SSL
Outline
Web Security Considerations
Secure Socket Layer (SSL) and Transport Layer
Security (TLS)
Secure Electronic Transaction (SET)
Attacks in SSL
Threat overview (figure): where attacks land
Client: active content (Java, JavaScript, ActiveX, DCOM)
Server (multi-user): a shared host serving many users
Transmission security: passive sniffing (eavesdropping); active spoofing and masquerading; interception; replay and fabrication; denial of service
E-Commerce Security
Authorization, access control: protect the intranet from the hordes outside: firewalls
Authentication: both parties prove their identity before starting the transaction: digital certificates
Non-repudiation: proof that the document originated from you and you only: digital signature, backed by a certification authority
Henric Johnson
Authentication
Collect user ID information from end users (logging in), usually by means of a browser dialog or login form; user ID information normally means a username and password.
Verify the ID and password against backend realms (the security database). Realms maintain usernames, passwords, roles, etc., and can be organized as LDAP, an RDBMS, a flat file, etc.
Validation: the web server checks whether the collected user ID and password match those in the realm. The realm should store only a salted, slow hash of each password, never the password itself, so that a leaked realm does not hand out usable credentials.
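The validation step against a flat-file realm, as an added example (not code from the original slides or from any particular web server). The realm line format "name:salt_hex:digest_hex:role", the PBKDF2 parameters and the two sample accounts are assumptions made for this example; the point is that the realm holds only salted PBKDF2 digests, that an unknown username costs the same work as a known one, and that the comparison is constant-time.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # PBKDF2 work factor; raise it as hardware allows


def pbkdf2_hex(password: str, salt: bytes) -> str:
    """Salted, slow password hash: the only per-user secret the realm stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS).hex()


def make_realm(users: dict) -> str:
    """Build the flat-file realm text; users maps name -> (password, role).
    The line format 'name:salt_hex:digest_hex:role' is an assumption of this example."""
    lines = []
    for name, (password, role) in users.items():
        salt = os.urandom(16)                     # fresh salt per user defeats precomputed tables
        lines.append(f"{name}:{salt.hex()}:{pbkdf2_hex(password, salt)}:{role}")
    return "\n".join(lines) + "\n"


def load_realm(text: str) -> dict:
    """Parse the flat file into {name: (salt, digest_hex, role)}."""
    realm = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, salt_hex, digest_hex, role = line.split(":")
        realm[name] = (bytes.fromhex(salt_hex), digest_hex, role)
    return realm


# Dummy record so that an unknown username costs the same PBKDF2 work as a known one
_DUMMY_SALT = bytes(16)
_DUMMY_DIGEST = pbkdf2_hex("not-a-real-password", _DUMMY_SALT)


def authenticate(realm: dict, username: str, password: str):
    """Validation step: return the user's role on success, None on failure."""
    salt, digest_hex, role = realm.get(username, (_DUMMY_SALT, _DUMMY_DIGEST, None))
    candidate = pbkdf2_hex(password, salt)
    # constant-time comparison: a byte-by-byte mismatch must not be observable in timing
    ok = hmac.compare_digest(candidate, digest_hex)
    return role if ok and username in realm else None


# Constructed sample realm; these accounts exist only for this example
REALM = load_realm(make_realm({
    "alice": ("correct horse battery staple", "admin"),
    "bob": ("hunter2", "user"),
}))

if __name__ == "__main__":
    print(authenticate(REALM, "alice", "correct horse battery staple"))  # admin
    print(authenticate(REALM, "alice", "wrong"))                         # None
```

The realm text produced by make_realm contains no password, only salts and digests, which is what a practitioner should expect to find when a realm file leaks.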
A Sample Certificate
This is a certificate issued by Ace CA:
Data
  Version: v1 (0x0)
  Serial Number: 1 (0x1)
  Signature Algorithm: PKCS #1 MD5 With RSA Encryption
  Issuer: OU=Ace Certificate Authority, O=Ace Ltd, C=US
  Validity: Not Before: Fri Nov 15 00:24:11 1996
            Not After: Sat Nov 15 00:24:11 1997
  Subject: CN=Jane Doe, O=Ace Industry, C=US
  Subject Public Key Info:
    Algorithm: PKCS #1 RSA Encryption
    Public Key:
      00:d0:e5:60:7c:82:19:14:cf:38:f7:5b:f7:35:4e:14:41:2b:ec:24:
      33:73:be:06:aa:3d:8b:dc:0d:06:35:10:92:25:da:8c:c3:ba:b3:d7:
      1f:1d:5a:50:6f:9a:86:53:15:f2:53:63:54:40:88:a2:3f:53:11:ec:
      68:fa:e1:f2:57
    Public Exponent: 65537 (0x10001)
Signature
  Algorithm: PKCS #1 MD5 With RSA Encryption
  Signature:
    12:f6:55:19:3a:76:d4:56:87:a6:39:65:f2:66:f7:06:f8:10:de:cd:
    1f:2d:89:33:90:3d:a7:e3:ec:27:ac:e1:c0:29:c4:5a:69:17:51:dc:
    1e:0c:c6:5f:eb:dc:53:55:77:01:83:8f:4a:ab:41:46:02:d7:c8:9a:
    fe:7a:91:5c
Note what dates this example: a version 1 certificate (no extensions, hence no subjectAltName), a 512-bit RSA key and an MD5-with-RSA signature. A current browser rejects all three; today's certificates are v3 with SAN names, 2048-bit RSA or ECDSA keys, and SHA-256 signatures.
In Real World
1. The browser connects to SSL port 443 on the web server; browser and server exchange Hello messages to agree on the key-exchange method, encryption algorithm, etc.
2. The web server sends back its SSL certificate; the web browser decides whether it trusts the web server's SSL certificate.
3. Web browser and web server both calculate a session key by the agreed key-generation method.
4. Web browser and web server protect the rest of the session with the encryption cipher they negotiated.
CA Root Certificate
The web browser needs the root certificate of the CA that issued the SSL certificate to the web server in order to verify that the web server is trustworthy.
If the browser does not have, or does not trust, the CA root certificate, most web browsers will warn you.
What is SSL/TLS?
Transport Layer Security protocol, version 1.0
De facto standard for Internet security
The primary goal of the TLS protocol is to provide privacy and
data integrity between two communicating applications
In practice, used to protect information transmitted between
browsers and Web servers
Application-Level Protection
SSL/TLS sits between the application and transport layers (figure): application (email, Web, NFS); presentation and session (RPC); transport (TCP); network (IP); data link and physical (802.11). SSL/TLS runs above TCP and below the application protocol it protects.
SSL 2.0
Published by Netscape, November 1994
Several weaknesses (listed below)
SSL 3.0
Designed by Netscape and Paul Kocher, November 1996
TLS 1.0
Internet standard based on SSL 3.0 (RFC 2246), January 1999
Not directly interoperable with SSL 3.0: they are distinct protocol versions, and an implementation negotiates one or the other
TLS uses the standard HMAC construction where SSL 3.0 used an ad hoc keyed hash; like SSL, it is not tied to port 443 and can run on any port
TLS Basics
TLS consists of two protocols
Familiar pattern for key exchange protocols
Handshake protocol
Use public-key cryptography to establish a shared
secret key between the client and the server
Record protocol
Use the secret key established in the handshake
protocol to protect communication between the
client and the server
SSL protocol stack (figure): the SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol, and HTTP or other application protocols all run on top of the SSL Record Protocol, which runs on top of TCP.
SSL Handshake (figure; * marks optional messages)
Client to Server: ClientHello
Server to Client: ServerHello, Certificate (present server certificate), ServerKeyExchange, *CertificateRequest (request client certificate), ServerHelloDone
Client to Server: *Certificate (present client certificate), ClientKeyExchange, *CertificateVerify, ChangeCipherSpec (switch to the negotiated cipher), Finished
Server to Client: ChangeCipherSpec, Finished
Both: Application Data
ClientHello (from the RFC)
struct {
    ProtocolVersion client_version;        /* highest version of the protocol supported by the client */
    Random random;
    SessionID session_id;                  /* set if the client wants to resume an old session */
    CipherSuite cipher_suites;             /* set of cryptographic algorithms supported by the client (e.g., RSA or Diffie-Hellman key exchange) */
    CompressionMethod compression_methods;
} ClientHello;
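The struct above as bytes on the wire, as an added example that is not code from the original slides: an encoder that produces a ClientHello inside a TLS record, a parser that reads one back, and a check on the offered cipher suites. It goes one step beyond the 1999 struct by supporting the server_name (SNI) extension that every modern client sends; the cipher-suite code points are the IANA registry values, and the list of suites treated as weak is this example's own choice.

```python
import os
import struct

# Cipher suite code points from the IANA TLS registry
SUITE_NAMES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
WEAK_SUITES = {0x0000, 0x0003, 0x0004, 0x0005}   # null, export-grade, RC4 (this example's list)


def build_client_hello(cipher_suites, client_version=(3, 3), session_id=b"",
                       server_name=None, client_random=None) -> bytes:
    """Encode one ClientHello inside a TLS record (record-layer version 3.1, as real clients send)."""
    client_random = client_random if client_random is not None else os.urandom(32)
    body = bytes(client_version) + client_random
    body += bytes([len(session_id)]) + session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                            # one compression method: null
    if server_name is not None:                    # SNI extension (RFC 6066), not in the 1999 struct
        host = server_name.encode("idna")
        name_list = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sni = struct.pack("!H", len(name_list)) + name_list
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # ContentType handshake(22)


def parse_client_hello(record: bytes) -> dict:
    """Decode a ClientHello record back into its fields; raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    b = hs[4:4 + hs_len]
    if len(b) != hs_len or len(b) < 35:
        raise ValueError("truncated ClientHello")
    info = {"client_version": (b[0], b[1]), "random": b[2:34]}
    p = 34
    sid_len = b[p]
    p += 1
    info["session_id"] = b[p:p + sid_len]
    p += sid_len
    cs_len = struct.unpack("!H", b[p:p + 2])[0]
    p += 2
    info["cipher_suites"] = [struct.unpack("!H", b[p + i:p + i + 2])[0] for i in range(0, cs_len, 2)]
    p += cs_len
    cm_len = b[p]
    p += 1
    info["compression_methods"] = list(b[p:p + cm_len])
    p += cm_len
    info["server_name"] = None
    if p < len(b):                                 # optional extensions block
        ext_len = struct.unpack("!H", b[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", b[p:p + 4])
            p += 4
            edata = b[p:p + elen]
            p += elen
            if etype == 0x0000 and len(edata) >= 5 and edata[2] == 0:   # server_name, host_name type
                hlen = struct.unpack("!H", edata[3:5])[0]
                info["server_name"] = edata[5:5 + hlen].decode("idna")
    return info


def weak_suites_offered(info: dict) -> list:
    """Names of weak suites the client offered: the 'is the client proposing appropriate ciphersuites?' check."""
    return [SUITE_NAMES.get(s, hex(s)) for s in info["cipher_suites"] if s in WEAK_SUITES]
```

A server (or a passive sensor) that parses ClientHello this way sees, before any key is established, which version and suites a client is willing to accept; a client that still lists RC4 or export suites is the one a downgrade attack can exploit.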
Abstract view of the handshake (figure, in the book's notation)
C to S, ClientHello: Version_c, suite_c, N_c
S to C, ServerHello and ServerKeyExchange: the server's chosen version and suite, its nonce N_s, and its public key K_s (certificate)
C to S, ClientKeyExchange: {Secret_c}_Ks, the client's secret encrypted under the server's public key
If the protocol is correct, C and S share some secret key material (Secret_c) at this point; both then switch to keys derived from Secret_c, N_c and N_s.
The book shows the above protocol, which is the same as the protocol in the previous slide. Find out the correspondence between the different notations that denote the same thing in these two protocols.
SSL 2.0 weaknesses
Truncation attack: an attacker can close the TCP connection and the receiver cannot tell that data is missing
Weak MAC construction
MAC hash uses only 40 bits in export mode
No support for certificate chains or non-RSA algorithms; no renegotiation (new handshake) while a session is open
Chosen-Protocol (Version Rollback) Attacks
Why do people release new versions of security protocols? Because the old version got broken!
The new version must be backward-compatible, because not everybody upgrades right away, so an attacker in the middle can try to make both sides fall back to the broken old version.
Defense: embed the version number into the secret. The ClientKeyExchange sent after ServerHelloDone carries {Version_c, Secret_c}_Ks instead of {Secret_c}_Ks, and the server checks that the version it recovers from the decrypted secret equals the version in the ClientHello it received.
Session resumption
The client sends the old session ID in its ClientHello; if the server still holds that session, both sides derive fresh keys from the stored master secret and the new nonces, so the public-key operation (and the certificate exchange) is avoided.
SSL/TLS Applications
Secure e-commerce using SSL/TLS.
Client authentication not needed until the client decides to buy something.
SSL provides a secure channel for sending credit card information.
Client authenticated using credit card information; the merchant bears (most of) the risk.
Wildly successful (amazon.com, on-line supermarkets, ...).
Some famous disasters (boo.com, webvan), nothing to do with security though.
SSL/TLS Applications
Secure e-commerce: some issues.
No guarantees about what happens to client data (including
credit card details) after session: may be stored on insecure
server.
Does client understand meaning of certificate expiry and
other security warnings?
Does client software actually check complete certificate
chain?
Does the name in certificate match the URL of e-commerce
site? Does the user check this?
Is the site the one the client thinks it is?
Is the client software proposing appropriate ciphersuites?
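Two of the questions above ("does the name in the certificate match the URL?" and "does the client understand certificate expiry?") reduce to checks a client can run itself. The following is an added example, not code from the slides or from any browser: RFC 6125 style hostname matching (wildcard only as the whole leftmost label, never across a dot, never "*.com"), preference of subjectAltName over the CommonName, and a validity-window check. The certificate is passed as a dict shaped like what Python's ssl.SSLSocket.getpeercert() returns; SAMPLE_CERT is constructed for the example and only borrows the Ace CA validity dates.

```python
import ipaddress
from datetime import datetime, timezone


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: case-insensitive, wildcard only as the entire leftmost label,
    a wildcard never matches more than one label, and '*.tld' style patterns are rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, host: str, allow_cn_fallback: bool = False) -> bool:
    """Does the certificate name the host we connected to? `cert` is shaped like the dict from
    ssl.SSLSocket.getpeercert(): 'subjectAltName' (type, value) pairs and 'subject' RDNs."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:                      # IP literals must appear as 'IP Address' SANs, never as DNS names
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in sans)
    dns_names = [v for t, v in sans if t == "DNS"]
    if dns_names:                           # once SANs are present the CommonName is ignored
        return any(hostname_matches(n, host) for n in dns_names)
    if not allow_cn_fallback:               # browsers stopped trusting CN-only certificates in 2017
        return False
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(hostname_matches(n, host) for n in cns)


def cert_time_valid(cert: dict, now_seconds: float) -> bool:
    """Validity window check; 'now' is a parameter so that clock skew can be studied explicitly."""
    fmt = "%b %d %H:%M:%S %Y %Z"           # getpeercert() format, e.g. 'Nov 15 00:24:11 1996 GMT'
    not_before = datetime.strptime(cert["notBefore"], fmt).replace(tzinfo=timezone.utc).timestamp()
    not_after = datetime.strptime(cert["notAfter"], fmt).replace(tzinfo=timezone.utc).timestamp()
    return not_before <= now_seconds <= not_after


# Constructed certificate dict for this example (validity dates borrowed from the Ace CA sample)
SAMPLE_CERT = {
    "subject": ((("commonName", "Jane Doe"),), (("organizationName", "Ace Industry"),)),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"), ("IP Address", "192.0.2.10")),
    "notBefore": "Nov 15 00:24:11 1996 GMT",
    "notAfter": "Nov 15 00:24:11 1997 GMT",
}


def check_server_cert(cert: dict, host: str, now_seconds: float) -> list:
    """Return the list of failed checks (empty means accept); this is what a browser warning summarises."""
    problems = []
    if not cert_matches_host(cert, host):
        problems.append("name mismatch")
    if not cert_time_valid(cert, now_seconds):
        problems.append("outside validity period")
    return problems
```

Chain validation (does the certificate chain to a trusted root, with every intermediate checked) is the third question and needs a signature verifier; it is deliberately not part of this block.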
SSL/TLS Applications
Secure electronic banking.
Client authentication may be enabled using client certificates.
Issues of registration, secure storage of private keys, revocation and re-issue.
Timing attacks: analysis of OpenSSL server response times allowed an attacker on the same LAN segment to derive the server's RSA private key (Brumley and Boneh, 2003). OpenSSL has enabled RSA blinding by default since that result.
E-Commerce
Automation of commercial transactions using
computer and communication technologies
Facilitated by Internet and WWW
Business-to-Business: EDI
Business-to-Consumer: WWW retailing
Some features:
Easy, global access, 24 hour availability
Customized products and services
Back Office integration
Additional revenue stream
E-Commerce Steps
Attract prospects to your site; give them a positive online experience; offer value over traditional retail.
E-Commerce Participants and Problems (figure)
Customer, merchant and the network between them. Problems: a snooper on the network; an unknown customer (the merchant's problem); an unreliable merchant (the customer's problem).
E-Commerce Risks
Customer's risks and merchant's risks.
Server and browser negotiate
Property: cryptographic scheme to be used
Value: specific algorithm to be used
Direction: one-way or two-way security (server-only or mutual authentication)
E-Payments: Atomicity
Money atomicity: no creation or destruction of money when it is transferred
Goods atomicity: no payment without goods and vice versa, e.g. pay on delivery of the parcel
Anonymity of purchaser
Electronic Cheques
NetCheque
Anonymous payments
Digicash
CAFE
Micropayments
SmartCards
First virtual
Cybercash
Customer opens an account with CyberCash, gives a credit card number and gets a PIN
Special software on the customer side sends PIN, signature and transaction amount to the merchant
Merchant forwards to the CyberCash server, which completes the credit card transaction
Pros: credit card number not shown to the merchant's server; fast
Cons: not for microtransactions
SET Participants
Dual Signature
$DS = E_{KR_c}\big[H\big(H(PI) \,\|\, H(OI)\big)\big]$
where PI is the payment information (for the bank), OI the order information (for the merchant), H a hash function, and $E_{KR_c}$ encryption (signing) with the customer's private key. The merchant receives OI together with H(PI); the bank receives PI together with H(OI); each can verify DS without seeing the other party's data.
Payment processing
Payment Authorization:
Authorization Request
Authorization Response
Payment Capture:
Capture Request
Capture Response
Electronic Cheques
Leverages the check payments system, a core
competency of the banking industry.
Fits within current business practices
Works like a paper check does but in pure
electronic form, with fewer manual steps.
Can be used by all bank customers who have
checking accounts
Different from Electronic fund transfers
Anonymous payments (figure: customer, bank, merchant)
1. Withdraw money: the bank issues cryptographically encoded tokens.
2. Transform the tokens so the merchant can check validity but the customer's identity stays hidden.
3. Send the token to the merchant after adding the merchant's identity.
4. The merchant checks validity and sends the goods.
5. The merchant deposits the token at the bank. If it was double-spent, the bank reveals the identity and notifies the police.
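The two signature constructions in this part of the slides, the SET dual signature (the DS formula above) and the blinded token of steps 1 and 2 of the anonymous-payment figure, share one piece of machinery, so both are shown in a single added example that is not code from the slides, from SET, or from DigiCash. The RSA here is textbook RSA over a 512-bit modulus with no padding, generated on the fly so the block runs offline; that is enough to show the structure and is not a production signature scheme. The sample PI/OI strings and token serials are constructed, and the identity-revealing double-spend detection of step 5 (which needs a more elaborate token format) is not implemented.

```python
import hashlib
import math
import secrets

# --- toy RSA (textbook, no padding): enough to show the two structures, not for real use ---

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1     # force top bit and oddness
        if _is_probable_prime(c):
            return c


def rsa_keygen(bits: int = 512):
    """Return (public, private) as ((e, n), (d, n)); a 512-bit modulus keeps the example fast."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def H(data: bytes) -> int:
    """SHA-256 as an integer: 256 bits, so always below the 512-bit modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


# --- SET dual signature: DS = E_KRc[H(H(PI) || H(OI))] ---

def dual_sign(pi: bytes, oi: bytes, customer_priv):
    """Customer signs the hash of the two digests; returns (DS, PIMD, OIMD)."""
    d, n = customer_priv
    pimd, oimd = hashlib.sha256(pi).digest(), hashlib.sha256(oi).digest()
    return pow(H(pimd + oimd), d, n), pimd, oimd


def merchant_verifies(oi: bytes, pimd: bytes, ds: int, customer_pub) -> bool:
    """Merchant has OI in clear and only PIMD, so it never sees the card details."""
    e, n = customer_pub
    return pow(ds, e, n) == H(pimd + hashlib.sha256(oi).digest())


def bank_verifies(pi: bytes, oimd: bytes, ds: int, customer_pub) -> bool:
    """Bank has PI in clear and only OIMD, so it never sees what was bought."""
    e, n = customer_pub
    return pow(ds, e, n) == H(hashlib.sha256(pi).digest() + oimd)


# --- Chaum RSA blind signature: the anonymous-token withdrawal (steps 1 and 2 above) ---

def blind(token: bytes, bank_pub):
    """Customer hides the token serial under a random factor r before handing it to the bank."""
    e, n = bank_pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return (H(token) * pow(r, e, n)) % n, r


def bank_signs_blinded(blinded: int, bank_priv) -> int:
    """Bank signs what it cannot read (and debits the account for one token)."""
    d, n = bank_priv
    return pow(blinded, d, n)


def unblind(blinded_sig: int, r: int, bank_pub) -> int:
    """Customer strips r; the result is the bank's plain signature on H(token)."""
    e, n = bank_pub
    return (blinded_sig * pow(r, -1, n)) % n


def token_is_valid(token: bytes, sig: int, bank_pub) -> bool:
    """Merchant (step 4) or bank (step 5) checks the bank's signature on the serial; the bank never
    saw this serial at withdrawal time, so it cannot link the token to the customer."""
    e, n = bank_pub
    return pow(sig, e, n) == H(token)
```

The useful observation is that unblind() yields exactly pow(H(token), d, n), the signature the bank would have produced on the serial directly, even though the bank only ever saw the blinded value.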
Micropayments on hyperlinks
Micropayments: NetBill
Customer & merchant have account with NetBill server
Protocol:
Customer request quote from merchant, gets quote and
accepts
Merchant sends goods encrypted by key K
Customer prepares & signs Electronic Purchase Order having
<price, crypto-checksum of goods>
Merchant countersigns EPO, signs K and sends both to
NetBill server
NetBill verifies signatures and transfers funds, stores K and
crypto-checksum and
NetBill sends receipt to merchant and K to customer
Micropayment systems (figure)
Payment system: unique code
Millicent: mcent
IBM payment system: mpay
Micrommerce: microm
Smartcards
8-bit micro, < 5MHz, < 2k RAM, 20k ROM
Download electronic money on a card: wallet on a
card
Efficient, secure, paperless, intuitive and speedy
Real and virtual stores accept them
Less susceptible to net attacks since disconnected
Has other uses spanning many industries, from
banking to health care
Mondex
Smart card based sales and card to card transfers
Money is secured through a password and
transactions are logged on the card
Other operation and features similar to traditional
debit cards
Card signs transaction: so no anonymity
Need card reader everywhere
Available only in prototypes
Version rollback, continued: SSL 3.0 also defends against this attack by having the last handshake message (Finished) include a hash of all the previous handshake messages, so a message altered in transit makes the two sides' hashes disagree and the handshake fails.
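Both rollback defenses, the version number embedded in the secret (from the Chosen-Protocol Attacks slide) and the Finished message covering a hash of the whole handshake (above), in one added example that is not code from the slides. It uses the TLS 1.2 form of these checks (RFC 5246: the premaster secret starts with the client's offered version, and verify_data = PRF(master_secret, label, Hash(handshake_messages))), which generalises the SSL 3.0 mechanism the slides describe. The handshake is simulated with simplified Hello bytes, and the RSA encryption of the premaster secret is omitted: the premaster is handed to the server directly, which is the only simplification.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, nbytes: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5: HMAC chained over A(i)."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < nbytes:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:nbytes]


def prf(secret: bytes, label: bytes, seed: bytes, nbytes: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, nbytes)


def make_premaster(offered_version: bytes) -> bytes:
    """RSA premaster secret: the version the client OFFERED in ClientHello, then 46 random bytes."""
    return offered_version + os.urandom(46)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    return prf(premaster, b"master secret", client_random + server_random, 48)


def finished_verify_data(ms: bytes, label: bytes, transcript: bytes) -> bytes:
    """verify_data = PRF(master_secret, finished_label, Hash(all handshake messages))[0:12]."""
    return prf(ms, label, hashlib.sha256(transcript).digest(), 12)


def simulate_handshake(attacker_downgrades: bool) -> dict:
    """Client offers TLS 1.2 (3,3); an attacker in the middle may rewrite that to 3,1 (TLS 1.0).
    Returns which of the two rollback checks pass."""
    offered = b"\x03\x03"
    client_random, server_random = os.urandom(32), os.urandom(32)
    client_hello = offered + client_random                       # simplified ClientHello bytes
    wire_hello = (b"\x03\x01" if attacker_downgrades else offered) + client_random
    server_version = wire_hello[:2]                              # server picks what it was offered
    server_hello = server_version + server_random

    premaster = make_premaster(offered)                          # encrypted to the server in reality
    # Check 1: version inside the decrypted premaster must equal the ClientHello version the server saw
    premaster_version_ok = premaster[:2] == server_version

    ms = master_secret(premaster, client_random, server_random)
    client_transcript = client_hello + server_hello              # what the client actually sent/received
    server_transcript = wire_hello + server_hello                # what the server actually received/sent
    client_finished = finished_verify_data(ms, b"client finished", client_transcript)
    expected_by_server = finished_verify_data(ms, b"client finished", server_transcript)
    # Check 2: Finished covers a hash of every handshake message, so a tampered ClientHello is caught
    finished_ok = hmac.compare_digest(client_finished, expected_by_server)
    return {"premaster_version_ok": premaster_version_ok, "finished_ok": finished_ok}


if __name__ == "__main__":
    print(simulate_handshake(False))   # both checks pass
    print(simulate_handshake(True))    # both checks fail
```

The caveat a practitioner should keep in mind: both checks only catch a version change made by an attacker. They do nothing when a client voluntarily retries with a lower version after a failed connection, which is why TLS_FALLBACK_SCSV (RFC 7507) and, in TLS 1.3, the downgrade sentinel in ServerHello.random were added later.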
Problem Free?
Side-channel attack discovered at the Swiss Federal Institute of Technology in Lausanne (EPFL): timing differences between a server's handling of bad CBC padding and of a bad MAC let an attacker recover a password sent inside the SSL/TLS channel (Canvel, Hiltgen, Vaudenay and Vuagnoux, 2003).
http://www.newsfactor.com/perl/story/20843.html
SSL Attacks: sslstrip, Slowloris and scary SSL attacks
sslstrip: steals passwords from mixed-mode Web login pages
Slowloris: denial of service that stops Apache Web servers
Scary SSL attacks: ways to completely fool browsers
sslstrip
How the top user-generated-content sites handled logins at the time (HTTPS: login over TLS; HTTP: login in the clear; MIXED: HTTP page with an HTTPS login form):
1. YouTube: HTTPS
2. Wikipedia: HTTP
3. Craigslist: HTTPS
4. Photobucket: HTTP
5. Flickr: HTTPS
6. WordPress: MIXED
7. Twitter: MIXED
8. IMDB: HTTPS
9. Digg: HTTP
10. eHow: HTTPS
11. TypePad: HTTPS
12. topix: HTTP
13. LiveJournal: obfuscated HTTP
14. deviantART: MIXED
15. Technorati: HTTPS
From http://www.ebizmba.com/articles/user-generated-content
Password stealing, by attacker effort
Easy: Wall of Sheep (sniffing credentials sent in the clear)
Medium: sslstrip
Hard: spoofing certificates
Mixed Mode
An HTTP page with an HTTPS logon button: the page itself arrives over HTTP, only the form submission is meant to go to HTTPS (figure: target using Facebook, HTTP on the target's side, HTTPS towards the Internet).
Attacker: sslstrip proxy in the middle
The attacker sits between the target and the Internet (figure): the target's browser talks plain HTTP to the proxy, the proxy talks HTTPS to the real site and rewrites every https:// link in the responses to http://, so the logon button never reaches TLS and the password crosses the wire in the clear.
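The rewriting the proxy in the figure performs, as an added example that is not sslstrip's own code: each HTTPS response from the real site is downgraded before it is relayed to the victim, the proxy remembers which URLs it downgraded so that it fetches those over TLS itself, and a final function shows why HSTS defeats the attack. The response headers and body are constructed sample data; the handling of Location, Set-Cookie and Strict-Transport-Security is what such a proxy must do, written here from scratch.

```python
import re

# Absolute https:// URLs as they appear in HTML or JS: stop at whitespace, quotes or brackets
HTTPS_URL = re.compile(rb"https://[^\s\"'<>()]+")


class StripState:
    """What the proxy must remember: URLs it downgraded, so it knows to fetch them over TLS itself."""
    def __init__(self):
        self.stripped = set()


def strip_response(state: StripState, headers: dict, body: bytes):
    """Rewrite one HTTPS response from the real site before relaying it to the victim over plain HTTP.
    Returns (new_headers, new_body)."""
    new_headers = {}
    for name, value in headers.items():
        key = name.lower()
        if key == "strict-transport-security":     # HSTS would make the browser refuse plain HTTP later
            continue
        if key == "location" and value.lower().startswith("https://"):
            state.stripped.add(value)               # a redirect to HTTPS becomes a redirect to HTTP
            value = "http://" + value[len("https://"):]
        if key == "set-cookie":                     # a Secure cookie would never be sent over HTTP
            value = re.sub(r";\s*secure\b", "", value, flags=re.IGNORECASE)
        new_headers[name] = value

    def downgrade(match):
        url = match.group(0)
        state.stripped.add(url.decode("ascii", "replace"))
        return b"http://" + url[len(b"https://"):]

    return new_headers, HTTPS_URL.sub(downgrade, body)


def upstream_url(state: StripState, requested: str) -> str:
    """When the victim later requests an http:// URL the proxy downgraded, fetch the real https:// one."""
    if not requested.startswith("http://"):
        return requested
    candidate = "https://" + requested[len("http://"):]
    return candidate if candidate in state.stripped else requested


def browser_would_send_plain_http(hsts_hosts: set, url: str) -> bool:
    """The defence: a browser with HSTS for the host (preloaded, or remembered from an earlier
    genuine HTTPS visit) never emits the http:// request, so the proxy has nothing to strip."""
    host = url.split("://", 1)[1].split("/", 1)[0].lower()
    return url.startswith("http://") and host not in hsts_hosts
```

Note that the victim sees no certificate warning at all, which is what makes this "medium" rather than "hard": the only TLS connection in the picture is the proxy's own, and it is perfectly valid.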
ARP Poisoning (figures)
Normal operation: the client broadcasts an ARP request for the gateway's IP address and the gateway answers with an ARP reply giving its MAC address; traffic to Facebook.com then flows client to gateway to Facebook.com.
Poisoned: the attacker sends unsolicited ARP replies to the client ("I am the gateway"); the client's traffic to Facebook now goes to the attacker, who forwards it, altered (for example by sslstrip), to the real gateway.
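The detection side of the figure, as an added example that is not code from the slides or from any IDS: a parser for Ethernet/ARP frames and a watcher that keeps the IP-to-MAC bindings seen in replies and raises an alert when a known address (such as the gateway) suddenly claims a new MAC, or when the Ethernet source and the ARP sender disagree. The frames are constructed locally by build_arp_reply so the block runs offline; the gateway and attacker MAC addresses used to exercise it are invented for the example.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = b"\x08\x06"
ARP_REPLY = 2


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed Ethernet+ARP reply frame, used here only to generate sample traffic offline."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)     # Ethernet, IPv4, hlen 6, plen 4, reply
    arp += _mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += _mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not a well-formed IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "eth_src": _mac_str(frame[6:12]),
        "sender_mac": _mac_str(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_mac": _mac_str(frame[32:38]),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


class ArpWatch:
    """Tracks IP -> MAC bindings seen in ARP replies and alerts when one changes."""
    def __init__(self, trusted=None):
        self.table = dict(trusted or {})      # seed with known bindings, e.g. the gateway

    def observe(self, frame: bytes):
        """Feed one frame; returns an alert string or None."""
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if pkt["eth_src"] != mac:             # Ethernet source and ARP sender hardware address should agree
            return f"ALERT: ARP sender {mac} for {ip} inside a frame from {pkt['eth_src']}"
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return None
        if known != mac:
            return f"ALERT: {ip} moved from {known} to {mac} (possible ARP poisoning)"
        return None
```

On a real segment the watcher would be fed from a raw socket or a pcap; the point is that the attacker's "I am the gateway" replies are visible to every host on the segment, including a monitor, because ARP has no authentication to hide behind.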
Demonstration
Slowloris
Slowloris sends partial HTTP GET requests and keeps each connection open by trickling in another header line now and then, so the server's connection slots fill up with requests that never complete. It is a layer 7 (application) denial of service.
OSI model, denial of service by layer (figure): 7 Application (Slowloris), 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical (cut a cable).
Demonstration
Demonstration (figure): the target uses https://gmail.com; the attacker, in the middle, uses Cain to present a fake SSL certificate, and the browser shows a certificate warning.
Warning Message: Certificate Errors
The message indicates that the certificate could not be validated against a trusted Certificate Authority (or that its name or dates do not match).
BUT a lot of innocent problems cause those messages:
Incorrect date settings on the client
Name changes as companies are acquired
so users learn to click through, which is exactly what the fake-certificate attack relies on.
Impersonating Verisign
Link SSL-2
Countermeasures
Verisign announced its intent to replace MD5 hashes (presumably with SHA hashes) in certificates issued after January 2009. The attack behind this: MD5 chosen-prefix collisions let researchers obtain a rogue intermediate CA certificate from an MD5-signing commercial CA in December 2008.
Earlier, vulnerable certificates would be replaced only if the customer requested it.
Link SSL-4
CA in an Untrustworthy Nation
Link SSL-8
Link SSL-10
Thank You
Kulo.tn@auist.net