TLS-RSA-PSK. Channel Binding using Transport Layer Security with Pre Shared Keys



Similar documents
Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

Information Security

Lecture 7: Transport Level Security SSL/TLS. Course Admin

Communication Systems SSL

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Binding Security Tokens to TLS Channels. A. Langley, Google Inc. D. Balfanz, Google Inc. A. Popov, Microsoft Corp.

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

CSC Network Security

CSC 474 Information Systems Security

SECURE SOCKETS LAYER (SSL)

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Web Security Considerations

Software Engineering 4C03 Research Project. An Overview of Secure Transmission on the World Wide Web. Sean MacDonald

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

SSL Secure Socket Layer

Security Protocols and Infrastructures. h_da, Winter Term 2011/2012

SSL Secure Socket Layer

Authenticity of Public Keys

eid Online Authentication Network Threat Model, Attacks and Implications

Secure Socket Layer. Security Threat Classifications

Lecture 4: Transport Layer Security (secure Socket Layer)

Lab 7. Answer. Figure 1

Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

Overview. SSL Cryptography Overview CHAPTER 1

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Communication Security for Applications

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Practical Invalid Curve Attacks on TLS-ECDH

Secure Sockets Layer

Transport Layer Security (TLS)

TLS/SSL in distributed systems. Eugen Babinciuc

Learning Network Security with SSL The OpenSSL Way

SSL: Secure Socket Layer

Protocol Rollback and Network Security

Some solutions commonly used in order to guarantee a certain level of safety and security are:

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict All rights reserved

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

Einführung in SSL mit Wireshark

Chapter 7 Transport-Level Security

Secure Communication Protocol for ATM Using TLS Handshake

Transport Layer Security Protocols

Chapter 17. Transport-Level Security

Network Security Protocols

Embedded SSL. Christophe Kiennert, Pascal Urien. Embedded SSL - Christophe Kiennert, Pascal Urien 1

Interested in learning more about security? SSL/TLS: What's Under the Hood. Copyright SANS Institute Author Retains Full Rights

Trust negotiation protocol support for secure mobile network service deployment

Properties of Secure Network Communication

SSL/TLS/X.509. Aggelos Kiayias

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

Low-Level TLS Hacking

Secure network protocols: how SSL/TLS, SSH, SFTP and FTPS work

SECURE SOCKETS LAYER (SSL) SECURE SOCKETS LAYER (SSL) SSL ARCHITECTURE SSL/TLS DIFFERENCES SSL ARCHITECTURE. INFS 766 Internet Security Protocols

Security Protocols/Standards

Transport Level Security

ISA 562 Information System Security

Certificates and network security

MatrixSSL Developer's Guide Version 3.7

On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption

Internet Security Architecture

Managing SSL certificates in the ServerView Suite

Computer and Network Security

Savitribai Phule Pune University

Chapter 11 Security Protocols. Network Security Threats Security and Cryptography Network Security Protocols Cryptographic Algorithms

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

, ) I Transport Layer Security

Institute of Computer Technology - Vienna University of Technology. L96 - SSL, PGP, Kerberos

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

Verifying security protocols using theorem provers

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

The Beautiful Features of SSL And Why You Want to Use Them?

Bit Chat: A Peer-to-Peer Instant Messenger

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Network Security Part II: Standards

Transport Layer Security

SSL/TLS. What Layer? History. SSL vs. IPsec. SSL Architecture. SSL Architecture. IT443 Network Security Administration Instructor: Bo Sheng

A Study of the Performance of SSL on PDAs

Strengthening Master Secrets! (to get good TLS Channel Identifiers)

Network Authentication X Secure the Edge of the Network - Technical White Paper

Three attacks in SSL protocol and their solutions

Name-based SSL virtual hosts: how to tackle the problem

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Extensible Authentication Protocol Transport Layer Security Deployment Guide for Wireless LAN Networks

SSL A discussion of the Secure Socket Layer

Network Security Standards. Key distribution Kerberos SSL/TLS

Transcription:

