270 likes | 285 Views
Introduction to SSL Protocol. Introduction to SSL Protocol. Secure Socket Layer (SSL) Developed by Netscape A de facto standard for securing traffic of WWW Which layer? Above TCP/IP Below higher-level protocols such as HyperText Transport Protocol (HTTP)
E N D
Introduction to SSL Protocol • Secure Socket Layer (SSL) • Developed by Netscape • A de facto standard for securing traffic of WWW • Which layer? • Above TCP/IP • Below higher-level protocols such as HyperText Transport Protocol (HTTP) • Mainly for web server authentication and user data confidentiality • E.g. online shopping, banking, etc. • Current version: 3.0 • Published in 1996 as an Internet-Draft by Netscape • It has never been renewed after the document expired. • In the same year, TLS (Tansport Layer Security) Working Group was established
Introduction to TLS Protocol • Mission of TLS Working Group: standardize a ‘transport layer’ security protocol with similar objectives to the SSL. • TLS started with SSL v3.0 Three years later… • RFC2246, “TLS Protocol Version 1.0” • Essentially the same as SSL v3.0 • RFC2817, “Upgrading to TLS within HTTP/1.1” • RFC2818, “HTTP over TLS” Recently… • RFC3268, “AES Ciphersuites for TLS • Currently supported ciphers • RC2, RC4, IDEA, DES and Triple DES All RFCs are available at http://www.ietf.org/rfc
What’s SSL For? Internet Web Server (PK, SK) Web Browser Cert = < IDserver, PK, Expiry, SignCA(…) > • Server Authentication • An SSL-enabled server authenticates itself to a client • Client Authentication • A client authenticates itself to a server • Privacy • Two machines establish an encrypted connection, we call it a secure channel • Integrity and Authenticity • SSL uses the MAC (Message Authentication Code) technique to provide message integrity and authenticity check SSL Secure Channel
An Example • In applications such as online banking and Internet shopping, secure web servers and web browsers use SSL to provide server authentication and privacy. • Client authentication is optional and usually does not take place. • Why? • Hint – Think about what security issues we want to address here.
The Principle of the SSL Protocol • Two layers • Lower layer – record protocol: defines the data format for transmission • Upper layer – handshake protocol, change cipher spec protocol and alert protocol • A session of SSL is established by running the Handshake Protocol between a web server and a web browser. Just another illustration
Handshake Protocol A typical setup procedure of the SSL session of secure web browsing (Abridged Version)
Notations • rc, rs : random numbers for preventing replay attack • d, e, n : RSA private exponent, public exponent, modulo, respectively • α : A 46-byte random number for generate the session key K • h : a cryptographic hash function (e.g. MD5, SHA-1) • K : the session key • sessionID, sessionID’ : If sessionID = sessionID’, this implies that a • previous session is resumed • (list-of-ciphers) : list of ciphers and key sizes supported by the browser • e.g. (SSL_RSA_WITH_RC4_128_SHA, • SSL_RSA_WITH_RC2_CBC_40_MD5) • CERT : A sequence of X.509 digital certificates, ordered with the • sender’s certificate first followed by any certificate authority • (CA) certificates proceeding sequentially upward
Cryptographic Hash Functions And Message Authentication Codes
Outline • The Definition of Hash function • Birthday Attack • Security of Hash Function • MD5, SHA-1 • Block Ciphers as Hash Functions • Applications of Hash Functions • Digital Signature • Message Authentication Code • HMAC • One-time password
Hash Functions • A hash function is denoted by h: {0, 1}* {0, 1}n where n is a security parameter, say 128, 160, 256 or 512. • In English: • A function which is applicable to data of any size. • Its produces a fixed length output, usually short. • 3 Types of Security Requirements: • One-way: given an output z, it is difficult to find x such that z = h(x). • Weak collision-resistant: given x, it is difficult to find y x such that h(y) = h(x). • Strong collision-resistant: it is difficult to find any pair (x, y) such that h(x) = h(y). • Note: Strong collision-resistant Weak collision-resistant One-way • Let m be some message. h(x) is called the message digest.
Birthday Attack • Birthday Paradox: • If there are 23 people in a room, the probability that at least two people have the same birthday is slightly more than 50%. If there are 30, the probability is around 70%. • This process is analogous to throwing k balls randomly into n bins and checking to see if some bin contains at least two balls. • For having more than half chance of finding at least two balls in one bin, k 1.17 n1/2 • E.g. n = 365 k 23
Birthday Attack Against a Hash Function • Finding collisions of a hash function using Birthday Paradox. • randomly chooses k messages, x1, x2, …, xk • search if there is a pair of messages, say xi and xj such that h(xi) = h(xj). If so, one collision is found. • This birthday attack imposes a lower bound on the size of message digests. • e.g. 40-bit message digest would be very insecure, since a collision could be found with probability at least ½ after doing slight over 220 (about a million) random hashes.
Size of a Message Digest / Hash Value • h : {0,1}*{0,1}n • If n = 64, the probability of finding one collision will be higher than half after slightly more than 232 random hashes being tried. • If there exists a machine which can carry out 100,000 hashes per second, it takes 12 hours for finding the first collision with probability higher than half. • Recommended message digest lengths (in bits): 128 (MD5), 160 (SHA-1), 256 (SHA-256) or 512 (SHA-512) • For those recommended lengths, because the number of possible hashes is so large, the odds of finding one by chance is negligibly small (one in 280 for SHA-1).
