tls-intro meir sept 2010

Upload: meir-leshem

Post on 09-Apr-2018


8/7/2019 TLS-Intro Meir Sept 2010
NETWORKS

1. Introduction to TLS
Meir Leshem, Sept 2010

2. SSL/TLS Protocol Overview

The SSL/TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping on, and alteration of, the messages.

TLS provides endpoint (peer) authentication, and confidentiality and integrity of communications over the Internet, using cryptography.

  Feature           Service            Method       Attack addressed
  Hiding info       Confidentiality    Encryption   Eavesdropping (anyone can see the content)
  Proving identity  Authentication     Public key   Forgery and masquerade (verify who you are talking to)
  Verifying info    Message integrity  HMAC         Alteration (someone may alter the content)

3. Network Layer (IPsec) vs. Transport Layer (SSL/TLS) Security (figure)

4. SSL/TLS History

  Version   RFC       Year
  TLS 1.0   RFC 2246  1999
  TLS 1.1   RFC 4346  2006
  TLS 1.2   RFC 5246  2008

5. SSL with its sub-layers and sub-protocols (figure)

6. SSL/TLS Sub-layers and Protocols

Figure labels (protocol and its role):
- Application data protocol: handles communication with the application
- Handshake protocol: initializes communication between client and server
- Change Cipher Spec protocol: initializes secure communication (switch to the negotiated keys)
- Record protocol: handles data compression and transfers TLS messages
- Alert protocol: error handling

7. SSL/TLS Main Principles

- Key exchange (for symmetric encryption) using public-key cryptography
- Data integrity using HMAC (hash-based message authentication code)
- Server authentication using certificates that carry the server's public key
- Client/server protocol:
  - Establish a secure session: agree on algorithms, share secrets, perform server authentication (and optionally client authentication)
  - Transfer encrypted application data, ensuring privacy and integrity

8. Encryption Types

Symmetric encryption (secret-key cryptography) uses the same key for encryption and decryption. Symmetric algorithms are normally used to encrypt the content of a message.

Asymmetric encryption (public-key cryptography): each of the two parties uses separate keys, one for encryption and a different one for decryption. The critical aspect of public-key cryptography is that only one of these two keys (the private key) needs to be kept secret; the other, the public key, need not be secret at all.

Symmetric encryption needs far less processing power than asymmetric encryption, so bulk encryption comes at a much lower cost.

9. Public/Private (RSA) Key Functionality

The function provided depends on which key of the pair is used:

- If the recipient's public key is used to encrypt a plaintext message (by the sender), the RSA cryptosystem yields an asymmetric encryption system. The recipient's private key is used to decrypt the ciphertext; ideally, only the recipient of the message can do this.
- If the sender's private key is used to "encrypt" a plaintext message (in practice, a hash value of it), the RSA cryptosystem yields a digital signature system. The sender's public key is used to verify the digital signature, which anybody can do.

10. TLS: Key Exchange Algorithms for Encryption

- Need a secure method to exchange the secret (symmetric) key
- Use public-key cryptography for this: a key pair is used; either key can encrypt and the other can decrypt
- Slower than conventional (symmetric) cryptography
- Share one key, keep the other private
- Choices are RSA or Diffie-Hellman

11. TLS: Key Exchange Call Flow

Call flow for client (Alice) to server (Bob) key exchange:
- Bob publishes his public key (in his certificate)
- Alice generates a random number and creates the secret, encrypting it with Bob's public key
- Bob decrypts the secret using his private key
- Both sides send a Finished message, protected with the newly derived keys, confirming the exchange

12. TLS: Data Integrity

- Compute a fixed-length Message Authentication Code (MAC):
  - includes a hash of the message
  - includes a shared secret
- Transmit the MAC with the message
- TLS 1.0/1.1 allow MD5 (16-byte output) and SHA-1 (20-byte output)

13. Message Authentication Code (MAC, HMAC)

A MAC is a cryptographic checksum used to ensure the integrity of the message during transmission. The hash-based MAC (HMAC) is the most popular MAC type.

Hashing properties:
- Processes a variable-length message into a fixed-length output (128 or 160 bits)
- One-way (infeasible to recover the original message from the digest)
- Collision resistant (infeasible to find two inputs with the same output)

In SSL/TLS the MAC also covers a record sequence number, and MD5 or SHA-1 are the defined hash functions.

RFC 2104 defines HMAC for authentication:

  HMAC(K, M) = H((K xor opad) || H((K xor ipad) || M))

where K is the secret, zero-padded to the hash's block size (64 bytes for MD5 and SHA-1); ipad is the byte 0x36 repeated to that size and opad is the byte 0x5c repeated; H is the hash function (MD5 or SHA-1); || denotes concatenation.

MD5 examples:
  MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
  MD5("") = d41d8cd98f00b204e9800998ecf8427e

14. Hashed MAC for TLS according to RFC 2104

  HMAC = H[(K xor 0x5c...) || H((K xor 0x36...) || text)]

K: the secret, padded to the hash block size; H: hash using MD5 or SHA-1
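As an added example (not part of the original slides), the HMAC construction from slides 13 and 14 written out directly from the RFC 2104 formula and cross-checked against Python's hmac module, then applied the way the TLS 1.0 record layer applies it (RFC 2246 section 6.2.3.1): the MAC covers a 64-bit sequence number and the record header as well as the fragment, which is what defeats replay and reordering. The key and record contents are constructed test values.

```python
# Added example (not from the original slides): HMAC per RFC 2104 and the
# TLS 1.0 record MAC that wraps it. Key and record data are constructed.
import hashlib
import hmac
import struct


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, M) = H((K xor opad) || H((K xor ipad) || M)), B = 64-byte blocks."""
    block_size = hashlib.new(hash_name).block_size  # 64 for MD5 and SHA-1
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()  # long keys are hashed first
    key = key.ljust(block_size, b"\x00")  # then zero-padded to the block size
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Self-check of the hand-written HMAC against Python's hmac module."""
    return hmac.compare_digest(hmac_rfc2104(key, message, hash_name),
                               hmac.new(key, message, hash_name).digest())


def tls10_record_mac(mac_key: bytes, seq_num: int, content_type: int,
                     version: tuple, fragment: bytes, hash_name: str = "sha1") -> bytes:
    """MAC over seq_num(8) || type(1) || version(2) || length(2) || fragment."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac_rfc2104(mac_key, header + fragment, hash_name)


def verify_record(mac_key: bytes, seq_num: int, content_type: int,
                  version: tuple, fragment: bytes, received_mac: bytes) -> bool:
    """Receiver side: recompute with the *expected* sequence number and compare in constant time."""
    expected = tls10_record_mac(mac_key, seq_num, content_type, version, fragment)
    return hmac.compare_digest(expected, received_mac)


if __name__ == "__main__":
    key = b"constructed-mac-key"
    data = b"GET / HTTP/1.0\r\n"
    mac = tls10_record_mac(key, 0, 23, (3, 1), data)
    print("fresh record verifies:", verify_record(key, 0, 23, (3, 1), data, mac))
    # The same bytes replayed later arrive when the receiver expects seq 1.
    print("replayed record verifies:", verify_record(key, 1, 23, (3, 1), data, mac))
```

Because the sequence number is never sent on the wire, a replayed or reordered record fails verification even though its bytes are unchanged; the receiver's only response is a fatal bad_record_mac alert.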

15. Message Authentication using HMAC (figure)

16. TLS: Authentication

- Verify the identities of the participants
- Client authentication is optional
- A certificate is used to associate an endpoint identity with a public key and other attributes

(figure: peers A and B, each presenting a certificate)

17. Handshake Protocol

- Negotiate cipher-suite algorithms:
  - symmetric cipher to use
  - key exchange method (RSA or DH)
  - message digest function
- Establish and share the master secret
- Authenticate the server and optionally the client

18. The SSL Record Processing (figure)

19. SSL Record Protocol Elements

- Fragmentation: the SSL Record Protocol fragments the higher-layer protocol data into blocks of 16,384 (2^14) bytes or less.
- Compression: the SSL Record Protocol compresses the SSLPlaintext structure according to the compression method specified in the SSL session state. This method is initially set to null.
- MAC: Message Authentication Code (MD5- or SHA-1-based).
- Cryptographic protection: key exchange, encryption and message authentication.

20. SSL Record Structure (figure)

21. Record Header

Three pieces of information:
- Content type (1 byte): change_cipher_spec (20), alert (21), handshake (22), application_data (23)
- SSL version (2 bytes): the major and minor version of the SSL/TLS specification to which this message conforms; a redundant check for version agreement
- Content length (2 bytes): the length of the following higher-layer protocol messages as a 16-bit binary number. The specification requires that the plaintext fragment not exceed 2^14 (16,384) bytes; after compression and encryption a record may be at most 2,048 bytes longer than that.
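As an added example (not from the original slides), a parser for the 5-byte record header described above, applied to a byte stream that may carry several records and a trailing partial one, together with the fragmentation step from slide 19. The sample records are constructed here; the checks on content type, version and length are the ones a record layer must make before trusting the length field to index into its buffer.

```python
# Added example (not from the original slides): TLS record framing.
# Sample byte streams are constructed for this demonstration.
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_PLAINTEXT = 2 ** 14          # fragment limit from slides 19 and 21
MAX_CIPHERTEXT = 2 ** 14 + 2048  # RFC 2246 allows MAC and padding on top of that


def parse_record_header(buf: bytes, offset: int = 0):
    """Return (content_type, (major, minor), length) or raise ValueError."""
    if len(buf) - offset < 5:
        raise ValueError("need 5 header bytes")
    ctype, major, minor, length = struct.unpack_from("!BBBH", buf, offset)
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    if major != 3 or minor not in (0, 1, 2, 3):  # SSL 3.0, TLS 1.0, 1.1, 1.2
        raise ValueError(f"unsupported version {major}.{minor}")
    if length > MAX_CIPHERTEXT:
        raise ValueError(f"record length {length} exceeds 2^14+2048")
    return ctype, (major, minor), length


def header_ok(buf: bytes) -> bool:
    try:
        parse_record_header(buf)
        return True
    except ValueError:
        return False


def split_records(stream: bytes):
    """Return ([(type_name, version, fragment), ...], leftover) for the complete records in stream."""
    offset, records = 0, []
    while offset + 5 <= len(stream):
        ctype, version, length = parse_record_header(stream, offset)
        if offset + 5 + length > len(stream):
            break  # truncated record: wait for more bytes rather than guess
        records.append((CONTENT_TYPES[ctype], version, stream[offset + 5: offset + 5 + length]))
        offset += 5 + length
    return records, stream[offset:]


def fragment(data: bytes, content_type: int, version=(3, 1)) -> bytes:
    """Sender side of slide 19: split data into records of at most 2^14 bytes each."""
    out = b""
    for i in range(0, len(data), MAX_PLAINTEXT):
        chunk = data[i:i + MAX_PLAINTEXT]
        out += struct.pack("!BBBH", content_type, version[0], version[1], len(chunk)) + chunk
    return out


if __name__ == "__main__":
    # Constructed stream: a ChangeCipherSpec record, a warning close_notify alert,
    # and the first 6 bytes of an application_data record that has not fully arrived.
    stream = bytes([20, 3, 1, 0, 1, 1]) + bytes([21, 3, 1, 0, 2, 1, 0]) + bytes([23, 3, 1, 0, 10, 0xAA])
    complete, leftover = split_records(stream)
    for name, version, body in complete:
        print(name, version, body.hex())
    print("bytes waiting for more data:", leftover.hex())
```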

22. Handshake Protocol Messages (figure)

23. Handshake Protocol Message Types (figure)

24. SSL Messages

Figure: client side on the left, server side on the right.
- Client to server: offer cipher suite menu to server
- Server: select a cipher suite
- Server to client: send certificate and chain to CA root
- Server to client: send public key to encrypt the symmetric key; server negotiation finished
- Client to server: send encrypted symmetric key
- Client to server: activate encryption
- Client to server: client portion done (server checks options)
- Server to client: activate server encryption
- Server to client: server portion done (client checks options)
- Now the parties can use symmetric encryption

25. Handshake Protocol - Detailed (figure)

26. Handshake Protocol - Detailed (cont.) (figure)

27. Resuming a Session

The ClientHello is sent with a previously established session ID.

28. Client Hello

- Protocol version: SSLv3 (major=3, minor=0); TLS 1.0 (major=3, minor=1)
- Random number: 32 bytes; the first 4 bytes are the time of day in seconds, the other 28 bytes are random. Prevents replay attacks.
- Session ID: up to 32 bytes; indicates the use of previous cryptographic material; may be empty in the first ClientHello
- CipherSuites: a list of the cryptographic parameter sets the client can support
- Compression algorithm: not used (null)

29. Client Hello - Cipher Suites

A cipher suite code names the public-key algorithm, the symmetric algorithm and the hash algorithm together. The initial (null) cipher suite is { 0, 0 }. Cipher suite codes used in SSL messages:

  SSL_NULL_WITH_NULL_NULL             = { 0, 0 }
  SSL_RSA_WITH_NULL_MD5               = { 0, 1 }
  SSL_RSA_WITH_NULL_SHA               = { 0, 2 }
  SSL_RSA_EXPORT_WITH_RC4_40_MD5      = { 0, 3 }
  SSL_RSA_WITH_RC4_128_MD5            = { 0, 4 }
  SSL_RSA_WITH_RC4_128_SHA            = { 0, 5 }
  SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5  = { 0, 6 }
  SSL_RSA_WITH_IDEA_CBC_SHA           = { 0, 7 }
  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA   = { 0, 8 }
  SSL_RSA_WITH_DES_CBC_SHA            = { 0, 9 }
  SSL_RSA_WITH_3DES_EDE_CBC_SHA       = { 0, 10 }
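As an added example (not from the original slides), a TLS 1.0 ClientHello built from the fields on slide 28 and parsed back, with the cipher suite codes from slide 29 resolved to their names. Handshake messages are framed as type (1 byte), length (3 bytes) and body, per RFC 2246 section 7.4; the record wrapper is left out here. The random value and suite list are constructed test inputs.

```python
# Added example (not from the original slides): ClientHello encode/decode.
# The random, session ID and suite list used below are constructed values.
import os
import struct
import time

CIPHER_SUITES = {  # code -> name, from slide 29
    (0, 0): "SSL_NULL_WITH_NULL_NULL",
    (0, 1): "SSL_RSA_WITH_NULL_MD5",
    (0, 2): "SSL_RSA_WITH_NULL_SHA",
    (0, 3): "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    (0, 4): "SSL_RSA_WITH_RC4_128_MD5",
    (0, 5): "SSL_RSA_WITH_RC4_128_SHA",
    (0, 6): "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    (0, 7): "SSL_RSA_WITH_IDEA_CBC_SHA",
    (0, 8): "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    (0, 9): "SSL_RSA_WITH_DES_CBC_SHA",
    (0, 10): "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}
HANDSHAKE_CLIENT_HELLO = 1


def make_random(now=None) -> bytes:
    """32 bytes: gmt_unix_time (4 bytes) followed by 28 random bytes (slide 28)."""
    now = int(time.time()) if now is None else now
    return struct.pack("!I", now) + os.urandom(28)


def build_client_hello(suites, session_id=b"", version=(3, 1), client_random=None) -> bytes:
    """Encode ClientHello inside its handshake header: type(1) || length(3) || body."""
    client_random = client_random or make_random()
    suite_bytes = b"".join(bytes(code) for code in suites)
    body = (bytes(version) + client_random
            + bytes([len(session_id)]) + session_id        # empty on a first connection
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                 # one compression method: null
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg: bytes) -> dict:
    if msg[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    version = (body[0], body[1])
    client_random = body[2:34]
    sid_len = body[34]
    pos = 35 + sid_len
    session_id = body[35:pos]
    suites_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    if suites_len % 2:
        raise ValueError("cipher suite list must be an even number of bytes")
    suites = [tuple(body[i:i + 2]) for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]
    compression = list(body[pos + 1:pos + 1 + comp_len])
    return {
        "version": version,
        "gmt_unix_time": struct.unpack("!I", client_random[:4])[0],
        "session_id": session_id,
        "cipher_suites": [CIPHER_SUITES.get(s, f"unknown {s}") for s in suites],
        "compression": compression,
    }


if __name__ == "__main__":
    hello = build_client_hello([(0, 10), (0, 5), (0, 4)])
    print(hello.hex())
    print(parse_client_hello(hello))
```

The suite list order is the client's preference; slide 32 notes the server is not obliged to honour it. A resumption attempt (slide 27) is the same message with a 32-byte session ID in place of the empty one.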

30. Block vs. Stream Ciphers

A stream cipher operates on individual bits or bytes, and the actual transformation varies during the encryption process. Example: RC4 (key size: unlimited for US domestic use, limited to 40 bits for export). Also used in Wi-Fi (802.11 WEP/TKIP).

A block cipher operates on fixed-length groups of bits (blocks) with an unvarying transformation determined by the key. Examples: DES (64-bit block, 56-bit key), 3DES (192-bit key including parity bits, 168 effective), AES (key sizes 128, 192 or 256 bits; block size 128 bits). Modes: electronic codebook (ECB), cipher block chaining (CBC), cipher feedback (CFB), output feedback (OFB).

Block ciphers need modest computational resources and are considered less vulnerable, but they are less convenient to use: the last block must be padded, and an initialization vector is required at the beginning of the encryption process.

31. ClientHello Message Structure (figure)

32. Server Hello

- Version: SSLv3 (major=3, minor=0); TLS 1.0 (major=3, minor=1)
- Random number: 32-byte random value; protects against handshake replay
- Session ID: provided to the client for later resumption of the session
- Cipher suite: the server usually picks the client's most preferred suite that it supports, but it is under no obligation to follow the client's order
- Compression method: null

33. ServerHello Message Structure (figure)

34. Certificates

- An X.509 certificate associates a public key with an identity
- A Certification Authority (CA) creates the certificate: it adheres to its policies, verifies the identity, and signs the certificate
- The user of a certificate must ensure it is valid
- A public-key certificate comprises at least three types of information: a public key, naming information, and a digital signature
- CA types: private (private network, corporate) or public

35. X.509: Certificate Content (ASN.1 DER format)

- Version (X.509 version, e.g. 3)
- Serial number (integer)
- Signature algorithm identifier: object identifier (OID) of the algorithm used to digitally sign the certificate, e.g. sha1WithRSAEncryption: {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) sha1-with-rsa-signature(5)}, i.e. 1.2.840.113549.1.1.5
- Issuer (CA) X.500 name: identifies the organization that issued this certificate (see slide 39)
- Validity period (start, end)

36. X.509: Certificate Content (cont.)

- Subject X.500 name (owner): same format as the Issuer, see slide 39
- Subject public key: algorithm ID (OID), algorithm parameters, public key value
- Issuer unique ID (allows several IDs for the same issuer); subject unique ID (several IDs for the same subject)
- Extensions: optional (used by browsers)
- CA digital signature: digital signature over the content of the certificate, made with the CA's private key. The user verifies this signature using the CA's public key.

37. Digital Signature Principle

The signatory's private key is used to "encrypt" a message (in practice, its hash value); the RSA signature is generated for that particular message. The sender's public key is used to successfully decrypt the signature, proving that only someone possessing the private key could have created it.

38. Digital Signature in Action (e.g. certificate verification) (figure: sender side and receiver side)

39. Issuer and Subject Name Format

Name attributes (Distinguished Name) by Object Identifier (OID):

  countryName     ::= SEQUENCE { {2.5.4.6},  StringType (SIZE (2)) }
  organization    ::= SEQUENCE { {2.5.4.10}, StringType (SIZE (1..64)) }
  localityName    ::= SEQUENCE { {2.5.4.7},  StringType (SIZE (1..64)) }
  stateOrProvince ::= SEQUENCE { {2.5.4.8},  StringType (SIZE (1..64)) }
  commonName      ::= SEQUENCE { {2.5.4.3},  StringType (SIZE (1..64)) }

Distinguished Name (DN) user format: country at the highest level (e.g. US), organization typically at the next level (e.g. CertCo), individual below (e.g. common name Elizabeth):

  DN = { C=US, O=CertCo, CN=Elizabeth }
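As an added example (not from the original slides), the DER encoding behind slides 35 and 39: object identifiers such as 1.2.840.113549.1.1.5 encoded to and from their byte form, plus a minimal DER reader for an X.509 Name (SEQUENCE OF SET OF SEQUENCE { OID, string }) that renders the slide's C=US, O=CertCo, CN=Elizabeth example. The Name bytes are constructed here with a matching encoder; real certificates carry the same structure inside a much larger TBSCertificate.

```python
# Added example (not from the original slides): DER OIDs and X.509 Names.
# The sample Name is constructed by encode_name(); only short-form lengths
# (< 128 bytes) are produced, which is all a typical Name needs.

DN_ATTRIBUTES = {  # OIDs listed on slide 39
    "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.3": "CN",
}
SIGNATURE_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}  # slide 35


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: tag 06, length, 40*arc1+arc2, then base-128 arcs (high bit = more)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid_body(body: bytes) -> str:
    """Inverse of encode_oid for the value bytes (without tag and length)."""
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one DER element; handles long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_name(der: bytes) -> str:
    """Flatten a DER Name (one attribute per RDN) into 'C=US, O=CertCo, CN=Elizabeth'."""
    tag, rdn_seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdn_seq):
        tag, rdn_set, pos = read_tlv(rdn_seq, pos)   # SET OF AttributeTypeAndValue
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        _, atv, _ = read_tlv(rdn_set, 0)             # SEQUENCE { type, value }
        _, oid_body, after_oid = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, after_oid)
        oid = decode_oid_body(oid_body)
        parts.append(f"{DN_ATTRIBUTES.get(oid, oid)}={value.decode('ascii')}")
    return ", ".join(parts)


def encode_name(attrs) -> bytes:
    """Build a DER Name from (dotted_oid, PrintableString) pairs, one attribute per RDN."""
    rdns = b""
    for oid, text in attrs:
        atv = encode_oid(oid) + bytes([0x13, len(text)]) + text.encode("ascii")
        atv = bytes([0x30, len(atv)]) + atv
        rdns += bytes([0x31, len(atv)]) + atv
    return bytes([0x30, len(rdns)]) + rdns


if __name__ == "__main__":
    print(encode_oid("1.2.840.113549.1.1.5").hex())  # sha1WithRSAEncryption
    name = encode_name([("2.5.4.6", "US"), ("2.5.4.10", "CertCo"), ("2.5.4.3", "Elizabeth")])
    print(name.hex())
    print(parse_name(name))
```

Comparing names by their DER bytes rather than by the rendered string avoids the classic pitfalls (string types, case, whitespace) when checking that a certificate's Issuer equals the CA certificate's Subject during chain validation (slide 41).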

40. Certificate Message Structure (figure)

41. Validating a Certificate

- Must recognize an accepted CA in the certificate chain; one CA may issue a certificate for another CA
- Must verify that the certificate has not been revoked; the CA publishes a Certificate Revocation List (CRL)

42. SSL Messages - reminder (the same message flow as on slide 24)

43. Client Key Exchange - Asymmetric Encryption of the Client Premaster Secret

Premaster secret: created by the client; used to seed the calculation of the encryption parameters.
- RSA: 2 bytes of SSL/TLS version + 46 random bytes, sent to the server encrypted with the server's public key
- Diffie-Hellman: the premaster secret is the shared value produced by the DH computation

44. ClientKeyExchange Message Structure (RSA)

For RSA key exchange, the premaster secret is simply 2 bytes for the version of SSL/TLS the client supports (3 and 1 for TLS 1.0) followed by 46 securely generated random bytes, encrypted with the server's public key.

45. SSL Encryption

- Master secret: generated by both parties from the premaster secret and the random values generated by both client and server
- Key material: generated from the master secret and the shared random values
- Encryption keys: extracted from the key material

46. SSL/TLS Master Secret Generation (using the premaster secret) (figure)

47. TLS Key Material Generation (figure; see next slide)

48. TLS Pseudorandom Function (figure)

49. Change Cipher Spec & Finished Messages

Change Cipher Spec: switch to the newly negotiated algorithms and key material.

Finished:
- the first message encrypted with the new crypto parameters
- approval of a successful negotiation
- a digest (PRF output) over the negotiated master secret, the hash of all handshake messages exchanged so far, and a label identifying the sender type (client or server)
- if the receiver cannot decrypt or verify the message, it closes the session

50. ChangeCipherSpec and Alert Protocols (figure: CCS and Alert message structures)

51. Finished Message Structure (figure)

52. Application Data Message (Stream Cipher) Structure (figure)

53. TLS Connection States

Each side holds four states:

             Pending                       Active
  Read       Encr Key=  MAC=  Secret=      Encr Key=  MAC=  Secret=
  Write      Encr Key=  MAC=  Secret=      Encr Key=  MAC=  Secret=

- ServerHello changes the encryption key and MAC algorithm in the Pending/Read and Pending/Write states from null (or old) to the new values, in both client and server.
- ClientKeyExchange changes the Secret in the Pending/Read and Pending/Write states from null (or old) to the new value, in both client and server.
- Transmitting ChangeCipherSpec moves Pending to Active in the Write state.
- Receiving ChangeCipherSpec moves Pending to Active in the Read state.
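As an added example (not from the original slides), a small model of the four connection states above and the three events that move them, run through a full handshake on both sides. It shows the asymmetry the slide implies: between the client's ChangeCipherSpec and the server's, the client already encrypts what it writes but still reads plaintext, and the server reads ciphertext but still writes plaintext. The cipher names and secret are placeholders, not real key material.

```python
# Added example (not from the original slides): pending/active read/write
# states per side, following RFC 2246 section 6.1 (after a CCS the pending
# state becomes current and is reinitialized to empty).
from dataclasses import dataclass, field, replace


@dataclass
class SecurityState:
    cipher: str = "NULL"
    mac: str = "NULL"
    secret: bytes = b""

    @property
    def encrypting(self) -> bool:
        return self.cipher != "NULL"


@dataclass
class ConnectionStates:
    active_read: SecurityState = field(default_factory=SecurityState)
    active_write: SecurityState = field(default_factory=SecurityState)
    pending_read: SecurityState = field(default_factory=SecurityState)
    pending_write: SecurityState = field(default_factory=SecurityState)

    def on_server_hello(self, cipher: str, mac: str) -> None:
        """Negotiated algorithms go into both pending states; active states are untouched."""
        self.pending_read = replace(self.pending_read, cipher=cipher, mac=mac)
        self.pending_write = replace(self.pending_write, cipher=cipher, mac=mac)

    def on_client_key_exchange(self, secret: bytes) -> None:
        self.pending_read = replace(self.pending_read, secret=secret)
        self.pending_write = replace(self.pending_write, secret=secret)

    def send_change_cipher_spec(self) -> None:
        """Tx CCS: our write side switches; our read side waits for the peer's CCS."""
        self.active_write, self.pending_write = self.pending_write, SecurityState()

    def receive_change_cipher_spec(self) -> None:
        """Rx CCS: the peer switched its write state, so our read side follows."""
        self.active_read, self.pending_read = self.pending_read, SecurityState()


def encryption_flags(side: ConnectionStates):
    """(write encrypted?, read encrypted?) for one side."""
    return side.active_write.encrypting, side.active_read.encrypting


def full_handshake_demo():
    """Return ((client flags), (server flags)) after the client's CCS and again after the server's."""
    client, server = ConnectionStates(), ConnectionStates()
    for side in (client, server):
        side.on_server_hello("3DES_EDE_CBC", "SHA")          # placeholder algorithm names
        side.on_client_key_exchange(b"constructed-secret")   # placeholder secret
    client.send_change_cipher_spec()
    server.receive_change_cipher_spec()
    after_client_ccs = (encryption_flags(client), encryption_flags(server))
    server.send_change_cipher_spec()
    client.receive_change_cipher_spec()
    after_server_ccs = (encryption_flags(client), encryption_flags(server))
    return after_client_ccs, after_server_ccs


if __name__ == "__main__":
    mid, end = full_handshake_demo()
    print("after client CCS  (client w/r, server w/r):", mid)
    print("after server CCS  (client w/r, server w/r):", end)
```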

54. TLS Connection States (cont.) (figure)

55. TLS Connection States (cont.) (figure)

56. PKI

A PKI is an infrastructure that can be used to issue, validate and revoke public keys and public-key certificates (best defined in RFC 5280).

PKI functions:
- Public-key cryptography: includes the generation, distribution, administration and control of cryptographic keys
- Certificate issuance: binds a public key to an individual, organization or other entity
- Certificate validation: verifies that a trust relationship or binding exists and that a certificate is still valid for specific operations
- Certificate revocation: cancels a previously issued certificate and either publishes the cancellation in a Certificate Revocation List or makes it available through an Online Certificate Status Protocol responder

57. PKI Standards - Protocols

- RFC 5280 - X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
- RFC 2585 - X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP
- RFC 2560 - X.509 Public Key Infrastructure Online Certificate Status Protocol (OCSP)
- RFC 4210 - X.509 Public Key Infrastructure Certificate Management Protocol (CMP); uses PKCS#7 and PKCS#10, possibly not widely deployed
- RSA PKCS #7 (RFC 2315) - Cryptographic Message Syntax standard
- RSA PKCS #10 v1.7 (RFC 2986) - Certificate Request Syntax standard
- IETF draft-nourse-scep-20 - Simple Certificate Enrollment Protocol
- RFC 4510 to RFC 4521 - Lightweight Directory Access Protocol (LDAP)

58. PKIX Architectural Model (from RFC 5280) (figure)

59. SCEP - Simple Certificate Enrollment Protocol

draft-nourse-scep-20 (Cisco; expired June 2010)

SCEP is a PKI communication protocol which leverages existing technology by using PKCS#7, PKCS#10 and LDAP.

SCEP is the evolution of the enrollment protocol developed by VeriSign, Inc. for Cisco Systems, Inc. It now enjoys wide support in both client and CA implementations:
- SCEP is supported by Microsoft Windows Server 2000-2003
- OpenSSL supports an SCEP client (network device), for Unix only (?)
- Network Device Enrollment Service (Windows Server 2008) allows software on routers and other network devices running without domain credentials to obtain certificates based on SCEP

The protocol supports CA and RA public key distribution, certificate enrollment, certificate revocation, certificate queries, and certificate revocation queries.

60. Changes from SSL 3.0 to TLS

- Fortezza algorithm removed in TLS
- Additional alerts added
- Modifications to the hash calculations; different master secret and key material calculations
- TLS protocol version 3.1 in ClientHello and ServerHello (the last SSL version is 3.0)
- Separate cipher suite codes

61. TLS Version 1.1 Enhancements

- Added protection against cipher block chaining (CBC) attacks
- The implicit initialization vector (IV) was replaced with an explicit IV
- Change in the handling of padding errors
- Support for IANA registration of parameters
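As an added example (not from the original slides), CBC mode with the padding that slide 30 says block ciphers require, and the two TLS 1.1 changes listed above made concrete: in TLS 1.0 the IV of each record is the last ciphertext block of the previous record, so it is known to anyone watching the wire before the next record is encrypted; TLS 1.1 sends a fresh random IV in front of each record instead, and requires every padding byte to be checked with bad padding reported exactly like a bad MAC. The block function below is a stand-in (XOR with the key, then reverse the block), constructed so the chaining, padding and framing can run without AES; it is not a cipher.

```python
# Added example (not from the original slides): TLS CBC padding, implicit
# (TLS 1.0) vs explicit (TLS 1.1) IVs. demo_block_* is a placeholder
# permutation, NOT a cipher; it exists only so the CBC logic is runnable.
import os

BLOCK = 16


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def demo_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for a block cipher: XOR with the key, then reverse the bytes."""
    return xor_bytes(key, block)[::-1]


def demo_block_decrypt(key: bytes, block: bytes) -> bytes:
    return xor_bytes(key, block[::-1])


def tls_pad(data: bytes, block_size: int = BLOCK) -> bytes:
    """TLS padding: padding_length + 1 trailing bytes, every one equal to padding_length."""
    pad_len = block_size - (len(data) + 1) % block_size
    return data + bytes([pad_len]) * (pad_len + 1)


def tls_unpad(padded: bytes):
    """Return the data, or None if the padding is malformed (all bytes are checked)."""
    if not padded:
        return None
    pad_len = padded[-1]
    if pad_len + 1 > len(padded):
        return None
    if any(b != pad_len for b in padded[-(pad_len + 1):]):
        return None
    return padded[: len(padded) - pad_len - 1]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = demo_block_encrypt(key, xor_bytes(prev, plaintext[i:i + BLOCK]))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += xor_bytes(prev, demo_block_decrypt(key, block))
        prev = block
    return out


class Tls10Writer:
    """TLS 1.0: the IV of each record is the last ciphertext block of the previous record."""

    def __init__(self, key: bytes, initial_iv: bytes):
        self.key, self.iv = key, initial_iv

    def encrypt_record(self, data: bytes) -> bytes:
        ciphertext = cbc_encrypt(self.key, self.iv, tls_pad(data))
        self.iv = ciphertext[-BLOCK:]  # already on the wire before the next record is built
        return ciphertext


def tls11_encrypt_record(key: bytes, data: bytes) -> bytes:
    """TLS 1.1: a fresh random IV per record, sent in clear in front of the ciphertext."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, tls_pad(data))


def tls11_decrypt_record(key: bytes, record: bytes):
    """Return the data or None; a caller must answer None and a MAC failure with the same alert."""
    iv, ciphertext = record[:BLOCK], record[BLOCK:]
    if len(ciphertext) % BLOCK:
        return None
    return tls_unpad(cbc_decrypt(key, iv, ciphertext))


if __name__ == "__main__":
    key = b"constructed-key!"
    writer = Tls10Writer(key, bytes(BLOCK))
    first, second = writer.encrypt_record(b"hello"), writer.encrypt_record(b"hello")
    print("TLS 1.0: IV used for record 2 was the last block of record 1:", first[-BLOCK:].hex())
    rec = tls11_encrypt_record(key, b"hello")
    print("TLS 1.1 record (IV || ciphertext):", rec.hex(), "->", tls11_decrypt_record(key, rec))
```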

62. TLS Version 1.2 Enhancements

- The MD5/SHA-1 combination in the pseudorandom function (PRF) was replaced with SHA-256, with an option to use cipher-suite-specified PRFs.
- The MD5/SHA-1 combination in the Finished message hash was replaced with SHA-256, with an option to use cipher-suite-specific hash algorithms.
- The MD5/SHA-1 combination in the digitally-signed element was replaced with a single hash negotiated during the handshake, defaulting to SHA-1.
- Enhancement of the client's and server's ability to specify which hash and signature algorithms they will accept.
- Expansion of support for authenticated encryption ciphers, used mainly for Galois/Counter Mode (GCM) and CCM mode of AES encryption.
- TLS extensions definition and Advanced Encryption Standard (AES) cipher suites were added.

63. Thank You