Secure Sockets by bestt571


More Info
									                                                                                                                                           Overview of Lecture

                                                                                                                           We covered an overview of authenticated key exchange
                                                                                                                           In this lecture we will
                                                                                                                           – Look at issues related to Web Security
                                        Secure Sockets                                                                     – Examine a specific implementation of such a protocol, known as
                                                                                                                             Secure Sockets

                                       Web Security Issues                                                                          So Where to Secure the Web?
      The Web has become the visible interface of the Internet                                                             There are many strategies to securing the web
       – Many corporations now use the Web for advertising, marketing and sales
                                                                                                                      1.   We may attempt to secure the IP Layer of the TCP/IP Stack:
      Web servers might be easy to use but…
                                                                                                                           This may be accomplished using IPSec, for example.
      – Complicated to configure correctly and difficult to build without security
        flaws                                                                                                         2.   We may leave IP alone and secure on top of TCP: This may be
      – They can serve as a security hole by which an adversary might be able to                                           accomplished using the Secure Sockets Layer (SSL) or
        access other data and computer systems                                                                             Transport Layer Security (TLS)
                        Threats                                Consequences                        Countermeasures
                                                                                                                      3.   We may seek to secure specific applications by using
Integrity               Modification of Data                   Loss of Information                 MACs and Hashes
                                                                                                                           application-specific security solutions: For example, we may
                        Trojan horses                          Compromise of Machine                                       use Secure Electronic Transaction (SET)
                        Eavesdropping                          Loss of Information                 Encryption
                                                                                                                           The first two provide generic solutions, while the third provides
                        Theft of Information                   Privacy Breach
DoS                     Stopping                               Stopped Transactions                                        for more specialized services
                        Filling up Disks and Resources
Authentication          Impersonation                          Misrepresentation of User           Signatures, MACs        We will focus this lecture on SSL
                        Data Forgery                           Accept false Data

                   Table from Stallings, and from A. Rubin

   A Quick Look at Securing the TCP/IP Stack                                                                                                  Overview of SSL
                                                                                                                           The Secure Sockets Layer was originally developed (1994) by
                                                                                HTTP         FTP       SMTP                Netscape in order to secure http communications
      HTTP          FTP         SMTP
                    TCP                                                                                                    Version 3 of SSL was released in 1995
                  IP/IPSEC                                                                                                 – It is what we think of when we say SSL
            At the Network Level                                                                                           – Slight variation became Transport Layer Security (TLS) and was
                                                                                      At the Transport Level
                                                                                                                             accepted by the IETF in 1999
                                                                                                                           – TLS is backward compatible with SSLv3
                                                        S/MIME PGP                 SET
                                       Kerberos               SMTP                 HTTP
                                                                                                                           TCP provides a reliable end-to-end service
                                           UDP                       TCP                                                   SSL consists of two sublayers:
                                                               IP                                                          – SSL Record Protocol (where all the action takes place)
                                                       At the Application Level                                            – SSL Management: (Handshake/Cipher Change/ Alert Protocols)

                        SSL Preliminaries                                                     SSL Preliminaries, pg. 2
    An SSL Session is an association between a client and a server            Connection Parameters:
    (created by the Handshake Protocol). There are a set of security              – Server and Client random byte sequences used for each connection
    parameters associated with each session
                                                                                  – Server MAC Key: Key used in MAC operations on data sent by
    An SSL Connection is a peer-to-peer relationship, and is                        the server
    transient. There may be many connections associated with one
    session. The same security parameters may apply to many                       – Client MAC Key: Key used in MAC operations on data sent by
    connections.                                                                    the client
    Session Security Parameters:                                                  – Server Encryption Key: Encryption key used for data encrypted by
                                                                                    server and decrypted by client
      – Session Identifier
      – Peer Certificate: X.509v3 certificate of the peer                         – Client Encryption Key: Encryption key used for data encrypted by
                                                                                    client and decrypted by server
      – Compression: Optional algorithm used to compress data
      – Cipher Specs: Encryption Algorithm (3DES, AES, etc.) and hash             – Initialization vectors: We will use CBC mode, so we need IVs.
        algorithm (MD5, SHA-1)                                                    – Sequence Numbers: Each entity maintains sequence numbers for
      – Master Secret: 48-byte secret shared between client and server              transmitted and received messages

