Transport Layer Security
Chapter 5. Network security and policy
2016. 04. 04
Presenter : Seonghyeon Gong
Table of contents
1. Introduction
2. TLS(SSL) & HTTPS
   1) TLS structure
   2) Record Protocol
   3) Higher-Layer protocols
   4) TLS case
   5) HTTPS
3. SSH
   1) SSH protocols
   2) Port forwarding
Introduction (Web security considerations)
Introduction
The number of individuals and companies with Internet access is expanding rapidly, and all of them have graphical Web browsers.
But the reality is that the Internet and the Web are extremely vulnerable to compromises of various sorts.
Web security considerations
• The Internet is two-way, so a Web server is exposed to attacks from anywhere on the Internet, not only to passive reading of its content.
• If the server is attacked, the firm can lose both reputation and money.
• Because Web software is so complex, the underlying software (server, modules, application code) may hide many potential security flaws.
• Once a Web server is subverted, an attacker may be able to gain access to data and systems that are not part of the Web server itself but are reachable from it on the local network.
• Untrained users are the common clients of Web services; they are not aware of the risks and lack the tools or knowledge to take countermeasures.
Web security considerations
Threats, their consequences and countermeasures, grouped by the security property under attack:

Integrity
  Threats: modification of user data; Trojan horse browser; modification of memory; modification of message traffic in transit
  Consequences: loss of information; compromise of the machine; vulnerability to all other threats
  Countermeasures: cryptographic checksums (MACs)

Confidentiality
  Threats: eavesdropping on the network; theft of information from the server; theft of data from the client; information about the network configuration
  Consequences: loss of information; loss of privacy
  Countermeasures: encryption, Web proxies

Denial of service
  Threats: killing of user threads; flooding the machine with bogus requests; filling up disk or memory; isolating the machine by DNS attacks
  Consequences: disruptive; annoying; prevents users from getting work done
  Countermeasures: difficult to prevent

Authentication
  Threats: impersonation of legitimate users; data forgery
  Consequences: misrepresentation of user; belief that false information is valid
  Countermeasures: cryptographic techniques
Web security considerations
A number of approaches to providing Web security are possible.
• The various approaches that have been considered are similar in the services they provide and, to some extent, in the mechanisms they use, but they differ in their scope of applicability and in where they sit in the TCP/IP protocol stack (network layer such as IPsec, transport layer such as TLS, or application layer such as S/MIME and Kerberos).
TLS(SSL) & HTTPS (Transport Layer Protocols)
TLS / SSL
TLS and SSL are cryptographic protocols designed to provide communications security over a computer network.
The goal of TLS is to provide privacy and data integrity between two communicating applications.
TLS is an IETF standard (TLS 1.2 is RFC 5246); it is based on the earlier SSL specifications developed by Netscape. SSL 2.0 and SSL 3.0 have since been prohibited (RFC 6176 and RFC 7568).
Protocol   Released
SSL 1.0    not released
SSL 2.0    1995
SSL 3.0    1996
TLS 1.0    1999
TLS 1.1    2006
TLS 1.2    2008
TLS 1.3    2016 (Draft)
TLS structure
TLS is designed to make use of TCP to provide a reliable end-to-end secure service.
• TLS is not a single protocol but rather two layers of protocols.
• The TLS Record protocol provides the basic security services (confidentiality and integrity) to the various higher-layer protocols, HTTP included.
• Three higher-layer protocols are defined as part of TLS itself: the Handshake, Change Cipher Spec and Alert protocols.
TLS structure
The Record protocol provides confidentiality and integrity using encryption and a MAC.
The Handshake protocol is used for authentication and for negotiation of the security parameters.
The Change Cipher Spec protocol makes the negotiated cipher suite and keys take effect.
The Alert protocol sends error and status information about TLS connections and sessions.
Connection and Session
Connection: a transport (in the OSI sense) that provides a suitable type of service. Connections are transient, and every connection is associated with one session.
Session: an association between a client and a server. Sessions are created by the Handshake protocol and define a set of security parameters that can be shared among multiple connections, so that the expensive negotiation need not be repeated for every connection.
TLS session and connection state
Session state (established by the Handshake protocol and shared by all connections of the session)
  Session identifier: an arbitrary byte sequence chosen by the server to identify an active or resumable session state.
  Peer certificate: an X.509v3 certificate of the peer. This element of the state may be null.
  Compression method: the algorithm used to compress data prior to encryption.
  Cipher spec: the bulk data encryption algorithm and the hash algorithm used for MAC calculation.
  Master secret: 48-byte secret shared between the client and server.
  Is resumable: a flag indicating whether the session can be used to initiate new connections.
Connection state (derived per connection from the master secret and the two random values)
  Server and client random: byte sequences chosen by the server and client for each connection.
  Server write MAC secret: the secret key used in MAC operations on data sent by the server.
  Client write MAC secret: the secret key used in MAC operations on data sent by the client.
  Server write key: the symmetric encryption key for data encrypted by the server and decrypted by the client.
  Client write key: the symmetric encryption key for data encrypted by the client and decrypted by the server.
  Initialization vectors: when a block cipher in CBC mode is used, an initialization vector is maintained for each key.
  Sequence numbers: each party maintains separate 64-bit sequence numbers for transmitted and received messages; they are never sent on the wire but are covered by the MAC, which is what detects replayed or reordered records.
Record protocol
The Record protocol provides two services for TLS connections:
• Confidentiality: the Handshake protocol defines a shared secret key that is used for symmetric encryption of TLS payloads.
• Message integrity: the Handshake protocol defines a shared secret key that is used to form a message authentication code (MAC).
Record protocol
Process of the Record protocol (sender side; the receiver reverses the steps)
• takes application data from the application layer
• fragments it into manageable blocks (at most 2^14 bytes)
• optionally compresses it with a lossless algorithm (in SSL v3 and in TLS the default compression method is null)
• applies a MAC
• encrypts the fragment together with the MAC
• prepends the record header (content type, version, length) and hands the record to TCP
Record protocol - Compression
• TLS defines DEFLATE as an optional compression method (RFC 3749). DEFLATE combines the LZ77 algorithm (back-references to earlier data) with Huffman coding and is lossless.
• TLS 1.2 negotiates the "null" compression method by default, and the TLS 1.3 draft removes compression from the protocol altogether.
• The reason is that compression leaks information through the ciphertext length: an attacker who can get chosen text compressed together with a secret (a session cookie, a CSRF token) observes a shorter record whenever the guess matches the secret, and recovers the secret byte by byte.
• CRIME (TLS and SPDY compression) and BREACH (HTTP response compression, which disabling TLS compression does not fix)
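The length leak described above, as an added example that is not part of the slides: the secret token and the attacker-controlled text are constructed here, and DEFLATE is applied with Python's zlib in place of the TLS record layer (the ciphertext length an observer sees is the compressed length plus a constant). The correct guess extends an LZ77 back-reference by one byte, while every wrong guess costs one extra literal, so the correct candidate compresses one byte shorter.

```python
import zlib

# Constructed example: a secret the attacker wants, compressed together with
# text the attacker controls (the CRIME/BREACH setting: cookie + request path,
# or CSRF token + reflected query parameter).
SECRET = "csrf=7f3a9"
ALPHABET = "0123456789abcdef"   # assumed: the token is hexadecimal


def compressed_length(attacker_text: str) -> int:
    """What the network observer sees: the length of the DEFLATE output.
    With TLS compression the ciphertext length is this plus a constant,
    so the attacker learns it without breaking the encryption."""
    plaintext = (SECRET + "\n" + attacker_text).encode()
    return len(zlib.compress(plaintext))


def recover_secret(known_prefix: str, total_length: int) -> str:
    """Byte-at-a-time recovery. For each position, the candidate that extends
    the longest LZ77 match with the secret compresses one byte shorter than
    every wrong candidate, whose extra character is emitted as a literal."""
    known = known_prefix
    while len(known) < total_length:
        sizes = {c: compressed_length(known + c) for c in ALPHABET}
        smallest = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == smallest]
        if len(winners) != 1:
            # Ambiguous (bit alignment at a byte boundary); real attacks
            # resolve this with the "two tries" trick. Stop rather than guess.
            break
        known += winners[0]
    return known


if __name__ == "__main__":
    print(recover_secret("csrf=", len(SECRET)))
```

The attacker needs only the known prefix ("csrf=") and the ability to make the victim send requests; this is why TLS-level compression is off in every current stack and why BREACH mitigations (masking tokens per request, or not compressing responses that reflect user input) live in the application.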
Record protocol - MAC
MAC calculation with HMAC (TLS 1.0 and later; SSL 3.0 used an earlier, non-standard HMAC-like construction). The key is the sender's write MAC secret and the MAC input is:
Field              Length (bits)
Sequence number    64
Content type       8
Major version      8
Minor version      8
Compressed length  16
Fragment           variable (the compressed fragment, at most 2^14 + 1024 bytes)
The 64-bit sequence number is implicit (never transmitted); including it in the MAC is what lets the receiver detect replayed, reordered or dropped records.
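The MAC input laid out above, computed and verified in an added example (not code from the slides). The MAC key, the fragment and the sequence numbers are constructed; a real key comes from the key block derived during the handshake. The demo shows the genuine record verifying, and a replay (the receiver expects a different sequence number) and a one-byte modification both failing.

```python
import hashlib
import hmac
import struct

TLS_1_2 = (3, 3)
APPLICATION_DATA = 23


def mac_input(seq_num: int, content_type: int, version: tuple, fragment: bytes) -> bytes:
    """The bytes the TLS 1.x record MAC covers (RFC 5246 section 6.2.3.1):
    seq_num(8) || type(1) || major(1) || minor(1) || length(2) || fragment.
    seq_num is a 64-bit counter kept by each side and never sent on the wire."""
    major, minor = version
    header = struct.pack("!QBBBH", seq_num, content_type, major, minor, len(fragment))
    return header + fragment


def record_mac(mac_key: bytes, seq_num: int, content_type: int,
               version: tuple, fragment: bytes) -> bytes:
    """HMAC-SHA256 over the MAC input, as used by the *_SHA256 CBC cipher suites."""
    data = mac_input(seq_num, content_type, version, fragment)
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def verify_record(mac_key: bytes, seq_num: int, content_type: int,
                  version: tuple, fragment: bytes, tag: bytes) -> bool:
    """Receiver side: recompute with the receiver's own expected sequence number.
    compare_digest avoids leaking which byte of the tag differed."""
    expected = record_mac(mac_key, seq_num, content_type, version, fragment)
    return hmac.compare_digest(expected, tag)


# Constructed example values (assumed key and payload).
CLIENT_WRITE_MAC_KEY = bytes(range(32))
FRAGMENT = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
TAG = record_mac(CLIENT_WRITE_MAC_KEY, 0, APPLICATION_DATA, TLS_1_2, FRAGMENT)


def demo() -> dict:
    """Genuine record verifies; a replay (wrong expected seq_num) and a
    one-byte modification of the fragment do not."""
    tampered = bytearray(FRAGMENT)
    tampered[5] ^= 0x01
    return {
        "genuine": verify_record(CLIENT_WRITE_MAC_KEY, 0, APPLICATION_DATA, TLS_1_2, FRAGMENT, TAG),
        "replayed": verify_record(CLIENT_WRITE_MAC_KEY, 1, APPLICATION_DATA, TLS_1_2, FRAGMENT, TAG),
        "modified": verify_record(CLIENT_WRITE_MAC_KEY, 0, APPLICATION_DATA, TLS_1_2, bytes(tampered), TAG),
    }


if __name__ == "__main__":
    print(demo())
```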
Record protocol - MAC
MAC algorithms in SSL/TLS (columns: SSL 2.0 / SSL 3.0 / TLS 1.0 / TLS 1.1 / TLS 1.2)
  HMAC-MD5          Yes / Yes / Yes / Yes / Yes
  HMAC-SHA1         No / Yes / Yes / Yes / Yes
  HMAC-SHA256/384   No / No / No / No / Yes
  AEAD              No / No / No / No / Yes
  GOST              No / Yes / Yes / Yes / Yes
  GOST R            No / Yes / Yes / Yes / Yes
With an AEAD cipher suite (TLS 1.2 and later) integrity comes from the cipher mode itself (for example AES-GCM) and no separate record MAC is computed.
Record protocol - Encryption
Cipher security by protocol version (columns: SSL 2.0 / SSL 3.0 / TLS 1.0 / TLS 1.1 / TLS 1.2 / TLS 1.3 (Draft)); ratings as of the presentation date
Block ciphers with mode of operation
  AES-GCM (256, 128)        N/A / N/A / N/A / N/A / Secure / Secure
  AES-CCM (256, 128)        N/A / N/A / N/A / N/A / Secure / Secure
  AES-CBC (256, 128)        N/A / N/A / partially insecure / Secure / Secure / N/A
  Camellia-GCM (256, 128)   N/A / N/A / N/A / N/A / Secure / Secure
  Camellia-CBC (256, 128)   N/A / N/A / partially insecure / Secure / Secure / N/A
  ARIA-GCM (256, 128)       N/A / N/A / N/A / N/A / Secure / Secure
  ARIA-CBC (256, 128)       N/A / N/A / partially insecure / Secure / Secure / N/A
  SEED-CBC (128)            N/A / N/A / partially insecure / Secure / Secure / N/A
  3DES-EDE-CBC (112)        Insecure / Insecure / partially insecure / partially insecure / partially insecure / N/A
  GOST (256)                N/A / N/A / Secure / Secure / Secure / N/A
  IDEA-CBC (128)            Insecure / Insecure / partially insecure / Secure / N/A / N/A
  DES-CBC (56)              Insecure / Insecure / Insecure / Insecure / N/A / N/A
  DES-CBC (40)              Insecure / Insecure / Insecure / N/A / N/A / N/A
  RC2-CBC (40)              Insecure / Insecure / Insecure / N/A / N/A / N/A
Stream ciphers
  ChaCha20-Poly1305 (256)   N/A / N/A / N/A / N/A / Secure / Secure
  RC4 (128)                 Insecure / Insecure / Insecure / Insecure / Insecure / N/A
  RC4 (40)                  Insecure / Insecure / Insecure / N/A / N/A / N/A
None
  NULL                      N/A / Insecure / Insecure / Insecure / Insecure / Insecure
"Partially insecure" for CBC in TLS 1.0 refers to the chained-IV weakness exploited by BEAST (TLS 1.1 introduced explicit per-record IVs); for 3DES it refers to the 64-bit block size (Sweet32), which is why 3DES is dropped from TLS 1.3.
Change cipher spec protocol
• This protocol consists of a single message, which consists of a single byte with the value 1.
• The purpose of this message is to cause the pending state (negotiated during the handshake) to be copied into the current state, which updates the cipher suite and keys used on this connection. Every record sent after it is protected with the new state.
Alert protocol
• The Alert Protocol is used to send alert information to the peer entity. Alert messages are compressed and encrypted like any other record once the connection is secured.
• The first byte takes the value warning (1) or fatal (2) to convey the severity of the message. A fatal alert terminates the connection immediately and the session may not be resumed.
• The second byte contains a code that indicates the specific alert.
Alert protocol
Alert codes and levels (RFC 5246; 111-115 from RFC 6066, 120 from RFC 7301)
  0    close_notify                      warning
  10   unexpected_message                fatal
  20   bad_record_mac                    fatal
  21   decryption_failed                 fatal (reserved; not sent since TLS 1.1, as it gave a CBC padding oracle)
  22   record_overflow                   fatal
  30   decompression_failure             fatal
  40   handshake_failure                 fatal
  41   no_certificate                    warning (SSL 3.0 only)
  42   bad_certificate                   warning or fatal
  43   unsupported_certificate           warning or fatal
  44   certificate_revoked               warning or fatal
  45   certificate_expired               warning or fatal
  46   certificate_unknown               warning or fatal
  47   illegal_parameter                 fatal
  48   unknown_ca                        fatal
  49   access_denied                     fatal
  50   decode_error                      fatal
  51   decrypt_error                     fatal
  60   export_restriction                fatal (reserved)
  70   protocol_version                  fatal
  71   insufficient_security             fatal
  80   internal_error                    fatal
  90   user_canceled                     warning
  100  no_renegotiation                  warning
  110  unsupported_extension             fatal
  111  certificate_unobtainable          warning or fatal
  113  bad_certificate_status_response   fatal
  114  bad_certificate_hash_value        fatal
  115  unknown_psk_identity              fatal
  120  no_application_protocol           fatal
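The record layer, the change cipher spec message and the alert format from the last three slides, parsed from bytes in an added example (this is illustrative code, not from the slides). The sample stream is constructed: a change_cipher_spec record, a warning close_notify and a fatal handshake_failure, all with TLS 1.2 version bytes. The alert description table is a subset of the full list above.

```python
import struct

MAX_RECORD_FRAGMENT = 2 ** 14 + 2048      # TLSCiphertext ceiling, RFC 5246 6.2.3

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
    115: "unknown_psk_identity", 120: "no_application_protocol",
}


def parse_records(stream: bytes) -> list:
    """Split a byte stream into (content_type, version, fragment) records.
    Each record is a 5-byte header followed by `length` bytes of fragment."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")   # -> unexpected_message
        if length > MAX_RECORD_FRAGMENT:
            raise ValueError("record overflow")                    # -> alert 22
        fragment = stream[off + 5:off + 5 + length]
        if len(fragment) < length:
            raise ValueError("truncated fragment")
        records.append((ctype, (major, minor), fragment))
        off += 5 + length
    return records


def decode_record(ctype: int, fragment: bytes) -> tuple:
    """Interpret the two single-purpose higher-layer protocols."""
    if ctype == 20:
        # change_cipher_spec: exactly one byte with value 1
        return ("change_cipher_spec", fragment == b"\x01")
    if ctype == 21:
        if len(fragment) != 2:
            raise ValueError("alert must be exactly two bytes")
        level, desc = fragment[0], fragment[1]
        return ("alert", ALERT_LEVELS.get(level, f"unknown({level})"),
                ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"))
    return (CONTENT_TYPES[ctype], len(fragment))


# Constructed stream: change_cipher_spec, warning close_notify (1,0),
# fatal handshake_failure (2,40), version bytes 3,3 = TLS 1.2.
SAMPLE = (b"\x14\x03\x03\x00\x01\x01"
          b"\x15\x03\x03\x00\x02\x01\x00"
          b"\x15\x03\x03\x00\x02\x02\x28")


def decode_stream(stream: bytes = SAMPLE) -> list:
    return [decode_record(ctype, frag) for ctype, _, frag in parse_records(stream)]


if __name__ == "__main__":
    for entry in decode_stream():
        print(entry)
```

On a real connection the alert fragment is encrypted, so an observer only sees a 21-type record of suspicious length; the decoded meaning is available to the peer, which must stop after a fatal alert and must treat a close_notify as the only legitimate end of the stream.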
Handshake protocol
This protocol allows the server and client to authenticate each other and to negotiate the encryption and MAC algorithms and the cryptographic keys used to protect the data.
The Handshake Protocol is used before any application data is transmitted. It consists of a series of messages exchanged between client and server, which can be viewed as four phases (described on the following slides).
Handshake protocol
SSL/TLS handshake message types and their parameters
  hello_request          none
  client_hello           version, random, session id, cipher suites, compression methods
  server_hello           version, random, session id, cipher suite, compression method
  certificate            chain of X.509v3 certificates
  server_key_exchange    parameters, signature
  certificate_request    type, authorities
  server_hello_done      none
  certificate_verify     signature
  client_key_exchange    parameters, signature
  finished               hash value
Handshake protocol
Handshake phase 1
• Client hello and server hello
• Used to initiate a logical connection and to establish the security capabilities (protocol version, session ID, cipher suite, compression method and the two random values).
• The hello message exchange is initiated by the client.
Handshake protocol
Fields of the client_hello message
  Version: the highest SSL/TLS version understood by the client.
  Random: a client-generated 32-byte structure consisting of a 32-bit timestamp and 28 bytes generated by a secure random number generator; together with the server random it makes the derived keys unique per connection.
  Session ID: a variable-length session identifier (non-empty when the client asks to resume an earlier session).
  CipherSuite: a list of the combinations of cryptographic algorithms supported by the client, in decreasing order of preference.
  Compression Method: a list of the compression methods the client supports.
Handshake phase 1
• Composition of the hello message
• Each cipher suite in the list defines:
  1) key exchange method (RSA, fixed/ephemeral/anonymous Diffie-Hellman, ...)
  2) encryption algorithm
  3) MAC algorithm
  4) whether the cipher is a block or a stream cipher
  5) whether the suite is exportable
  6) hash size
  7) key material
  8) IV size (in CBC mode)
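The client_hello described above, serialised and parsed back in an added example (illustrative code, not from the slides; the cipher suite code points are the IANA values for the three named suites, and the host name and random are constructed). It shows what an on-path observer or the server sees in clear: the version, the suite list in the client's preference order (a weak suite listed last is still a candidate, which is how downgrade attacks on the negotiation work), and the host name in the SNI extension.

```python
import os
import struct
import time

TLS_1_2 = (3, 3)
HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 22, 1, 0

# IANA cipher suite code points for the suites used in the example.
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A


def client_random() -> bytes:
    """32-bit gmt_unix_time followed by 28 bytes from a secure RNG."""
    return struct.pack("!I", int(time.time())) + os.urandom(28)


def build_client_hello(cipher_suites, server_name=None, session_id=b"", rnd=None) -> bytes:
    """Serialise a TLS 1.2 ClientHello inside a handshake record."""
    body = bytes(TLS_1_2) + (rnd or client_random())
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                   # one compression method: null
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # NameType host_name
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(TLS_1_2) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Inverse of build_client_hello: what the server or a passive observer sees."""
    ctype, major, minor, rlen = struct.unpack("!BBBH", record[:5])
    hs = record[5:5 + rlen]
    if ctype != HANDSHAKE or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version, rnd, off = (body[0], body[1]), body[2:34], 34
    sid_len = body[off]
    session_id = body[off + 1:off + 1 + sid_len]
    off += 1 + sid_len
    (cs_len,) = struct.unpack("!H", body[off:off + 2])
    off += 2
    suites = [struct.unpack("!H", body[off + i:off + i + 2])[0] for i in range(0, cs_len, 2)]
    off += cs_len
    cm_len = body[off]
    compression = list(body[off + 1:off + 1 + cm_len])
    off += 1 + cm_len
    server_name = None
    if off < len(body):                                   # extensions present
        (ext_len,) = struct.unpack("!H", body[off:off + 2])
        off += 2
        end = off + ext_len
        while off < end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            data = body[off + 4:off + 4 + elen]
            off += 4 + elen
            if etype == EXT_SERVER_NAME and data[2] == 0:
                (nlen,) = struct.unpack("!H", data[3:5])
                server_name = data[5:5 + nlen].decode("idna")
    return {"version": version, "random": rnd, "session_id": session_id,
            "cipher_suites": suites, "compression": compression,
            "server_name": server_name}
```

Nothing in this message is encrypted or authenticated yet; it is only the Finished message at the end of the handshake, which covers the whole transcript, that lets both sides detect if a middlebox rewrote the suite list.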
Handshake protocol
Handshake phase 1
• Calculating the master secret
  master_secret = PRF(pre_master_secret, "master secret", client_random + server_random)[0..47]
  where pre_master_secret is the value obtained from the key exchange (for RSA key exchange, 48 bytes chosen by the client and encrypted under the server's public key; for Diffie-Hellman, the shared DH value) and PRF is the TLS pseudorandom function (in TLS 1.2, P_SHA256 unless the cipher suite specifies another hash).
Handshake protocol
Handshake phase 2
• The server authenticates itself and sends its key exchange material.
• The server begins this phase by sending its certificate message, containing one certificate or a chain of X.509 certificates (the server's own certificate first).
• If the chosen key exchange needs it (ephemeral Diffie-Hellman, for example), a server_key_exchange message carries the parameters signed with the certificate's private key; the server may also send certificate_request, and it ends the phase with server_hello_done.
Handshake protocol
Handshake phase 3
• The client authenticates itself (if requested) and sends its key exchange material.
• Upon receipt of server_hello_done, the client should verify that the server's certificate chain is valid for the intended host and that the server hello parameters are acceptable, then send client_key_exchange (for RSA, the pre_master_secret encrypted with the server's public key; for Diffie-Hellman, the client's public value).
Handshake protocol
Handshake phase 3
• If the server requested a certificate, the client sends certificate_verify: a signature, made with the private key of the client certificate, over all handshake messages sent or received so far.
• Because the signature covers the whole transcript, a captured certificate cannot be reused by someone who does not hold the private key, and the earlier handshake messages cannot have been altered in transit.
Handshake protocol
Handshake phase 4
• Completes the setting up of a secure connection.
• Each side sends change_cipher_spec and copies the pending Cipher Spec into the current Cipher Spec; everything after it is protected with the negotiated keys.
• The finished message, like certificate_verify, covers the handshake transcript: verify_data = PRF(master_secret, finished_label, Hash(handshake_messages)), so each side detects a tampered negotiation (for example a cipher suite downgrade) before any application data flows.
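The derivations named in phases 1 and 4 (master secret, the per-connection key block of write keys and IVs, and the Finished verify_data), carried out with the TLS 1.2 PRF in an added example; this is illustrative code, not from the slides. The pre_master_secret, the two randoms and the handshake transcript are constructed placeholders; in a real handshake they come from the key exchange and the hello messages.

```python
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int, digest=hashlib.sha256) -> bytes:
    """P_hash(secret, seed) = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)).  RFC 5246 section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """Split PRF(master, "key expansion", server_random + client_random) into the
    six connection-state keys in the order the RFC fixes. Note the randoms are
    concatenated in the opposite order to the master secret derivation."""
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    kb = prf(master, b"key expansion", server_random + client_random, sum(sizes))
    keys, off = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[off:off + size]
        off += size
    return keys


def finished_verify_data(master: bytes, handshake_messages: bytes, side: str) -> bytes:
    """verify_data = PRF(master_secret, finished_label, SHA256(handshake_messages))[0:12]."""
    label = b"client finished" if side == "client" else b"server finished"
    return prf(master, label, hashlib.sha256(handshake_messages).digest(), 12)


# Constructed values. A real RSA pre_master_secret is 2 version bytes plus
# 46 random bytes chosen by the client; the randoms come from the hellos.
PRE_MASTER_SECRET = b"\x03\x03" + bytes(range(46))
CLIENT_RANDOM = bytes([0x11] * 32)
SERVER_RANDOM = bytes([0x22] * 32)


def derive_all() -> dict:
    ms = master_secret(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    # Sizes for TLS_RSA_WITH_AES_128_CBC_SHA256: 32-byte MAC keys, 16-byte keys, 16-byte IVs
    keys = key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, mac_len=32, key_len=16, iv_len=16)
    transcript = b"<all handshake messages so far>"      # constructed placeholder
    return {"master_secret": ms, "keys": keys,
            "client_finished": finished_verify_data(ms, transcript, "client"),
            "server_finished": finished_verify_data(ms, transcript, "server")}


if __name__ == "__main__":
    for name, value in derive_all()["keys"].items():
        print(name, value.hex())
```

Every key above depends on both randoms, so a replayed client_key_exchange yields different keys; and both Finished values depend on the full transcript, so a changed cipher-suite list or a dropped extension makes the peer's verify_data mismatch. (The TLS 1.3 draft replaces this PRF with HKDF but keeps the same idea.)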
TLS case
TLS padding
Variable length padding method
• In SSL 3.0, the padding is the minimum amount required so that the total size of the data to be encrypted (fragment + MAC + padding + padding-length byte) is a multiple of the cipher's block length, and only the final length byte is checked.
• In TLS, the padding can be any amount that results in a total that is a multiple of the cipher's block length, up to a maximum of 255 bytes, and every padding byte must equal the padding length.
• A variable padding length may be used to frustrate attacks based on an analysis of the lengths of exchanged messages.
• Because SSL 3.0 does not check the padding bytes themselves, its CBC mode is open to a padding-oracle attack (POODLE). The TLS check closes that hole, but the padding check and the MAC check must take the same time on every path or the timing difference itself becomes an oracle (Lucky 13).
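The two padding rules side by side, as an added example that is not from the slides: SSL 3.0 minimal padding, TLS variable padding, and the TLS receiver check. The encryption step is left out so the padding logic stands alone; the inputs and block size are constructed. ssl3_padding_is_checked shows the POODLE precondition: corrupting an SSL 3.0 padding byte is invisible to the receiver.

```python
import os


def ssl3_pad(data: bytes, block_size: int) -> bytes:
    """SSL 3.0: minimal padding. Last byte = number of padding bytes before it;
    the padding bytes themselves are arbitrary and never checked by the receiver."""
    pad_len = (block_size - (len(data) + 1) % block_size) % block_size
    return data + os.urandom(pad_len) + bytes([pad_len])


def tls_pad(data: bytes, block_size: int, extra_blocks: int = 0) -> bytes:
    """TLS 1.0+: pad_len + 1 bytes, every one equal to pad_len. extra_blocks
    adds whole blocks of padding to hide the plaintext length (max 255 bytes)."""
    pad_len = (block_size - (len(data) + 1) % block_size) % block_size
    pad_len += extra_blocks * block_size
    if pad_len > 255:
        raise ValueError("padding may not exceed 255 bytes")
    return data + bytes([pad_len]) * (pad_len + 1)


def tls_unpad(padded: bytes, block_size: int) -> bytes:
    """Receiver check (RFC 5246 6.2.3.2): every padding byte must equal the
    length byte. All failures report the same bad_record_mac; a production
    implementation also makes the loop below independent of pad_len and still
    runs the MAC check, so that timing does not reveal which check failed."""
    if not padded or len(padded) % block_size:
        raise ValueError("bad_record_mac")
    pad_len = padded[-1]
    if pad_len + 1 > len(padded):
        raise ValueError("bad_record_mac")
    bad = 0
    for b in padded[-(pad_len + 1):]:
        bad |= b ^ pad_len            # accumulate instead of returning early
    if bad:
        raise ValueError("bad_record_mac")
    return padded[:-(pad_len + 1)]


def ssl3_padding_is_checked(data: bytes, block_size: int = 16) -> bool:
    """Would an SSL 3.0 receiver notice a tampered padding byte? It only reads
    the length byte and strips, so the answer is False: this is what POODLE
    turns into a byte-at-a-time decryption oracle."""
    padded = bytearray(ssl3_pad(data, block_size))
    pad_len = padded[-1]
    if pad_len:
        padded[-2] ^= 0xFF                    # corrupt one padding byte
    recovered = bytes(padded[:-(pad_len + 1)])   # SSL 3.0 strip, no comparison
    return recovered != data
```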
HTTPS
HTTPS (HTTP over SSL/TLS, RFC 2818) is the combination of HTTP and SSL/TLS to implement secure communication between a Web browser and a Web server.
• URL addresses begin with "https://" rather than "http://".
• If HTTPS is specified, port 443 is used by default, and the TLS handshake runs before any HTTP data is sent.
HTTPS encrypts the following elements:
• URL of the requested document (path and query string)
• Contents of the document
• Contents of browser forms (filled in by the browser)
• Cookies sent from browser to server and from server to browser
• Contents of the HTTP headers
It does not hide the server's IP address, the sizes and timing of the records, or, with the SNI extension, the host name the client asks for, which travels in clear in the ClientHello.
HTTPS
Connection initiation
• The client initiates a TCP connection to the server on the appropriate port and then sends the TLS ClientHello to begin the TLS handshake.
• Once the handshake has finished, all HTTP data is sent as TLS application data.
Connection closure
• Closing an HTTPS connection requires TLS to close the connection with the peer TLS entity on the remote side, which in turn closes the underlying TCP connection.
• At the TLS level, the proper way to close a connection is for each side to send a close_notify alert with the Alert protocol. A TCP close that arrives without close_notify may be a truncation attack, so an HTTPS implementation should treat the data as incomplete unless the HTTP message itself shows it is complete (for example, Content-Length satisfied).
SSH (Secure shell)
Secure shell (SSH)
Secure Shell (SSH) is a protocol for secure network communications designed to be relatively simple and inexpensive to implement. The first version, SSH1, was built to replace TELNET and other cleartext remote-login schemes; SSH2, standardised as RFC 4250 to RFC 4256, fixes flaws of the original and is the version in use today.
SSH provides a more general client/server capability and can be used for such network functions as file transfer (scp, sftp) and e-mail.
Secure shell (SSH)
SSH protocol stack (RFC 4251)
• SSH Transport Layer Protocol: provides server authentication, data confidentiality and data integrity, with perfect forward secrecy from its Diffie-Hellman key exchange. Runs on top of TCP.
• User Authentication Protocol: authenticates the client-side user to the server. Runs on top of the transport layer.
• Connection Protocol: multiplexes multiple logical communication channels over a single underlying SSH connection.
Secure shell (SSH) – Transport layer protocol
Packet exchange
• The client establishes a TCP connection to the server (port 22 by default).
• Both sides then exchange SSH binary packets carried in the TCP data stream.
Packet structure (RFC 4253)
• Packet length (4 bytes): length of the rest of the packet, excluding the MAC and this field
• Padding length (1 byte)
• Payload: the useful contents of the packet (compressed, if compression was negotiated)
• Random padding: at least 4 bytes, chosen so that the total length excluding the MAC is a multiple of the cipher block size (or of 8)
• MAC: computed over the sequence number and the unencrypted packet; the length fields, payload and padding are then encrypted
Secure shell (SSH) – Transport layer protocol
Identification string exchange
• Begins with each side sending an identification string of the form "SSH-protoversion-softwareversion SP comments CR LF", for example "SSH-2.0-OpenSSH_7.2"; the server may first send other lines not starting with "SSH-", which the client ignores.
• The identification strings are sent in clear but are later included in the exchange hash H, so tampering with them is detected by the key exchange.
Secure shell (SSH) – Transport layer protocol
Algorithm negotiation
• Each side sends a KEXINIT message (SSH_MSG_KEXINIT) containing, for each category, a name-list of the algorithms it supports in order of preference.
• The categories are key exchange, host key, encryption (one list per direction), MAC (per direction), compression (per direction) and language.
• For each category the chosen algorithm is the first one on the client's list that the server also supports; a server that offers only weak algorithms therefore still gets them chosen if the client lists them anywhere.
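The negotiation rule above, run over constructed KEXINIT name-lists in an added example (illustrative code, not from the slides). The algorithm names are real SSH identifiers; the three KEXINIT dictionaries are made up for the example. The legacy server case shows that the client's willingness to list an old algorithm, not the server's order, decides the outcome.

```python
# Constructed KEXINIT name-lists (comma-separated, as on the wire).
CLIENT_KEXINIT = {
    "kex_algorithms": "curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1",
    "server_host_key_algorithms": "ssh-ed25519,rsa-sha2-256,ssh-rsa",
    "encryption_algorithms_client_to_server": "chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc",
    "encryption_algorithms_server_to_client": "chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc",
    "mac_algorithms_client_to_server": "hmac-sha2-256,hmac-sha1",
    "mac_algorithms_server_to_client": "hmac-sha2-256,hmac-sha1",
    "compression_algorithms_client_to_server": "none,zlib@openssh.com",
    "compression_algorithms_server_to_client": "none,zlib@openssh.com",
}
MODERN_SERVER = {
    "kex_algorithms": "diffie-hellman-group14-sha256,curve25519-sha256",
    "server_host_key_algorithms": "rsa-sha2-256,ssh-ed25519",
    "encryption_algorithms_client_to_server": "aes128-ctr,chacha20-poly1305@openssh.com",
    "encryption_algorithms_server_to_client": "aes128-ctr,chacha20-poly1305@openssh.com",
    "mac_algorithms_client_to_server": "hmac-sha2-256",
    "mac_algorithms_server_to_client": "hmac-sha2-256",
    "compression_algorithms_client_to_server": "none",
    "compression_algorithms_server_to_client": "none",
}
LEGACY_SERVER = dict(MODERN_SERVER, **{
    "kex_algorithms": "diffie-hellman-group1-sha1",
    "server_host_key_algorithms": "ssh-rsa",
    "encryption_algorithms_client_to_server": "aes128-cbc",
    "encryption_algorithms_server_to_client": "aes128-cbc",
    "mac_algorithms_client_to_server": "hmac-sha1",
    "mac_algorithms_server_to_client": "hmac-sha1",
})


def name_list(field: str) -> list:
    return [n for n in field.split(",") if n]


def choose(client: list, server: list) -> str:
    """RFC 4253 section 7.1: the first algorithm on the client's list that the
    server also supports. The server's own preference order does not matter."""
    for name in client:
        if name in server:
            return name
    raise ValueError("no common algorithm")


def negotiate(client: dict, server: dict) -> dict:
    chosen = {field: choose(name_list(client[field]), name_list(server[field]))
              for field in client}
    # A client's guessed first key-exchange packet (first_kex_packet_follows)
    # is valid only when both sides' first choices for kex and host key agree.
    chosen["guess_correct"] = (
        name_list(client["kex_algorithms"])[0] == name_list(server["kex_algorithms"])[0]
        and name_list(client["server_host_key_algorithms"])[0]
        == name_list(server["server_host_key_algorithms"])[0])
    return chosen


if __name__ == "__main__":
    print(negotiate(CLIENT_KEXINIT, MODERN_SERVER)["kex_algorithms"])
    print(negotiate(CLIENT_KEXINIT, LEGACY_SERVER)["kex_algorithms"])
```

The practical consequence: hardening an SSH client means removing weak entries from its own lists (so that negotiation with a legacy server fails loudly), not relying on the server to prefer strong ones.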
Secure shell (SSH) – Transport layer protocol
Key exchange & end of key exchange
• A Diffie-Hellman key exchange (a fixed group, group exchange, or an elliptic-curve variant) gives both parties a shared secret K and an exchange hash H that covers the identification strings, both KEXINIT messages and the host key.
• The server signs H with its host key, which is how the server is authenticated; the client must check that host key against one it already trusts, otherwise a man in the middle can present its own.
• Session keys and IVs for each direction are derived from K and H, and each side sends SSH_MSG_NEWKEYS to end the key exchange and switch to the negotiated algorithms.
Secure shell (SSH) – User authentication protocol
User Authentication Protocol (RFC 4252)
• Provides the means by which the client is authenticated to the server. It runs over the transport layer, so its messages are already encrypted and integrity protected.
Message format of a client request
• byte    SSH_MSG_USERAUTH_REQUEST (message number 50)
• string  user name (the authorization identity the client is claiming)
• string  service name (the facility to which the client is requesting access, for example "ssh-connection")
• string  method name ("publickey", "password", "hostbased" or "none")
• ...     method-specific fields
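The SSH binary packet format from the transport-layer slide and the USERAUTH_REQUEST message format above, built and parsed in one added example (illustrative code, not from the slides; the user name, service and password are constructed). The packet builder applies the padding rule (at least 4 bytes, total a multiple of the block size); the encryption and MAC that would wrap the packet on the wire are left out, which is exactly why the plaintext password is visible in the result.

```python
import os
import struct

SSH_MSG_USERAUTH_REQUEST = 50


def ssh_string(value: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack("!I", len(value)) + value


def read_string(buf: bytes, off: int):
    (n,) = struct.unpack("!I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def userauth_password_request(user: str, service: str, password: str) -> bytes:
    """RFC 4252 section 8: byte 50, string user, string service,
    string "password", boolean FALSE (not a password change), string password."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode())
            + ssh_string(service.encode()) + ssh_string(b"password")
            + b"\x00" + ssh_string(password.encode()))


def parse_userauth_request(payload: bytes) -> tuple:
    """Return (user, service, method, method-specific bytes)."""
    if payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    user, off = read_string(payload, 1)
    service, off = read_string(payload, off)
    method, off = read_string(payload, off)
    return user.decode(), service.decode(), method.decode(), payload[off:]


def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """RFC 4253 section 6 binary packet: uint32 packet_length, byte padding_length,
    payload, random padding. Padding is at least 4 bytes and the total (excluding
    the MAC) is a multiple of max(8, cipher block size). The MAC, if any, is
    appended after this by the transport layer."""
    unit = max(8, block_size)
    pad_len = unit - (len(payload) + 5) % unit
    if pad_len < 4:
        pad_len += unit
    packet_length = 1 + len(payload) + pad_len
    return struct.pack("!IB", packet_length, pad_len) + payload + os.urandom(pad_len)


def parse_packet(packet: bytes) -> bytes:
    """Return the payload; reject malformed length fields before using them."""
    packet_length, pad_len = struct.unpack("!IB", packet[:5])
    if pad_len < 4 or pad_len >= packet_length or packet_length + 4 > len(packet):
        raise ValueError("malformed packet")
    return packet[5:4 + packet_length - pad_len]


if __name__ == "__main__":
    payload = userauth_password_request("alice", "ssh-connection", "hunter2")
    packet = build_packet(payload, block_size=16)
    print(len(packet), parse_userauth_request(parse_packet(packet))[:3])
```

The length checks in parse_packet matter because the length fields are attacker-controlled until the MAC has been verified; a receiver that allocates or slices on them first can be driven into memory exhaustion or out-of-bounds reads.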
Secure shell (SSH) – User authentication protocol
Message formats of the server response
• SSH_MSG_USERAUTH_FAILURE (51): a name-list of the authentication methods that can continue, and a boolean "partial success" (TRUE when the request succeeded but a further method is still required).
• SSH_MSG_USERAUTH_SUCCESS (52): no fields; the client is authenticated and the requested service starts.
Secure shell (SSH) – User authentication protocol
Authentication methods
• The server may require one or more of the following authentication methods.
• publickey: the client sends its public key and a signature, made with the matching private key, over the session identifier and the request. When the server receives this message, it checks whether the supplied key is acceptable for the user and, if so, whether the signature is correct.
• password: the client sends a message containing the plaintext password, protected only by the encryption of the Transport Layer Protocol; the server therefore sees the password itself.
• hostbased: authentication is performed on the client's host. The client sends a signature created with the private key of the client host, and the SSH server verifies the identity of the client host (and trusts that host to have authenticated the user).
Secure shell (SSH) – Connection protocol
Connection protocol
• The SSH Connection Protocol runs on top of the SSH Transport Layer Protocol and assumes that a secure authentication connection is in use.
• That secure authentication connection, referred to as a tunnel, is used by the Connection Protocol to multiplex a number of logical channels.
Secure shell (SSH) – Connection protocol
Channel types: four channel types are defined (RFC 4254).
• session: remote execution of a program. Once a session channel is opened, subsequent requests start a shell, a command or a subsystem such as sftp.
• x11: forwarding of X Window System connections, so that a GUI program running on the remote host can display on the client's screen.
• forwarded-tcpip: remote port forwarding; the server opens the channel when a connection arrives on a port it was asked to listen on.
• direct-tcpip: local port forwarding; the client opens the channel to ask the server to connect to a given host and port.
Secure shell (SSH) – Port forwarding
Port forwarding
• Redirects a TCP connection addressed to one address and port to another address and port.
• Port forwarding over SSH (SSH tunnelling) carries any TCP connection inside the encrypted and authenticated SSH session, so an otherwise cleartext protocol is protected between the two SSH endpoints (but not beyond the far endpoint).
• SSH supports two types of port forwarding: local forwarding and remote forwarding.
Secure shell (SSH) – Port forwarding
Local forwarding
• The client sets up a "hijacker" process: it intercepts selected application-level traffic and redirects it from an unsecured TCP connection into the secure SSH tunnel.
• Case
  1. The SSH client sets up a connection to the external SSH server.
  2. Select an unused local port number (A) and configure the SSH client to accept traffic on this port destined for port (B) on the destination host.
  3. For each connection arriving on (A), the SSH client asks the SSH server (over a direct-tcpip channel) to connect to the destination port (B).
  4. The client takes any bytes sent to local port (A) and sends them to the external server inside the SSH session. The server decrypts the incoming bytes and sends the plaintext to port (B), and vice versa.
• With OpenSSH this is the -L option, for example -L A:destination:B.
Secure shell (SSH) – Port forwarding
Remote forwarding
• The SSH server acts on the client's behalf: the server listens for traffic on a given port, places it into the tunnel, and the client delivers it to the destination the user chooses. This works even when the client's network blocks inbound connections, because the SSH connection was opened outbound from the client.
• Case
  1. From computer (B), which cannot be reached from outside, set up an SSH connection to computer (A).
  2. Ask the SSH server on (A) to listen on a local port (q) and to deliver anything arriving there across the SSH connection to port (p) on (B).
  3. Now, on computer (A), connecting to port (q) reaches port (p) on (B).
  4. You have an SSH tunnel that can be used, for example, for remote logon to (B) (with p = 22).
• With OpenSSH this is the -R option.
Thank you!