Internet Security 1 (IntSi1)
8 Transport Layer Security (TLS)
Prof. Dr. Andreas Steffen, Institute for Internet Technologies and Applications (ITA)

[Chart] TLS Market Share of Certification Authorities, 2010. Source: Netcraft Ltd, https://ssl.netcraft.com/ssl-sample-report/CMatch/certs
Secure Network Protocols for the OSI Stack (communication layer: security protocols)
• Application layer: ssh, S/MIME, PGP, Kerberos, WSS
• Transport layer: TLS, [SSL]
• Network layer: IPsec
• Data Link layer: [PPTP, L2TP], IEEE 802.1X, IEEE 802.1AE, IEEE 802.11i (WPA2)
• Physical layer: Quantum Cryptography

TLS/SSL Protocol Layers
• Insecure transport layer: Application / Sockets / TCP / IP
• Secure transport layer: Application / TLS (Fragmentation, Compression, Authentication, Encryption) / TCP / IP

TLS Record Protocol
• Application Data (messages): Handshake, ChangeCipherSpec, Alert, Application
• TLS Record Protocol (records)
• TCP Transport Protocol (stream)
• IP Network Protocol (packets)

TLS Record Structure
• Application Data is split into segments (Segment 1, Segment 2, ...), each carried in one record
• Record Body: [Compressed] Data + MAC + Padding, encrypted; its length is n * Block Cipher Size
• Record Header: 5 bytes
• On the wire: TCP Header | Record Header | Encrypted Data
TLS Handshake Protocol (* optional, ° encrypted)
• Client → Server: Client Hello (RC)
• Server → Client: Server Hello (RS), Certificate*, ServerKeyExchange*, CertificateRequest*, ServerHelloDone
• Client → Server: Certificate*, ClientKeyExchange, CertificateVerify*, ChangeCipherSpec, Finished°
• Server → Client: ChangeCipherSpec, Finished°
• Client ↔ Server: Application Data°

Resuming a TLS Session (° encrypted)
• Client → Server: Client Hello (RC)
• Server → Client: Server Hello (RS), ChangeCipherSpec, Finished°
• Client → Server: ChangeCipherSpec, Finished°
• Client ↔ Server: Application Data°
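The two slides above show the record layer (5-byte header: content type, version, length) and the handshake messages that travel inside it, and mark everything after ChangeCipherSpec as encrypted. The following Python is an added example written for this page, not part of the lecture material or of any TLS library: it walks one direction of a TLS byte stream, decodes record and handshake headers, reads the protocol version out of a ClientHello, and stops interpreting handshake bodies once ChangeCipherSpec has switched on encryption. The constants are the RFC 5246 values; the byte stream it parses is constructed inline (a fixed filler stands in for the 32-byte random), so nothing is captured traffic.

```python
import struct

# Record header as on the slide: 5 bytes = content type (1) | version (2) | length (2).
RECORD_HEADER_LEN = 5

# Real protocol constants from RFC 5246.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE_TYPES = {
    1: "client_hello", 2: "server_hello", 11: "certificate", 12: "server_key_exchange",
    13: "certificate_request", 14: "server_hello_done", 15: "certificate_verify",
    16: "client_key_exchange", 20: "finished",
}


def parse_handshake(body):
    """Split a cleartext handshake record body into messages (4-byte header: type (1) | length (3))."""
    messages = []
    offset = 0
    while offset < len(body):
        if len(body) - offset < 4:
            raise ValueError("truncated handshake header")
        msg_type = body[offset]
        msg_len = int.from_bytes(body[offset + 1:offset + 4], "big")
        msg_body = body[offset + 4:offset + 4 + msg_len]
        if len(msg_body) != msg_len:
            raise ValueError("truncated handshake message")
        message = {"type": HANDSHAKE_TYPES.get(msg_type, "unknown(%d)" % msg_type)}
        # ClientHello / ServerHello begin with the offered / selected protocol version.
        if msg_type in (1, 2) and len(msg_body) >= 2:
            hello_version = int.from_bytes(msg_body[:2], "big")
            message["version"] = VERSIONS.get(hello_version, "unknown(0x%04x)" % hello_version)
        messages.append(message)
        offset += 4 + msg_len
    return messages


def parse_records(data):
    """Describe each record of one direction of a TLS stream.

    After a ChangeCipherSpec the following records (Finished, Application Data) are encrypted,
    so their bodies are reported by type and length but not interpreted.
    """
    records = []
    encrypted = False
    offset = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER_LEN:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + RECORD_HEADER_LEN])
        body = data[offset + RECORD_HEADER_LEN:offset + RECORD_HEADER_LEN + length]
        if len(body) != length:
            raise ValueError("record at offset %d declares %d bytes, only %d present" % (offset, length, len(body)))
        record = {
            "type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": VERSIONS.get(version, "unknown(0x%04x)" % version),
            "length": length,
            "encrypted": encrypted,
        }
        if ctype == 22 and not encrypted:
            record["handshake"] = parse_handshake(body)
        if ctype == 20:
            encrypted = True  # everything after ChangeCipherSpec is protected by the new keys
        records.append(record)
        offset += RECORD_HEADER_LEN + length
    return records


def is_truncated(data):
    """True if the stream does not end on a record boundary (a partial TCP read, for instance)."""
    try:
        parse_records(data)
        return False
    except ValueError:
        return True


def build_client_hello(client_version=0x0303, record_version=0x0301):
    """Constructed sample ClientHello (not captured traffic); the 'random' is a fixed filler."""
    body = struct.pack("!H", client_version) + b"\x11" * 32  # client_version, random
    body += b"\x00"                                           # session_id length 0 (new session)
    body += struct.pack("!H", 2) + b"\x00\x2f"               # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                       # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake


# Constructed client-to-server stream: ClientHello, ChangeCipherSpec, encrypted Finished, Application Data.
SAMPLE_STREAM = (
    build_client_hello()
    + struct.pack("!BHH", 20, 0x0303, 1) + b"\x01"
    + struct.pack("!BHH", 22, 0x0303, 16) + b"\xaa" * 16   # encrypted Finished (opaque here)
    + struct.pack("!BHH", 23, 0x0303, 5) + b"\xbb" * 5     # encrypted Application Data
)

if __name__ == "__main__":
    for record in parse_records(SAMPLE_STREAM):
        print(record)
```

The record-layer version of the ClientHello (TLS 1.0 here) and the version inside the hello (TLS 1.2) are deliberately different, which is common on the wire; a monitor that reports only the record-layer field would misjudge what the client actually offers.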
Implemented SSL/TLS Protocol Versions
• SSL – Secure Sockets Layer Version 2.0
  • Initially developed by Netscape
  • SSL 2.0 is sensitive to man-in-the-middle attacks leading e.g. to the negotiation of weak encryption keys
  • SSL 2.0 should not be used anymore
• SSL – Secure Sockets Layer Version 3.0
  • Internet Draft authored by Netscape, November 1996
  • Supported by all browsers
  • Vulnerable to the BEAST Cipher-Block-Chaining (CBC) attack
• TLS – Transport Layer Security Version 1.0 (SSL 3.1)
  • IETF RFC 2246, January 1999
  • TLS 1.0 is not backwards compatible to SSL 3.0 (differences in MAC computation, PRF function for master_secret and key material)
  • Supported by all browsers
  • Vulnerable to the BEAST Cipher-Block-Chaining (CBC) attack

BEAST – Browser Exploit Against SSL/TLS
• Authors: Thai Duong and Juliano Rizzo presented their exploit on September 23, 2011 at the 7th ekoparty Security Conference in Buenos Aires.
• Exploit: The exploit uses a known-plaintext attack on the Cipher-Block-Chaining (CBC) encryption vulnerability of SSL 3.0 and TLS 1.0, which has been known since 2001 and was fixed by TLS 1.1 in 2006.
• Approach: The BEAST JavaScript code running in a browser decrypts encrypted cookies sent via HTTPS within a couple of seconds.
• Fix:
  • Temporary workaround: set up HTTPS web servers with stream ciphers (e.g. the rather outdated RC4 algorithm)
  • Migration of HTTPS web servers and browsers to TLS 1.1 or 1.2.
Latest TLS Protocol Versions
• TLS – Transport Layer Security Version 1.1 (SSL 3.2)
  • IETF RFC 4346, April 2006
  • Protection against CBC attacks (Serge Vaudenay, EPFL, 2004):
    • Implicit Initialization Vector (IV) is replaced with an explicit IV
    • Handling of padding errors is changed to use the bad_record_mac alert rather than decryption_failed.
• TLS – Transport Layer Security Version 1.2 (SSL 3.3)
  • IETF RFC 5246, August 2008, updated by RFC
  • Combined MD5/SHA-1 hash and PRF functions replaced by SHA-256 based default algorithms or cipher-suite specified methods.
  • Support of Authenticated Encryption with Additional Data (AEAD) modes (e.g. AES-GCM accelerated by the Intel AES-NI instruction set)
• TLS 1.1 and 1.2 Support
  • Windows 7, Windows Server 2008 R2
  • GnuTLS library, the OpenSSL 1.0.1 snapshot and strongSwan libtls.
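The second TLS 1.1 change listed above, reporting padding errors as bad_record_mac instead of decryption_failed, is what the receiving side of a CBC cipher suite has to do with a decrypted record body (data | MAC | padding | padding_length, as on the record-structure slide) so that a corrupted record cannot be told apart by alert type from one with a broken MAC. The Python below is an added example for this page, not code from the lecture or from any TLS implementation: it builds the plaintext record body for a *_CBC_SHA suite with the real RFC 4346/5246 MAC input (sequence number, type, version, length, fragment, HMAC-SHA1) and verifies it the TLS 1.1 way, computing the MAC even when the padding is already known to be wrong and raising one exception for every failure. The block cipher itself is left out (the body is handled before encryption and after decryption); the key and the HTTP fragment are constructed demo values.

```python
import hmac
import hashlib
import struct


class BadRecordMAC(Exception):
    """The one alert (bad_record_mac) raised for padding and MAC failures alike."""


BLOCK_SIZE = 16   # AES block size, as in the *_AES_128_CBC_SHA suites
MAC_LEN = 20      # HMAC-SHA1 output length


def record_mac(mac_key, seq_num, content_type, version, fragment):
    """TLS record MAC input: seq_num(8) | type(1) | version(2) | length(2) | fragment (RFC 4346/5246)."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def build_record_body(mac_key, seq_num, content_type, version, fragment):
    """Plaintext record body before CBC encryption: fragment | MAC | padding | padding_length."""
    unpadded = fragment + record_mac(mac_key, seq_num, content_type, version, fragment)
    pad_len = BLOCK_SIZE - (len(unpadded) + 1) % BLOCK_SIZE   # +1 for the padding_length byte itself
    # TLS padding: pad_len bytes each equal to pad_len, followed by the padding_length byte (also pad_len).
    return unpadded + bytes([pad_len]) * (pad_len + 1)


def check_record_body(mac_key, seq_num, content_type, version, body):
    """Verify a decrypted record body and return the fragment.

    Padding and MAC problems both raise BadRecordMAC, and the MAC is computed even when the
    padding is already known to be wrong (it is then treated as zero-length padding), so the
    two failure paths cannot be distinguished through the alert type.
    """
    if len(body) == 0 or len(body) % BLOCK_SIZE != 0:
        raise BadRecordMAC()
    pad_len = body[-1]
    padding_ok = (pad_len + 1 + MAC_LEN <= len(body)
                  and all(b == pad_len for b in body[-(pad_len + 1):]))
    if not padding_ok:
        pad_len = 0       # RFC 4346 countermeasure: continue as if the padding had zero length
    content_end = len(body) - pad_len - 1
    if content_end < MAC_LEN:
        raise BadRecordMAC()
    fragment = body[:content_end - MAC_LEN]
    received_mac = body[content_end - MAC_LEN:content_end]
    expected_mac = record_mac(mac_key, seq_num, content_type, version, fragment)
    mac_ok = hmac.compare_digest(received_mac, expected_mac)
    if not (padding_ok and mac_ok):
        raise BadRecordMAC()
    return fragment


def failure_kind(mac_key, seq_num, content_type, version, body):
    """'ok', or the single alert name a TLS 1.1+ peer would send for this body."""
    try:
        check_record_body(mac_key, seq_num, content_type, version, body)
        return "ok"
    except BadRecordMAC:
        return "bad_record_mac"


def flip_byte(data, index):
    """Copy of data with one bit of data[index] flipped (simulates a corrupted record)."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


# Constructed demo values, not real key material or captured traffic.
MAC_KEY = b"constructed-demo-mac-key"
APPLICATION_DATA, TLS_1_1 = 23, 0x0302
SAMPLE_FRAGMENT = b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: session=demo\r\n\r\n"

if __name__ == "__main__":
    body = build_record_body(MAC_KEY, 1, APPLICATION_DATA, TLS_1_1, SAMPLE_FRAGMENT)
    print("intact       :", failure_kind(MAC_KEY, 1, APPLICATION_DATA, TLS_1_1, body))
    print("bad padding  :", failure_kind(MAC_KEY, 1, APPLICATION_DATA, TLS_1_1, flip_byte(body, len(body) - 1)))
    print("bad MAC      :", failure_kind(MAC_KEY, 1, APPLICATION_DATA, TLS_1_1, flip_byte(body, len(SAMPLE_FRAGMENT))))
    print("replayed seq :", failure_kind(MAC_KEY, 2, APPLICATION_DATA, TLS_1_1, body))
```

The sequence number in the MAC input is why a replayed or reordered record also ends in bad_record_mac: the same body verified under the next expected sequence number no longer matches.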
TLS Enhanced TCP-based Application Protocols (Service Name, Port, Secured Service)
• https 443/tcp: http protocol over TLS
• smtps 465/tcp: smtp protocol over TLS; smtp 25/tcp: STARTTLS keyword (RFC 2487)
• imaps 993/tcp: imap4 protocol over TLS; imap4 143/tcp: STARTTLS keyword (RFC 2595)
• pop3s 995/tcp: pop3 protocol over TLS; pop3 110/tcp: STLS keyword (RFC 2595)
• ldaps 636/tcp: ldap protocol over TLS
• ircs 994/tcp: irc protocol over TLS
• nntps 563/tcp: nntp protocol over TLS