WUSTL CSE 571S - Secure Socket Layer and Transport Layer Security

This preview shows page 1-2-3-25-26-27 out of 27 pages.


15-1 Secure Socket Layer (SSL) and Transport Layer Security (TLS)
©2009 Raj Jain, CSE571S, Washington University in St. Louis

Raj Jain
Washington University in Saint Louis
Saint Louis, MO
[email protected]/Video recordings of this lecture are available at:
http://www.cse.wustl.edu/~jain/cse571-09/

15-2 Overview
- History and overview of SSL/TLS
- Products and Implementations
- Datagram Transport Layer Security (DTLS)
- Current TLS Issues and Extensions
- Secure Remote Password (SRP)
First part from the textbook. Remainder from Wikipedia and IETF.

15-3 Key Features
- User level ⇒ Not operating system specific
- Uses TCP ⇒ Reliable transmission (No retransmissions at application layer)
- Features:
  - Crypto negotiation
  - Key Generation for encryption and Integrity
  - Authentication: Servers use Certificates. Clients use password or certificates

15-4 SSL/TLS Applications
- HTTPS = HTTP over port 443
- FTPS = FTP over SSL (different from SFTP = FTP over SSH)
- NNTP over SSL
- OpenVPN

15-5 History
- Secure Socket Layer (SSL) V2 on Netscape Navigator 1.1 1995
- Private Communication Technology (PCT) by Microsoft fixed some bugs in SSL V2
- SSL v3 is most commonly deployed protocol
- Transport Layer Security (TLS) by IETF [RFC 2246 1999]
- TLS v1.1 [RFC 4346 2006]
- TLS v1.2 [draft-ietf-tls-rfc4346-bis-05.txt June 2007]

15-6 SSL v2 vs. v3
- Downgrade Attack: Crypto choices not protected in V2. Finished message in v3 contains digest of all previous messages
- Truncation Attack: V2 closes SSL on TCP connection close ⇒ Not protected. V3 added session finished message to close SSL session.

15-7 SSL/TLS Basic Protocol
- R's are 32B. First 4B = Unix time
- Secrets: Pre-master secret S, master secret K
- 6 Keys: Encryption, Integrity, IV (1 per direction)
- Authenticates server. Client authenticated by password.
Message flow:
  Client → Server: [Session ID], Ciphers I support, R_Alice
  Server → Client: Certificate, cipher I choose, R_Bob
  Client → Server: {S}_Bob, {Keyed hash of handshake msgs}
  Server → Client: {Keyed hash of handshake msgs}
  Client: Choose S, K = f(S, R_Alice, R_Bob)
  Server: K = f(S, R_Alice, R_Bob)

15-8 Session Resumption
- Similar to Phase 2 of IKE
- Multiple session keys from master secret K
- HTTP 1.0 used many TCP connections
- Server stores session ID and master secret

15-9 Version #
- 0.2 ⇒ SSL v2
- 3.0 ⇒ SSL v3
- 3.1 ⇒ TLS v1
- V3 clients send v2 client-hello with version 3.0
- V2 servers respond with v2 server-hello
- V3 servers respond with a v3 server-hello

15-10 Cipher Suites
- V3 has a 2B field for cipher suite
- Standard numbers for 30 Cipher suites, e.g., SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
- Server decides one of the choices offered by Client
- Crypto Algorithms
  - Key exchange: RSA, Diffie-Hellman, DSA, SRP, PSK
  - Symmetric ciphers: RC4, Triple DES, AES or Camellia.
  - Hash function: HMAC-MD5 or HMAC-SHA

15-11 Export Issues
- Only 40 bits master secret allowed.
- Servers can encrypt keys using 512b RSA keys. Normally RSA keys are 1024b. 512b Ephemeral key.
- Server Gated Cryptography/Step-Up: Financial transactions allowed to use longer keys. Server certificates signed by Verisign or Thawte contain SGC extension allowed. Initial handshake using 40b. Client would then send Change Cipher Spec message to renegotiate.

15-12 Encrypted Records
- Integrity is provided by HMAC using the integrity key
- Data prefixed by 64b sequence # but the sequence # not sent
- Block cipher ⇒ 40B padding in SSLv3, 44B in TLS.
- Final block of each record is used as IV for the next

15-13 Encoding
- All exchanges are in records up to 2^14 B or 2^16-1 B.
- Standard allows multiple messages in one record or multiple records. Most implementations use one message per record.
- Four Record Types:
  - 20 = Change Cipher Spec
  - 21 = Alerts (1 = Warning, 2 = Fatal)
  - 22 = Handshake
  - 23 = Application Data
- Record header: Record Type (1B), Version # (2B), Length (2B)
- Each message starts with a 1B message-type and 3B message length.

15-14 Handshake Messages
- 1 = Client Hello: Version, R_Alice, Session ID, Cipher Suites, Compressions
- 2 = Server Hello: Version, R_Bob, Session ID, Chosen Cipher, Chosen Compression
- 14 = Server Hello Done
- 16 = Client Key Exchange: Encrypted pre-master key
- 12 = Server Key Exchange: Modulus p, Exponent g, Signature (export only)
- 13 = Certificate Request: CA Names (requested by server)
- 11 = Certificate: sent by server
- 15 = Certificate Verify: signature of Hash of messages
- 20 = Handshake Finished: MD5 and SHA Digest of message halves

15-15 TLS Message Exchange
  Client → Server: Client Hello: Crypto Choices, R_C
  Server → Client: Server Hello: Crypto Selected, R_S
  Server → Client: Certificate: Server Certificate
  Server → Client: Certificate Request
  Client: Generate random PMS S
  Client → Server: Certificate: K_client Private Key{Client Certificate}
  Client → Server: Client Key Exchange: K_server Public Key{PreMasterSecret}
  Client: Compute MS K
  Server: Compute MS K
  Client → Server: Change Cipher Spec
  Client → Server: Handshake Finished: Hash and MAC of Previous messages
  Server → Client: Change Cipher Spec
  Server → Client: Handshake Finished

15-16 Alerts
- 0 Close notify (warning or fatal)
- 10 Unexpected message (fatal)
- 20 Bad record MAC (fatal)
- 21 Decryption failed (fatal, TLS only)
- 22 Record overflow (fatal, TLS only)
- 30 Decompression failure (fatal)
- 40 Handshake failure (fatal)
- 41 No certificate (SSL v3 only) (warning or fatal)
- 42 Bad certificate (warning or fatal)
- 43 Unsupported certificate (warning or fatal)
- 44 Certificate revoked (warning or fatal)
- 45 Certificate expired (warning or fatal)

15-17 Alerts
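
The record and handshake framing from the Encoding and Handshake Messages slides, as an added Python example that is not part of the lecture: it splits a byte stream into records using the 1B type / 2B version / 2B length header, then walks the 1B type / 3B length handshake headers inside a record, rejecting lengths that run past the data. The function names and the sample bytes are constructed for illustration, and the code assumes unencrypted records in which each handshake message fits inside one record.

```python
import struct

# Code points as listed on the Encoding and Handshake Messages slides.
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 15: "certificate_verify",
                   16: "client_key_exchange", 20: "finished"}
VERSIONS = {(3, 0): "SSL v3", (3, 1): "TLS v1"}
MAX_FRAGMENT = 2 ** 14  # record size limit from the Encoding slide (unencrypted records)
# Constructed sample: one TLS v1 handshake record holding ServerHello (dummy 2-byte
# body) and ServerHelloDone, then an alert record (level 2 = fatal, code 40).
SAMPLE = bytes.fromhex("160301000a" "02000002abcd" "0e000000" "1503010002" "0228")


def parse_records(stream: bytes):
    """Split a byte stream into (type, version, payload) records; reject malformed input."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        rtype, major, minor, length = struct.unpack_from("!BBBH", stream, off)
        if rtype not in RECORD_TYPES:
            raise ValueError(f"unknown record type {rtype}")
        if length > MAX_FRAGMENT:
            raise ValueError("record overflow")  # alert 22 on the Alerts slide
        payload = stream[off + 5: off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        records.append((RECORD_TYPES[rtype], VERSIONS.get((major, minor), "unknown"), payload))
        off += 5 + length
    return records


def parse_handshake(payload: bytes):
    """Walk the 1B type + 3B length headers of the messages packed into one record."""
    msgs, off = [], 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated handshake header")
        mtype = payload[off]
        mlen = int.from_bytes(payload[off + 1: off + 4], "big")
        body = payload[off + 4: off + 4 + mlen]
        if len(body) != mlen:
            raise ValueError("handshake length exceeds record")
        msgs.append((HANDSHAKE_TYPES.get(mtype, f"unknown({mtype})"), body))
        off += 4 + mlen
    return msgs
```

Checking every declared length against the bytes actually present, at both the record and the handshake layer, is what keeps a parser like this from reading past its buffer on malformed input.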

