460 likes | 501 Views
An Introduction to SSL/TLS and Certificates. Providing secure communication over the Internet. Frederick J. Hirsch fjh@fjhirsch.com. CertCo Overview. Background Established in 1996. Banker’s Trust spinoff. Privately held. Mission
E N D
An Introduction to SSL/TLS and Certificates Providing secure communication over the Internet Frederick J. Hirsch fjh@fjhirsch.com
CertCo Overview • Background Established in 1996. Banker’s Trust spinoff. Privately held. • Mission CertCo provides secure and cost-effective business solutions that enable trust institutions to build a worldwide trust infrastructure to support high-value, secure electronic commerce. • Expertise Cryptography, risk management, law, technology and banking. • Location Headquarters: New York City Regional Offices: Cambridge (MA), Washington, DC, United Kingdom.
Outline • Problem: Creating applications which can communicate securely over the Internet • TLS: Transport Layer Security (SSL) • Certificates • Related technology: S-HTTP, IPSec, SET, SASL • References
Security Issues • Privacy • Anyone can see content • Integrity • Someone might alter content • Authentication • Not clear who you are talking with
TLS: Transport Layer Security • formerly known asSSL: Secure Sockets Layer • Addresses issues of privacy, integrity and authentication • What is it? • How does it address the issues? • How is it used
HTTP Telnet FTP LDAP TLS TCP IP What is TLS? • Protocol layer • Requires reliable transport layer (e.g. TCP) • Supports any application protocols
A B Message $%&#!@ Message TLS: Privacy • Encrypt message so it cannot be read • Use conventional cryptography with shared key • DES, 3DES • RC2, RC4 • IDEA
TLS:Key Exchange • Need secure method to exchange secret key • Use public key encryption for this • “key pair” is used - either one can encrypt and then the other can decrypt • slower than conventional cryptography • share one key, keep the other private • Choices are RSA or Diffie-Hellman
TLS: Integrity • Compute fixed-length Message Authentication Code (MAC) • Includes hash of message • Includes a shared secret • Include sequence number • Transmit MAC with message
A B Message Message’ MAC =? MAC MAC’ TLS: Integrity • Receiver creates new MAC • should match transmitted MAC • TLS allows MD5, SHA-1
A B Certificate Certificate TLS: Authentication • Verify identities of participants • Client authentication is optional • Certificate is used to associate identity with public key and other attributes
TLS: Overview • Establish a session • Agree on algorithms • Share secrets • Perform authentication • Transfer application data • Ensure privacy and integrity
Handshake Protocol Change Cipher Spec Alert Protocol TLS Record Protocol TLS: Architecture • TLS defines Record Protocol to transfer application and TLS information • A session is established using a Handshake Protocol
TLS: Handshake • Negotiate Cipher-Suite Algorithms • Symmetric cipher to use • Key exchange method • Message digest function • Establish and share master secret • Optionally authenticate server and/or client
Handshake Phases • Hello messages • Certificate and Key Exchange messages • Change CipherSpec and Finished messages
TLS: Hello • Client “Hello” - initiates session • Propose protocol version • Propose cipher suite • Server chooses protocol and suite • Client may request use of cached session • Server chooses whether to honor request
TLS: Key Exchange • Server sends certificate containing public key (RSA) or Diffie-Hellman parameters • Client sends encrypted “pre-master” secret to server using Client Key Exchange message • Master secret calculated • Use random values passed in Client and Server Hello messages
Public Key Certificates • X.509 Certificate associates public key with identity • Certification Authority (CA) creates certificate • Adheres to policies and verifies identity • Signs certificate • User of Certificate must ensure it is valid
Validating a Certificate • Must recognize accepted CA in certificate chain • One CA may issue certificate for another CA • Must verify that certificate has not been revoked • CA publishes Certificate Revocation List (CRL)
Version Serial Number Signature Algorithm Identifier Object Identifier (OID) e.g. id-dsa: {iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 1} Issuer (CA) X.500 name Validity Period (Start,End) Subject X.500 name Subject Public Key Algorithm Value Issuer Unique Id (Version 2 ,3) Subject Unique Id (Version 2,3) Extensions (version 3) optional CA digital Signature X.509: Certificate Content
