Transport layer security

Jun 14, 2015

1. Transport Layer Security. Presented by Hrudya.

2. TLS: IETF standard RFC 2246, similar to SSLv3, with minor differences: in record format version number; uses HMAC for MAC; a pseudo-random function expands secrets, based on HMAC using SHA-1 or MD5; has additional alert codes; some changes in supported ciphers; changes in certificate types & negotiations; changes in crypto computations & padding.

3. Goals: The goals of the TLS protocol, in order of their priority, are:
   Cryptographic security: TLS should be used to establish a secure connection between two parties.
   Interoperability: Independent programmers should be able to develop applications utilizing TLS that will then be able to successfully exchange cryptographic parameters without knowledge of one another's code.
   Extensibility: TLS seeks to provide a framework into which new public key and bulk encryption methods can be incorporated as necessary. This will also accomplish two sub-goals: to prevent

4. Record Layer

5. Continue: The record layer encapsulates messages for transmission over the underlying communications protocol, usually TCP/IP. A record begins with a header which includes the version of the protocol, the length of the data in bytes, the type of the message, etc.

6. After the header comes the message data. This is compressed by the compression algorithm that has been negotiated for the connection. The MAC is then calculated for the compressed data and appended to the record. If a block cipher is in effect for the connection, then a pad is added in order for the message size to be a multiple of the block size of the cipher.

7. General format of all TLS records

8. Version Number: The TLS record format is the same as the SSL record format, and the fields in the header have the same meanings. The one difference is in the version values. For TLS: major version = 3, minor version = 1.

9. The Record Protocol: When the record protocol receives the data from the application layer, it might perform the following tasks:
   Fragments the data into blocks or reassembles fragmented data into its original structure.
   Numbers the sequence of data blocks in the message to protect against attacks that attempt to reorder data.
   Compresses or decompresses the data using the compression algorithm negotiated in the handshake protocol.
   Encrypts or decrypts the data using the encryption keys and cryptographic algorithm negotiated during the handshake protocol.
   Applies an HMAC (or, for SSL 3.0, a MAC) to outgoing data. When a message is received, it computes the HMAC and verifies that it is identical to the value that was transmitted, in order to check data integrity.

10. Message Authentication Codes: Message Authentication Codes (MACs) are used to ensure that messages are not tampered with or otherwise corrupted during transit. A MAC can be thought of as a digest of the message which includes a secret key. It is constructed when data is sent, and verified when it is received. It is not possible to reproduce the digest without knowing both the input text and the key, and thus a would-be attacker needs to know the secret in order to construct a valid MAC for a message that has been altered.

11. Message Authentication Code: The Message Authentication Code (MAC) used for TLS is HMAC. HMAC is expressed by the following equation:
   HMAC_K(M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]
   Where:
   || : is concatenation
   M : is the plain-text to be encrypted
   H : is the hashing function (either MD-5 or SHA-1)
   K+ : secret key padded with zeros on the left so that the result is equal to the block length of the hash code (for MD-5 and SHA-1 the block length is 512 bits)
   ipad : 00110110 (36 in hexadecimal) repeated 64 times (512 bits)
   opad : 01011100 (5c in hexadecimal) repeated 64 times (512 bits)

12. SSLv3 uses the same algorithm, except that the padding bits are concatenated with the secret key rather than being XORed with the secret key padded to the block length. The level of security is the same in both cases.

13. Generation Of Cryptographic Secrets: The generation of cryptographic secrets is more complex in TLS than in SSL. TLS first defines two functions: the pseudorandom function and the data expansion function.

14. Data Expansion Function: First, we define a data expansion function, P_hash(secret, data), which uses a single hash function to expand a secret and seed into an arbitrary quantity of output. This function can be considered a multiple-section function, where each section creates one hash value. Each section uses HMAC, the secret and a seed. The second seed is the output of the first HMAC of the previous section. P_hash can be iterated as many times as is necessary to produce the required quantity of data. For example, if P_SHA-1 was being used to create 64 bytes of data, it would have to be iterated 4 times, creating 80 bytes of output data; the last 16 bytes of the final iteration would then be

15. Pseudorandom Function: TLS makes use of a pseudo-random function, referred to as the PRF, to expand secrets into blocks of data for the purposes of key generation and validation. It uses a relatively small shared secret value to generate longer blocks of data in a way that is secure from the kind of attacks made on hash functions and MACs. The PRF is based on the data expansion function, which is given as
   P_hash(secret, seed) = HMAC_hash(secret, A(1) || seed) || HMAC_hash(secret, A(2) || seed) || HMAC_hash(secret, A(3) || seed) || ...
   Where || indicates concatenation. A() is defined as:
   A(0) = seed
   A(i) = HMAC_hash(secret, A(i-1))

16. Usually the pseudo-random function is the combination of two data expansion functions, one using MD-5 and the other using SHA-1. The PRF takes 3 inputs: a secret, a label and a seed. The label and seed are concatenated and serve as the seed for each data expansion function. The secret is divided into two halves; each half is used as the secret for one data expansion function. The outputs of the two data expansion functions are exclusive-ORed together to create the final expanded secret. The PRF is then defined as
   PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)
   S1 and S2 are the two halves of the secret and each is the same length. S1 is taken from the first half of the secret, S2 from the second half.

17. Alert Codes: TLS supports all of the alert codes defined in SSLv3 with the exception of no-certificate. A number of additional codes are also defined :

18. Cipher Suites: Cipher suites define the encryption and hashing functions that will be used by the connection once the handshake concludes, as well as the key-exchange method used during the handshake. There are several small differences between the cipher suites available under SSLv3 and under TLS.
   Key Exchange: TLS supports all of the key exchange techniques of SSLv3 with the exception of Fortezza.
   Symmetric Encryption Algorithms: TLS includes all of the encryption algorithms found in SSLv3 with the exception of Fortezza.

19. Client Certificate Types: In TLS client authentication, the client (browser) uses a certificate to authenticate itself during the TLS handshake. When asking for client authentication, the server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. TLS defines the following certificate types to be requested in a certificate_request message: rsa_sign, dss_sign, rsa_fixed_dh, dss_fixed_dh. These are all defined in SSLv3.

20. Certificate Verified and Finished Messages:
   Certificate Verified: In the TLS certificate_verify message, the MD5 and SHA-1 hashes are calculated only over handshake_messages (the master secret and pads are excluded because they provide no additional security).
   The finished message in TLS is a hash based on the shared master_secret, the previous handshake messages and a label that identifies client or server:
   PRF(master_secret, finished_label, MD5(handshake_messages) || SHA-1(handshake_messages))
   Where finished_label is the string "client finished" for the client and "server finished" for the server.

21. Cryptographic Computations:
   Pre-master Secret: The generation of the pre-master secret in TLS is exactly the same as in SSL.
   Master Secret: TLS uses the PRF function to create the master secret from the pre-master secret. This is achieved by using the pre-master secret as the secret, the string "master secret" as the label, and the concatenation of the client random number and server random number as the seed.
   Note: the label is actually the ASCII code of the string "master secret", i.e. the label defines the output we want to create: the master secret.
   master_secret = PRF(pre_master_secret, "master secret", ClientHello.random || ServerHello.random)

22. Key Material: TLS uses the PRF function to create the key material from the master secret. This time the secret is the master secret, the label is the string "key expansion" and the seed is the concatenation of the server random number and client random number.
   key_block = PRF(master_secret, "key expansion", SecurityParameters.server_random || SecurityParameters.client_random)

23. [Figure: the pseudorandom function (PRF) takes the master secret as secret, "key expansion" as label and SR || CR as seed, and outputs the key material.]
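
The derivations from slides 14-16 and 20-22, carried through as an added Python example (not part of the original slides): P_hash, the MD5/SHA-1 PRF, the master secret, the key block and the Finished value. The 48-byte and 12-byte output lengths and the odd-length secret split come from RFC 2246 rather than the slides, and the pre-master secret and random values are constructed sample inputs.

```python
import hashlib
import hmac

# Constructed sample inputs (not from a real handshake).
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x01" * 32
SERVER_RANDOM = b"\x02" * 32


def p_hash(hash_name, secret, seed, length):
    """Data expansion function: iterate HMAC until `length` bytes exist."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) || seed)
    return out[:length]                     # surplus bytes of the last round are dropped


def prf(secret, label, seed, length):
    """PRF = P_MD5(S1, label || seed) XOR P_SHA-1(S2, label || seed)."""
    half = (len(secret) + 1) // 2           # RFC 2246: odd-length secrets share the middle byte
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def master_secret(pre_master, client_random, server_random):
    # RFC 2246 fixes the master secret at 48 bytes.
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, length):
    # Seed order is reversed here: server random first.
    return prf(master, b"key expansion", server_random + client_random, length)


def finished_verify_data(master, handshake_messages, is_client):
    label = b"client finished" if is_client else b"server finished"
    seed = hashlib.md5(handshake_messages).digest() + hashlib.sha1(handshake_messages).digest()
    return prf(master, label, seed, 12)     # RFC 2246: verify_data is 12 bytes


if __name__ == "__main__":
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master secret:", ms.hex())
    print("key block    :", key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, 72).hex())
    print("client fin   :", finished_verify_data(ms, b"constructed transcript", True).hex())
```

An implementation that checks a received Finished value against this output should compare the two with `hmac.compare_digest` rather than `==`.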