NCSU CSC (ECE) 574 - TOPIC - SSL/TLS


Computer Science
CSC/ECE 574 Computer and Network Security
Topic 8.3 SSL/TLS
Dr. Peng Ning

Outline
I. Overview
II. The SSL Record Protocol
III. The SSL Handshake and Other Protocols

Overview of SSL

Reminder: What Layer?
[Figure: two protocol stacks comparing where IPSec and SSL sit. Labels: OS, Appl., Application, TCP, IPSec, SSL, IP, LAN layer]

Protocols
• Goal: application independent security
  – Originally for HTTP, but now used for many applications
  – Each application has an assigned TCP port, e.g., https (HTTP over SSL) uses port 443
• Secure Sockets Layer (SSL)
  – the de facto standard for web-based security
  – v3 was developed with public review
• Transport Layer Security (TLS)
  – TLS v1.0 very close to SSL v3.1

SSL Architecture
• Relies on TCP for reliable communication
[Figure: SSL protocol stack. Labels: HTTP and other applications; SSL Handshake Protocol; SSL Change Cipher Protocol; SSL Alert Protocol; SSL API; SSL Record Protocol; TCP; IP; …]

Architecture (Cont’d)
• Handshake protocol: establishment of a session key
• Change Cipher protocol: start using the previously-negotiated encryption / message authentication
• Alert protocol: notification (warnings or fatal exceptions)
• Record protocol: protected (encrypted, authenticated) communication between client and server

SSL Services
• Peer authentication
• Negotiation of security parameters
• Generation / distribution of session keys
• Data confidentiality
• Data integrity
Connections and Sessions
• SSL Session
  – an association between peers
  – created through a handshake, negotiates security parameters, can be long-lasting
• SSL Connection
  – a type of service (i.e., an application) between a client and a server
  – transient
• Multiple connections can be part of a single session

Session Parameters
• Session ID
• X.509 public-key certificate of peer
• Compression algorithm to use
• Cipher specification: encryption algorithm, message digest, etc.
• Master (session) secret: 48-byte (384 bits) secret negotiated between peers

Connection Parameters
• Server and client nonces
• Server and client authentication keys
• Server and client encryption keys
• Server and client initialization vectors
• Current message sequence number

Ciphers Supported by SSL
• DES+HMAC/SHA-1
• 3DES+HMAC/SHA-1
• RC4+MD5
• RC2+MD5
• +others

The SSL Record Protocol

Protocol Steps
1. Fragment data stream into records
  – each with a maximum length of 2^14 (=16K) bytes
2. Compress each record
3. Create message authentication code for each record
4. Encrypt each record

Steps… (cont’d)
[Figure: record processing pipeline. Stages: Application Data, Fragment, Compress, Add MAC, Encrypt, Add SSL Hdr]

SSL Record Format
• There is, unfortunately, some version number silliness between v2 and v3; see text for (ugly) details
[Figure: record layout. Fields: Record Type; SSL Version; Payload Length; Application Data (optionally compressed); Optional MAC (16 or 20 bytes). Label: Encrypted]

Possible Record “Payloads”

SSL Handshake Protocol

Phases of Protocol
I. Establish security capabilities
  • version of SSL to use
  • cipher + parameters to use
II. Authenticate server (optional), and perform key exchange
III. Authenticate client (optional), and perform key exchange
IV. Finish up

All the Messages

I. Establish Security Capabilities
• Messages marked with * are mandatory
[Figure: message exchange between Client and Server]

Client_Hello Message
• Transmitted in plaintext
• Contents
  – highest SSL version understood by client
  – RC: a 4-byte timestamp + 28-byte random number
  – session ID: 0 for a new session, non-zero for a previous session
  – list of supported cryptographic algorithms
  – list of supported compression methods

Server_Hello Message
• Also transmitted in plaintext
• Contents
  – minimum of (highest version supported by server, highest version supported by client)
  – RS: 4-byte timestamp and 28-byte random number
  – session ID
  – a cryptographic choice selected from the client’s list
  – a compression method selected from the client’s list

II. Server Auth. / Key Exchange
• The Server_Certificate message is optional, but almost always used in practice
[Figure: message exchange between Client and Server. Messages: Server_Certificate, Server_Key_Exchange, Client_Certificate_Request]

Server_Certificate Message
• Contains a certificate with server’s public key, in X.509 format
  – or, a chain of certificates if required
• The server certificate is necessary for any key exchange method except for anonymous Diffie-Hellman

Authenticating the Server
• Step #4: Domain name in certificate must match domain name of server (not part of SSL protocol, but clients should check this)
(source: sun.com)
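
The Client_Hello contents and the Server_Hello selection rules listed above, as an added example that is not part of the original slides. It parses one record carrying a Client_Hello and makes the server's version and cipher choices. The wire layout follows SSL v3 / TLS 1.0; the sample record, the cipher suite numbers and the server-preference ordering are assumptions made for the illustration.

```python
import struct

MAX_FRAGMENT = 2 ** 14             # per-record payload limit from the slides
HANDSHAKE, CLIENT_HELLO = 22, 1    # record content type, handshake message type

def take(buf, pos, n):
    """Bounds-checked read of n bytes; returns (bytes, new position)."""
    if pos + n > len(buf):
        raise ValueError("truncated Client_Hello")
    return buf[pos:pos + n], pos + n

def parse_client_hello(record):
    """Parse one SSL/TLS record carrying a complete Client_Hello."""
    if len(record) < 9:
        raise ValueError("truncated record")
    rtype, major, minor, rlen = struct.unpack("!BBBH", record[:5])
    if rtype != HANDSHAKE or rlen > MAX_FRAGMENT or rlen != len(record) - 5:
        raise ValueError("not a well-formed handshake record")
    if record[5] != CLIENT_HELLO or int.from_bytes(record[6:9], "big") != rlen - 4:
        raise ValueError("not a complete Client_Hello")
    p = record[9:]
    ver, pos = take(p, 0, 2)                         # highest version the client speaks
    rc, pos = take(p, pos, 32)                       # RC: 4-byte time + 28 random bytes
    n, pos = take(p, pos, 1)
    sid, pos = take(p, pos, n[0])                    # empty = new session
    n, pos = take(p, pos, 2)
    raw, pos = take(p, pos, int.from_bytes(n, "big"))
    n, pos = take(p, pos, 1)
    comp, pos = take(p, pos, n[0])
    if len(raw) % 2:
        raise ValueError("odd cipher suite list length")
    return {"version": (ver[0], ver[1]), "time": int.from_bytes(rc[:4], "big"),
            "session_id": sid, "compression": list(comp),
            "suites": [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]}

def server_choice(hello, server_max, server_suites):
    """Server_Hello picks: min of the two highest versions, a suite from the client's list."""
    version = min(server_max, hello["version"])
    # Assumption: the server walks its own preference order.
    suite = next((s for s in server_suites if s in hello["suites"]), None)
    if suite is None:
        raise ValueError("no cipher suite in common")
    return version, suite

def sample_record():
    """Constructed Client_Hello: version 3.1, new session, three suites, null compression."""
    rc = struct.pack("!I", 1_000_000_000) + bytes(range(28))
    suites = bytes.fromhex("000a00050004")           # 3DES-SHA, RC4-SHA, RC4-MD5
    body = b"\x03\x01" + rc + b"\x00" + struct.pack("!H", len(suites)) + suites + b"\x01\x00"
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs
```

Because both hello messages travel in plaintext, the choices made here are only protected once the handshake's finishing phase has run.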
Key Exchange Methods Supported
• RSA (server must have a certificate)
• Ephemeral Public Key
  – public keys are exchanged, signed using long-term RSA keys
• (Fixed Diffie-Hellman
  – server provides the D-H public parameters in a certificate
  – client responds with D-H public key either in a certificate, or in a key exchange message
• Anonymous Diffie-Hellman)

Server_Key_Exchange Message
• Needed for…
  – anonymous D-H
  – ephemeral public key
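
Looking back at the record protocol steps and the "current message sequence number" connection parameter, the following added example (not code from the slides) runs steps 1 to 3 plus the header and shows the receiver rejecting reordered or modified records. Assumptions: the MAC input follows the TLS 1.0 HMAC layout, zlib stands in for the negotiated compression method, the key is constructed, and step 4 (encryption) is left out because the Python standard library has no cipher.

```python
import hashlib, hmac, struct, zlib

MAX_FRAGMENT = 2 ** 14     # step 1: at most 2^14 bytes of data per record
MAC_LEN = 20               # HMAC/SHA-1 output size

def record_mac(key, seq, ctype, version, frag):
    """MAC over the implicit sequence number, type, version, length and fragment."""
    hdr = struct.pack("!QBBBH", seq, ctype, version[0], version[1], len(frag))
    return hmac.new(key, hdr + frag, hashlib.sha1).digest()

def protect(data, key, seq=0, ctype=23, version=(3, 1)):
    """Fragment, compress, MAC and frame a data stream. Returns (records, next_seq)."""
    records = []
    for off in range(0, len(data), MAX_FRAGMENT):
        frag = zlib.compress(data[off:off + MAX_FRAGMENT])        # step 2
        mac = record_mac(key, seq, ctype, version, frag)          # step 3
        # Step 4 would encrypt frag + mac here before the header is added.
        hdr = struct.pack("!BBBH", ctype, version[0], version[1], len(frag) + MAC_LEN)
        records.append(hdr + frag + mac)
        seq += 1                      # never sent; both ends count records
    return records, seq

def unprotect(records, key, seq=0):
    """Verify and reassemble records; raises ValueError on any integrity failure."""
    out = b""
    for rec in records:
        ctype, major, minor, length = struct.unpack("!BBBH", rec[:5])
        payload = rec[5:]
        if length != len(payload) or length < MAC_LEN:
            raise ValueError("bad record length")
        frag, mac = payload[:-MAC_LEN], payload[-MAC_LEN:]
        want = record_mac(key, seq, ctype, (major, minor), frag)
        if not hmac.compare_digest(mac, want):
            raise ValueError("bad record MAC at sequence %d" % seq)
        # Cap decompression so a small record cannot expand without bound.
        plain = zlib.decompressobj().decompress(frag, MAX_FRAGMENT + 1)
        if len(plain) > MAX_FRAGMENT:
            raise ValueError("fragment expands past 2^14 bytes")
        out += plain
        seq += 1
    return out
```

Swapping two records fails verification even though each record is individually authentic, because the receiver's counter no longer matches the sequence number the sender fed into the MAC.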

