Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS



Similar documents
Communication Systems SSL

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Network Security Essentials Chapter 5

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Web Security Considerations

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

ISA 562 Information System Security

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Lecture 7: Transport Level Security SSL/TLS. Course Admin

Transport Layer Security Protocols

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

Secure Socket Layer. Security Threat Classifications

Chapter 7 Transport-Level Security

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Transport Level Security

Communication Security for Applications

CSC Network Security

SECURE SOCKETS LAYER (SSL)

CSC 474 Information Systems Security

Information Security

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

SSL Secure Socket Layer

SSL Secure Socket Layer

Overview. SSL Cryptography Overview CHAPTER 1

Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Secure Sockets Layer

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

SECURE SOCKETS LAYER (SSL) SECURE SOCKETS LAYER (SSL) SSL ARCHITECTURE SSL/TLS DIFFERENCES SSL ARCHITECTURE. INFS 766 Internet Security Protocols

Chapter 17. Transport-Level Security

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Authenticity of Public Keys

Security Protocols and Infrastructures. h_da, Winter Term 2011/2012

Network Security Part II: Standards

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

The Secure Sockets Layer (SSL)

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Learning Network Security with SSL The OpenSSL Way

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Lecture 4: Transport Layer Security (secure Socket Layer)

TLS/SSL in distributed systems. Eugen Babinciuc

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

Network Security - Secure upper layer protocols - Background. Security. Question from last lecture: What s a birthday attack? Dr.

TLS-RSA-PSK. Channel Binding using Transport Layer Security with Pre Shared Keys

Security Protocols/Standards

SSL/TLS. What Layer? History. SSL vs. IPsec. SSL Architecture. SSL Architecture. IT443 Network Security Administration Instructor: Bo Sheng

SSL: Secure Socket Layer

Secure Socket Layer (TLS) Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Software Engineering 4C03 Research Project. An Overview of Secure Transmission on the World Wide Web. Sean MacDonald

Protocol Rollback and Network Security

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Low-Level TLS Hacking

Lab 7. Answer. Figure 1

mod_ssl Cryptographic Techniques

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Web Security. Mahalingam Ramkumar

Introduction. Haroula Zouridaki Mohammed Bin Abdullah Waheed Qureshi

Cryptography and Network Security IPSEC

Some solutions commonly used in order to guarantee a certain level of safety and security are:

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Savitribai Phule Pune University

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol

Network Security Standards. Key distribution Kerberos SSL/TLS

SSL Handshake Analysis

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

SSL A discussion of the Secure Socket Layer

Transport Layer Security (TLS)

Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict All rights reserved

The Beautiful Features of SSL And Why You Want to Use Them?

Lecture 10: Communications Security

Network Security Protocols

Embedded SSL. Christophe Kiennert, Pascal Urien. Embedded SSL - Christophe Kiennert, Pascal Urien 1

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Chapter 10. Network Security

Certificates and network security

ERserver. iseries. Securing applications with SSL

Three attacks in SSL protocol and their solutions

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

, SNMP, Securing the Web: SSL

ms-help://ms.technet.2005mar.1033/winnetsv/tnoffline/prodtechnol/winnetsv/plan/ssl...

SSL/TLS: The Ugly Truth

T Cryptography and Data Security

Introduction to Cryptography

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

CS 3251: Computer Networking 1 Security Protocols I

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Computer and Network Security

Network Security. Chapter 12 Security Protocols of the Transport Layer

Transcription:

Security Engineering Part III Network Security Security Protocols (I): SSL/TLS Juan E. Tapiador jestevez@inf.uc3m.es Department of Computer Science, UC3M Security Engineering 4th year BSc in Computer Science, Fall 2011

Preliminaries SSL: Secure Socket Layer (Netscape) v1 (1990-1994). Internal use. Never released v2 (1994). Usable but lots of security vulnerabilities v3 (1996). Stable. Basis for TLS 1.0 TLS: Transport Layer Security RFC 2246 Free open-source implementation at http://www.openssl.org TLS 1.0 aprox. = SSL 3.0 with some changes SSL/TLS gives transport-layer security TCP (reliable end-to-end transport required) Applications must undergo slightly modifications 2

Preliminaries SSL usage: Encryption of messages exchanged between client and server E.g., credit card numbers, e-mails, online banking,...) Authentication of communication parties: Ensure server authenticity Ensure client authenticity (optional) SSL in HTTP transactions: https:// Lock displayed in browser Maybe a warning 3

