tls-intro meir sept 2010
TRANSCRIPT
-
8/7/2019 TLS-Intro Meir Sept 2010
1/63
N E T W O R K S
Introduction to TLS
Meir Leshem, Sept 2010
-
SSL/TLS Protocol Overview
The SSL/TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and alteration of the messages.
TLS provides endpoint (peer) authentication and communications confidentiality and integrity over the Internet using cryptography (encryption/decryption).
Feature          | Service         | Method     | Attack
Hiding info      | Confidentiality | Encryption | Eavesdropping (anyone can see content)
Proving identity (verify who you are talking to) | Authentication | Public Key | Forgery and Masquerade
Verifying info   | Msg. Integrity  | HMAC       | Alteration (someone may alter content)
-
Network Layer (IPsec) vs. Transport Layer (SSL/TLS) Security
-
SSL/TLS History
RFC 2246 (TLS 1.0) - RFC 4346 (TLS 1.1, 2006) - RFC 5246 (TLS 1.2, 2008)
-
SSL with its (sub)layers and (sub)protocols
-
SSL/TLS sub layers and protocols
[Diagram: SSL/TLS sub-layers and their protocols, with these labels]
Handles communication with the application
Protocols: Initializes communication between client & server
Initializes secure communication
Handles data compression and transfers TLS messages
Error handling
-
SSL/TLS Main principles
Key Exchange (for Symmetric Encryption) using Public Key
Data Integrity using HMAC (Hash-based Message Auth. Code)
Server Authentication using Certificates with public key
Client / Server Protocol
Establish a Security Session: Agree on algorithms; Share secrets; Perform server authentication (and optionally the client)
Transfer encrypted application data: Ensure privacy and integrity
-
Encryption Types
Symmetric encryption (= Secret key cryptography): Uses the same key for encryption and decryption. It is also known as secret-key cryptography. The symmetric algorithms are normally used to encrypt the content of a message.
Asymmetric encryption (= Public key cryptography): each of the two parties uses separate keys - one for encryption and a different one for decryption. The critical aspect of public key cryptography is that only one of these two keys (the private key) needs to be kept secret. The other key, the public key, need not be secret at all.
Symmetric encryption does not need as much processing power as asymmetric encryption. The encryption comes at a much lower cost.
-
Public/Private (RSA) Key functionality
The function provided depends on the cryptographic key in use:
If the recipient's public key is used to encrypt a plaintext message (by the sender), then the RSA public key cryptosystem yields an asymmetric encryption system. In this case, the recipient's private key is used to decrypt the ciphertext. Ideally, this can only be done by the recipient of the message.
If the sender's private key is used to encrypt a plaintext message (or hash value thereof), then the RSA cryptosystem yields a digital signature system. In this case, the sender's public key is used to verify the digital signature. This can be done by anybody.
-
TLS: Key Exchange algorithms for Encryption
Need secure method to exchange secret key
Use public key encryption for this: a key pair is used - either one can encrypt and then the other can decrypt
slower than conventional cryptography
share one key, keep the other private
Choices are RSA or Diffie-Hellman
-
TLS: Key Exchange Call Flow
Call Flow for Client (Alice) to Server (Bob) key exchange:
Bob publishes its public key
Alice generates random number and creates secret using Bob's public key
Bob decrypts the secret using its private key.
Both sides send Finish confirmation message with encrypted indication
-
TLS: Data Integrity
Compute fixed-length Message Authentication Code (MAC)
Includes hash of message
Includes a shared secret
Transmit MAC with message
TLS allows: MD5 (16 bytes output)
SHA-1 (20 bytes output)
-
Message Authentication Code (MAC, HMAC)
MAC is a cryptographic checksum that is used to ensure the integrity of the message during transmission
The hash-based MAC (HMAC) is the most popular MAC type
Hashing properties: Processes a variable-length message into a fixed-length output (128, 160 bits)
One-way function (impossible/difficult to get the original message)
Collision free output (at least infeasible to find 2 inputs with same output)
Sequence Number (in SSL/TLS)
MD5 or SHA-1 are defined in TLS
RFC 2104 defined HMAC for authentication:
HMAC(K,M) = H(K XOR opad, H(K XOR ipad, M)) where the comma denotes concatenation, opad is the byte 0x5c and ipad is the byte 0x36 (each repeated to the hash block length); K = Secret, H = Hash function (MD5 or SHA-1)
MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
MD5("") = d41d8cd98f00b204e9800998ecf8427e
-
Hashed MAC for TLS according to RFC 2104
HMAC = H[K xor 0x5c, H(K xor 0x36, text)]
K - secret
H - Hash using MD5 or SHA-1
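As an added example (not from the deck), the RFC 2104 construction on these two HMAC slides written out with Python's standard library, with the two MD5 values quoted on the previous slide as a check and a constant-time verify step for the receiving side. The key and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64     # byte block size of MD5 and SHA-1 (RFC 2104 pads the key to it)
IPAD, OPAD = 0x36, 0x5C


def rfc2104_hmac(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, M) = H((K xor opad) || H((K xor ipad) || M)), as written on the slide.
    hash_name is any hashlib algorithm name; the deck allows "md5" and "sha1"."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    # RFC 2104: a key longer than one block is hashed first; every key is then
    # zero-padded to exactly one block so the xor below is well defined.
    if len(key) > BLOCK_SIZE:
        key = h(key)
    key = key.ljust(BLOCK_SIZE, b"\x00")
    # ipad / opad are the single bytes 0x36 / 0x5c repeated across the whole block.
    k_ipad = bytes(b ^ IPAD for b in key)
    k_opad = bytes(b ^ OPAD for b in key)
    inner = h(k_ipad + message)
    return h(k_opad + inner)


def md5_hex(message: bytes) -> str:
    """Plain MD5 digest as hex; reproduces the two values quoted on the previous slide."""
    return hashlib.md5(message).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute and compare. A plain == leaks, through timing, how many
    leading bytes matched; compare_digest takes the same time for any input."""
    return hmac.compare_digest(rfc2104_hmac(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-built construction against Python's hmac module."""
    return rfc2104_hmac(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    # Constructed sample: a shared secret and one record body.
    key, msg = b"shared-secret", b"GET /index.html HTTP/1.0"
    tag = rfc2104_hmac(key, msg, "sha1")
    print("HMAC-SHA1 :", tag.hex(), "(%d bytes)" % len(tag))
    print("verifies  :", verify_tag(key, msg, tag))
    print("tampered  :", verify_tag(key, msg[:-1] + b"1", tag))   # one changed byte
    print("MD5(fox)  :", md5_hex(b"The quick brown fox jumps over the lazy dog"))
    print('MD5("")   :', md5_hex(b""))
```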
-
Message Authentication using HMAC
-
TLS: Authentication
Verify identities of participants
Client authentication is optional
Certificate is used to associate endpoint identity with public key and other attributes
[Diagram: endpoints A and B, each presenting a Certificate]
-
Handshake Protocol
Negotiate Cipher-Suite Algorithms: Symmetric cipher to use
Key exchange method (RSA or DH)
Message digest function
Establish and share master secret
Authenticate server and optionally the client
-
The SSL record processing
-
SSL Record Protocol Elements
Fragmentation: SSL Record Protocol fragments the higher-layer protocol data into blocks of 16,384 bytes or less.
Compression: SSL Record Protocol compresses the SSLPlaintext structure according to the compression method specified in the SSL session state. This method is initially set to null.
MAC: Message Authentication Code (MD5 or SHA-1).
Cryptographic Protection: Key Exchange, Encryption and Message authentication.
-
SSL Record Structure
-
Record Header
Three pieces of information:
Content type (1 byte): Application data (23), Alert (21), Handshake (22), Change_cipher_spec (20)
SSL version (2 bytes): The major and minor version of the SSL specification to which this message conforms. Redundant check for version agreement.
Content length (2 bytes): The length of the following higher-layer protocol messages as a 16-bit binary number. The SSL specification requires that this value not exceed 2**14 (16 384).
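An added example, not from the deck, that parses and builds the 5-byte record header described above and rejects the malformed cases a record layer has to check before trusting the length field. The content-type codes, version bytes and the 2^14 bound are the slide's; the sample records are constructed.

```python
import struct

# Record header values from the slide.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
MAX_FRAGMENT = 2 ** 14      # 16 384 bytes, the limit the slide quotes
HEADER_LEN = 5              # type (1) + version (2) + length (2)


class RecordError(ValueError):
    pass


def parse_record(buf: bytes) -> tuple:
    """Split one record off the front of buf.
    Returns (content_type_name, (major, minor), fragment, remaining_bytes) and raises
    RecordError for anything a careful record layer should reject before using it."""
    if len(buf) < HEADER_LEN:
        raise RecordError("need %d header bytes, have %d" % (HEADER_LEN, len(buf)))
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:HEADER_LEN])
    if ctype not in CONTENT_TYPES:
        raise RecordError("unknown content type %d" % ctype)
    if (major, minor) not in VERSIONS:
        raise RecordError("unsupported version %d.%d" % (major, minor))
    if length > MAX_FRAGMENT:
        # Reject oversize lengths before buffering: a receiver that trusts the field
        # can be made to allocate and hold far more than one fragment.
        raise RecordError("length %d exceeds 2^14" % length)
    if len(buf) < HEADER_LEN + length:
        raise RecordError("truncated record: declared %d, have %d"
                          % (length, len(buf) - HEADER_LEN))
    end = HEADER_LEN + length
    return CONTENT_TYPES[ctype], (major, minor), buf[HEADER_LEN:end], buf[end:]


def build_record(ctype: int, version: tuple, fragment: bytes) -> bytes:
    """Sender side: fragment the data first; one record never carries more than 2^14."""
    if len(fragment) > MAX_FRAGMENT:
        raise RecordError("fragment too large; split it first")
    return struct.pack("!BBBH", ctype, version[0], version[1], len(fragment)) + fragment


def parse_stream(buf: bytes) -> list:
    """Walk a byte string holding several back-to-back records."""
    out = []
    while buf:
        name, ver, body, buf = parse_record(buf)
        out.append((name, VERSIONS[ver], body))
    return out


if __name__ == "__main__":
    # Constructed sample: placeholder handshake bytes (not a real ClientHello) followed
    # by a close_notify alert (level 1 = warning, description 0).
    stream = build_record(22, (3, 1), b"\x01\x00\x00\x00") + build_record(21, (3, 1), b"\x01\x00")
    for name, ver, body in parse_stream(stream):
        print(ver, name, body.hex())
    try:
        parse_record(b"\x17\x03\x01\x40\x01" + b"\x00" * 8)   # declares 16 385 bytes
    except RecordError as e:
        print("rejected:", e)
```

RFC 5246 lets an encrypted TLSCiphertext fragment run to 2^14 + 2048 bytes after MAC and padding are added; the check here applies the plaintext bound the slide quotes, so a receiver validating ciphertext records uses the larger limit.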
-
Handshake Protocol Messages
-
Handshake Protocol Message Types
-
SSL Messages
[Diagram: SSL handshake message flow, client side on the left, server side on the right]
Client side: Offer cipher suite menu to server
Server side: Select a cipher suite
Server side: Send certificate and chain to CA root
Server side: Send public key to encrypt symmetric key
Server side: Server negotiation finished
Client side: Send encrypted symmetric key
Client side: Activate encryption
Client side: Client portion done (server checks options)
Server side: Activate server encryption
Server side: Server portion done (client checks options)
Now the parties can use symmetric encryption
-
Handshake Protocol - Detailed
-
Handshake Protocol Detailed (Cont.)
-
Resuming a Session
Client Hello sent with previously established Session Id
-
Client Hello
Protocol version: SSLv3 (major=3, minor=0); TLS (major=3, minor=1)
Random Number: 32 bytes; first 4 bytes, time of the day in seconds, other 28 bytes random. Prevents replay attack
Session ID: 32 bytes, indicates the use of previous cryptographic material; may be null in 1st Client Hello
CipherSuites: A list of cryptographic parameters that the client can support.
Compression algorithm: Not used (null)
-
Client Hello - Cipher Suites
[Diagram: a cipher suite names a public-key algorithm, a symmetric algorithm and a hash algorithm; the initial (null) cipher suite is the first entry]
Cipher suite codes used in SSL messages:
SSL_NULL_WITH_NULL_NULL = { 0, 0 }
SSL_RSA_WITH_NULL_MD5 = { 0, 1 }
SSL_RSA_WITH_NULL_SHA = { 0, 2 }
SSL_RSA_EXPORT_WITH_RC4_40_MD5 = { 0, 3 }
SSL_RSA_WITH_RC4_128_MD5 = { 0, 4 }
SSL_RSA_WITH_RC4_128_SHA = { 0, 5 }
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0, 6 }
SSL_RSA_WITH_IDEA_CBC_SHA = { 0, 7 }
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0, 8 }
SSL_RSA_WITH_DES_CBC_SHA = { 0, 9 }
SSL_RSA_WITH_3DES_EDE_CBC_SHA = { 0, 10 }
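An added example, not the deck's code, that builds and parses the ClientHello body described on the two slides above and decodes the cipher-suite codes with the table just listed, flagging the NULL and 40-bit EXPORT suites that give no or weak confidentiality. The length prefixes (1-byte session-id length, 2-byte cipher-suites length, 1-byte compression-methods length) come from RFC 2246 rather than the slide; all sample values are constructed.

```python
import os
import struct
import time

# Cipher suite codes from the slide: {byte1, byte2} -> name.
CIPHER_SUITES = {
    (0, 0): "SSL_NULL_WITH_NULL_NULL",
    (0, 1): "SSL_RSA_WITH_NULL_MD5",
    (0, 2): "SSL_RSA_WITH_NULL_SHA",
    (0, 3): "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    (0, 4): "SSL_RSA_WITH_RC4_128_MD5",
    (0, 5): "SSL_RSA_WITH_RC4_128_SHA",
    (0, 6): "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    (0, 7): "SSL_RSA_WITH_IDEA_CBC_SHA",
    (0, 8): "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    (0, 9): "SSL_RSA_WITH_DES_CBC_SHA",
    (0, 10): "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}
# NULL gives no confidentiality at all; EXPORT suites are capped at 40-bit keys.
WEAK = {name for name in CIPHER_SUITES.values() if "NULL" in name or "EXPORT" in name}


def build_client_hello(version, suites, session_id=b"", now=None, rand28=None) -> bytes:
    """Serialize a ClientHello body: version(2), random(32 = 4-byte time + 28 random
    bytes), session_id with 1-byte length, cipher_suites with 2-byte length, and one
    compression method (null). Length prefixes follow RFC 2246, not the slide."""
    now = int(time.time()) if now is None else now
    rand28 = os.urandom(28) if rand28 is None else rand28
    suites_bytes = b"".join(bytes(code) for code in suites)
    return (bytes(version) + struct.pack("!I", now) + rand28
            + struct.pack("!B", len(session_id)) + session_id
            + struct.pack("!H", len(suites_bytes)) + suites_bytes
            + b"\x01\x00")


def parse_client_hello(body: bytes) -> dict:
    """Parse the body back and decode the suite codes with the slide's table."""
    gmt_time, = struct.unpack("!I", body[2:6])
    sid_len = body[34]
    pos = 35 + sid_len
    session_id = body[35:pos]
    cs_len, = struct.unpack("!H", body[pos:pos + 2])
    if cs_len % 2:
        raise ValueError("cipher_suites length must be even")
    pos += 2
    codes = [tuple(body[i:i + 2]) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    compression = list(body[pos + 1:pos + 1 + body[pos]])
    names = [CIPHER_SUITES.get(c, "unknown %d,%d" % c) for c in codes]
    return {
        "version": tuple(body[0:2]),
        "gmt_unix_time": gmt_time,
        "session_id": session_id,
        "resumption_requested": len(session_id) > 0,   # non-empty id: resume (see Resuming a Session)
        "cipher_suites": names,
        "weak_suites": [n for n in names if n in WEAK],
        "compression": compression,
    }


if __name__ == "__main__":
    # Constructed sample: TLS 1.0, three suites in preference order, fresh session.
    hello = build_client_hello((3, 1), [(0, 10), (0, 4), (0, 3)], now=1283299200)
    for k, v in parse_client_hello(hello).items():
        print("%-21s %s" % (k, v))
```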
-
Block vs. Stream Ciphers
A stream cipher operates on individual bits or bytes, and the actual transformation varies during the encryption process. Example: RC4 (key size: USA domestic unlimited, international limited to 40 bit). Used also in WiFi (802.11).
A block cipher operates on fixed-length groups of bits (i.e., blocks) with an unvarying transformation (determined by the key). Examples: DES (64 bit), 3DES (192 bit), AES (key size: 128, 192, 256; block size: 128). Modes: electronic code book (ECB), cipher block chaining (CBC), cipher feedback (CFB), output feedback (OFB).
Block ciphers require less computation resources, less vulnerable, less convenient to use. Need addition of padding at the last block and require an initialization vector at the beginning of the encryption process.
-
ClientHello Message Structure
-
Server Hello
Version: SSLv3 (major=3, minor=0); TLS (major=3, minor=1)
Random Number: 32 byte random number, protects against handshake replay
Session ID: Provided to the client for later resumption of the session
Cipher suite: Usually picks client's best preference; no obligation
Compression method: Null
-
ServerHello Message Structure
-
Certificates
X.509 Certificate associates public key with identity
Certification Authority (CA) creates certificate: Adheres to policies and verifies identity; Signs certificate
User of Certificate must ensure it is valid
A Public Key Certificate comprises at least 3 types of information: A Public Key; Naming Information; Digital Signature
CA types: Private (private network, corporate) or Public
-
X.509: Certificate Content (ASN.1 DER format)
Version (X.509 version, e.g. 3)
Serial Number (integer)
Signature Algorithm Identifier: Object Identifier (OID) of the algorithm used to digitally sign the certificate, e.g. sha1RSA: {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) sha1-with-rsa-signature(5)}
Issuer (CA) X.500 name: Identifies the organization that issued this certificate (see later slide)
Validity Period (Start, End)
-
X.509: Certificate Content (Cont.)
Subject X.500 name (Owner): Same format as Issuer, see next slide
Subject Public Key: Algorithm Id (OID); Algorithm parameters; Public key Value
Issuer Unique Id (enables several ids to same issuer); Subject Unique Id (several ids to same subject)
Extensions: Optional (used by browsers)
CA digital Signature: Digital signature of the content of the certificate with CA private key. This signature shall be verified by the user using the CA public key
-
Digital Signature principle
The signatory's private key is used to encrypt a message (or its hash value). The RSA signature is generated for that particular message. The sender's public key is used to successfully decrypt the signature, proving that only someone possessing the private key could have created it.
-
Digital Signature in Action (e.g. certificate verification)
Sender side:
Receiver side:
-
Issuer and Subject Name format
Name Attributes (Distinguished Name) by Object Identifier (OID):
countryName ::= SEQUENCE {{2.5.4.6}. StringType(size(2))}
organization ::= SEQUENCE {{2.5.4.10}. StringType(size(1..64))}
localityName ::= SEQUENCE {{2.5.4.7}. StringType(size(1..64))}
stateOrProvince ::= SEQUENCE {{2.5.4.8}. StringType(size(1..64))}
commonName ::= SEQUENCE {{2.5.4.3}. StringType(size(1..64))}
Distinguished Name (DN) user format:
Country at highest level (e.g. US)
Organization typically at next level (e.g. CertCo)
Individual below (e.g. Common Name Elizabeth)
Dn = { C=US, O=CertCo, CN=Elizabeth }
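An added example (not from the deck) that DER-encodes the Name shown above with the attribute OIDs and size limits on this slide, then decodes it back to the C=US, O=CertCo, CN=Elizabeth form, which is the byte layout the Issuer and Subject fields of an X.509 certificate carry. The DER tag values (SEQUENCE 0x30, SET 0x31, OID 0x06, PrintableString 0x13) and the OID arc encoding are from X.690, not the slide.

```python
# Attribute types and size limits from the slide: short name -> dotted OID.
ATTRIBUTE_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "L": "2.5.4.7", "ST": "2.5.4.8", "CN": "2.5.4.3"}
SIZE = {"C": (2, 2), "O": (1, 64), "L": (1, 64), "ST": (1, 64), "CN": (1, 64)}
SEQUENCE, SET, OID, PRINTABLE_STRING = 0x30, 0x31, 0x06, 0x13   # universal DER tags (X.690)


def der_len(n: int) -> bytes:
    """DER length: one byte below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value


def encode_oid(dotted: str) -> bytes:
    """First two arcs share one byte (40*a + b); later arcs are base-128, high bit = more."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return bytes(out)


OID_BYTES_TO_NAME = {encode_oid(v): k for k, v in ATTRIBUTE_OIDS.items()}


def encode_name(rdns) -> bytes:
    """Name ::= SEQUENCE OF (SET OF SEQUENCE { type OID, value PrintableString });
    rdns is ordered most significant first, e.g. [("C", "US"), ("O", "CertCo"), ("CN", "Elizabeth")]."""
    parts = []
    for attr, value in rdns:
        lo, hi = SIZE[attr]
        if not lo <= len(value) <= hi:
            raise ValueError("%s must be %d..%d characters" % (attr, lo, hi))
        atv = tlv(OID, encode_oid(ATTRIBUTE_OIDS[attr])) + tlv(PRINTABLE_STRING, value.encode("ascii"))
        parts.append(tlv(SET, tlv(SEQUENCE, atv)))
    return tlv(SEQUENCE, b"".join(parts))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position just after the element); handles long-form lengths."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    return tag, buf[start:start + length], start + length


def decode_name(der: bytes) -> str:
    """Render a DER Name back in the slide's 'C=US, O=CertCo, CN=Elizabeth' form."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    pos, out = 0, []
    while pos < len(seq):
        _, rdn, pos = read_tlv(seq, pos)        # RelativeDistinguishedName (SET)
        _, atv, _ = read_tlv(rdn, 0)            # AttributeTypeAndValue (SEQUENCE)
        _, oid, p = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, p)
        out.append("%s=%s" % (OID_BYTES_TO_NAME.get(oid, oid.hex()), value.decode("ascii")))
    return ", ".join(out)
```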
-
Certificate Message Structure
-
Validating a Certificate
Must recognize accepted CA in certificate chain: One CA may issue certificate for another CA
Must verify that certificate has not been revoked: CA publishes Certificate Revocation List (CRL)
-
SSL Messages - reminder
[Diagram: the SSL handshake message flow from the earlier "SSL Messages" slide, repeated as a reminder]
-
Client Key Exchange - Asymmetric encryption of Client Premaster secret
Premaster secret: Created by client; used to seed calculation of encryption parameters
RSA: 2 bytes of SSL version + 46 random bytes
D.H.: Special algorithm
Sent encrypted to server using server's public key
-
ClientKeyExchange Message Structure (RSA)
For RSA key exchange, the premaster secret is simply 2 bytes for the version of SSL the client supports (3 and 1, for TLS version 1.0) followed by 46 securely generated random bytes (encrypted with the public key).
-
SSL Encryption
Master secret: Generated by both parties from premaster secret and random values generated by both client and server
Key material: Generated from the master secret and shared random values
Encryption keys: Extracted from the key material
-
SSL/TLS Master Secret Generation (using premaster secret)
-
TLS Key materials generation
See next slide
-
TLS Pseudorandom function
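The three slides above (master secret, key material, PRF)  are diagrams; as an added example that is not part of the deck, here is the TLS 1.2 PRF from RFC 5246 carried from a constructed RSA premaster secret through the master secret to the key block. It uses HMAC-SHA256 as TLS 1.2 does (see the TLS 1.2 enhancements slide), whereas the deck's own diagrams describe the earlier MD5/SHA-1 PRF; the key sizes in the sample (no MAC key, 16-byte key, 4-byte fixed IV) are those of TLS_RSA_WITH_AES_128_GCM_SHA256.

```python
import hmac
import os


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """P_hash(secret, seed) = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    where A(0) = seed and A(i) = HMAC(secret, A(i-1)); the output is cut to `length` bytes."""
    a, out = seed, b""
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length, "sha256")


def rsa_premaster_secret(client_version=(3, 3), random46=None) -> bytes:
    """RSA key exchange premaster secret: 2 version bytes + 46 random bytes, as the
    ClientKeyExchange slide describes (3,1 there for TLS 1.0; 3,3 is TLS 1.2). The
    client sends this encrypted under the server's public key; that step is not shown."""
    return bytes(client_version) + (os.urandom(46) if random46 is None else random46)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """key_block = PRF(master_secret, "key expansion", server_random + client_random).
    Note the randoms are concatenated in the opposite order to master_secret. The block
    is then sliced into the six client/server MAC keys, write keys and fixed IVs."""
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    names = ["client_write_MAC_key", "server_write_MAC_key", "client_write_key",
             "server_write_key", "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name], pos = block[pos:pos + size], pos + size
    return keys


if __name__ == "__main__":
    # Constructed sample values; both randoms are 32 bytes (4-byte time + 28 random).
    c_rand, s_rand = os.urandom(32), os.urandom(32)
    pms = rsa_premaster_secret()
    ms = master_secret(pms, c_rand, s_rand)
    # TLS_RSA_WITH_AES_128_GCM_SHA256: no MAC key, 16-byte AES key, 4-byte fixed IV.
    for name, value in key_block(ms, c_rand, s_rand, mac_len=0, key_len=16, iv_len=4).items():
        print("%-21s %s" % (name, value.hex()))
    print("master secret: %s (%d bytes)" % (ms.hex(), len(ms)))
```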
-
Change Cipher Spec & Finished Messages
Change Cipher Spec: Switch to newly negotiated algorithms and key material
Finished: First message encrypted with new crypto parameters.
Approval for successful negotiation.
Digest (Hash) of negotiated master secret, the ensemble of handshake messages, sender type (client/server).
If the receiver cannot decrypt the message it closes the session
-
ChangeCipherSpec and Alert Protocols
CCS:
Alert:
-
Finished Message Structure
-
Application Data Message (Stream Cipher) Structure
-
TLS connection states
         Pending                     Active
Read     Encr Key= MAC= Secret=      Encr Key= MAC= Secret=
Write    Encr Key= MAC= Secret=      Encr Key= MAC= Secret=
Server Hello changes Encryption key and MAC in Pending/Read and Pending/Write states from null (or old) to new values in both client and in server.
Client KeyExchange changes the Secret in Pending/Read and Pending/Write states from null (or old) to new value in both client and in server.
Tx ChangeCipherSpec moves Pending to Active in Write state.
Rx ChangeCipherSpec moves Pending to Active in Read state.
-
TLS connection states (cont.)
-
TLS connection states (cont.)
-
PKI
PKI is an infrastructure that can be used to issue, validate, and revoke public keys and public key certificates. (best defined in RFC 5280)
PKI Functions
Public key cryptography: Includes the generation, distribution, administration, and control of cryptographic keys.
Certificate issuance: Binds a public key to an individual, organization, or other entity.
Certificate validation: Verifies that a trust relationship or binding exists and that a certificate is still valid for specific operations.
Certificate revocation: Cancels a previously issued certificate and either publishes the cancellation to a Certificate Revocation List or enables an Online Certificate Status Protocol process.
-
PKI standards - protocols
RFC 5280 - X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 2585 - X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP
RFC 2560 - X.509 Public Key Infrastructure Online Certificate Status Protocol (OCSP)
RFC 4210 - X.509 Public Key Infrastructure Certificate Management Protocol (CMP): Uses PKCS#7 and PKCS#10, maybe not deployed
RSA PKCS #7 (RFC 2315) - Cryptographic message syntax standard
RSA PKCS #10 V1.7 (RFC 2986) - Certificate Request syntax standard
IETF Draft-nourse-scep-20 - Simple Certificate Enrollment Protocol
RFC 4510 - RFC 4521 - Lightweight Directory Access Protocol (LDAP)
-
PKIX Architectural Model (from RFC 5280)
-
SCEP - Simple Certificate Enrollment Protocol
Draft-nourse-scep-20 (Cisco, expired June 2010)
SCEP is a PKI communication protocol which leverages existing technology by using PKCS#7, PKCS#10 and LDAP.
SCEP is the evolution of the enrollment protocol developed by Verisign, Inc. for Cisco Systems, Inc. It now enjoys wide support in both client and CA implementations.
SCEP supported by MS Win. Servers 2000-2003
OpenSSL supports SCEP Client (network device) for Unix only (?)
Network Device Enrollment Service (Win. Server 2008)
Network Device Enrollment Service allows software on routers and other network devices running without domain credentials to obtain certificates based on SCEP.
The protocol supports CA and RA public key distribution, certificate enrollment, certificate revocation, certificate queries, and certificate revocation queries
-
Changes from SSL 3.0 to TLS
Fortezza algorithm removed in TLS
Additional Alerts added
Modification to hash calculations
Different Master Secret & Key materials calculations
TLS Protocol version 3.1 in ClientHello and ServerHello (SSL last version is 3.0)
Separate Cipher Suites codes
-
TLS version 1.1 enhancements
Added protection against Cipher block chaining (CBC) attacks.
The implicit Initialization Vector (IV) was replaced with an explicit IV.
Change in handling padding errors
Support for IANA registration of parameters
-
TLS version 1.2 enhancements
The MD5/SHA-1 combination in the pseudorandom function (PRF) was replaced with SHA-256, with an option to use cipher-suite specified PRFs.
The MD5/SHA-1 combination in the Finished message hash was replaced with SHA-256, with an option to use cipher-suite specific hash algorithms.
The MD5/SHA-1 combination in the digitally-signed element was replaced with a single hash negotiated during handshake, defaults to SHA-1.
Enhancement in the client's and server's ability to specify which hash and signature algorithms they will accept.
Expansion of support for authenticated encryption ciphers, used mainly for Galois/Counter Mode (GCM) and CCM mode of AES encryption.
TLS Extensions definition and Advanced Encryption Standard (AES) CipherSuites were added.
-
Thank You