
CCM4332

Lecture 9

SSL

Objectives
Introduction to the design of network security
protocols, based on the Internet security
protocols SSL/TLS.


Overview: Network Security Protocols


A number of approaches to providing network security are
possible. They differ in their scope of applicability and in
where they sit within the TCP/IP protocol stack (at the IP
layer, above TCP, or inside the application itself).

SSL/TLS Overview
SSL = Secure Sockets Layer.
Unreleased v1, flawed but useful v2, good v3.
(All of these are now deprecated: SSLv2 by RFC 6176, SSLv3 by RFC 7568,
and TLS 1.0/1.1 by RFC 8996. New deployments should enable TLS 1.2 or later.)
TLS = Transport Layer Security [RFC 2246].
TLS 1.0 = SSL 3.0 with minor tweaks (see later); its version number on the wire is 3.1.
SSL/TLS provides security on top of TCP, below the application protocol.
Uses TCP to provide reliable end-to-end transport.
Usually a thin layer between TCP and HTTP.
Applications need to be aware of SSL/TLS (it is not transparent to them).
Widely used in Web browsers and servers to support
secure e-commerce over HTTP (HTTPS).

Secure Sockets Layer - SSL


SSL is not a single protocol but rather two layers of
protocols.
The SSL Record Protocol provides basic security
services to higher-layer protocols (e.g., HTTP).
Three higher-layer protocols are defined as part of SSL
and are used in the management of SSL exchanges:
the Handshake Protocol, the Change Cipher Spec Protocol
and the Alert Protocol.

SSL/TLS Basic Features


SSL Record Protocol: provides a secure,
reliable channel to the second layer.
Second layer carries the SSL Handshake
Protocol, Change Cipher Spec Protocol, Alert
Protocol, HTTP, and other application
protocols.
SSL Handshake Protocol establishes keys for
MAC and encryption at the Record Layer.
Different keys in each direction (client write keys
and server write keys).

SSL Handshake Protocol


Goals
Entity authentication of participants.
Participants are client and server.
Server nearly always authenticated, client more
rarely.
Appropriate for most e-commerce applications.
Establish a fresh, shared secret.
Shared secret used to derive further keys,
for confidentiality and authentication in the SSL
Record Protocol.
Secure ciphersuite negotiation:
encryption and hash algorithms,
authentication and key establishment methods.

Sessions & Connections


Two important concepts of SSL are session and connection.
Session:
Created by the handshake protocol.
Defines a set of cryptographic parameters (encryption
and hash algorithm, master secret, certificates).
Carries multiple connections to avoid repeated use of the
expensive handshake protocol (session resumption).
Connection:
State defined by nonces, secret keys for MAC and
encryption, IVs, sequence numbers.
Keys for many connections are derived from the single master
secret created during the handshake protocol, combined with
fresh nonces for each connection.

SSL Handshake Protocol: Run


We sketch the most common use of SSL:
No client authentication.
Client sends pre_master_secret encrypted under the server's
public encryption key, taken from the server's certificate.
Server is authenticated by its ability to decrypt to obtain
pre_master_secret and construct the correct
Finished message.

Other protocol runs are similar.

SSL Handshake Protocol Run


client                                                      server

  M1: ClientHello                                     -->

  <--   M2: ServerHello, ServerCertChain, ServerHelloDone

  M3: ClientKeyExchange, ChangeCipherSpec, ClientFinished   -->

  <--   M4: ChangeCipherSpec, ServerFinished

M1: ClientHello
Client initiates connection.
Sends client version number.
3.1 for TLS 1.0 (3.0 for SSLv3).

Sends ClientNonce (ClientHello.random).
28 random bytes plus 4 bytes of time (32 bytes in total).

Offers list of ciphersuites:
key exchange and authentication options, encryption
algorithms, hash functions.
E.g. TLS_RSA_WITH_3DES_EDE_CBC_SHA (RSA key transport,
3DES-EDE in CBC mode, HMAC-SHA-1 for the record MAC).
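As an added example (not part of the lecture slides), the Python code below builds the ClientHello described above as it appears on the wire, wrapped in its handshake and record headers, and parses it back on the server side, ending with the server's selection of a single ciphersuite for ServerHello. It uses only the standard library. The function names are this example's own, and the error strings are named after the alerts a server would send in the corresponding situation.

```python
import os
import struct
import time

# Cipher suite code points from RFC 2246 appendix A.5.
TLS_RSA_WITH_NULL_SHA = 0x0002
TLS_RSA_WITH_RC4_128_SHA = 0x0005
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A

CONTENT_TYPE_HANDSHAKE = 22        # record-layer content type
HANDSHAKE_CLIENT_HELLO = 1         # handshake message type
TLS_1_0 = b"\x03\x01"              # TLS 1.0 is "SSL 3.1" on the wire


def make_client_random(now=None):
    """ClientHello.random: 4-byte gmt_unix_time followed by 28 random bytes."""
    if now is None:
        now = int(time.time())
    return struct.pack("!I", now & 0xFFFFFFFF) + os.urandom(28)


def build_client_hello(client_random, cipher_suites, session_id=b""):
    """Encode a ClientHello (RFC 2246 7.4.1.2) inside a handshake and a record header."""
    if len(client_random) != 32 or len(session_id) > 32 or not cipher_suites:
        raise ValueError("illegal_parameter")
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        TLS_1_0                                        # client_version
        + client_random                                # random (32 bytes)
        + bytes([len(session_id)]) + session_id        # session_id<0..32>
        + struct.pack("!H", len(suites)) + suites      # cipher_suites<2..2^16-1>
        + b"\x01\x00"                                  # compression_methods: null only
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_TYPE_HANDSHAKE]) + TLS_1_0 + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a ClientHello record; a ValueError carries the alert a server would send."""
    if len(record) < 5:
        raise ValueError("decode_error")
    ctype, major, minor, rlen = struct.unpack("!BBBH", record[:5])
    hs = record[5:]
    if ctype != CONTENT_TYPE_HANDSHAKE or len(hs) != rlen:
        raise ValueError("unexpected_message")
    if hs[0] != HANDSHAKE_CLIENT_HELLO or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("unexpected_message")
    body = hs[4:]
    pos = 0

    def take(n):
        # Bounds-checked read so a truncated message cannot raise IndexError.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("decode_error")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = tuple(take(2))
    random = take(32)
    session_id = take(take(1)[0])
    suites_len = struct.unpack("!H", take(2))[0]
    if suites_len == 0 or suites_len % 2:
        raise ValueError("illegal_parameter")
    suites = [struct.unpack("!H", take(2))[0] for _ in range(suites_len // 2)]
    compression = list(take(take(1)[0]))
    if pos != len(body):
        raise ValueError("decode_error")
    return {"version": version, "random": random, "session_id": session_id,
            "cipher_suites": suites, "compression_methods": compression}


def server_select_suite(offered, server_preference):
    """ServerHello carries exactly one suite: the server's most preferred one the client offered."""
    for suite in server_preference:
        if suite in offered:
            return suite
    raise ValueError("handshake_failure")


if __name__ == "__main__":
    rec = build_client_hello(make_client_random(), [TLS_RSA_WITH_3DES_EDE_CBC_SHA])
    print(parse_client_hello(rec))
```

Server preference order, not the client's, decides the suite; that is the behaviour a secure negotiation wants so that a client offering a weak suite first cannot pull the server down to it.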

M2: ServerHello, ServerCertChain, ServerHelloDone
Sends server version number.
Sends ServerNonce and SessionID.
Selects a single ciphersuite from the list offered by the client.
Sends ServerCertChain message.
Allows the client to validate the server's public key back to an
acceptable root of trust.
(optional) CertRequest message.
Omitted in this protocol run (no client authentication).
Finally, ServerHelloDone.

M3: ClientKeyExchange, ChangeCipherSpec, ClientFinished
ClientKeyExchange contains the encryption of
pre_master_secret under the server's public key.
ChangeCipherSpec indicates that the client is switching to the
newly negotiated cipher suite and keys for this connection.
Sent using the SSL Change Cipher Spec Protocol (it is not itself
a handshake message).

Optional (only when the client is authenticated):
ClientCertificate, ClientCertificateVerify
messages.
Finally, ClientFinished message.
MAC on all handshake messages sent so far (both sides).
MAC computed using master_secret.

M4: ChangeCipherSpec, ServerFinished
ChangeCipherSpec indicates that the server is
switching to the newly negotiated cipher suite and keys
for this connection.
Sent using the SSL Change Cipher Spec Protocol.

Finally, ServerFinished message.
MAC on all handshake messages sent so far (both sides,
including ClientFinished).
MAC computed using master_secret.
Server can only compute the MAC if it can decrypt
pre_master_secret in M3.

SSL Handshake Protocol Run: Questions

1. Is the client authenticated to the server in this protocol run?
No! No ClientCertificate or ClientCertificateVerify was sent, so the
server learns nothing about who the client is.

2. Can an adversary learn the value of pre_master_secret?
No! The client has validated the server's public key; to learn
pre_master_secret the server's private key is needed to decrypt
ClientKeyExchange.
(Caveat: RSA key transport gives no forward secrecy. An adversary who
records the traffic and later obtains the server's private key can
decrypt ClientKeyExchange retrospectively and recover pre_master_secret,
master_secret and every key derived from it.)

3. Is the server authenticated to the client?
Yes! ServerFinished includes a MAC over the handshake messages (and hence
both nonces) computed using a key derived from pre_master_secret, which
only the holder of the server's private key can obtain.

SSL/TLS Applications
Secure e-commerce using SSL/TLS.
Client authentication is not needed until the client
decides to buy something.
SSL provides a secure channel for sending credit
card information.
Client is authenticated using the credit card information
(at the application level, not by SSL); the merchant bears
(most of) the risk.
Widely deployed (de-facto standard).

Secure Sockets Layer: Session State

A session state is defined by:
Session identifier: an arbitrary byte sequence chosen
by the server to identify an active or resumable session state.
Peer certificate: an X.509v3 certificate of the peer (may be null).
Compression method.
Cipher spec: the data encryption algorithm and the hash algorithm
used for the MAC.
Master secret: 48-byte secret shared between the client and server.
Is resumable: a flag indicating whether the session can
be used to initiate new connections.

Secure Sockets Layer: Connection State

A connection state is defined by:
Server and client random numbers (the nonces from the Hello messages).
Client/Server write MAC secret: the secret key used in
MAC operations on data sent by the client/server.
Client/Server write key: the key the client/server uses for
encryption of data it sends.
Initialization vectors: for CBC-mode ciphers.
Sequence numbers: each party maintains separate
sequence numbers for transmitted and received
messages for each connection. When a party sends or
receives a change cipher spec message, the appropriate
sequence number is set to zero.

SSL Record Protocol

The SSL Record Protocol provides two services for
SSL connections:
Confidentiality: the Handshake Protocol defines a
shared secret key that is used for conventional (symmetric)
encryption of SSL payloads.
Message integrity: the Handshake Protocol also
defines a shared secret key that is used to form a message
authentication code (MAC).

SSL Record Protocol

The Record Protocol takes an application message to be transmitted,
fragments the data into manageable blocks, optionally compresses the
data, applies a MAC, encrypts, adds a header, and transmits the
resulting unit in a TCP segment.

SSL Record Protocol

Fragmentation: each upper-layer message is
fragmented into blocks of at most 2^14 bytes (16384 bytes).
Compression can be applied (optional; null compression is the default).
The compressed message plus the MAC are
encrypted using symmetric encryption (AES,
IDEA, DES, 3DES in CBC mode, or the RC4 stream cipher).

SSL Record Protocol HEADER

The final step of the SSL Record Protocol is to
prepend a 5-byte header:
Content Type (8 bits): the higher-layer protocol used
to process the enclosed fragment
(change_cipher_spec = 20, alert = 21, handshake = 22,
application_data = 23).
Major Version (8 bits): indicates the major version of SSL
in use. For SSLv3 and TLS the value is 3.
Minor Version (8 bits): indicates the minor version in use.
For SSLv3 the value is 0, for TLS 1.0 it is 1.
Compressed Length (16 bits): the length in bytes of
the plaintext fragment (or compressed fragment if
compression is used), plus the MAC and any padding once encrypted.
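The following Python code is an added example, not part of the lecture slides, that walks an application message through the Record Protocol steps described above: fragmentation into 2^14-byte blocks, the TLS 1.0 record MAC keyed with a write MAC secret and covering the sequence number, and the 5-byte header. Encryption is the NULL cipher (as in the real TLS_RSA_WITH_NULL_SHA suite) so that the example runs with the standard library alone; compression is omitted. The class names, the demo() function and its 20-byte MAC secrets are constructed for this example.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14                      # 16384-byte fragments (RFC 2246 6.2.1)
CONTENT_TYPE_APPLICATION_DATA = 23
TLS_1_0 = b"\x03\x01"
MAC_LEN = hashlib.sha1().digest_size        # 20 bytes for the *_SHA suites


def record_mac(mac_secret, seq_num, ctype, fragment):
    """TLS 1.0 record MAC (RFC 2246 6.2.3.1):
    HMAC(MAC_write_secret, seq_num || type || version || length || fragment).
    The 64-bit sequence number is implicit (never sent) but authenticated."""
    header = struct.pack("!QB", seq_num, ctype) + TLS_1_0 + struct.pack("!H", len(fragment))
    return hmac.new(mac_secret, header + fragment, hashlib.sha1).digest()


class RecordWriter:
    """Sender side of one direction: fragment, MAC, encrypt, prepend header.
    NULL cipher: 'encryption' is the identity, so the record body is fragment || MAC."""

    def __init__(self, mac_write_secret):
        self.mac_secret = mac_write_secret
        self.seq_num = 0            # set to zero when ChangeCipherSpec is sent

    def send(self, ctype, data):
        fragments = [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]
        records = []
        for fragment in fragments:
            body = fragment + record_mac(self.mac_secret, self.seq_num, ctype, fragment)
            records.append(bytes([ctype]) + TLS_1_0 + struct.pack("!H", len(body)) + body)
            self.seq_num += 1
        return records


class RecordReader:
    """Receiver side: parse the header, then check the MAC under the expected sequence number."""

    def __init__(self, mac_write_secret):
        self.mac_secret = mac_write_secret
        self.seq_num = 0

    def receive(self, record):
        """Return ("ok", fragment) or (alert_name, None). A real implementation sends
        the named fatal alert and tears the connection down instead of continuing."""
        if len(record) < 5:
            return ("decode_error", None)
        ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
        body = record[5:]
        if len(body) != length or length < MAC_LEN:
            return ("decode_error", None)
        fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        expected = record_mac(self.mac_secret, self.seq_num, ctype, fragment)
        if not hmac.compare_digest(tag, expected):
            return ("bad_record_mac", None)   # wrong key, tampering, replay or reordering
        self.seq_num += 1
        return ("ok", fragment)


def demo():
    """Constructed scenario: the client sends 40000 bytes of application data."""
    client_write_mac_secret = bytes(range(20))        # constructed; comes from key_block in practice
    server_write_mac_secret = bytes(range(20, 40))    # the other direction uses a different key
    writer = RecordWriter(client_write_mac_secret)
    reader = RecordReader(client_write_mac_secret)
    records = writer.send(CONTENT_TYPE_APPLICATION_DATA, b"A" * 40000)
    results = [reader.receive(r) for r in records]
    replay = reader.receive(records[0])                 # reader's seq_num has moved past 0
    tampered = bytearray(records[0])
    tampered[7] ^= 1                                    # flip one bit inside the fragment
    return {
        "fragment_lengths": [len(r) - 5 - MAC_LEN for r in records],
        "all_ok": all(status == "ok" for status, _ in results),
        "replay": replay[0],
        "tampered": RecordReader(client_write_mac_secret).receive(bytes(tampered))[0],
        "wrong_direction": RecordReader(server_write_mac_secret).receive(records[0])[0],
    }


if __name__ == "__main__":
    print(demo())
```

Because the sequence number is inside the MAC input, a replayed or reordered record fails verification exactly like a tampered one, which is why the slide's Alert Protocol has a single bad_record_mac alert for all of these cases.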

SSL Record Protocol HEADER
[Figure: layout of the record header (content type, major version, minor version, length) followed by the encrypted fragment and MAC.]

Change Cipher Spec Protocol

This protocol consists of a single message
which consists of a single byte with the
value 1.
This message causes the pending state (negotiated by the
handshake) to be copied into the current state, which
updates the cipher suite and keys to be used on this
connection, and resets the sequence number to zero.

Alert Protocol
The Alert Protocol is used to convey SSL-related
alerts to the peer entity.
Alert messages are compressed and encrypted,
as specified by the current state.
Each message consists of two bytes.
The first byte takes the value warning(1) or fatal(2).
The second byte contains a code that indicates the
specific alert.

If the level is fatal, SSL immediately terminates
the connection and invalidates the session identifier,
so no new connections can be resumed from that session.
Other connections already open on the same
session may continue.

Alert Protocol
Some alerts that are always fatal:
bad_record_mac
decompression_failure
handshake_failure
illegal_parameter
unexpected_message

Other alerts (may be sent as warnings):
no_certificate (SSLv3 only)
unsupported_certificate
certificate_revoked
certificate_expired

Creation of a Shared Master Secret

The shared master secret is a one-time 48-byte
value generated for this session by means of secure
key exchange.
The creation is in two stages:
1. A pre_master_secret is exchanged.
2. The master_secret is calculated by both parties from
pre_master_secret and the client and server nonces.

For the pre_master_secret exchange there are two
possibilities:
RSA: the client generates pre_master_secret, encrypts it
under the server's public key and sends it in ClientKeyExchange.
Diffie-Hellman: both parties contribute a DH value and
pre_master_secret is the shared DH result (with ephemeral
DH parameters this also gives forward secrecy, which RSA
key transport does not).

Generation of Cryptographic
Parameters
CipherSpecs require
a client write MAC secret,
a server write MAC secret,
a client write key,
a server write key,
a client write IV,
a server write IV (IVs are needed only for CBC-mode ciphers).

These parameters are generated from the
master secret by hashing the master secret, together
with the client and server nonces, into a sequence of
secure bytes (the key block) of sufficient length for all
needed parameters, which is then partitioned in the
order above.
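The following Python code is an added example (not from the lecture slides) that ties together the handshake run M1 to M4 with its three questions and the two slides above on master secret creation and parameter generation. It implements the TLS 1.0 PRF, master_secret and key_block derivation and Finished verification as specified in RFC 2246, using only the standard library. What it does not implement is the RSA encryption of pre_master_secret and the exact message encodings: the transcript bytes are placeholders, and run_handshake and its server_has_private_key flag are this example's own names. With the flag set to False the "server" models an impostor who presented the certificate but cannot decrypt ClientKeyExchange and so must guess pre_master_secret.

```python
import hashlib
import hmac
import os


def p_hash(hash_fn, secret, seed, length):
    """P_hash from RFC 2246 section 5: HMAC iterated until 'length' bytes are produced."""
    out, a = b"", seed                                          # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_fn).digest()               # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_fn).digest()     # HMAC(secret, A(i) || seed)
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash(hashlib.md5, s1, label + seed, length)
    sha_part = p_hash(hashlib.sha1, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def master_secret(pre_master_secret, client_random, server_random):
    """Stage 2 of master secret creation: 48 bytes, computed identically by both parties."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, mac_len=20, key_len=24, iv_len=8):
    """Expand the master secret into the six connection-state parameters.
    Defaults match TLS_RSA_WITH_3DES_EDE_CBC_SHA (HMAC-SHA1, 3DES key, 8-byte CBC IV).
    Note the seed order: server_random first, the reverse of master-secret derivation."""
    needed = 2 * (mac_len + key_len + iv_len)
    material = prf(master, b"key expansion", server_random + client_random, needed)
    layout = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    params, pos = {}, 0
    for name, size in layout:
        params[name] = material[pos:pos + size]
        pos += size
    return params


def finished_verify_data(master, label, handshake_messages):
    """Finished.verify_data = PRF(master_secret, label, MD5(msgs) || SHA-1(msgs))[0..11]."""
    digests = hashlib.md5(handshake_messages).digest() + hashlib.sha1(handshake_messages).digest()
    return prf(master, label, digests, 12)


def run_handshake(server_has_private_key=True):
    """Key schedule and Finished checks for the M1..M4 run (RSA key transport modelled, not done)."""
    client_random = os.urandom(32)                     # M1 ClientNonce
    server_random = os.urandom(32)                     # M2 ServerNonce
    pre_master = b"\x03\x01" + os.urandom(46)          # client_version || 46 random bytes
    # Placeholder transcript; real handshake_messages are the encoded M1..M3 bodies.
    transcript = b"ClientHello" + client_random + b"ServerHello" + server_random + b"ClientKeyExchange"

    client_ms = master_secret(pre_master, client_random, server_random)
    client_finished = finished_verify_data(client_ms, b"client finished", transcript)

    # An impostor without the private key cannot decrypt ClientKeyExchange and must guess.
    server_view = pre_master if server_has_private_key else b"\x03\x01" + os.urandom(46)
    server_ms = master_secret(server_view, client_random, server_random)
    server_accepts = hmac.compare_digest(
        finished_verify_data(server_ms, b"client finished", transcript), client_finished)

    transcript += client_finished                      # ServerFinished also covers ClientFinished
    server_finished = finished_verify_data(server_ms, b"server finished", transcript)
    client_accepts = hmac.compare_digest(
        finished_verify_data(client_ms, b"server finished", transcript), server_finished)

    return {
        "server_accepts_client_finished": server_accepts,
        "client_accepts_server_finished": client_accepts,
        "client_keys": key_block(client_ms, client_random, server_random),
        "server_keys": key_block(server_ms, client_random, server_random),
    }


if __name__ == "__main__":
    print("honest server:", run_handshake(True)["client_accepts_server_finished"])
    print("impostor     :", run_handshake(False)["client_accepts_server_finished"])
```

The honest run yields identical key blocks on both sides with distinct keys per direction; the impostor run shows that without pre_master_secret the ServerFinished value does not verify, which is exactly how the client authenticates the server in this protocol run.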

Summary
SSL: a two-layered, popular protocol for Web security.
Session and connection.
Handshake, Change Cipher Spec, Alert and Record protocols.