CEN585 – Computer and Network Security
Transport Layer Security
Dr. Mostafa Hassan Dahshan
Computer Engineering Department
College of Computer and Information Sciences
King Saud University
http://faculty.ksu.edu.sa/mdahshan
Web Security Considerations
Web is client/server application over Internet
Internet is 2-way, unlike traditional publishing
Many businesses depend on web
Underlying software is very complex
  browsers, web servers easy to use, configure
  however, software hides many security flaws
Attack on web servers can harm other computers within organization
Many users don't know enough to handle risks
Web Security Threats
Web Security Approaches
IPSec
  Transparent to applications
  General purpose
  Filtering capability
SSL/TLS
  Part of protocol, thus transparent to applications
  or embedded into packages (e.g. browsers)
Kerberos, S/MIME/PGP
  Embedded into packages
  Can be tailored to specific application needs
Secure Socket Layer (SSL)
Originated by Netscape (SSLv3)
Transport Layer Security developed by IETF
TLS = SSLv3.1, backward compatible with v3
Discussion is mainly for SSLv3
SSL Architecture
Designed to work with TCP
Provide end-to-end reliable service
Two layers of protocols
  SSL record protocol
    provide services to upper protocols
  SSL Handshake, Change Cipher Spec, Alert
    used in management of SSL exchanges
HTTP can operate on top of SSL
SSL Connections and Sessions
Connection
  peer-to-peer relationship, transport layer
  transient
  associated with one session
Session
  association between client, server
  created by Handshake Protocol
  define set of cryptographic security parameters
  parameters shared by multiple connections
  avoid negotiating new parameters for each connection
Session State Parameters
Session identifier
Peer certificate
  X.509v3 certificate of the peer
Compression method
Cipher spec
  encryption algorithm (e.g. AES), hash (MD5)
Master secret
  key shared between client, server
Is resumable
Connection State Parameters
Server and client random
Server MAC secret, Client MAC secret
  secret keys used in MAC operations
Server write key, Client write key
  secret encryption keys
Initialization vector
  IV used with CBC mode
Sequence numbers
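
How the connection state parameters listed above come out of the session's master secret and the two random values, as an added example that is not part of the original slides. It goes beyond the SSLv3 discussion by using the TLS 1.0 pseudorandom function (RFC 2246); the default sizes assume an AES-128-CBC with SHA-1 cipher spec, and the function names and sample inputs are illustrative.

```python
import hashlib
import hmac

def p_hash(digest, secret, seed, n):
    """P_hash data expansion (RFC 2246, section 5)."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, digest).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()   # HMAC(secret, A(i) + seed)
    return out[:n]

def prf(secret, label, seed, n):
    """TLS 1.0 PRF: P_MD5 keyed with the first half of the secret,
    XORed with P_SHA1 keyed with the second half."""
    half = (len(secret) + 1) // 2
    md5 = p_hash(hashlib.md5, secret[:half], label + seed, n)
    sha = p_hash(hashlib.sha1, secret[len(secret) - half:], label + seed, n)
    return bytes(x ^ y for x, y in zip(md5, sha))

def connection_state(master_secret, client_random, server_random,
                     mac_len=20, key_len=16, iv_len=16):
    """Expand the master secret into a key block and cut it, in protocol
    order, into the six per-connection secrets."""
    sizes = [("client_mac_secret", mac_len), ("server_mac_secret", mac_len),
             ("client_write_key", key_len), ("server_write_key", key_len),
             ("client_iv", iv_len), ("server_iv", iv_len)]
    total = sum(n for _, n in sizes)
    # Both randoms are mixed in, so every connection of a resumed session
    # gets fresh keys even though the master secret is reused.
    block = prf(master_secret, b"key expansion", server_random + client_random, total)
    state, off = {}, 0
    for name, n in sizes:
        state[name] = block[off:off + n]
        off += n
    return state

if __name__ == "__main__":
    # Constructed sample values, not taken from a real handshake.
    ms = bytes(range(48))
    for name, value in connection_state(ms, b"\x01" * 32, b"\x02" * 32).items():
        print(f"{name:18s} {value.hex()}")
```
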
SSL Record Protocol
Provides two services to SSL connections
  confidentiality: encryption of SSL payloads
  message integrity: using MAC
Steps
  fragmentation: to blocks of 2^14 bytes
  compression: optional
  MAC: of compressed data, secret key used
  encryption: symmetric block or stream cipher
  prepending header
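
The record-layer steps above, as an added example that is not part of the original slides: it fragments application data, MACs each fragment together with its sequence number, prepends the 5-byte record header, and verifies and reassembles on receipt. Assumptions: the TLS 1.0 HMAC construction (HMAC-SHA1) is used rather than the SSLv3 MAC, compression and encryption are skipped (NULL cipher), and all function names are illustrative.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14      # fragment size limit of the record protocol
APPLICATION_DATA = 23       # record content type
VERSION = (3, 1)            # TLS 1.0, i.e. "SSL 3.1"
MAC_LEN = 20                # HMAC-SHA1 output size

def record_mac(secret, seq, ctype, fragment):
    # MAC input: 64-bit sequence number || type || version || length || data
    msg = struct.pack("!QBBBH", seq, ctype, *VERSION, len(fragment)) + fragment
    return hmac.new(secret, msg, hashlib.sha1).digest()

def protect(data, mac_secret, seq=0):
    """Fragment, MAC and frame the data; returns (records, next_seq)."""
    records = []
    for off in range(0, len(data), MAX_FRAGMENT):
        frag = data[off:off + MAX_FRAGMENT]
        # The encryption step would cover frag + MAC here (omitted: NULL cipher).
        body = frag + record_mac(mac_secret, seq, APPLICATION_DATA, frag)
        header = struct.pack("!BBBH", APPLICATION_DATA, *VERSION, len(body))
        records.append(header + body)
        seq += 1
    return records, seq

def unprotect(records, mac_secret, seq=0):
    """Check every record against the expected sequence number, then reassemble."""
    out = b""
    for rec in records:
        ctype, major, minor, length = struct.unpack("!BBBH", rec[:5])
        body = rec[5:]
        if (major, minor) != VERSION or len(body) != length or length < MAC_LEN:
            raise ValueError("malformed record")
        frag, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(tag, record_mac(mac_secret, seq, ctype, frag)):
            raise ValueError("bad record MAC")   # a fatal alert in the real protocol
        out += frag
        seq += 1
    return out

if __name__ == "__main__":
    key = b"k" * 20                              # constructed MAC secret
    recs, nxt = protect(b"A" * 40000, key)
    print(len(recs), "records, next sequence number", nxt)
    print(len(unprotect(recs, key)), "bytes recovered")
```

Because the sequence number is part of the MAC input, two records carrying identical data still have different MACs, so a reordered or replayed record fails verification.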
SSL Record Format header
SSL Record Protocol Payload
Change Cipher Spec Protocol
Consists of single message
  change_cipher_spec
  single byte, value = 1
Causes pending state to be copied to current
  updates cipher suite to be used on connection
Alert Protocol
Convey SSL related alerts to peer entity
Alert messages compressed, encrypted
Consists of 2 bytes
First byte takes values warning (1), fatal (2)
Fatal
  SSL terminates connection
  other connections in same session continue
  no new connections allowed
Second byte contains code of specific alert
Handshake Protocol
Most complex part of SSL
Allows server and client to
  authenticate each other
  negotiate algorithms, keys used (crypt, MAC)
Used before any application data transmitted
Consists of 4 phases
Phase 1: Establish Security Capabilities
Initiate logical connection
Establish associated security capabilities
client_hello message
  version: highest supported SSL version
  CipherSuite: list of supported crypt algorithms in decreasing order of preference
server_hello message
  version: highest supported by both client, server
  CipherSuite: selected suite from proposed list
Phase 2: Server Authentication and Key Exchange
certificate message
  server sends its X.509 certificate or chain
certificate_key_exchange message
  parameters for key exchange required by some algorithms (no shared key)
certificate_request message
  list of acceptable certificate authorities
server_done message
  indicate end of server hello messages
Phase 3: Client Authentication and Key Exchange
Client verifies server certificate is valid
Checks that parameters are acceptable
certificate message
  sent if server requested certificate
client_key_exchange message
  parameters for key exchange
certificate_verify message
  optional, for some certificate types
Phase 4: Finish
Completes setting up secure connection
change_cipher_spec message
  sent using Change Cipher Spec protocol
finished message
  sent with established algorithms, keys
  verifies key exchange, auth were successful
TLS Differences From SSL
Version number
MAC algorithm and scope of calculation
Pseudorandom function
Alert codes: one unsupported, many added
Client certificate types: some unsupported
Hash calculation for messages
  certificate_verify
  finished
HTTPS
HTTP over SSL/TLS
Secure comm between web server and browser
Supported by all modern web browsers
Use depends on web server
Encrypted Elements
URL of requested document
Contents of the document
Contents of browser filled forms
Cookies (both sides)
HTTP headers
Secure Shell (SSH)
Protocol for secure network communications
Relatively simple and inexpensive
Initially focused on remote login (TELNET)
Later: general client/server capability
  file transfer
  email
  X tunneling
One of most pervasive encryption applications
SSH Protocols
Transport Layer Protocol (TLP)
Server uses public key for authentication
Server host key used during key exchange
Client must know server's public key
  local database [hostname : key]
    no centrally administered infrastructure
    database can be large
  central CA: client only knows CA root key
    simpler maintenance
    host key must be centrally certified
Packet Exchanges
Supported algorithms for
  key exchange
  encryption
  MAC
  compression
see Table 16.3
Uses Diffie-Hellman
Why use key exchange when we have public key?
Packet Formation
compression decided during ...?
why padding?
initialized to 0
incremented for each packet
MAC not encrypted
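
The packet layout annotated on this slide, as an added example that is not part of the original slides: it builds an SSH binary packet (RFC 4253, section 6), padding it to a multiple of the cipher block size, and computes the MAC over the sequence number and the unencrypted packet. Assumptions: HMAC-SHA-256 is the negotiated MAC, compression and encryption are omitted, and the function names are illustrative.

```python
import hashlib
import hmac
import os
import struct

def padding_length(payload_len, block_size=8):
    """Padding so that length(4) + pad_len(1) + payload + padding is a
    multiple of the block size, with at least 4 bytes of padding."""
    pad = block_size - ((5 + payload_len) % block_size)
    return pad + block_size if pad < 4 else pad

def packet_mac(mac_key, seq, packet):
    # The sequence number is never sent; both sides count from 0 and
    # include it in the MAC input (it wraps at 2^32).
    return hmac.new(mac_key, struct.pack("!I", seq & 0xFFFFFFFF) + packet,
                    hashlib.sha256).digest()

def build_packet(payload, seq, mac_key, block_size=8):
    pad = padding_length(len(payload), block_size)
    # packet_length counts everything after itself, excluding the MAC
    packet = struct.pack("!IB", 1 + len(payload) + pad, pad) + payload + os.urandom(pad)
    # A real implementation encrypts `packet` here; the MAC is appended unencrypted.
    return packet + packet_mac(mac_key, seq, packet)

def parse_packet(wire, seq, mac_key, block_size=8, mac_len=32):
    if len(wire) < 16 + mac_len:                 # 16 bytes is the minimum packet size
        raise ValueError("short packet")
    packet, mac = wire[:-mac_len], wire[-mac_len:]
    if not hmac.compare_digest(mac, packet_mac(mac_key, seq, packet)):
        raise ValueError("MAC mismatch")
    length, pad = struct.unpack("!IB", packet[:5])
    if length != len(packet) - 4 or len(packet) % block_size or not 4 <= pad <= length - 1:
        raise ValueError("malformed packet")
    return packet[5:4 + length - pad]

if __name__ == "__main__":
    key = b"m" * 32                              # constructed MAC key
    wire = build_packet(b"hello", 0, key)
    print(len(wire), "bytes on the wire ->", parse_packet(wire, 0, key))
```
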
User Authentication Protocol
Authentication methods
publickey
  C → S: E(PRC, M), where M contains PUC
  S checks PUC is acceptable, then verifies signature
password
  plaintext password (protected by TLP encryption)
hostbased
  SSH server verifies client's host
  believes host when it authenticates user
Connection Protocol
Runs on top of SSH Transport Layer Protocol
Assume secure auth connection (tunnel) in use
Tunnel multiplex multiple logical channels
Channel used for each type of communication
  e.g. terminal session
  flow controlled using window mechanism
Channel Types
session
  remote execution of a program
  program: shell, file transfer, email, …
x11
  app run at server but displayed at client desktop
forwarded-tcpip
  remote port forwarding
direct-tcpip
  local port forwarding
Port Forwarding
One of the most useful features of SSH
Ability to secure any insecure TCP connection
Also known as SSH Tunnel
Two types
  local forwarding
  remote forwarding
Local Forwarding
Source: www.tectia.com/manuals/guardian-admin/30/scb_ssh_channel_types.html
Remote Forwarding
Source: www.tectia.com/manuals/guardian-admin/30/scb_ssh_channel_types.html
References
Cryptography and Network Security, 5E, Chapter 16
Additional References
About SSL/TLS, www.cs.bham.ac.uk/~mdr/teaching/modules03/security/students/SS8a/SSLTLS.html
SSL/TLS Protocol overview, www.lincoln.edu/math/rmyrick/ComputerNetworks/InetReference/121.htm
Implementing Web Site Client Authentication Using Digital IDs, www.verisign.com/clientauth/kit/details.html
Secure Sockets Layer (SSL) Protocol, islab.oregonstate.edu/koc/ece575/99Project/Ying/index.htm
SSH Public-Key Authentication HOWTO, http://hkn.eecs.berkeley.edu/~dhsu/ssh_public_key_howto.html
Supported SSH channel types, www.tectia.com/manuals/guardian-admin/30/scb_ssh_channel_types.html
SSH Port Forwarding – Local VS Remote, www.walkernews.net/2007/07/22/ssh-port-forwarding-local-vs-remote/