Secure Socket Layer (SSL) Handshake Protocol
Lehrstuhl für Informatik 4, Kommunikation und verteilte Systeme
Chapter 3.2: Transport Layer – SSL/TLS

Outline

Chapter 2: Security Techniques Background
Chapter 3: Security on Network and Transport Layer
• Network Layer: IPSec
• Transport Layer: SSL/TLS
Chapter 4: Security on the Application Layer
Chapter 5: Security Concepts for Networks

3.2: Transport Layer: SSL/TLS
• Secure Socket Layer (SSL)
• Transport Layer Security (TLS) Protocol

Secure Socket Layer (SSL)

SSL, initially developed by Netscape, provides authentication, data integrity, and privacy between two applications (not complete hosts as in IPSec).
• SSL is located on top of TCP/IP and has become a de-facto standard for security-sensitive applications over intranets or the Internet
• Most widely used as secure transport layer for HTTP traffic, e.g. e-commerce
• Version 3.1 of SSL is known as TLS
• Special port numbers are assigned to applications which use SSL, e.g. https = 443, telnets = 992

SSL comprises four mechanisms:
• SSL Handshake Protocol (authentication, negotiates an encryption algorithm and cryptographic keys)
• SSL Record Protocol (data encryption and compression)
• SSL Change Cipher Spec (signals the beginning of encryption)
• SSL Alert Protocol (reaction to error situations)

Handshake Protocol

Responsible for “secure session establishment” between two applications.

Session means:
• Association between a client and a server
• Can comprise several connections
• Definition of encryption and compression algorithms for these connections
• Contains a “master secret” for all connections (from which keys for the connections are generated)

The handshake protocol has the following tasks:
1.) Negotiation of an encryption algorithm
2.) Mutual authentication
3.) Key exchange

Session Establishment

Message flow shown in the figure:
Alice → Bob: client_hello, cipher suites, RA
Bob → Alice: certificate, cipher suite, RB
Alice → Bob: {S}B, hash of K and the handshake messages
Bob → Alice: keyed hash of the handshake messages

Hello message of Alice, including:
• A set of possible encryption and compression algorithms (start of negotiation)
• A random number RA

Answer message of Bob, including:
• Certificate of Bob (authentication, often RSA)
• Chosen algorithms (end of negotiation, often 3DES)
• A random number RB

Alice chooses a random number S, computes a master secret K = f(S, RA, RB) and sends to Bob:
• S encrypted with Bob’s public key
• A hash (MD5) of K and the preceding messages, to prove that she knows K and that K corresponds to this handshake

Bob responds with a hash of the preceding messages, encrypted with a key generated from K, RA, and RB.

Session Keys and Change Cipher Spec

K, RA, and RB are used to generate 6 keys:
• Two keys for encryption
• Two keys for integrity
• Two keys as initialization vectors

The two keys of each kind are used to treat the two communication directions differently, e.g. for encryption:
• Alice does encryption with her so-called write key and decryption with her read key
• Bob also has a write and a read key, but his write key is Alice’s read key and vice versa
• Same for integrity

At the end of the handshake:
• Together with the last message, Bob sends a change cipher spec
• Only one byte, signaling that all following messages are now encrypted with the mechanism/keys from the handshake phase

Record Protocol

Responsible for encryption and compression of all messages following the change cipher spec, as follows:
1. Break down the data to be transferred into blocks of fixed length
2. Compression
3. Append a Message Authentication Code (MAC) computed with the integrity key
4. Encryption using the encryption key
5. Add SSL header which contains:
• Content Type (e.g. HTTPS)
• Protocol Version Number
• Length
• Sequence Number

Alert Protocol

Only needed in case of errors – defines error messages and actions to be taken.

Level 1: Warning
• No special actions defined
• May be displayed to the user

Level 2: Fatal
• Connection will be closed
• No more connections are opened within the current session
• Examples are: unexpected message, bad record MAC, decryption/decompression failure, handshake failure

Transport Layer Security (TLS)

TLS in its basic version is SSLv3.1 with some additions:
• Addition of Kerberos Cipher Suites
• Upgrading to TLS Within HTTP/1.1 to change to encryption within an existing TCP connection
• HTTP Over TLS for separating secure and insecure traffic
• Addition of AES
• Addition of new alert messages

Comparison IPSec and SSL

IPSec:
• Network Layer
• Implemented transparently for the user
• Can be automated
• Central management

SSL:
• Transport Layer
• Interaction with the user (e.g. acceptance of certificates)
• Management by application or user

Independent of certain mechanisms (encryption, compression, hash...)

Conclusion: it is impossible to state that one mechanism is better than the other – they are intended for different scenarios
→ Variety of security mechanisms necessary in the Internet!
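
Added example (not part of the original slides) for the "Session Establishment" and "Session Keys" slides: the slides leave f unspecified, so this sketch uses the SSL 3.0 derivation documented in RFC 6101 to turn S, RA and RB into K and then into the six per-direction values. Function names and the sample inputs are this example's own; the default sizes assume a 3DES-CBC / SHA-1 suite.

```python
import hashlib
import os

def ssl3_expand(secret: bytes, seed: bytes, n: int) -> bytes:
    """SSL 3.0 expansion: MD5(secret + SHA1(label + secret + seed)) blocks,
    with labels 'A', 'BB', 'CCC', ... until n bytes are available."""
    out, i = b"", 0
    while len(out) < n:
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:n]

def master_secret(s: bytes, ra: bytes, rb: bytes) -> bytes:
    # K = f(S, RA, RB): 48 bytes, seeded with Alice's random, then Bob's
    return ssl3_expand(s, ra + rb, 48)

def session_keys(k: bytes, ra: bytes, rb: bytes, mac_len=20, key_len=24, iv_len=8):
    """Cut the key block into two integrity keys, two encryption keys, two IVs."""
    block = ssl3_expand(k, rb + ra, 2 * (mac_len + key_len + iv_len))
    names = ["client_mac", "server_mac", "client_key", "server_key",
             "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def view(keys: dict, role: str):
    """(write_key, read_key, write_mac, read_mac) as seen by 'alice' or 'bob'."""
    me, peer = ("client", "server") if role == "alice" else ("server", "client")
    return (keys[me + "_key"], keys[peer + "_key"],
            keys[me + "_mac"], keys[peer + "_mac"])

if __name__ == "__main__":
    # Constructed sample values: S is Alice's secret, RA/RB the hello randoms
    S, RA, RB = os.urandom(48), os.urandom(32), os.urandom(32)
    keys = session_keys(master_secret(S, RA, RB), RA, RB)
    alice, bob = view(keys, "alice"), view(keys, "bob")
    print("Alice write key == Bob read key:", alice[0] == bob[1])
    print("Alice read key == Bob write key:", alice[1] == bob[0])
```

Because both sides run the same derivation over the same S, RA and RB, no key ever crosses the wire; only S does, encrypted under Bob's public key.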
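
Added example (not part of the original slides) for the "Record Protocol" and "Alert Protocol" slides: a sender that fragments, compresses, MACs, encrypts and frames data, and a receiver that treats any MAC mismatch as the fatal bad record MAC case. Assumptions: HMAC-SHA256 and a SHA-256 counter keystream stand in for the negotiated MAC and cipher, the header carries type, version and length, and the sequence number is a counter each side keeps and feeds into the MAC; all names are hypothetical.

```python
import hashlib
import hmac
import struct
import zlib

class BadRecordMac(Exception):
    """Stands for the fatal bad record MAC alert: the connection is closed."""

def keystream_xor(key: bytes, seq: int, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 in counter mode), NOT a real suite's 3DES/AES
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + struct.pack(">QI", seq, ctr)).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def record_mac(mac_key: bytes, seq: int, ctype: int, body: bytes) -> bytes:
    # The MAC covers sequence number, content type and length as well as the data
    meta = struct.pack(">QBH", seq, ctype, len(body))
    return hmac.new(mac_key, meta + body, hashlib.sha256).digest()

def protect(data, enc_key, mac_key, seq=0, ctype=23, version=(3, 0), frag=16384):
    """Steps 1-5 of the slide; ctype 23 is application data."""
    records = []
    for off in range(0, len(data), frag):                      # 1. fragment
        body = zlib.compress(data[off:off + frag])             # 2. compress
        mac = record_mac(mac_key, seq, ctype, body)            # 3. append MAC
        sealed = keystream_xor(enc_key, seq, body + mac)       # 4. encrypt
        header = struct.pack(">BBBH", ctype, *version, len(sealed))
        records.append(header + sealed)                        # 5. add header
        seq += 1
    return records

def unprotect(record, enc_key, mac_key, seq):
    """Receiver: undo the steps in reverse order; a failed check is fatal."""
    ctype, _major, _minor, length = struct.unpack(">BBBH", record[:5])
    if length != len(record) - 5 or length < 32:
        raise BadRecordMac("truncated record")
    plain = keystream_xor(enc_key, seq, record[5:])
    body, mac = plain[:-32], plain[-32:]
    if not hmac.compare_digest(mac, record_mac(mac_key, seq, ctype, body)):
        raise BadRecordMac("MAC check failed")
    return zlib.decompress(body)

if __name__ == "__main__":
    ek, mk = b"E" * 32, b"M" * 32          # constructed sample keys
    recs = protect(b"hello over the record layer", ek, mk)
    print(unprotect(recs[0], ek, mk, 0))
```

Because the counter is part of the MAC input, a record that is replayed or delivered out of order fails the same check as one that was modified in transit.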