Lecture: Transport Layer Security (secure Socket Layer)
Recommended reading:
Stephen Thomas, “SSS and TLS essentials”, Wiley, 2000 Very old and in some parts obsolete, but very well written Giuseppe Bianchi
Lecture’s twofold goal �Full dissection of a well known and widely employed security protocol �Rasonable in-depth analysis of TSL details �Devil is in details ☺ �Although many more details had to be skipped (this is not a full course on TLS…)
�Understand how a long-to-live security protocol should be designed �Show good design choices vs bad ones �TLS shows several examples for both! Giuseppe Bianchi
1
Introduction to TLS
Giuseppe Bianchi
History of SSL/TLS SSL v1 by Netscape never released 1994
…
SSL v2 Integrated in netscape 1.1 Badly broken! 1995
TLS v1.0 First IETF design (versus Netscape) 1996-1999 RFC 2246, jan 1999
SSL v3 Redesigned from scratch by Netscape 1996
…
TLS v 1.1 RFC 4346 Apr 2006
DTLS TLS v 1.2 RFC 4347 Still in progress Apr 2006 Internet draft v07-bis UDP support (nov 07) Get rid of now weak MD5/SHA-1hash TLS = SSL with minor modification (negotiated PRF, TLS1.0=SSLv3.1 default SHA-256) However NOT backward compatible with SSL 3.0 Public Domain implementation available @ www.openssl.org
Giuseppe Bianchi
2
SSL/TLS: layered view TCP/UDP/ANY
SMTP smtps SST/TLS
IPsec
TCP (if UDP, then DTLS)
IP
IP
HTTP
SMTP
……
Network layer security
HTTP https
……
Transport layer security
� SSL/TLS: operates on top of TCP, but below application layer � (can be considered as top sublayer for L4 or bottom for L7) � SSL/TLS: NOT a security enhancement of TCP! � Not necessarily limited to Internet transport (L4)! � Devised for point-to-point relationships in general � E.g. EAP-TLS (RFC 2716) � TLS mechanisms employed for authentication and integrity protection over L2 EAP
Giuseppe Bianchi
Application support HTTP
SMTP
http 80
smtp 25
TLS
TLS
https 443
smtps 587
HTTP
� Typical approach: reserve special port number for SSL/TLS mediated application � Example: � port 80 = HTTP over TCP � Port 443 = HTTP over SSL/TLS (HTTPS)
� SSL/TLS common application port numbers
http 80
� � � � �
smtps 465 (MS) or 587 (others) spop3 995 imaps 991 telnets 992 …
� Pros � works well; de facto standard � Straightforward application support!!
� Cons:
TCP/IP
� 2 reserved port numbers for same service � deprecated by IETF (but still here…)
� Alternative approach: slightly adapt application’s internals � App reuses same port number � Example: HTTPv1.1: upgrade: TLS/1.0 new http command (see RFC 2817)
Giuseppe Bianchi
3
TLS Goals �Establish a session �Agree on algorithms �Share secrets �Perform authentication �Transfer application data �Communication privacy �Symmetric encryption
�Data integrity �Keyed Message Authentication Code (HMAC)
�TLS approach: two-in-one �Most other security protocols clearly distinguish the protocol for establishing a session (e.g., IPsec IKE) from the protocol that delivers data and enforces security services (e.g., IPsec ESP/AH) Giuseppe Bianchi
Session vs Connection �Connection: �Transport service �TLS provides encryption and integrity �TLS Record Protocol �Session: �Association between Client and Server �Authentication and exchange of security parameters
�May include several connections �Heavy work: done once at the beginning �Designed for HTTPv1.0;
�TLS Handshake Protocol Giuseppe Bianchi
4
TLS protocol stack HTTP, etc Trivial protocols! Error Handling Establishes session & Initializes communicaton
start cipher
Handshake Alert Protocol Protocol
Change Cipher Spec
Application on TLS
TLS Record Protocol
Data transfer
Possibly special app port#