Subject Names • X.500 Distinguished Name (DN) • Associated with node in hierarchical directory (X.500) • Each node has Relative Distinguished Name (RDN) • Path for parent node • Unique set of attribute/value pairs for this node
Example Subject Name • Country at Highest Level (e.g. US) • Organization typically at next level (e.g. CertCo) • Individual below (e.g. Common Name “Elizabeth” with Id = 1) DN = { • C=US; • O=CertCo; • CN=Elizabeth, ID=1}
Version 3 Certificates • Version 3 X.509 Certificates support alternative name formats as extensions • X.500 names • Internet domain names • e-mail addresses • URLs • Certificate may include more than one name
Certificate Signature • RSA Signature • Create hash of certificate • Encrypt using CA’s private key • Signature verification • Decrypt using CA’s public key • Verify hash
Client ClientHello Server ServerHello Certificate ServerKeyExchange TLS: ServerKeyExchange
Client ClientHello Server ServerHello Certificate ServerKeyExchange CertificateRequest TLS: Certificate Request
Client ClientHello ClientCertificate ClientKeyExchange Server ServerHello Certificate ServerKeyExchange CertificateRequest TLS: Client Certificate
Client [ChangeCipherSpec] Finished Application Data Server [ChangeCipherSpec] Finished Application Data TLS: Change Cipher Spec, Finished
TLS: Change Cipher Spec/Finished • Change Cipher Spec • Announce switch to negotiated algorithms and values • Finished • Send copy of handshake using new session • Permits validation of handshake
Client ClientHello (Session #) [ChangeCipherSpec] Finished Application Data Server ServerHello (Session #) [ChangeCipherSpec] Finished Application Data TLS: Using a Session
Changes from SSL 3.0 to TLS • Fortezza removed • Additional Alerts added • Modification to hash calculations • Protocol version 3.1 in ClientHello, ServerHello
TLS: HTTP Application • HTTP most common TLS application • https:// • Requires TLS-capable web server • Requires TLS-capable web browser • Netscape Navigator • Internet Explorer • Cryptozilla • Netscape Mozilla sources with SSLeay
Web Servers • Apache-SSL • Apache mod_ssl • Stronghold • Roxen • iNetStore
Other Applications • Telnet • FTP • LDAP • POP • SSLrsh • Commercial Proxies
TLS: Implementation • Cryptographic Libraries • RSARef, BSAFE • TLS/SSL packages • SSLeay • SSLRef
X.509 Certificate Issues • Certificate Administration is complex • Hierarchy of Certification Authorities • Mechanisms for requesting, issuing, revoking certificates • X.500 names are complicated • Description formats are cumbersome (ASN.1)
X.509 Alternative: SDSI • SDSI: Simple Distributed Security Infrastructure (Rivest, Lampson) • Merging with IETF SPKI: Simple Public-Key Infrastructure in SDSI 2.0 • Eliminate X.500 names - use DNS and text • Everyone is their own CA • Instead of ASN.1 use “S-expressions” and simple syntax • Name and Authorization certificates
TLS “Alternatives” • S-HTTP: secure HTTP protocol, shttp:// • IPSec: secure IP • SET: Secure Electronic Transaction • Protocol and infrastructure for bank card payments • SASL: Simple Authentication and Security Layer (RFC 2222)
Summary • SSL/TLS addresses the need for security in Internet communications • Privacy - conventional encryption • Integrity - Message Authentication Codes • Authentication - X.509 certificates • SSL in use today with web browsers and servers
References - 1 • Engelschall, Ralph, mod_ssl, <http://www.engelschall.com/sw/mod_ssl> • Ford, Warwick, Baum, Michael S. Secure Electronic Commerce, Prentice Hall 1997. • Hirsch, Frederick J. “Introduction to SSL and Certificates Using SSLeay”, World Wide Web Journal, Summer 1997, <http://www.fjhirsch.com/wwwj/> • Hudson, Tim J, Young, Eric A , “SSLeay and SSLapps FAQ”, <http://www.psy.uq.oz.au/~ftp/Crypto/> • Kaufman, Charlie, Perlman, Radia, Speciner,Mike Network Security: PRIVATE Communication in a PUBLIC World, Prentice Hall, 1995.
References - 2 • Rivest, Ron, SDSI, <http://theory.lcs.mit.edu/~cis/sdsi.html> • Stallings, William Cryptography and Network Security: Principles and Practice, 2nd Edition,Prentice Hall, 1999. • Wagner, David, Schneier, Bruce “Analysis of the SSL 3.0 Protocol” <http://www.counterpane.com/ssl.html> • Internet Drafts and RFCs <http://www.ietf.org/>. Use the keyword search on TLS or SSL in the Internet Drafts section to find the TLS Protocol specification and other relevant documents. • PKCS standards: <http://www.rsa.com/rsalabs/pubs/PKCS/>
References - 3 • Microsoft Security Documents <http://www.microsoft.com/workshop/security/contents.htm> • Netscape Security Documents <http://www.netscape.com/eng/security/>