CMPE 526 Operating System and Network Security, Spring 2005

1
CMPE 526 Operating System and Network Security,
Spring 2005

• PRESENTATION ON WEB SECURITY
• SSL (SECURE SOCKETS LAYER)

MEHMET GÜVENIS 2004720551
Presentation Date 14/04/2005
2
Outline

• Web Security Considerations
• What is SSL?
• SSL Applications
• SSL Protocols
• SSL Overhead

3
Web Security Considerations

• Internet and web are extremely vulnerable to
  compromises of various sorts
• Web has variety of threats
• Integrity modification of user data
• Confidentiality eavesdropping on the Net
• Denial Of Service preventing any part of system
  from functioning
• Authentication impersonation of legitimate
  users

4
Web Security Considerations

• Web threats can access to mainly 3 locations
• Web server
• Web browser
• Traffic between browser server

Fall into category of job of computer system
security
Fall into category of network security
5
What is SSL?

• SSL is the Secure Sockets Layer, a general
  purpose protocol for sending encrypted
  information over the Internet
• Transport layer security service
• Makes use of TCP to provide end-to-end secure
  service
• Originally developed by Netscape
• Since 1995, version 3.0 has grown in popularity
  and became a standard. SSL 3.0 is the version
  most Web servers, such as IIS 5.0 and IIS 4.0,
  support today
• Subsequently became Internet Standard known as
  TLS
• Works at the Transport and Session layers of the
  Open System Interconnection (OSI) model to
  support the Application layer, where both the Web
  server and browser interoperate

6
More On SSL

• SSL provides security for Web traffic
• Security includes confidentiality, message
  integrity, and authentication. SSL achieves these
  elements of security through the use of
  cryptography, digital signatures, and
  certificates
• SSL uses symmetric cryptography for the bulk data
  encryption during the transfer phase however,
  asymmetric cryptography is used to negotiate the
  key used for that symmetric encryption

7
SSL Applications

• HTTP original application
• Secure mail password encryption, encryption of
  incoming e-mail messages
• Server to client connection
• Telnet client authentication is performed with
  client certificate
• FTP

8
Credit Cards, Encryption and the Web

• When people try to buy something from an online
  vendor with their credit card over the Internet,
  basically 2 risks appear
• The credit card number might be learnt by some
  electronic villain as it travels accross the
  Internet. This person could then use the credit
  card number to commit fraud
• The credit card might get billed, bu the desired
  process might never be proceed. This means that
  the online transaction was a scam and the money
  is lost
• Netsacpe's SSL was designed to combat against
  these problems
• It uses encryption, a mathematical technique for
  scrambling information, so that data sent between
  customer's web browser and online vendor can't be
  monitored while it is in transit. SSL also
  supports a sophisticated system for digital
  identification, so customer becomes sure that
  people operating online shops are really who they
  claim to be

9
Credit Cards, Encryption and the Web(cont.)
10
Using SSL to Send Credit Card Numbers Securely

• If you use an SSL-aware web browser (Netscape
  Navigator, Microsofts Internet Explorer) and if
  the web server that you are trying to access is
  cryptographically enabled, you can instruct the
  browser to create an encrypted connection to your
  server by simply replacing http in your URL
  with https
• If you have a form which allows people to submit
  sensitive information (credit card number), you
  can force the information to be submitted
  cryptographically by simply modifying the
  actionclause in your HTML file, again changing
  the http to https
• Example
• http//www.company.com/document.html
• ltform methodPOST actionhttp//www.company.com
  /cgi-bin/entergt
• https//www.company.com/document.html
• ltform methodPOST actionhttps//www.company.co
  m/cgi-bin/entergt

11
SSL Concepts

• SSL Connection
• A transient, P2P communication link
• Every connection is associated with one session
• SSL Session
• Association between client server
• Created by handshake protocol
• Define a set of cryptographic parameters
• Used to avoid expensive negotiation of new
  security parameters for each connection
• May be shared by multiple SSL connections

