8-1

Secure Sockets Layer (SSL) and Transport layer security (TLS)

IS511

8-2Network Security

Network SecurityGoals: understand principles of network security:

cryptography and its many uses beyond “confidentiality”

authentication message integrity

security in practice: firewalls and intrusion detection systems security in application, transport, network, link

layers

8-3Network Security

What is network security?

confidentiality: only sender, intended receiver should “understand” message contents sender encrypts message receiver decrypts message

authentication: sender, receiver want to confirm identity of each other

message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection

access and availability: services must be accessible and available to users

8-4Network Security

Friends and enemies: Alice, Bob, Trudy

well-known in network security world Bob, Alice (lovers!) want to communicate “securely” Trudy (intruder) may intercept, delete, add messages

securesender s

securereceiver

channel data, control messages

data data

Alice Bob

Trudy

8-5Network Security

Who might Bob, Alice be?

… well, real-life Bobs and Alices! Web browser/server for electronic

transactions (e.g., on-line purchases) on-line banking client/server DNS servers routers exchanging routing table updates other examples?

8-6Network Security

There are bad guys (and girls) out there!

Q: What can a “bad guy” do?A: A lot!

eavesdrop: intercept messages actively insert messages into connection impersonation: can fake (spoof) source

address in packet (or any field in packet) hijacking: “take over” ongoing connection by

removing sender or receiver, inserting himself in place

denial of service: prevent service from being used by others (e.g., by overloading resources)

8-7Network Security

The language of cryptography

m plaintext messageKA(m) ciphertext, encrypted with key KA

m = KB(KA(m))

plaintext plaintextciphertext

KA

encryptionalgorithm

decryption algorithm

Alice’s encryptionkey

Bob’s decryptionkey

KB

8-8Network Security

Symmetric key cryptography

symmetric key crypto: Bob and Alice share same (symmetric) key: K

e.g., key is knowing substitution pattern in mono alphabetic substitution cipher

Q: how do Bob and Alice agree on key value?

plaintextciphertext

K S

encryptionalgorithm

decryption algorithm

S

K S

plaintextmessage, m

K (m)S

m = KS(KS(m))

8-9Network Security

AuthenticationGoal: Bob wants Alice to “prove” her

identity to himProtocol ap1.0: Alice says “I am Alice”

Failure scenario??“I am Alice”

8-10Network Security

in a network,Bob can not “see” Alice, so Trudy simply declares

herself to be Alice“I am Alice”

AuthenticationGoal: Bob wants Alice to “prove” her

identity to himProtocol ap1.0: Alice says “I am Alice”

8-11Network Security

Authentication: another try

Protocol ap2.0: Alice says “I am Alice” in an IP packetcontaining her source IP address

Failure scenario??

“I am Alice”Alice’s

IP address

8-12Network Security

Trudy can createa packet “spoofing”

Alice’s address“I am Alice”

Alice’s IP address

Authentication: another try

Protocol ap2.0: Alice says “I am Alice” in an IP packetcontaining her source IP address

8-13Network Security

Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.

Failure scenario??

“I’m Alice”Alice’s IP addr

Alice’s password

OKAlice’s IP addr

Authentication: another try

8-14Network Security

playback attack: Trudy records Alice’s packet

and laterplays it back to Bob

“I’m Alice”Alice’s IP addr

Alice’s password

OKAlice’s IP addr

“I’m Alice”Alice’s IP addr

Alice’s password

Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.

Authentication: another try

8-15Network Security

Authentication: yet another try

Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.

Failure scenario??

“I’m Alice”Alice’s IP addr

encrypted password

OKAlice’s IP addr

8-16Network Security

recordand

playbackstill works!

“I’m Alice”Alice’s IP addr

encryptedpassword

OKAlice’s IP addr

“I’m Alice”Alice’s IP addr

encryptedpassword

Authentication: yet another try

Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.

8-17Network Security

Goal: avoid playback attack

Failures, drawbacks?

nonce: number (R) used only once-in-a-lifetimeap4.0: to prove Alice “live”, Bob sends Alice

nonce, R. Alicemust return R, encrypted with shared secret

key“I am Alice”

R

K (R)A-B

Alice is live, and only Alice knows

key to encrypt nonce, so it must

be Alice!

