Professional Documents
Culture Documents
Web Security
Web Security
10/19/2004 2
TCP/IP Protocol Stack
10/19/2004 3
Security -- At What Level?
Secure traffic at various levels in the network
Where to implement security? -- Depends on
the security requirements of the application
and the user
Basic services need to be implemented:
Key management
Confidentiality
Nonrepudation
Integrity/authentication
Authorization
10/19/2004 4
TCP/IP Protocol Stack
5
Transport Layer Security
Advantages:
Does not require enhancement to each
application
Disadvantages:
Obtaining user context gets complicated
10/19/2004 6
Transport Layer Security
Protocols
Connectionless and connection-oriented
transport layer service:
Security Protocol 4 (SP4) – NSA, NIST
Transport Layer Security (TLSP) – ISO
Connection-oriented transport layer service:
Encrypted Session Manager (ESM) – AT&T Bell Labs.
Secure Socket Layer (SSL) – Netscape Communications
Transport Layer Security (TLS) – IETF TLS WG
Most popular transport layer security protocols
10/19/2004 7
SSL
SSL versions:
1.0: serious security flaws – never released
to public
2.0: some weaknesses (man-in-the-middle
attack) – in Netscape Navigator 1.0-2.x
3.0: no serious security flaws – in Netscape
Navigator 3.0 and higher, MS Explorer 3.0
and higher
10/19/2004 8
SSL
Intermediate security layer between the
transport layer and the application layer
Based on connection-oriented and
reliable service (e.g., TCP)
Able to provide security services for any
TCP-based application protocol, e.g.,
HTTP,FTP, TELNET, POP3, etc.
Application independent
10/19/2004 9
SSL Services
SSL provides
Client- server authentication (public-key
cryptography)
Data traffic confidentiality
Message authentication and integrity check
SSL does not provide
Traffic analysis
TCP implementation oriented attacks
10/19/2004 10
SSL State Information
SSL session is stateful SSL protocol
must initialize and maintain session
state information on either side of the
session
SSL session can be used for several
connections connection state
information
10/19/2004 11
SSL Session State Information
Elements
10/19/2004 13
SSL Protocol Architecture
10/19/2004 14
SSL Protocol
Components:
SSL Record Protocol
Layered on top of a connection-oriented and
reliable transport layer service
Provides message origin authentication, data
confidentiality, and data integrity
SSL sub-protocols
Layered on top of the SSL Record Protocol
Provides support for SSL session and connection
establishment
10/19/2004 15
SSL Record Protocol
Receives data from higher layer SSL
sub-protocols
Addresses
Data fragmentation
Compression
Authentication
Encryption
10/19/2004 16
SSL Record Protocol
confidentiality
using symmetric encryption with a shared secret
key defined by Handshake Protocol
IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-
40, RC4-128
message is compressed before encryption
(optional)
message integrity
using a MAC with shared secret key
similar to HMAC but with different padding
10/19/2004 17
SSL Record Protocol Operation
10/19/2004 18
SSL Sub-protocols
Alert Protocol
Used to transmit alerts via SSL Record Protocol
Handshake Protocol
Used to mutually authenticate client and server and
Application Protocol
Used to directly pass application data to the SSL Record
Protocol
10/19/2004 19
SSL Alert Protocol
Use two-byte message to convey SSL-related
alerts to peer entity
First byte is severity level
warning(1) or fatal(2)
Second byte is specific alert
Always fatal: unexpected_message, bad_record_mac,
decompression_failure, handshake_failure, illegal_parameter
Other alerts: close_notify, no_certificate, bad_certificate,
unsupported_certificate, certificate_revoked,
certificate_expired, certificate_unknown
Compressed and encrypted like all SSL data
10/19/2004 20
SSL Handshake Protocol
Allow server and client to
authenticate each other
negotiate encryption and MAC algorithms
negotiate cryptographic keys to be used
Comprise a series of messages in phases
Establish Security Capabilities
Server Authentication and Key Exchange
Client Authentication and Key Exchange
Finish
10/19/2004 21
SSL Handshake Messages
10/19/2004 22
SSL Handshake
1. C S: CLIENTHELLO
2. S C: SERVERHELLO
[CERTIFICATE]
[SERVERKEYEXCHANGE]
[CERTIFICATEREQUEST]
SERVERHELLODONE
3. C S: [CERTIFICATE]
CLIENTKEYEXCHANGE
[CERTIFICATEVERIFY]
CHANGECIPHERSPEC
FINISH
4. S C: CHANGECIPHERSPEC
FINISH
10/19/2004 23
1. C S: CLIENTHELLO
SSL Handshake
CLIENTHELLO message is sent by the client
When the client wants to establish a TCP connection to the
server,
When a HELLOREQUEST message is received, or
existing connection
Message content:
Number of highest SSL understood by the client
pseudorandom number)
Session ID client wishes to use (ID is empty for existing sessions)
10/19/2004 24
S C: SERVERHELLO
[CERTIFICATE]
[SERVERKEYEXCHANGE]
[CERTIFICATEREQUEST]
SSL Handshake
SERVERHELLODONE
pseudorandom number
Session ID: corresponding to this connection
list
10/19/2004 25
2. S C: SERVERHELLO
[CERTIFICATE]
[SERVERKEYEXCHANGE]}
[CERTIFICATEREQUEST]
SSL Handshake
SERVERHELLODONE
Optional messages:
CERTIFICATE:
If the server is using certificate-based authentication
SERVERKEYEXCHANGE:
If the client does not have certificate, has certificate that
client
10/19/2004 26
3. C S: [CERTIFICATE]
CLIENTKEYEXCHANGE
SSL Handshake
[CERTIFICATEVERIFY]
CHANGECIPHERSPEC
FINISH
Client processing:
Verifies site certification
10/19/2004 27
3. C S: [CERTIFICATE]
CLIENTKEYEXCHANGE
[CERTIFICATEVERIFY]
SSL Handshake
CHANGECIPHERSPEC
FINISH
Client messages:
CERTIFICATE
If server requested a client authentication, client sends
CLIENTKEYEXCHANGE
Format depends on the key exchange algorithm selected by the server
key
Diffie-Hellman: public parameters between server and client in
private parameters
Premaster key is transformed into a 48-byte master secret, stored in
10/19/2004 28
3. C S: [CERTIFICATE]
CLIENTKEYEXCHANGE
SSL Handshake
[CERTIFICATEVERIFY]
CHANGECIPHERSPEC
FINISH
Client messages:
CERTIFICATEVERIFY
(personal certificate)
CHANGECIPHERSPEC
FINISH
10/19/2004 29
4. S C: CHANGECIPHERSPEC
SSL Handshake
FINISH
10/19/2004 30
SSL Handshake to Resume
session
1. C S: CLIENTHELLO
2. S C: SERVERHELLO
CHANGECIPHERSPEC
FINISH
3. C S: CHANGECIPHERSPEC
FINISH
10/19/2004 31
SSL Change Cipher Spec Protocol
A single message with only one byte “1”
Cause pending state to become current,
hence updating the cipher suite in use
10/19/2004 32
Transport Layer Security (TLS)
Specified as IETF standard RFC 2246
Similar to SSLv3 but with minor differences
in record format version number
use HMAC for MAC
a pseudo-random function expands secrets
has additional alert codes
some changes in supported ciphers
changes in certificate negotiations
changes in use of padding
10/19/2004 33