SSL Prof Ravi Sandhu CONTEXT v Mid to
- Slides: 67
SSL Prof. Ravi Sandhu
CONTEXT v Mid to late 90’s Ø Ø v SSL 1. 0 never released SSL 2. 0 flawed SSL 3. 0 complete redesign TLS from Netscape to IETF Competitors Ø Ø SET backed by credit card companies S-HTTP (as opposed to https) IPSEC backed by IETF committees SSH for secure remote access to Unix hosts © Ravi Sandhu 2
CRYPTOGRAPHIC SERVICES v Confidentiality Ø Encryption leaks profusely via side channels v Authentication Ø No + Integrity point having one without the other v Non-repudiation Ø Requires © Ravi Sandhu asymmetric cryptography 3
SYMMETRIC KEY ENCRYPTION INSECURE CHANNEL Plaintext Ciphertext Encryption Algorithm E Decryption Algorithm D A Plaintext B Symmetric Key K shared by A and B K CONFIDENTIAL AND AUTHENTICATED CHANNEL © Ravi Sandhu 4
SYMMETRIC KEY AUTHENTICATION INSECURE CHANNEL Plaintext + MAC Algorithm M Yes/No Verification Algorithm V A B K © Ravi Sandhu K CONFIDENTIAL AND AUTHENTICATED CHANNEL MAC: Message Authentication Code 5
ASYMMETRIC KEY ENCRYPTION INSECURE CHANNEL Plaintext Ciphertext Encryption Algorithm E Decryption Algorithm D A B B's Public Key © Ravi Sandhu Plaintext B's Private Key AUTHENTICATED CHANNEL 6
ASYMMETRIC KEY DIGITAL SIGNATURES INSECURE CHANNEL Plaintext + Signature Algorithm S Verification Algorithm V A B A's Private Key © Ravi Sandhu Yes/No A's Public Key AUTHENTICATED CHANNEL 7
SPEED OF ASYMMETRIC KEY VERSUS SYMMETRIC KEY v Asymmetric key runs 2 -3 orders of magnitude slower than symmetric key v This large difference in speed is likely to remain independent of technology advances © Ravi Sandhu 8
MESSAGE DIGEST original message no practical limit to size message digest algorithm sign the message digest not the message easy © Ravi Sandhu message digest 160 bit hard 9
CHALLENGE RESPONSE AUTHENTICATION NETWORK STATION HOST User ID Challenge Response © Ravi Sandhu 10
PUBLIC-KEY CERTIFICATES v authenticated distribution of public- keys v public-key encryption Ø sender needs public key of receiver v public-key Ø receiver digital signatures needs public key of sender v public-key agreement Ø either one or both need the other’s public key © Ravi Sandhu 11
X. 509 v 1 CERTIFICATE authenticated distribution of public-keys VERSION SERIAL NUMBER SIGNATURE ALGORITHM ISSUER VALIDITY SUBJECT PUBLIC KEY INFO SIGNATURE © Ravi Sandhu 12
X. 509 v 1 CERTIFICATE 1 1234567891011121314 RSA+MD 5, 512 C=US, S=VA, O=GMU, OU=ISE 9/9/99 -1/1/1 C=US, S=VA, O=GMU, OU=ISE, CN=Ravi Sandhu RSA, 1024, xxxxxxxxxxxxx SIGNATURE © Ravi Sandhu 13
CRL FORMAT SIGNATURE ALGORITHM ISSUER LAST UPDATE NEXT UPDATE REVOKED CERTIFICATES SIGNATURE SERIAL NUMBER REVOCATION DATE © Ravi Sandhu 14
X. 509 CERTIFICATES v X. 509 v 1 Ø very basic v X. 509 v 2 Ø adds unique identifiers to prevent against reuse of X. 500 names v X. 509 v 3 Ø adds many extensions Ø can be further extended © Ravi Sandhu 15
CERTIFICATE TRUST v how to acquire public key of the issuer to verify signature v whether or not to trust certificates signed by the issuer for this subject © Ravi Sandhu 16
SINGLE ROOT CA MODEL Root CA a b c User © Ravi Sandhu d e f g h i j k l m n o p Root CA 17
SINGLE ROOT CA MULTIPLE RA’s MODEL Root CA a b c User d e f g h i k l m n o p RA User RA © Ravi Sandhu j Root CA 18
MULTIPLE ROOT CA’s MODEL Root CA a b © Ravi Sandhu c Root CA d e f g h i Root CA j k l m n User Root CA o p 19
MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL ESTABLISHED BROWSER MODEL X S Q A a R C b © Ravi Sandhu c T E d e G f g I h i K j k M l m O n o p 20
SECURE ELECTRONIC TRANSACTIONS (SET) CA HIERARCHY Root Brand Geo-Political © Ravi Sandhu Bank Acquirer Customer Merchant 21
THE CERTIFICATE TRIANGLE user X. 509 attribute certificate X. 509 identity certificate attribute public-key SPKI certificate © Ravi Sandhu 22
SSL SERVICES v peer entity authentication v data confidentiality v data authentication and integrity v compression/decompression v generation/distribution of session keys Ø integrated v security © Ravi Sandhu into protocol parameter negotiation 23