                     SSL Record Protocol                                                    SSL Record Protocol, pg. 2
    The SSL Record Protocol uses the keys derived from the                    SSL Record protocol allows protocols above SSL to be secured
    Handshake Protocol to securely deliver data                                – Example: HTTP delivers packets that are fragmented and securely
    Two functions:
                                                                               – SSL does not handle retransmissions… it does not have to! TCP provides
      – Confidentiality and Message Integrity                                    that functionality
                                                                               – This is quite the opposite of IPSec, which only secures IP!
                                                                              Messages are broken into blocks of at most 16384 bytes
Fragmentation          Chunk               Chunk              Chunk           The compression is optional and, due to message size/type, it might not even
                                                                              be desirable to use!
Compression          Shrunk                                                   Encryption may be stream or block mode. This is negotiated through the
                                                                              Handshake protocol
MAC                  Shrunk                                                    – If block encryption, padding is necessary in order to fill out a block
Encrypt              Encrypted

Prepend Header          Encrypted

                 SSL Record Protocol, pg. 3                                                 SSL Record Protocol, pg. 4
    The Header consists of                                                   The real trick to the Record Protocol is the MAC
      – Content type descriptor (1 byte): For the upper layer to use         In SSL, the record layer computes a MAC for each chunk of data.
      – Major Version (1 byte): What version of SSL? (3 for SSL and          In SSLv3 the MAC is
        TLS)                                                                 Hash(MACws|| Pad2||Hash(MACws||Pad1||SeqNum||SSLComp||SSLLen||Chunk))
      – Minor Version (1 byte): Indicates the revision (0 for SSLv3, 1 for   The pieces:
        TLS)                                                                  –   MACws = Shared MAC Key
    There are only a limited selection of ciphers and MAC                     –   Hash: MD5 or SHA-1
    algorithms that are allowed                                               –   Pad1: (00110110) repeated 48 times for MD5 or 40 times for SHA-1
      – Interchange Ciphers: RSA, Diffie-Hellman (signed and unsigned),       –   Pad2: (01011100) repeated 48 times for MD5 or 40 times for SHA-1
        Fortezza                                                              –   SeqNum; Sequence number for this message
      – Bulk Encryption Cipher: RC4, RC2, DES (CBC Mode), 3DES                –   SSLComp: Higher Layer descriptor of message type
        (EDE-CBC Mode), Fortezza (CBC)                                        –   SSLLen: Length of the chunk
      – MAC: SHA-1 and MD5                                                    –   Chunk: The fragment of data after it has been compressed

                  SSL Handshake Protocol                                                                           SSL Handshake Protocol, pg. 2
This is the beast… Its where all the action really takes place!                                              ClientHello                     Round 1: Create the Connection between
                                                                                                                                             the Client A and Server G (Gigafirm in my
Basically, the Handshake protocol is used before any application                                            ServerHello
                                                                                                                                             notes), and figure out what each entity can
data is transmitted.                                                                                        ServerCertificat
                                                                                                                            e                do!
– It is used to allow the server and client to authenticate each other                                       ServerKeyE xcha
                                                                                                                                           1.A → G : {vers # , rA , SessID, CiphList , CompList}
– To negotiate on an encryption and MAC algorithm                                                           CertRequest                    2.G → A : {vers # , rG , SessID, CiphChoice , CompChoice }

– Establish keys to be used                                                                                 ServerHelloEnd

                                                                                                                                         • rA is a nonce made of 4 bytes of timestamp and
The Handshake Protocol consists of messages consisting of                                                                    e
                                                                                                                                         28 bytes of random #. Similarly for rG.
three fields:
                                                                                                            ClientKeyE xch
                                                                                                                           ange          •SessID: 0 if new session, else is the session ID of
                                                                                                               CertVerify                an existing session (and the Handshake will update
– Type (1 byte): Indicates type of the message. There are 10 types.                                                                      parameters)
– Length (3 bytes)                                                                                            Finished
                                                                                                                                         •CiphList is a list of algorithms supported by the
– Content: The payload exchanged in each message                                                                                         client in an order of decreasing preference (Key
                                                                                                                       r                 Exchange and Encryption Cipher)
                                                                                                                                         •CiphChoice: The cipher suite chosen by the

