SSL Prof Ravi Sandhu SECURE SOCKETS LAYER SSL
- Slides: 45
SSL Prof. Ravi Sandhu
SECURE SOCKETS LAYER (SSL) v layered on top of TCP v SSL versions 1. 0, 2. 0, 3. 1 v Netscape protocol v later refitted as IETF standard TLS (Transport Layer Security) v TLS 1. 0 very close to SSL 3. 1 © Ravi Sandhu 2002 2
SECURE SOCKETS LAYER (SSL) v application protocol independent v does not specify how application protocols add security with SSL Ø how to initiate SSL handshaking Ø how to interpret certificates v left to designers of upper layer protocols to figure out © Ravi Sandhu 2002 3
SSL ARCHITECTURE SSL Change SSL Handshake Cipher Spec Alert Protocol Other HTTP Application Protocols SSL Record Protocol TCP IP © Ravi Sandhu 2002 4
SSL ARCHITECTURE v Handshake protocol: complicated Ø Ø v Record protocol: straightforward Ø v fragment, compress, MAC, encrypt Change Cipher Spec protocol: straightforward Ø Ø v embodies key exchange & authentication 10 message types single 1 byte message with value 1 could be considered part of handshake protocol Alert protocol: straightforward Ø 2 byte messages • © Ravi Sandhu 2002 1 byte alert level- fatal or warning; 1 byte alert code 5
SSL/TLS DIFFERENCES TLS uses HMAC, SSL uses a precursor v TLS MAC covers compression version field in addition to what SSL MAC covers v TLS defines additional alert codes v other minor differences v TLS has a mode to fall back to SSL v © Ravi Sandhu 2002 6
SSL SERVICES v peer entity authentication v data confidentiality v data authentication and integrity v compression/decompression v generation/distribution of session keys Ø integrated v security © Ravi Sandhu 2002 into protocol parameter negotiation 7
SSL SESSIONS AND CONNECTIONS v Every connection is associated with one session v Session can be reused across multiple secure connections v Handshake protocol Ø establishes new session and connection together Ø uses existing session for new connection © Ravi Sandhu 2002 8
SSL SESSION v SSL session negotiated by handshake protocol Ø session ID • Ø X. 509 public-key certificate of peer • Ø Ø • encryption algorithm message digest algorithm master secret • Ø possibly null compression algorithm cipher spec • Ø chosen by server 48 byte shared secret is resumable flag • © Ravi Sandhu 2002 can be used to initiate new connections 9
SSL CONNECTION STATE v v v connection end: client or server client and server random: 32 bytes each keys generated from master secret, client/server random Ø Ø Ø v v v client_write_MAC_secret server_write_MAC_secret client_write_key server_write_key client_write_IV server_write_IV compression state cipher state: initially IV, subsequently next feedback block sequence number: starts at 0, max 264 -1 © Ravi Sandhu 2002 10
SSL CONNECTION STATE v 4 parts to state Ø Ø v current read state current write state pending read state pending write state handshake protocol Ø Ø initially current state is empty either pending state can be made current and reinitialized to empty © Ravi Sandhu 2002 11
SSL RECORD PROTOCOL v 4 steps by sender (reversed by receiver) Ø Fragmentation Ø Compression Ø MAC Ø Encryption © Ravi Sandhu 2002 12
SSL RECORD PROTOCOL v each SSL record contains Ø content type: 8 bits, only 4 defined • • Ø Ø change_cipher_spec alert handshake application_data protocol version number: 8 bits major, 8 bits minor length: max 16 K bytes (actually 214+2048) data payload: optionally compressed and encrypted message authentication code (MAC) © Ravi Sandhu 2002 13
SSL HANDSHAKE PROTOCOL v initially SSL session has null compression and cipher algorithms v both are set by the handshake protocol at beginning of session v handshake protocol may be repeated during the session © Ravi Sandhu 2002 14
SSL HANDSHAKE PROTOCOL v Type: Ø 10 1 byte message types defined v length: 3 bytes v content © Ravi Sandhu 2002 15
SSL HANDSHAKE PROTOCOL © Ravi Sandhu 2002 16
SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol © Ravi Sandhu 2002 17
