CSE 484 / CSE M 584: Computer Security and Privacy
SSL/TLS
Fall 2016
Ada (Adam) [email protected]
Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

We have all the pieces!
• Symmetric Encryption (privacy!)
• MACs (integrity!)
• Asymmetric Crypto (bootstrapping!)
• Certificate Authorities (authenticity!)
11/4/16 CSE 484 / CSE M 584 - Fall 2016

SSL/TLS
• Secure Sockets Layer and Transport Layer Security
  – Same protocol, new version (TLS is current)
• De facto standard for Internet security
  – “The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications”
• Deployed in every Web browser; also VoIP, payment systems, distributed systems, etc.

SSL/TLS
• TLS is typically used on top of a TCP connection
  [Figure: TLS in the protocol stack]
• Can be used over other transport protocols

TLS Basics
• TLS consists of two protocols
  – Familiar pattern for key exchange protocols
• Handshake protocol
  – Use public-key cryptography to establish a shared secret key between the client and the server
• Record protocol
  – Use the secret symmetric key established in the handshake protocol to protect communication between the client and the server

Basic Handshake Protocol

C → S: ClientHello

Client announces (in plaintext):
• Protocol version it is running
• Cryptographic algorithms it supports
• Fresh, random number

Basic Handshake Protocol

C → S: C, version_c, suites_c, N_c
S → C: ServerHello

Server responds (in plaintext) with:
• Highest protocol version supported by both the client and the server
• Strongest cryptographic suite selected from those offered by the client
• Fresh, random number

Basic Handshake Protocol

C → S: C, version_c, suites_c, N_c
S → C: version_s, suite_s, N_s, ServerKeyExchange

Server sends its public-key certificate containing either its RSA or its Diffie-Hellman public key (depending on the chosen crypto suite)

Basic Handshake Protocol

C → S: C, version_c, suites_c, N_c
S → C: version_s, suite_s, N_s, certificate, “ServerHelloDone”
C → S: ClientKeyExchange

The client generates secret key material and sends it to the server encrypted with the server’s public key (if using RSA)

Basic Handshake Protocol

C → S: C, version_c, suites_c, N_c
S → C: version_s, suite_s, N_s, certificate, “ServerHelloDone”
C → S: {secret_c}PK_s if using RSA

C and S share secret key material (secret_c) at this point; both sides switch to keys derived from secret_c, N_c, N_s

C → S: Finished
S → C: Finished
(the Finished messages cover the record of all sent and received handshake messages)

“Core” SSL 3.0 Handshake (Not TLS)

C → S: C, version_c = 3.0, suites_c, N_c
S → C: version_s = 3.0, suite_s, N_s, certificate, “ServerHelloDone”
C → S: {secret_c}PK_s if using RSA

C and S share secret key material (secret_c) at this point; both sides switch to keys derived from secret_c, N_c, N_s

C → S: Finished
S → C: Finished

Version Rollback Attack

C → S: C, version_c = 2.0, suites_c, N_c
S → C: version_s = 2.0, suite_s, N_s, certificate, “ServerHelloDone”
C → S: {secret_c}PK_s if using RSA

C and S end up communicating using SSL 2.0 (a weaker, earlier version of the protocol that does not include “Finished” messages)
Server is fooled into thinking it is communicating with a client that supports only SSL 2.0

“Chosen-Protocol” Attacks
• Why do people release new versions of security protocols? Because the old version got broken!
• New version must be backward-compatible
  – Not everybody upgrades right away
• Attacker can fool someone into using the old, broken version and exploit known vulnerability
  – Similar: fool victim into using weak crypto algorithms
• Defense is hard: must authenticate version in early designs
• Many protocols have had “version rollback” attacks
  – SSL, SSH, GSM (cell phones)

Version Check in SSL 3.0

C → S: C, version_c = 3.0, suites_c, N_c
S → C: version_s = 3.0, suite_s, N_s, certificate for PK_s, “ServerHelloDone”
C → S: {version_c, secret_c}PK_s

“Embed” version number into secret
Check that received version is equal to the version in ClientHello
C and S share secret key material secret_c at this point; both sides switch to key derived from secret_c, N_c, N_s
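
Added example (not from the slides): a Python model of the version check above. It assumes a stand-in for RSA encryption under PK_s and a toy HMAC key derivation; run_handshake(True) plays a network attacker who rewrites the plaintext ClientHello version to 2.0 but cannot touch the encrypted ClientKeyExchange.

```python
import hashlib
import hmac
import secrets

SSL_2_0, SSL_3_0 = b"\x02\x00", b"\x03\x00"

def rsa_encrypt(pk_s, plaintext):
    # Stand-in for encryption under PK_s: the attacker can forward the blob
    # but can neither read nor alter what is inside (assumption of the model).
    return (pk_s, plaintext)

def rsa_decrypt(sk_s, blob):
    assert blob[0] == sk_s, "blob was not encrypted to this server's key"
    return blob[1]

def client_key_exchange(pk_s, version_c):
    # SSL 3.0 premaster secret: 2-byte client version || 46 random bytes.
    premaster = version_c + secrets.token_bytes(46)
    return rsa_encrypt(pk_s, premaster), premaster

def server_check_version(sk_s, version_seen_in_hello, blob):
    # The slide's check: the version embedded in the secret must equal the
    # version the server saw in the (plaintext, rewritable) ClientHello.
    premaster = rsa_decrypt(sk_s, blob)
    if premaster[:2] != version_seen_in_hello:
        raise ValueError("version rollback detected")
    return premaster

def derive_key(premaster, n_c, n_s):
    # Toy stand-in for deriving session keys from secret_c, N_c, N_s.
    return hmac.new(premaster, n_c + n_s, hashlib.sha256).digest()

def run_handshake(attacker_rewrites_hello):
    pk_s = sk_s = "server-key-id"   # toy key pair id, constructed for the example
    n_c, n_s = secrets.token_bytes(32), secrets.token_bytes(32)
    version_c = SSL_3_0             # the version the client really runs
    # ClientHello is plaintext, so a network attacker can change its version.
    seen = SSL_2_0 if attacker_rewrites_hello else version_c
    blob, client_premaster = client_key_exchange(pk_s, version_c)
    try:
        server_premaster = server_check_version(sk_s, seen, blob)
    except ValueError:
        return "aborted"
    if derive_key(server_premaster, n_c, n_s) != derive_key(client_premaster, n_c, n_s):
        return "key mismatch"
    return "ok"
```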

Web Security! Big Picture: Browser and Network

[Figure: Browser on top of OS and Hardware; website request goes out to the Network, reply comes back]

The browser renders or executes arbitrary HTML, CSS, and Javascript sent by hosts on the Internet.

Where Does the Attacker Live?

[Figure: Browser, OS, Hardware, Network; website request and reply. Three attacker positions are marked: Web attacker, Network attacker, Malware attacker]

All of These Should Be Safe
• Safe to visit an evil website
• Safe to visit two pages at the same time
• Safe delegation

Building Blocks of the Web (and Web Security)
• HTTP(S)
• Cookies

HTTP: HyperText Transfer Protocol
• Application layer protocol used by browsers and web servers
• Stateless request/response protocol
  – Each request is independent of previous requests
  – Statelessness has a significant impact on design and implementation of applications

HTTP Request

GET /default.asp HTTP/1.0
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Connection: Keep-Alive
If-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMT

Request line: Method, File, HTTP version; then Headers; then a blank line; then Data – none for GET

HTTP Response

HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Content-Length: 2543

<HTML> Some data... blah, blah, blah </HTML>

Status line: HTTP version, Status code, Reason phrase; then Headers; then a blank line; then Data

HTTP Verbs
• HTTP declares a number of “verbs” that clients can use to request or provide information
  – GET asks for a resource
  – POST sends information
  – HEAD gets metadata (headers) for a resource
  – Also: PUT, DELETE, TRACE, OPTIONS, CONNECT, PATCH

HTTP Resources
• URL stands for Uniform Resource Locator
• Specifies the location of a resource on a network – what server is it on, where is it on that server?
• Resources could include HTML pages, images, data, etc.

HTTP Verbs
• HTTP declares a number of “verbs” that clients can use to request or provide information
  – GET asks for a resource (Give me this image)
  – POST sends information (I want to log in)
  – HEAD gets metadata (headers) for a resource
  – Also: PUT, DELETE, TRACE, OPTIONS, CONNECT, PATCH

Cookies – Statefulness for HTTP

A cookie is a file created by a website to store information in the browser
HTTP is a stateless protocol; cookies add state

Browser → Server: POST login.cgi (username and pwd)
Server → Browser: HTTP header: Set-cookie: userID=Alice;
Browser → Server: GET restricted.html, with Cookie: userID=Alice

Cookie Format
• Cookies are just KEY=VALUE pairs, e.g.,
  – language=ENGLISH
  – userID=Alice
  – sessionID=8113d906-62e8-49e1-80e1-65805cb51cab
  – adID=9c740c60-8d88-4da6-bb83-041e95c1efac

Cookies – Statefulness for HTTP

A cookie is a file created by a website to store information in the browser
HTTP is a stateless protocol; cookies add state

Browser → Server: POST login.cgi (username and pwd)
Server → Browser: HTTP header: Set-cookie: NAME=VALUE; domain=(who can read); expires=(when expires); secure=(send only over HTTPS)
Browser → Server: GET restricted.html, with Cookie: NAME=VALUE

If expires=NULL, this session only
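
Added example (not from the slides): a toy browser cookie jar in Python that parses the Set-cookie attributes above (domain, expires, secure) and decides which cookies travel on a given request; the host names, values and dates are constructed for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

def parse_set_cookie(header, setting_host):
    # Parse "NAME=VALUE; domain=...; expires=...; secure" into a cookie record.
    # Without a domain attribute the cookie defaults to the host that set it.
    name_value, *attrs = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = name_value.partition("=")
    cookie = {"name": name, "value": value, "domain": setting_host.lower(),
              "expires": None, "secure": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "expires":
            cookie["expires"] = parsedate_to_datetime(val)
        elif key == "secure":
            cookie["secure"] = True
    return cookie

def cookie_header(jar, url, now):
    # Decide which stored cookies the browser attaches to a request for url.
    parts = urlsplit(url)
    host = parts.hostname.lower()
    sent = []
    for c in jar:
        if c["expires"] is not None and c["expires"] <= now:
            continue                                    # expired
        if c["secure"] and parts.scheme != "https":
            continue                                    # secure: HTTPS only
        if host != c["domain"] and not host.endswith("." + c["domain"]):
            continue                                    # another site's cookie
        sent.append(f"{c['name']}={c['value']}")
    return "; ".join(sent)

def end_session(jar):
    # expires=NULL means the cookie lives for this browser session only.
    return [c for c in jar if c["expires"] is not None]

NOW = datetime(2016, 11, 4, tzinfo=timezone.utc)  # lecture date; jar below is constructed
JAR = [
    parse_set_cookie("userID=Alice; domain=.bank.example; "
                     "expires=Sun, 04 Nov 2018 00:00:00 GMT; secure", "www.bank.example"),
    parse_set_cookie("sessionID=8113d906-62e8-49e1-80e1-65805cb51cab", "www.bank.example"),
    parse_set_cookie("adID=9c740c60-8d88-4da6-bb83-041e95c1efac; "
                     "expires=Thu, 18 Apr 1996 17:39:05 GMT", "www.bank.example"),
]
```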

What Are Cookies Used For?
• Personalization
  – Website remembers visitor preferences
  – language=ENGLISH
• Authentication
  – The cookie “proves” client is logged in
  – sessionID=8113d906-62e8...
• Tracking
  – Follow the user from site to site
  – adID=9c740c60-8d88…

Goals of Web Security
• Safely browse the Web
  – A malicious website cannot steal information from or modify legitimate sites or otherwise harm the user…
  – …even if visited concurrently with a legitimate site -- in a separate browser window, tab, or even iframe on the same web page
• Support secure Web applications
  – Applications delivered over the Web should have the same security properties we require for standalone applications

Two Sides of Web Security
• Web browser
  – Responsible for securely confining Web content presented by visited websites
• Web applications
  – Online merchants, banks, blogs, Google Apps…
  – Mix of server-side and client-side code
    • Server-side code written in PHP, Ruby, ASP, JSP… runs on the Web server
    • Client-side code written in JavaScript… runs in the Web browser
  – Many potential bugs: XSS, XSRF, SQL injection

Where Does the Attacker Live?

[Figure: Browser, OS, Hardware, Network; website request and reply; Web attacker, Network attacker, Malware attacker]

Attacker may control 1 or more domains or websites
Attacker gets to run Javascript and HTML code in the browser
Attacker can make malicious requests to web servers – can even use HTML/JS to make those requests from users’ browsers!

Web Attacker
• Controls a malicious website (attacker.com)
  – Can obtain a TLS certificate for attacker.com
• User visits attacker.com – why?
  – Phishing email, enticing content, search results, placed by an ad network, blind luck…
  – Or, attacker.com is embedded on another page – loading the friendly page loads content from attacker.com

Web Attacker

[Figure: browser loading www.attacker.com]

Javascript, or, Software Security for the Web!

<html>
…
<p> The script on this page is totally trustworthy
<script>
doSomethingEvil()
</script>
…
</html>

Browser receives content, displays HTML and executes scripts
A potentially malicious web page gets to execute some code on user’s machine!
[Figure: the page above served from www.attacker.com]

Browser Sandbox
• Goal: safely execute JavaScript code provided by a website
  – No/limited access to OS/network/filesystem/browser data.
  – No buffer overflows, no way to execute arbitrary native code, process isolation between tabs
  – Attacker shouldn’t be able to access data from other tabs or browser windows
  – attacker.com shouldn’t be able to access data from bank.com, even if you’re logged in

A Strawperson Attack

[Figure: www.attacker.com page containing an iframe of www.bank.com (e.g., balance: $500)]

www.attacker.com (the parent) cannot access HTML elements in the iframe (and vice versa).

Same-Origin Policy: DOM

Only code from same origin can access HTML elements on another site (or in an iframe).

[Figure: a www.example.com page framing www.example.com/iframe.html, and a www.evil.com page framing www.example.com/iframe.html]

www.example.com (the parent) can access HTML elements in the iframe (and vice versa).
www.evil.com (the parent) cannot access HTML elements in the iframe (and vice versa).

Same-Origin Policy

Website origin = (scheme, domain, port)

[Example thanks to Wikipedia.]
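
Added example (not from the slides): computing the (scheme, domain, port) origin in Python and applying it to the framing cases from the previous slide, plus default-port and scheme cases the slide does not show; the URLs are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    # Origin = (scheme, domain, port); an omitted port means the scheme's
    # default, so http://a.example and http://a.example:80 are one origin.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname.lower(), port)

def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)

def may_access_frame_dom(parent_url, frame_url):
    # The DOM rule from the slide: parent and iframe may touch each other's
    # HTML elements only when they share an origin; the path does not matter.
    return same_origin(parent_url, frame_url)

# Constructed cases: the two framings on the slide, then port and scheme
# variations (same host, different origin) that often surprise people.
CASES = [
    ("http://www.example.com/", "http://www.example.com/iframe.html"),
    ("http://www.evil.com/", "http://www.example.com/iframe.html"),
    ("http://www.example.com/", "http://www.example.com:80/iframe.html"),
    ("https://www.example.com/", "http://www.example.com/iframe.html"),
    ("http://www.example.com/", "http://www.example.com:8080/iframe.html"),
]

def evaluate(cases=CASES):
    # One verdict per (parent, frame) pair.
    return [may_access_frame_dom(parent, frame) for parent, frame in cases]
```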