
CSCE 815 Network Security Lecture 16 Web Security Secure Sockets Layer (SSL) March 18, 2003


– 2 – CSCE 815 Sp 03

Overview

PGP one more time
1. Note session key will be automatically generated
2. pgp -h // help
3. pgp -k // help on keys
4. pgp -g // help on groups

Key distribution

SSL

SET

PGP Key distribution

Generating key and getting it into a file
pgp -kg
pgp -kx matthews mykey.pgp

Approaches Page 137

1. Physical – write to floppy, hand to friend
2. Verify key by telephone
   - Read the key in radix 64 over the phone (not cell phone)
   - Email key then verify by having PGP generate 160 bit SHA-1 digest of the key, read the hex digits (fingerprint)
3. Obtain key from a trusted mutual friend
4. Obtain key from a certifying authority

Web Security Outline

Web Security Considerations

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Secure Electronic Transaction (SET)

Security facilities in the TCP/IP protocol stack

SSL and TLS

SSL was originated by Netscape

TLS working group was formed within IETF

First version of TLS can be viewed as an SSLv3.1

SSL Architecture

SSL Record Protocol Services

Confidentiality – the handshake protocol defines a shared key for encryption of SSL payloads

Message Integrity – the handshake protocol defines a shared key used to form message authentication code (MAC)

SSL Record Protocol Operation

MAC Calculation

hash(MAC_secret_key || pad2 ||
     hash(MAC_secret_key || pad1 || seqNum ||
          SSLcompressed.type ||
          SSLcompressed.length ||
          SSLcompressed.fragment))

Where:
- MAC_secret_key –
- pad1 = 0x36 repeated 48 times for MD5, 40 times for SHA-1
- pad2 = 0x5C repeated …
- SSLcompressed.type = the higher level protocol used to process this fragment

Similar to HMAC figure 3.9 p67 (SSL based on draft)
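The MAC construction above, as an added Python example (not code from the lecture): it computes the SSLv3 record MAC and shows the receiver rejecting a modified, replayed or relabelled record. The pad2 repeat counts come from the SSL 3.0 specification (RFC 6101), and the secret and fragment are constructed sample values.

```python
import hashlib
import hmac
import struct

# Pad lengths per hash. The slide gives the pad1 counts; using the same counts
# for pad2 follows the SSL 3.0 specification (RFC 6101), not the slide.
PAD_LEN = {"md5": 48, "sha1": 40}

def ssl3_mac(hash_name, mac_secret, seq_num, content_type, fragment):
    """hash(secret || pad2 || hash(secret || pad1 || seqNum || type || length || fragment))"""
    n = PAD_LEN[hash_name]
    pad1, pad2 = b"\x36" * n, b"\x5c" * n
    # seqNum is 64 bits, type 8 bits, length 16 bits, all big-endian.
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, mac_secret + pad1 + header + fragment).digest()
    return hashlib.new(hash_name, mac_secret + pad2 + inner).digest()

def verify_record(hash_name, mac_secret, seq_num, content_type, fragment, mac):
    """Receiver side: recompute the MAC and compare in constant time."""
    expected = ssl3_mac(hash_name, mac_secret, seq_num, content_type, fragment)
    return hmac.compare_digest(expected, mac)

def demo():
    secret = bytes(range(20))              # constructed MAC_secret_key
    fragment = b"GET / HTTP/1.0\r\n\r\n"   # constructed application data
    app_data, handshake = 23, 22           # SSLcompressed.type values
    mac = ssl3_mac("sha1", secret, 0, app_data, fragment)
    return {
        "mac_len": len(mac),
        "accepts_original": verify_record("sha1", secret, 0, app_data, fragment, mac),
        "rejects_modified": not verify_record("sha1", secret, 0, app_data, fragment + b"x", mac),
        # Replaying the record at a later position changes seqNum, so the MAC fails.
        "rejects_replay": not verify_record("sha1", secret, 1, app_data, fragment, mac),
        # Relabelling the record as a handshake message changes type, so the MAC fails.
        "rejects_retyped": not verify_record("sha1", secret, 0, handshake, fragment, mac),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```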

Encryption Methods for SSL

Fragments 2^14 = 16384 bytes

Compression must be lossless and must not increase length more than 1024

No compression algorithm specified in SSLv3 – default no compression

Block Cipher Encryption Methods
- IDEA (128), RC2-40, DES-40, DES (56), 3DES (168), Fortezza (80)

Stream Cipher Encryption choices
- RC4-40, RC4-128

Fortezza used in smart cards

SSL Record Format

SSL Record Protocol Payload

Change Cipher Spec and Alert Protocols

Change Cipher Spec Protocol
- consists of a single message of a single byte with value 1
- it means copy pending state to current state

Alert Protocol – used to convey SSL-related alerts

Two bytes:
1. Level – severity of alert: 1=warning, 2=fatal
2. Alert type:
   - Unexpected_message
   - Bad_record_mac
   - Decompression_failure
   - Handshake_failure
   - Illegal_parameter
   - …

Handshake Protocol

The most complex part of SSL.

Allows the server and client to authenticate each other.

Negotiate encryption, MAC algorithm and cryptographic keys.

Used before any application data are transmitted.

Message Fields
- Type (8)
- Length (24)
- Content (>= 1 byte) parameters

SSL Handshake Protocol Message Types

Table 7.2

Message type – Parameters

1. Hello_request – null
2. Client_hello – version, random (32B), sessionID, cipher suite, compression method
3. Server_hello – ditto
4. Certificate – chain of X.509v3 certificates
5. Server_key_exchange – parameters, signature
6. Certificate_request – type, authorities
7. Server_done – null
8. Certificate_verify – signature
9. Client_key_exchange – parameters, signature
10. Finished – hash value

Handshake Protocol Action

Handshake Protocol Phase 1

Establish security capabilities

Client_hello
- Version = highest SSL understood by client
- Random: 32 bit time stamp + 28 random bytes (secure random number generator)
- sessionID: 0 establish new connection, non-zero means update parameters of an existing session
- Ciphersuite: sequence of cryptographic algorithms in decreasing order of preference (key exchange + CipherSpec)
- Compression methods: sequence of compression methods

Server_hello is sent back
- same as above but confirmation
- Highest common version, new random field, same sessionID if nonzero, new sessionID otherwise, the selected ciphersuite and the selected compression technique
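An added example, not part of the lecture: a bounds-checked parser for the handshake message header (Type, Length) and the Client_hello fields listed above, run against a constructed SSLv3 message. The field widths and cipher-suite code points are taken from the SSL 3.0 specification, and the function names are illustrative.

```python
import struct

# Constructed subset of cipher suites; the code points are the SSLv3/TLS values.
SUITES = {0x000A: "RSA_WITH_3DES_EDE_CBC_SHA",
          0x0005: "RSA_WITH_RC4_128_SHA",
          0x0003: "RSA_EXPORT_WITH_RC4_40_MD5"}

class ParseError(ValueError):
    pass

def take(buf, off, n):
    """Return n bytes at off, refusing to read past the end of the message."""
    if off + n > len(buf):
        raise ParseError(f"truncated: need {n} bytes at offset {off}")
    return buf[off:off + n], off + n

def parse_client_hello(msg):
    hdr, off = take(msg, 0, 4)                      # Type (8) + Length (24)
    if hdr[0] != 1:                                 # wire type 1 = client_hello
        raise ParseError("not a client_hello")
    if int.from_bytes(hdr[1:], "big") != len(msg) - 4:
        raise ParseError("length field does not match message size")
    version, off = take(msg, off, 2)
    random, off = take(msg, off, 32)                # 4-byte time stamp + 28 random bytes
    n, off = take(msg, off, 1)
    session_id, off = take(msg, off, n[0])          # empty = establish a new session
    n, off = take(msg, off, 2)
    suites, off = take(msg, off, int.from_bytes(n, "big"))
    if len(suites) == 0 or len(suites) % 2:
        raise ParseError("bad cipher suite list")
    n, off = take(msg, off, 1)
    compression, off = take(msg, off, n[0])
    codes = struct.unpack(f"!{len(suites) // 2}H", suites)
    return {"version": (version[0], version[1]),
            "timestamp": int.from_bytes(random[:4], "big"),
            "new_session": len(session_id) == 0,
            "suites": [SUITES.get(c, hex(c)) for c in codes],  # client preference order
            "compression": list(compression)}

def build_sample():
    """Constructed SSLv3 client_hello: empty sessionID, three suites, null compression."""
    body = (b"\x03\x00" + struct.pack("!I", 1047945600) + bytes(range(28))
            + b"\x00" + struct.pack("!H3H", 6, 0x000A, 0x0005, 0x0003) + b"\x01\x00")
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    print(parse_client_hello(build_sample()))
```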

Handshake Protocol Phase 1

Key Exchange methods
1. RSA – secret key is encrypted with receiver's RSA public key
2. Fixed Diffie-Hellman
3. Ephemeral Diffie-Hellman
4. Anonymous Diffie-Hellman
5. Fortezza

CipherSpec follows containing the fields
1. Cipher algorithm
2. MAC algorithm
3. CipherType: block or stream
4. Hash size: 0, 16 for MD5 or 20 for SHA-1 bytes
5. Key material – sequence of bytes used to generate keys
6. IV size: size of Initial Value for Cipher Block Chaining (CBC)

Handshake Protocol Phase 2

Server Authentication and Key Exchange

Server sends
1. Certificate: X.509 certificate chain (not required for anonymous Diffie-Hellman)
2. Server_key_exchange (not always needed, e.g. fixed Diffie-Hellman)
   - Hash(Client_hello.random || ServerHello.random || ServerParms)
3. Certificate_request: certificate type and certificate authorities
4. Server_hello_done: I'm done and I'll wait on response

Handshake Protocol Phase 3

Client Authentication and Key Exchange

Client verifies server certificate and checks the server hello parameters

Client sends
1. Certificate: if requested
2. Client_key_exchange message must be sent
3. Certificate_verify message to provide explicit verification of client certificate

Handshake Protocol Phase 4

Finish up: switch to next cipher_spec

Client sends
1. Change_cipher_spec message
2. Finished message under new algorithms, keys (new cipher_spec)

Server sends back
1. Change_cipher_spec message
2. Finished message under new algorithms, keys (new cipher_spec)

Transport Layer Security

The same record format as the SSL record format.

Defined in RFC 2246.

Similar to SSLv3.

Differences in the:
- version number
- message authentication code
- pseudorandom function
- alert codes
- cipher suites
- client certificate types
- certificate_verify and finished message
- cryptographic computations
- padding

Secure Electronic Transactions

An open encryption and security specification.

Protect credit card transaction on the Internet.

Companies involved:
- MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign

Not a payment system.

Set of security protocols and formats.

SET Services

Provides a secure communication channel in a transaction.

Provides trust by the use of X.509v3 digital certificates.

Ensures privacy.

SET Overview

Key Features of SET:
- Confidentiality of information
- Integrity of data
- Cardholder account authentication
- Merchant authentication

SET Participants

Sequence of events for transactions

1. The customer opens an account.
2. The customer receives a certificate.
3. Merchants have their own certificates.
4. The customer places an order.
5. The merchant is verified.
6. The order and payment are sent.
7. The merchant requests payment authorization.
8. The merchant confirms the order.
9. The merchant provides the goods or service.
10. The merchant requests payments.

Dual Signature

$$DS = E_{KR_c}\big[\,H\big(H(PI) \,\|\, H(OI)\big)\big]$$
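An added example, not from the lecture, of the dual signature DS = E_KRc[H(H(PI) || H(OI))]: the merchant checks it with OI and only the digest of PI, the bank with PI and only the digest of OI. It assumes SHA-1 for H and uses unpadded textbook RSA with a small constructed key so that it runs on the standard library alone; the function names and sample messages are illustrative.

```python
import hashlib

# Toy cardholder RSA key built from two Mersenne primes (constructed for this
# example). Unpadded and far too small for real use.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, KRc on the slide

PI = b"PI: constructed payment information, amount 49.95"
OI = b"OI: constructed order information, 1 x textbook"

def H(data):
    return hashlib.sha1(data).digest()

def as_int(digest):
    return int.from_bytes(digest, "big")

def dual_sign(pi, oi):
    """Cardholder: DS = E_KRc[ H( H(PI) || H(OI) ) ]."""
    return pow(as_int(H(H(pi) + H(oi))), D, N)

def merchant_verify(oi, pimd, ds):
    """Merchant holds OI and the PI digest only; it never sees PI itself."""
    return as_int(H(pimd + H(oi))) == pow(ds, E, N)

def bank_verify(pi, oimd, ds):
    """Bank holds PI and the OI digest only; it never sees OI itself."""
    return as_int(H(H(pi) + oimd)) == pow(ds, E, N)

def demo():
    ds = dual_sign(PI, OI)
    return {
        "merchant_accepts": merchant_verify(OI, H(PI), ds),
        "bank_accepts": bank_verify(PI, H(OI), ds),
        # Pairing the payment with a different order breaks the link for both sides.
        "merchant_rejects_other_order": not merchant_verify(b"OI: other order", H(PI), ds),
        "bank_rejects_other_order": not bank_verify(PI, H(b"OI: other order"), ds),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```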

Payment processing

Cardholder sends Purchase Request

Payment processing

Merchant Verifies Customer Purchase Request

Payment processing

Payment Authorization:
- Authorization Request
- Authorization Response

Payment Capture:
- Capture Request
- Capture Response

Recommended Reading and WEB sites

http://web.mit.edu/network/isakmp/

Drew, G. Using SET for Secure Electronic Commerce. Prentice Hall, 1999

Garfinkel, S., and Spafford, G. Web Security & Commerce. O'Reilly and Associates, 1997

MasterCard SET site
http://www.mastercardintl.com/newtechnology/set/

Visa Electronic Commerce Site
http://usa.visa.com/personal/about_visa/newsroom/visa_security.html

SETCo (documents and glossary of terms)
http://www.setco.org/set_specifications.html