1 / 29

CSCE 715: Network Systems Security

CSCE 715: Network Systems Security. Chin-Tser Huang huangct@cse.sc.edu University of South Carolina. Web Security. Web is now widely used by business, government, and individuals But Internet and Web are vulnerable Have a variety of threats integrity confidentiality denial of service

mairi
Download Presentation

CSCE 715: Network Systems Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSCE 715:Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina

  2. Web Security • Web is now widely used by business, government, and individuals • But Internet and Web are vulnerable • Have a variety of threats • integrity • confidentiality • denial of service • authentication • Need to add security mechanisms

  3. Security Socket Layer (SSL) • Security service at transport layer • Originally developed by Netscape • SSLv3 was designed with public input • Subsequently became Internet standard known as Transport Layer Security (TLS) • Use TCP to provide reliable end-to-end service

  4. SSL Services • SSL provides • Client-server authentication (public-key cryptography) • Data traffic confidentiality • Message authentication and integrity check • SSL does not prevent • Traffic analysis • TCP implementation oriented attacks

  5. SSL State Information • SSL session is stateful  SSL protocol must initialize and maintain session state information on either side of the session • SSL session can be used for several connections  connection state information

  6. SSL Session State Information • Session ID: chosen by the server to identify an active or resumable session state • Peer certificate: certificate for peer entity (X.509 v. 3) • Compression method: algorithm to compress data before encryption • Cipher spec: specification of data encryption and MAC algorithms • Master secret: 48-byte secret shared between client and server • Is resumable: flag that indicates whether the session can be used to initiate new connections

  7. SSL Connection State Information • Server and client random: byte sequences that are chosen by server and client for each connection • Server write MAC secret: secret used for MAC on data written by server • Client write MAC secret: secret used for MAC on data written by client • Server write key: key used for data encryption by server and decryption by client • Client write key: key used for encryption by client and decryption by server • Initialization vector: for CBC block ciphers • Sequence number: for both transmitted and received messages, maintained by each party

  8. SSL Protocol Architecture

  9. SSL Protocol • SSL has two layers of protocols • SSL Record Protocol • Layered on top of a connection-oriented and reliable transport layer service • Provides message origin authentication, data confidentiality, and data integrity • SSL sub-protocols • Layered on top of the SSL Record Protocol • Provides support for SSL session and connection establishment

  10. SSL Record Protocol • Receives data from higher layer protocols • Provide two services • confidentiality • using symmetric encryption with a shared secret key defined by Handshake Protocol • IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 • message is compressed before encryption (optional) • message integrity • using a MAC with shared secret key • similar to HMAC but with different padding

  11. SSL Record Protocol Operation

  12. SSL Record Format

  13. SSL Change Cipher Spec Protocol • A single message with only one byte “1” • Cause pending state to become current, hence updating the cipher suite in use

  14. SSL Alert Protocol • Use two-byte message to convey SSL-related alerts to peer entity • First byte is severity level • warning(1) or fatal(2) • Second byte is specific alert • Always fatal: unexpected_message, bad_record_mac, decompression_failure, handshake_failure, illegal_parameter • Other alerts: close_notify, no_certificate, bad_certificate, unsupported_certificate, certificate_revoked, certificate_expired, certificate_unknown • Compressed and encrypted like all SSL data

  15. SSL Handshake Protocol • Allow server and client to • authenticate each other • negotiate encryption and MAC algorithms • negotiate cryptographic keys to be used • Comprise a series of messages in phases • Establish Security Capabilities • Server Authentication and Key Exchange • Client Authentication and Key Exchange • Finish

  16. SSL Handshake Messages

  17. SSL Handshake • C  S: CLIENTHELLO • S  C: SERVERHELLO • [CERTIFICATE] • [SERVERKEYEXCHANGE] • [CERTIFICATEREQUEST] • SERVERHELLODONE • C  S: [CERTIFICATE] • CLIENTKEYEXCHANGE • [CERTIFICATEVERIFY] • CHANGECIPHERSPEC • FINISH • S  C: CHANGECIPHERSPEC • FINISH

  18. SSL Handshake • CLIENTHELLO message is sent by the client • When the client wants to establish a TCP connection to the server, • When a HELLOREQUEST message is received, or • When client wants to renegotiate security parameters of an existing connection • Message content: • Number of highest SSL understood by the client • Client’s random structure (32-bit timestamp and 28-byte pseudorandom number) • Session ID client wishes to use (ID is empty for new session) • List of cipher suites the client supports • List of compression methods the client supports • C  S: CLIENTHELLO

