December 2008 Prof. Reuven Aviv, SSL 1
Web Security with SSL
Network Security
Prof. Reuven Aviv
King Mongkut’s University of Technology
Faculty of Information Technology
WEB Security with SSL/TLS
• Introduction – Risks and counter measures
• Secure Socket Layer (SSL) architecture
• SSL Record Protocol
• SSL Handshake Protocol
• In Closing: What does the SSL Really Protect?
• Appendix: Usage of SSL and Certificates in Win2K/IIS
Why is the Web Service special?
Web Security risks & counter-measures
• Corrupt server or browser data
– done by Trojans, ActiveX, Applets
• Corrupt data in transit and session hijacking
– Cryptographic checksum, Encryption
– web proxy (later lecture)
• Denial of Service: flooding server, DNS attacks
– Network Mitigation procedures
• Impersonation of users, and programs
– signatures
Approaches to network Security
Advantages and Disadvantages?
SECURE SOCKET LAYER (SSL)
SSL (Secure Socket Layer) & TLS
• SSL: Netscape, later Microsoft
– SSL 3.0 Submitted to IETF
• IETF TLS: Transport Layer Security
– essentially SSLv3.1
• Free Implementations: SSLRef, OpenSSL
• SSL support included in Microsoft IIS & IE
What methods are used for:
Privacy, Integrity, Authentication,
Non-Repudiation?
SSL Protocol Architecture
• SSL Record Protocol: transmission of blocks of data (records) between applications (e.g. HTTP)
What is the purpose of the
SSL Handshake & Alert protocols?
SSL Record Protocol
SSL Record Protocol: Services
• Encryption/Decryption of payloads (HTTP, …)
– conventional encryption algorithms (DES…)
• Message integrity
– using a MAC
How is the MAC constructed?
– hash of (message + secret)
– secrets as agreed by a Handshake Protocol
SSL Record Protocol Operation
What’s in the header?
SSL Record Format
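The record header and the "hash of (message + secret)" MAC from the Record Protocol slides, as an added example that is not part of the original lecture. It uses the SSL 3.0 construction from RFC 6101 with SHA-1; encryption of fragment + MAC is left out, and the key and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23   # other content types: 20 change_cipher_spec, 21 alert, 22 handshake
SSL3_VERSION = (3, 0)   # major, minor
MAC_LEN = 20            # SHA-1 output size
PAD_LEN = 40            # SSL 3.0 pad length for SHA-1 (48 for MD5)

def ssl3_mac(mac_secret: bytes, seq_num: int, ctype: int, fragment: bytes) -> bytes:
    """hash(secret + pad_2 + hash(secret + pad_1 + seq_num + type + length + fragment))."""
    meta = struct.pack("!QBH", seq_num, ctype, len(fragment))
    inner = hashlib.sha1(mac_secret + b"\x36" * PAD_LEN + meta + fragment).digest()
    return hashlib.sha1(mac_secret + b"\x5c" * PAD_LEN + inner).digest()

def build_record(mac_secret: bytes, seq_num: int, ctype: int, fragment: bytes) -> bytes:
    """5-byte header (type, major, minor, length) followed by fragment + MAC."""
    body = fragment + ssl3_mac(mac_secret, seq_num, ctype, fragment)
    return struct.pack("!BBBH", ctype, *SSL3_VERSION, len(body)) + body

def open_record(mac_secret: bytes, seq_num: int, record: bytes):
    """Parse the header, then verify the MAC under the receiver's own sequence number."""
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if len(body) != length or length < MAC_LEN:
        raise ValueError("truncated record")
    fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, ssl3_mac(mac_secret, seq_num, ctype, fragment)):
        raise ValueError("bad record MAC")
    return ctype, fragment

if __name__ == "__main__":
    secret = b"k" * 20                      # constructed MAC secret
    rec = build_record(secret, 0, APPLICATION_DATA, b"GET / HTTP/1.0\r\n\r\n")
    print(rec[:5].hex(), open_record(secret, 0, rec))
    try:
        open_record(secret, 1, rec)         # same bytes replayed as record #1
    except ValueError as err:
        print("replayed record rejected:", err)
```

The sequence number is never transmitted: each side counts records itself, which is why a replayed or reordered record fails the MAC check.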
What is to be agreed by client/server during handshake?
SSL Handshake Protocol
What is to be agreed: Cipher Suite
• Key Exchange algorithm: method to be used to
create SSL Pre-Master Secret (1 of 4, e.g. D.H.)
• Specifications of Encryption/Hash algorithms
• Encryption: from RC4, or 3DES,…
– Cipher Type: Stream or Block
• MAC Algorithm: HMAC-MD5 / HMAC-SHA-1
– IV size, Hash size, …
SSL: 6 Secrets
• Two keys for encryption; two Initial Values (IVs, for encryption); two secrets for MAC
• Procedure for derivation of secrets
• Pre_Master_Secret --> Master Secret --> Secrets
– 48 Bytes PMS: one time value
• 4 methods for deriving PMS
• Who calculates PMS / Master / Secrets?
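The chain Pre_Master_Secret --> Master Secret --> six secrets, as an added example that is not part of the original lecture. It follows the SSL 3.0 construction in RFC 6101; the secret sizes assume a 3DES-CBC/SHA-1 cipher suite, and all input values are constructed. Client and server each run the same computation on the same inputs.

```python
import hashlib
import os

SECRET_NAMES = ("client_write_MAC_secret", "server_write_MAC_secret",
                "client_write_key", "server_write_key",
                "client_write_IV", "server_write_IV")

def ssl3_expand(secret: bytes, seed: bytes, n_bytes: int) -> bytes:
    """MD5(secret + SHA1(label + secret + seed)) for label = 'A', 'BB', 'CCC', ...
    concatenated until n_bytes of output are available."""
    out, i = b"", 1
    while len(out) < n_bytes:
        label = bytes([ord("A") + i - 1]) * i
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:n_bytes]

def master_secret(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Pre_Master_Secret --> 48-byte Master Secret (client random first)."""
    return ssl3_expand(pms, client_random + server_random, 48)

def six_secrets(master: bytes, client_random: bytes, server_random: bytes,
                mac_len: int = 20, key_len: int = 24, iv_len: int = 8) -> dict:
    """Master Secret --> key block, cut into the six secrets.
    Default sizes assume 3DES-CBC with SHA-1; server random comes first here."""
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    block = ssl3_expand(master, server_random + client_random, sum(sizes))
    secrets, pos = {}, 0
    for name, size in zip(SECRET_NAMES, sizes):
        secrets[name] = block[pos:pos + size]
        pos += size
    return secrets

if __name__ == "__main__":
    # Constructed sample values: a 48-byte PMS and the two 32-byte Hello randoms.
    pms = os.urandom(48)
    client_random, server_random = os.urandom(32), os.urandom(32)
    master = master_secret(pms, client_random, server_random)
    for name, value in six_secrets(master, client_random, server_random).items():
        print(f"{name:24s} {value.hex()}")
```

Because both Hello randoms enter the derivation, a fresh handshake yields fresh keys even if the same PMS were reused.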
PMS derivation methods
• [1] RSA Method:
• Client creates PMS (random)
• send PMS to server encrypted by Server’s RSA
public key
– Client needs Server’s Public Key Certificate
PMS derivation methods
• [2] Anonymous Diffie Hellman
– q, agreed by two sides
– Public keys (Y) are exchanged
– PMS (calculated by both parties) = Y^X (mod q)
– No exchange of Authenticating Certificates
• [3] Fixed Diffie Hellman
– Server is authenticated by its D.H. certificate (incl.
D.H. public key). Rest is Anonymous D.H.
Disadvantage relative to RSA method?
PMS derivation methods
• [4] Authenticated Diffie Hellman:
– Most secure way - both parties are
authenticated
– D.H. public keys are exchanged by messages
– signed by senders’ private RSA or DSS keys
– PMS is created by both parties
• Signing keys (RSA or DSS) are presented
via Certificates, themselves signed by CAs
Handshake Protocol:
full scenario
1. Hello Phase
Hello messages: Establishing Security Capabilities
• Client sends ClientHello (1)
– ProtocolVersion (3.1 for TLS 1.0)
– timestamp + random_num1
What is the purpose of these?
• Session ID
What is the purpose of this?
• Lists of Algorithms & Compression methods
supported by client
Hello messages: Establishing Security Capabilities
• Server sends ServerHello (2)
• Protocol Version, Timestamp, random num2
– Session ID: new value (or, if updating, old)
– Selected Cipher-Suite, compression method
Is the PMS Derivation method
determined at this stage?
2. Server Authentication & Key exchange
• Certificate (3): one (or more) X.509 certificate
• The Certificate presents the public key that will be used for encrypting secrets and/or signing
These are optional. Who determines if these messages are sent?
Server Key_exchange_Message (4)
• Sent from the Server to provide its public key
– Not needed in RSA [1] method (public key of
Server was already sent by Certificate (3))
– Not needed in Fixed D.H. [3] method. Why?
• What is the content of this message?
• The Diffie Hellman public key (Y)
• Message required in the Anonymous D.H. [2]
– Message not signed. Why not?
Server Key_exchange_Message (4)
• Message required in the Ephemeral D.H [4]
– Message signed by what?
• by RSA or DSS private key
What is the signature?
• Encrypted hash of the D.H. parameters and the rand. values in the Hello messages. Why?
• K_RSA{hash(Cl.Hello.rand || Ser.Hello.rand || D.H. parameters)}
End of Phase 2: Server
• In all methods except Anonymous D.H. [2]
– Server sends Certificate_Request (5)
• requesting Client to provide its Certificate(s)
• List of acceptable certificates & CAs
• Server sends ServerDone (6) message
What will the client do?
End of Phase 2: Client
• Client checks the acceptability of parameters in
ServerHello (selected algorithms & PMS method)
• Client checks receipt of the required certificates
• Client checks the validity of received certificates
• How?
Phase 3: Client Authentication & Key Exchange
What’s in Client_key_Exchange (8)?
• CertificateVerify (9): a signed hash of previous
messages. What is the purpose of this?
ClientKeyExchange (8): Required
• Content depends on method of key generation:
• RSA [1]: Client sends a random 48-byte PMS, encrypted with the certified Server’s public key
• Authenticated or Anonymous D.H. [4], [2]:
– Client sends its public D.H. key (Y)
• Fixed D.H. [3]: null (Client’s public D.H. key was sent in previous message, Certificate (7))
– In all D.H. methods [2], [3], [4] both Client and Server now calculate PMS
Certificate_Verify (9)
• Sent by Client – if it previously sent a Certificate
with signing capabilities
– i.e. Not Certificate with D.H. parameters
• Purpose: Authenticating the client - proving that
the client knows its private key
• What should be in this message?
• Specific agreed info, signed by the client
– Alternative to challenge response
Certificate_Verify (cont’d)
• Hash of collected shared knowledge
– K_Client{hash(Master_Secret || pad2 || hash(handshake_messages || Master_Secret || pad1))}
• Signed by Client Private key
• Cannot be done by one who stole the Client
certificate. Why?
4. Finish phase
• ChangeCipherSpec:
– Let’s start using agreed Cipher-Suite
• Finished: hash of master secret, & other info
– Using the agreed upon Cipher Suite
In closing: What does SSL really protect?
• It protects data in transit, mitigates attacks like MIM, Replay, and in general makes other attacks difficult to perform
• It does not solve the hard problems of E-Commerce:
– DOS Attacks
– Application Layer Attacks on the client and servers. (BO)
• By which credit cards may be stolen
Appendix
Configuring SSL & Certificates in
Win2K
Internet Information Server (IIS)
Selecting the Web Server to be configured
Tool: mmc
Web Server Properties: Certificate
(SSL)
Web Server certificate
Configuring “Secure Communication” (SSL)
Web Server: Client Authentication Methods
IIS: Client (Browser) Authentication
• Anonymous: No authentication
• Basic: domain password sent in the clear
• Digest: challenge response
– Challenge (from IIS): Workstation ID, domain/realm, time
– Response: Thumbprint (hash with password)
– Server needs to know password
• Integrated Windows Authentication
– Browser obtains and sends Kerberos ticket
• Certificate based authentication
Web Server Certificate Trust List
IIS Access Control
• Mapping Client Certificates to accounts
– Define subjects’ rights of access to www pages
Controlling Authentication for certain pages
• Selecting the page
Authentication methods for this page
Accessing the page