Secure Socket Layer •Yu Yang •Lilly Wang Agenda • SSL Basics • WTLS • Security for Web Service.


Secure Socket Layer
•Yu Yang
•Lilly Wang
Agenda
• SSL Basics
• WTLS
• Security for Web Service
SSL Facts
• SSL was first developed by Netscape in 1994 and became an internet standard in 1996 (RFC 2246 – TLS V1.0)
• SSL is a cryptographic protocol that secures network communication over a connection-oriented layer
• Any program using TCP can be modified to use an SSL connection
SSL Facts
• An SSL connection uses a dedicated TCP/IP socket (e.g. port 443 for https)
• SSL is flexible in the choice of which symmetric encryption, message digest, and authentication algorithms can be used
• SSL provides built-in data compression
SSL Usage
• Authenticate the server to the client
• Allow the client and server to select cryptographic algorithms, or ciphers, that they both support
• Optionally authenticate the client to the server
• Use public key encryption techniques to generate a shared secret
• Establish an encrypted SSL connection
Secure Socket Layer
SSL is a secure protocol which runs above TCP/IP and allows users to encrypt data and authenticate the server's/vendor's identity securely
[Diagram: HTTPS, FTPS and SMTPS at the application layer; the Secure Socket Layer beneath them; the TCP/IP layer at the transport layer]
SSL Stack
SSL Record Protocol Operation
SSL Record Format
SSL Handshake
SSL handshake verifies the server and allows client and server to agree on an encryption set before any data is sent out
SSL Handshake
SSL Handshake
[Diagram labels: server (public key, private key); client request; client (public key)]
SSL Session Key
[Diagram labels: server (private key, public key, pre-master, session key); client (public key, pre-master, session key)]
Secure Data on Network
[Diagram labels: server (private key, public key, session key, data); client (session key, data)]
Man-in-the-Middle Attack
[Diagram labels: server (private key, public key, session key, pre-master); hacker (private key, public key, session key, pre-master); client (public key, pre-master)]
Key exchange and certificate
• SSL version number client supported (v2, v3)
• SSL version number server picked (v2, v3)
• Ciphers client supported (DES, RC2, RC4)
• Ciphers server picked (DES, RC2, RC4)
• Client Random Number
• Server Random Number
• Certificate
[Diagram labels: server (private key, public key); client (public key)]
Verify Certificate
• Certificate is good and valid
• Server/vendor has been verified and authenticated
• Client has the vendor’s public key and can now encrypt the pre-master to send to the server/vendor
[Diagram labels: server (private key, public key); client request; certificate; valid checking; client (public key, certificate)]
Not-recognizable Certificate
Review the Certificate In IE
SSL Handshake
[Message sequence diagram between client and server]
• Client: Client hello
• Server: Server hello, Present Server Certificate, *Request Client Certificate, Server Key Exchange
• Client: *Present Client Certificate, Client Key Exchange, *Certificate Verify, Change Cipher Spec, Client Finish
• Server: Change Cipher Spec, Server Finish
• Application Data
Server Hello Request
• Notifies the client that it should send a client hello message to begin the negotiation process
• Sent by the server at any time
• After the server sends a request, it does not send another one until a handshake has been completed
• The client can choose to ignore the request or send a Client Hello
Client Hello
• Sent by the client
– When first connecting to a server
– In response to a hello request or on its own
• Contains
– 32-byte random number created by a secure random number generator
– Protocol version
– Session ID
– A list of supported ciphers
– A list of compression methods
Server Hello
• Sent as response if client hello is accepted
– If not, a handshake failure alert is sent
• Contains
– 32-byte random number created by a secure random number generator
– Protocol version
– Session ID
– Cipher suite chosen
– Compression method selected
Server Certificates
• Immediately following the server hello, the server sends its certificate
– Generally an X.509 v3 certificate
• Server sends server hello done message
Verify Server Certificate
Client Certificate (optional)
• Client only sends a certificate upon receipt of a certificate request
– Sends it after receiving server hello done
– If the client does not have a suitable certificate, it sends a no certificate alert
• Server will respond with a fatal handshake failure if a client certificate is necessary
Verify Client Certificate
Key Exchange
• Client sends the 48-byte pre-master, encrypted using the server’s public key, to the server
• Both server and client use the pre-master to generate the master secret
• The same session key is generated on both the client and server side using the master secret
Final Steps
• Client sends change_cipher_spec
• Client sends finished message
• Server sends change_cipher_spec
• Server sends finished message
SSL Architecture
Record Layer
• Compression and decompression
• A MAC is applied to each record using the MAC algorithm defined in the current cipher spec
• Encryption occurs after compression
• May need fragmentation
SSL Architecture
Alert Layer
• Explains the severity of the message and gives a description
– fatal
  • Immediate termination
  • Other connections in session may continue
  • Session ID is invalidated to prevent a failed session from opening new sessions
• Alerts are compressed the same as other data
SSL Architecture
Change Cipher Spec Protocol
• Notify the other party to use the new cipher suite
• Before the Finished message
Comparison of SSL V2.0 and V3.0
• SSL 2.0 is vulnerable to a “man-in-the-middle” attack: the hello message can be modified to use 40-bit encryption. SSL 3.0 defends against this attack by having the last handshake message include a hash of all the previous handshake messages
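The derivation on the Key Exchange slide and the SSL 3.0 defence described above, as an added example that is not part of the original slides: it uses the TLS 1.0 PRF from RFC 2246 (SSL 3.0 itself uses a different, older construction). The sample randoms, pre-master and hello strings are constructed stand-ins, not wire-format messages.

```python
import hashlib
import hmac

def p_hash(hash_name, secret, seed, length):
    """P_hash (RFC 2246, section 5): HMAC output chained over A(i)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()        # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5(first half of secret) XOR P_SHA1(second half)."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha_part = p_hash("sha1", secret[len(secret) - half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

def master_secret(pre_master, client_random, server_random):
    """48-byte master secret from the 48-byte pre-master and both hello randoms."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master, client_random, server_random, length):
    """Session key material; note the randoms are in the opposite order here."""
    return prf(master, b"key expansion", server_random + client_random, length)

def finished_verify_data(master, label, handshake_messages):
    """12-byte Finished value covering every handshake message seen so far."""
    transcript = b"".join(handshake_messages)
    digests = hashlib.md5(transcript).digest() + hashlib.sha1(transcript).digest()
    return prf(master, label, digests, 12)

# Constructed sample values; the message strings are readable stand-ins, not wire format.
PRE_MASTER = b"\x03\x01" + bytes(range(46))
CLIENT_RANDOM, SERVER_RANDOM = b"\xc1" * 32, b"\x5e" * 32
SENT = [b"ClientHello ciphers=RC4,DES,RC2 (128-bit first)", b"ServerHello cipher=RC4-40"]
SEEN = [b"ClientHello ciphers=RC4-40", SENT[1]]           # hello altered in transit

def downgrade_detected():
    """True when the client's Finished does not match the server's view of the handshake."""
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    from_client = finished_verify_data(ms, b"client finished", SENT)
    expected = finished_verify_data(ms, b"client finished", SEEN)
    return not hmac.compare_digest(from_client, expected)
```

Because both sides feed the same pre-master and hello randoms into the PRF, they arrive at the same master secret and key block without ever sending either; the Finished check fails as soon as one side's record of the hello messages differs from the other's.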
Comparison of SSL V2.0 and V3.0
• SSL 2.0 uses a weak MAC construction
• In SSL 3.0, the Message Authentication Hash uses a full 128 bits of key material for Export cipher, while SSL 2.0 uses only 40 bits
Comparison of SSL V2.0 and V3.0
• SSL 2.0 only allows a handshake at the beginning of the connection. In 3.0, the client can initiate a handshake routine any time
• SSL 3.0 allows server and client to send chains of certificates
• SSL 3.0 has a generalized key exchange protocol. It allows Diffie-Hellman and Fortezza key exchange
• SSL 3.0 allows for record compression and decompression
Problem Free?
• Side channel attack – discovered by Swiss Federal Institute of Technology in Lausanne http://www.newsfactor.com/perl/story/20843.html
• Information leak in encrypted connections. Vulnerable OpenSSL versions do not perform a MAC computation if an incorrect block cipher padding is used. An active attacker who can insert data into an existing encrypted connection is then able to measure time differences between the error messages the server sends. This information can make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext.
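The check described above, sketched as an added example (not OpenSSL's code and not from the original slides): `check_vulnerable` skips the MAC when the padding is wrong, while `check_hardened` always computes it and returns a single alert. The record layout is simplified (the MAC covers only the data, with no sequence number or record header), and the key and records are constructed.

```python
import hashlib
import hmac

MAC_LEN = 20  # HMAC-SHA1 tag length

def make_record(key, data, pad_len):
    """Constructed plaintext of a CBC record: data || MAC || padding (pad_len + 1 bytes)."""
    mac = hmac.new(key, data, hashlib.sha1).digest()
    return data + mac + bytes([pad_len]) * (pad_len + 1)

def strip_padding(plain):
    """Return (body, padding_ok); on bad padding only the length byte is dropped."""
    n = plain[-1]
    if n + 1 <= len(plain) and plain[-(n + 1):] == bytes([n]) * (n + 1):
        return plain[:-(n + 1)], True
    return plain[:-1], False

def mac_matches(key, body):
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha1).digest(), tag)

# Both checks return (alert, mac_was_computed) so the skipped work is visible.
def check_vulnerable(key, plain):
    """Behaviour the slide describes: bad padding skips the MAC entirely."""
    if len(plain) <= MAC_LEN:
        return ("bad_record_mac", False)
    body, pad_ok = strip_padding(plain)
    if not pad_ok:
        return ("decryption_failed", False)   # fast path and a distinguishable error
    return ("ok", True) if mac_matches(key, body) else ("bad_record_mac", True)

def check_hardened(key, plain):
    """Always compute the MAC; report padding and MAC failures identically."""
    if len(plain) <= MAC_LEN:
        return ("bad_record_mac", False)
    body, pad_ok = strip_padding(plain)
    mac_ok = mac_matches(key, body)           # runs even when the padding is bad
    return ("ok", True) if (pad_ok and mac_ok) else ("bad_record_mac", True)

KEY = b"constructed-mac-key"
GOOD = make_record(KEY, b"GET / HTTP/1.0", 3)
BAD_PAD = GOOD[:-2] + b"\x07" + GOOD[-1:]      # one padding byte broken
BAD_MAC = bytes([GOOD[0] ^ 1]) + GOOD[1:]      # valid padding, altered data
```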
Wireless Transport Layer Security
WTLS Overview
WTLS Facts
• Mainly used to secure data transport between wireless device and gateway
• Built on top of datagram (UDP) instead of TCP
• WTLS provides full, optimized and abbreviated handshake to reduce roundtrips in high-latency networks
WTLS Facts
• WTLS uses different formats of certificates, mainly WTLS certificate, X509v1 and 968. It also supports additional cipher suites, such as RC5, short hashes, ECC, etc.
• WTLS provides a built-in key-refresh mechanism for renegotiation
• WTLS can also set a session as resumable to continue on a previous session
Web Service Security
Comparison of Traditional Web Application and Web Service
• Client-server system vs multi-party
• Simple protocol sets vs complicated protocol sets
Point-to-Point
End-to-End
Proposed Security Specification
Initial Specifications
• WS-Security
• WS-Policy
• WS-Trust
• WS-Privacy
Follow-on Specifications
• WS-SecureConversation
• WS-Federation
• WS-Authorization
WS-Security
• A “what” not “how”
• Security token is embedded inside SOAP headers
• Message integrity is provided by XML Signature and security tokens
• Message confidentiality is provided by XML Encryption with security tokens
WS-Security
Web Service Security