Embed Size (px)
Citation preview
1
Secure Socket LayerSecure Socket Layer
•Yu YangYu Yang•Lilly Lilly WangWang
2
AgendaAgenda
• SSL BasicsSSL Basics• WTLSWTLS• Security for Web ServiceSecurity for Web Service
3
SSL FactsSSL Facts
• SSL was first developed by SSL was first developed by Netscape in 1994 and became an Netscape in 1994 and became an internet standard in 1996 ( RFC internet standard in 1996 ( RFC 2246 – TLS V1.0)2246 – TLS V1.0)
• SSL is a cryptographic protocol to SSL is a cryptographic protocol to secure network across a secure network across a connection-orientedconnection-oriented layer layer
• Any program using TCP can be Any program using TCP can be modified to use SSL connectionmodified to use SSL connection
4
SSL FactsSSL Facts
• SSL connection uses a dedicated SSL connection uses a dedicated TCP/IP socket(e.g. port 443 for https)TCP/IP socket(e.g. port 443 for https)
• SSL is flexible in choice of which SSL is flexible in choice of which symmetric encryption, message symmetric encryption, message digest, and authentication can be useddigest, and authentication can be used
• SSL provides built in data SSL provides built in data compressioncompression
5
SSL UsageSSL Usage• Authenticate the server to the clientAuthenticate the server to the client
• Allow the client and server to select Allow the client and server to select cryptographic algorithms, or ciphers, cryptographic algorithms, or ciphers, that they both supportthat they both support
• Optionally authenticate the client to the Optionally authenticate the client to the serverserver
• Use public key encryption techniques to Use public key encryption techniques to generate shared secretgenerate shared secret
• Establish an encrypted SSL connection Establish an encrypted SSL connection
6
Secure Socket LayerSecure Socket LayerSSL is a secure protocol which runs SSL is a secure protocol which runs above TCP/IP and allows users to encrypt above TCP/IP and allows users to encrypt data and authenticate servers/vendors data and authenticate servers/vendors identity securelyidentity securely
Application layer
Transport layerTCP/IP layer
SMTPSFTPSHTTPS
SECURE SOCKET LAYER
7
SSL StackSSL Stack
8
SSL Record Protocol SSL Record Protocol OperationOperation
9
SSL Record FormatSSL Record Format
10
SSL HandshakeSSL Handshake
SSL handshake verifies the server SSL handshake verifies the server and allows client and server to and allows client and server to agree on an encryption set agree on an encryption set before before any data is sent outany data is sent out
11
SSL HandshakeSSL Handshake
12
SSL HandshakeSSL Handshake
Server
Client
Public key
Private key
Client request
Public key
13
SSL Session KeySSL Session Key
Server
Client
Public key
Private key
Public key Pre-Master
Pre-Master
Pre-Master
Session key
Session key
14
Secure Data on Secure Data on NetworkNetwork
Server
Client
Public key
Private key
Session key
Data Session key Data
Data
Data Session key Data
15
Man-in-the-Middle Man-in-the-Middle AttackAttack
Server
Client
Public key
Private key
HackerPublic
keyPrivate
keyPre-
master
Public key
Public key
Public key
Session key
Pre-master
Public key
Pre-master
Pre-master
Session key
16
Key exchange and Key exchange and certificatecertificate
SSL version number client supported (v2, v3)
Ciphers supported client (DES, RC2, RC4)
Client Random Number
SSL version number server picked (v2, v3)
Ciphers server picked (DES, RC2, RC4)
Server Random Number
Server
Client
Public key
Private key
Public key
Certificate
17
Verify CertificateVerify Certificate
Checking
Server
Client
Public key
Private key
Client request
Certificate
Certificate
Valid
Public key
Certificate is Good and Valid
Server/vendor has been verified and authenticated
Client has vendor’s public key and Client has vendor’s public key and can now encrypt pre-master to send can now encrypt pre-master to send to server/vendorto server/vendor
18
Not-recognizable Not-recognizable CertificateCertificate
19
Review the Certificate Review the Certificate In IEIn IE
20
SSL HandshakeSSL HandshakeClient hello
Server hello
Present Server Certificate*Request Client Certificate
Server Key Exchange
Client Finish
*Present Client CertificateClient Key Exchange
*Certificate VerifyChange Cipher Spec
Server Finish
Change Cipher Spec
Client
Server
Application Data
21
Server Hello RequestServer Hello Request
• Notifies the client that they should send a Notifies the client that they should send a client hello message to begin the client hello message to begin the negotiation processnegotiation process
• Sent by the server at any timeSent by the server at any time• After the server sends a request, it does After the server sends a request, it does
not send another one until a handshake not send another one until a handshake has been completedhas been completed
• Client can choose to ignore them or send Client can choose to ignore them or send a Client Helloa Client Hello
22
Client HelloClient Hello• Sent by the client Sent by the client
