Crash course on SSL/TLS, Ran Canetti, December 2009 (based on slides by Jörg Schwenk)
SSL
• De facto standard for client-server security
• IETF RFC: The TLS Protocol Version 1.0 (RFC 2246)
• All commodity browsers support SSL
• Open implementations (e.g. SSLRef, SSLPlus, SSLava, SSLeay, openSSL, modSSL)
SSL/TLS Framework (layer diagram)
HTTP(S) runs over SSL/TLS, which runs over TCP. SSL/TLS itself has two layers: the Record Layer (data encryption/authentication) and, on top of it, the Handshake protocol (key exchange), the ChangeCipherSpec protocol, the Alert protocol and the Application data protocol.
SSL/TLS Record Layer (diagram)
HTTP data passes through three steps: Fragmentation (each fragment gets a record header carrying the content type, the protocol version 3.1 and the length), Compression, and Encryption (a MAC, padding and the padding length are appended to the compressed fragment, and the result is encrypted).
SSL/TLS: Handshake (figure: handshake between a client and the server bank.com, following the protocol specification)
SSL/TLS: ciphersuites

Key Exchange Algorithm | Certificate Type | ServerKeyExchange | ClientKeyExchange | Description
RSA | RSA Encryption | No | Encrypted premaster secret | Client encrypts premaster secret with server's public key
RSAExport (>512 Bit) | RSA Signing | Yes (ephemeral RSA key ≤ 512 Bit) | Encrypted premaster secret | Client encrypts premaster secret with server's ephemeral public key
DHE-DSS | DSS Signing | Yes (g^s mod p) | g^c mod p | Diffie-Hellman key exchange, server signs (g^s mod p) with DSS signature
SSL/TLS: ciphersuites (continued)

Key Exchange Algorithm | Certificate Type | ServerKeyExchange | ClientKeyExchange | Description
DHE-RSA | RSA Signing | Yes (g^s mod p) | g^c mod p | Diffie-Hellman key exchange, server signs (g^s mod p) with RSA signature
DH-DSS | Signed DH, using DSS signature | No (g^s mod p in server certificate) | g^c mod p | Diffie-Hellman key exchange with server's static DH exponent
DH-RSA | Signed DH, using RSA signature | No (g^s mod p in server certificate) | g^c mod p | Diffie-Hellman key exchange with server's static DH exponent
TLS Renegotiation
• The spec allows either party (I or R, i.e. initiator or responder) to initiate a "change cipher" procedure by sending a special message, authenticated under the current session key.
• As a result, a new key is negotiated from scratch.
• There is no "binding" between the old and new keys: these are two independent sessions. Still, the two sessions appear to applications as the same "stream".
• Consequently, it is possible to attack the protocol:
TLS Renegotiation attack

Client                    Attacker                    Server
                          <-------- Handshake -------->
                          <====== Initial Traffic ====>
<-------------------------- Handshake ------------------------->
<========================= Client Traffic =====================>

(The attacker first sets up its own session with the server and sends some initial traffic; the client's handshake is then relayed into that session as a renegotiation, so the server's application sees the attacker's initial traffic and the client's traffic as one stream.)
• There is much work currently being done at the IETF on how to fix the protocol.
• This is a great example of the importance of modeling and proof in practical crypto.
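The missing "binding" described above, modelled as an added example that is not part of the slides: a toy server that concatenates application data across sessions, first without any binding (the spliced stream the diagram shows) and then with the renegotiation_info check the IETF later standardised as RFC 5746 (not on the slides), where a renegotiating client must echo the verify_data of the session being renegotiated. The handshake transcript, the Peer class and the traffic strings are constructed stand-ins.

```python
import hashlib, os
from dataclasses import dataclass

@dataclass
class Peer:
    """One endpoint's view: application bytes received so far and the
    verify_data of its most recent handshake (the RFC 5746 binding value)."""
    name: str
    app_stream: bytes = b""
    last_verify_data: bytes = b""

def handshake(initiator: Peer, server: Peer, reneg_info: bytes, bound: bool) -> bool:
    """Run a toy handshake; return True if the server accepts it.
    reneg_info is the renegotiation_info the initiator's ClientHello carries."""
    if bound:
        # Server already has a session => the peer must echo that session's
        # verify_data; a fresh connection must carry an empty value instead.
        if server.last_verify_data and reneg_info != server.last_verify_data:
            return False
        if not server.last_verify_data and reneg_info:
            return False
    # Constructed stand-in for the handshake transcript; real verify_data is a
    # PRF over the real messages, which is all the binding relies on.
    transcript = os.urandom(16)
    vd = hashlib.sha256(b"client finished" + transcript).digest()[:12]
    initiator.last_verify_data = server.last_verify_data = vd
    return True

def deliver(to: Peer, data: bytes) -> None:
    """Record layer hands plaintext to the application as one stream."""
    to.app_stream += data

def spliced_stream(bound: bool):
    """The scenario from the diagram: attacker's session, then the client's
    initial handshake relayed as a renegotiation. Returns what the server's
    application sees, or None if the server aborted the renegotiation."""
    client, attacker, server = Peer("client"), Peer("attacker"), Peer("server")
    handshake(attacker, server, b"", bound)            # attacker <-> server
    deliver(server, b"ATTACKER-PREFIX ")                # initial traffic
    # The client believes this is its first handshake, so its
    # renegotiation_info is empty; with binding the server rejects it.
    if not handshake(client, server, client.last_verify_data, bound):
        return None
    deliver(server, b"CLIENT-DATA")                     # client traffic
    return server.app_stream

def honest_renegotiation(bound: bool) -> bool:
    """A client renegotiating its own session is still accepted."""
    client, server = Peer("client"), Peer("server")
    handshake(client, server, b"", bound)
    return handshake(client, server, client.last_verify_data, bound)
```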