1.04k likes | 1.15k Views
Chapter 5. Transport Level Security. 1. 5.1 Web Security Considerations Web presents new challenges :. ► Web is two-way, so servers can be attacked. ► Organizations use Web as "store-front" if compromised, money can be lost and reputation damaged.
E N D
Chapter 5 Transport Level Security 1
5.1 Web Security Considerations Web presents new challenges: ► Web is two-way, so servers can be attacked ► Organizations use Web as "store-front" if compromised, money can be lost and reputation damaged ► Underlying software is complex, and may hide many potential security flaws ► Subverting a Web server may provide a launching pad into the intranet (next slide) ► Users are untrained and unaware of security risks 2
► Subverting a Web server may provide a launching pad into the intranet “Three-tier system” 3
Web Security Threats - omit Web Traffic Security Approaches Figure 5.1 Relative Location of Security Facilities in the TCP/IP Protocol Stack 4
5.2 Secure Socket Layer and Transport Layer Security SSL 2.0 was developed and patented by Netscape in 1994. TLS is the non-proprietary Internet standard development (RFC 2246, 1999) TLS 1.0 was an upgrade of SSL 3.0, so TLS 1.0 is sometimes referred to as SSL 3.1 Latest standard is TLS 1.2, sometimes referred to as SSL 3.3 I did not find Stallings’ description of SSL easy to follow, so I am using the treatment by Stephen Thomas. 5
“SSL and TLS Essentials” by Stephen Thomas Chapter 3: SSL Operation 3.1 SSL roles ----------------------------- SKIM 3.2 SSL Messages ----------------------- SKIM 3.3 Establishing Encrypted Communications 3.3.1 ClientHello – OMIT compression methods p43 3.3.2 ServerHello 3.3.3 ServerKeyExchange 3.3.4 ServerHelloDone 3.3.5 ClientKeyExchange 3.3.6 ChangeCipherSpec 3.3.7 Finished 3.5 Authenticating the Server’s Identity 3.5.1 Certificate 3.5.2 ClientKeyExchange omit rest of chapter Start here 6
3.3 Establishing Encrypted Communications First, establish TCP connection from client to port 443 on server Secure channel established – proceed to use 7
3.3.1 ClientHello Current versions: SSL 3.3, TLS 1.2 “Cookie” Also used as a nonce to repel replay attacks 15
3.3.2 ServerHello Server decides Server selects from menu submitted by client 16
3.3.3 ServerKeyExchange Server sends its public key; in section 3.5 this will be replaced by server sending its public-key certificate 3.3.4 ServerHelloDone Server has completed initial negotiation. 3.3.5 ClientKeyExchange Client generates “premaster secret,” and sends it encrypted with the server’s public key. Decrypting the premaster secret will verify that the server possesses the corresponding private key. Both sides can compute necessary keys. 3.3.6 Change Cipher Spec Preliminary negotiations are complete and client tells server “I’m going to begin using the agreed cipher suite.” 17
3.3.6 ChangeCipherSpec “Since the transition to secured communication is critical, and both sides have to get it exactly right, the SSL specification is very precise in describing the process.” “The SSL specification also recognizes that some of the information (in particular, the key material) will be different for each direction of communication. In other words, one set of keys will secure data the client sends to the server, and a different set of keys will secure data the server sends to the client.” “For a given system, whether it is a client or a server, SSL defines a write state and a read state. The write state defines the security information for data that the system sends, and the read state defines the security information for data that the system receives.” 18
3.3.7 Finished “Immediately after sending their ChangeCipherSpec messages, each system sends a Finished message. The Finished messages allow both systems to verify that negotiation has been successful and that security has not been compromised. Two aspects of the Finished message contribute to this security.” “First … the Finished message itself is subject to the negotiated cipher suite … If the receiving party cannot successfully decrypt and verify the message, then clearly something has gone awry with the security negotiation.” “The contents of the Finished message also serves to protect the security of the SSL negotiation. Each Finished message contains a cryptographic hash of important information about the just-finished negotiation … This protects against an attacker who manages to insert fictitious messages into, or remove legitimate messages from, the communication.” 21
