Title: CMPE 526 Operating System and Network Security, Spring 2005
1CMPE 526 Operating System and Network Security,
Spring 2005
- PRESENTATION ON WEB SECURITY
- SSL (SECURE SOCKETS LAYER)
MEHMET GÜVENIS 2004720551
Presentation Date 14/04/2005
2Outline
- Web Security Considerations
- What is SSL?
- SSL Applications
- SSL Protocols
- SSL Overhead
3Web Security Considerations
- Internet and web are extremely vulnerable to
compromises of various sorts - Web has variety of threats
- Integrity modification of user data
- Confidentiality eavesdropping on the Net
- Denial Of Service preventing any part of system
from functioning - Authentication impersonation of legitimate
users
4Web Security Considerations
- Web threats can access to mainly 3 locations
- Web server
- Web browser
- Traffic between browser server
Fall into category of job of computer system
security
Fall into category of network security
5What is SSL?
- SSL is the Secure Sockets Layer, a general
purpose protocol for sending encrypted
information over the Internet - Transport layer security service
- Makes use of TCP to provide end-to-end secure
service - Originally developed by Netscape
- Since 1995, version 3.0 has grown in popularity
and became a standard. SSL 3.0 is the version
most Web servers, such as IIS 5.0 and IIS 4.0,
support today - Subsequently became Internet Standard known as
TLS - Works at the Transport and Session layers of the
Open System Interconnection (OSI) model to
support the Application layer, where both the Web
server and browser interoperate
6More On SSL
- SSL provides security for Web traffic
- Security includes confidentiality, message
integrity, and authentication. SSL achieves these
elements of security through the use of
cryptography, digital signatures, and
certificates - SSL uses symmetric cryptography for the bulk data
encryption during the transfer phase however,
asymmetric cryptography is used to negotiate the
key used for that symmetric encryption
7SSL Applications
- HTTP original application
- Secure mail password encryption, encryption of
incoming e-mail messages - Server to client connection
- Telnet client authentication is performed with
client certificate - FTP
8Credit Cards, Encryption and the Web
- When people try to buy something from an online
vendor with their credit card over the Internet,
basically 2 risks appear - The credit card number might be learnt by some
electronic villain as it travels accross the
Internet. This person could then use the credit
card number to commit fraud - The credit card might get billed, bu the desired
process might never be proceed. This means that
the online transaction was a scam and the money
is lost - Netsacpe's SSL was designed to combat against
these problems - It uses encryption, a mathematical technique for
scrambling information, so that data sent between
customer's web browser and online vendor can't be
monitored while it is in transit. SSL also
supports a sophisticated system for digital
identification, so customer becomes sure that
people operating online shops are really who they
claim to be
9Credit Cards, Encryption and the Web(cont.)
10Using SSL to Send Credit Card Numbers Securely
- If you use an SSL-aware web browser (Netscape
Navigator, Microsofts Internet Explorer) and if
the web server that you are trying to access is
cryptographically enabled, you can instruct the
browser to create an encrypted connection to your
server by simply replacing http in your URL
with https - If you have a form which allows people to submit
sensitive information (credit card number), you
can force the information to be submitted
cryptographically by simply modifying the
actionclause in your HTML file, again changing
the http to https - Example
-
- http//www.company.com/document.html
- ltform methodPOST actionhttp//www.company.com
/cgi-bin/entergt - https//www.company.com/document.html
- ltform methodPOST actionhttps//www.company.co
m/cgi-bin/entergt
11SSL Concepts
- SSL Connection
- A transient, P2P communication link
- Every connection is associated with one session
- SSL Session
- Association between client server
- Created by handshake protocol
- Define a set of cryptographic parameters
- Used to avoid expensive negotiation of new
security parameters for each connection - May be shared by multiple SSL connections
12SSL Session Key
- A session key is a pair of secret words that a
server and client share these keys are used in
the encryption process of every SSL session - The longer the session key, the harder it is to
break the encryption of the SSL session and read
the transmitted data
13Encryption Keys Of SSL
- Can be implemented in either 40-bit or 128-bit
encryption(40-bit and 128-bit refer to the size
of the session key) - It is not very difficult for modern computers to
crack 240 combinations in a reasonable time
period - The makers of Web browser software recognized the
need to increase the strength of encryption and
moved to a new standard, 128-bit encryption
several years ago - Compared to 40-bit encryption, 128-bit encryption
offers 88 additional bits of key length. This
translates to 288 or 309,485,009,821,345,068,724,7
81,056 additional combinations required for a
brute-force crack
14SSL as a Transport Level Security Approach
15SSL as a Transport Level Security Approach
- SSL has 2 implementation choices
- Provides as a part of underlying protocol suite
and transparent to applications - It can be embedded in specific packages(Netscape
Internet Explorer are equipped with SSL)
16SSL Protocol Stack
17 SSL Protocols
- The client authenticates the server during the
Handshake Protocol - When the session is initiated and the handshake
is complete, the data transfer is encrypted
during the Record Protocol phase - If there are any alarms at any point during the
session, the alert is attached to the
questionable packet and handled according to the
Alert Protocol -
18SSL Protocols(cont.)