  19. SSL Handshake • S  C: SERVERHELLO • [CERTIFICATE] • [SERVERKEYEXCHANGE] • [CERTIFICATEREQUEST] • SERVERHELLODONE • Server processes CLIENTHELLO message • Server responds to client with SERVERHELLO message: • Server version number: lower version of that suggested by the client and the highest supported by the server • Server’s random structure: 32-bit timestamp and 28-byte pseudorandom number • Session ID: corresponding to this connection • Cipher suite: selected by the server from client’s list • Compression method: selected by the server from client’s list

  20. SSL Handshake • S  C: SERVERHELLO • [CERTIFICATE] • [SERVERKEYEXCHANGE] • [CERTIFICATEREQUEST] • SERVERHELLODONE } Optional messages: • CERTIFICATE: • If the server is using certificate-based authentication • May contain RSA public key  good for key exchange • SERVERKEYEXCHANGE: • If the client does not have certificate, has certificate that can only be used to verify digital signatures, or uses FORTEZZA token-based key exchange • CERTIFICATEREQUEST: • Server may request personal certificate to authenticate a client

  21. SSL Handshake • C  S: [CERTIFICATE] • CLIENTKEYEXCHANGE • [CERTIFICATEVERIFY] • CHANGECIPHERSPEC • FINISH • Client processing: • Verifies site certification • Valid site certification if the server’s name matches the host part of the URL the client wants to access • Checks security parameters supplied by the SERVERHELLO

  22. SSL Handshake • C  S: [CERTIFICATE] • CLIENTKEYEXCHANGE • [CERTIFICATEVERIFY] • CHANGECIPHERSPEC • FINISH • Client messages: • CERTIFICATE • If server requested a client authentication, client sends • CLIENTKEYEXCHANGE • Format depends on the key exchange algorithm selected by the server • RSA: 48-byte premaster secret encrypted by the server’s public key • Diffie-Hellman: public parameters between server and client in SERVERKEYEXCHANGE and CLIENTKEYEXCHANGE messages • FORTEZZA: token-based key exchange based on public and private parameters • Premaster key is transformed into a 48-byte master secret, stored in the session state

  23. SSL Handshake • C  S: [CERTIFICATE] • CLIENTKEYEXCHANGE • [CERTIFICATEVERIFY] • CHANGECIPHERSPEC • FINISH • Client messages: • CERTIFICATEVERIFY • If client authentication is required • Provides explicit verification of the user’s identity (personal certificate) • CHANGECIPHERSPEC • Completes key exchange and cipher specification • FINISH • Encrypted by the newly negotiated session key • Verifies that the keys are properly installed in both sites

  24. SSL Handshake • S  C: CHANGECIPHERSPEC • FINISH • Server finishes handshake by sending CHANGECIPHERSPEC and FINISH messages • After SSL handshake completes a secure connection is established to send application data encapsulated in SSL Record Protocol

  25. SSL Handshake to Resume Session • C  S: CLIENTHELLO • S  C: SERVERHELLO CHANGECIPHERSPEC FINISH • C  S: CHANGECIPHERSPEC FINISH

  26. Transport Layer Security (TLS) • Specified as IETF standard RFC 2246 • Similar to SSLv3 but with minor differences • in record format version number • use HMAC for MAC • a pseudo-random function expands secrets • has additional alert codes • some changes in supported ciphers • changes in certificate negotiations • changes in use of padding

  27. SSL/TLS vs IPsec • SSL/TLS and IPsec are very similar in that they both require negotiation of security parameters and both provide authentication and confidentiality • However there are still differences • SSL can be used to secure traffic going over TCP, while IPsec can be used to secure traffic going over IP, including UDP • SSL requires modifying applications by replacing socket calls with SSL socket calls, but does not require modifying OS; IPsec can be added without modifying applications (although can be modified optionally to provide tailored service), but needs to change the IP stack in OS

  28. SSL/TLS vs IPsec • ISAKMP requires both sides to authenticate each other, which is optional in SSL • In some cases SSL can be tunneled through a proxy, while IPsec does not allow tunneling through intermediaries • IPsec doesn’t work with a host behind a router performing network address translation (NAT); SSL has no problem with NAT

  29. Next Class • Midterm exam! • Oct. 17 in class • 75 minutes • About 10 questions • Account for 20% toward final grade • Review textbook, lecture slides and related papers discussed in class

More Related