TLS-RSA-PSK Channel Binding using Transport Layer Security with Pre Shared Keys Christian J. Dietrich dietrich [at] internet-sicherheit. de Institut für Internet-Sicherheit https://www.internet-sicherheit.de FH Gelsenkirchen

Introduction Nov. 2010: New German ID card eid functionality authenticate mutually between eid card and eid server transmit personal data from eid card to eid server (securely) Extended Access Control (by BSI) 3 kinds of card readers Basic (no pinpad) Standard Comfort 2

Terminal and Chip Authentication Terminal 1. PACE 2. Terminal Authentication 1. PACE Bind eid to card reader (Diffie- Hellman) 2. Term. Authentication eid card authenticates the Terminal (Terminal Certificate) 3. Chip Authentication 3. Chip Authentication Terminal authenticates the eid card BSI Technical Guideline TR-03110 3

eid authentication in practice Lots of components involved Browser, Browser plugin 2 Servers eid reader & card Several TLS connections However: Connection management is browser s concern! 4

Channel Binding Bind channel BS to CS eid Server generates a Pre Shared Key and sends it via BS to the Web Browser Browser plugin is triggered and provides the PSK to eid API client PSK is then used to establish CS 5

Transport Layer Security (TLS/SSL) Negotiate Cipher Suite Session Key agreement Optional server authentication Client Cipher Suites negiotiation Session Key agreement Server authentication Server Pre Master Secret (PMS) Input to the key derivation function (PRF) in order to get the Master Secret Master Secret (MS) 48 byte fixed length output from PRF Derive session keys for encryption and hashing (HMAC) PMS [PRF] V MS PMS [PRF] V MS 6

TLS with Pre Shared Keys Defined in RFC 4279 (Dec 2005) 3 variants of TLS with PSK Plain PSK No server authentication No Perfect Forward Secrecy RSA-PSK Server authentication (certificate) No Perfect Forward Secrecy DHE-PSK No server authentication Perfect Forward Secrecy 7

usual TLS with plain RSA Certificate message required Client ClientHello Server ServerKeyExchange is optional (not needed for plain RSA) ClientKeyExchange ServerHello Certificate (ServerKeyExchange) ServerHelloDone Client builds premaster secret pms = (client_version, 46 random bytes) ClientKeyExchange ChangeCipherSpec Finished Transmit encrypted premaster secret to the server RSAEncrypt(pubkey Server, pms) ChangeCipherSpec Finished Application Data 8

TLS with plain PSK ServerKeyExchange Provide a hint for the client identity (username) ClientKeyExchange Transmit client_identity to the server Both parties build the premaster secret as follows pms = (len(psk), 0x00 * len(psk), len(psk), PSK) Client ClientHello ServerHello (Certificate) ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data Server 9

TLS with RSA-PSK ServerKeyExchange Provide a hint for the client identity (username) ClientKeyExchange Client builds premaster secret Client ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone Server pms = (0x30, client_version, 46 random bytes, len(psk), PSK) ClientKeyExchange ChangeCipherSpec Finished Transmit client_identity and encrypted premaster secret to the server RSAEncrypt(pubkey Server, pms) ChangeCipherSpec Finished Application Data 10

eid authentication: why RSA-PSK? PSK is required in order to bind channel BS to channel CS Why is RSA Server Authentication required? The Terminal Authentication is bound to a certain eid Server! The Hash of the eid Server Certificate is stored in the Terminal Certificate The Hash of the Web Application Server is stored in the Terminal Certificate, too! 11

Binding eid to certain Servers RSA Server Authentication Terminal Authentication is restricted to certain Servers eid Server Web Application Server 12

Extending eid trust to BS and BW Sequence of trusted channels is extended to cover the channels CS, BS and BW (in theory) Renders Man-in-the-middle attacks useless 13

Transport Layer Security with Pre Shared Keys Thank you. Questions? Christian J. Dietrich dietrich [at] internet-sicherheit. de Institut für Internet-Sicherheit https://www.internet-sicherheit.de FH Gelsenkirchen

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information