–When first connecting to a When first connecting to a serverserver
–In response to a hello request or In response to a hello request or on its ownon its own
• ContainsContains–32 bytes random number 32 bytes random number created by a secure random created by a secure random number generatornumber generator
–Protocol versionProtocol version–Session IDSession ID–A list of supported ciphersA list of supported ciphers–A list of compression methodsA list of compression methods
23
Server HelloServer Hello• Sent as response if client hello is Sent as response if client hello is acceptedaccepted
– If not, a handshake failure alert is sent If not, a handshake failure alert is sent
• ContainsContains– 32 bytes random number created by a 32 bytes random number created by a
secure random number generatorsecure random number generator– Protocol versionProtocol version– Session IDSession ID– Cipher suite chosenCipher suite chosen– Compression method selectedCompression method selected
24
Server CertificatesServer Certificates
• Immediately following the server Immediately following the server hello, the server sends its hello, the server sends its certificatecertificate– Generally an X.509.v3 certificateGenerally an X.509.v3 certificate
• Server sends server hello done Server sends server hello done messagemessage
25
Verify Server CertificateVerify Server Certificate
26
Client Certificate Client Certificate ((optional)optional)
Client only sends a certificate upon Client only sends a certificate upon the receipt of a certificate requestthe receipt of a certificate request
– Sends after receiving server hello Sends after receiving server hello donedone
– If the client does not have a If the client does not have a suitable certificate, it sends a no suitable certificate, it sends a no certificate alertcertificate alert•Server will respond with a fatal Server will respond with a fatal handshake failure if a client handshake failure if a client certificate is necessarycertificate is necessary
27
Verify Client CertificateVerify Client Certificate
28
Key ExchangeKey Exchange
• Client sends 48-bytes pre-master, Client sends 48-bytes pre-master, encrypted using server’s public encrypted using server’s public key, to the serverkey, to the server
• Both server and client use the Both server and client use the pre-master to generate the pre-master to generate the master secretmaster secret
• A same session key is generated A same session key is generated on both client and server side on both client and server side using the master secretusing the master secret
29
Final StepsFinal Steps
• Client sends Client sends change_cipher_specchange_cipher_spec• Client sends finished Client sends finished messagemessage• Server sends Server sends change_cipher_specchange_cipher_spec• Server sends finished Server sends finished messagemessage
30
SSL ArchitectureSSL Architecture
31
Record LayerRecord Layer
• Compression and decompressionCompression and decompression
• A MAC is applied to each record A MAC is applied to each record using the MAC algorithm defined in using the MAC algorithm defined in the current cipher specthe current cipher spec
• Encryption occurs Encryption occurs afterafter compression compression• May need fragmentationMay need fragmentation
32
SSL ArchitectureSSL Architecture
33
Alert LayerAlert Layer
• Explain severity of the message and a Explain severity of the message and a descriptiondescription–fatalfatal
•Immediate terminationImmediate termination•Other connections in session may continueOther connections in session may continue•Session ID invalidated to prevent failed session Session ID invalidated to prevent failed session to open new sessionsto open new sessions
• Alerts are compressed same as other Alerts are compressed same as other datadata
34
SSL ArchitectureSSL Architecture
35
Change Cipher Spec Change Cipher Spec ProtocolProtocol
• Notify the other party to use Notify the other party to use the new cipher suitethe new cipher suite
• Before the Finished messageBefore the Finished message
36
Comparison of SSL V2.0 Comparison of SSL V2.0 and V3.0and V3.0
• SSL 2.0 is vulnerable to “man-SSL 2.0 is vulnerable to “man-in-the-middle” attack.in-the-middle” attack. The The hello messagehello message can be can be modified to use 40 bits modified to use 40 bits encryption. encryption. SSL 3.0 defends SSL 3.0 defends against this attack by having against this attack by having the last handshake message the last handshake message include a hash of all the include a hash of all the previous handshake messageprevious handshake message
37
Comparison of SSL V2.0 Comparison of SSL V2.0 and V3.0and V3.0
• SSL 2.0 uses a weak MAC SSL 2.0 uses a weak MAC constructionconstruction
• In SSL 3.0, the Message In SSL 3.0, the Message Authentication Hash uses a Authentication Hash uses a full 128 bits of key material for full 128 bits of key material for Export cipher, while SSL 2.0 Export cipher, while SSL 2.0 uses only 40 bitsuses only 40 bits
38
Comparison of SSL V2.0 Comparison of SSL V2.0 and V3.0 and V3.0