SSL ARCHITECTURE SSL Change SSL Handshake Cipher Spec Alert Protocol Other HTTP Application Protocols SSL Record Protocol TCP IP © Ravi Sandhu 24
APPLICATION PORTS https v ssmtp v snntp v sldap v spop 3 v © Ravi Sandhu 443 465 563 636 995 ftp-data v ftps v imaps v telnets v ircs v 889 990 991 992 993 25
SSL ARCHITECTURE v Handshake protocol: complicated Ø Ø v Record protocol: straightforward Ø v fragment, compress, MAC, encrypt Change Cipher Spec protocol: straightforward Ø Ø v embodies key exchange & authentication 10 message types single 1 byte message with value 1 could be considered part of handshake protocol Alert protocol: straightforward Ø 2 byte messages • © Ravi Sandhu 1 byte alert level- fatal or warning; 1 byte alert code 26
SSL SESSION v SSL session negotiated by handshake protocol Ø session ID • Ø X. 509 public-key certificate of peer • Ø Ø • 48 byte shared secret is resumable flag • • © Ravi Sandhu encryption algorithm message digest algorithm master secret • Ø possibly null compression algorithm cipher spec • Ø chosen by server can be used to initiate new connections each session is created with one connection, but additional connections within the session can be further created 27
SSL CONNECTION STATE v v v connection end: client or server client and server random: 32 bytes each keys generated from master secret, client/server random Ø Ø Ø v v v client_write_MAC_secret server_write_MAC_secret client_write_key server_write_key client_write_IV server_write_IV compression state cipher state: initially IV, subsequently next feedback block sequence number: starts at 0, max 264 -1 © Ravi Sandhu 28
SSL CONNECTION STATE v 4 parts to state Ø Ø v current read state current write state pending read state pending write state handshake protocol Ø Ø © Ravi Sandhu initially current state is empty either pending state can be made current and reinitialized to empty 29
SSL RECORD PROTOCOL v 4 steps by sender (reversed by receiver) Ø Fragmentation Ø Compression Ø MAC Ø Encryption © Ravi Sandhu 30
SSL RECORD PROTOCOL v each SSL record contains Ø content type: 8 bits, only 4 defined • • Ø Ø change_cipher_spec alert handshake application_data protocol version number: 8 bits major, 8 bits minor length: max 16 K bytes (actually 214+2048) data payload: optionally compressed and encrypted message authentication code (MAC) © Ravi Sandhu 31
SSL HANDSHAKE PROTOCOL v initially SSL session has null compression and cipher algorithms v both are set by the handshake protocol at beginning of session v handshake protocol may be repeated during the session © Ravi Sandhu 32
SSL HANDSHAKE PROTOCOL v Type: Ø 10 1 byte message types defined v length: 3 bytes v content © Ravi Sandhu 33
SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol © Ravi Sandhu 34
SSL HANDSHAKE PROTOCOL v Phase 1: Ø Establish v Phase 2: Ø Server v Phase authentication and key exchange 3: Ø Client v Phase security capabilities authentication and key exchange 4: Ø Finish © Ravi Sandhu 35
SSL 1 -WAY HANDSHAKE WITH RSA Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol © Ravi Sandhu 36
SSL 2 -WAY HANDSHAKE WITH RSA Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol © Ravi Sandhu 37
SSL HANDSHAKE PROTOCOL these 9 handshake messages must occur in order shown v optional messages can be eliminated v 10 th message explained later v Ø v hello_request message change_cipher_spec is a separate 1 message protocol Ø © Ravi Sandhu functionally it is just like a message in the handshake protocol 38
SSL HANDSHAKE PROTOCOL © Ravi Sandhu 39
SSL HANDSHAKE PROTOCOL hello_request (not shown) can be sent anytime from server to client to request client to start handshake protocol to renegotiate session when convenient v can be ignored by client v Ø Ø if already negotiating a session don’t want to renegotiate a session • © Ravi Sandhu client may respond with a no_renegotiation alert 40
SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol © Ravi Sandhu 41
SSL HANDSHAKE: PHASE 1 ESTABLISH SECURITY CAPABILITIES v client hello Ø Ø 4 byte timestamp, 28 byte random value session ID: • non-zero for new connection on existing session zero for new connection on new session client version: highest version cipher_suite list: ordered list compression list: ordered list • Ø Ø Ø © Ravi Sandhu 42
SSL HANDSHAKE: PHASE 1 ESTABLISH SECURITY CAPABILITIES v server hello Ø Ø 32 byte random value session ID: • Ø version • Ø Ø © Ravi Sandhu new or reuse lower of client suggested and highest supported cipher_suite list: single choice compression list: single choice 43
SSL HANDSHAKE: PHASE 1 ESTABLISH SECURITY CAPABILITIES v cipher suite Ø key exchange method • • • © Ravi Sandhu RSA: requires receiver’s public-key certificates Fixed DH: requires both sides to have public-key certificates Ephemeral DH: signed ephemeral keys are exchanged, need signature keys and public-key certificates on both sides Anonymous DH: no authentication of DH keys, susceptible to man-in-the-middle attack Fortezza: Fortezza key exchange we will ignore Fortezza from here on 44
SSL HANDSHAKE: PHASE 1 ESTABLISH SECURITY CAPABILITIES v cipher suite Ø cipher spec • • © Ravi Sandhu Cipher. Algorithm: RC 4, RC 2, DES, 3 DES, DES 40, IDEA, Fortezza MACAlgorithm: MD 5 or SHA-1 Cipher. Type: stream or block Is. Exportable: true or false Hash. Size: 0, 16 or 20 bytes Key Material: used to generate write keys IV Size: size of IV for CBC 45
SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol © Ravi Sandhu 46
SSL HANDSHAKE: PHASE 2 SERVER AUTHENTICATION & KEY EXCHANGE v Certificate message Ø Ø v server’s X. 509 v 3 certificate followed by optional chain of certificates required for RSA, Fixed DH, Ephemeral DH but not for Anonymous DH Server Key Exchange message Ø Ø Ø not needed for RSA, Fixed DH needed for Anonymous DH, Ephemeral DH needed for RSA where server has signature-only key • © Ravi Sandhu server sends temporary RSA public encryption key to client 47
SSL HANDSHAKE: PHASE 2 SERVER AUTHENTICATION & KEY EXCHANGE v Server Key Exchange message Ø Ø signed by the server signature is on hash of • • v Certificate Request message Ø Ø request a certificate from client specifies Certificate Type and Certificate Authorities • v Client. Hello. random, Server. Hello. random Server Key Exchange parameters certificate type specifies public-key algorithm and use Server Done message Ø © Ravi Sandhu ends phase 2, always required 48
SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol © Ravi Sandhu 49
SSL HANDSHAKE: PHASE 3 CLIENT AUTHENTICATION & KEY EXCHANGE v Certificate message Ø send if server has requested certificate and client has appropriate certificate • v Client Key Exchange message Ø v otherwise send no_certificate alert content depends on type of key exchange (see next slide) Certificate Verify message Ø Ø Ø © Ravi Sandhu can be optionally sent following a client certificate with signing capability signs hash of master secret (established by key exchange) and all handshake messages so far provides evidence of possessing private key corresponding to certificate 50
SSL HANDSHAKE: PHASE 3 CLIENT AUTHENTICATION & KEY EXCHANGE v Client Key Exchange message Ø RSA client generates 48 -byte pre-master secret, encrypts with server’s RSA public key (from server certificate or temporary key from Server Key Exchange message) Ephemeral or Anonymous DH • client’s public DH value • Ø Ø Fixed DH • © Ravi Sandhu null, public key previously sent in Certificate Message 51
SSL HANDSHAKE: POST PHASE 3 CRYPTOGRAPHIC COMPUTATION v 48 byte pre master secret Ø RSA • • generated by client sent encrypted to server Ø DH • • © Ravi Sandhu both sides compute the same value each side uses its own private value and the other sides public value 52
