Explore SSL, a key protocol for web security, ensuring confidentiality, authentication, and integrity in data exchange with encryption and MAC algorithms. Learn about SSL handshake, session state info, record format, and more.
CSCE 715: Network Systems Security
Chin-Tser Huang
huangct@cse.sc.edu
University of South Carolina
Web Security
• Web is now widely used by business, government, and individuals
• But Internet and Web are vulnerable
• Have a variety of threats
  • integrity
  • confidentiality
  • denial of service
  • authentication
• Need to add security mechanisms
Secure Socket Layer (SSL)
• Security service at transport layer
• Originally developed by Netscape
• SSLv3 was designed with public input
• Subsequently became Internet standard known as Transport Layer Security (TLS)
• Uses TCP to provide reliable end-to-end service
SSL Services
• SSL provides
  • Client-server authentication (public-key cryptography)
  • Data traffic confidentiality
  • Message authentication and integrity check
• SSL does not prevent
  • Traffic analysis
  • TCP implementation oriented attacks
SSL State Information
• SSL session is stateful: SSL protocol must initialize and maintain session state information on either side of the session
• SSL session can be used for several connections: each connection additionally keeps its own connection state information
SSL Session State Information
• Session ID: chosen by the server to identify an active or resumable session state
• Peer certificate: certificate for peer entity (X.509 v. 3)
• Compression method: algorithm to compress data before encryption
• Cipher spec: specification of data encryption and MAC algorithms
• Master secret: 48-byte secret shared between client and server
• Is resumable: flag that indicates whether the session can be used to initiate new connections
SSL Connection State Information
• Server and client random: byte sequences that are chosen by server and client for each connection
• Server write MAC secret: secret used for MAC on data written by server
• Client write MAC secret: secret used for MAC on data written by client
• Server write key: key used for data encryption by server and decryption by client
• Client write key: key used for encryption by client and decryption by server
• Initialization vector: for CBC block ciphers
• Sequence number: for both transmitted and received messages, maintained by each party
SSL Protocol
• SSL has two layers of protocols
• SSL Record Protocol
  • Layered on top of a connection-oriented and reliable transport layer service
  • Provides message origin authentication, data confidentiality, and data integrity
• SSL sub-protocols
  • Layered on top of the SSL Record Protocol
  • Provide support for SSL session and connection establishment
SSL Record Protocol
• Receives data from higher layer protocols
• Provides two services
  • confidentiality
    • using symmetric encryption with a shared secret key defined by Handshake Protocol
    • IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
    • message is compressed before encryption (optional)
  • message integrity
    • using a MAC with shared secret key
    • similar to HMAC but with different padding
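The SSLv3 record MAC next to the HMAC that TLS later adopted, as an added illustration that is not part of the lecture slides. The MAC secret, sequence number and record fragment are constructed sample values; the receiver-side check uses a constant-time comparison.

```python
import hashlib
import hmac
import struct

# SSLv3 pads the secret with raw 0x36/0x5c bytes (48 for MD5, 40 for SHA-1)
# by concatenation; HMAC instead XORs the pads into a full hash block.
SSLV3_PAD_LEN = {"md5": 48, "sha1": 40}


def sslv3_mac(hash_name, mac_secret, seq_num, content_type, fragment):
    """hash(secret + pad2 + hash(secret + pad1 + seq_num + type + length + fragment))."""
    n = SSLV3_PAD_LEN[hash_name]
    pad1 = b"\x36" * n
    pad2 = b"\x5c" * n
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, mac_secret + pad1 + header + fragment).digest()
    return hashlib.new(hash_name, mac_secret + pad2 + inner).digest()


def tls_mac(hash_name, mac_secret, seq_num, content_type, version, fragment):
    """TLS 1.0 (RFC 2246) uses standard HMAC and also covers the protocol version."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_name).digest()


def verify_sslv3_mac(hash_name, mac_secret, seq_num, content_type, fragment, received):
    """Receiver side: recompute with the expected sequence number and compare in constant time."""
    expected = sslv3_mac(hash_name, mac_secret, seq_num, content_type, fragment)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    key = b"\x11" * 20                            # constructed client write MAC secret
    data = b"GET / HTTP/1.0\r\n\r\n"              # constructed application-data fragment
    tag = sslv3_mac("sha1", key, 0, 23, data)    # 23 = application_data content type
    print(tag.hex(), verify_sslv3_mac("sha1", key, 0, 23, data, tag))
    # A replayed record is checked against the receiver's next sequence number and fails.
    print(verify_sslv3_mac("sha1", key, 1, 23, data, tag))
```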
SSL Change Cipher Spec Protocol
• A single message with only one byte “1”
• Causes pending state to become current, hence updating the cipher suite in use
SSL Alert Protocol
• Uses two-byte message to convey SSL-related alerts to peer entity
• First byte is severity level
  • warning(1) or fatal(2)
• Second byte is specific alert
  • Always fatal: unexpected_message, bad_record_mac, decompression_failure, handshake_failure, illegal_parameter
  • Other alerts: close_notify, no_certificate, bad_certificate, unsupported_certificate, certificate_revoked, certificate_expired, certificate_unknown
• Compressed and encrypted like all SSL data
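A decoder for the record header and the change-cipher-spec and alert bodies described on the last three slides, added here as an example rather than taken from the slides. It assumes the fragments it receives have already been decrypted and MAC-checked by the record layer; the alert code numbers are those of SSL 3.0, and the sample record is constructed.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
}
ALWAYS_FATAL = {"unexpected_message", "bad_record_mac", "decompression_failure",
                "handshake_failure", "illegal_parameter"}
MAX_FRAGMENT = 2 ** 14 + 2048  # SSLv3 limit for a compressed, MAC-ed fragment


def parse_record(buf):
    """Split one record off buf: (content type name, (major, minor), fragment, remaining bytes)."""
    if len(buf) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % ctype)
    if length > MAX_FRAGMENT or len(buf) < 5 + length:
        raise ValueError("bad record length %d" % length)
    return CONTENT_TYPES[ctype], (major, minor), buf[5:5 + length], buf[5 + length:]


def parse_alert(fragment):
    """Decode the two-byte alert; an always-fatal alert is fatal even if the peer marked it a warning."""
    if len(fragment) != 2:
        raise ValueError("alert must be exactly two bytes")
    level, desc = fragment[0], fragment[1]
    if level not in ALERT_LEVELS or desc not in ALERT_DESCRIPTIONS:
        raise ValueError("unknown alert %d/%d" % (level, desc))
    name = ALERT_DESCRIPTIONS[desc]
    return {"level": ALERT_LEVELS[level], "description": name,
            "fatal": level == 2 or name in ALWAYS_FATAL}


def parse_change_cipher_spec(fragment):
    """The only valid body is the single byte 1."""
    if fragment != b"\x01":
        raise ValueError("invalid change_cipher_spec body")
    return True


# Constructed sample: SSL 3.0 alert record carrying bad_record_mac tagged as a warning.
SAMPLE_ALERT_RECORD = bytes([21, 3, 0, 0, 2, 1, 20])
```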
SSL Handshake Protocol
• Allows server and client to
  • authenticate each other
  • negotiate encryption and MAC algorithms
  • negotiate cryptographic keys to be used
• Comprises a series of messages in phases
  • Establish Security Capabilities
  • Server Authentication and Key Exchange
  • Client Authentication and Key Exchange
  • Finish
SSL Handshake
• C → S: CLIENTHELLO
• S → C: SERVERHELLO
  • [CERTIFICATE]
  • [SERVERKEYEXCHANGE]
  • [CERTIFICATEREQUEST]
  • SERVERHELLODONE
• C → S: [CERTIFICATE]
  • CLIENTKEYEXCHANGE
  • [CERTIFICATEVERIFY]
  • CHANGECIPHERSPEC
  • FINISH
• S → C: CHANGECIPHERSPEC
  • FINISH
SSL Handshake
• C → S: CLIENTHELLO
• CLIENTHELLO message is sent by the client
  • When the client wants to establish a TCP connection to the server,
  • When a HELLOREQUEST message is received, or
  • When client wants to renegotiate security parameters of an existing connection
• Message content:
  • Highest SSL version number understood by the client
  • Client’s random structure (32-bit timestamp and 28-byte pseudorandom number)
  • Session ID client wishes to use (ID is empty for new session)
  • List of cipher suites the client supports
  • List of compression methods the client supports
SSL Handshake
• S → C: SERVERHELLO
  • [CERTIFICATE]
  • [SERVERKEYEXCHANGE]
  • [CERTIFICATEREQUEST]
  • SERVERHELLODONE
• Server processes CLIENTHELLO message
• Server responds to client with SERVERHELLO message:
  • Server version number: the lower of the version suggested by the client and the highest version supported by the server
  • Server’s random structure: 32-bit timestamp and 28-byte pseudorandom number
  • Session ID: corresponding to this connection
  • Cipher suite: selected by the server from client’s list
  • Compression method: selected by the server from client’s list
SSL Handshake
• S → C: SERVERHELLO
  • [CERTIFICATE]
  • [SERVERKEYEXCHANGE]
  • [CERTIFICATEREQUEST]
  • SERVERHELLODONE
• Optional messages:
  • CERTIFICATE:
    • Sent if the server is using certificate-based authentication
    • May contain RSA public key good for key exchange
  • SERVERKEYEXCHANGE:
    • Sent if the client does not have a certificate, has a certificate that can only be used to verify digital signatures, or uses FORTEZZA token-based key exchange
  • CERTIFICATEREQUEST:
    • Server may request a personal certificate to authenticate a client
SSL Handshake
• C → S: [CERTIFICATE]
  • CLIENTKEYEXCHANGE
  • [CERTIFICATEVERIFY]
  • CHANGECIPHERSPEC
  • FINISH
• Client processing:
  • Verifies the site certificate
    • Site certificate is accepted as valid only if the server’s name matches the host part of the URL the client wants to access
  • Checks security parameters supplied by the SERVERHELLO
SSL Handshake
• C → S: [CERTIFICATE]
  • CLIENTKEYEXCHANGE
  • [CERTIFICATEVERIFY]
  • CHANGECIPHERSPEC
  • FINISH
• Client messages:
  • CERTIFICATE
    • If server requested client authentication, client sends its certificate
  • CLIENTKEYEXCHANGE
    • Format depends on the key exchange algorithm selected by the server
      • RSA: 48-byte premaster secret encrypted by the server’s public key
      • Diffie-Hellman: public parameters exchanged between server and client in SERVERKEYEXCHANGE and CLIENTKEYEXCHANGE messages
      • FORTEZZA: token-based key exchange based on public and private parameters
    • Premaster secret is transformed into a 48-byte master secret, stored in the session state
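The transformation of the RSA premaster secret into the 48-byte master secret, written out as an added example (not code from the slides). It builds the client and server random structures from the hello slides and applies the SSLv3 derivation from RFC 6101; the timestamps and nonces in the demonstration run are constructed so the output is reproducible.

```python
import hashlib
import os
import struct
import time


def hello_random(timestamp=None, nonce=None):
    """32-bit timestamp + 28 pseudorandom bytes, as carried in CLIENTHELLO / SERVERHELLO."""
    ts = int(time.time()) if timestamp is None else timestamp
    nonce = os.urandom(28) if nonce is None else nonce
    if len(nonce) != 28:
        raise ValueError("nonce must be 28 bytes")
    return struct.pack("!I", ts & 0xFFFFFFFF) + nonce


def rsa_premaster(version=(3, 0), nonce=None):
    """RSA key exchange premaster: 2-byte client version + 46 random bytes = 48 bytes."""
    nonce = os.urandom(46) if nonce is None else nonce
    if len(nonce) != 46:
        raise ValueError("nonce must be 46 bytes")
    return bytes(version) + nonce


def sslv3_master_secret(premaster, client_random, server_random):
    """master = MD5(pre + SHA('A' + pre + cr + sr)) || MD5(pre + SHA('BB' + ...)) || MD5(pre + SHA('CCC' + ...))."""
    if len(premaster) != 48 or len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("premaster must be 48 bytes and each random 32 bytes")
    master = b""
    for label in (b"A", b"BB", b"CCC"):
        inner = hashlib.sha1(label + premaster + client_random + server_random).digest()
        master += hashlib.md5(premaster + inner).digest()
    return master  # 48 bytes: the session-state master secret


if __name__ == "__main__":
    # Constructed inputs; real endpoints draw the nonces from os.urandom.
    cr = hello_random(0x5F000000, b"\x01" * 28)
    sr = hello_random(0x5F000001, b"\x02" * 28)
    pre = rsa_premaster(nonce=b"\x03" * 46)
    print(sslv3_master_secret(pre, cr, sr).hex())
```

Because both randoms enter the derivation, two connections that resume the same session still get different key material, while the master secret itself stays tied to the session.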
SSL Handshake
• C → S: [CERTIFICATE]
  • CLIENTKEYEXCHANGE
  • [CERTIFICATEVERIFY]
  • CHANGECIPHERSPEC
  • FINISH
• Client messages:
  • CERTIFICATEVERIFY
    • If client authentication is required
    • Provides explicit verification of the user’s identity (personal certificate)
  • CHANGECIPHERSPEC
    • Completes key exchange and cipher specification
  • FINISH
    • Encrypted by the newly negotiated session key
    • Verifies that the keys are properly installed in both sites
SSL Handshake
• S → C: CHANGECIPHERSPEC
  • FINISH
• Server finishes handshake by sending CHANGECIPHERSPEC and FINISH messages
• After SSL handshake completes, a secure connection is established to send application data encapsulated in SSL Record Protocol
SSL Handshake to Resume Session
• C → S: CLIENTHELLO
• S → C: SERVERHELLO, CHANGECIPHERSPEC, FINISH
• C → S: CHANGECIPHERSPEC, FINISH
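A checker for the message orders shown in the full-handshake and resumption diagrams above, added as an example and not part of the slides. Message names follow the slides; a peer that enforces this ordering rejects, for instance, a CHANGECIPHERSPEC that arrives before the key exchange is complete. It validates a whole transcript of (sender, message) pairs, and it accepts the abbreviated form whenever the messages fit it, whereas a real endpoint also checks that the SERVERHELLO session ID matches.

```python
FULL = [  # (sender, message, required); bracketed messages on the slide are optional
    ("C", "CLIENTHELLO", True), ("S", "SERVERHELLO", True),
    ("S", "CERTIFICATE", False), ("S", "SERVERKEYEXCHANGE", False),
    ("S", "CERTIFICATEREQUEST", False), ("S", "SERVERHELLODONE", True),
    ("C", "CERTIFICATE", False), ("C", "CLIENTKEYEXCHANGE", True),
    ("C", "CERTIFICATEVERIFY", False), ("C", "CHANGECIPHERSPEC", True),
    ("C", "FINISH", True), ("S", "CHANGECIPHERSPEC", True), ("S", "FINISH", True),
]
RESUMED = [
    ("C", "CLIENTHELLO", True), ("S", "SERVERHELLO", True),
    ("S", "CHANGECIPHERSPEC", True), ("S", "FINISH", True),
    ("C", "CHANGECIPHERSPEC", True), ("C", "FINISH", True),
]


def _match(pattern, transcript):
    """Walk the pattern in order; optional steps may be absent, required ones may not."""
    i = 0
    for sender, name, required in pattern:
        if i < len(transcript) and transcript[i] == (sender, name):
            i += 1
        elif required:
            got = transcript[i] if i < len(transcript) else "end of transcript"
            return False, "expected %s:%s, got %s" % (sender, name, got)
    if i != len(transcript):
        return False, "unexpected message %s" % (transcript[i],)
    return True, "ok"


def check_handshake(transcript):
    """Return (accepted, reason) for a list of (sender, message) pairs."""
    ok, why = _match(FULL, transcript)
    if not ok:
        resumed, _ = _match(RESUMED, transcript)
        return (True, "resumed session") if resumed else (False, why)
    sent = set(transcript)
    # Dependencies between optional messages that the order check alone cannot express.
    if ("C", "CERTIFICATEVERIFY") in sent and ("C", "CERTIFICATE") not in sent:
        return False, "CERTIFICATEVERIFY without a client CERTIFICATE"
    if ("C", "CERTIFICATE") in sent and ("S", "CERTIFICATEREQUEST") not in sent:
        return False, "client CERTIFICATE without a CERTIFICATEREQUEST"
    return True, "full handshake"
```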
Transport Layer Security (TLS)
• Specified as IETF standard RFC 2246
• Similar to SSLv3 but with minor differences
  • in record format version number
  • use HMAC for MAC
  • a pseudo-random function expands secrets
  • has additional alert codes
  • some changes in supported ciphers
  • changes in certificate negotiations
  • changes in use of padding
SSL/TLS vs IPsec
• SSL/TLS and IPsec are very similar in that they both require negotiation of security parameters and both provide authentication and confidentiality
• However there are still differences
  • SSL can be used to secure traffic going over TCP, while IPsec can be used to secure traffic going over IP, including UDP
  • SSL requires modifying applications by replacing socket calls with SSL socket calls, but does not require modifying OS; IPsec can be added without modifying applications (although they can be modified optionally to provide tailored service), but needs changes to the IP stack in OS
SSL/TLS vs IPsec
• ISAKMP requires both sides to authenticate each other, which is optional in SSL
• In some cases SSL can be tunneled through a proxy, while IPsec does not allow tunneling through intermediaries
• IPsec doesn’t work with a host behind a router performing network address translation (NAT); SSL has no problem with NAT
Next Class
• Midterm exam!
  • Oct. 17 in class
  • 75 minutes
  • About 10 questions
  • Accounts for 20% toward final grade
• Review textbook, lecture slides and related papers discussed in class