Authentication: yet another try

8-18Network Security

Authentication: ap5.0ap4.0 requires shared symmetric key can we authenticate using public key

techniques?ap5.0: use nonce, public key cryptography

“I am Alice”

RBob computes

K (R)A-

“send me your public key”

K A+

(K (R)) = RA

-K A

+

and knows only Alice could have the private key, that encrypted R

such that

(K (R)) = RA

-K A

+

8-19Network Security

ap5.0: security holeman (or woman) in the middle attack: Trudy

poses as Alice (to Bob) and as Bob (to Alice)

I am Alice I am Alice

R

TK (R)

-

Send me your public key

TK

+A

K (R)-

Send me your public key

AK

+

TK (m)+

Tm = K (K (m))

+

T

-Trudy gets

sends m to Alice encrypted with

Alice’s public key

AK (m)+

Am = K (K (m))

+

A

-

R

8-20Network Security

difficult to detect:Bob receives everything that Alice sends, and vice versa. (e.g., so Bob, Alice can meet one week later and recall conversation!)problem is that Trudy receives all messages as well!

ap5.0: security holeman (or woman) in the middle attack: Trudy

poses as Alice (to Bob) and as Bob (to Alice)

8-21Network Security

Public-key certification motivation: Trudy plays pizza prank on

Bob Trudy creates e-mail order:

Dear Pizza Store, Please deliver to me four pepperoni pizzas. Thank you, Bob

Trudy signs order with her private key Trudy sends order to Pizza Store Trudy sends to Pizza Store her public key, but

says it’s Bob’s public key Pizza Store verifies signature; then delivers

four pepperoni pizzas to Bob Bob doesn’t even like pepperoni

8-22Network Security

Certification authorities certification authority (CA): binds public

key to particular entity, E. E (person, router) registers its public key with

CA. E provides “proof of identity” to CA. CA creates certificate binding E to its public key. certificate containing E’s public key digitally signed by

CA – CA says “this is E’s public key”Bob’s public

key K B+

Bob’s identifying

information

CA private

key K CA-

K B+

certificate for Bob’s public key,

signed by CA

8-23Network Security

when Alice wants Bob’s public key: gets Bob’s certificate (Bob or elsewhere). apply CA’s public key to Bob’s certificate,

get Bob’s public key

Bob’s public

key K B+

CA public

key K CA

+

K B+

Certification authorities

8-24Network Security

SSL: Secure Sockets Layerwidely deployed security

protocol supported by almost all

browsers, web servers https billions $/year over SSL

mechanisms: [Woo 1994], implementation: Netscape

variation -TLS: transport layer security, RFC 2246

provides confidentiality integrity authentication

original goals: Web e-commerce

transactions encryption (especially

credit-card numbers) Web-server

authentication optional client

authentication minimum hassle in

doing business with new merchant

available to all TCP applications secure socket interface

8-25Network Security

SSL and TCP/IP

Application

TCP

IP

normal application

Application

SSL

TCP

IP

application with SSL

SSL provides application programming interface (API) to applications

C and Java SSL libraries/classes readily available

8-26Network Security

Toy SSL: a simple secure channel handshake: Alice and Bob use their

certificates, private keys to authenticate each other and exchange shared secret

key derivation: Alice and Bob use shared secret to derive set of keys

data transfer: data to be transferred is broken up into series of records

connection closure: special messages to securely close connection

8-27Network Security

Toy: a simple handshake

MS: master secretEMS: encrypted master secret

hello

public key certificate

KB+(MS) = EMS

8-28Network Security

Toy: key derivation considered bad to use same key for more than one

cryptographic operation use different keys for message authentication code (MAC) and

encryption four keys:

Kc = encryption key for data sent from client to server

Mc = MAC key for data sent from client to server

Ks = encryption key for data sent from server to client

Ms = MAC key for data sent from server to client keys derived from key derivation function (KDF)

takes master secret and (possibly) some additional random data and creates the keys

