Secure Socket Layer (SSL)

TCP/IP Protocol Stack

[Diagram: the TCP/IP protocol stack. Layers: Application Layer, Transport Layer, Network Layer, Physical Layer. Protocols shown: HTTP, LDAP, IMAP, DNS, NFS, PING, TELNET, TCP, UDP, IP, ICMP; data unit: IP packet.]

Protocols

IP (Internet Protocol)
  has IP address (32 bits, network + host portions)
ICMP (Internet Control Message Protocol)
  control IP traffic
TCP (Transmission Control Protocol)
  implements virtual circuit for reliable connection-oriented comm.
UDP (User Datagram Protocol)
  implements connectionless comm.
HTTP -- for WWW
LDAP -- directory access
IMAP -- access email over Internet
TELNET -- for remote login
DNS -- translates names into IP addresses
NFS -- network file system, for sharing files among systems
PING -- checks other machines

Let us find out the routers when we shop on-line

When we connect from campus computers to http://www.amazon.com/ via IE or Netscape, our packets have a long trip to get there:

Such IP Tracing is available on sites like http://visualroute.visualware.com and http://samspade.org/

Location of SSL

[Diagram: protocol stack with SSL placed between HTTP and TCP. Layers labelled Application Layer, Transport Layer, Network Layer, Physical Layer; IP and the IP packet appear below TCP.]

SSL vs. IPSec and others

[Diagram: security mechanisms placed against the protocol stack (App / Application Layer, TCP / Transport Layer, IP / Network Layer, Network driver / Data link Layer). Mechanism groups shown:]
  IKE (ISAKMP/Oakley in IPSec), S/MIME, Kerberos, Proxies, SET, PGP
  SSL, TLS, SOCKS
  AH, ESP (in IPSec), Packet filtering
  Tunneling (L2TP, PPTP, L2F), CHAP (challenge handshake protocol), PAP (password auth. protocol), MS-CHAP

X.509 public key certificate

1 Version
2 Serial number
3 Sign. alg. identifier
4 Issuer
5 Period of validity
6 Subject
7 Subject’s public key
8 Issuer unique ID
9 Subject unique ID
10 Extensions
11 Signature

Flow of actions in SSL

Authenticate the server to the client.
Allow the client and server to select the cryptographic algorithms they both support.
Optionally authenticate the client to the server.
Use public-key encryption to generate shared secrets.
Establish an encrypted SSL connection.

Capabilities of SSL

1. To establish an encrypted, not necessarily authenticated, communication channel between a client and a server.
2. To authenticate the server, and establish a secure channel (the case of RSA).
3. To authenticate the server, and establish a secure channel (general case, incl RSA).
4. To authenticate the server AND the client, and establish an authenticated secure channel.

[Slide annotation beside the list: "preferred" / "Less preferred"]

Establish encrypted, but unauthenticated, channel

Parties: (Browser) Client and (Web) Server

(1) Client → Server: ClientHello
(2) Server → Client: ServerHello, ServerKeyExchange, ServerHelloDone
(3) Client → Server: ClientKeyExchange, ChangeCipherSpec, Finished
(4) Server → Client: ChangeCipherSpec, Finished

4 moves & 9 messages in SSL

1 ClientHello -- C proposes SSL options
2 ServerHello -- S selects the SSL options
3 ServerKeyExchange -- S sends its public key
4 ServerHelloDone -- S sends its part of negotiation
5 ClientKeyExchange -- C sends session key, encrypted with S’s public key
6 ChangeCipherSpec -- C agrees on negotiated/activated options for all future messages
7 Finished -- C sends an authentication message to allow S to verify the activated options
8 ChangeCipherSpec -- S agrees on activated options for all future messages
9 Finished -- S sends an authentication message to allow C to verify the activated options

1. ClientHello (C → S)

Version
  Identifies the highest version of the SSL protocol that the client can support
RandomNumber
  32-bit random number used to seed the cryptographic computation
Session ID
  Identifies a specific SSL session
CipherSuites
  A list of cryptographic parameters/schemes that the client can support
CompressionMethods
  Identifies data compression methods that the client can support

2. ServerHello (C ← S)

Version
  Identifies the highest version of the SSL protocol to be used for this communication
RandomNumber
  32-bit random number used to seed the cryptographic computation
Session ID
  Identifies a specific SSL session
CipherSuites
  The cryptographic parameters/schemes to be used
CompressionMethods
  The data compression methods to be used

3. ServerKeyExchange (C ← S)

Contains the (public) key information
  Exact format depends on the particular public key algorithm selected
Not encrypted !

4. ServerHelloDone (C ← S)

Contains no information, other than that it’s done !

5. ClientKeyExchange (C → S)

Client tells the server key information for symmetric ciphers to be used
Encrypted using the server’s public key !

6 & 8. ChangeCipherSpec (C → S & C ← S)

After the message #5, a preliminary SSL negotiation is complete, and both parties are ready to use security services negotiated
These 2 messages are to explicitly indicate that security services should now be invoked
In other words, to activate the options

7 & 9. Finished

To authenticate
  Key information
  Contents of all previous SSL handshake messages exchanged between the 2 parties
  A special value to indicate whether the sender is a client or a server
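
The Finished computation described above, as an added example that is not part of the original slides: it follows the SSL 3.0 construction, in which the Finished body is an MD5 hash and a SHA-1 hash over the master secret, all earlier handshake messages and a sender label. The message strings, suite labels and master secret are constructed stand-ins, and the function names are this example's own.

```python
import hashlib
import hmac

SENDER_CLIENT = b"CLNT"   # 0x434C4E54, the "special value" for a client sender
SENDER_SERVER = b"SRVR"   # 0x53525652, the same for a server sender

def _ssl3_hash(algo, pad_len, transcript, sender, master_secret):
    """hash(master_secret + pad2 + hash(transcript + sender + master_secret + pad1))."""
    pad1, pad2 = b"\x36" * pad_len, b"\x5c" * pad_len
    inner = hashlib.new(algo, transcript + sender + master_secret + pad1).digest()
    return hashlib.new(algo, master_secret + pad2 + inner).digest()

def ssl3_finished(transcript, sender, master_secret):
    """36-byte Finished body: 16-byte MD5 part followed by 20-byte SHA-1 part."""
    return (_ssl3_hash("md5", 48, transcript, sender, master_secret)
            + _ssl3_hash("sha1", 40, transcript, sender, master_secret))

def verify_finished(received, transcript, sender, master_secret):
    """Recompute the peer's Finished over our own copy of the handshake."""
    expected = ssl3_finished(transcript, sender, master_secret)
    return hmac.compare_digest(received, expected)

def demo():
    # Constructed stand-ins for handshake messages (not real wire encodings)
    # and a constructed 48-byte master secret.
    master = bytes(range(48))
    hello = b"ClientHello suites=[RSA_3DES_SHA, RSA_RC4_MD5]"
    rest = [b"ServerHello suite=RSA_3DES_SHA", b"ServerKeyExchange",
            b"ServerHelloDone", b"ClientKeyExchange"]
    # ChangeCipherSpec is not a handshake message, so it is not hashed.
    client_view = b"".join([hello] + rest)
    client_fin = ssl3_finished(client_view, SENDER_CLIENT, master)

    # Server received the same bytes: the client's Finished verifies.
    same = verify_finished(client_fin, client_view, SENDER_CLIENT, master)
    # Server's copy of ClientHello differs in its suite list: verification fails.
    altered_view = b"".join([b"ClientHello suites=[RSA_RC4_MD5]"] + rest)
    altered = verify_finished(client_fin, altered_view, SENDER_CLIENT, master)
    # The server's own Finished also covers the client's Finished and uses SRVR.
    server_fin = ssl3_finished(client_view + client_fin, SENDER_SERVER, master)
    return {"same": same, "altered": altered,
            "lengths": (len(client_fin), len(server_fin)),
            "distinct": client_fin != server_fin}

if __name__ == "__main__":
    print(demo())
```

Because every earlier handshake message is hashed together with the key information, a difference between what one side sent and what the other side received surfaces as a Finished mismatch before any application data flows.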

Establish encrypted channel, with server being authenticated

Parties: (Browser) Client and (Web) Server

(1) Client → Server: ClientHello
(2) Server → Client: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
(3) Client → Server: ClientKeyExchange, ChangeCipherSpec, Finished
(4) Server → Client: ChangeCipherSpec, Finished

Certificate message from server

Contains a certificate chain beginning with the server’s public key certificate and ending with the root certificate authority’s certificate
The client browser usually has well known CA certificates preloaded
The certificate contains Internet domain name of the server which must be verified by the client

Advantages

Separating encryption from authentication
  Applicable to not only RSA but also other digital signature-only schemes such as DSS
Preferred to the previous technique which did NOT separate encryption from authentication
(ServerKeyExchange is signed using the server’s private key, for the client to verify using the server’s matching public key !)

Establish encrypted channel, with mutual authentication

Parties: (Browser) Client and (Web) Server

(1) Client → Server: ClientHello
(2) Server → Client: ServerHello, Certificate, CertificateRequest, ServerHelloDone
(3) Client → Server: Certificate, ClientKeyExchange, CertificateVerify, ChangeCipherSpec, Finished
(4) Server → Client: ChangeCipherSpec, Finished

CertificateRequest (C ← S)

CertificateTypes
  A list of certificate types acceptable to the server
DistinguishedNames
  A list of distinguished names of certificate authorities acceptable to the server (X.500 names)

(the server MUST authenticate itself, i.e., must have “Certificate” from S to C)

Certificate (C → S)

The client’s public key is used for signature verification only, not for encryption
If the client does not have a certificate, it sends a “NoCertificateAlert”

CertificateVerify (C → S)

The client signs
  Key information
  Contents of all previous SSL handshake messages exchanged between them
The server verifies the identity of the client using its public key
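
An added example, not part of the original slides, for reviewing a recorded handshake: it checks a sequence of handshake message names against the three flows shown above (unauthenticated, server authenticated, mutual authentication) and reports which one was negotiated. It encodes only those three flows, treats ServerKeyExchange as optional once the server has sent a Certificate, and its function names and sample data are this example's own.

```python
from itertools import groupby

# Ordered (name, required) patterns for the four moves shown on the slides.
MOVE1 = [("ClientHello", True)]
MOVE2 = [("ServerHello", True), ("Certificate", False), ("ServerKeyExchange", False),
         ("CertificateRequest", False), ("ServerHelloDone", True)]
MOVE3 = [("Certificate", False), ("ClientKeyExchange", True),
         ("CertificateVerify", False), ("ChangeCipherSpec", True), ("Finished", True)]
MOVE4 = [("ChangeCipherSpec", True), ("Finished", True)]

def _match(move, pattern):
    """Check one move against its ordered pattern; return the names present."""
    seen, i = set(), 0
    for name, required in pattern:
        if i < len(move) and move[i] == name:
            seen.add(name)
            i += 1
        elif required:
            raise ValueError(f"missing or misplaced {name}")
    if i != len(move):
        raise ValueError(f"unexpected {move[i]}")
    return seen

def classify_handshake(messages):
    """messages: (sender, name) pairs in wire order, sender 'C' or 'S'.
    Returns 'anonymous', 'server-auth' or 'mutual-auth'; raises ValueError otherwise."""
    moves = [(s, [n for _, n in grp]) for s, grp in groupby(messages, key=lambda m: m[0])]
    if [s for s, _ in moves] != ["C", "S", "C", "S"]:
        raise ValueError("expected four moves: C, S, C, S")
    _match(moves[0][1], MOVE1)
    srv = _match(moves[1][1], MOVE2)
    cli = _match(moves[2][1], MOVE3)
    _match(moves[3][1], MOVE4)
    if "CertificateRequest" in srv and "Certificate" not in srv:
        raise ValueError("CertificateRequest from a server that did not authenticate itself")
    if not ({"Certificate", "ServerKeyExchange"} & srv):
        raise ValueError("server sent no key material")
    client_msgs = cli & {"Certificate", "CertificateVerify"}
    if not client_msgs:
        return "server-auth" if "Certificate" in srv else "anonymous"
    if len(client_msgs) != 2 or "CertificateRequest" not in srv:
        raise ValueError("client auth needs CertificateRequest, Certificate and CertificateVerify")
    return "mutual-auth"

# Constructed sample: the mutual-authentication flow from the slides.
MUTUAL = [("C", "ClientHello"), ("S", "ServerHello"), ("S", "Certificate"),
          ("S", "CertificateRequest"), ("S", "ServerHelloDone"), ("C", "Certificate"),
          ("C", "ClientKeyExchange"), ("C", "CertificateVerify"),
          ("C", "ChangeCipherSpec"), ("C", "Finished"),
          ("S", "ChangeCipherSpec"), ("S", "Finished")]

if __name__ == "__main__":
    print(classify_handshake(MUTUAL))
```

A result of 'anonymous' means the channel was encrypted without the server proving its identity, which is the case the slides rank below the authenticated variants.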

Cryptographic algorithms supported by SSL v3.0

Public key encryption/key-distribution
  RSA, Diffie-Hellman
Digital signature
  RSA, DSS
Symmetric ciphers
  RC2, RC4, DES, 3DES, IDEA, FORTEZZA
1-Way hash
  MD5, SHA

Securing other applications using SSL

[Diagram: HTTP, LDAP, IMAP, FTP, … shown above SSL, with TCP, IP and the IP packet below it.]

Components of SSL

[Diagram: SSL drawn between HTTP and TCP, with components labelled Handshake, ChangeCipher, Alert, Application and Record Layer.]

References for SSL

Open source for SSL developers: http://www.openssl.org/