3.5 Authenticating the Server’s Identity By now in this course we’re familiar with the need to authenticate the server’s identity. In the usual situation in which SSL is deployed (ordering from Amazon.com) we do not need to authenticate the client – SSL has an option to do so, but we will skip this. No surprise: we will insist on the server sending the client an X.509 certificate – browser will automatically check validity, using its library of CA public keys. But just receiving a valid certificate is not enough - It must be the right certificate! The browser will also check this. 22
3.5 Authenticating the Server’s Identity – continued New: replaces ServerKeyExchange 23
Darth Sends amazon.com certificate 3.5.2 ClientKeyExchange Encryption of the “pre-master secret” with the public key sent in the Certificate message means that the server must actually possess the corresponding private key to decrypt the pre-master secret. Both sides can compute necessary keys. 24
Chapter 4: Message Formats 4.1 Transport Requirements 4.2 Record Layer 4.3 ChangeCipherSpec Protocol 4.4 Alert Protocol 4.4.1 Severity Level 4.4.2 Alert Description 4.5 Handshake Protocol 4.5.2 ClientHello 4.5.3 ServerHello 4.5.4 Certificate 4.5.7 ServerHelloDone 4.5.8 ClientKeyExchange- include RSA only 4.5.10 Finished 4.6 Securing Messages 4.6.1 Message Authentication Code 4.6.2 Encryption 4.6.3 Creating Cryptographic Parameters3 25
443 SSL Record Layer 26
HTTP 32
4.3 ChangeCipherSpec Protocol Record Layer Header 33
4.4 Alert Protocol The Alert Protocol signals an error. Some error messages are cautionary, others fatal. TLS removes some of the error categories in SSL and adds some new ones. 34
4.5 Handshake Protocol Purposes: 1. negotiate cipher suite to be used ClientHello message (section 4.5.2) ServerHello message (section 4.5.3) 2. authenticate I/D of server Certificate message (section 4.5.4) ClientKeyExchange message (4.5.8) 3. generate collection of shared secret information Premaster secret (ClientKeyExchange) Master secret (section 4.6.3) Keying material (section 4.6.3) MAC key Encryption key IV 36
Format of Handshake message Record Layer Header protocol = 22 decimal In practice they are not! 37
Record Layer Header protocol = 22 4.5.2 ClientHello 40
There are more of these in SSL; TLS removes some and adds others. 41
Secure Socket Layer TLSv1 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 92 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 88 Version: TLS 1.0 (0x0301) Random gmt_unix_time: Oct 10, 2008 10:54:18.000000000 random_bytes: 751AB9DCEBF3014D799038D27E24E6409C8397FE6E1A7553... Session ID Length: 0 Cipher Suites Length: 24 Cipher Suites (12 suites) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Client can handle up to TLS 1.0 (SSL 3.1) Remarkable range of capabilities in browser! 42
Server to client: Secure Socket Layer TLSv1 Record Layer: Handshake Protocol: Server Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 74 Handshake Protocol: Server Hello Handshake Type: Server Hello (2) Length: 70 Version: TLS 1.0 (0x0301) Random gmt_unix_time: Oct 10, 2008 11:00:13.000000000 random_bytes: C7B2A2F58454A2C2A0DE667781E2773544C86C8FF724069E... Session ID Length: 32 Session ID: 77987B601B5544C111C3FCB1DF96F7A8970D1EFD39630F3F... Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Compression Method: null (0) 46
Server to client: Secure Socket Layer TLSv1 Record Layer: Handshake Protocol: Certificate Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 2468 Handshake Protocol: Certificate Handshake Type: Certificate (11) Length: 2464 Certificates Length: 2461 Certificates (2461 bytes) Certificate Length: 1271 Certificate (id-at-commonName=www.amazon.com, Certificate Length: 1184 Certificate (id-at-commonName=VeriSign Class 3 Secure Server CA Secure Socket Layer TLSv1 Record Layer: Handshake Protocol: Server Hello Done Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 4 Handshake Protocol: Server Hello Done Handshake Type: Server Hello Done (14) Length: 0 49
CS 336/536 Lab #3: SSL/TLS “Certificate” message from Amazon.com contains a chain of public key certificates: Certificate #1: Issued to: www.amazon.com Issuer: VeriSign Class 3 Secure Server CA Certificate #2: Issued to: VeriSign Class 3 Secure Server CA Issuer: VeriSign Class 3 Public Primary Certification Authority