1 / 104

Applied Cryptography

Applied Cryptography. Spring 2014. SSL/TLS standards. SSL/TLS. SSL/TLS. What is SSL / TLS?. Transport Layer Security protocol, ver 1.0 De facto standard for Internet security

draco
Download Presentation

Applied Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Applied Cryptography Spring 2014 SSL/TLS standards

  2. SSL/TLS

  3. SSL/TLS

  4. What is SSL / TLS? • Transport Layer Security protocol, ver 1.0 • De facto standard for Internet security • “The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications” • In practice, used to protect information transmitted between browsers and Web servers • Based on Secure Sockets Layers protocol, ver 3.0 • Same protocol design, different algorithms • Deployed in nearly every web browser

  5. History of the Protocol The SSL protocol was originally developed by Netscape. Version 1.0 was never publicly released. Version 2.0 was released in 1994 but "contained a number of security flaws which ultimately led to the design of SSL version 3.0", which was released in 1996. This later served as the basis for TLS version 1.0, an IETF standard protocol first defined in RFC 2246 in January 1999.

  6. History of the Protocol • SSL 1.0 • Internal Netscape design, early 1994? • Lost in the mists of time • SSL 2.0 • Published by Netscape, November 1994 • Badly broken • SSL 3.0 • Designed by Netscape and Paul Kocher, November 1996 • TLS 1.0 • Internet standard based on SSL 3.0, January 1999 • Not interoperable with SSL 3.0 • TLS 1.1 • Update of TLS 1.0, April 2006 • Basically added protection to some attacks (IV, padding) • TLS 1.2 • August 2008 (refined 2011 – no SSL 2.0 compatibility) • AES support, replacement of MD5/SHA1 with SHA256

  7. Flaws of SSL v2 • Identical cryptographic keys are used for message authentication and encryption. • SSL v2 has a weak MAC construction that uses the MD5 hash function with a secret prefix, making it vulnerable to length extension attacks. • SSL v2 does not have any protection for the handshake, meaning a man-in-the-middle downgrade attack can go undetected. • SSL v2 uses the TCP connection close to indicate the end of data. This means that truncation attacks are possible: the attacker simply forges a TCP FIN, leaving the recipient unaware of an illegitimate end of data message (SSL v3 fixes this problem by having an explicit closure alert). • SSL v2 assumes a single service, and a fixed domain certificate, which clashes with the standard feature of virtual hosting in webservers. This means that most websites are practically impaired from using SSL. .

  8. TLS 1.0 – BEAST attack On September 23, 2011 researchers Thai Duong and Juliano Rizzo demonstrated a "proof of concept" called BEAST ("Browser Exploit Against SSL/TLS") using a Java applet to violate same origin policy constraints, for a long-known Cipher block chaining (CBC) vulnerability in TLS 1.0. Practical exploits had not been previously demonstrated for this vulnerability, which was originally discovered by Phillip Rogaway in 2002. Mozilla updated the development versions of their NSS libraries to mitigate BEAST-like attacks. NSS is used by Mozilla Firefox and Google Chrome to implement SSL. Some web servers that have a broken implementation of the SSL specification may stop working as a result. Microsoft released Security Bulletin MS12-006 on January 10, 2012, which fixed the BEAST vulnerability by changing the way that the Windows Secure Channel (SChannel) component transmits encrypted network packets.

  9. TLS 1.0 – BEAST attack CBC chaining (above) IV for each block depends from previous encrypted value, so there is a practical attack provided that there is a reliable “oracle” reporting padding errors. As it seems attack can be used to recover information from encrypted cookies. TLS 1.1+ uses “explicit IV” for each block.

  10. Sending of messages

  11. Receiving of messages

  12. Network security

  13. SSL/TLS

  14. Secure HTTP S-HTTP was developed by Allan Schiffman and Eric Rescorla around 1993. Seems to be used just in some "experimental" browser versions...

  15. IPSEC

  16. Kerberos

  17. Kerberos A third-party authentication protocol designed for TCP/IP networks. Developed at MIT. Not in public domain, but in principle it is possible to obtain it for free.

