SSL and IPSec CS 461ECE 422 Spring 2012

SSL and IPSec CS 461/ECE 422 Spring 2012

Reading • Chapter 22 of text • Look at relevant IETF standards

SSL • Transport layer security – Provides confidentiality, integrity, authentication of endpoints – Developed by Netscape for WWW browsers and servers • Internet protocol version: TLS – Compatible with SSL – Standard rfc 2712

Working at Transport Level • Data link, Network, and Transport headers sent unchanged • Original transport header can be protected if tunneling Ethernet Frame Header IP Header TCP data stream Encrypted/authenticated Regardless of application

SSL Sessions and Connections • SSL Sessions – Association between client and server – Created by Handshake protocol – Defines set of cryptographic security parameters • SSL Connections – A transport-level connection – Potentially many connections per session – Share cryptographic parameters of session

SSL Protocol Stack

SSL Record Protocol Operation

Record Protocol Overview • Lowest layer, taking messages from higher – Max block size 16, 384 bytes – Bigger messages fragmented into multiple blocks – Construction – Block b compressed; call it bc – MAC computed for bc • If MAC key not selected, no MAC computed – bc, MAC enciphered • If enciphering key not selected, no enciphering done – SSL record header prepended Slide #11 -8

SSL Handshake Protocol • Used to initiate connection – Sets up parameters for record protocol – 4 rounds • Upper layer protocol – Invokes Record Protocol • Note: what follows assumes client, server using RSA as interchange cryptosystem

Handshake Protocol: Phase 1 and 2

Handshake Round 1 Client v. C v r 1 , r 2 s 1 ciphers comps cipher comp { v. C || r 1 || s 1 || ciphers || comps } {v || r 2 || s 1 || cipher || comp } Server Client’s version of SSL Highest version of SSL that Client, Server both understand nonces (timestamp and 28 random bytes) Current session id (0 if new session) Ciphers that client understands Compression algorithms that client understand Cipher to be used Compression algorithm to be used

Handshake Round 2 Client {certificate } {mod || exp || Sig. S(h(r 1 || r 2 || mod || exp)) } {ctype || gca } {er 2 } Server Note: if Server not to authenticate itself, only last message sent; third step omitted if Server does not need Client certificate k. S Server’s private key ctype Certificate type requested (by cryptosystem) gca Acceptable certification authorities er 2 End round 2 message

Handshake Protocols: Phases 3 and 4

Handshake Round 3 Client { client_cert } { pre }Pub. S Server Both Client, Server compute master secret master: master = MD 5(pre || SHA(‘A’ || pre || r 1 || r 2) || MD 5(pre || SHA(‘BB’ || pre || r 1 || r 2) || MD 5(pre || SHA(‘CCC’ || pre || r 1 || r 2) Client { h(master || opad || h(msgs || master | ipad)) } Server msgs Concatenation of previous messages sent/received this handshake opad, ipad As above

Handshake Round 4 Client sends “change cipher spec” message using that protocol Client Server { h(master || opad || h(msgs || 0 x 434 C 4 E 54 || master || ipad )) } Client Server sends “change cipher spec” message using that protocol Client Server { h(master || opad || h(msgs || 0 x 53525652 || master | ipad)) } Client msgs Server Concatenation of messages sent/received this handshake in previous rounds (does notinclude these messages) opad, ipad, master As above

Supporting Crypto Algorithms • The standard dictates algorithms that must be supported – Classical ciphers ensure confidentiality, cryptographic – checksums added for integrity • Only certain combinations allowed – Won’t allow really weak confidentiality algorithm with really strong authentication algorithm • Standard is augmented over time – E. g. , AES added in 2002 by rfc 3268

RSA: Cipher, MAC Algorithms

MITM Attacks • Classic attack foiled by certificates • Assuming certificates can be verified correctly • Not necessarily the case if the root certificates cannot be trusted • More subtle attacks appear over time – TLS Authentication Gap • Interaction of TLS and HTTP • http: //www. phonefactor. com/sslgap • Application above SSL/TLS tends to be HTTP but does not have to be

IPsec • Network layer security – Provides confidentiality, integrity, authentication of endpoints, replay detection • Protects all messages sent along a path dest IP IP+IPsec gw 2 IP gw 1 security gateway src

Standards • • Original RFC’s 2401 -2412 Mandatory portion of IPv 6 Bolted onto IPv 4 Newer standards – IKE: Standardized Key Management Protocol RFC 2409 – NAT-T: UDP encapsulation for traversing address translation RFC 3948

Network Level Encryption • Data link header and network header is unchanged • With tunneling original IP header can be protected Ethernet Frame Header IP packet Encrypted/authenticated Regardless of application

IPsec Transport Mode IP header encapsulated data body • Encapsulate IP packet data area • Use IP to send IPsec-wrapped data packet • Note: IP header not protected

IPsec Tunnel Mode IP header encapsulated IP header and data body • Encapsulate IP packet (IP header and IP data) • Use IP to send IPsec-wrapped packet • Note: IP header protected

IPsec Protocols • Authentication Header (AH) – Integrity of payload – Integrity of outer header – Anti-replay • Encapsulating Security Payload (ESP) – Confidentiality of payload and inner header – Integrity of payload (and now header)

ESP and integrity • Originally design, use AH to add integrity if needed. • Bellovin showed integrity is always needed – So added directly to ESP – http: //www. cs. columbia. edu/~smb/pape rs/badesp. pdf

IPsec Architecture • Security Association (SA) – Association between peers for security services • Identified uniquely by dest address, security protocol (AH or ESP), unique 32 -bit number (security parameter index, or SPI) – Unidirectional • Can apply different services in either direction – SA uses either ESP or AH; if both required, 2 SAs needed

SA Database Entries Sequence number counter Sequence counter overflow Anti-replay window AH or ESP information: algorithms, key lifetimes • Lifetime of SA • IPSec mode: Tunnel or transport • Path. MTU • •

ESP Header

Key Points • Separation of negotiation phase and operational phase • Standardized elements for algorithm support • Similar functionality between SSL and IPSec • Difference in network stack level Slide #11 -29