SSL HANDSHAKE: POST PHASE 3 CRYPTOGRAPHIC COMPUTATION PRF is composed of a sequence and nesting of HMACs © Ravi Sandhu 53
SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol © Ravi Sandhu 54
SSL HANDSHAKE: PHASE 4 FINISH v Change Cipher Spec message Ø not considered part of handshake protocol but in some sense is part of it v Finished message Ø sent under new algorithms and keys Ø content is hash of all previous messages and master secret © Ravi Sandhu 55
SSL HANDSHAKE: PHASE 4 FINISH v Change Cipher Spec message Ø Ø 1 byte message protected by current state copies pending state to current state • • Ø © Ravi Sandhu sender copies write pending state to write current state receiver copies read pending state to read current state immediately send finished message under new current state 56
SSL HANDSHAKE: PHASE 4 FINISH Finished message © Ravi Sandhu 57
SSL ALERT PROTOCOL v 2 byte alert messages Ø 1 byte level • Ø 1 • © Ravi Sandhu fatal or warning byte alert code 58
SSL ALERT MESSAGES © Ravi Sandhu 59
SSL ALERT MESSAGES v always fatal Ø unexpected_message Ø bad_record_mac Ø decompression_failure Ø handshake_failure Ø illegal_parameter © Ravi Sandhu 60
SERVER-SIDE SSL (OR 1 -WAY) HANDSHAKE WITH RSA Handshake Protocol Record Protocol © Ravi Sandhu 61
SERVER-SIDE MASQUARADING Bob Web browser Server-side SSL www. host. com Web server Ultratrust Security Services www. host. com © Ravi Sandhu 62
SERVER-SIDE MASQUARADING Bob Web browser Server-side SSL BIMM Corporation www. host. com Web server Server-side SSL Mallory’s Web server Ultratrust Security Services www. host. com © Ravi Sandhu 63
SERVER-SIDE MASQUARADING Bob Web browser Server-side SSL www. host. com Web server Server-side SSL BIMM Corporation Ultratrust Security Services www. host. com © Ravi Sandhu Mallory’s Web server Ultratrust Security Services www. host. com 64
CLIENT-SIDE SSL (OR 2 -WAY) HANDSHAKE WITH RSA Handshake Protocol Record Protocol © Ravi Sandhu 65
MAN IN THE MIDDLE MASQUARADING PREVENTED Ultratrust Security Services Bob Web browser Client Side SSL end-to-end www. host. com Web server Bob Client-side SSL Ultratrust Security Services Client-side SSL BIMM Corporation www. host. com Ultratrust Security Services www. host. com © Ravi Sandhu Mallory’s Web server Ultratrust Security Services Bob 66
SSL v Deployed in broken form v Guardian of e-commerce v World’s most successful crypto protocol © Ravi Sandhu 67
- Clark-wilson model
- Winkle sandhu
- Contoh komunikasi high context dan low context
- Nonagist
- High context vs low context culture ppt
- Constancy under negation examples
- Catabolisim
- Perifeerse neuropaatia ravi
- Ravi zaccharias
- Dr anita ravi
- Ravinin adaleti ile ilgili tenkit noktaları
- The matrix industry society
- Ravi vaswani
- Ravi sinha iit bombay
- Ravi credit card
- Ere vasli
- Kumar satish ravi
- Dermatofüütia
- Kindlustamata isikute ravi
- Ravi sayısına göre hadisler
- Ravi micro
- Ravi patki
- Ravi rajapakse
- Ravi chandra cisco
- Bruksismi ravi
- Handful of rice characters
- Ravi and minu architects
- Kurttummus ravi
- Ravi kumar kopparapu
- Ravi agarwal md
- Ravi kumar sacramento
- Ravi kandhadai madhavan
- Describe the beggar of a gift of chappals
- Indentation gonioscopy
- Ravi raj sagar
- Senedin müntehası
- Praktik ssl
- Ssl labs cipher strength 100
- Cisco ssl appliance 1500
- Nsx-t ssl passthrough
- Symantec ssl decryption
- Ssl vpn wiki
- Axgate 2300
- Fidelis ssl decryption
- Ssl certificate strand
- Rfc ssl
- Ssl orchestrator
- Resign-as-untrusted
- "symantec certificate"
- Ncsu vpn
- Fortinet vpn 漏洞
- Ssl iv
- Web security using ssl
- Ssl opportunities
- Ssl pfp
- Oracle cloud ipsec vpn
- Ssl windows 11
- Ipsec vs ssl
- Ssl inspection gdpr
- Solid-state lighting (ssl)
- In the ssl record protocol operation pad_2 is
- Web security ssl
- Public key infrastructure
- Vpn ssl cea
- Ssl information security
- Ssh ssl tls
- Rm osi
- Higher layer ssl protocol