          SSL Handshake Protocol, pg. 3                                                                            SSL Handshake Protocol, pg. 4
   ClientHello                     Round 2: Server Authentication and Key                                    ClientHello                      Round 3: Client Authentication and Key
                                   Exchange                                                                                                   Exchange
  ServerHello                                                                                               ServerHello
                                    – Server begins by sending its X.509 cert (and                                                              – Client verifies that the Server’s Cert is valid, and
                   e                  associated cert chain)                                                                e
                                                                                                                                                  checks that parameters sent are valid
   ServerCertificat                                                                                         ServerCertificat
                                    – Next, a public key is sent (e.g. modulus and
   ServerKeyE xcha
                                      exponent, if RSA)                                                      ServerKeyE xcha
                                                                                                                             nge                – If a cert was requested, then the Client sends one
   CertRequest                      – Server may Request a Cert from the Client                             CertRequest
                                                                                                                                                – Server generates a PreMasterSecret sPM
                                    – Server sends end round 2 message                                                                    7.A → G : {A _ X509Cert}
   ServerHelloEnd                                                                                           ServerHelloEnd

                             3.G → A : {G _ X509Cert}
                                                                                                                                                      {           }
                                                                                                                                          8.A → G : E + K G [s PM ]
   ClientCertificat                                                                                          ClientCertificat
                                                                                                                                          9.A → G : {hash(MS || rG || hash(Messages1to8 || MS || rA ))}
                                            {                                                      }
                   e                                                                                                         e
                             4.G → A : (n G , e G ) || E K G [hash (rA || rG || (n G , e G ))]
                                                                                                                                          MS = MD5(s PM || SHA1(' A' || s PM || rA || rG ))||
   ClientKeyE xch                                                                                           ClientKeyE xch
                  ange                                                                                                     ange
     CertVerify              5.G → A : {CertType || ValidCertAuthorities}                                      CertVerify                        MD5(s PM || SHA1(' BB' || s PM || rA || rG ))||
    ChangeCipher             6.G → A : {EndHello}                                                             ChangeCipher                       MD5(s PM || SHA1(' CCC' || s PM || rA || rG ))
    Finished                                                                                                  Finished
                            KG is the private key, and hence EKG is a signature                                                          +KG is the public key, and hence E+KG is a encryption
              r             operation by the Server                                                         ChangeCiphe
                                                                                                                       r                 using the public key gained from the certificate
                            ValidCertAuthorities identifies the authorities the server                                                   Messages1to8 is the concatenation of first 8 messages
                            will accept                                                                        Finished
                                                                                                                                         MS is master secret and Step 9 is for verification

          SSL Handshake Protocol, pg. 5                                                                         Other SSL Management Functions
   ClientHello                     Round 4: Wrap-up                                                       There are two other Management Functions provided by SSL:
                                    – Client tells Server to change cipher (via the
  ServerHello                                                                                             – Change Cipher Spec: A single byte is sent after new cipher
                                      Change Cipher Protocol).
                   e                                                                                        parameters have been agreed upon (aka. Handshake). “Pending”
                                    – Server responds with its own changed cipher
                                                                                                            parameters become activated.
   ServerKeyE xcha
                     nge              message
                                    – Finished Message are hashes for verification
                                                                                                          – SSL Alert Protocol: Signals that unusual conditions have been
   ClientCertificat        10.A → G : {ChangeCiph er}                                                                                                          "                       #
                           11.A → G : {hash (MS || rG || hash ( Messages1to9 || Client || MS || rA ) )}
   ClientKeyE xch
                           12.G → A : {CipherChan ged}                                                           %
                           13.G → A : {hash (MS || rG || hash ( Messages1to9 || Server || MS || rA ) )}          & '                 ()     *!
    ChangeCipher                                                                                                 + (,                  )- *
                                                                                                                                      ( .!
    Finished                                                                                                     /                      (!    *!
                                                                                                                 0                   (!    *!
   ChangeCiphe                                                                                                   -                      $


Many other parameters are generated from the master secret:
– ClientWrite MAC Secret and ClientWrite Key
– ServerWrite MAC Secret and ServerWrite Key
– Client and Server IVs
– Parameters are generated via hashing… MS is basically a seed to a
  pseudorandom function.
TLS is very similar to SSL
– TLS uses HMAC instead of the concatenation-MAC
– TLS does not support Fortezza
– Minor differences in padding requirements


To top