SSL HANDSHAKE PROTOCOL v Phase 1: Ø Establish v Phase 2: Ø Server v Phase authentication and key exchange 3: Ø Client v Phase security capabilities authentication and key exchange 4: Ø Finish © Ravi Sandhu 2002 18
SSL 1 -WAY HANDSHAKE WITH RSA Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol © Ravi Sandhu 2002 19
SSL 2 -WAY HANDSHAKE WITH RSA Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol © Ravi Sandhu 2002 20
SSL HANDSHAKE PROTOCOL these 9 handshake messages must occur in order shown v optional messages can be eliminated v 10 th message explained later v Ø v hello_request message change_cipher_spec is a separate 1 message protocol Ø functionally it is just like a message in the handshake protocol © Ravi Sandhu 2002 21
SSL HANDSHAKE PROTOCOL © Ravi Sandhu 2002 22
SSL HANDSHAKE PROTOCOL hello_request (not shown) can be sent anytime from server to client to request client to start handshake protocol to renegotiate session when convenient v can be ignored by client v Ø Ø if already negotiating a session don’t want to renegotiate a session • © Ravi Sandhu 2002 client may respond with a no_renegotiation alert 23
SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol © Ravi Sandhu 2002 24
SSL HANDSHAKE: PHASE 1 ESTABLISH SECURITY CAPABILITIES v client hello Ø Ø 4 byte timestamp, 28 byte random value session ID: • non-zero for new connection on existing session zero for new connection on new session client version: highest version cipher_suite list: ordered list compression list: ordered list • Ø Ø Ø © Ravi Sandhu 2002 25
SSL HANDSHAKE: PHASE 1 ESTABLISH SECURITY CAPABILITIES v server hello Ø Ø 32 byte random value session ID: • Ø version • Ø Ø new or reuse lower of client suggested and highest supported cipher_suite list: single choice compression list: single choice © Ravi Sandhu 2002 26
SSL HANDSHAKE: PHASE 1 ESTABLISH SECURITY CAPABILITIES v cipher suite Ø key exchange method • • • © Ravi Sandhu 2002 RSA: requires receiver’s public-key certificates Fixed DH: requires both sides to have public-key certificates Ephemeral DH: signed ephemeral keys are exchanged, need signature keys and public-key certificates on both sides Anonymous DH: no authentication of DH keys, susceptible to man-in-the-middle attack Fortezza: Fortezza key exchange we will ignore Fortezza from here on 27
SSL HANDSHAKE: PHASE 1 ESTABLISH SECURITY CAPABILITIES v cipher suite Ø cipher spec • • © Ravi Sandhu 2002 Cipher. Algorithm: RC 4, RC 2, DES, 3 DES, DES 40, IDEA, Fortezza MACAlgorithm: MD 5 or SHA-1 Cipher. Type: stream or block Is. Exportable: true or false Hash. Size: 0, 16 or 20 bytes Key Material: used to generate write keys IV Size: size of IV for CBC 28
SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol © Ravi Sandhu 2002 29
SSL HANDSHAKE: PHASE 2 SERVER AUTHENTICATION & KEY EXCHANGE v Certificate message Ø Ø v server’s X. 509 v 3 certificate followed by optional chain of certificates required for RSA, Fixed DH, Ephemeral DH but not for Anonymous DH Server Key Exchange message Ø Ø Ø not needed for RSA, Fixed DH needed for Anonymous DH, Ephemeral DH needed for RSA where server has signature-only key • © Ravi Sandhu 2002 server sends temporary RSA public encryption key to client 30
SSL HANDSHAKE: PHASE 2 SERVER AUTHENTICATION & KEY EXCHANGE v Server Key Exchange message Ø Ø signed by the server signature is on hash of • • v Certificate Request message Ø Ø request a certificate from client specifies Certificate Type and Certificate Authorities • v Client. Hello. random, Server. Hello. random Server Key Exchange parameters certificate type specifies public-key algorithm and use Server Done message Ø ends phase 2, always required © Ravi Sandhu 2002 31
SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol © Ravi Sandhu 2002 32