Minor modification of apps may be necessary (e.g. see RFC 2817/2818 for - HTTPS #443 - HTTPv1.1 ext
TCP Giuseppe Bianchi
TLS Record Protocol
Giuseppe Bianchi
5
Record Protocol operation
Record Protocol: - takes messages to be transmitted from apps - fragments the data into manageable blocks - optionally compresses the data - applies a MAC - encrypts - and transmits the result. - Reverse operation at reception (decryption, verification, decompression, reassembly, delivery to apps) Giuseppe Bianchi
Fragmentation �At application �TLS interface � �DON’T get confused with TCP segmentation!! �Input: block message of arbitrary size �possibly multiple aggregated messages of SAME protocol �Fragment size: 214=16384 bytes
Giuseppe Bianchi
6
Compression �Based on compression state negotiated… �Lossless compression, if size increases (may happen in special cases) increase must NOT exceed 1024 bytes �… but no compression by default �Until recently, no compression was employed in TLS & SSLv3! �Feature formerly used only in SSLv2
�But some specifications recently emerged » RFC 3749 – support for DEFLATE (RFC 1951) » RFC 3943 – support for Lempel-Ziv-Stac
�Reason: widespread diffusion of “verbose” languages – e.g. XML
Giuseppe Bianchi
Message Authentication Code �MAC computation �Secret (symmetric) key derived from security parameters negotiated during handshake �Hash function: negotiated during handshake �Computation: uses HMAC construction �keyed-hashing Message Authentication, RFC 2104
Giuseppe Bianchi
7
Why HMAC? /1 Pay 100 dollars
Pay 100 dollars
Pay 1000 dollars
H(M,S)
Pay 1000 dollars
H(M,S)
Modified!
� Simplest way to authenticate a message: � Share secret S � Share Hash function H � Compute H(message, secret) and verify upon reception � Good hash (anticollision properties) � good protection � Weaker than digital signature, but practical
Giuseppe Bianchi
Why HMAC? /2 �Practical question: how to insert a secret in the hash??? �Secret prefix �H(S | M) � may lead to extension attacks – H(S|M|X) may be computed from H(S|M) without knowing S – If H(M)=H(M’) then H(M|X)=H(M’|X)
�Secret suffix �H(M | S) � much better; » but pre-computation can be exploited in attacks » and no formal proof of security
�Envelope �H(S1 | M | S2) � two secrets needed » Again, no formal security proof Giuseppe Bianchi
8
HMAC RFC 2104, february 2007
HMACK(M) = H(K+ XOR opad || H(K+ XOR ipad || M)) �K+ = shared key padded to hash basic block » When H=MD5, padding to 512 bits
size
�opad = 0x36 = 00110110 repeated as needed �ipad = 0x5C = 01011100 repeated as needed � HMAC design goals: � quantitatively proven robustness: as secure as its underlying hash is » see Bellare, Canetti, Krawcxykz, Keying Hash Functions for Message Authentication, 1996
� Practical and flexible (you may change the underlying hash with more robust one) � Efficient computation � Padding: two key effect! Giuseppe Bianchi
Encryption �Fragment Encryption �Applies to both (compressed) fragment and MAC �No encryption possible �If no encryption negotiated �Or in early handshake phases
�Symmetric encryption algorithm �Block or stream cipher �Algorithm (RC4, DES, 3DES, etc) negotiated during handshake, too �If block cipher, padding necessary to achieve block size �Secret key derived from security parameters negotiated during handshake �Differs from key used in MAC
�Encryption algorithm CANNOT increase size of more than 1024 bytes Giuseppe Bianchi
9
Record Protocol Data Unit Application data OR Alert OR Handshake OR Change_cipher_spec
3.1 for TLS
� 5 bytes header � Content type = 1 � Version = 1+1 � Length = 2 � Content Type � higher layer protocol � � � �
20 = 0x14 = Change Cipher Spec 21 = 0x15 = Alert 22 = 0x16 = Handshake 23 = 0x17 = Application Data
� Sequence number � Not transmitted, but kept at both connection extremes � Remember: reliable transport, hence no “holes” � NO WAY TO AVOID TCP ☺ � Explicit 2 (epoch = cipher state change) + 6 bytes sequence number were added in DTLS
Giuseppe Bianchi
MAC generation details �Computed through HMAC �HMAC(seq.num | ctype | version | len | data) �Minor differences with SSLv3 » No version in SSLv3 » Slightly different HMAC construction – (RFC 2104 final specification not yet finalized at the time ☺)
�Hash used in HMAC: �MD5 � 16 bytes hash �SHA-1 � 20 bytes hash
�Negotiation may decide not to use MAC �In practice, always present �Sequence number: �Not transmitted but included in the MAC �to detect missing/extra data �and to prevent replay/reordering attacks Giuseppe Bianchi
10
TLS Handshake Protocol
Giuseppe Bianchi
Handshake: when � Initial negotiation and exchange of parameters � (mutually) authenticate � agree on algorithms � exchange random values � Exchange secrets or information to compute secrets � session resumption � Re-keying (“refresh” secrets)
Initial handshake Includes auth & cert verification TCP conn
Abbreviated handshake TCP conn
Abbreviated handshake TCP conn time
TLS SESSION Giuseppe Bianchi
11
Handshake: goals �Secure negotiation of shared secrets �Never transmitted in clear text; �derived from crypto parameters exchanged �Robust to MITM attacks if connection authenticated �Optional authentication �for both client and/or server �in practice always required for server
�Through asymmetric, or public key, cryptography �Exchange certificates and/or crypto information
�Reliable Negotiation: �Attacker cannot tamper communication and affect/alter the negotiation outcome without being detected by the involved C&S parties �Fundamental: negotiation amenable to downgrade attacks!! Giuseppe Bianchi
Handshake Messages SERVER
CLIENT Client Hello Server Hello Certificate Server Key Exchange
Mandatory
Certificate Request Server Hello Done Certificate
Optional and/or only at session start-up
Client Key Exchange Certificate Verify Change Ciper Spec Finished Change Cipher Spec
Start encryption
Finished Application Data Giuseppe Bianchi
12
TCP segmentation (example) Handshake Layer
TLS Record Layer
TCP Layer
Server Hello
Server Hello
Server Hello
Server Hello Done
Certificate
Server Hello Done
Certificate
Certificate (continued)
Certificate
Server Hello Done
� Simplified example: server responds to client hello with certificate only � Arbitrary correspondence between TLS Records and TCP segments (TLS records fragmented into TCP segments) � Obvious! Do you remember TCP? ☺ Giuseppe Bianchi
Handshake message format �Incapsulated in TLS Record �Handshake types: �hello_request(0), client_hello(1), server_hello(2), �certificate(11), server_key_exchange (12), �certificate_request(13), server_hello_done(14), �certificate_verify(15), client_key_exchange(16), �finished(20)
Handshake Length of remaining message type 3 bytes
Content Major type=0x16 version
Minor version
Depends on handshake msg
Length of fragment 2 bytes
payload
Giuseppe Bianchi
13
Handshake phase 1 SERVER
CLIENT Client Hello Server Hello
�General goal: �Create TLS/SSL connection between client and server �Detailed goals �Agree on TLS/SSL version �Define session ID �Exchange nonces � timestamp + random values used to, e.g., generate keys
�Agree on cipher algorithms �Agree on compression algorithm Giuseppe Bianchi
Client Hello �First message, sent in plain text �Incapsulated in 5 bytes TLS Record �Content: �Handshake Type (1 byte), Length (3 bytes), Version (2 bytes) �Type 01 for Client Hello �Version: 0300 for SSLv3, 0301 for TLS
