An Introduction to SSL/TLS and Certificates Providing secure communication over the Internet...
-
Upload
breana-jacobi -
Category
Documents
-
view
220 -
download
0
Transcript of An Introduction to SSL/TLS and Certificates Providing secure communication over the Internet...
An Introduction to SSL/TLS and Certificates
Providing secure communication over the
InternetFrederick J. [email protected]
2
CertCo Overview
• BackgroundEstablished in 1996. Banker’s Trust spinoff. Privately held.
• MissionCertCo provides secure and cost-effective business solutions that enable trust institutions to build a worldwide trust infrastructure to support high-value, secure electronic commerce.
• ExpertiseCryptography, risk management, law, technology and banking.
• LocationHeadquarters: New York City
Regional Offices: Cambridge (MA), Washington, DC, United Kingdom.
3
Outline
• Problem: Creating applications which can communicate securely over the Internet
• TLS: Transport Layer Security (SSL)• Certificates• Related technology: S-HTTP, IPSec, SET,
SASL
• References
4
Security Issues
• Privacy
– Anyone can see content
• Integrity
– Someone might alter content
• Authentication
– Not clear who you are talking with
5
TLS: Transport Layer Security
• formerly known as SSL: Secure Sockets Layer
• Addresses issues of privacy, integrity and authentication
– What is it?– How does it address the issues?– How is it used
6
What is TLS?
• Protocol layer • Requires reliable transport layer
(e.g. TCP)• Supports any application protocols
IPTCPTLS
HTTP Telnet FTP LDAP
7
TLS: Privacy
• Encrypt message so it cannot be read
• Use conventional cryptography with shared key– DES, 3DES– RC2, RC4– IDEA
AMessage Message
B$%&#!@
8
TLS:Key Exchange
• Need secure method to exchange secret key
• Use public key encryption for this– “key pair” is used - either one can
encrypt and then the other can decrypt– slower than conventional cryptography– share one key, keep the other private
• Choices are RSA or Diffie-Hellman
9
TLS: Integrity
• Compute fixed-length Message Authentication Code (MAC)– Includes hash of message– Includes a shared secret– Include sequence number
• Transmit MAC with message
10
TLS: Integrity
• Receiver creates new MAC– should match transmitted MAC
• TLS allows MD5, SHA-1
A BMessage’
MAC’
MAC
=?
Message
MAC
11
TLS: Authentication
• Verify identities of participants• Client authentication is optional• Certificate is used to associate
identity with public key and other attributes
ACertificate
B
Certificate
12
TLS: Overview
• Establish a session – Agree on algorithms– Share secrets– Perform authentication
• Transfer application data– Ensure privacy and integrity
13
TLS: Architecture
• TLS defines Record Protocol to transfer application and TLS information
• A session is established using a Handshake Protocol
TLS Record Protocol
Handshake Protocol
Alert Protocol
ChangeCipher Spec
14
TLS: Record Protocol
15
TLS: Handshake
• Negotiate Cipher-Suite Algorithms– Symmetric cipher to use– Key exchange method– Message digest function
• Establish and share master secret• Optionally authenticate server
and/or client
16
Handshake Phases
• Hello messages• Certificate and Key Exchange
messages• Change CipherSpec and Finished
messages
17
TLS: Hello
• Client “Hello” - initiates session– Propose protocol version– Propose cipher suite– Server chooses protocol and suite
• Client may request use of cached session– Server chooses whether to honor
request
18
TLS: Key Exchange
• Server sends certificate containing public key (RSA) or Diffie-Hellman parameters
• Client sends encrypted “pre-master” secret to server using Client Key Exchange message
• Master secret calculated – Use random values passed in Client and
Server Hello messages
19
Public Key Certificates
• X.509 Certificate associates public key with identity
• Certification Authority (CA) creates certificate– Adheres to policies and verifies identity– Signs certificate
• User of Certificate must ensure it is valid
20
Validating a Certificate
• Must recognize accepted CA in certificate chain– One CA may issue certificate for
another CA
• Must verify that certificate has not been revoked– CA publishes Certificate Revocation
List (CRL)
21
X.509: Certificate Content
• Version• Serial Number• Signature Algorithm
Identifier– Object Identifier (OID)– e.g. id-dsa: {iso(1)
member-body(2) us(840) x9-57 (10040) x9algorithm(4) 1}
• Issuer (CA) X.500 name• Validity Period (Start,End)
• Subject X.500 name• Subject Public Key
– Algorithm– Value
• Issuer Unique Id (Version 2 ,3)
• Subject Unique Id (Version 2,3)
• Extensions (version 3)– optional
• CA digital Signature
22
Subject Names