SSL HANDSHAKE: PHASE 3 CLIENT AUTHENTICATION & KEY EXCHANGE v Certificate message Ø send if server has requested certificate and client has appropriate certificate • v Client Key Exchange message Ø v otherwise send no_certificate alert content depends on type of key exchange (see next slide) Certificate Verify message Ø Ø Ø can be optionally sent following a client certificate with signing capability signs hash of master secret (established by key exchange) and all handshake messages so far provides evidence of possessing private key corresponding to certificate © Ravi Sandhu 2002 33
SSL HANDSHAKE: PHASE 3 CLIENT AUTHENTICATION & KEY EXCHANGE v Client Key Exchange message Ø RSA client generates 48 -byte pre-master secret, encrypts with server’s RSA public key (from server certificate or temporary key from Server Key Exchange message) Ephemeral or Anonymous DH • client’s public DH value • Ø Ø Fixed DH • © Ravi Sandhu 2002 null, public key previously sent in Certificate Message 34
SSL HANDSHAKE: POST PHASE 3 CRYPTOGRAPHIC COMPUTATION v 48 byte pre master secret Ø RSA • • generated by client sent encrypted to server Ø DH • • © Ravi Sandhu 2002 both sides compute the same value each side uses its own private value and the other sides public value 35
SSL HANDSHAKE: POST PHASE 3 CRYPTOGRAPHIC COMPUTATION PRF is composed of a sequence and nesting of HMACs © Ravi Sandhu 2002 36
SSL HANDSHAKE PROTOCOL Phase 1 Phase 2 Phase 3 Phase 4 Record Protocol © Ravi Sandhu 2002 37
SSL HANDSHAKE: PHASE 4 FINISH v Change Cipher Spec message Ø not considered part of handshake protocol but in some sense is part of it v Finished message Ø sent under new algorithms and keys Ø content is hash of all previous messages and master secret © Ravi Sandhu 2002 38
SSL HANDSHAKE: PHASE 4 FINISH v Change Cipher Spec message Ø Ø 1 byte message protected by current state copies pending state to current state • • Ø sender copies write pending state to write current state receiver copies read pending state to read current state immediately send finished message under new current state © Ravi Sandhu 2002 39
SSL HANDSHAKE: PHASE 4 FINISH Finished message © Ravi Sandhu 2002 40
SSL ALERT PROTOCOL v 2 byte alert messages Ø 1 byte level • Ø 1 • © Ravi Sandhu 2002 fatal or warning byte alert code 41
SSL ALERT MESSAGES © Ravi Sandhu 2002 42
SSL ALERT MESSAGES v always fatal Ø unexpected_message Ø bad_record_mac Ø decompression_failure Ø handshake_failure Ø illegal_parameter © Ravi Sandhu 2002 43
APPLICATIONS AND SSL v use dedicated port numbers for every application that uses SSL Ø de facto what is happening v use normal application port and negotiate security options as part of application protocol v negotiate use of SSL during normal TCP/IP connection establishment © Ravi Sandhu 2002 44
APPLICATION PORTS OFFICIAL AND UNOFFICIAL https v ssmtp v snntp v sldap v spop 3 v © Ravi Sandhu 2002 443 465 563 636 995 ftp-data v ftps v imaps v telnets v ircs v 889 990 991 992 993 45
Dr ravi sandhu
Secure socket layer and transport layer security
Secure socket layer and transport layer security
Secure socket layer and transport layer security
Secure socket layer and transport layer security
Secure sockets
Winkle sandhu
Rm osi
Higher layer ssl protocol
Secure socket layer adalah
Layer 2 e layer 3
Fig 19
Layer 2 vs layer 3 bitstream
Layer-by-layer assembly
Pharynx
Presentation layer functions
Datacenter fabric
What is a socket
Socket primitives in computer networks
D3azeg_clwi -site:youtube.com
Tcp/ip sockets in java: practical guide for programmers
Berkeley sockets
Tanenbaum linux
Reliable datagram sockets
Sockets and threads
Functions of steering
Raw socket in networking
Censer
Tcp/ip sockets in c
Cleanroom 380v sockets
Sockets direct protocol
Raw sockets
Tcp ip sockets in c
Ravi kumar kopparapu
Ravi micro
Söömishäirete ravi tallinnas
Kumar satish ravi
Ravikindlustamata isikute ravi
Ravi chandra cisco
Ravi raj sagar
Ravi patki
Ravi rajapakse
Gmail
Ravi type 240 characters
Kurttummus ravi
Ravi kandhadai madhavan