  18. SSL/TLS Some modifications of HTTP still required though - HTTPS (Hypertext Transfer Protocol Secure )

  19. Kerberos A third-party authentication protocol designed for TCP/IP networks Developed at MIT Uses Needham-Schroeder’s trusted third party protocol Not in public domain, but in principle it is possible to obtain it for free

  20. Network security

  21. TLS Basics • TLS consists of two protocols • Handshake protocol • Use public-key cryptography to establish a shared secret key between the client and the server • Record protocol • Use the secret key established in the handshake protocol to protect communication between the client and the server

  22. TLS Example

  23. TLS architecure ERROR HANDLING INITIALIZES SECURE COMMUNICATION HANDLES COMMUNICATION WITH THE APPLICATION Protocols INITIALIZES COMMUNCATION BETWEEN CLIENT & SERVER HANDLES DATA COMPRESSION

  24. TLS Handshake Protocol • Two parties: client and server • Negotiate version of the protocol and the set of cryptographic algorithms to be used • Interoperability between different implementations of the protocol • Authenticate client and server (optional) • Use digital certificates to learn each other’s public keys and verify each other’s identity • Use public keys to establish a shared secret

  25. Handshake Phases • Hello messages • Certificate and Key Exchange messages • Change CipherSpec and Finished messages

  26. SSL messages

  27. SSL messages

  28. TLS architecure ERROR HANDLING INITIALIZES SECURE COMMUNICATION HANDLES COMMUNICATION WITH THE APPLICATION Protocols INITIALIZES COMMUNCATION BETWEEN CLIENT & SERVER HANDLES DATA COMPRESSION

  29. Record layer

  30. Record layer

  31. TLS Record layer

  32. TLS architecure ERROR HANDLING INITIALIZES SECURE COMMUNICATION HANDLES COMMUNICATION WITH THE APPLICATION Protocols INITIALIZES COMMUNCATION BETWEEN CLIENT & SERVER HANDLES DATA COMPRESSION

  33. TLS Handshake protocol

  34. TLS Alert protocol

  35. TLS ChangeCipherSpec protocol

  36. TLS Application protocol MAC - optional in SSL, required in TLS MD5/SHA-1 based HMAC

  37. HMAC ipad = 0x36 opad = 0x5c K is 64 bytes long (padded to the right with 0-s) Supported by SSL3.0, “enforced” in TLS1.0

  38. SSL – establishing communications

  39. SSL Messages SERVER SIDE CLIENT SIDE OFFER CIPHER SUITE MENU TO SERVER SELECT A CIPHER SUITE SEND CERTIFICATE AND CHAIN TO CA ROOT SEND PUBLIC KEY TO ENCRYPT SYMM KEY SERVER NEGOTIATION FINISHED SEND ENCRYPTED SYMMETRIC KEY ACTIVATE ENCRYPTION ( SERVER CHECKS OPTIONS ) CLIENT PORTION DONE ACTIVATESERVER ENCRYPTION ( CLIENT CHECKS OPTIONS ) SERVER PORTION DONE NOW THE PARTIES CAN USE SYMMETRIC ENCRYPTION SOURCE: THOMAS, SSL AND TLS ESSENTIALS

  40. SSL – establishing communications

  41. SSL – establishing communications

  42. SSL – establishing communications

  43. Client Hello

  44. Client Hello

  45. Client Hello/Cypher suites

  46. Client Hello/Cypher suites

  47. Client HelloCypher suites

  48. Time requirements of public key algorithms

  49. RC4 • for i=0,…,N-1 S[i]=i • j=0 • for i=0…N-1 • j=j+S[i]+Key[i mod l] • Swap[S[i], S[j]] • i=i+1 • j=j+S[i] • Swap(S[i],S[j]) • Output z =S[S[i]+S[j]] Ron Rivest (RSA Security) 1987 Widely used in SSL, WEP etc 104-bit RC4 used in WEP can be cracked in less than a minute

  50. RC4 • Easy computation • Fast • Can use large bit blocks and keys • Stream based encryption • Key can be made to change at regular intervals using fancy programming • Implementation in Popular languages (C, perl) well documented. • Vulnerable to brute force attacks • Require a large data structure • Proven Breakable by researchers at ATT and Rice Univ. (August, 2001) • “One hour of brute force computation to break standard WEP” • Once Key is broken all messages are easily readable.

More Related