SSL & TLS Architecture
By Avirot M. Liangsiri, Senior Technical Specialist, Professional Computer Co., Ltd.


Short presentation (2 hrs) on the SSL and TLS protocols and their reference standards. Good for intermediate participants or technical people who want to understand secure protocol an


Page 1: SSL & TLS Architecture short

SSL & TLS Architecture
By Avirot M. Liangsiri
Senior Technical Specialist
Professional Computer Co., Ltd.

Page 2: SSL & TLS Architecture short

Web Security Essential

• The Web is now widely used by business, government and individuals for multiple applications
• But the Internet & Web are vulnerable
• Have a variety of threats
  – integrity
  – confidentiality
  – denial of service
  – authentication
• Need added security mechanisms

Page 3: SSL & TLS Architecture short

Security Architecture

• ITU-T Recommendation X.805, "Security architecture for systems providing end-to-end communications", was developed by ITU-T SG 17 (ITU-T Lead Study Group on Telecommunication Security) and published in October 2003.
• The group has developed a set of well-recognized Recommendations on security. Among them are the X.800 series of Recommendations on security and X.509 v3, Public-key and Attribute Certificate Frameworks.

Page 4: SSL & TLS Architecture short

ITU-T X.800 Threat Model (simplified)

1 - Destruction (an attack on availability):

– Destruction of information and/or network resources

2 - Corruption (an attack on integrity):

– Unauthorized tampering with an asset

3 - Removal (an attack on availability):

– Theft, removal or loss of information and/or other resources

4 - Disclosure (an attack on confidentiality):

– Unauthorized access to an asset

5 - Interruption (an attack on availability):

– Interruption of services. Network becomes unavailable or unusable

Page 5: SSL & TLS Architecture short

ITU-T X.800 Eight Security Dimensions Address the Breadth of Network Vulnerabilities

• Access Control
  – Limit & control access to network elements, services & applications
  – Examples: password, ACL, firewall
• Authentication
  – Provide proof of identity
  – Examples: shared secret, PKI, digital signature, digital certificate
• Non-repudiation
  – Prevent ability to deny that an activity on the network occurred
  – Examples: system logs, digital signatures
• Data Confidentiality
  – Ensure confidentiality of data
  – Example: encryption
• Communication Security
  – Ensure information only flows from source to destination
  – Examples: VPN, MPLS, L2TP
• Data Integrity
  – Ensure data is received as sent or retrieved as stored
  – Examples: MD5, digital signature, anti-virus software
• Availability
  – Ensure network elements, services and applications are available to legitimate users
  – Examples: IDS/IPS, network redundancy, BC/DR
• Privacy
  – Ensure identification and network use is kept private
  – Examples: NAT, encryption

Eight Security Dimensions applied to each Security Perspective (layer and plane)

Page 6: SSL & TLS Architecture short

ITU-T X.800 Three Security Layers

• Each Security Layer has unique vulnerabilities, threats
• Infrastructure security enables services security enables applications security

[Figure: Infrastructure Security, Services Security and Applications Security layers, each with its own vulnerabilities, exposed to threats and attacks: Destruction, Corruption, Removal, Disclosure, Interruption. Vulnerabilities can exist in each layer.]

1 - Infrastructure Security Layer:
• Fundamental building blocks of networks, services and applications
• Examples:
  – Individual routers, switches, servers
  – Point-to-point WAN links
  – Ethernet links

2 - Services Security Layer:
• Services provided to end-users
• Examples:
  – Frame Relay, ATM, IP
  – Cellular, Wi-Fi
  – VoIP, QoS, IM, Location services
  – Toll free call services

3 - Applications Security Layer:
• Network-based applications accessed by end-users
• Examples:
  – Web browsing
  – Directory assistance
  – Email
  – E-commerce

Page 7: SSL & TLS Architecture short

ITU-T X.800 Applying Security Planes to Network Protocols

End User Security Plane
Activities
• End-user data transfer
• End-user – application interactions
Protocols
• HTTP, RTP, POP, IMAP
• TCP, UDP, FTP
• IPsec, TLS

Control/Signaling Security Plane
Activities
• Update of routing/switching tables
• Service initiation, control, and teardown
• Application control
Protocols
• BGP, OSPF, IS-IS, RIP, PIM
• SIP, RSVP, H.323, SS7
• IKE, ICMP
• PKI, DNS, DHCP, SMTP

Management Security Plane
Activities
• Operations
• Administration
• Management
• Provisioning
Protocols
• SNMP
• Telnet
• FTP
• HTTP

Page 8: SSL & TLS Architecture short

SSL (Secure Socket Layer)

• transport layer security service
• originally developed by Netscape
• version 3 designed with public input
• subsequently became Internet standard known as TLS (Transport Layer Security)
• uses TCP to provide a reliable end-to-end service
• SSL has two layers of protocols

Page 9: SSL & TLS Architecture short

Where SSL Fits

Plain:     HTTP (80)     SMTP (25)     POP3 (110)
Over SSL:  HTTPS (443)   SSMTP (465)   SPOP3 (995)

Layer stack, top to bottom:
Secure Sockets Layer
Transport
Network
Link

Page 10: SSL & TLS Architecture short

Uses Public Key Scheme

• Each client-server pair uses
  – 2 public keys
    – one for client (browser)
      – created when browser is installed on client machine
    – one for server (http server)
      – created when server is installed on server hardware
  – 2 private keys
    – one for client browser
    – one for server (http server)

Page 11: SSL & TLS Architecture short

SSL Architecture

Page 12: SSL & TLS Architecture short

SSL Architecture

• SSL session
  – an association between client & server
  – created by the Handshake Protocol
  – defines a set of cryptographic parameters
  – may be shared by multiple SSL connections (by using same session symmetric key)
• SSL connection
  – a transient, peer-to-peer communications link
  – associated with 1 SSL session

Page 13: SSL & TLS Architecture short

SSL Record Protocol

• confidentiality
  – using symmetric encryption with a shared secret key defined by Handshake Protocol
  – IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
  – message is compressed before encryption
• message integrity
  – using a MAC (Message Authentication Code) created using a shared secret key and a short message

Page 14: SSL & TLS Architecture short

SSL Alert Protocol

• conveys SSL-related alerts to peer entity
• severity
  – warning or fatal
• specific alert
  – unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
  – close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
• compressed & encrypted like all SSL data

Page 15: SSL & TLS Architecture short

SSL Handshake Protocol

• allows server & client to:
  – authenticate each other
  – negotiate encryption & MAC algorithms
  – negotiate cryptographic keys to be used
• comprises a series of messages in phases
  – Establish Security Capabilities
  – Server Authentication and Key Exchange
  – Client Authentication and Key Exchange
  – Finish

Page 16: SSL & TLS Architecture short

SSL Handshake Protocol

Page 17: SSL & TLS Architecture short

Changes from SSL 3.0 to TLS

• Fortezza removed
• Additional Alerts added
• Modification to hash calculations
• Protocol version 3.1 in ClientHello, ServerHello

Page 18: SSL & TLS Architecture short

TLS (Transport Layer Security)

• IETF standard RFC 2246 similar to SSLv3
• with minor differences
  – in record format version number
  – uses HMAC for MAC
  – a pseudo-random function expands secrets
  – has additional alert codes
  – some changes in supported ciphers
  – changes in certificate negotiations
  – changes in use of padding

Page 19: SSL & TLS Architecture short

TLS: Key Exchange

• Need secure method to exchange secret key
• Use public key encryption for this
  – “key pair” is used - either one can encrypt and then the other can decrypt
  – slower than conventional cryptography
  – share one key, keep the other private
• Choices are RSA or Diffie-Hellman

Page 20: SSL & TLS Architecture short

TLS: Integrity

• Compute fixed-length Message Authentication Code (MAC)
  – Includes hash of message
  – Includes a shared secret
  – Includes sequence number
• Transmit MAC with message

Page 21: SSL & TLS Architecture short

TLS: Integrity

• Receiver creates new MAC
  – should match transmitted MAC
• TLS allows MD5, SHA-1

[Figure: A sends Message and MAC to B; B computes MAC’ over the received Message’ and checks MAC’ =? MAC]
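
The two Integrity slides, worked as an added example (not code from the presentation): the TLS 1.0 record MAC from RFC 2246, computed by the sender and re-computed by the receiver. The key, the messages and the `Receiver` and `demo` names are constructed for illustration; the demo keeps checking after a failure only to show each case, whereas a real connection ends at the first bad MAC.

```python
import hashlib
import hmac
import struct

TLS10 = (3, 1)           # protocol version 3.1 as carried in TLS 1.0 records
APPLICATION_DATA = 23    # record content type

def record_mac(mac_secret, seq_num, content_type, fragment,
               version=TLS10, digest=hashlib.sha1):
    """HMAC over seq_num || type || version || length || fragment (RFC 2246, 6.2.3.1)."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, digest).digest()

class Receiver:
    """Keeps the implicit read sequence number, which is never sent on the wire."""
    def __init__(self, mac_secret):
        self.mac_secret = mac_secret
        self.seq = 0

    def accept(self, content_type, fragment, mac):
        expected = record_mac(self.mac_secret, self.seq, content_type, fragment)
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return False    # a real peer sends a fatal bad_record_mac alert and closes
        self.seq += 1
        return True

def demo():
    secret = b"constructed-mac-write-secret"          # constructed sample key
    msgs = [b"GET / HTTP/1.0\r\n\r\n", b"second record"]
    sent = [(m, record_mac(secret, i, APPLICATION_DATA, m)) for i, m in enumerate(msgs)]
    rx = Receiver(secret)
    return {
        "in_order": rx.accept(APPLICATION_DATA, *sent[0]),
        "tampered": rx.accept(APPLICATION_DATA, b"second recorD", sent[1][1]),
        "replayed": rx.accept(APPLICATION_DATA, *sent[0]),   # valid MAC, stale sequence number
        "next":     rx.accept(APPLICATION_DATA, *sent[1]),
    }

if __name__ == "__main__":
    print(demo())
```

Because the sequence number is part of the MAC input, a replayed or reordered record fails verification even though its bytes and MAC are unmodified.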

Page 22: SSL & TLS Architecture short

TLS: Authentication

• Verify identities of participants
• Client authentication is optional
• Certificate is used to associate identity with public key and other attributes

[Figure: A and B each present a Certificate]

Page 23: SSL & TLS Architecture short

TLS: Overview

• Establish a session
  – Agree on algorithms
  – Share secrets
  – Perform authentication
• Transfer application data
  – Ensure privacy and integrity

Page 24: SSL & TLS Architecture short

TLS: Architecture

• TLS defines Record Protocol to transfer application and TLS information
• A session is established using a Handshake Protocol

[Figure: Handshake Protocol, Alert Protocol and Change Cipher Spec layered on top of the TLS Record Protocol]

Page 25: SSL & TLS Architecture short


TLS: Record Protocol

Page 26: SSL & TLS Architecture short

TLS: Handshake

• Negotiate Cipher-Suite Algorithms
  – Symmetric cipher to use
  – Key exchange method
  – Message digest function
• Establish and share master secret
• Optionally authenticate server and/or client

Page 27: SSL & TLS Architecture short

Handshake Phases

• Hello messages
• Certificate and Key Exchange messages
• Change CipherSpec and Finished messages

Page 28: SSL & TLS Architecture short

TLS: Hello

• Client “Hello” - initiates session
  – Propose protocol version
  – Propose cipher suite
  – Server chooses protocol and suite
• Client may request use of cached session
  – Server chooses whether to honor request

Page 29: SSL & TLS Architecture short

TLS: Key Exchange

• Server sends certificate containing public key (RSA) or Diffie-Hellman parameters
• Client sends encrypted “pre-master” secret to server using Client Key Exchange message
• Master secret calculated
  – Use random values passed in Client and Server Hello messages

Page 30: SSL & TLS Architecture short

Public Key Certificates

• X.509 Certificate associates public key with identity
• Certification Authority (CA) creates certificate
  – Adheres to policies and verifies identity
  – Signs certificate
• User of Certificate must ensure it is valid

Page 31: SSL & TLS Architecture short

Validating a Certificate

• Must recognize accepted CA in certificate chain
  – One CA may issue certificate for another CA
• Must verify that certificate has not been revoked
  – CA publishes Certificate Revocation List (CRL)

Page 32: SSL & TLS Architecture short

X.509: Certificate Content

• Version
• Serial Number
• Signature Algorithm Identifier
  – Object Identifier (OID)
  – e.g. id-dsa: {iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 1}
• Issuer (CA) X.500 name
• Validity Period (Start, End)
• Subject X.500 name
• Subject Public Key
  – Algorithm
  – Value
• Issuer Unique Id (Version 2, 3)
• Subject Unique Id (Version 2, 3)
• Extensions (version 3)
  – optional
• CA digital Signature

Page 33: SSL & TLS Architecture short

Subject Names

• X.500 Distinguished Name (DN)
  – Associated with node in hierarchical directory (X.500)
• Each node has Relative Distinguished Name (RDN)
  – Path for parent node
  – Unique set of attribute/value pairs for this node

Page 34: SSL & TLS Architecture short

Example Subject Name

• Country at Highest Level (e.g. US)
• Organization typically at next level (e.g. CertCo)
• Individual below (e.g. Common Name “Elizabeth” with Id = 1)

DN = {
  C=US;
  O=CertCo;
  CN=Elizabeth, ID=1}

Page 35: SSL & TLS Architecture short

Version 3 Certificates

• Version 3 X.509 Certificates support alternative name formats as extensions
  – X.500 names
  – Internet domain names
  – e-mail addresses
  – URLs
• Certificate may include more than one name

Page 36: SSL & TLS Architecture short

Certificate Signature

• RSA Signature
  – Create hash of certificate
  – Encrypt using CA’s private key
• Signature verification
  – Decrypt using CA’s public key
  – Verify hash

Page 37: SSL & TLS Architecture short

TLS: ServerKeyExchange

Client: ClientHello
Server: ServerHello, Certificate, ServerKeyExchange

Page 38: SSL & TLS Architecture short

TLS: Certificate Request

Client: ClientHello
Server: ServerHello, Certificate, ServerKeyExchange, CertificateRequest

Page 39: SSL & TLS Architecture short

TLS: Client Certificate

Client: ClientHello
Server: ServerHello, Certificate, ServerKeyExchange, CertificateRequest
Client: ClientCertificate, ClientKeyExchange

Page 40: SSL & TLS Architecture short

TLS: Change Cipher Spec, Finished

Client: [ChangeCipherSpec], Finished
Server: [ChangeCipherSpec], Finished
Client and Server: Application Data

Page 41: SSL & TLS Architecture short

TLS: Change Cipher Spec/Finished

• Change Cipher Spec
  – Announce switch to negotiated algorithms and values
• Finished
  – Send copy of handshake using new session
  – Permits validation of handshake

Page 42: SSL & TLS Architecture short

TLS: Using a Session

Client: ClientHello (Session #)
Server: ServerHello (Session #), [ChangeCipherSpec], Finished
Client: [ChangeCipherSpec], Finished
Client and Server: Application Data

Page 43: SSL & TLS Architecture short

TLS: HTTP Application

• HTTP most common TLS application
  – https://
• Requires TLS-capable web server
• Requires TLS-capable web browser
  – Netscape Navigator
  – Internet Explorer
  – Cryptozilla
    – Netscape Mozilla sources with SSLeay

Page 44: SSL & TLS Architecture short

X.509 Certificate Issues

• Certificate Administration is complex
  – Hierarchy of Certification Authorities
  – Mechanisms for requesting, issuing, revoking certificates
• X.500 names are complicated
• Description formats are cumbersome (ASN.1)

Page 45: SSL & TLS Architecture short

X.509 Alternative: SDSI

• SDSI: Simple Distributed Security Infrastructure (Rivest, Lampson)
• Merging with IETF SPKI: Simple Public-Key Infrastructure in SDSI 2.0
• Eliminate X.500 names - use DNS and text
• Everyone is their own CA
• Instead of ASN.1 use “S-expressions” and simple syntax
• Name and Authorization certificates

Page 46: SSL & TLS Architecture short

TLS “Alternatives”

• S-HTTP: secure HTTP protocol, shttp://
• IPSec: secure IP
• SET: Secure Electronic Transaction
  – Protocol and infrastructure for bank card payments
• SASL: Simple Authentication and Security Layer (RFC 2222)

Page 47: SSL & TLS Architecture short

Summary

• SSL/TLS addresses the need for security in Internet communications
  – Privacy - conventional encryption
  – Integrity - Message Authentication Codes
  – Authentication - X.509 certificates
• SSL in use today with web browsers and servers
  – Equivalent to TLS