�32 bytes Random (4 bytes Timestamp + 28 bytes random) �First 4 bytes in standard UNIX 32-bit format » Seconds since the midnight starting Jan 1, 1970, GMT
�(Session ID length, session ID) �1+32 bytes – either empty or previous session ID » Previous session ID = resumed session state
�(Cipher Suites length, Cipher suites) �2+Nx2 bytes, in order of client preference
�(Compression length, compression algorithm) �1+1 byte (in all cases, today: compression algo = 00 = null) Giuseppe Bianchi
14
Cipher suites PUBLIC-KEY ALGORITHM
SYMMETRIC ALGORITHM
HASH ALGORITHM
TLS_AAAAAAA_WITH_BBBBBBBB_CCCCCCCC TLS_NULL_WITH_NULL_NULL
INITIAL (NULL) CIPHER SUITE
TLS_RSA_WITH_NULL_MD5 TLS_RSA_WITH_NULL_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_WITH_3DES_EDE_CBC_SHA JUST A FEW EXAMPLES (FULL LIST IN RFC)
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA TLS_DH_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DH_anon_WITH_RC4_128_MD5
Note: arbitrary combination not possible: must choose from a (small) list of combinations Giuseppe Bianchi
The two basic approaches to key management � Key transport (e.g., RSA) � One party generates a random secret
Public Key Pk
» Client in TLS
Public Key Pk
� Which is transported to the other party through a cryptographically secured channel
CLIENT draw secret
EPk (secret)
SERVER
» To Server » Using public key encryption
� Key agreement (e.g., DH) � Shared secred generated at both party sides � through suitable exchange of crypto parameters
CLIENT Y, gY Compute mod p secret = (gX)Y = gXY
g, p, gX mod p gY mod
p
SERVER Y, gY Compute mod p secret = (gY)X = gXY
Giuseppe Bianchi
15
Server Hello �In reply to Client Hello, sent in plain text �Content: �Handshake Type (1 byte), Length (3 bytes) �Type = 02 for Server Hello)
�Version �Highest supported by both Client and Server
�32 bytes Random (4 bytes Timestamp + 28 bytes random) �Different random value than Client Hello
�(Session ID length, session ID) �If Client session ID=0, then generate session ID �Otherwise, if resumed session ID OK also for Server, use it; �Otherwise generate new one
�Cipher Suite, 2 bytes �Selected from client list (usually best one, but no obligation)
�Compression algo, 1 byte �Selected from Client list Giuseppe Bianchi
Downgrade attack MITM – doesn’t break SSL3.x, but knows very well how to break SSL2.0 (40 bit encryption only) CLIENT SSLv3.1
Client Hello, SSLv3.1 Server Hello, SSLv2.0
Client assumes that Server supports only SSL 2.0!!
Client Hello, SSLv2.0 Server Hello, SSLv2.0
SERVER SSL v3.1
Server assumes that client supports only SSL 2.0!!
�Downgrade attacks on cipher suites, too �MITM: remove “strong” cipher suites, and leave in Client Hello only the ones he knows he can break! Since hello message authentication not viable at the moment (not yet a shared secret available), verification must be necessarily delayed to a subsequent phase… Giuseppe Bianchi
16
Handshake phase 2 & 3 (schematic, RSA case) CLIENT
Signed_ca(server, PublicKey)
SERVER
(SSLVersion | SharedSecret)PublicKey
�Phase 2: �Server sends authentication information (certificate) �Along with Public Key (in certificate or in extra msg) �Phase 3: �Client generates a Shared Secret �Length depends on agreed cipher suite (RSA = 46 bytes)
�And transmits it to Server, encrypted with Public Key �Native SSL version included to early combat downgrade attacks Giuseppe Bianchi
Against downgrade attack CLIENT SSLv3.1
Client Hello, SSLv3.1 Server Hello, SSLv2.0
Client Hello, SSLv2.0 Server Hello, v2.0
SERVER SSL v3.1
Signed_ca(server, PublicKey) (SSLv3.1 |
SharedSecret)PublicKey
STOP!!
