
Secure Socket Layer

Jan 03, 2016


Adrian Gonzales

Page 1: Secure Socket Layer

Secure Socket Layer

• Originally by Yu Yang and Lilly Wang
• Modified by T. A. Yang

Page 2: Secure Socket Layer

Agenda

• SSL Basics
• WTLS

Page 3: Secure Socket Layer

SSL Facts

• SSL was first developed by Netscape in 1994 and became an internet standard in 1996 (RFC 2246 – TLS V1.0)
• SSL is a cryptographic protocol that secures network communication across a connection-oriented layer
• Any program using TCP can be modified to use an SSL connection

Page 4: Secure Socket Layer

SSL Facts

• An SSL connection uses a dedicated TCP/IP socket (e.g. port 443 for https)
• SSL is flexible in the choice of which symmetric encryption, message digest, and authentication can be used
• SSL provides built-in data compression

Page 5: Secure Socket Layer

SSL Usage

• Authenticate the server to the client
• Allow the client and the server to select cryptographic algorithms, or ciphers, that they both support
• Optionally authenticate the client to the server
• Use public key encryption techniques to generate a shared secret
• Establish an encrypted SSL connection

Page 6: Secure Socket Layer

Secure Socket Layer

SSL is a secure protocol which runs above TCP/IP and allows users to encrypt data and to securely authenticate a server’s (or a vendor’s) identity

[Figure: layer diagram showing the Secure Socket Layer between the application layer (SMTPS, FTPS, HTTPS) and the transport layer (TCP/IP layer).]

Page 7: Secure Socket Layer

SSL Stack

Page 8: Secure Socket Layer

SSL Record Protocol Operation

Page 9: Secure Socket Layer

SSL Record Format

Page 10: Secure Socket Layer

SSL Handshake

SSL handshake verifies the server and allows the client and the server to agree on an encryption set before any data is sent out

Page 11: Secure Socket Layer

SSL Handshake

Page 12: Secure Socket Layer

SSL Handshake

[Figure: client and server; the server holds a public key and a private key. Labels: client request, public key.]

Page 13: Secure Socket Layer

SSL Session Key

[Figure: client and server; the server holds a public key and a private key. Labels: public key, pre-master, session key on both sides.]

Page 14: Secure Socket Layer

Secure Data on Network

[Figure: client and server; the server holds a public key and a private key. Labels: data, session key.]

Page 15: Secure Socket Layer

Man-in-the-Middle Attack

[Figure: a hacker between client and server, with its own public key and private key. Labels: public key, pre-master, session key.]

Page 16: Secure Socket Layer

Key exchange and certificate

Client to server:
• SSL version number supported by the client (v2, v3)
• Ciphers supported by the client (DES, RC2, RC4)
• Client Random Number

Server to client:
• SSL version number picked by the server (v2, v3)
• Ciphers picked by the server (DES, RC2, RC4)
• Server Random Number
• Certificate (public key)

[Figure: client and server; the server holds a public key and a private key.]

Page 17: Secure Socket Layer

Verify Certificate

[Figure: client and server; the server holds a public key and a private key. Labels: client request, certificate, checking, valid, public key.]

• Certificate is Good and Valid
• Server/vendor has been verified and authenticated
• Client has vendor’s public key and can now encrypt pre-master to send to server/vendor

Page 18: Secure Socket Layer

Not-recognizable Certificate

Page 19: Secure Socket Layer

SSL Handshake

• The TLS Handshake Protocol involves the following steps:
  - Exchange hello messages to agree on algorithms, exchange random values, and check for session resumption.
  - Exchange the necessary cryptographic parameters to allow the client and server to agree on a premaster secret.
  - Exchange certificates and cryptographic information to allow the client and server to authenticate themselves.
  - Generate a master secret from the premaster secret and exchanged random values.
  - Provide security parameters to the record layer.
  - Allow the client and server to verify that their peer has calculated the same security parameters and that the handshake occurred without tampering by an attacker.

Page 20: Secure Socket Layer

SSL Handshake

1. Client hello
2. Server hello
   Present Server Certificate
   *Request Client Certificate
   Server Key Exchange
3. Client Finish
   *Present Client Certificate
   Client Key Exchange
   *Certificate Verify
   Change Cipher Spec
4. Server Finish
   Change Cipher Spec

[Figure: the messages above drawn between Client and Server, followed by Application Data.]

Page 21: Secure Socket Layer

Client Hello

• Sent by the client
  – When first connecting to a server
  – In response to a hello request or on its own
• Contains
  – 32 bytes random number created by a secure random number generator
  – Protocol version
  – Session ID
  – A list of supported ciphers
  – A list of compression methods

Page 22: Secure Socket Layer

Server Hello

• Sent as response if client hello is accepted
  – If not, a handshake failure alert is sent
• Contains
  – 32 bytes random number created by a secure random number generator
  – Protocol version
  – Session ID
  – Cipher suite chosen
  – Compression method selected

Page 23: Secure Socket Layer

Server Certificates

• Immediately following the server hello, the server sends its certificate
  – Generally an X.509 v3 certificate
• Server sends server hello done message, indicating that the hello-message phase of the handshake is complete

Page 24: Secure Socket Layer

Verify Server Certificate

Page 25: Secure Socket Layer

Client Certificate (optional)

Client only sends a certificate upon the receipt of a certificate request
– Sends after receiving server hello done
– If the client does not have a suitable certificate, it sends a certificate message with no certificates.
  • Server will respond with a fatal handshake failure if a client certificate is necessary

Page 26: Secure Socket Layer

Key Exchange

• Client sends the 48-byte pre-master, encrypted using the server’s public key, to the server
• Both server and client use the pre-master to generate the master secret
• The same session key is generated on both client and server side using the master secret

Page 27: Secure Socket Layer

Final Steps

• Client sends change_cipher_spec
• Client sends finished message
• Server sends change_cipher_spec
• Server sends finished message

Page 28: Secure Socket Layer

SSL Architecture

Page 29: Secure Socket Layer

Record Layer

• Compression and decompression
• A MAC is applied to each record using the MAC algorithm defined in the current cipher spec
• Encryption occurs after compression
• May need fragmentation

Page 30: Secure Socket Layer

SSL Architecture

Page 31: Secure Socket Layer

Alert Layer

• Explain severity of the message and a description
  – fatal
    • Immediate termination
    • Other connections in session may continue
    • Session ID invalidated to prevent the failed session from opening new sessions
• Alerts are compressed the same as other data

Page 32: Secure Socket Layer

SSL Architecture

Page 33: Secure Socket Layer

Change Cipher Spec Protocol

• Notify the other party to use the new cipher suite
• Before the Finished message

Page 34: Secure Socket Layer

Comparison of SSL V2.0 and V3.0

• SSL 2.0 is vulnerable to “man-in-the-middle” attack. The hello message can be modified to use 40-bit encryption.
• SSL 3.0 defends against this attack by having the last handshake message include a hash of all the previous handshake messages
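
Added example (not part of the original slides): the master-secret derivation from the "Key Exchange" slide and the Finished-message check described above, using the TLS 1.0 formulas of RFC 2246, which the deck cites; SSL 3.0 binds the handshake transcript the same way with a different hash construction. The handshake byte strings, random values and pre-master below are constructed stand-ins, not real wire encodings.

```python
import hashlib
import hmac

def p_hash(name, secret, seed, n):
    """RFC 2246 P_hash: expand secret and seed into n bytes with HMAC."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, name).digest()  # HMAC(secret, A(i) + seed)
    return out[:n]

def prf(secret, label, seed, n):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA-1 over the second."""
    half = (len(secret) + 1) // 2
    md5 = p_hash("md5", secret[:half], label + seed, n)
    sha = p_hash("sha1", secret[-half:], label + seed, n)
    return bytes(x ^ y for x, y in zip(md5, sha))

def master_secret(pre_master, client_random, server_random):
    """48-byte master secret from the pre-master and both hello randoms."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def finished(master, label, handshake_messages):
    """12-byte verify_data bound to a hash of every handshake message so far."""
    transcript = b"".join(handshake_messages)
    digest = hashlib.md5(transcript).digest() + hashlib.sha1(transcript).digest()
    return prf(master, label, digest, 12)

# Constructed sample handshake (labelled stand-ins).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x01" + bytes(46)           # 48 bytes, fixed only for the demo
HELLO = b"ClientHello ciphers=RC4-128,DES,RC4-40"
DOWNGRADED = b"ClientHello ciphers=RC4-40"     # the hello as rewritten in transit
REST = [b"ServerHello cipher=RC4-40", b"Certificate", b"ClientKeyExchange"]

def downgrade_detected():
    """True when the client's Finished fails against the server's transcript."""
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    sent = finished(ms, b"client finished", [HELLO] + REST)           # client's view
    expected = finished(ms, b"client finished", [DOWNGRADED] + REST)  # server's view
    return not hmac.compare_digest(sent, expected)

if __name__ == "__main__":
    print("hello tampering detected:", downgrade_detected())
```

Because verify_data is keyed with the master secret, a party that only relays and rewrites messages cannot recompute it for the altered transcript.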

Page 35: Secure Socket Layer

Comparison of SSL V2.0 and V3.0

• SSL 2.0 uses a weak MAC construction
• In SSL 3.0, the Message Authentication Hash uses a full 128 bits of key material for Export cipher+, while SSL 2.0 uses only 40 bits

+ See http://en.wikipedia.org/wiki/Export_of_cryptography

Page 36: Secure Socket Layer

Comparison of SSL V2.0 and V3.0

• SSL 2.0 only allows a handshake at the beginning of the connection. In 3.0, the client can initiate a handshake routine any time
• SSL 3.0 allows server and client to send chains of certificates
• SSL 3.0 has a generalized key exchange protocol. It allows Diffie-Hellman and Fortezza key exchange
• SSL 3.0 allows for record compression and decompression

Page 37: Secure Socket Layer

Problem Free?

• Side channel attack – any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms (compare cryptanalysis). See http://en.wikipedia.org/wiki/Side_channel_attack for details.
• Information leak in encrypted connections. Vulnerable OpenSSL versions do not perform a MAC computation if an incorrect block cipher padding is used. An active attacker who can insert data into an existing encrypted connection is then able to measure time differences between the error messages the server sends. This information can make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext.
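
Added example (not from the slides and not OpenSSL's code): a receive-side check of a decrypted MAC-then-encrypt record, showing the early-return behaviour described above beside a hardened version. The record layout is simplified (the MAC covers only the data, with no sequence number or header), the key and records are constructed, and the MAC call counter is a stand-in for observable processing time.

```python
import hashlib
import hmac

MAC_LEN = 20                      # HMAC-SHA1 tag length
KEY = b"constructed-mac-key"      # constructed key for the demo
MAC_CALLS = [0]                   # counts MAC computations per check

def mac(key, data):
    MAC_CALLS[0] += 1
    return hmac.new(key, data, hashlib.sha1).digest()

def split_padding(plain):
    """TLS-style padding: pad_len copies of pad_len, then the pad_len byte.
    Assumes len(plain) > MAC_LEN. Bad padding is treated as zero-length."""
    pad_len = plain[-1]
    ok = (pad_len + 1 <= len(plain) - MAC_LEN
          and all(b == pad_len for b in plain[-(pad_len + 1):]))
    return (plain[:-(pad_len + 1)] if ok else plain[:-1]), ok

def check_vulnerable(key, plain):
    """Bad padding returns before any MAC work, with its own alert."""
    body, ok = split_padding(plain)
    if not ok:
        return "decryption_failed"
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return "ok" if mac(key, data) == tag else "bad_record_mac"

def check_hardened(key, plain):
    """Always compute the MAC, compare in constant time, report one alert."""
    body, ok = split_padding(plain)
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(mac(key, data), tag)
    return "ok" if (ok and mac_ok) else "bad_record_mac"

def record(data, pad_len, corrupt_pad=False, corrupt_mac=False):
    """Build a constructed plaintext record: data + MAC + padding."""
    tag = hmac.new(KEY, data, hashlib.sha1).digest()
    if corrupt_mac:
        tag = bytes([tag[0] ^ 1]) + tag[1:]
    pad = bytes([pad_len]) * (pad_len + 1)
    if corrupt_pad:
        pad = bytes([pad[0] ^ 1]) + pad[1:]
    return data + tag + pad

def observe(check, plain):
    """Return (alert, number of MAC computations) for one record."""
    MAC_CALLS[0] = 0
    return check(KEY, plain), MAC_CALLS[0]
```

An equal MAC count and a single alert remove the distinction the slide describes; they do not by themselves prove the whole record path runs in constant time.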

Page 38: Secure Socket Layer

Wireless Transport Layer Security

• Part of the WAP (wireless application protocol) standard

Page 39: Secure Socket Layer

WTLS Overview

Page 40: Secure Socket Layer

WTLS Facts

• Mainly used to secure data transport between wireless device and gateway
• Built on top of datagram (UDP) instead of TCP
• WTLS provides full, optimized and abbreviated handshakes to reduce roundtrips in high-latency networks

Page 41: Secure Socket Layer

WTLS Facts

• WTLS uses different formats of certificates, mainly WTLS certificate, X509v1 and 968. It also supports additional cipher suites, such as RC5, short hashes, ECC, etc.
• WTLS provides a built-in key-refresh mechanism for renegotiation
• WTLS can also set a session as resumable to continue on a previous session
