Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Security
(SSL / TLS, SSH)
Chapter 17 of Stallings
Web Security
Web Security
Confidentiality
eavesdropping on the net
can be prevented by encryption
Authentication
impersonation, data forgery
we will see some cryptographic techniques
have seen
this lecture
have seen
and will see
developed by Netscape
version 3 designed with public input
subsequently Internet standardization
effort started at IETF
TLS (Transport Layer Security) working
group established
TLS can be viewed as SSL v3.1 and
compatible with SSL v3
SSL session
an association between client and server
define a set of cryptographic parameters created by the
Handshake Protocol
may be shared by multiple SSL connections
SSL connection
a transient, peer-to-peer, secure communication link
associated with (derived from) a SSL session
A session is used several times to create connections
Session identifier
chosen by server
Peer certificate
certificate of the peer entity (servers if the entity is client, clients if the
entity is server)
may be null (which is the likely case for server)
Compression method
algorithm used for compression
Cipher Spec
bulk data encryption algorithm (AES, etc.) - may be null (rarely)
hash algorithm used in MAC calculation (MD5 or SHA-1 or SHA-2)
Master Secret
48-bytes secret shared between client and server
Is resumable
a flag that is set if the session can be used later for new connections
numbers
secret
encryption key
initialization vector
if CBC mode is used
confidentiality
AES, IDEA, DES, 3DES, RC4, etc.
message integrity
using a MAC with shared secret key
similar to HMAC but pads are concatenated rather than
XORed
header fields
content type (higher layer protocol)
change_cipher_spec, alert, handshake, application data
version
compressed length (or plaintext length if no compression) of the fragment
Record Protocol
Payload
Alert Protocol
Handshake Protocol
Handshake Protocol
a
4. Finish
Handshake message format
Message types
Handshake
Protocol
session ID
nonzero means client wants to use an existing session state for a new
connection state (abbreviated handshake); zero means new
connection on a new session
session ID
if client offered one and it is also supported by server, then
the same ID (abbreviated handshake)
otherwise a new ID assigned by server
Ephemeral DH
server and client certificates contain RSA or DSS public keys
server creates DH parameters (used one-time) and signs by its
private key. For client, see later.
Anonymous DH
no certificates, no authentication, just send out DH parameters
vulnerable to man-in-the-middle-attacks
Cipher type
stream or block
IV size
size of the init. vector for CBC mode
Ephemeral DH
same as anon-DH plus a signature on them
Certificate types
fixed DH (certificate may be signed with RSA or DSS)
ephemeral DH (certificate may contain RSA or DSS key)
signature only (not used for key exchange but for auth.)
Certificate may contain RSA or DSS key
Clients Certificate
is sent if requested and available
fixed-DH
client DH parameters are in client certificate, so key exchange
message is null
Anon or ephemeral DH
Client DH parameters and DH public key are sent
no signature even for ephemeral DH
Finished message
a MAC on exchanged handshake messages using
the master secret
to verify that handshake is successful and both
parties have the same master secret
clients finished is verified by server and vice versa
the connection state of the record protocol that
encrypts and MACs the finished message is the
new one
so this is also verification of all the keys that are recently
created
Master Secret
48-byte value generated for a session
Generation of cryptographic
parameters
key_block =
MD5(master_secret ||
ServerHello.random
MD5(master_secret ||
ServerHello.random
MD5(master_secret ||
ServerHello.random
SHA('A' || master_secret ||
|| ClientHello.random)) ||
SHA('BB' || master_secret ||
|| ClientHello.random)) ||
SHA('CCC' || master_secret ||
|| ClientHello.random)) || [...]
Abbreviated Handshake
Version number
record format is the same, but the major version 3,
minor version 3 (v3.3)
MAC
TLS uses HMAC with pads XORed (unlike SSL
where pads are appended)
HTTPS
encrypts
URL, document contents, form data, cookies, HTTP
headers
connection closure
have Connection: close in HTTP headers
which normally causes to close the TCP connection
but there is SSL/TLS protocols between HTTP and
TCP
thus, SSL/TLS should control connection closure at
TCP level
Also provides
forward secrecy
Server authentication
PKC operation using the host key pair (public/private)
A server may have different host keys
Clients should know the public host keys of the server
May keep in a database
May obtain in a cerificate
Or just use it without any guarantee (the mostly used method)
but vulnerable to MitM attacks
Packet exchange
establish TCP connection
can then exchange data
identification string exchange, algorithm negotiation, key
exchange, end of key exchange, service request
SSH Transport
Layer Protocol
Packet
Exchanges
Identification string exchange
To know which SSH version,
which SSH implementation
Algorithm Negotitation
For the crypto algorithms
(key exchange, encryption,
MAC) and compression algo.
A list in the order of
preference of the client
For each category, the
algorithm chosen is the first
algorithm on the client's list
that is also supported by the
server.
key exchange
SSH Transport
Layer Protocol
Packet
Formation
authentication methods
public-key
Client signs a message and server verifies
password
Client sends pasword which is encrypted and MACed using the
keys agreed
SSH
Connection
Protocol
Exchange