More on SSL/TLS

daughterinsectAI and Robotics

Nov 21, 2013

Internet security: TLS

- TLS is one of the more prominent internet security protocols.
- Transport-level, on top of TCP
- Good example of practical application of cryptography
- End-to-end protocol: it secures communication from originating client to intended server destination
  - No need to trust intermediaries
- Has an API which is similar to the “socket” interface used for normal network programming.
  - So fairly easy to use.

Threats

- Eavesdropping?
  - Encrypts communication
- Manipulation (such as injection or MITM attacks)?
  - Guarantees integrity through use of a MAC
  - (Also avoids replay attacks this way)
- Impersonation?
  - Uses signatures
- Availability?
  - Well, no. (This is the internet.)

SSL/TLS

- SSL = Secure Sockets Layer (the old version)
- TLS = Transport Layer Security (current standard)
- Terms are often used interchangeably at this point
- Big picture: Add security to ANY application that uses TCP

[Figure: SSL/TLS in network layering. Left stack: Application (7), Transport (4), (Inter)Network (3), Link (2), Physical (1). Right stack: Application (7), SSL/TLS, Transport (TCP) (4), (Inter)Network (3), Link (2), Physical (1). SSL/TLS sits between the application and TCP.]

Normal web browsing

[Figure: screenshot of regular web surfing over an http: URL, captioned “But if we click here...”]

TLS adds the “s” to https

[Figure: screenshot of web surfing with TLS/SSL over an https: URL. Note: Amazon makes sure that all of these images, etc., are now also fetched via https: URLs. Doing so gives the web page full integrity, in keeping with end-to-end security. (Browsers do not provide this promotion automatically.)]
How connection starts

- The client (browser) connects via TCP to the https server
- Client picks a 256-bit random number R_B and sends it along with a list of the crypto options it supports
- Server then picks a 256-bit random number R_S and picks the protocol
- Server sends certificate
- Client must then validate the certificate
- Note: all of this is in cleartext

[Figure: HTTPS connection (SSL/TLS). Browser (client) connects via TCP to Amazon's HTTPS server (SYN, SYN ACK, ACK). Client picks 256-bit random number R_B, sends over list of crypto protocols it supports: “Hello. My rnd # = R_B. I support (TLS+RSA+AES128+SHA1) or (SSL+RSA+3DES+MD5) or ...”. Server picks 256-bit random number R_S, selects protocols to use for this session: “My rnd # = R_S. Let's use TLS+RSA+AES128+SHA1. Here's my cert” (~2-3 KB of data). Server sends over its certificate (all of this is in the clear). Client now validates cert.]
Next:

- Assuming RSA is chosen, the client next constructs a longer (368-bit) “premaster secret” PS
- The value PS is encrypted using the server’s public key
- Then using PS, R_B, and R_S, both sides can derive symmetric keys and MAC integrity keys (two pairs, one for each direction)
- Actually, these 3 values seed a pseudo-random number generator, which allows client and server to repeatedly query

[Figure: HTTPS connection (SSL/TLS), cont'd. For RSA, browser constructs long (368 bits) Premaster Secret PS. Browser sends PS encrypted using Amazon's public RSA key K_Amazon, shown as {PS}K_Amazon. Using PS, R_B, and R_S, browser & server derive symm. cipher keys (C_B, C_S) & MAC integrity keys (I_B, I_S); one pair to use in each direction. Both ends now hold PS.]
And final bits…

- The client and server exchange MACs computed over the dialog so far
- If it’s a good MAC, you see the little lock in your browser
- All traffic is now encrypted with a symmetric protocol (generally AES)
- Messages are also numbered to stop replay attacks

[Figure: HTTPS connection (SSL/TLS), cont'd. After {PS}K_Amazon, browser & server exchange MACs computed over the entire dialog so far: MAC(dialog, I_B) from the browser, MAC(dialog, I_S) from the server. If good MAC, browser displays the lock. All subsequent communication encrypted w/ symmetric cipher (e.g., AES128) cipher keys, MACs: browser sends {M1, MAC(M1, I_B)}C_B, server sends {M2, MAC(M2, I_S)}C_S. Messages also numbered to thwart replay attacks.]
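The key derivation from (PS, R_B, R_S) and the numbered, MAC-protected records from the “Next:” and “And final bits” slides, as an added example that is not part of the original deck. An HMAC-SHA256 PRF stands in for the deck's pseudo-random number generator and an HMAC keystream XOR stands in for AES128 so the script needs only the Python standard library; the 46-byte PS matches the 368 bits quoted above, and the message, randoms and key labels are constructed.

```python
import hashlib
import hmac
import secrets

def prf(secret: bytes, label: bytes, seed: bytes, n: int) -> bytes:
    """Stretch a secret into n bytes by iterated HMAC-SHA256 (TLS 1.2-style P_hash)."""
    out, a = b"", label + seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:n]

def derive_keys(ps: bytes, r_b: bytes, r_s: bytes) -> dict:
    """Both ends run this on (PS, R_B, R_S) and obtain the same four keys."""
    block = prf(ps, b"key expansion", r_b + r_s, 4 * 16)
    return {"C_B": block[0:16], "I_B": block[16:32],    # browser -> server
            "C_S": block[32:48], "I_S": block[48:64]}   # server -> browser

def keystream(c_key: bytes, seq: int, n: int) -> bytes:
    # Toy stand-in for AES128: a per-record HMAC keystream XORed into the data.
    return prf(c_key, b"record", seq.to_bytes(8, "big"), n)

def protect(msg: bytes, seq: int, c_key: bytes, i_key: bytes) -> bytes:
    """{M, MAC(seq || M, I)}_C: MAC over the record number and message, then encrypt."""
    tag = hmac.new(i_key, seq.to_bytes(8, "big") + msg, hashlib.sha256).digest()
    plain = msg + tag
    return bytes(p ^ k for p, k in zip(plain, keystream(c_key, seq, len(plain))))

def unprotect(rec: bytes, seq: int, c_key: bytes, i_key: bytes):
    """Return the message, or None if the MAC fails (tampering, wrong key or replay)."""
    plain = bytes(r ^ k for r, k in zip(rec, keystream(c_key, seq, len(rec))))
    msg, tag = plain[:-32], plain[-32:]
    expect = hmac.new(i_key, seq.to_bytes(8, "big") + msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(tag, expect) else None

def demo():
    """Constructed session: fresh PS, R_B, R_S; one browser record, then a replay and a tamper."""
    ps, r_b, r_s = secrets.token_bytes(46), secrets.token_bytes(32), secrets.token_bytes(32)
    browser, server = derive_keys(ps, r_b, r_s), derive_keys(ps, r_b, r_s)
    rec = protect(b"GET /cart HTTP/1.1", 0, browser["C_B"], browser["I_B"])
    accepted = unprotect(rec, 0, server["C_B"], server["I_B"])     # server expects record 0
    replayed = unprotect(rec, 1, server["C_B"], server["I_B"])     # same bytes again: now expects 1
    flipped = rec[:5] + bytes([rec[5] ^ 0x01]) + rec[6:]           # one bit of ciphertext changed
    tampered = unprotect(flipped, 0, server["C_B"], server["I_B"])
    return accepted, replayed, tampered
```

The replayed copy fails because the receiver's record counter has moved on, so the MAC no longer matches; the flipped record fails because the MAC covers every plaintext byte.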
Or, with Diffie-Hellman

- Server instead generates a random a, and sends g^a mod p
  - Signed with server’s public key
- Client verifies and then generates b and sends the value g^b mod p over
- Both sides can then compute PS = g^ab mod p
- Communication is then the same
  - from PS, R_B, and R_S, both sides get cipher keys and integrity keys.

[Figure: Alternative: key exchange via Diffie-Hellman. For Diffie-Hellman, server generates random a, sends public params and g^a mod p; signed with server's public key, shown in the diagram as {g, p, g^a mod p} K^-1_Amazon and sent alongside “Here's my cert” (~2-3 KB of data). Browser verifies signature. Browser generates random b, computes PS = g^ab mod p, sends g^b mod p to server. Server also computes PS = g^ab mod p. Remainder is as before: from PS, R_B, and R_S, browser & server derive symm. cipher keys (C_B, C_S) and MAC integrity keys (I_B, I_S), etc.: MAC(dialog, I_B), MAC(dialog, I_S), {M1, MAC(M1, I_B)}C_B.]
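The Diffie-Hellman variant above, as an added example that is not part of the original deck, including the check a client should make on the received g^a mod p value before using it. The group (p = 2^61 - 1, g = 3) is a constructed toy, the exponents and dictionary keys are constructed, and the signature over the server's parameters is assumed to have been verified before client_reply runs.

```python
import secrets

# Constructed toy group: p = 2^61 - 1 (prime) and g = 3. Real deployments use
# 2048-bit or larger groups (e.g. RFC 7919), not this.
P, G = 2**61 - 1, 3

def check_public_value(y: int, p: int) -> bool:
    """Reject 0, 1 and p-1: those force PS into a tiny set whatever the secret is."""
    return 1 < y < p - 1

def server_hello(a: int = None, p: int = P, g: int = G):
    """Server picks random a, keeps it, and publishes (g, p, g^a mod p) for signing."""
    if a is None:
        a = secrets.randbelow(p - 2) + 1             # 1 <= a <= p-2
    return a, {"g": g, "p": p, "ga": pow(g, a, p)}

def client_reply(params: dict, b: int = None):
    """Client checks the (already signature-verified) value, picks b, derives PS."""
    p, g = params["p"], params["g"]
    if not check_public_value(params["ga"], p):
        raise ValueError("degenerate server DH value")
    if b is None:
        b = secrets.randbelow(p - 2) + 1
    return pow(g, b, p), pow(params["ga"], b, p)     # (g^b mod p to send, PS)

def server_finish(a: int, gb: int, p: int = P) -> int:
    """Server applies the same check to the client's value, then gets PS = (g^b)^a."""
    if not check_public_value(gb, p):
        raise ValueError("degenerate client DH value")
    return pow(gb, a, p)

def run_exchange(a: int = None, b: int = None):
    """Full exchange; returns (client PS, server PS), which must match."""
    a, params = server_hello(a)
    gb, client_ps = client_reply(params, b)
    return client_ps, server_finish(a, gb)
```

Explicit a and b arguments exist only to make a run reproducible; left at None, both sides draw fresh secrets.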
But wait…

- I glossed over that bit about validating a certificate!
- A certificate is a signed statement about someone else’s public key.
- Note: Doesn’t say anything about who gave you that public key! It just states that a given public key belongs to “Bob”, and verifies this with a digital signature made from a different key pair
  - say from “Alice”
- Bob can then prove who he is when you send him something, since the only way to read it is to BE him
- However, you have to trust Alice! She is basically testifying that this is Bob’s key.

The server’s certificate

- Inside the certificate is:
  - Domain name associated with certificate (such as amazon.com)
  - The public key (e.g. 2048 bits for RSA)
  - A bunch of other info
    - Physical address
    - Type of certificate, etc.
  - Name of certificate’s issuer (often Verisign)
  - Optional URL to revocation center for checking if a certificate has been revoked
  - A public key signature of a hash (SHA-1) of all this, made using the issuer’s private key (we’ll call this S)

How to validate

- The client compares the domain name in the certificate with the URL
- Client accesses a separate certificate belonging to the issuer
  - These are hardwired into the client, so are trusted.
- The client applies the issuer’s public key to verify S and get the hash of what the issuer signed.
  - Then compares it with its own SHA-1 hash of Amazon’s certificate.
- Assume the hashes match; now we have high confidence we are talking to a valid server
  - Assuming that the issuer can be trusted!
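The validation steps above, as an added example that is not part of the original deck. RSA here is textbook RSA over two small constructed primes with no padding, only to show the S = hash^d mod n arithmetic; the CA name, the certificate fields and the trust store are constructed demo data.

```python
import hashlib
import json

def toy_rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes: returns (public, private) as (n, e), (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def cert_hash(fields: dict) -> int:
    """SHA-1 over the certificate body (the hash the slides name), as an integer."""
    body = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha1(body).digest(), "big")

def issue_cert(fields: dict, issuer_priv) -> dict:
    """Issuer signs the body hash with its private key: S = hash^d mod n."""
    n, d = issuer_priv
    return {"fields": fields, "S": pow(cert_hash(fields) % n, d, n)}

def validate(cert: dict, url_host: str, trust_store: dict) -> str:
    """Client-side checks from the slides; returns 'ok' or the reason to refuse."""
    f = cert["fields"]
    if f["domain"] != url_host:                       # 1. domain name vs. URL
        return "domain mismatch"
    issuer = trust_store.get(f["issuer"])             # 2. issuer cert hardwired in client
    if issuer is None:
        return "unknown issuer"
    n, e = issuer
    if pow(cert["S"], e, n) != cert_hash(f) % n:      # 3. recover hash from S, 4. compare
        return "bad signature"
    return "ok"

# Constructed demo data: a toy CA (small primes) and a server cert it issued.
CA_PUB, CA_PRIV = toy_rsa_keypair(1000003, 1000033)
TRUST_STORE = {"Toy CA": CA_PUB}
SERVER_CERT = issue_cert({"domain": "amazon.com", "issuer": "Toy CA",
                          "public_key": "<server key, placeholder>"}, CA_PRIV)
```

A certificate whose body was altered after signing, whose issuer is not in the trust store, or whose domain does not match the URL is refused before any key in it is used.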

What can we catch?

- If attacker captures our traffic (maybe using a wifi sniffer and breaking our inadequate WEP security protocol)
  - No problem: communication is encrypted by us.
- What about DNS cache poisoning?
  - No problem: client goes to wrong server, but is able to detect the impersonation.
- What if the attacker hijacks connection and injects new traffic (MITM style)?
  - No problem: they can’t read our traffic, so can’t really inject! Can’t even do a replay.
- And so on
  - this blocks most common attacks.

But what if we can’t get a certificate?

No certificate found

- Well, if one is not found, most browsers will warn the user that the connection is unverified.
- You can still proceed
  - but authentication is missing from the protocol now!
- What security do we still have here?
  - We lose everything! The attacker who hijacked can read, modify, and impersonate.
  - Note that OTHER attackers are still blocked, but the other end is not verified here.

Some limitations

- Cost of public-key cryptography: Takes non-trivial CPU processing (fairly minor)
- Hassle of buying and maintaining certificates (again fairly minor these days)
- DoS amplification: The client can effectively force the server to do public key operations.
- Need to integrate with other sites not using HTTPS.
- Latency (the real issue):
  - Extra round trips mean pages take longer to load.

Additional limitations

- TCP level denial of service can still be an issue
  - SYN flooding
  - RST injection
  - Etc.
- SQL injection or XSS or server side code issues are still a potential problem.
- Other vulnerabilities in the browser code.
- Any flaws in crypto protocols.
- User flaws (the big one): weak passwords, phishing, etc.

Example:

[Figure: screenshot of regular web surfing over an http: URL. So no integrity: a MITM attacker can alter pages returned by the server. And when we click here... the attacker has changed the corresponding link so that it's ordinary http rather than https! We never get a chance to use TLS's protections! :-( (sslstrip attack)]
[Six screenshot-only slides follow, titled “Another:”, “Another:”, “Cont:”, “Next:”, “And:” and “And finally, OK:”; their images did not survive extraction.]

What do most users see?

[Figure: screenshot of a certificate warning dialog]

- Note: This is a real Windows message!
- Far too many just click “yes”.

[Figure: “The equivalent as seen by most Internet users” (note: an actual Windows error message!)]