� Since (signed) certificate cannot be tampered… � … and since MITM cannot decrypt SharedSecret � and must act as pass-through � Downgrade attack on SSL version easily discovered! � Encrypted SSL version is the one initially proposed, NOT the one negotiated in server hello, of course Giuseppe Bianchi
17
Handshake Phase 2 details Certificate (single or certificate chain)
CLIENT
SERVER
Server Key Exchange Certificate Request (certificate type & certificate authorities) Server Hello Done � Certificate � typically a certificate chain � Server Key exchange � When certificate not issued (no server authentication required – UNSAFE!!) � When certificate key is for signature only (not for encryption) � When certificate key cannot be used for legal reasons � E.g. RSA key larger than 512 bits may not be used for encryption outside US, but only for signature � Larger RSA key encoded in certificates may be used to sign shorter, temporary, RSA key
� When Ephemeral Diffie-Hellman used � Certificate request � Requires client authentication (asks for an acceptable certificate) � Server Hello Done � empty message
Giuseppe Bianchi
Example: Diffie-Hellman /1 �Review of DH �Server transmits public value gX mod p �Client replies with public value gY mod p �Both compute shared key as �K = (gY)X mod p = (gX)Y mod p
�Three basic approaches (see next slide): �Anonymous �Fixed �Ephemeral
�Depends on whether X and Y values are pre-assigned or dynamically generated and/or signed �Anon & Ephemeral DH transmitted in ServerKeyExchange
Giuseppe Bianchi
18
Example: Diffie-Hellman /2 DH variants � “Anonymous” (basic) Diffie-Hellman � X, Y generated on the fly and NOT authenticated � Trivial MITM attack g, gZ
C Y, gY secret = gXY
g, gX
MITM Z, gZ Secret with C = gYZ Secret with S = gXZ
gY
S X, gX secret = gXZ
gZ
� (Fixed) Diffie-Hellman � DH “public” parameters gX and gY are static and signed by a certification authority � No MITM anymore � But they are long-lived � brute-force attacks � Ephemeral Diffie-Hellman � DH parameters can vary � But unlike anonymous DH, they are SIGNED by the party � Hence parties mush have an RSA or DSS secret key for signature purposes � Hence, why don’t just use RSA key transport? (we are here neglecting IPR/legal issues, of course ☺)
Giuseppe Bianchi
Example: Diffie-Hellman /3 ServerKeyExchange message format: Content Major Minor Length of fragment type=0x14 version=3 version=1 2 bytes = nn Handshake type=0x0c
Length 3 bytes = nn-4
DH p length 2 bytes
TLS Record Header (5 bytes) 0x14 = Handshake protocol
Handshake Header (4 bytes); 0x0c=ServerKeyEx DH p value ***
DH g length 2 bytes
DH g value ***
DH Ys length 2 bytes
DH Ys value ***
Signature RSA � 16 MD5 + 20 SHA-1 DSA � 20 SHA-1 only
DH parameters (variable length)
Signature size and hash used depends on signature type (RSA or DSA). Note: RSA uses BOTH MD5 and SHA-1
Client replies with DH public value Ys only (p and g are already known by the Server ☺) Giuseppe Bianchi
19
Handshake Phase 3 details CLIENT Certificate
SERVER
Client Key Exchange Certificate Verify
� Certificate: � Client certificate if requested � Client Key exchange � Transmit encrypted symmetric (premaster) key or information to generate secret key at server side (e.g. Diffie-Hellman Ys) � Certificate Verify � Signature of “something” known at both client and server �ALL the messages exchanged up to now » Which is not only known, but also useful! Allows to detect at an early stage (more later on this) tampering attacks (e.g. cipher suite downgrade)
� To prove Client KNOWS the private key behind the certificate �Otherwise I could authenticate by simply copying a certificate ☺ Giuseppe Bianchi
A (smart) detail on certificate verify �Q: Why Certificate Verify does not immediately follows certificate? �A: to include connection specific crypto parameters into signature! �client & server random values �Explicit inclusion of master secret in SSLv3.0 » Since master secret can be computed only after the ClientKeyExchange message, Certificate Verify follows ClientKeyExchange » Although this was abandoned in TLS1.x, but certificate verify still left as late as possible and hence after ClientKeyExchange
Giuseppe Bianchi
20
Phase 4 CLIENT Change Ciper Spec Finished
SERVER Change Cipher Spec Finished
� Phase 4 has two fundamental goals � Switch to the new security connection state �Hence authentication and encryption based on keys computed with the exchanged security parameters �Immediately applied to finished message » First check that everything went OK! If Client and(orserver cannot decrypt finished message, something has gone wrong!