12
SSL Session Key

• A session key is a pair of secret words that a
  server and client share these keys are used in
  the encryption process of every SSL session
• The longer the session key, the harder it is to
  break the encryption of the SSL session and read
  the transmitted data

13
Encryption Keys Of SSL

• Can be implemented in either 40-bit or 128-bit
  encryption(40-bit and 128-bit refer to the size
  of the session key)
• It is not very difficult for modern computers to
  crack 240 combinations in a reasonable time
  period
• The makers of Web browser software recognized the
  need to increase the strength of encryption and
  moved to a new standard, 128-bit encryption
  several years ago
• Compared to 40-bit encryption, 128-bit encryption
  offers 88 additional bits of key length. This
  translates to 288 or 309,485,009,821,345,068,724,7
  81,056 additional combinations required for a
  brute-force crack

14
SSL as a Transport Level Security Approach
15
SSL as a Transport Level Security Approach

• SSL has 2 implementation choices
• Provides as a part of underlying protocol suite
  and transparent to applications
• It can be embedded in specific packages(Netscape
  Internet Explorer are equipped with SSL)

16
SSL Protocol Stack
17
SSL Protocols

• The client authenticates the server during the
  Handshake Protocol
• When the session is initiated and the handshake
  is complete, the data transfer is encrypted
  during the Record Protocol phase
• If there are any alarms at any point during the
  session, the alert is attached to the
  questionable packet and handled according to the
  Alert Protocol

18
SSL Protocols(cont.)
19
SSL Handshake Protocol

• Used before any application data is transmitted
• Allows server client to
• authenticate each other
• to negotiate encryption MAC algorithms
• to negotiate cryptographic keys to be used
• Consists of series of messages exchanged by
  client and server
• Establish Security Capabilities
• Server Authentication and Key Exchange
• Client Authentication and Key Exchange
• Finish

20
SSL Handshake Protocol(cont.)

• Each message has 3 fields
• Type(1 byte) type of the message(one of 10
  messages)
• Length (3 bytes) the length of the message in
  bytes
• Content (1 byte) parameters associated with the
  message
• 1 byte 3 bytes 1 byte

21
SSL Handshake Protocol Action
22
SSL Handshake Protocol Phase 1 Establish
Security Capabilities

• Initiate a logical connection and establish the
  security capabilities that will be associated
  with it
• SSL client attempts to negotiate session
  parameters with SSL server such as which
  algorithm to encrypt with, which version of SSL
  protocol to use, whether authentication is
  necessary(required by either of them), which type
  of public key encryption to use to swap shared
  secrets

23
SSL Handshake Protocol Phase 1 Establish
Security Capabilities(cont.)

• The exchange is started by the client which sends
  client_hello message
• Version defines which version of SSL protocol to
  use. This is the highest version understood by
  the client
• Random Numbers serve as nonce and used in key
  exchange to prevent replay attacks
• Session ID variable length session identifier.
  When it is nonzero, this means that client wishes
  to update the parameters of an existing
  connection or create a new connection on this
  session. A zero value indicates that the client
  wishes to establish a new connection on a new
  session.
• CipherSuite list that contains the combinations
  of cryptographic algorithms supported by the
  client, in decreasing order of preference. Each
  element on the list (each cipher suite) defines
  both a key exchange algorithm (key exchange
  method the means by which the cryptographic
  keys for conventional encryption and MAC are
  exchanged. As an example RSA, Diffie-Hellman,
  Fortezza) and a CipherSpec (cipher algorithm(DES,
  3DES, Fortezza), MAC algorithm(MD5, SHA-1), hash
  size)
• Compression Method list of compression methods
  that client supports

24
SSL Handshake Protocol Phase 1 Establish
Security Capabilities(cont.)

• After client_hello message, client waits for the
  server_hello message from server
• Version SSL version that will be used for the
  SSL session. Lower of version suggested by client
  the highest supported by server
• Random Numbers(32 bytes) independent of client's
  Random field.
• Session ID when it is nonzero, the same value is
  used by server. Otherwise, server's SessionID
  field contains the value for the new session
• CipherSuite contains the single cipher suite
  selected by server from those selected by client
• Compression Method contains the compression
  method selected by server from those selected by
  client

