/IP intranets
- Widely used by business, government, individuals
- http://news.netcraft.com/archives/2003/04/09/netcraft_ssl_survey.html
- Internet & Web are vulnerable
Some Web Threats
Web Security Approaches
TLS Client/Server Model
SSL Introduction
- Transport layer security service
- Originally developed by Netscape
- SSLv3 designed with public review and industry input
- Subsequently became an Internet standard known as TLS
SSL Goals
- Cryptographic security
- Interoperability
- Extensibility
- Relative efficiency
SSL Security Services
- Server authentication
- Client authentication, or anonymous (for anonymous servers)
- Data integrity
- Data confidentiality
SSL Protocol Stack
SSL Key Concepts
- SSL session
  - an association between client & server
  - created by the Handshake Protocol
  - defines a set of cryptographic parameters
  - may be shared by multiple SSL connections
- SSL connection
  - a transient, peer-to-peer communications link
  - associated with 1 SSL session
Session Parameters
- Session identifier
- Peer certificate
- Compression method
- Cipher spec
- Master secret
- Is resumable
Connection Parameters
- Server and client random
- Server write MAC secret
- Client write MAC secret
- Server write key
- Client write key
- Initialization vectors
- Sequence numbers
Keying Material
- Client/server: PU (public key) certificate, PR (private key)
- Pre-master secret S
- Master secret K
- Connection: IVs, MAC keys and encryption keys
SSL Record Protocol Services
- Message integrity
  - using a MAC with a shared secret key
  - similar to HMAC but with different padding
- Confidentiality
  - using symmetric encryption with a shared secret key defined by the Handshake Protocol
  - AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
  - message is compressed before encryption
SSL Record Protocol Operation
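The record-layer MAC is where the slide's "similar to HMAC but with different padding" remark becomes concrete. The following is an added example, not code from the slides: it computes the SSLv3 record MAC (hash of key || pad_2 || hash(key || pad_1 || seq_num || type || length || fragment), with pad_1 = 0x36 and pad_2 = 0x5c repeated 48 times for MD5 or 40 times for SHA-1) next to the TLS 1.0 record MAC (a real HMAC over seq_num || type || version || length || fragment), and shows why the sequence number matters for replay detection. The MAC secret, sequence numbers and fragment are constructed values.

```python
import hashlib
import hmac
import struct

# SSLv3 pads: unlike HMAC, the key is simply concatenated with the pad bytes
# instead of being zero-padded to the hash block size and XORed with ipad/opad.
PAD1 = b"\x36"
PAD2 = b"\x5c"
PAD_LEN = {"md5": 48, "sha1": 40}

CONTENT_TYPE_APPLICATION_DATA = 23
TLS10_VERSION = 0x0301


def sslv3_record_mac(mac_secret: bytes, seq_num: int, content_type: int,
                     fragment: bytes, hash_name: str = "sha1") -> bytes:
    """SSLv3 record MAC (no protocol version in the MAC input)."""
    n = PAD_LEN[hash_name]
    header = struct.pack(">QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, mac_secret + PAD1 * n + header + fragment).digest()
    return hashlib.new(hash_name, mac_secret + PAD2 * n + inner).digest()


def tls10_record_mac(mac_secret: bytes, seq_num: int, content_type: int,
                     version: int, fragment: bytes, hash_name: str = "sha1") -> bytes:
    """TLS 1.0 (RFC 2246) record MAC: HMAC over seq || type || version || length || fragment."""
    header = struct.pack(">QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_name).digest()


def mac_matches(received_mac: bytes, computed_mac: bytes) -> bool:
    """Constant-time comparison, as a receiver should do before accepting a record."""
    return hmac.compare_digest(received_mac, computed_mac)


def demo() -> dict:
    """Constructed values: a 20-byte MAC secret, a record at sequence number 0."""
    mac_secret = bytes(range(20))
    fragment = b"GET / HTTP/1.0\r\n\r\n"

    ssl_mac = sslv3_record_mac(mac_secret, 0, CONTENT_TYPE_APPLICATION_DATA, fragment)
    tls_mac = tls10_record_mac(mac_secret, 0, CONTENT_TYPE_APPLICATION_DATA,
                               TLS10_VERSION, fragment)

    # A replayed record carries the same bytes but the receiver expects seq 1,
    # so the recomputed MAC no longer matches.
    replay_ok = mac_matches(
        tls_mac,
        tls10_record_mac(mac_secret, 1, CONTENT_TYPE_APPLICATION_DATA, TLS10_VERSION, fragment))

    # A single flipped byte in the fragment is likewise rejected.
    tampered = bytearray(fragment)
    tampered[0] ^= 0x01
    tamper_ok = mac_matches(
        tls_mac,
        tls10_record_mac(mac_secret, 0, CONTENT_TYPE_APPLICATION_DATA, TLS10_VERSION, bytes(tampered)))

    return {
        "sslv3_mac": ssl_mac,
        "tls10_mac": tls_mac,
        "replay_accepted": replay_ok,
        "tamper_accepted": tamper_ok,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```

The SSLv3 construction is a keyed hash with ad hoc padding; TLS 1.0 replaced it with HMAC (RFC 2104), which has a security proof and also binds the protocol version into the MAC input.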
SSL Handshake Protocol
- allows server & client to:
  - authenticate each other
  - negotiate encryption & MAC algorithms
  - negotiate the cryptographic keys to be used
- comprises a series of messages in 4 phases:
  1. Establish Security Capabilities
  2. Server Authentication and Key Exchange
  3. Client Authentication and Key Exchange
  4. Finish
SSL Handshake Protocol
SSL Change Cipher Spec Protocol
- a single message
- updates the cipher suite to be used for a connection after the handshake protocol
SSL Alert Protocol
- conveys SSL-related alerts to the peer entity
- Severity: Fatal, Warning
- Specific alerts
  - Fatal: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter
  - Warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
- compressed & encrypted like all SSL data
TLS
- TLS 1.0: IETF standard RFC 2246, similar to SSLv3
  - record format version number
  - uses HMAC for MAC
  - a pseudo-random function expands secrets
  - additional alert codes
  - some changes in supported ciphers
  - changes in certificate types & negotiations
  - changes in crypto computations & padding
- TLS 1.1: RFC 4346 (April 2006)
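The "pseudo-random function expands secrets" bullet, together with the Keying Material and Connection Parameters slides, describes how the pre-master secret S becomes the master secret K and then the per-connection MAC secrets, write keys and IVs. As an added example (not code from the slides), this implements the TLS 1.0 PRF of RFC 2246 section 5, P_MD5 XOR P_SHA-1 over the two halves of the secret, and uses it for the two derivations the RFC defines: master_secret = PRF(pre_master_secret, "master secret", client_random + server_random), 48 bytes, and key_block = PRF(master_secret, "key expansion", server_random + client_random), partitioned into the six connection parameters. The pre-master secret, randoms and cipher-suite lengths (20-byte SHA-1 MAC secrets, 16-byte keys, 16-byte IVs) are constructed values for illustration.

```python
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 P_hash: HMAC_hash(secret, A(1)+seed) || HMAC_hash(secret, A(2)+seed) || ...
    with A(0) = seed and A(i) = HMAC_hash(secret, A(i-1)); truncated to `length`."""
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # next output block
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 PRF: P_MD5(S1, label+seed) XOR P_SHA-1(S2, label+seed).
    S1/S2 are the first/second halves of the secret; for an odd-length secret
    the middle byte belongs to both halves."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:] if half else b""
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def derive_master_secret(pre_master_secret: bytes, client_random: bytes,
                         server_random: bytes) -> bytes:
    """master_secret is always 48 bytes; seed order is client_random || server_random."""
    return tls10_prf(pre_master_secret, b"master secret",
                     client_random + server_random, 48)


def derive_key_block(master_secret: bytes, client_random: bytes, server_random: bytes,
                     mac_len: int, key_len: int, iv_len: int) -> dict:
    """Expand the master secret into the connection parameters.
    Note the reversed seed order (server_random || client_random) for key expansion."""
    total = 2 * (mac_len + key_len + iv_len)
    block = tls10_prf(master_secret, b"key expansion",
                      server_random + client_random, total)
    layout = [
        ("client_write_MAC_secret", mac_len),
        ("server_write_MAC_secret", mac_len),
        ("client_write_key", key_len),
        ("server_write_key", key_len),
        ("client_write_IV", iv_len),
        ("server_write_IV", iv_len),
    ]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def demo() -> dict:
    """Constructed inputs. With RSA key exchange the pre-master secret is 48 bytes
    whose first two bytes are the client's offered version (03 01 for TLS 1.0)."""
    pre_master = b"\x03\x01" + bytes(range(46))
    client_random = b"\x11" * 32   # 32 bytes: 4-byte time + 28 random, constructed
    server_random = b"\x22" * 32
    master = derive_master_secret(pre_master, client_random, server_random)
    keys = derive_key_block(master, client_random, server_random,
                            mac_len=20, key_len=16, iv_len=16)
    return {"master_secret": master, **keys}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value.hex()}")
```

Two points the layout makes visible: the pre-master secret itself is never used as a key, only as PRF input, and the client and server directions get independent MAC secrets, keys and IVs, which is why a record captured in one direction cannot be re-injected in the other.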