19SSL Handshake Protocol
- Used before any application data is transmitted
- Allows server client to
- authenticate each other
- to negotiate encryption MAC algorithms
- to negotiate cryptographic keys to be used
- Consists of series of messages exchanged by
client and server - Establish Security Capabilities
- Server Authentication and Key Exchange
- Client Authentication and Key Exchange
- Finish
20SSL Handshake Protocol(cont.)
- Each message has 3 fields
- Type(1 byte) type of the message(one of 10
messages) - Length (3 bytes) the length of the message in
bytes - Content (1 byte) parameters associated with the
message - 1 byte 3 bytes 1 byte
-
21SSL Handshake Protocol Action
22SSL Handshake Protocol Phase 1 Establish
Security Capabilities
- Initiate a logical connection and establish the
security capabilities that will be associated
with it - SSL client attempts to negotiate session
parameters with SSL server such as which
algorithm to encrypt with, which version of SSL
protocol to use, whether authentication is
necessary(required by either of them), which type
of public key encryption to use to swap shared
secrets
23SSL Handshake Protocol Phase 1 Establish
Security Capabilities(cont.)
- The exchange is started by the client which sends
client_hello message - Version defines which version of SSL protocol to
use. This is the highest version understood by
the client - Random Numbers serve as nonce and used in key
exchange to prevent replay attacks - Session ID variable length session identifier.
When it is nonzero, this means that client wishes
to update the parameters of an existing
connection or create a new connection on this
session. A zero value indicates that the client
wishes to establish a new connection on a new
session. - CipherSuite list that contains the combinations
of cryptographic algorithms supported by the
client, in decreasing order of preference. Each
element on the list (each cipher suite) defines
both a key exchange algorithm (key exchange
method the means by which the cryptographic
keys for conventional encryption and MAC are
exchanged. As an example RSA, Diffie-Hellman,
Fortezza) and a CipherSpec (cipher algorithm(DES,
3DES, Fortezza), MAC algorithm(MD5, SHA-1), hash
size) - Compression Method list of compression methods
that client supports
24SSL Handshake Protocol Phase 1 Establish
Security Capabilities(cont.)
- After client_hello message, client waits for the
server_hello message from server - Version SSL version that will be used for the
SSL session. Lower of version suggested by client
the highest supported by server - Random Numbers(32 bytes) independent of client's
Random field. - Session ID when it is nonzero, the same value is
used by server. Otherwise, server's SessionID
field contains the value for the new session - CipherSuite contains the single cipher suite
selected by server from those selected by client - Compression Method contains the compression
method selected by server from those selected by
client
25SSL Handshake Protocol Phase 2 Server
Authentication and Key Exchange
- If the client asked the SSL server to present a
client certificate, the server presents it (if it
needs to be authenticated) (certificate). The
server offers a certificate that is usually
X.509-compatible - If the server has no certificate or the
certificate used doesn't support the
Diffie-Hellman protocol, the server must exchange
public keys with the client(server_key_exchange) - The server may send certificate_request to the
client, asking the client to authenticate. The
client will respond with either a certificate
message or a no_certificate alert - The final message in this phase is
server_hello_done message which is sent by the
server to indicate the end of server hello and
associated messages. After this, server waits for
a client response
26SSL Handshake Protocol Phase 3 Client
Authentication and Key Exchange
- After receiving the server_hello_done message,
the client should verify that the server provided
a valid certificate if required and check that
the server_hello parameters are acceptable - If the server is requested a certificate, the
client begins this phase by sending a certificate
message. If no suitable certificate is available,
the client sends a no_certificate alert instead - The client then sends the client_key_exchange
message. The content of this message depends on
the type of key exchange. Client uses sender's
public key to encrypt a pre-master secret and
send it to the server. The pre-master secret is
used to generate a master secret which in turn
will be used to generate symmetric keys for data
exchange - The client may send a certificate_verify message
to provide explicit verification of a client
certificate. Thus, this message is used to ask
for the client's certificate in return for
validation
27SSL Handshake Protocol Phase 4 Finish
- This phase completes the setting up of a secure
connection. - The client sends a change_cipher_spec message and
copies the pending CipherSpec into the current
CipherSpec - Not a part of Handshake Protocol, message is sent
using Change Cipher Spec Protocol - Then the client immediately sends the finished
message to verify that the key exchange and
authentication processes were successful - In response to these 2 messages, the server sends
its own change_cipher_spec message, transfers the
pending to the current CipherSpec and sends its
finished message - After this point, the handshake is complete, so
the client and server may begin to exchange
application layer data
28SSL Record Protocol
- Provides basic security to various higher layer
protocols - Builds the data path between sender and receiver
- This data path starts out unencrypted, but before
the server sends any secrets or application data,
SSL uses public-key encryption to encrypt the
data path - All other SSL messages and application data will
ride on this protocol - SSL Record protocol is the foundation for all
data transfer
29SSL Record Protocol(cont.)
