Title: Lecture 6: Web security: SSL
Slide 1: Lecture 6 Web security SSL
- Anish Arora
- CSE 5473
- Introduction to Network Security
Slide 2: Web security needs
- Web now widely used by business, government, individuals, but the Internet and the Web are vulnerable
- Threats
  - Revealing private information on server
  - Interception of client information (client card fraud and abuse)
  - Content hijacking (mimics of well-known sites) and defacement
  - Hostile content (recursive window pop-ups)
  - Cookies reveal where users have been, how many times ads have been displayed (user profiling), allow impersonation
- Web server attacks
  - Buffer overflow (longer than expected parameters)
  - Dot-dot URL traversal allows file system access
  - Allowing attacker to execute programs (editors, xterm), root access
  - Denial of service
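The dot-dot traversal item above is the one threat on this slide that a server can close with a purely local check. The following is an added example, not code from the lecture: it contrasts the naive "glue the URL path onto the document root" mapping with a resolver that decodes the path, collapses `.` and `..` lexically, and refuses anything that lands outside the document root. The document root `/var/www/html` and the request paths are constructed for the example.

```python
import os
from pathlib import Path
from urllib.parse import unquote

# Constructed document root for the example (any absolute directory would do).
DOC_ROOT = Path("/var/www/html")


def naive_resolve(doc_root: Path, url_path: str) -> Path:
    """The pattern behind dot-dot traversal: concatenate the URL path onto the
    document root and let the OS interpret '..'. Shown only for contrast."""
    return Path(os.path.normpath(str(doc_root) + unquote(url_path)))


def resolve_safe(doc_root: Path, url_path: str):
    """Map a URL path onto the document root.

    Returns the resolved filesystem path, or None when the request would escape
    doc_root, so the server can answer with an error instead of the file.
    """
    # Decode percent-encoding first (%2e%2e is '..'), then drop the leading
    # slash so that joining does not replace the document root.
    rel = unquote(url_path).lstrip("/")
    # normpath collapses '.' and '..' lexically, without touching the
    # filesystem, so the containment check works even for files that do not exist.
    candidate = Path(os.path.normpath(doc_root / rel))
    try:
        candidate.relative_to(doc_root)  # raises ValueError when outside doc_root
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("/index.html", "/css/../index.html", "/../../../etc/passwd",
                "/%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req:40} naive={naive_resolve(DOC_ROOT, req)}  safe={resolve_safe(DOC_ROOT, req)}")
```

The containment test is done on the normalised path rather than by scanning the string for `..`, so encoded, doubled or mid-path traversal segments are all handled by the same rule: the result must still lie under the document root.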
Slide 3: Web security needs
- CGI scripts
  - clients can invoke services via HTML macros run on the server side
  - scripts allow encoding of commands
  - server runs as root (port 80)
- Requirements include
  - integrity
  - confidentiality
  - dealing with denial of service
  - authentication
Slide 4: Web security
- Need added security mechanisms
  - authentication can be based on message digest
  - cookies can help
  - access control via network addresses
  - multi-layered: SHTTP (just for HTTP), SSL (generic for TCP), IPSec (host to host)
Slide 5: SSL (Secure Socket Layer)
- transport layer security service, yields a secure channel: a secure byte stream
- optional public-key server authentication
- optional client authentication
- originally developed by Netscape
  - hash: combined MD5 and SHA
  - encryption: Diffie-Hellman, RSA, DES, RC4
- version 3 designed with public input, subsequently became the Internet standard TLS (Transport Layer Security)
- uses TCP to provide a reliable end-to-end service
- useful for HTTP, NNTP, telnet, telephony signaling
- SSL has two layers of protocols
Slide 6: SSL architecture (figure)
Slide 7: SSL architecture
- SSL session
  - an association between client and server
  - created by the Handshake Protocol
  - defines a set of cryptographic parameters
  - may be shared by multiple SSL connections
- SSL connection
  - a transient, peer-to-peer communications link
  - associated with one SSL session
Slide 8: SSL record protocol
- confidentiality
  - using symmetric encryption with a shared secret key defined by the Handshake Protocol
  - → stateful protocol
  - IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
  - message is compressed before encryption
- message integrity
  - using a MAC with shared secret key
  - similar to HMAC but with different padding
Slide 9: SSL record protocol operation (figure)
Slide 10: SSL record format (figure)
Slide 11: Crypto for Record Protocol
- Use IV (one of the parts of the keys exchanged) as seed in CBC encryption mode
  - IV is used for the first message
  - last ciphertext block of the previous message is used as IV for the new message
- MAC is appended to M; padding is used
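Slides 8 and 11 describe the integrity half of the record protocol: a MAC over the (compressed) fragment, keyed with a secret from the handshake, "similar to HMAC but with different padding". The block below is an added example, not code from the lecture. It implements the SSL 3.0 record MAC as specified in RFC 6101 (two nested hashes with fixed 0x36/0x5c pads) next to the HMAC form used by TLS 1.0, and a minimal record endpoint that tracks the implicit 64-bit sequence number and raises the equivalent of a fatal bad_record_mac alert on a tampered or replayed record. Compression and the CBC encryption that follows the MAC are deliberately not modelled; the MAC secret and the record contents are constructed.

```python
import hashlib
import hmac
import struct

# SSL 3.0 pad lengths: 48 bytes for MD5, 40 bytes for SHA-1 (RFC 6101, 5.2.3.1).
SSL3_PAD_LEN = {"md5": 48, "sha1": 40}
TLS10_VERSION = b"\x03\x01"
APPLICATION_DATA = 23  # record content type


def ssl3_mac(mac_secret: bytes, seq_num: int, content_type: int,
             fragment: bytes, hash_name: str = "sha1") -> bytes:
    """SSL 3.0 record MAC:
    hash(secret || pad2 || hash(secret || pad1 || seq || type || len || fragment)).
    Same two-level shape as HMAC, but the pads are appended to the raw secret
    and have a length that depends on the hash, not on its block size."""
    n = SSL3_PAD_LEN[hash_name]
    pad1, pad2 = b"\x36" * n, b"\x5c" * n
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, mac_secret + pad1 + header + fragment).digest()
    return hashlib.new(hash_name, mac_secret + pad2 + inner).digest()


def tls_mac(mac_secret: bytes, seq_num: int, content_type: int,
            fragment: bytes, hash_name: str = "sha1") -> bytes:
    """TLS 1.0 record MAC (RFC 2246, 6.2.3.1): a standard HMAC over
    seq || type || version || len || fragment."""
    header = struct.pack("!QB", seq_num, content_type) + TLS10_VERSION \
        + struct.pack("!H", len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_name).digest()


class RecordEndpoint:
    """One direction of a record-layer connection. The sequence number is part
    of every MAC but is never transmitted; both ends count it locally."""

    def __init__(self, mac_secret: bytes, mac=ssl3_mac):
        self.mac_secret, self.mac, self.seq = mac_secret, mac, 0

    def protect(self, content_type: int, fragment: bytes):
        """Sender: return (fragment, tag) for the next record."""
        tag = self.mac(self.mac_secret, self.seq, content_type, fragment)
        self.seq += 1
        return fragment, tag

    def accept(self, content_type: int, fragment: bytes, tag: bytes) -> bytes:
        """Receiver: recompute the MAC and compare in constant time. A mismatch
        is what the alert protocol reports as a fatal bad_record_mac."""
        expected = self.mac(self.mac_secret, self.seq, content_type, fragment)
        if not hmac.compare_digest(expected, tag):
            raise ValueError("fatal alert: bad_record_mac")
        self.seq += 1
        return fragment


def demo() -> dict:
    """Constructed exchange: one good record, one replay, one flipped byte."""
    key = b"constructed-mac-write-secret"
    sender, receiver = RecordEndpoint(key), RecordEndpoint(key)
    results = {}

    frag, tag = sender.protect(APPLICATION_DATA, b"GET / HTTP/1.0\r\n")
    results["ok"] = receiver.accept(APPLICATION_DATA, frag, tag) == frag

    # Replay of the same record: the receiver's sequence number has advanced.
    try:
        receiver.accept(APPLICATION_DATA, frag, tag)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True

    # One flipped byte in the fragment of the next record.
    frag2, tag2 = sender.protect(APPLICATION_DATA, b"second record")
    tampered = bytes([frag2[0] ^ 1]) + frag2[1:]
    try:
        receiver.accept(APPLICATION_DATA, tampered, tag2)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Because the sequence number is folded into the MAC, a record captured on the wire cannot be re-injected later, and a record deleted from the stream is noticed as soon as the next one arrives, which is the property the sequence-number field exists to provide.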
Slide 12: SSL record protocol payload (figure)
Slide 13: SSL change cipher specification protocol
- one of 3 SSL-specific protocols which use the SSL record protocol
- a single message
- causes pending state to become current
  - hence updating the cipher suite in use
Slide 14: SSL alert protocol
- conveys SSL-related alerts to peer entity
- severity
  - warning or fatal
- specific alert
  - unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter
  - close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
- compressed and encrypted like all SSL data
Slide 15: SSL handshake protocol
- allows server and client to
  - authenticate each other
  - negotiate encryption and MAC algorithms
  - negotiate cryptographic keys to be used
- comprises a series of messages in phases
  - establish security capabilities
  - server authentication and key exchange
  - client authentication and key exchange
  - finish
Slide 16: What's wrong with this handshake protocol?
Alice → Bob: Can we talk?, cipher list
Bob → Alice: cipher, certificate (Bob)
Alice → Bob: {K}_Bob (K encrypted under Bob's public key)
Alice ↔ Bob: Data protected with key K
Slide 17: Simplified SSL protocol
Alice → Bob: Can we talk?, cipher list, N_A
Bob → Alice: cipher, certificate (Bob), N_B
Alice → Bob: {S}_Bob, E(h(msgs, CLNT, K), K)
Bob → Alice: h(msgs, SRVR, K)
Alice ↔ Bob: Data protected with key K
- S is the pre-master secret, derived from a random value with PKCS padding and including the client version number
- Key K = h(S, N_A, N_B)
- K has three parts: (i) for encryption, (ii) for IV, (iii) for hash
- msgs = all previous messages; CLNT and SRVR are constants
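The exchange on slide 17, run end to end, as an added example that is not part of the lecture. Both parties keep their own transcript, derive K = h(S, N_A, N_B), split K into the three parts the slide names, and check the other side's finished value h(msgs, role, K). A constructed man-in-the-middle option rewrites Alice's cipher list before Bob sees it, which shows why the transcript is hashed into the finished messages. Assumptions made here that the slide leaves open: h is SHA-256 over length-prefixed parts; the three parts of K are 16/8/8 bytes; the wire format of the messages is an ad hoc `|`-separated encoding; the RSA transport of S under Bob's public key and the encryption E of Alice's finished value are not modelled (Bob simply obtains S).

```python
import hashlib
import hmac
import secrets

CLNT = b"CLNT"  # constants from the slide
SRVR = b"SRVR"


def h(*parts: bytes) -> bytes:
    """h from the slide, instantiated as SHA-256. Each part is length-prefixed
    so that concatenation is unambiguous (a choice made here, not on the slide)."""
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()


def derive_key(S: bytes, NA: bytes, NB: bytes) -> dict:
    """K = h(S, N_A, N_B), split into encryption key, IV and hash (MAC) key.
    The 16/8/8 split is an assumption; the slide gives no sizes."""
    K = h(S, NA, NB)
    return {"K": K, "enc": K[:16], "iv": K[16:24], "mac": K[24:]}


def finished(msgs: list, role: bytes, K: bytes) -> bytes:
    """h(msgs, role, K): binds the whole transcript seen so far to the key."""
    return h(*msgs, role, K)


def run_handshake(cipher_list: bytes = b"AES128,3DES,RC4",
                  rewrite_cipher_list: bytes = None) -> dict:
    """Run the four messages of slide 17. If rewrite_cipher_list is given, an
    attacker in the middle replaces Alice's cipher list before Bob sees it."""
    alice_msgs, bob_msgs = [], []

    # 1. Alice -> Bob: Can we talk?, cipher list, N_A
    NA = secrets.token_bytes(32)
    m1 = b"Can we talk?|" + cipher_list + b"|" + NA
    alice_msgs.append(m1)
    m1_seen = m1 if rewrite_cipher_list is None else \
        b"Can we talk?|" + rewrite_cipher_list + b"|" + NA
    bob_msgs.append(m1_seen)

    # 2. Bob -> Alice: cipher, certificate(Bob), N_B   (Bob picks the first cipher he sees)
    NB = secrets.token_bytes(32)
    chosen = m1_seen.split(b"|")[1].split(b",")[0]
    m2 = chosen + b"|cert(Bob)|" + NB
    bob_msgs.append(m2)
    alice_msgs.append(m2)

    # 3. Alice -> Bob: {S}_Bob, E(h(msgs, CLNT, K), K)
    S = secrets.token_bytes(48)  # pre-master secret; PKCS padding and version byte not modelled
    alice_msgs.append(S)         # the {S}_Bob message is part of the transcript
    bob_msgs.append(S)           # public-key transport not modelled: Bob obtains S directly
    Ka = derive_key(S, NA, NB)
    alice_fin = finished(alice_msgs, CLNT, Ka["K"])

    # Bob derives the same K and checks Alice's finished value against HIS transcript.
    Kb = derive_key(S, NA, NB)
    bob_accepts = hmac.compare_digest(alice_fin, finished(bob_msgs, CLNT, Kb["K"]))

    # 4. Bob -> Alice: h(msgs, SRVR, K), msgs now including Alice's finished value
    bob_msgs.append(alice_fin)
    alice_msgs.append(alice_fin)
    bob_fin = finished(bob_msgs, SRVR, Kb["K"])
    alice_accepts = hmac.compare_digest(bob_fin, finished(alice_msgs, SRVR, Ka["K"]))

    return {"cipher": chosen, "bob_accepts": bob_accepts, "alice_accepts": alice_accepts,
            "same_key": Ka["K"] == Kb["K"]}


if __name__ == "__main__":
    print("honest run:  ", run_handshake())
    print("rewritten m1:", run_handshake(rewrite_cipher_list=b"RC4"))
```

In the rewritten run both sides still derive the same K (the attacker left S and the nonces alone), yet Bob's recomputed h(msgs, CLNT, K) disagrees with Alice's because his copy of message 1 differs, so the handshake fails before any application data is sent. That is the protection the `msgs` input buys over the slide 16 version.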
Slide 18: Certificate verification
- Look at a browser, the certificate associated with a secure server, and its certificate chain
- Browser has embedded in it some certificate along this chain
- This is the basis for checking that the certificate received in the second step is valid
Slide 19: SSL handshake protocol (figure)
- Colored messages are optional
- Phase 1-3 messages are plaintext
Slide 20: SSL handshake protocol
- Phase 1
  - C → S: Client hello (to establish security enhancement capabilities)
    - random challenge, which algorithms are supported
    - server chooses encryption, compression algorithms
  - S → C: Server hello
    - acknowledges algorithms
    - establishes random connection id
- Phase 2
  - S → C: Server certificate
    - server returns an X.509 certificate chain
    - optionally asks for client certificate
Slide 21: SSL handshake protocol
- Phase 3
  - Client key exchange
    - client verifies certificate chain against that in the web browser
    - if not in list of CAs, may trust the new certificate
    - client generates 48-byte pre-secret
  - C → S: session key exchange
    - pre-secret encrypted with server's public key in certificate
    - both sides can now generate master secret
    - session key now generated from master secret
    - client hello random provides salt
Slide 22: SSL handshake protocol
- S → C: optionally request client certificate (in phase 2)
  - send challenge phrase, encrypted with server write key
- (in phase 3) client responds with encrypted
  - MD5(server challenge and certificate), client certificate
  - server verifies certificate and hash
  - certificate used to associate with username/password, for future logins
- Phase 4
  - Finished message exchange, encrypted with session key
  - verifies success of key exchange and authentication processes
- Phase 5
  - Now encrypted application data exchanged between C and S
Slide 23: TLS (Transport Layer Security)
- IETF standard RFC 2246, similar to SSLv3 with minor differences
  - in record format version number
  - uses HMAC for MAC
  - a pseudo-random function expands secrets
  - has additional alert codes
  - some changes in supported ciphers
  - changes in certificate negotiations
  - changes in use of padding