SSL Architecture SSL application data protocol SSL Record Protocol: authentication and encryption. Upper layers: session establishment, parameter negotiation, etc. 4

SSL Session vs Connection SSL session Association between a client and a server (host S, port S, host C, port C ) Created by the Handshake Protocol Defines a number of shared cryptographic parameters Algorithms, master secret (MS), certificates, key lengths,... Can be shared by multiple SSL connections Idea: avoid repeated used of Handshake Protocol (costly) SSL connection Transient communication link Associated with an SSL session Stated defined by: nonces, secret keys used by MAC and encryption algorithms, IVs, sequence numbers. Keys derived from MS created during Handshake. 5

SSL Handshake Protocol SSL uses symmetric cryptography for: MACs and encryption (Record Protocol) Different keys for each communication party! In addition to key establishment, the Handshake Protocol has among its goals: Client and server authentication Server almost always authenticated Client rarely authentication, though possible Useful model for most e-commerce applications Secure negotiation of the ciphersuite (algorithms + parameters) Encryption Hash function Authentication method Key establishment 6

SSL Handshake Protocol Key establishment Various mechanisms supported RSA-based: C chooses PMS and sends it to S using S s public key Diffie-Hellman Entity authentication Again various mechanisms supported: RSA-based: ability to correctly decrypt PMS and generate a valid MAC (using keys derived from PMS). This implicitly authenticates S 7

SSL Handshake Protocol Key derivation Keys used by Record Protocol for encryption and MAC are derived from PMS: MS obtained from (PMS, client nonce, server nonce) through a hash function Key_block obtained from (MS, client nonce, server nonce) through repeated application of hash function Keys obtained from Key_block 8

SSL Handshake Protocol Protocol messages: Usual SSL configuration: No client authentication Cliente sends PMS using S s RSA public key, obtained from its certificate Server authenticated if capable of decrypting PMS and construct a valid finish message M1: C S: ClientHello Cliente starts connection Sends version number Sends ClientNonce (28 random bytes+ 4-byte timestamp) Sends ciphersuite (key exchange, authentication methods, encryption and MAC algorithms, hash funcitons) 9

SSL Handshake Protocol M2: S C: ServerHello, ServerCertChain, ServerHelloDone Server sends version number Sends ServerNonce and SessionID Chooses ciphersuite from C s list ServerCertChain: needed by client to verify S s public key through TTP (optional) CertRequest: if C to be authenticated Finally, ServerHelloDone M3: C S: ClientKeyExchange, ChangeCipherSpec, ClientFinished ClientKeyExchange: contains encrypted PMS ChangeCipherSpec: from now on, everything encrypted+authenticated (optional) ClientCertificate, ClientCertificateVerify Finally, ClientFinished Contains MAC of all messages (both directions) exchanged so far. 10

SSL Handshake Protocol M4: S C: ChangeCipherSpec, ServerFinished Server starts encryption+authentication ServerFinished contains: MAC of all messages exchanged (both directions) so far Correct key_block needed! Only computable if S has obtained MS and has decrypted M3 There s a possibility to renegotiate the ciphersuite: Useful to reuse MS over multiple connections but keys are recomputed using new nonces Can be done during one session Protected by Record Protocol 11

SSL Handshake Protocol Source: Wikipedia 12

SSL Handshake Protocol Source: Wikipedia 13

SSL Alert & Change Ciphersuite Alert Protocol Manages SSL session and error/warning messges: Unexpected message Bad record MAC Decompression failure Bad certificate Certificate revoked Certificate expired Etc... Change Ciphersuite Protocol 1 message only Used to announce that one party will immediately change to the recently negotiated ciphersuite Both executed on top of Record Protocol 14

SSL Record Protocol Source: Stallings 15

SSL Record Protocol Confidentiality Symmetric encryption IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40,... Message is optionally compressed before encryption, e.g. using Lempel-Ziv (ZIP) Integrity & message authentication MAC (with a shared key) 16

SSL vs TLS Standard RFC 2246, similar to SSL 3.0 TLS version numbers: SSL 3.1 (TLS 1.0) SSL 3.2 (TLS 1.1) SSL 3.3 (TLS 1.2) Uses HMAC as MAC algorithm Different method for deriving master_secret and key_block PRF based on HMAC with MD5 or SHA-1 More warning and error messages More client certificates supported Variable-length padding Used to hide the length of short messages Protects against traffic analysis attacks More crypto algorithms supported Etc... 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information