Secure Socket Layer (SSL) Handshake Protocol

Lehrstuhl für Informatik 4
Kommunikation und verteilte Systeme
Chapter 2: Security Techniques Background
Chapter 3: Security on Network and Transport Layer
• Network Layer: IPSec
• Transport Layer: SSL/TLS
Chapter 4: Security on the Application Layer
Chapter 5: Security Concepts for Networks

3.2: Transport Layer: SSL/TLS
• Secure Socket Layer (SSL)
• Transport Layer Security (TLS) Protocol

Chapter 3.2: Transport Layer – SSL/TLS

Secure Socket Layer (SSL)
SSL, initially developed by Netscape, provides authentication, data integrity, and privacy between two applications (not complete hosts as in IPSec)
• SSL is located on top of TCP/IP and has become a de facto standard for security-sensitive applications over intranets or the Internet
• Most widely used as secure transport layer for HTTP traffic, e.g. e-commerce
• Version 3.1 of SSL is known as TLS
• Special port numbers are assigned to applications which use SSL, e.g. https = 443, telnets = 992

SSL comprises four mechanisms:
• SSL Handshake Protocol (authentication, negotiates an encryption algorithm and cryptographic keys)
• SSL Record Protocol (data encryption and compression)
• SSL Change Cipher Spec (signals the beginning of encryption)
• SSL Alert Protocol (reaction to error situations)

Handshake Protocol
Responsible for “secure session establishment” between two applications.
Session means:
• Association between a client and a server
• Can comprise several connections
• Definition of encryption and compression algorithms for these connections
• Contains a “master secret” for all connections (from which keys for the connections are generated)
The handshake protocol has the following tasks:
1.) Negotiation of an encryption algorithm
2.) Mutual authentication
3.) Key exchange

Session Establishment
Message flow between Alice and Bob:
Alice → Bob: client_hello, cipher suites, RA
Bob → Alice: certificate, cipher suite, RB
Alice → Bob: {S}B, hash of K and the handshake messages
Bob → Alice: keyed hash of the handshake messages

Hello message of Alice, including:
• A set of possible encryption and compression algorithms (start of negotiation)
• A random number RA
Answer message of Bob, including:
• Certificate of Bob (authentication, often RSA)
• Chosen algorithms (end of negotiation, often 3DES)
• A random number RB
Alice chooses a random number S, computes a master secret K = f(S, RA, RB) and sends to Bob:
• S encrypted with Bob’s public key
• A hash (MD5) of K and the messages before, to prove that she knows K and that K corresponds to this handshake
Bob responds with a hash of the messages before, encrypted with a key generated from K, RA, and RB
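
The exchange above in Python, as an added example that is not part of the original slides. It shows why the hash in message 3 covers the earlier messages: if client_hello is changed in transit, Alice's and Bob's views of the handshake differ and Bob rejects it. Assumptions: SHA-256 and HMAC stand in for f and for MD5, {S}B is modelled as S arriving intact, the suite names are constructed, and Bob takes the first suite offered.

```python
import hashlib
import hmac
import os

def master_secret(S, RA, RB):
    # Assumed stand-in for the slide's f(S, RA, RB), not SSL's actual function
    return hashlib.sha256(S + RA + RB).digest()

def transcript_hash(K, log, sender):
    # Hash of K and every handshake message so far (SHA-256 here, MD5 on the slide)
    data = b"".join(repr(m).encode() for m in log)
    return hmac.new(K, sender + data, hashlib.sha256).digest()

def handshake(in_transit=lambda msg: msg):
    """Run the four messages; in_transit models what the network does to client_hello."""
    RA, RB, S = os.urandom(32), os.urandom(32), os.urandom(48)
    alice_log, bob_log = [], []

    hello = ("client_hello", ("3DES", "DES"), RA)  # 1. Alice -> Bob, constructed suites
    alice_log.append(hello)
    seen = in_transit(hello)
    bob_log.append(seen)

    reply = ("certificate", seen[1][0], RB)  # 2. Bob -> Alice, takes first offered suite
    bob_log.append(reply)
    alice_log.append(reply)

    # 3. Alice -> Bob: {S}B is modelled as S arriving intact (public-key step left out)
    K_alice = master_secret(S, RA, RB)
    K_bob = master_secret(S, seen[2], RB)
    proof = transcript_hash(K_alice, alice_log, b"alice")
    if not hmac.compare_digest(proof, transcript_hash(K_bob, bob_log, b"alice")):
        return reply[1], "handshake failure"  # Bob's view differs: fatal alert
    alice_log.append(proof)
    bob_log.append(proof)

    # 4. Bob -> Alice: keyed hash of the messages before, verified by Alice
    answer = transcript_hash(K_bob, bob_log, b"bob")
    if not hmac.compare_digest(answer, transcript_hash(K_alice, alice_log, b"bob")):
        return reply[1], "handshake failure"
    return reply[1], "established"
```

Calling `handshake()` returns `("3DES", "established")`; passing a function that shortens the suite list in client_hello returns `("DES", "handshake failure")`.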

Session Keys and Change Cipher Spec
K, RA, and RB are used to generate 6 keys:
• Two keys for encryption
• Two keys for integrity
• Two keys as initialization vector
The two keys are used to treat both communication directions differently, e.g. for encryption:
• Alice does encryption with her so-called write key and decryption with her read key
• Bob also has a write and a read key, but his write key is Alice’s read key and vice versa
• Same for integrity
At the end of handshake:
• Together with the last message, Bob sends a change cipher spec
• Only one byte, signaling that all following messages are now encrypted with the mechanism/keys from the handshake phase

Record Protocol
Responsible for encryption and compression of all messages following the change cipher spec as follows:
1. Break down data to be transferred into blocks of fixed length
2. Compression
3. Append a Message Authentication Code (MAC) computed with the integrity key
4. Encryption using the encryption key
5. Add SSL header which contains:
• Content Type (e.g. HTTPS)
• Protocol Version Number
• Length
• Sequence Number
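
The key generation and the MAC step of the Record Protocol in Python, as an added example that is not part of the original slides: both sides derive the six keys, Bob checks records written with Alice's write integrity key, and a replayed record is rejected with bad record MAC. Assumptions: the HMAC-SHA256 expansion stands in for the real SSL key derivation, key names and sizes are chosen for the example, content type 23 is application data, a per-direction sequence number is included in the MAC, and fragmentation, compression and encryption (steps 1, 2 and 4) are left out.

```python
import hashlib
import hmac
import struct

def expand(secret, label, seed, n):
    # HMAC-SHA256 counter expansion: assumed stand-in for f, not SSL's real derivation
    blocks = (hmac.new(secret, label + seed + bytes([i]), hashlib.sha256).digest()
              for i in range(1, n // 32 + 2))
    return b"".join(blocks)[:n]

def derive_keys(S, RA, RB):
    K = expand(S, b"master secret", RA + RB, 48)  # master secret K = f(S, RA, RB)
    layout = [("alice_enc", 16), ("bob_enc", 16), ("alice_mac", 32),
              ("bob_mac", 32), ("alice_iv", 16), ("bob_iv", 16)]
    block = expand(K, b"key expansion", RA + RB, sum(n for _, n in layout))
    keys, pos = {}, 0
    for name, n in layout:  # each key is named after the side that writes with it
        keys[name], pos = block[pos:pos + n], pos + n
    return keys

class Direction:  # one direction of a connection: integrity key plus sequence number
    def __init__(self, mac_key):
        self.mac_key, self.seq = mac_key, 0
    def _mac(self, ctype, data):
        hdr = struct.pack("!QBH", self.seq, ctype, len(data))
        return hmac.new(self.mac_key, hdr + data, hashlib.sha256).digest()
    def protect(self, ctype, data):  # record step 3: append the MAC
        record = data + self._mac(ctype, data)
        self.seq += 1
        return record
    def verify(self, ctype, record):
        data, tag = record[:-32], record[-32:]
        if not hmac.compare_digest(tag, self._mac(ctype, data)):
            raise ValueError("bad record MAC")  # fatal alert, connection is closed
        self.seq += 1
        return data

def demo():
    RA, RB, S = b"A" * 32, b"B" * 32, b"S" * 48  # constructed sample values
    alice, bob = derive_keys(S, RA, RB), derive_keys(S, RA, RB)
    a_write, b_read = Direction(alice["alice_mac"]), Direction(bob["alice_mac"])
    r1, r2 = a_write.protect(23, b"GET / HTTP/1.0"), a_write.protect(23, b"second")
    out = [b_read.verify(23, r1)]
    try:
        b_read.verify(23, r1)  # replay: the expected sequence number has moved on
    except ValueError as err:
        out.append(str(err))
    out.append(b_read.verify(23, r2))
    return out
```

Because each direction has its own integrity key, a record Alice wrote also fails verification under Bob's write key, so it cannot be handed back to her as if Bob had sent it.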

Alert Protocol
Only needed in case of errors – defines error messages and actions to be taken
Level 1: Warning
• No special actions defined
• May be displayed to the user
Level 2: Fatal
• Connection will be closed
• No more connections are opened within the current session
• Examples are:
  unexpected message
  bad record MAC
  decryption/decompression failure
  handshake failure

Transport Layer Security (TLS)
TLS in basic version is SSLv3.1 with some additions:
• Addition of Kerberos Cipher Suites
• Upgrading to TLS Within HTTP/1.1 to change to encryption within an existing TCP connection
• HTTP Over TLS for separating secure and unsecure traffic
• Addition of AES
• Addition of new alert messages

Comparison IPSec and SSL
IPSec
• Network Layer
• Implemented transparently for the user
• Can be automated
• Central management
SSL
• Transport Layer
• Interaction with the user (e.g. acceptance of certificates)
• Management by application or user
Independent of certain mechanisms (encryption, compression, hash...)
Conclusion: it is impossible to state that one mechanism is better than the other – they are intended for different scenarios
→ Variety of security mechanisms necessary in the Internet!
