SSL Trust Pitfalls Prof. Ravi Sandhu. 2 © Ravi Sandhu 2002 THE CERTIFICATE TRIANGLE user attributepublic-key X.509 identity certificate X.509 attribute.

SSL Trust Pitfalls

Prof. Ravi Sandhu

2© Ravi Sandhu 2002

THE CERTIFICATE TRIANGLE

user

attribute public-key

X.509identity

certificate

X.509attribute

certificate

SPKIcertificate

3© Ravi Sandhu 2002

SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA

Client Server ClientHello --------> ServerHello Certificate <-------- ServerHelloDone ClientKeyExchange [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data

RecordProtocol

HandshakeProtocol

4© Ravi Sandhu 2002

CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA

Client Server ClientHello --------> ServerHello Certificate CertificateRequest <-------- ServerHelloDone Certificate ClientKeyExchange CertificateVerify [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data

RecordProtocol

HandshakeProtocol

5© Ravi Sandhu 2002

SINGLE ROOT CA MODEL

RootCA

a b c d e f g h i j k l m n o p

RootCAUser

6© Ravi Sandhu 2002

SINGLE ROOT CAMULTIPLE RA’s MODEL

RootCA

a b c d e f g h i j k l m n o p

RootCA

User RA

User RA

User RA

7© Ravi Sandhu 2002

MULTIPLE ROOT CA’s MODEL

RootCA

a b c d e f g h i j k l m n o p

RootCAUser

RootCA

RootCA

RootCAUser

RootCAUser

8© Ravi Sandhu 2002

ROOT CA PLUS INTERMEDIATE CA’s MODEL

Z

X

Q

A

Y

R S T

C E G I K M O

a b c d e f g h i j k l m n o p

9© Ravi Sandhu 2002

SECURE ELECTRONIC TRANSACTIONS (SET) CA HIERARCHY

Root

Brand BrandBrand

Geo-Political

Bank Acquirer

Customer Merchant

10© Ravi Sandhu 2002

MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL

X

Q

A

R

S T

C E G I K M O

a b c d e f g h i j k l m n o p

11© Ravi Sandhu 2002

MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL

X

Q

A

R

S T

C E G I K M O

a b c d e f g h i j k l m n o p

12© Ravi Sandhu 2002

MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL

X

Q

A

R

S T

C E G I K M O

a b c d e f g h i j k l m n o p

13© Ravi Sandhu 2002

MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL

Essentially the model on the web today

Deployed in server-side SSL mode Client-side SSL mode yet to happen

14© Ravi Sandhu 2002

SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA

Client Server ClientHello --------> ServerHello Certificate <-------- ServerHelloDone ClientKeyExchange [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data

RecordProtocol

HandshakeProtocol

15© Ravi Sandhu 2002

SERVER-SIDE MASQUARADING

BobWeb browser

www.host.comWeb serverServer-side SSL

UltratrustSecurityServices

www.host.com

16© Ravi Sandhu 2002

SERVER-SIDE MASQUARADING

BobWeb browser

www.host.comWeb server

Server-side SSL UltratrustSecurityServices

www.host.comMallory’sWeb server

BIMMCorporation

www.host.com

Server-side SSL

17© Ravi Sandhu 2002

SERVER-SIDE MASQUARADING

BobWeb browser

www.host.comWeb server

Server-side SSL UltratrustSecurityServices

www.host.comMallory’sWeb server

Server-side SSL

BIMMCorporation

UltratrustSecurityServices

www.host.com

18© Ravi Sandhu 2002

CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA

Client Server ClientHello --------> ServerHello Certificate CertificateRequest <-------- ServerHelloDone Certificate ClientKeyExchange CertificateVerify [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data

RecordProtocol

HandshakeProtocol

19© Ravi Sandhu 2002

MAN IN THE MIDDLEMASQUARADING PREVENTED

BobWeb browser

www.host.comWeb server

Client-side SSL

UltratrustSecurityServices

www.host.com

Mallory’sWeb server

BIMMCorporation

Client-side SSL

UltratrustSecurityServices

www.host.com

Client Side SSLend-to-endUltratrust

SecurityServices

Bob

BIMMCorporation

UltratrustSecurityServices

Bob

20© Ravi Sandhu 2002

ATTRIBUTE-BASED CLIENT SIDE MASQUARADING

Joe@anywhereWeb browser

BIMM.comWeb serverClient-side SSL

UltratrustSecurityServices

BIMM.com

UltratrustSecurityServices

Joe@anywhere

21© Ravi Sandhu 2002

ATTRIBUTE-BASED CLIENT SIDE MASQUARADING

Alice@SRPCWeb browser

BIMM.comWeb serverClient-side SSL

UltratrustSecurityServices

BIMM.com

SRPC

Alice@SRPC

22© Ravi Sandhu 2002

ATTRIBUTE-BASED CLIENT SIDE MASQUARADING

Bob@PPCWeb browser

BIMM.comWeb serverClient-side SSL

UltratrustSecurityServices

BIMM.com

PPC

Bob@PPC

23© Ravi Sandhu 2002

ATTRIBUTE-BASED CLIENT SIDE MASQUARADING

Alice@SRPCWeb browser

BIMM.comWeb serverClient-side SSL

UltratrustSecurityServices

BIMM.com

SRPC

PPC

Bob@PPC

24© Ravi Sandhu 2002

PKI AND TRUST

Got to be very careful Not a game for amateurs Not many professionals as yet

25© Ravi Sandhu 2002

REFERENCES

"An overview of PKI trust models" by Perlman, R. IEEE Network, Volume: 13 Issue: 6 , Nov.-Dec. 1999 Page(s): 38-43

"The problem with multiple roots in Web browsers-certificate masquerading" by Hayes, J.M. Proceedings Seventh IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, IEEE 1998. (WET ICE '98) 17-19 June 1998 Page(s): 306 -311.

"Restricting access with certificate attributes in multiple root environments - a recipe for certificate masquerading" by Hayes, J.M. Proc. 15th Annual Computer Security Applications Conference, IEEE, 2001, Page(s): 386-390.