- Provides 2 services for SSL connections
- Confidentiality (a shared secret key is defined
by the Handshake Protocol and this key is used
for encryption of SSL payloads) - Message Integrity (a shared secret key is defined
by the Handshake Protocol and this key is used to
form a message authentication code(MAC) )
30SSL Record Protocol(cont.)
31SSL Record Protocol(cont.)
- Fragmentation each upper layer message is
fragmented into blocks of maximum 214 bytes. - Compression optionally applied (in SSLv3 TLS,
no compression algorithm is specified, so default
compression algorithm is NULL) - Add MAC to calculate it, a shared secret key is
used
32SSL Record Protocol(cont.)
- Encryption Symmetric encryption is applied
- Stream Encryption
- encrypts digital stream one bit or one byte at a
time - both message and MAC are encrypted
33SSL Record Protocol(cont.)
- Block Encryption
- a block of plaintext is treated as a whole and
used to produce a ciphertext block of equal
length - padding may be added after MAC prior to
encryption to indicate the minimum amount
required so that the total size of the data to be
encrypted is a multiple of the cipher's block
length. - padding is followed by 1 byte indication of
length of padding - Ex
- 58 bytes plaintext 20 bytes MAC 1 byte
padding.length79 bytes - Encryption is done using a block length of 8
bytes(such as DES) - To make the total an integer multiple of 8, one
byte of padding is added
34SSL Record Protocol(cont.)
- Prepend a Header It consists of the following
fields - Content Type(8 bits) higher layer protocol used
to process the enclosed fragment - Major Version(8 bits) indicates major version of
SSL in use. For SSLv3, the value is 3 - Minor Version(8 bits) indicates minor version in
use For SSLv3, the value is 0 - Compressed Length(16 bits) length in bytes of
plaintext fragment - Transmit the resulting unit in a TCP segment
35SSL Record Format
36SSL Alert Protocol
- Used to transport SSL related alerts to the peer
entity - If either sender or client detects an error, it
sends an alert containing the error - Signals problems with the SSL session ranging
from simple warnings (e.g., unknown certificate,
revoked certificate, expired certificate) to
fatal error messages that immediately terminate
the SSL connection - For example, you might receive the You are about
to leave a secure Internet connection warning
because an SSL client received a close_notify
alert from an SSL server
37SSL Alert Protocol
- Alert messages are fragmented and compressed
- Each message consists of 2 bytes
- 1 byte 1 byte
- Level
- Takes the value warning or fatal to transport the
importance of the message - If fatal, SSL immediately terminates the
connection - Alert
- Contains a code that indicates specific alert
38SSL Alerts
- Fatal Alerts
- unexpected_message an inappropriate message was
received - bad_record_mac a record is received with
incorrect MAC - decompression_failure decompression function
received improper input(e.g., unable to
decompress or decompress to greater than maximum
allowable length) - handshake_failure sender was unable to negotiate
an acceptable set of security parameters given
the options available - illegal_parameter a field in the handshake was
out of range or inconsistent with other fields
39SSL Alerts(cont.)
- Warning Alerts
- close_notify
- notifies the recipient that the sender will not
send any more messages on this connection - each party is required to send a close_notify
alert before closing the write side of a
connection - no_certificate may be sent in response to a
certificate request if no appropriate certificate
is available - bad_certificate a received certificate is
corrupt(e.g, contained a signature that did not
verify) - unsupported_certificate type of the received
certificate is not supported - certificate_revoked a certificate is revoked by
its signer - certificate_expired a certificate has expired
- certificate_unknown some other unspecified
issue arose in processing the certificate,
rendering it unacceptable
40SSL Overhead
- SSL noticeably slows the speed of transmitting
information over the Internet - 2-10 times slower than a TCP session
- The performance degragation is primarily the
result of public key encryption and decryption
that is required to initialize the first SSL
connection - Since public key encryption decryption is a
time consuming operation, SSL implementations can
cache a master secret that is pressed between
SSL connections, so new SSL connections begin
secure communication without the need to perform
more public key operations - Because SSL can cache the master key between
sessions, this delay affects only the first SSL
transaction between a client and a server - To minimize the impact of SSL, many organizations
transmit bulk of their information in the clear,
and use SSL only for encrypting sensitive data
41References
- Cryptography and Network Security, Principles and
Practice, 3rd Edition - William Stallings - Web Security Commerce Simson Garfinkel with
Gene Spafford - http//emea.windowsitpro.com/windowssecurity/Artic
le/ArticleID/16047/16047.html - http//www.w3schools.com/site/site_security.asp
- http//www.compinfo-center.com/syssec/systems_secu
rity.htm - www.cs.bham.ac.uk/mdr/teaching/modules03/security
/students/SS8a/SSLTLS.html - http//www.w3.org/Security/faq/www-security-faq.ht
ml - www.acmet.com/html/test_cases_for_ssl.html
- www.cisco.com/en/US/netsol/ns340/ns394/ns50/ns140/
networking_solutions_white_paper09186a0080136858.s
html
42- End of presentation
- Thanks for listening
- Questions?