• SSL 2.0 only allows a handshake at the SSL 2.0 only allows a handshake at the beginning of the connection. In 3.0, the beginning of the connection. In 3.0, the client can initiate a handshake routine client can initiate a handshake routine any timeany time
• SSL 3.0 allows server and client to send SSL 3.0 allows server and client to send chains of certificatechains of certificate
• SSL 3.0 has a generalized key exchange SSL 3.0 has a generalized key exchange protocol. It allows Diffie-Hellman and protocol. It allows Diffie-Hellman and Fortezza key exchangeFortezza key exchange
• SSL 3.0 allows for record compression SSL 3.0 allows for record compression and decompressionand decompression
39
Problem Free?Problem Free?• Side channel attack – discovered by Swiss Side channel attack – discovered by Swiss
Federal Institute of Technology in LausanneFederal Institute of Technology in Lausannehttp://www.newsfactor.com/perl/story/20843.htmlhttp://www.newsfactor.com/perl/story/20843.html
• Information leak in encrypted connections. Information leak in encrypted connections. Vulnerable openssl versions do not perform Vulnerable openssl versions do not perform a MAC computation if an incorrect block a MAC computation if an incorrect block cipher padding is used. An active attacker cipher padding is used. An active attacker who can insert data into an existing who can insert data into an existing encrypted connection is then able to encrypted connection is then able to measure time differences between the error measure time differences between the error messages the server sends. This messages the server sends. This information can make it easier to launch information can make it easier to launch cryptographic attacks that rely on cryptographic attacks that rely on distinguishing between padding and MAC distinguishing between padding and MAC verification errors, possibly leading to verification errors, possibly leading to extraction of the original plaintext.extraction of the original plaintext.
40
Wireless Transport Layer Wireless Transport Layer SecuritySecurity
41
WTLS OverviewWTLS Overview
42
WTLS FactsWTLS Facts
•Mainly used to secure data Mainly used to secure data transport between wireless device transport between wireless device and gatewayand gateway
•Built on top of datagram (UDP) Built on top of datagram (UDP) instead of TCPinstead of TCP
•WTLS provides full, optimized and WTLS provides full, optimized and abbreviated handshake to reduce abbreviated handshake to reduce roundtrips in high-latency networksroundtrips in high-latency networks
43
WTLS FactsWTLS Facts
• WTLS uses different format of WTLS uses different format of certificates, mainly WTLS certificate, certificates, mainly WTLS certificate, X509v1 and 968. It also supports X509v1 and 968. It also supports additional cipher suites, such as RC5, additional cipher suites, such as RC5, short hashes, ECC, etc;short hashes, ECC, etc;
• WTLS provides built-in key-refresh WTLS provides built-in key-refresh mechanism for renegotiation;mechanism for renegotiation;
• WTLS can also set session resumable WTLS can also set session resumable to continue on a previous session.to continue on a previous session.
44
Web Service SecurityWeb Service Security
45
Comparison of Traditional Comparison of Traditional Web Application and Web Web Application and Web
ServiceService
• Client-server system vs multi-Client-server system vs multi-partyparty
• Simple protocol sets vs Simple protocol sets vs complicated protocol setscomplicated protocol sets
46
Point-to-Point
End-to-End
47
Initial SpecificationsInitial Specifications•WS-SecurityWS-Security•WS-PolicyWS-Policy•WS-TrustWS-Trust•WS-PrivacyWS-Privacy
Follow-on Follow-on SpecificationsSpecifications•WS-WS-SecureConversationSecureConversation•WS-FederationWS-Federation•WS-AuthorizationWS-Authorization
Proposed Security Proposed Security SpecificationSpecification
48
WS-SecurityWS-Security
• A“ what” not “how”A“ what” not “how”• Security token is embedded Security token is embedded
inside SOAP headersinside SOAP headers
• Message integrity is provided Message integrity is provided by XML Signature and by XML Signature and security tokenssecurity tokens
• Message confidentiality is Message confidentiality is provided by XML Encryption provided by XML Encryption with security tokenswith security tokens
49
WS-SecurityWS-Security
50
Web Service SecurityWeb Service Security
51
ReferenceReference
[1[1] http://www.faqs.org/faqs/computer-security/ssl-talk faq/
[2] [2]
http://www.pcwebopedia.com/TERM/S/SSL.htmhttp://www.pcwebopedia.com/TERM/S/SSL.htm
[3][3]http://developer.netscape.com/docs/manuals/http://developer.netscape.com/docs/manuals/security/sslin/contents.htmsecurity/sslin/contents.htm
[4] [4] http://www.ece.wpi.edu/~sunar/ee578/SSL.ppt http://www.ece.wpi.edu/~sunar/ee578/SSL.ppt [5] [5]
http://nas.cl.uh.edu/yang/teaching/csci5931webhttp://nas.cl.uh.edu/yang/teaching/csci5931webSecurity/Security/
ThesisProWS_Rajiv.docThesisProWS_Rajiv.doc
