
December 2008 Prof. Reuven Aviv, SSL 1

Web Security with SSL

Network Security

Prof. Reuven Aviv

King Mongkut’s University of Technology

Faculty of information Technology


December 2006 Prof. Reuven Aviv, SSL 2

WEB Security with SSL/TLS

• Introduction – Risks and countermeasures

• Secure Socket Layer (SSL) architecture

• SSL Record Protocol

• SSL Handshake Protocol

• In Closing: What does the SSL Really Protect?

• Appendix: Usage of SSL and Certificates in Win2K/IIS

Why is the Web service special?


Web Security risks & counter-measures

• Corrupt server or browser data

– done by Trojans, ActiveX, Applets

• Corrupt data in transit and session hijacking

– Cryptographic checksum, Encryption

– web proxy (later lecture)

• Denial of Service: flooding server, DNS attacks

– Network Mitigation procedures

• Impersonation of users, and programs

– signatures


Approaches to network Security

Advantages and Disadvantages?


SECURE SOCKET LAYER (SSL)


SSL (Secure Socket Layer) & TLS

• SSL: Netscape, later Microsoft

– SSL 3.0 Submitted to IETF

• IETF TLS: Transport Layer Security

– essentially SSLv3.1

• Free Implementations: SSLRef, OpenSSL

• SSL support included in Microsoft IIS & IE

What methods are used for: Privacy, Integrity, Authentication, Non-Repudiation?


SSL Protocol Architecture

• SSL Record Protocol: transmission of blocks of data (records) between applications (e.g. HTTP)

What is the purpose of the SSL Handshake & Alert protocols?


SSL Record Protocol


SSL Record Protocol: Services

• Encryption/Decryption of payloads (HTTP, …)

– conventional encryption algorithms (DES…)

• Message integrity

• using a MAC. How is the MAC constructed?

• hash of (message + secret)

• secrets as agreed by a Handshake Protocol
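
An added example (not from the lecture) of the SSLv3 record MAC, which nests the hash as hash(secret + pad_2 + hash(secret + pad_1 + seq_num + type + length + data)) per RFC 6101. The sample secret and payload are constructed, and encryption of the record is omitted.

```python
import hashlib
import hmac
import struct

PAD_LEN = {"md5": 48, "sha1": 40}   # SSLv3 pad sizes per hash (RFC 6101)
APPLICATION_DATA = 23               # record content type for application payloads


def ssl3_mac(hash_name, mac_secret, seq_num, content_type, fragment):
    """hash(secret + pad_2 + hash(secret + pad_1 + seq + type + length + data))."""
    n = PAD_LEN[hash_name]
    meta = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, mac_secret + b"\x36" * n + meta + fragment).digest()
    return hashlib.new(hash_name, mac_secret + b"\x5c" * n + inner).digest()


def build_record(hash_name, mac_secret, seq_num, fragment):
    """Header (type, version 3.0, length) + fragment + MAC; encryption omitted."""
    body = fragment + ssl3_mac(hash_name, mac_secret, seq_num, APPLICATION_DATA, fragment)
    return struct.pack("!BBBH", APPLICATION_DATA, 3, 0, len(body)) + body


def verify_record(hash_name, mac_secret, expected_seq, record):
    """Return the fragment if the MAC matches for expected_seq, else None."""
    if len(record) < 5:
        return None
    content_type, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    mac_len = hashlib.new(hash_name).digest_size
    if len(body) != length or length < mac_len:
        return None
    fragment, mac = body[:-mac_len], body[-mac_len:]
    good = ssl3_mac(hash_name, mac_secret, expected_seq, content_type, fragment)
    return fragment if hmac.compare_digest(mac, good) else None


def demo():
    secret = bytes(range(20))                        # constructed MAC write secret
    rec0 = build_record("sha1", secret, 0, b"GET / HTTP/1.0\r\n\r\n")
    tampered = rec0[:5] + b"P" + rec0[6:]            # one payload byte changed in transit
    return {
        "intact": verify_record("sha1", secret, 0, rec0),
        "tampered": verify_record("sha1", secret, 0, tampered),
        # Receiver has moved on to sequence number 1; the old record no longer verifies.
        "replayed": verify_record("sha1", secret, 1, rec0),
    }
```

The sequence number is never sent on the wire; each side counts records itself, which is why a replayed or reordered record fails the check.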


SSL Record Protocol Operation

What’s in the header?


SSL Record Format

What is to be agreed by client/server during handshake?


SSL Handshake Protocol


What is to be agreed: Cipher Suite

• Key Exchange algorithm: method to be used to create the SSL Pre-Master Secret (one of four, e.g. D.H.)

• Specifications of Encryption/Hash algorithms

• Encryption: from RC4, or 3DES,…

– Cipher Type: Stream or Block

• MAC Algorithm: HMAC-MD5 / HMAC-SHA-1

– IV size, Hash size, …


SSL: 6 Secrets

• Two keys for encryption; two Initial Values (IVs, for encryption); two secrets for MAC

• Procedure for derivation of secrets

• Pre_Master_Secret --> Master Secret --> Secrets

– 48 Bytes PMS: one time value

• 4 methods for deriving PMS

• Who calculates PMS / Master / Secrets?


PMS derivation methods

• [1] RSA Method:

• Client creates PMS (random)

• Client sends PMS to server, encrypted by the Server’s RSA public key

– Client needs Server’s Public Key Certificate


PMS derivation methods

• [2] Anonymous Diffie Hellman

– q, agreed by two sides

– Public keys (Y) are exchanged

– PMS (calculated by both parties) = $Y^{X} \bmod q$

– No exchange of Authenticating Certificates

• [3] Fixed Diffie Hellman

– Server is authenticated by its D.H. certificate (incl. D.H. public key). Rest is Anonymous D.H.

Disadvantage relative to RSA method?


PMS derivation methods

• [4] Authenticated Diffie Hellman:

– Most secure way: both parties are authenticated

– D.H. public keys are exchanged by messages

– signed by senders’ private RSA or DSS keys

– PMS is created by both parties

• Signing keys (RSA or DSS) are presented via Certificates, themselves signed by CAs


Handshake Protocol: full scenario


1. Hello Phase


Hello messages: Establishing Security Capabilities

• Client sends ClientHello (1)

– ProtocolVersion (3.1 for TLS 1.0)

– timestamp + random_num1

What is the purpose of these?

• Session ID

What is the purpose of this?

• Lists of Algorithms & Compression methods supported by client


Hello messages: Establishing Security Capabilities

• Server sends ServerHello (2)

• Protocol Version, Timestamp, random num2

– Session ID: new value (or, if updating, old)

– Selected Cipher-Suite, compression method

Is the PMS Derivation method determined at this stage?


2. Server Authentication & Key exchange

• Certificate (3): one (or more) X.509 certificate

• The certificate presents the public key that will be used for encrypting secrets and/or signing

Server → Client

These are optional. Who determines if these messages are sent?


Server Key_exchange_Message (4)

• Sent from the Server to provide its public key

– Not needed in RSA [1] method (public key of Server was already sent by Certificate (3))

– Not needed in the fixed D.H. [3] method. Why?

• What is the content of this message?

• The Diffie Hellman public key (Y)

• Message required in the Anonymous D.H. [2]

– Message not signed. Why not?


Server Key_exchange_Message (4)

• Message required in the Ephemeral D.H. [4]

– Message signed by what?

• by RSA or DSS private key

What is the signature?

• encrypted hash of the D.H. parameters and the random values in the Hello messages. Why?

• K_RSA{hash(Cl.Hello.rand || Ser.Hello.rand || D.H. parameters)}


End of Phase 2: Server

• In all methods except Anonymous D.H. [2]

– Server sends Certificate_Request (5)

• requesting Client to provide its Certificate(s)

• List of acceptable certificates & CAs

• Server sends ServerDone (6) message

What will the client do?


End of Phase 2: Client

• Client checks the acceptability of parameters in ServerHello (selected algorithms & PMS method)

• Client checks receipt of the required certificates

• Client checks the validity of received certificates

• How?


Phase 3: Client Authentication & Key Exchange

What’s in Client_key_Exchange (8)?

• CertificateVerify (9): a signed hash of previous messages. What is the purpose of this?

Client → Server


ClientKeyExchange (8): Required

• Content depends on method of key generation:

• RSA [1]: Client sends a random 48-byte PMS, encrypted with the certified Server’s public key

• Authenticated or Anonymous D.H. [4], [2]:

– Client sends its public D.H. key (Y)

• Fixed D.H. [3]: null (Client’s public D.H. key was sent in a previous message, Certificate (7))

– In all D.H. methods [2], [3], [4] both Client and Server now calculate PMS
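
An added example, not part of the lecture, that carries a D.H. exchange from PMS = Y^X mod q through the SSLv3 expansion (RFC 6101) to the six secrets of the "SSL: 6 Secrets" slide. The 64-bit group, the base ALPHA, the fixed-width PMS encoding and the 3DES/SHA-1 sizes are assumptions of the example.

```python
import hashlib
import secrets

# Constructed toy D.H. group (small for readability, not for real use).
Q = 0xFFFFFFFFFFFFFFC5   # prime modulus, 2**64 - 59
ALPHA = 5                # base; an assumption of this example


def ssl3_expand(secret, seed, n_bytes):
    """MD5(secret + SHA1(label + secret + seed)) with labels 'A', 'BB', 'CCC', ..."""
    out, i = b"", 1
    while len(out) < n_bytes:
        label = bytes([ord("A") + i - 1]) * i
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:n_bytes]


def derive_secrets(pms, client_random, server_random, mac_len=20, key_len=24, iv_len=8):
    """PMS -> 48-byte master secret -> key block -> the six secrets."""
    master = ssl3_expand(pms, client_random + server_random, 48)
    # The key block uses the two randoms in the opposite order.
    block = ssl3_expand(master, server_random + client_random,
                        2 * (mac_len + key_len + iv_len))
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    six, pos = {}, 0
    for name, size in zip(names, sizes):
        six[name] = block[pos:pos + size]
        pos += size
    return master, six


def dh_handshake():
    """Each side computes PMS = Y^X mod q from the peer's Y and its own X."""
    x_client = secrets.randbelow(Q - 2) + 1
    x_server = secrets.randbelow(Q - 2) + 1
    y_client = pow(ALPHA, x_client, Q)     # Y sent in ClientKeyExchange (8)
    y_server = pow(ALPHA, x_server, Q)     # Y sent in Server Key_exchange (4)
    client_random = secrets.token_bytes(32)   # stands in for timestamp + random_num1
    server_random = secrets.token_bytes(32)
    pms_client = pow(y_server, x_client, Q).to_bytes(8, "big")
    pms_server = pow(y_client, x_server, Q).to_bytes(8, "big")
    return (derive_secrets(pms_client, client_random, server_random),
            derive_secrets(pms_server, client_random, server_random))
```

Neither the PMS nor any of the six secrets crosses the network in the D.H. methods; only the two Y values and the two Hello randoms do.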


Certificate_Verify (9)

• Sent by Client, if it previously sent a Certificate with signing capabilities

– i.e. Not Certificate with D.H. parameters

• Purpose: Authenticating the client, proving that the client knows its private key

• What should be in this message?

• Specific agreed info, signed by the client

– Alternative to challenge response


Certificate_Verify (cont’d)

• Hash of collected shared knowledge

– K_Client{hash(Master_Secret || pad2 || hash(handshake_messages || Master_Secret || pad1))}

• Signed by Client Private key

• cannot be done by one who stole the Client certificate. Why?


4. Finish phase

• ChangeCipherSpec:

– Let’s start using agreed Cipher-Suite

• Finished: hash of master secret, & other info

– Using the agreed upon Cipher Suite
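
An added example (not the lecture's code) of the handshake hash behind CertificateVerify (9) and Finished, following the SSLv3 construction in RFC 6101; Finished also mixes in a sender label. The master secret and message byte strings are constructed placeholders, not wire encodings.

```python
import hashlib
import hmac

PAD_LEN = {"md5": 48, "sha1": 40}                 # SSLv3 pad sizes (RFC 6101)
SENDER_CLIENT, SENDER_SERVER = b"CLNT", b"SRVR"   # Finished sender labels


def transcript_hash(hash_name, master_secret, handshake_messages, sender=b""):
    """hash(master || pad2 || hash(handshake_messages || sender || master || pad1)).

    With sender empty this is the value the client signs in CertificateVerify.
    """
    n = PAD_LEN[hash_name]
    inner = hashlib.new(hash_name, handshake_messages + sender
                        + master_secret + b"\x36" * n).digest()
    return hashlib.new(hash_name, master_secret + b"\x5c" * n + inner).digest()


def finished(master_secret, handshake_messages, sender):
    """Finished body: the MD5 value followed by the SHA-1 value (36 bytes)."""
    return (transcript_hash("md5", master_secret, handshake_messages, sender)
            + transcript_hash("sha1", master_secret, handshake_messages, sender))


def server_accepts(master_secret, messages_seen_by_server, client_finished):
    """Server recomputes the client's Finished over the messages it received."""
    expected = finished(master_secret, messages_seen_by_server, SENDER_CLIENT)
    return hmac.compare_digest(expected, client_finished)


def demo():
    master = bytes(range(48))                            # constructed master secret
    hello = b"ClientHello suites=[3DES-SHA, RC4-MD5]"    # constructed placeholder
    rest = b"|ServerHello|Certificate|ServerDone|ClientKeyExchange"
    client_finished = finished(master, hello + rest, SENDER_CLIENT)
    # What the server would have received if the suite list was changed in transit.
    altered = b"ClientHello suites=[RC4-MD5]"
    return (server_accepts(master, hello + rest, client_finished),
            server_accepts(master, altered + rest, client_finished))
```

Because the hash covers every earlier handshake message and the master secret, a change to the Hello messages in transit shows up as a Finished mismatch even though the Hello messages themselves were sent unprotected.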


In closing: What does SSL really protect?

• It protects data in transit, mitigates attacks like MIM, Replay, and in general makes other attacks difficult to perform

• It does not solve the hard problems of E-Commerce:

– DoS attacks

– Application Layer Attacks on the client and servers. (BO)

• By which credit cards may be stolen


Appendix

Configuring SSL & Certificates in Win2K Internet Information Server (IIS)


Selecting the Web Server to be configured

Tool: mmc


Web Server Properties: Certificate (SSL)


Web Server certificate


Configuring “Secure Communication” (SSL)


Web Server: Client Authentication Methods


IIS: Client (Browser) Authentication

• Anonymous: No authentication

• Basic: domain password sent in the clear

• Digest: challenge response

– Challenge (from IIS): Workstation ID, domain/realm, time

– Response: Thumbprint (hash with password)

– Server needs to know password

• Integrated Windows Authentication

– Browser obtains and sends Kerberos ticket

• Certificate based authentication


Web Server Certificate Trust List


IIS Access Control

• Mapping Client Certificates to accounts

– Define subjects’ rights of access to www pages


Controlling Authentication for certain pages

• Selecting the page


Authentication methods for this page


Accessing the page