� Authenticate all the previous handshake messages �Finished = digital signature of all the previous handshake messages as transmitted and received by the peer up to now �To avoid MITM tampering Giuseppe Bianchi
Change Cipher Spec � Defined as a separate protocol (!) � Only one message: � 1 single byte � Fixed content: constant value = 01 (!!!) 01
Change cipher spec protocol
Content Major type=0x14 version
Minor version
Length of fragment payload 0x0001
TLS Record Header Why a separate protocol, and not part of the Handshake? Wise choice! TLS specification allows aggregation of multiple messages of a SAME upper layer protocol into single TLS Record. How this possible with a Change Cipher Spec? (TLS Record is either ALL encrypted, or NOT encrypted) Giuseppe Bianchi
21
TLS Key Computation
Giuseppe Bianchi
Secret hierarchy Pre Master Secret
Exchanged (RSA) or computed (DH) during handshake - could be always the same value for same C-S pair (e.g., in the case fo fixed DH)
Master Secret
Nonce C Nonce S
Connection State Keys
Master Secret computed from: - Pre master - random values from C & S - timestamps from C & S � Recomputed at session resumption
Up to 6 keys: - encription keys (write/read = C/S) - authentication keys (write/read = C/S) - initialization vector if needed (write/read) � Recomputed at session resumption
Giuseppe Bianchi
22
Abbreviated handshake (3-way) (session resumption) �Used to re-generate key material �For new connection �Avoids to reauthenticate peers �Done at start of session only �Avoid to re-exchange pre-master-secret �Exchange new TS+random values Client Hello CLIENT
Server Hello
SERVER
Change Cipher Spec Finished Change Ciper Spec Finished Application Data Giuseppe Bianchi
Initial keying, re-keying: todo 1) Add randomness in key generation Pre master nounces
?
Master key
2) “Expand” initially limited secret to the needed amount of crypto material A3547B6AF2 ???
154892FFA100F4579D5F3AB….
Encryption key
Blablabla key
Giuseppe Bianchi
23
Basic building block: PRF Input (seed, other)
Pseudo Random Function
Output (“random”), unlimited
secret � Fundamental “brick”: � GOOD PRF �Criteria and extensive literature available... �Not only GOOD, but also fast/lightweight
� PRFs in TLS � SSL 3.0: not fully satisfactory PRF � TLS 1.0 and 1.1: good PRF but… hard-coded! �Construction used MD5 and SHA-1 (now weak) �(unlike IPsec) TLS forgot that “good” in crypto is not forever….
� TLS 1.2:negotiable PRF (at last ☺), and strong default based on SHA-256 Giuseppe Bianchi
PRF from a 1-way hash: Expansion function Phash �A0 �A1 �A2 �A3 �… Phash =
= = = =
seed HMAChash(A0) HMAChash(A1) HMAChash(A2)
HMAChash(A1 | seed)
Same secret used in all HMACs Hash = chosen hash function
HMAChash(A2 | seed)
HMAChash(A3 | seed)
……
� Phash function of: � Chosen hash function � Secret � seed � Phash size: any (unlike HMAC size) Giuseppe Bianchi
24
TLS 1.2 PRF from Phash PRF(secret, label, seed) = Phash(label|seed) �TLS1.2: �Default: this construction with SHA-256 �32 bytes hash
�But also negotiable PRF �Hence possibly very different and not based on HMAC
�Example: Master secret generation �Inputs: �Secret = Pre-master-secret �Seed = Nonces (client-random & server-random)
�Further input: �Label = string “master secret”
�Computation: first 48 bytes of: �PRF(pre-master-secret, “master secret”, Client-Random | Server-Random) Giuseppe Bianchi
PRF (until TLS 1.1, i.e. today!) � Employs two hash algorithms � Idea: combine both MD5 and SHA-1 � Greater robustness! Must break both… �Indeed ☺
� Input: � Desired length � Secret �Assume even size, split it in two parts (S1,S2)
� Seed � Label (an ascii string)
Source: Stephen Thomas, SSL&TLS Essentials
� PRF(scrt, lbl, sd) = PMD5(lbl | sd) XOR PSHA-1(lbl | sd) � MD5 uses S1 as secret � SHA-1 uses S2 as secret Giuseppe Bianchi
25