• X.500 Distinguished Name (DN)• Associated with node in
hierarchical directory (X.500)• Each node has Relative
Distinguished Name (RDN)– Path for parent node– Unique set of attribute/value pairs for
this node
23
Example Subject Name
• Country at Highest Level (e.g. US)• Organization typically at next level
(e.g. CertCo)• Individual below (e.g. Common Name
“Elizabeth” with Id = 1)DN = {
• C=US; • O=CertCo; • CN=Elizabeth, ID=1}
24
Version 3 Certificates
• Version 3 X.509 Certificates support alternative name formats as extensions– X.500 names– Internet domain names– e-mail addresses– URLs
• Certificate may include more than one name
25
Certificate Signature
• RSA Signature– Create hash of certificate– Encrypt using CA’s private key
• Signature verification – Decrypt using CA’s public key– Verify hash
26
TLS: ServerKeyExchange
Client
ClientHello
Server
ServerHello Certificate
ServerKeyExchange
27
TLS: Certificate Request
Client
ClientHello
Server
ServerHello Certificate ServerKeyExchange CertificateRequest
28
TLS: Client Certificate
Client
ClientHello
ClientCertificate ClientKeyExchange
Server
ServerHello Certificate ServerKeyExchange CertificateRequest
29
TLS: Change Cipher Spec, Finished
Client
[ChangeCipherSpec] Finished
Application Data
Server
[ChangeCipherSpec] Finished
Application Data
30
TLS: Change Cipher Spec/Finished
• Change Cipher Spec– Announce switch to negotiated
algorithms and values
• Finished– Send copy of handshake using new
session– Permits validation of handshake
31
TLS: Using a Session
Client
ClientHello (Session #)
[ChangeCipherSpec] Finished
Application Data
Server
ServerHello (Session #)
[ChangeCipherSpec] Finished
Application Data
32
Changes from SSL 3.0 to TLS
• Fortezza removed• Additional Alerts added• Modification to hash calculations• Protocol version 3.1 in ClientHello,
ServerHello
33
TLS: HTTP Application
• HTTP most common TLS application– https://
• Requires TLS-capable web server• Requires TLS-capable web browser
– Netscape Navigator– Internet Explorer– Cryptozilla
• Netscape Mozilla sources with SSLeay
34
Web Servers
• Apache-SSL• Apache mod_ssl• Stronghold• Roxen• iNetStore
35
Other Applications
• Telnet• FTP• LDAP• POP• SSLrsh• Commercial Proxies
36
TLS: Implementation
• Cryptographic Libraries– RSARef, BSAFE
• TLS/SSL packages– SSLeay– SSLRef
37
X.509 Certificate Issues
• Certificate Administration is complex– Hierarchy of Certification Authorities– Mechanisms for requesting, issuing,
revoking certificates
• X.500 names are complicated• Description formats are
cumbersome (ASN.1)
38
X.509 Alternative: SDSI
– SDSI: Simple Distributed Security Infrastructure (Rivest, Lampson)• Merging with IETF SPKI: Simple Public-Key
Infrastructure in SDSI 2.0• Eliminate X.500 names - use DNS and
text• Everyone is their own CA• Instead of ASN.1 use “S-expressions” and
simple syntax• Name and Authorization certificates
39
TLS “Alternatives”
• S-HTTP: secure HTTP protocol, shttp://
• IPSec: secure IP• SET: Secure Electronic Transaction
– Protocol and infrastructure for bank card payments
• SASL: Simple Authentication and Security Layer (RFC 2222)
40
Summary
• SSL/TLS addresses the need for security in Internet communications– Privacy - conventional encryption– Integrity - Message Authentication
Codes– Authentication - X.509 certificates
• SSL in use today with web browsers and servers
41
References - 1
• Engelschall, Ralph, mod_ssl, <http://www.engelschall.com/sw/mod_ssl>
• Ford, Warwick, Baum, Michael S. Secure Electronic Commerce, Prentice Hall 1997.
• Hirsch, Frederick J. “Introduction to SSL and Certificates Using SSLeay”, World Wide Web Journal, Summer 1997, <http://www.fjhirsch.com/wwwj/>
• Hudson, Tim J, Young, Eric A , “SSLeay and SSLapps FAQ”, <http://www.psy.uq.oz.au/~ftp/Crypto/>
• Kaufman, Charlie, Perlman, Radia, Speciner,Mike Network Security: PRIVATE Communication in a PUBLIC World, Prentice Hall, 1995.
42
References - 2
• Rivest, Ron, SDSI, <http://theory.lcs.mit.edu/~cis/sdsi.html>
• Stallings, William Cryptography and Network Security: Principles and Practice, 2nd Edition, Prentice Hall, 1999.
• Wagner, David, Schneier, Bruce “Analysis of the SSL 3.0 Protocol” <http://www.counterpane.com/ssl.html>
• Internet Drafts and RFCs <http://www.ietf.org/>. Use the keyword search on TLS or SSL in the Internet Drafts section to find the TLS Protocol specification and other relevant documents.
• PKCS standards: <http://www.rsa.com/rsalabs/pubs/PKCS/>
43
References - 3
• Microsoft Security Documents <http://www.microsoft.com/workshop/security/contents.htm>
• Netscape Security Documents <http://www.netscape.com/eng/security/>
44
http://www.fjhirsch.com/~fhirsch/SSL/