
Crash course on SSL/TLS. Ran Canetti, December 2009 (based on slides by Jörg Schwenk)






Presentation Transcript


  1. Crash course on SSL/TLS. Ran Canetti, December 2009 (based on slides by Jörg Schwenk)

  2. SSL
     • De facto standard for client-server security
     • IETF RFC: The TLS Protocol Version 1.0 (RFC 2246)
     • All commodity browsers support SSL
     • Open implementations (e.g. SSLRef, SSLPlus, SSLava, SSLeay, OpenSSL, mod_ssl)

  3. SSL/TLS Framework (layer diagram): HTTP(S) sits on top. The Handshake protocol (key exchange), Change Cipher Spec, Alert and Application Data protocols all run over the Record Layer (data encryption and authentication), which in turn runs over TCP.

  4. SSL/TLS Record Layer (diagram): HTTP data is fragmented; each fragment is compressed, a MAC is appended, then padding plus a padding-length byte, and the result is encrypted. Every record carries a header with the content type (here application data carrying HTTP), the protocol version 3.1 (TLS 1.0) and the length.
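The record-layer pipeline of slide 4, as a worked example added here (not code from the slides): the TLS 1.0 write and read side for a block-cipher suite as specified in RFC 2246 section 6.2, with fragmentation into at most 2^14-byte fragments, HMAC-SHA1 over the sequence number and record header, and the padding/padding-length layout. The null compression method is assumed and the bulk encryption step is left out so the body layout stays visible; the MAC key and the HTTP payload are constructed.

```python
"""TLS 1.0 record layer (RFC 2246, section 6.2) for a block-cipher suite.

Added example, not code from the slides. The null compression method is
assumed and the bulk encryption step is left out, so each record carries
the GenericBlockCipher body (fragment || MAC || padding || padding_length)
in the clear and its layout can be inspected. The MAC key is constructed.
"""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14            # fragments are at most 2^14 bytes
CT_APPLICATION_DATA = 23
VERSION_TLS10 = (3, 1)            # the "3.1" in the slide's record header
MAC_LEN = hashlib.sha1().digest_size


def _mac(mac_key, seq_num, content_type, version, fragment):
    # MAC input: seq_num(8) || type(1) || version(2) || length(2) || fragment.
    # The 64-bit sequence number is never sent; it binds the record to its
    # position so replayed or reordered records fail the MAC check.
    hdr = struct.pack("!QBBBH", seq_num, content_type, version[0], version[1], len(fragment))
    return hmac.new(mac_key, hdr + fragment, hashlib.sha1).digest()


def protect(data, mac_key, seq_num=0, block_size=16,
            content_type=CT_APPLICATION_DATA, version=VERSION_TLS10):
    """Split data into records: 5-byte header followed by fragment || MAC || padding."""
    records = []
    for off in range(0, len(data), MAX_FRAGMENT):
        fragment = data[off:off + MAX_FRAGMENT]
        body = fragment + _mac(mac_key, seq_num, content_type, version, fragment)
        # Pad so that len(body) + padding + 1 is a multiple of the block size;
        # every padding byte, including the final length byte, equals pad_len.
        pad_len = (block_size - (len(body) + 1) % block_size) % block_size
        body += bytes([pad_len]) * (pad_len + 1)
        header = struct.pack("!BBBH", content_type, version[0], version[1], len(body))
        records.append(header + body)
        seq_num += 1
    return records


def unprotect(records, mac_key, seq_num=0, block_size=16):
    """Reverse of protect(); raises ValueError (a bad_record_mac alert) on any defect."""
    out = bytearray()
    for rec in records:
        content_type, major, minor, length = struct.unpack("!BBBH", rec[:5])
        body = rec[5:5 + length]
        if len(body) != length or length % block_size != 0:
            raise ValueError("bad record length")
        pad_len = body[-1]
        if pad_len + 1 + MAC_LEN > len(body) or any(b != pad_len for b in body[-(pad_len + 1):]):
            raise ValueError("bad_record_mac")
        fragment = body[:-(pad_len + 1 + MAC_LEN)]
        mac = body[-(pad_len + 1 + MAC_LEN):-(pad_len + 1)]
        expected = _mac(mac_key, seq_num, content_type, (major, minor), fragment)
        if not hmac.compare_digest(mac, expected):
            raise ValueError("bad_record_mac")
        out += fragment
        seq_num += 1
    return bytes(out)


if __name__ == "__main__":
    key = bytes(range(20))                                         # constructed MAC key
    payload = b"GET / HTTP/1.1\r\nHost: bank.com\r\n\r\n" * 600   # > 2^14 bytes: two records
    recs = protect(payload, key)
    print(len(recs), "records of", [len(r) for r in recs], "bytes")
    assert unprotect(recs, key) == payload
```

Reversing the order of the two records, or replaying one, fails in unprotect() even though every byte of each record is intact: the sequence number is part of the MAC input without ever appearing on the wire.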

  5. SSL/TLS: Handshake (diagram of the handshake between a client and the server bank.com; only the labels survived extraction)

  6. Protocol Specification

  7. SSL/TLS: ciphersuites

  8. SSL/TLS: ciphersuites

  9. TLS Renegotiation
     • The spec allows either party (I or R) to initiate a renegotiation: a new handshake, ending in a "change cipher spec", that is carried inside the existing session and is therefore encrypted and authenticated under the current session keys.
     • As a result, a new key is negotiated from scratch.
     • There is no "binding" between the old and the new keys: these are two independent sessions. Still, the two sessions appear to the application as one and the same "stream".
     • Consequently, it is possible to attack the protocol:

  10. TLS Renegotiation attack

      Client                      Attacker                      Server
                                  <----------- Handshake ----------->
                                  <======= Initial Traffic =========>
      <------------------------ Handshake -------------------------->
      <======================== Client Traffic ======================>

      The attacker first opens its own session with the server and sends some data ("Initial Traffic"). It then forwards the client's initial handshake into that session, where the server treats it as a renegotiation; because the two sessions are not bound to each other, the client's traffic is appended to the stream the attacker started.

  11. TLS Renegotiation attack (the diagram of slide 10 repeated)
     • There is much work currently being done at the IETF on how to fix the protocol. (The fix the IETF adopted, RFC 5746 of February 2010, carries the verify_data of the previous handshake in a renegotiation_info extension, so that a renegotiation is bound to the handshake that preceded it and the splice above is refused.)
     • This is a great example of the importance of modeling and proof in practical crypto.
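The exchange of slides 9 to 11 as a simulation added here (not code from the slides). Each session is represented by the plaintext the record layer delivers to the server application, since that is the layer at which the splice becomes visible. bank.com is the server name from slide 5; the request paths, the cookie value and the verify_data stand-in are constructed. The secure_renegotiation flag models the RFC 5746 check, in which a client that renegotiates must present the verify_data of the handshake this connection previously completed; the extension handling is reduced to that one comparison.

```python
"""The TLS renegotiation attack (slides 9-11) as seen by the server application,
and the RFC 5746 binding that stops it. Added example, not code from the slides.
Sessions are modelled by the plaintext the record layer delivers to the server
application; bank.com is the slide's server name, the paths, cookie value and
verify_data stand-in are constructed."""
import hashlib

# Attacker's partial request: the missing CRLF after "X-Ignore:" makes the
# server read the client's own request line as the value of that header.
ATTACKER_PREFIX = (b"GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
                   b"Host: bank.com\r\n"
                   b"X-Ignore: ")
# The victim's request, sent after what it believes is its initial handshake.
CLIENT_REQUEST = (b"GET /account HTTP/1.1\r\n"
                  b"Host: bank.com\r\n"
                  b"Cookie: session=c0ffee\r\n\r\n")


class HandshakeFailure(Exception):
    pass


def verify_data(peer, handshake_no):
    """Stand-in for the Finished message's verify_data (a PRF over the transcript)."""
    return hashlib.sha256(b"transcript|" + peer + bytes([handshake_no])).digest()[:12]


def parse_requests(stream):
    """Minimal HTTP/1.1 parser: [(method, target, {header: value})] per request."""
    requests = []
    for raw in stream.split(b"\r\n\r\n"):
        if not raw.strip():
            continue
        lines = raw.split(b"\r\n")
        method, target, _version = lines[0].split(b" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        requests.append((method, target, headers))
    return requests


class Server:
    def __init__(self, secure_renegotiation):
        self.secure_renegotiation = secure_renegotiation
        self.stream = b""                    # what the application layer sees
        self.handshakes = 0
        self.last_client_verify_data = None  # None until a handshake has completed

    def handshake(self, peer, renegotiation_info):
        """renegotiation_info is the client's extension value: b"" on what the
        client believes is an initial handshake, else its previous verify_data."""
        if self.secure_renegotiation and self.last_client_verify_data is not None:
            # RFC 5746: a renegotiation must prove knowledge of the handshake this
            # connection actually completed. The tunneled client cannot, since it
            # never took part in the attacker's handshake.
            if renegotiation_info != self.last_client_verify_data:
                raise HandshakeFailure("renegotiation_info mismatch")
        self.handshakes += 1
        self.last_client_verify_data = verify_data(peer, self.handshakes)

    def recv(self, plaintext):
        # Whatever keys produced it, record-layer plaintext lands on one stream:
        # the missing binding between old and new session that slide 9 describes.
        self.stream += plaintext

    def requests(self):
        return parse_requests(self.stream)


def run_attack(secure_renegotiation):
    """Replays the exchange of slide 10; returns the requests the server application sees."""
    server = Server(secure_renegotiation)
    server.handshake(b"attacker", renegotiation_info=b"")   # Attacker <-> Server handshake
    server.recv(ATTACKER_PREFIX)                             # Initial Traffic
    server.handshake(b"client", renegotiation_info=b"")     # client's handshake, forwarded
    server.recv(CLIENT_REQUEST)                              # Client Traffic
    return server.requests()


if __name__ == "__main__":
    for method, target, headers in run_attack(secure_renegotiation=False):
        print(method.decode(), target.decode(), "Cookie:", headers.get(b"cookie"))
    try:
        run_attack(secure_renegotiation=True)
    except HandshakeFailure as e:
        print("with RFC 5746:", e)
```

Without the binding, the server application sees a single request for the attacker's target carrying the client's cookie; the client's own request line survives only as the value of the X-Ignore header. With the binding, the forwarded handshake is refused before any client traffic reaches the attacker's stream.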