Key generation �Master secret [48 bytes]: � PRF(pre-master-secret, “master secret”, Client-Random | Server-Random)
�Key Block [size depends on cipher suites]: � PRF(master-secret, “key expansion”, Server-Random | Client-Random)
�Individual keys: �Partition key block into up to 6 fields in the following order: � Client MAC, Server MAC, Client Key, Server Key, Client IV, Server IV
PRF used also in computation of finished message instead of “normal” MD5 or SHA-1 Hash. E.g. For client finished message: PRF(master-secret, “client finished”, MD5(all handshake msg) | SHA-1(all handshake msg)) [12 bytes] Giuseppe Bianchi
TLS connection management & application support
Giuseppe Bianchi
26
Alert Protocol � TLS defines special messages to convey “alert” information between the involved fields � Alert Protocol messages encapsulated into TLS Records � And accordingly encrypted/authenticated � Alert Protocol format (2 bytes): � First byte: Alert Level �warning(1), fatal(02)
� Second Byte: Alert Description �23 possible alerts Alert level
Alert protocol
Content Major type=0x15 version
Minor version
Alert description
Length of fragment payload 0x0002
TLS Record Header Giuseppe Bianchi
Sample alerts See RFC2246 for all alerts and detailed description � unexpected_message � Inappropriate message received � Fatal - should never be observed in communication between proper implementations
� bad_record_mac � Record is received with an incorrect MAC � Fatal
� record_overflow � Record length exceeds 214+2048 bytes � Fatal
� handshake_failure � Unable to negotiate an acceptable set of security parameters given the options available � Fatal
� bad_certificate, unsupported_certificate, certificate_revoked, certificate_expired, certificate_unknown � Various problems with a certificate (corrupted, signatures did not verify, unsupported, revoked, expired, other unspecified issues which render it unacceptable � Warning or Fatal, depends on the implementation
If fatal, terminate and do not allow resumption with same security parameters (clear all!) Giuseppe Bianchi
27
Truncation attack
TCP
TLS
TCP FIN
An attacker may end connection at any time by sending a TCP FIN Part of the intended information exchange is lost How can Server and Client distinguish this from a transaction that “normally” completes? Giuseppe Bianchi
Solution: Close Notify Application Data Close Notify Close Notify
�Issued by any party �Close Notify = Alert (warning level) �Informs that no more data will be transmitted �A connection that ends abruptly without a Close Notify may be a truncation attack A remark: note the weakness of TLS against TCP DOS attacks in general! Giuseppe Bianchi
28
Conclusive remarks �Performance drawbacks: �Increased overhead and latency! �Mostly for encryption overhead and handshake overhead
�Computational overhead may kill server performance �Up to two orders of magnitude » ref: Transport Layer Security: how much does it really costs? Infocom 99
�TLS does NOT protect TCP �How to protect non SSL/TLS-aware applications? �Tools available to protect a generic TCP connection �stunnel = TCP over TLS over TCP » www.stunnel.org » Crazy (tcp tunneled over tcp), but as last resort…
�DOS attacks to TCP remains a significant issue (no protection at all) Giuseppe Bianchi
DTLS �Recently specified �RFC 4347 – Datagram TLS – April 2006 �TLS over UDP
�DTLS design goal: �Be as most as possible similar to TLS!
�DTLS vs TLS �TLS assumes orderly delivery » DTLS: Sequence number explicitly added in record header
�TLS assumes reliable delivery » Timeouts added to manage datagram loss
�TLS may generate large fragments up to 16384B » DTLS includes fragmentation capabilities to fit into single UDP datagram, and recommends Path MTU discovery
�TLS assumes connection oriented protocol » DTLS connection = (TLS handshake – TLS closure Alert)
Giuseppe Bianchi
29