General Design of Hash Algorithms • Partition the input message into L-1 fixed-sized blocks of b bits each. (e.g. b = 512 bits) • The remaining bits of the input are padded with the value of the length of the total input message. • It is then further padded until the final block is b bits long. … M1 M2 ML-1 ML||pad||Len b bits b bits • The hash algorithm involves iterated use of a compression function, f. • It is initialized by an initial value IV (i.e. a magic number). • Note: Hash algorithms are usually designed heuristically. M1 M2 ML b b b f f f IV n n n n n
Examples: MD5 and SHA-1 MD5 • MD – Message Digest, designed by Ron Rivest in 1992. • Available at http://www.ietf.org/rfc/rfc1321 • Output length: 128 bits • A Birthday Attack can be launched using 264 trials. SHA-1 • Developed by NIST based on MD4, a precursor to MD5, in 1995 • Available at http://www.itl.nist.gov/fipspubs/fip180-1.htm • Output length: 160 bits • More difficult to launch a birthday attack: needs 280 trials. SHA-2 (SHA 256/384/512) • Based on SHA-1 with a longer hash value
Block Ciphers as Hash Functions • Can use block ciphers as hash functions • using H0=0 and zero-pad for the final block • compute: Hi = AESMi [Hi-1] • and use the final block as the hash value • resulting hash is small (128-bit)
Digital Signature • Signature Generation Paradigm: SignSK(M) = ESK( H(M) ) • E.g. RSA-based Signature Scheme • Public key (n, e) • Private key (n, d) • Message m • Signature generation: = H(M)d mod n • Signature verification: H(M) ?= e mod n
Digital Signature • Advantages: • Enhance security: • Potential RSA signature forgery if without hash: 1 m1d mod n and 2 m2d mod n The signature of m1m2 mod n is 12 mod n. • With hash, the attack above does not work anymore. • Arbitrary message size: • Use a hash function H : {0, 1}* Zn for RSA signature scheme. • How to construct H from SHA-2?
Message Authentication • Data integrity: make sure what is sent is what is received. • Validating identity of sender: the claimed sender is the actual one. • Message authentication using digital signature • Method: Sender signs message using a private key • Disadvantage: digital signature is costly • Message Authentication Code (MAC) • Generated by an algorithm that creates a small fixed-sized block.
Message Authentication Code • MAC does not provide non-repudiation • Since both sender and receiver share the same key, • receiver could forge message • sender could deny message • Use digital signature for non-repudiation • MAC is a cryptographic checksum A CK(M) • condenses a variable-length message M to a fixed-sized tag A • using a secret key K • Security: knowing a message and a tag, is infeasible to find another message with same tag value • Like a keyed hash function (a many-to-one function) • potentially many messages have same MAC • but finding these are very difficult • Again: the authentication tag should be long enough (e.g. 256 bits)
Using Symmetric Ciphers for MACs • Can use any block cipher chaining mode and use final block as a MAC • Data Authentication Algorithm (DAA) • a widely used MAC based on DES-CBC • using IV=0 and zero-pad for the final block • encrypt message using DES in CBC mode • and send just the final block as the MAC
HMAC • Message Authentication Code: A CK (M) • M: message • A: authentication tag • for integrity and authenticity • HMAC: Keyed-hashing for Message Authentication • Used extensively in IPSec (IP Security) • IPSec is widely used for establishing Virtual Private Networks (VPNs) K opad K M ipad HMACK(M) = H( K opad || H((K ipad) || M) ) H H
One-time Password • For user authentication (e.g. remote login) • Pick a seed x0 (say 256-bit) to create a chain of hashed values: • Initially, the remote host stores xn and the user keeps x0 secret. • For the i-th login, the user sends xn-i to the remote host. • The system verifies if h(xn-i)= xn-i+1 • Recursively, the system stores xn-i and checks against h(xn-i-1) when user sends xn-i-1 in the next login session. • Adversaries cannot find xn-1 even if they know xn • New setup is needed after n log-on’s • Legacy system: S/Key • Reference: http://www.ietf.org/rfc/rfc2289
Security Updates of Hash Functions MD5 • In Aug 2004, Wang, et al. showed that it is “easy” to find collisions in MD5. They found many collisions in very short time (in minutes) • http://eprint.iacr.org/2004/199.pdf SHA-1 • In Feb 2005, Wang, et al. showed that collisions can be found in SHA-1 with an estimated effort of 269 hash computations. • Less than 280 hash computations by birthday attack. • http://www.schneier.com/blog/archives/2005/02/sha1_broken.html Impacts • Hurts digital signatures • Does not affect HMAC where collisions aren’t important. • For applications require underlying hash functions should be collision resistant, it’s time to migrate away from SHA-1. • Start using new standards SHA-256 and SHA-512. • http://csrc.nist.gov/CryptoToolkit/tkhash.html
Some Details about Finding Collisions in SHA-1 Q:How hard would it be to find collisions in SHA-1?A: The reported attacks require an estimated work factor of 269 (approximately 590 billion billion) hash computations. While this is well beyond what is currently feasible using a normal computer, this is potentially feasible for attackers who have specialized hardware. For example, with 10,000 custom ASICs that can each perform 2 billion hash operations per second, the attack would take about one year. Computing improvements predicted by Moore 's Law will make the attack more practical over time, e.g. making it possible for a wide-spread Internet virus to use compromised computers to mount such attacks as well. Once a collision has been found, additional collisions can be found trivially by concatenating data to the matching messages. Borrowed from http://www.cryptography.com/cnews/hash.html