25
SSL Handshake Protocol Phase 2 Server
Authentication and Key Exchange

• If the client asked the SSL server to present a
  client certificate, the server presents it (if it
  needs to be authenticated) (certificate). The
  server offers a certificate that is usually
  X.509-compatible
• If the server has no certificate or the
  certificate used doesn't support the
  Diffie-Hellman protocol, the server must exchange
  public keys with the client(server_key_exchange)
• The server may send certificate_request to the
  client, asking the client to authenticate. The
  client will respond with either a certificate
  message or a no_certificate alert
• The final message in this phase is
  server_hello_done message which is sent by the
  server to indicate the end of server hello and
  associated messages. After this, server waits for
  a client response

26
SSL Handshake Protocol Phase 3 Client
Authentication and Key Exchange

• After receiving the server_hello_done message,
  the client should verify that the server provided
  a valid certificate if required and check that
  the server_hello parameters are acceptable
• If the server is requested a certificate, the
  client begins this phase by sending a certificate
  message. If no suitable certificate is available,
  the client sends a no_certificate alert instead
• The client then sends the client_key_exchange
  message. The content of this message depends on
  the type of key exchange. Client uses sender's
  public key to encrypt a pre-master secret and
  send it to the server. The pre-master secret is
  used to generate a master secret which in turn
  will be used to generate symmetric keys for data
  exchange
• The client may send a certificate_verify message
  to provide explicit verification of a client
  certificate. Thus, this message is used to ask
  for the client's certificate in return for
  validation

27
SSL Handshake Protocol Phase 4 Finish

• This phase completes the setting up of a secure
  connection.
• The client sends a change_cipher_spec message and
  copies the pending CipherSpec into the current
  CipherSpec
• Not a part of Handshake Protocol, message is sent
  using Change Cipher Spec Protocol
• Then the client immediately sends the finished
  message to verify that the key exchange and
  authentication processes were successful
• In response to these 2 messages, the server sends
  its own change_cipher_spec message, transfers the
  pending to the current CipherSpec and sends its
  finished message
• After this point, the handshake is complete, so
  the client and server may begin to exchange
  application layer data

28
SSL Record Protocol

• Provides basic security to various higher layer
  protocols
• Builds the data path between sender and receiver
• This data path starts out unencrypted, but before
  the server sends any secrets or application data,
  SSL uses public-key encryption to encrypt the
  data path
• All other SSL messages and application data will
  ride on this protocol
• SSL Record protocol is the foundation for all
  data transfer

29
SSL Record Protocol(cont.)

• Provides 2 services for SSL connections
• Confidentiality (a shared secret key is defined
  by the Handshake Protocol and this key is used
  for encryption of SSL payloads)
• Message Integrity (a shared secret key is defined
  by the Handshake Protocol and this key is used to
  form a message authentication code(MAC) )

30
SSL Record Protocol(cont.)
31
SSL Record Protocol(cont.)

• Fragmentation each upper layer message is
  fragmented into blocks of maximum 214 bytes.
• Compression optionally applied (in SSLv3 TLS,
  no compression algorithm is specified, so default
  compression algorithm is NULL)
• Add MAC to calculate it, a shared secret key is
  used

32
SSL Record Protocol(cont.)

• Encryption Symmetric encryption is applied
• Stream Encryption
• encrypts digital stream one bit or one byte at a
  time
• both message and MAC are encrypted

33
SSL Record Protocol(cont.)

• Block Encryption
• a block of plaintext is treated as a whole and
  used to produce a ciphertext block of equal
  length
• padding may be added after MAC prior to
  encryption to indicate the minimum amount
  required so that the total size of the data to be
  encrypted is a multiple of the cipher's block
  length.
• padding is followed by 1 byte indication of
  length of padding
• Ex
• 58 bytes plaintext 20 bytes MAC 1 byte
  padding.length79 bytes
• Encryption is done using a block length of 8
  bytes(such as DES)
• To make the total an integer multiple of 8, one
  byte of padding is added

