EEC 688/788 Secure and Dependable Computing

EEC 688/788 Secure and Dependable Computing, Lecture 8. Wenbing Zhao, Department of Electrical and Computer Engineering, Cleveland State University. [email protected]

Upload: owen-small

Post on 03-Jan-2016


Page 1: EEC 688/788 Secure and Dependable Computing

EEC 688/788
Secure and Dependable Computing

Lecture 8

Wenbing Zhao
Department of Electrical and Computer Engineering
Cleveland State University

[email protected]@ieee.org

Page 2: EEC 688/788 Secure and Dependable Computing

04/20/23 EEC688/788: Secure & Dependable Computing Wenbing Zhao

Outline

- Reminder: Lab 2 next Monday
- Secure Socket Layer
- Pretty Good Privacy

Page 3: EEC 688/788 Secure and Dependable Computing

SSL: The Secure Sockets Layer

- SSL (Secure Sockets Layer): a security package for secure communication over Internet
  - Introduced in 1995, Netscape Communications Corp
- SSL builds a secure connection between two sockets, including
  - Parameter negotiation between client and server
  - Mutual authentication of client and server
  - Secret communication
  - Data integrity protection

Page 4: EEC 688/788 Secure and Dependable Computing

Secure Sockets Layer Documentation

- The SSL Protocol version 3.0 Internet Draft: http://home.netscape.com/eng/ssl3/ssl-toc.html
- The TLS Protocol version 1.0 Internet Draft: http://www.ietf.org/rfc/rfc2246.txt
- "HTTP Over TLS" Information RFC: http://www.ietf.org/rfc/rfc2818.txt
- SSL and TLS: Designing and Building Secure Systems by Eric Rescorla. Addison Wesley Professional, 2000
- Analysis of the SSL 3.0 Protocol, by David Wagner and Bruce Schneier, http://www.schneier.com/paper-ssl-revised.pdf

Page 5: EEC 688/788 Secure and Dependable Computing

SSL: The Secure Sockets Layer

- HTTPS (Secure HTTP): HTTP over SSL
  - Sometimes it is available at a new port (443) instead of the standard port (80)

[Figure: Layers (and protocols) for home user using HTTPS]

Page 6: EEC 688/788 Secure and Dependable Computing

SSL: The Secure Sockets Layer

- SSL consists of two main subprotocols:
  - handshake protocol
  - record protocol
- SSL supports multiple cryptographic algorithms
  - The strongest one uses triple DES with three separate keys for encryption and SHA-1 for message integrity
  - For ordinary e-commerce applications, RC4 is used with a 128-bit key for encryption and MD5 is used for message authentication

Page 7: EEC 688/788 Secure and Dependable Computing

SSL: The Secure Sockets Layer

[Figure: SSL protocol stack. Labels: Application software; SSL Handshake Protocol; SSL Alert Protocol; SSL Change Cipher Spec Protocol; Application Data; SSL Record Layer Protocol; TCP]

Page 8: EEC 688/788 Secure and Dependable Computing

SSL Handshake Protocol

[Figure: handshake message flow; the only surviving label is ClientKeyEx]

Page 9: EEC 688/788 Secure and Dependable Computing

SSL Handshake Protocol

- Message #1: Client hello
  - SSL version; Random structure (timestamp and nonce); Session id; CipherSuites; Compression methods
- Message #2: Server hello
  - SSL version*; Random structure (timestamp and nonce); Session id; CipherSuite*; Compression method*

* selection based on client’s preference by the server

Page 10: EEC 688/788 Secure and Dependable Computing

SSL Handshake Protocol

- Message #3: Server certificate (server key exchange message would be sent if there is no certificate)
- Message #4: Server hello done
  - To indicate the end of the server hello and associated messages

Page 11: EEC 688/788 Secure and Dependable Computing

SSL Handshake Protocol

- Message #5: ClientKeyExchange - RSA encrypted premaster secret message
  - 48-byte long (version number and random bytes), encrypted using server’s public key

Page 12: EEC 688/788 Secure and Dependable Computing

SSL Handshake Protocol

- Message #6&8: Change cipher spec
  - Sent by both client and server to notify receiving party that subsequent records will be protected under the new CipherSpec and keys
  - The client sends a change cipher spec message following handshake key exchange and certificate verify messages (if any)
  - The server sends one after successfully processing the key exchange message it received from the client

Page 13: EEC 688/788 Secure and Dependable Computing

SSL Handshake Protocol

- The Change cipher spec message is an independent SSL Protocol content type, and is not actually an SSL handshake message
  - This is designed as a performance improvement
  - This message cannot be combined with the finished message (change cipher spec is unencrypted [or encrypted using the previous session key] and the finished message is encrypted using the new session key)

Page 14: EEC 688/788 Secure and Dependable Computing

SSL Handshake Protocol

- Message #7&9: Finished
  - Sent immediately after a change cipher specs msg
  - The finished message is the first protected with the just-negotiated algorithms, keys, and secrets
  - No acknowledgment of the finished message is required; parties may begin sending confidential data immediately after sending the finished message

Page 15: EEC 688/788 Secure and Dependable Computing

SSL Handshake Protocol Output

[Figure: key derivation. Labels: Pre-master Secret; Client Random; Server Random; Master Secret; Key Block; Client MAC; Server MAC; Client Write; Server Write; Client IV; Server IV]

Page 16: EEC 688/788 Secure and Dependable Computing

SSL Handshake Protocol Output

- Master secret: computed based on the premaster secret and the nonces proposed by the client and the server

    master_secret =
        MD5(pre_master_secret + SHA('A' + pre_master_secret +
            ClientHello.random + ServerHello.random)) +
        MD5(pre_master_secret + SHA('BB' + pre_master_secret +
            ClientHello.random + ServerHello.random)) +
        MD5(pre_master_secret + SHA('CCC' + pre_master_secret +
            ClientHello.random + ServerHello.random));

- Session keys, MAC secrets, and IVs: the master secret is used as an entropy source, and the random values provide unencrypted salt material and IVs for exportable ciphers

Page 17: EEC 688/788 Secure and Dependable Computing

SSL Handshake Protocol Output

- To generate the key material, compute

    key_block =
        MD5(master_secret + SHA('A' + master_secret +
            ServerHello.random + ClientHello.random)) +
        MD5(master_secret + SHA('BB' + master_secret +
            ServerHello.random + ClientHello.random)) +
        MD5(master_secret + SHA('CCC' + master_secret +
            ServerHello.random + ClientHello.random)) + [...];

  until enough output has been generated

Page 18: EEC 688/788 Secure and Dependable Computing

SSL Handshake Protocol Output

- Then the key_block is partitioned as follows:

    client_write_MAC_secret[CipherSpec.hash_size]
    server_write_MAC_secret[CipherSpec.hash_size]
    client_write_key[CipherSpec.key_material]
    server_write_key[CipherSpec.key_material]
    client_write_IV[CipherSpec.IV_size] /* non-export ciphers */
    server_write_IV[CipherSpec.IV_size] /* non-export ciphers */
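
The master secret and key block formulas above, carried through to the partition step, as an added Python example (not part of the original lecture). The pre-master secret and both random values are constructed sample inputs, and the sizes passed to key_block are those of the triple DES with SHA-1 suite mentioned earlier.

```python
import hashlib

def ssl3_expand(secret, rand_a, rand_b, n):
    """MD5(secret + SHA(label + secret + rand_a + rand_b)) with labels
    'A', 'BB', 'CCC', ... concatenated until n bytes are available."""
    out, i = b"", 0
    while len(out) < n:
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + rand_a + rand_b).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:n]

def master_secret(pre_master, client_random, server_random):
    # Three MD5 outputs give 48 bytes; randoms are in client, server order.
    return ssl3_expand(pre_master, client_random, server_random, 48)

def key_block(master, client_random, server_random, hash_size, key_material, iv_size):
    # Note the swapped order: ServerHello.random comes first for the key block.
    sizes = [("client_write_MAC_secret", hash_size), ("server_write_MAC_secret", hash_size),
             ("client_write_key", key_material), ("server_write_key", key_material),
             ("client_write_IV", iv_size), ("server_write_IV", iv_size)]
    block = ssl3_expand(master, server_random, client_random, sum(s for _, s in sizes))
    keys, off = {}, 0
    for name, size in sizes:
        keys[name], off = block[off:off + size], off + size
    return keys

# Constructed sample inputs (not captured from a real handshake).
PRE_MASTER = b"\x03\x00" + bytes(range(46))     # version 3.0 + 46 more bytes = 48
CLIENT_RANDOM = bytes([0x11]) * 32
SERVER_RANDOM = bytes([0x22]) * 32
MASTER = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
# Triple DES + SHA-1: 20-byte MAC secrets, 24-byte keys, 8-byte IVs (104 bytes,
# so the expansion runs through label 'GGGGGGG').
KEYS = key_block(MASTER, CLIENT_RANDOM, SERVER_RANDOM, 20, 24, 8)

if __name__ == "__main__":
    for name, value in KEYS.items():
        print(f"{name:24s} {value.hex()}")
```

Each direction gets its own MAC secret, key and IV, so a record captured in one direction cannot be reflected back and accepted in the other.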

Page 19: EEC 688/788 Secure and Dependable Computing

SSL Record Protocol

MAC = hash(MAC_write_secret + pad_2 + hash(MAC_write_secret + pad_1 + seq_num + length + content));

<= 16 KB each

Why?
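
An added Python example (not part of the original lecture) of the record MAC formula above, showing what the implicit seq_num provides: a replayed, skipped or modified record fails verification. The pad bytes (0x36 and 0x5c, repeated 48 times for MD5 and 40 times for SHA-1) come from the SSL 3.0 specification, which also hashes a one-byte record type that the slide's formula omits; the MAC secret and payload are constructed.

```python
import hashlib, hmac, struct

MAX_FRAGMENT = 2 ** 14                  # the "<= 16 KB each" limit on the slide
PAD_LEN = {"md5": 48, "sha1": 40}       # SSL 3.0 pad lengths per hash

def ssl3_mac(hash_name, mac_write_secret, seq_num, content):
    """The slide's formula; seq_num is 64-bit and length 16-bit, big-endian."""
    pad_1 = b"\x36" * PAD_LEN[hash_name]
    pad_2 = b"\x5c" * PAD_LEN[hash_name]
    header = struct.pack(">QH", seq_num, len(content))
    inner = hashlib.new(hash_name, mac_write_secret + pad_1 + header + content).digest()
    return hashlib.new(hash_name, mac_write_secret + pad_2 + inner).digest()

def protect(hash_name, secret, data):
    """Sender: fragment the stream, then MAC each fragment with its sequence number."""
    frags = [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)]
    return [(f, ssl3_mac(hash_name, secret, seq, f)) for seq, f in enumerate(frags)]

class RecordReceiver:
    """Receiver: keeps its own counter, so seq_num never travels on the wire."""
    def __init__(self, hash_name, secret):
        self.hash_name, self.secret, self.seq = hash_name, secret, 0

    def accept(self, content, mac):
        expected = ssl3_mac(self.hash_name, self.secret, self.seq, content)
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return False      # a real endpoint sends a fatal alert and closes
        self.seq += 1
        return True

def demo():
    secret = bytes(range(16))                        # constructed MAC secret
    records = protect("md5", secret, b"A" * 40000)   # constructed payload
    rx = RecordReceiver("md5", secret)
    return {
        "sizes": [len(c) for c, _ in records],
        "in_order": rx.accept(*records[0]),
        "replayed": rx.accept(*records[0]),
        "skipped": rx.accept(*records[2]),
        "tampered": rx.accept(records[1][0][:-1] + b"B", records[1][1]),
        "next": rx.accept(*records[1]),
    }

if __name__ == "__main__":
    print(demo())
```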

Page 20: EEC 688/788 Secure and Dependable Computing

SSL and TLS

- In 1996, Netscape Communications Corp. turned SSL over to IETF for standardization. The result was TLS (Transport Layer Security)
  - It is described in RFC 2246
  - The changes made to SSL were relatively small, but just enough that SSL version 3 and TLS cannot interoperate
  - The TLS version is also known as SSL version 3.1

Page 21: EEC 688/788 Secure and Dependable Computing

E-Mail Security

- PGP – Pretty Good Privacy
- PEM – Privacy Enhanced Mail
- S/MIME

Page 22: EEC 688/788 Secure and Dependable Computing

PGP – Pretty Good Privacy

- PGP (Pretty Good Privacy): e-mail security package that provides privacy, authentication, digital signatures, and compression, all in an easy-to-use form
  - Created by Zimmermann, released in 1991
  - Zimmermann is a privacy advocate whose motto is: If privacy is outlawed, only outlaws will have privacy
  - The complete package, including all the source code, is distributed free of charge via the Internet
  - Due to its quality, price (zero), and easy availability on UNIX, Linux, Windows, and Mac OS platforms, it is widely used today

Page 23: EEC 688/788 Secure and Dependable Computing

PGP – Pretty Good Privacy

- PGP encrypts data by using a block cipher called IDEA (International Data Encryption Algorithm)
  - It has been patented and OpenPGP has stopped using it
- Key management uses RSA
- Data integrity uses MD5
- Compression uses the ZIP program, which uses the Ziv-Lempel algorithm (Ziv and Lempel, 1977)
  - Compression saves bandwidth
  - It also wipes out the frequency information contained in the plaintext. In effect, it converts the plaintext into junk

Page 24: EEC 688/788 Secure and Dependable Computing

PGP – Pretty Good Privacy

[Figure: PGP in operation for sending a message]

Page 25: EEC 688/788 Secure and Dependable Computing

PGP – Pretty Good Privacy

- Alice sends an email P to Bob using PGP:
  - Both Alice and Bob have private (DX) and public (EX) RSA keys. Assume that each one knows the other's public key
  - PGP first hashes Alice’s message, P, using MD5, and then encrypts the resulting hash using her private RSA key, DA
  - The encrypted hash and the original message are concatenated into a single message, P1, and compressed using the ZIP program, the output of this step is P1.Z

Page 26: EEC 688/788 Secure and Dependable Computing

PGP – Pretty Good Privacy

- Next, PGP prompts Alice for some random input. Both the content and the typing speed are used to generate a 128-bit IDEA message key, KM
- KM is now used to encrypt P1.Z with IDEA in cipher feedback mode
- In addition, KM is encrypted with Bob's public key, EB. These two components are then concatenated and converted to base64
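
The send steps above and the matching receive side, as an added Python sketch (not part of the original lecture and not PGP's own code or wire format). Assumptions: textbook RSA keys built from small Mersenne primes, a SHA-256-based function standing in for IDEA inside cipher feedback mode, zlib for ZIP, the operating system's random generator for KM, and a 2-byte length prefix as framing; all names are illustrative.

```python
import base64, hashlib, secrets, zlib

def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two given primes: returns (E_X, D_X) as (exponent, n)."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

def rsa(key, m):
    return pow(m, key[0], key[1])        # raw RSA, no padding (teaching only)

def nbytes(key):
    return (key[1].bit_length() + 7) // 8

def cfb(key, data, decrypt=False):
    """Cipher feedback mode, 64-bit blocks, zero IV (KM is fresh per message).
    Stand-in for IDEA: leading bytes of SHA-256(key + register)."""
    out, reg = bytearray(), bytes(8)
    for i in range(0, len(data), 8):
        chunk = data[i:i + 8]
        stream = hashlib.sha256(key + reg).digest()
        block = bytes(a ^ b for a, b in zip(chunk, stream))
        reg = chunk if decrypt else block    # feedback is always the ciphertext
        out += block
    return bytes(out)

def pgp_send(P, alice_priv, bob_pub):
    digest = int.from_bytes(hashlib.md5(P).digest(), "big")
    sig = rsa(alice_priv, digest).to_bytes(nbytes(alice_priv), "big")  # D_A(MD5(P))
    P1Z = zlib.compress(len(sig).to_bytes(2, "big") + sig + P)         # P1 -> P1.Z
    KM = secrets.token_bytes(16)                                       # 128-bit key
    EKM = rsa(bob_pub, int.from_bytes(KM, "big")).to_bytes(nbytes(bob_pub), "big")
    return base64.b64encode(len(EKM).to_bytes(2, "big") + EKM + cfb(KM, P1Z))

def pgp_receive(msg, bob_priv, alice_pub):
    raw = base64.b64decode(msg)
    klen = int.from_bytes(raw[:2], "big")
    KM = rsa(bob_priv, int.from_bytes(raw[2:2 + klen], "big")).to_bytes(16, "big")
    P1 = zlib.decompress(cfb(KM, raw[2 + klen:], decrypt=True))
    slen = int.from_bytes(P1[:2], "big")
    sig, P = P1[2:2 + slen], P1[2 + slen:]
    if rsa(alice_pub, int.from_bytes(sig, "big")) != int.from_bytes(hashlib.md5(P).digest(), "big"):
        raise ValueError("signature does not match message hash")
    return P

# Constructed keys from small Mersenne primes: insecure, for illustration only.
ALICE_PUB, ALICE_PRIV = rsa_keypair(2**127 - 1, 2**107 - 1)
BOB_PUB, BOB_PRIV = rsa_keypair(2**89 - 1, 2**61 - 1)
```

Only Bob's private key recovers KM, and only Alice's public key validates the signed hash, so the single base64 blob carries both confidentiality and sender authentication.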