Secure Socket Layer (SSL) and Transport Layer Security (TLS)
Raj Jain
Washington University in Saint Louis
Saint Louis, MO 63130
jain@cse.wustl.edu
Audio/Video recordings of this lecture are available at http://www.cse.wustl.edu/~jain/cse571-09/
Washington University in St Louis, CSE571S, 15-1, 2009 Raj Jain

15-2 Overview
- History and overview of SSL/TLS
- Products and implementations
- Datagram Transport Layer Security (DTLS)
- Current TLS issues and extensions
- Secure Remote Password (SRP)
First part from the textbook; remainder from Wikipedia and IETF.

15-3 Key Features
- User level: not operating system specific
- Uses TCP: reliable transmission, so no retransmissions at the application layer
- Features: crypto negotiation; key generation for encryption and integrity; authentication (servers use certificates, clients use a password or certificates)

15-4 SSL/TLS Applications
- HTTPS: HTTP over port 443
- FTPS: FTP over SSL (different from SFTP, which is FTP over SSH)
- NNTP over SSL
- OpenVPN

15-5 History
- Secure Socket Layer (SSL) V2 on Netscape Navigator 1.1, 1995
- Private Communication Technology (PCT) by Microsoft fixed some bugs in SSL V2
- SSL v3 is the most commonly deployed protocol
- Transport Layer Security (TLS) by IETF: RFC 2246, 1999
- TLS v1.1: RFC 4346, 2006
- TLS v1.2: draft-ietf-tls-rfc4346-bis-05.txt, June 2007

15-6 SSL v2 vs v3
- Downgrade attack: crypto choices are not protected in V2. The Finished message in v3 contains a digest of all previous messages.
- Truncation attack: V2 closes SSL on TCP connection close, which is not protected. V3 added a session finished message to close the SSL session.

15-7 SSL/TLS Basic Protocol
Client -> Server: Session ID, ciphers I support, RAlice
Server -> Client: Certificate, cipher I choose, RBob
Client: choose S; K = f(S, RAlice, RBob)
Client -> Server: {S}Bob, keyed hash of handshake msgs
Server: K = f(S, RAlice, RBob)
Server -> Client: keyed hash of handshake msgs
- R's are 32B; the first 4B are Unix time
- Secrets: pre-master secret S, master secret K, 6 keys (encryption, integrity, IV; 1 per direction)
- Authenticates the server; the client is authenticated by password

15-8 Session Resumption
- Similar to Phase 2 of IKE
- Multiple session keys from the master secret K
- HTTP 1.0 used many TCP connections
- Server stores the session ID and master secret

15-9 Version
- 0.2 = SSL v2, 3.0 = SSL v3, 3.1 = TLS v1
- V3 clients send a v2 client hello with version 3.0
- V2 servers respond with a v2 server hello
- V3 servers respond with a v3 server hello

15-10 Cipher Suites
- V3 has a 2B field for the cipher suite
- Standard numbers for 30 cipher suites, e.g., SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
- Server decides one of the choices offered by the client
- Crypto algorithms:
  - Key exchange: RSA, Diffie-Hellman, DSA, SRP, PSK
  - Symmetric ciphers: RC4, Triple DES, AES, or Camellia
  - Hash function: HMAC-MD5 or HMAC-SHA

15-11 Export Issues
- Only a 40-bit master secret allowed
- Servers can encrypt keys using 512b RSA keys; normally RSA keys are 1024b, so a 512b ephemeral key is used
- Server Gated Cryptography (SGC) / Step-Up: financial transactions allowed to use longer keys. Server certificates signed by Verisign or Thawte contain the SGC extension. Initial handshake uses 40b; the client would then send a Change Cipher Spec message to renegotiate.

15-12 Encrypted Records
- Integrity is provided by HMAC using the integrity key
- Data is prefixed by a 64b sequence number, but the sequence number is not sent
- Block cipher: 40B padding in SSLv3, 44B in TLS
- The final block of each record is used as the IV for the next

15-13 Encoding
- All exchanges are in records of up to 2^14 B (or 2^16 - 1 B)
- The standard allows multiple messages in one record or one message over multiple records; most implementations use one message per record
- Four record types: 20 Change Cipher Spec; 21 Alerts (1 = warning, 2 = fatal); 22 Handshake; 23 Application Data
- Record header: Record Type (1B), Version (2B), Length (2B)
- Each message starts with a 1B message type and a 3B message length

15-14 Handshake Messages
1 Client Hello: version, RAlice, session ID, cipher suites, compressions
2 Server Hello: version, RBob, session ID, chosen cipher, chosen compression
14 Server Hello Done
16 Client Key Exchange: encrypted pre-master key
12 Server Key Exchange: modulus p, exponent g, signature (export only)
13 Certificate Request: CA names requested by the server
11 Certificate: sent by the server
15 Certificate Verify: signature of the hash of messages
20 Handshake Finished: MD5 and SHA digest of message halves

15-15 TLS Message Exchange
Client -> Server: Client Hello (crypto choices, RC)
Server -> Client: Server Hello (crypto selected, RS); Certificate (server certificate); Certificate Request
Client: generate random PMS S
Client -> Server: Certificate (client certificate); Client Key Exchange ({PreMasterSecret} under Kserver public key); signature under Kclient private key
Client and Server: compute MS, K
Client -> Server: Change Cipher Spec; Handshake Finished (hash and MAC of previous messages)
Server -> Client: Change Cipher Spec; Handshake Finished

15-16 Alerts
0 Close notify (warning or fatal)
10 Unexpected message (fatal)
20 Bad record MAC (fatal)
21 Decryption failed (fatal, TLS only)
22 Record overflow (fatal, TLS only)
30 Decompression failure (fatal)
40 Handshake failure (fatal)
41 No certificate (SSL v3 only; warning or fatal)
42 Bad certificate (warning or fatal)
43 Unsupported certificate (warning or fatal)
44 Certificate revoked (warning or fatal)
45 Certificate expired (warning or fatal)

15-17 Alerts (Cont.)
46 Certificate unknown (warning or fatal)
47 Illegal parameter (fatal)
48 Unknown CA (fatal, TLS only)
49 Access denied (fatal, TLS only)
50 Decode error (fatal, TLS only)
51 Decrypt error (TLS only; warning or fatal)
60 Export restriction (fatal, TLS only)
70 Protocol version (fatal, TLS only)
71 Insufficient security (fatal, TLS only)
80 Internal error (fatal, TLS only)
90 User cancelled (fatal, TLS only)
100 No renegotiation (warning, TLS only)

15-18 SSL Products and Implementations
- Acceleration: offload public key encryption/decryption, sometimes all SSL messages. H/W from F5, Cisco, Nortel, Juniper, Radware
- Software: OpenSSL (C library of SSL/TLS); GnuTLS (C
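The Encrypted Records and Encoding slides describe two things worth seeing in code together: the 5-byte record header with the 1-byte-type / 3-byte-length handshake message headers inside it, and the record MAC that covers a 64-bit sequence number that is never transmitted. The example below is added for this page and is not the lecture's code; the MAC layout follows RFC 2246 section 6.2.3.1 (HMAC over seq_num || type || version || length || fragment), and the sample records and key are constructed.

```python
"""TLS 1.0 record layer (RFC 2246 section 6.2): parse the 5-byte record header,
walk the handshake message headers inside a Handshake record, and compute the
record MAC over the implicit 64-bit sequence number.
Added example, not from the lecture; sample data is constructed."""
import hmac
import struct

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request", 14: "server_hello_done",
                   15: "certificate_verify", 16: "client_key_exchange", 20: "finished"}
MAX_FRAGMENT = 2 ** 14          # plaintext fragment limit from the Encoding slide
TLS1_0 = (3, 1)                 # version 3.1 = TLS v1


def build_record(ctype, version, fragment):
    """Record header: type (1B), version (2B), length (2B), then the fragment."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(fragment)) + fragment


def build_handshake(mtype, body):
    """Handshake message header: type (1B), length (3B), then the body."""
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def parse_records(data):
    """Split a byte stream into (type, version, fragment) records.
    Raises ValueError for the conditions TLS reports as alerts."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        if ctype not in RECORD_TYPES:
            raise ValueError(f"unknown record type {ctype}")   # unexpected_message (10)
        if length > MAX_FRAGMENT:
            raise ValueError("record_overflow")               # record_overflow (22)
        frag = data[pos + 5:pos + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated record body")
        records.append((ctype, (major, minor), frag))
        pos += 5 + length
    return records


def parse_safely(data):
    """Return (records, None) on success or ([], error text) on a malformed stream."""
    try:
        return parse_records(data), None
    except ValueError as exc:
        return [], str(exc)


def parse_handshake(fragment):
    """Walk the messages packed into one handshake fragment; returns (name, body) pairs.
    The standard allows several messages per record, so we loop rather than assume one."""
    msgs, pos = [], 0
    while pos < len(fragment):
        mtype = fragment[pos]
        mlen = int.from_bytes(fragment[pos + 1:pos + 4], "big")
        body = fragment[pos + 4:pos + 4 + mlen]
        if len(body) != mlen:
            raise ValueError("truncated handshake message")
        msgs.append((HANDSHAKE_TYPES.get(mtype, mtype), body))
        pos += 4 + mlen
    return msgs


def describe_stream(data):
    """Summary of a record stream: record name plus the handshake message names it carries."""
    out = []
    for ctype, _version, frag in parse_records(data):
        names = [name for name, _ in parse_handshake(frag)] if ctype == HANDSHAKE else []
        out.append((RECORD_TYPES[ctype], names))
    return out


def record_mac(mac_key, seq_num, ctype, version, fragment, hash_name="sha1"):
    """HMAC(mac_key, seq_num(8B) || type || version || length || fragment).
    Both ends keep seq_num and increment it per record; it is never on the wire,
    so a replayed or reordered record fails the check at the receiver."""
    header = struct.pack("!QBBBH", seq_num, ctype, version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hash_name).digest()


def verify_record(mac_key, seq_num, ctype, version, fragment, mac):
    """Constant-time comparison; a mismatch is the bad_record_MAC (20) alert."""
    return hmac.compare_digest(record_mac(mac_key, seq_num, ctype, version, fragment), mac)


if __name__ == "__main__":
    # Constructed stream: one Handshake record holding CertificateRequest + ServerHelloDone,
    # followed by a ChangeCipherSpec record, as on the Message Exchange slide.
    stream = (build_record(HANDSHAKE, TLS1_0, build_handshake(13, b"\x00") + build_handshake(14, b""))
              + build_record(CHANGE_CIPHER_SPEC, TLS1_0, b"\x01"))
    print(describe_stream(stream))
    key = b"\x00" * 20                   # constructed 20-byte HMAC-SHA1 integrity key
    mac = record_mac(key, 0, APPLICATION_DATA, TLS1_0, b"hello")
    print("accepted at seq 0:", verify_record(key, 0, APPLICATION_DATA, TLS1_0, b"hello", mac))
    print("accepted at seq 1:", verify_record(key, 1, APPLICATION_DATA, TLS1_0, b"hello", mac))
```

The second verification prints False: the same ciphertext replayed one position later no longer matches, which is the whole point of including a counter the attacker never sees in the MAC input. The length check maps to the TLS-only record_overflow alert (22) on the Alerts slide.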