190 likes | 372 Views
SSL3.0 / TLS1.0. Secure Communication over Insecure Line. What does “Secure” Mean?. Confidentiality Prevent eavesdropping Authenticity Communication line cannot be overtaken Integrity Messages cannot be modified during transport Non-reputiation “you can’t prove I said that !”.
E N D
SSL3.0 / TLS1.0 Secure Communication over Insecure Line 0
What does “Secure” Mean? • Confidentiality • Prevent eavesdropping • Authenticity • Communication line cannot be overtaken • Integrity • Messages cannot be modified during transport • Non-reputiation • “you can’t prove I said that!” 1
Application Data Protocol Application Layer Handshake Layer Record Layer Transport Layer (TCP/IP) Handshake Protocol S S L Change Cipher Spec Protocol Alert Protocol Layered Architecture 2
SSL handles multiple simultaneous sessions • Each session handles multiple connections • Session State • Session ID • Peer certificate • Compression method • Cipher Spec. • Master Secret • Is resumable (flag) • Connection State • Random data • MAC Secrets • Transport Keys • IVs (for CBC block ciphers) • Sequence numbers SSL is a Statefull Protocol 3
TLS’ State Model • Session State (?) • Session ID • Peer certificate • Is resumable (flag) • Connection State • Master Secret • Random data • CipherSpec • Compression Method • MAC Secrets • Transport Keys • IVs (for CBC block ciphers) • Sequence numbers 4
Read Write Read Write Pending Current Pending Current State Structure Client Server RSA, 3DES, SHA, Keys, … RSA, 3DES, SHA, Keys, … RSA, 3DES, SHA, Keys, … RSA, 3DES, SHA, Keys, … Null, Null, Null, … Null, Null, Null, … Null, Null, Null, … Null, Null, Null, … 5
SSL Plaintext SSL Compressed SSL Ciphertext Type Version Length Fragment DATA Compression Encryption & Authentication Stream or block ciphered Transport Layer MAC Record Layer 6
MAC Computation MAC = hash(MAC_secret + pad2 + hash(MAC_secret + pad1+ seq_num + length + content)) hash = SHA-1 or MD5 pad1 = 0x36 repeated 40 times (SHA-1) of 48 times (MD5) pad2 = 0x5C repeated as above 7
Client Server Client Hello Server Hello Certificate ASN.1 Encoded Acceptable certificate types Acceptable CAs Cert. Req. Certificate Server Key Exchange Client Key Exchange ServerHello Done Empty Certificate Verify ChangeCipherspec Finished MAC on handshake messages, except ChangeCipherSpec ChangeCipherspec Finished Handshake Protocol 8
Handshake Client Hello Type Length Version Data Random Session ID Example Cipher Suites: SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA … Supported cipher suites Supported compression methods Client Hello 9
Server Hello Handshake Server Hello Type Length Version Data Random Session ID Cipher suite Compression method 10
Server Key Exchange Handshake Server Key Exchange (Diffie-Hellman) Server Key Exchange (RSA) Type Length p (modulus, prime) m (modulus = p*q) Data g (generator) e (pub. exp.) gas mod p Signature Signature Diffie-Hellman Client Computes: PreMasterSecret = (gas)ac mod p Client Sends : gac to server Server Computes: PreMasterSecret = (gac)as mod p RSA Client Computes: y = PreMasterSecrete mod p Client sends : y to server Server Computes: PreMasterSecret = yd mod p 11
Change Cipherspec (Client) Change Cipherspec (Server) Read Write Read Write Pending Current Pending Current Change Cipherspec Client Server 12
Key Generation ms = MD5(pms + SHA(‘A’ + pms + client_random + server_random)) + MD5(pms + SHA(‘BB’ + pms + client_random + server_random)) + MD5(pms + SHA(‘CCC’ + pms + client_random + server_random)) Where ms = “Master Secret” (48 bytes) pms = “Pre Master Secret” (48 bytes) Key material computed by (Pseudo) random data = MD5(ms + SHA(‘A’ + ms + client_random + server_random)) + MD5(ms + SHA(‘BB’ + ms + client_random + server_random)) + MD5(ms + SHA(‘CCC’ + ms + client_random + server_random)) + … 13
Dropping ChangeCipherSpec Attack: Remove the ChangeCipherSpec message entirely from the communication, forcing communication to proceed with initial cipher spec (null). SSL defence: Implementation must check that a ChangeCipherSpec message has been received before a Finished message is received. 14
Key Exchange Rollback Attack: Make client use a prime modulus for its RSA key exchange by tampering with cipher suite specs in ClientHello and ServerHello. SSL defence: Implementation must check that the number of fields in the ServerKeyExchange message matches the chosen cipher suite. 15
Experts in cryptography info@cryptomathic.com www.cryptomathic.com 16