34
SSL Record Protocol(cont.)

• Prepend a Header It consists of the following
  fields
• Content Type(8 bits) higher layer protocol used
  to process the enclosed fragment
• Major Version(8 bits) indicates major version of
  SSL in use. For SSLv3, the value is 3
• Minor Version(8 bits) indicates minor version in
  use For SSLv3, the value is 0
• Compressed Length(16 bits) length in bytes of
  plaintext fragment
• Transmit the resulting unit in a TCP segment

35
SSL Record Format
36
SSL Alert Protocol

• Used to transport SSL related alerts to the peer
  entity
• If either sender or client detects an error, it
  sends an alert containing the error
• Signals problems with the SSL session ranging
  from simple warnings (e.g., unknown certificate,
  revoked certificate, expired certificate) to
  fatal error messages that immediately terminate
  the SSL connection
• For example, you might receive the You are about
  to leave a secure Internet connection warning
  because an SSL client received a close_notify
  alert from an SSL server

37
SSL Alert Protocol

• Alert messages are fragmented and compressed
• Each message consists of 2 bytes
• 1 byte 1 byte
• Level
• Takes the value warning or fatal to transport the
  importance of the message
• If fatal, SSL immediately terminates the
  connection
• Alert
• Contains a code that indicates specific alert

38
SSL Alerts

• Fatal Alerts
• unexpected_message an inappropriate message was
  received
• bad_record_mac a record is received with
  incorrect MAC
• decompression_failure decompression function
  received improper input(e.g., unable to
  decompress or decompress to greater than maximum
  allowable length)
• handshake_failure sender was unable to negotiate
  an acceptable set of security parameters given
  the options available
• illegal_parameter a field in the handshake was
  out of range or inconsistent with other fields

39
SSL Alerts(cont.)

• Warning Alerts
• close_notify
• notifies the recipient that the sender will not
  send any more messages on this connection
• each party is required to send a close_notify
  alert before closing the write side of a
  connection
• no_certificate may be sent in response to a
  certificate request if no appropriate certificate
  is available
• bad_certificate a received certificate is
  corrupt(e.g, contained a signature that did not
  verify)
• unsupported_certificate type of the received
  certificate is not supported
• certificate_revoked a certificate is revoked by
  its signer
• certificate_expired a certificate has expired
• certificate_unknown some other unspecified
  issue arose in processing the certificate,
  rendering it unacceptable

40
SSL Overhead

• SSL noticeably slows the speed of transmitting
  information over the Internet
• 2-10 times slower than a TCP session
• The performance degragation is primarily the
  result of public key encryption and decryption
  that is required to initialize the first SSL
  connection
• Since public key encryption decryption is a
  time consuming operation, SSL implementations can
  cache a master secret that is pressed between
  SSL connections, so new SSL connections begin
  secure communication without the need to perform
  more public key operations
• Because SSL can cache the master key between
  sessions, this delay affects only the first SSL
  transaction between a client and a server
• To minimize the impact of SSL, many organizations
  transmit bulk of their information in the clear,
  and use SSL only for encrypting sensitive data

41
References

• Cryptography and Network Security, Principles and
  Practice, 3rd Edition - William Stallings
• Web Security Commerce Simson Garfinkel with
  Gene Spafford
• http//emea.windowsitpro.com/windowssecurity/Artic
  le/ArticleID/16047/16047.html
• http//www.w3schools.com/site/site_security.asp
• http//www.compinfo-center.com/syssec/systems_secu
  rity.htm
• www.cs.bham.ac.uk/mdr/teaching/modules03/security
  /students/SS8a/SSLTLS.html
• http//www.w3.org/Security/faq/www-security-faq.ht
  ml
• www.acmet.com/html/test_cases_for_ssl.html
• www.cisco.com/en/US/netsol/ns340/ns394/ns50/ns140/
  networking_solutions_white_paper09186a0080136858.s
  html

42

• End of presentation
• Thanks for listening
• Questions?