8-29Network Security

Toy: data records why not encrypt data in constant stream as we

write it to TCP? where would we put the MAC? If at end, no message

integrity until all data processed. e.g., with instant messaging, how can we do integrity

check over all bytes sent before displaying? instead, break stream in series of records

each record carries a MAC receiver can act on each record as it arrives

issue: in record, receiver needs to distinguish MAC from data want to use variable-length records

length data MAC

8-30Network Security

Toy: sequence numbers

problem: attacker can capture and replay record or re-order records

solution: put sequence number into MAC: MAC = MAC(Mx, sequence||data) note: no sequence number field

problem: attacker could replay all records

solution: use nonce

8-31Network Security

Toy: control information

problem: truncation attack: attacker forges TCP connection close segment one or both sides thinks there is less data

than there actually is. solution: record types, with one type for

closure type 0 for data; type 1 for closure

MAC = MAC(Mx, sequence||type||data)

length type data MAC

8-32Network Security

Toy SSL: summary

hello

certificate, nonce

KB+(MS) = EMS

type 0, seq 1, datatype 0, seq 2, data

type 0, seq 1, data

type 0, seq 3, data

type 1, seq 4, close

type 1, seq 2, close

enc

rypt

ed

bob.com

8-33Network Security

Toy SSL isn’t complete

how long are fields? which encryption protocols? want negotiation?

allow client and server to support different encryption algorithms

allow client and server to choose together specific algorithm before data transfer

8-34Network Security

SSL cipher suite cipher suite

public-key algorithm symmetric encryption

algorithm MAC algorithm

SSL supports several cipher suites

negotiation: client, server agree on cipher suite client offers choice server picks one

common SSL symmetric ciphers DES – Data Encryption

Standard: block 3DES – Triple strength: block AES RC2 – Rivest Cipher 2: block RC4 – Rivest Cipher 4:

stream

SSL Public key encryption RSA

8-35Network Security

Real SSL: handshake (1)

Purpose1. server authentication2. negotiation: agree on crypto

algorithms3. establish keys4. client authentication (optional)

8-36Network Security

Real SSL: handshake (2)1. client sends list of algorithms it supports, along

with client nonce2. server chooses algorithms from list; sends back:

choice + certificate + server nonce3. client verifies certificate, extracts server’s public

key, generates pre_master_secret, encrypts with server’s public key, sends to server

4. client and server independently compute encryption and MAC keys from pre_master_secret and nonces

5. client sends a MAC of all the handshake messages6. server sends a MAC of all the handshake

messages

8-37Network Security

Real SSL: handshaking (3)

last 2 steps protect handshake from tampering

client typically offers range of algorithms, some strong, some weak

man-in-the middle could delete stronger algorithms from list

last 2 steps prevent this last two messages are encrypted

8-38Network Security

Real SSL: handshaking (4)

why two random nonces? suppose Trudy sniffs all messages

between Alice & Bob next day, Trudy sets up TCP connection

with Bob, sends exact same sequence of records Bob (Amazon) thinks Alice made two

separate orders for the same thing solution: Bob sends different random nonce

for each connection. This causes encryption keys to be different on the two days

Trudy’s messages will fail Bob’s integrity check

8-39Network Security

SSL record protocol

data

data fragment

data fragment

MAC MAC

encrypteddata and MAC

encrypteddata and MAC

recordheader

recordheader

record header: content type; version; length

MAC: includes sequence number, MAC key Mx

fragment: each SSL fragment 214 bytes (~16 Kbytes)

8-40Network Security

SSL record format

contenttype SSL version length

MAC

data

1 byte 2 bytes 3 bytes

data and MAC encrypted (symmetric algorithm)

8-41Network Security

handshake: ClientHello

handshake: ServerHello

handshake: Certificate

handshake: ServerHelloDone

handshake: ClientKeyExchangeChangeCipherSpec

handshake: Finished

ChangeCipherSpec

handshake: Finished

application_data

application_data

Alert: warning, close_notify

Real SSLconnection

TCP FIN follows

everythinghenceforth

is encrypted

8-42Network Security

Key derivation Step 4: Using the same key derivation

function, the client and server compute the MS from the PMS and nonces. The PMS is sliced up to generate the two encryption and two MAC keys. Also, when the cipher method is CBC, it also generates two initialization vectors (one for each side).

client MAC key server MAC key client encryption key server encryption key client initialization vector (IV) server initialization vector (IV)