8 Transport Layer Security


ITA, 2.11.2011, 8-TLS.pptx 1

Internet Security 1 (IntSi1)

Prof. Dr. Andreas Steffen

Institute for Internet Technologies and Applications (ITA)

8 Transport Layer Security (TLS)

TLS Session Example

TLS Market Share of Certification Authorities 2010

Source: Netcraft Ltd, https://ssl.netcraft.com/ssl-sample-report/CMatch/certs

Secure Network Protocols for the OSI Stack

Communication layer    Security protocols
Application layer      ssh, S/MIME, PGP, Kerberos, WSS
Transport layer        TLS, [SSL]
Network layer          IPsec
Data Link layer        [PPTP, L2TP], IEEE 802.1X, IEEE 802.1AE, IEEE 802.11i (WPA2)
Physical layer         Quantum Cryptography

TLS/SSL Protocol Layers

Insecure transport layer:            Secure transport layer:
  Application                          Application
  Sockets                              TLS (fragmentation, compression, authentication, encryption)
  TCP                                  TCP
  IP                                   IP

TLS Record Protocol

Handshake | ChangeCipherSpec | Alert | Application Data      (messages)
TLS Record Protocol                                           (records)
TCP Transport Protocol                                        (stream)
IP Network Protocol                                           (packets)

TLS Record Structure

TCP Header | Record Header (5 bytes) | Record Body
Record Body = [Compressed] Data | MAC | Padding      (n * block cipher size)

Application data is fragmented into segments, each carried in its own record:
Application Data (Segment 1)  ->  Record Header | Encrypted Data
Application Data (Segment 2)  ->  Record Header | Encrypted Data

TLS Handshake Protocol

Client                                Server
ClientHello (R_C)               -->
                                <--   ServerHello (R_S)
                                <--   Certificate*
                                <--   ServerKeyExchange*
                                <--   CertificateRequest*
                                <--   ServerHelloDone
Certificate*                    -->
ClientKeyExchange               -->
CertificateVerify*              -->
ChangeCipherSpec                -->
Finished°                       -->
                                <--   ChangeCipherSpec
                                <--   Finished°
Application Data°               <-->  Application Data°

* optional   ° encrypted

Resuming a TLS Session

Client                                Server
ClientHello (R_C)               -->
                                <--   ServerHello (R_S)
                                <--   ChangeCipherSpec
                                <--   Finished°
ChangeCipherSpec                -->
Finished°                       -->
Application Data°               <-->  Application Data°

° encrypted
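As an added example (it is not part of the original slides), the following Python code shows the record and handshake layering of the two previous figures in working form: it builds constructed ClientHello and ServerHello messages, wraps them in 5-byte TLS record headers, splits a TCP byte stream back into records, reassembles a handshake message that was fragmented across two records, and decides from the ServerHello whether the server accepted the abbreviated resumption handshake (the server echoes the client's non-empty session ID instead of sending Certificate, ServerKeyExchange and ServerHelloDone). The session ID, the cipher-suite list and the random values are constructed sample data; handshake extensions are omitted.

```python
import os
import struct

CONTENT_HANDSHAKE = 22          # record content types: 20 ChangeCipherSpec,
                                # 21 Alert, 22 Handshake, 23 ApplicationData
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2
TLS_1_0 = (3, 1)                # TLS 1.0 is "SSL 3.1" on the wire
MAX_RECORD = 2 ** 14 + 2048     # largest ciphertext fragment a record may carry


def wrap_record(content_type, version, payload):
    """Prepend the 5-byte record header: type(1) | version(2) | length(2)."""
    return bytes([content_type, *version]) + struct.pack(">H", len(payload)) + payload


def build_hello(msg_type, version, session_id, cipher_suites, random=None):
    """Constructed ClientHello (type 1) or ServerHello (type 2), no extensions."""
    random = random if random is not None else os.urandom(32)       # R_C or R_S
    body = bytes(version) + random + bytes([len(session_id)]) + session_id
    if msg_type == HS_CLIENT_HELLO:
        suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
        body += struct.pack(">H", len(suites)) + suites + b"\x01\x00"  # compression: [null]
    else:
        body += struct.pack(">H", cipher_suites[0]) + b"\x00"          # chosen suite, null
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body     # 4-byte handshake header


def split_records(stream):
    """Cut a TCP byte stream into (type, version, fragment) records.
    Returns the complete records and the unconsumed tail (a partial record)."""
    records, pos = [], 0
    while len(stream) - pos >= 5:
        ctype, major, minor, length = struct.unpack(">BBBH", stream[pos:pos + 5])
        if length > MAX_RECORD:
            raise ValueError("record length %d exceeds TLS maximum" % length)
        if len(stream) - pos - 5 < length:
            break                                   # rest of the record not yet received
        records.append((ctype, (major, minor), stream[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return records, stream[pos:]


def parse_hello(msg):
    """Decode the fields shared by ClientHello and ServerHello."""
    mtype, body = msg[0], msg[4:]
    version, rnd, sid_len = (body[0], body[1]), body[2:34], body[34]
    sid, p = body[35:35 + sid_len], 35 + sid_len
    hello = {"type": mtype, "version": version, "random": rnd, "session_id": sid}
    if mtype == HS_CLIENT_HELLO:
        n = struct.unpack(">H", body[p:p + 2])[0]
        hello["cipher_suites"] = [struct.unpack(">H", body[i:i + 2])[0]
                                  for i in range(p + 2, p + 2 + n, 2)]
    elif mtype == HS_SERVER_HELLO:
        hello["cipher_suite"] = struct.unpack(">H", body[p:p + 2])[0]
    return hello


def handshake_messages(records):
    """Reassemble handshake messages: one message may span several records and
    one record may carry several messages, so buffer across fragments."""
    buf, messages = b"", []
    for ctype, _, frag in records:
        if ctype != CONTENT_HANDSHAKE:
            continue
        buf += frag
        while len(buf) >= 4:
            mlen = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + mlen:
                break                               # need the next record fragment
            messages.append(parse_hello(buf[:4 + mlen]))
            buf = buf[4 + mlen:]
    return messages


def is_resumption(client_hello, server_hello):
    """Abbreviated handshake: the server echoes the client's non-empty session ID."""
    sid = client_hello["session_id"]
    return len(sid) > 0 and server_hello["session_id"] == sid


def demo():
    """Constructed exchange: a ClientHello fragmented over two records, then a
    ServerHello that resumes the session. Returns (messages, resumed)."""
    sid = bytes(range(32))                                      # constructed session ID
    ch = build_hello(HS_CLIENT_HELLO, TLS_1_0, sid, [0x002F, 0x0035, 0x0005])
    sh = build_hello(HS_SERVER_HELLO, TLS_1_0, sid, [0x002F])   # TLS_RSA_WITH_AES_128_CBC_SHA
    stream = (wrap_record(CONTENT_HANDSHAKE, TLS_1_0, ch[:20])
              + wrap_record(CONTENT_HANDSHAKE, TLS_1_0, ch[20:])
              + wrap_record(CONTENT_HANDSHAKE, TLS_1_0, sh))
    records, _tail = split_records(stream)
    msgs = handshake_messages(records)
    return msgs, is_resumption(msgs[0], msgs[1])


if __name__ == "__main__":
    msgs, resumed = demo()
    print("messages:", [m["type"] for m in msgs], "resumed:", resumed)
```

The length check in `split_records` matters in practice: the record length field is attacker-controlled input, and a parser that trusts it blindly allocates or reads whatever the peer claims.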

Implemented SSL/TLS Protocol Versions

SSL - Secure Sockets Layer Version 2.0
- Initially developed by Netscape
- SSL 2.0 is vulnerable to man-in-the-middle attacks, leading e.g. to the negotiation of weak encryption keys
- SSL 2.0 should not be used anymore

SSL - Secure Sockets Layer Version 3.0
- Internet Draft authored by Netscape, November 1996
- Supported by all browsers
- Vulnerable to the BEAST Cipher-Block-Chaining (CBC) attack

TLS - Transport Layer Security Version 1.0 (SSL 3.1)
- IETF RFC 2246, January 1999
- TLS 1.0 is not backwards compatible with SSL 3.0 (differences in MAC computation and in the PRF function used for the master_secret and the key material)
- Supported by all browsers
- Vulnerable to the BEAST Cipher-Block-Chaining (CBC) attack

BEAST - Browser Exploit Against SSL/TLS

Authors
- Thai Duong and Juliano Rizzo presented their exploit on September 23, 2011 at the 7th ekoparty Security Conference in Buenos Aires.

Exploit
- The exploit uses a chosen-plaintext attack on the Cipher-Block-Chaining (CBC) encryption weakness of SSL 3.0 and TLS 1.0 (the IV of each record is the last ciphertext block of the previous record and is therefore predictable), which has been known since 2001 and was fixed by TLS 1.1 in 2006.

Approach
- The BEAST JavaScript code running in a browser decrypts encrypted cookies sent via HTTPS within a couple of seconds.

Fix
- Temporary workaround: configure HTTPS web servers to prefer stream ciphers (e.g. the rather outdated RC4 algorithm), which have no CBC chaining to exploit
- Migration of HTTPS web servers and browsers to TLS 1.1 or 1.2.

Latest TLS Protocol Versions

TLS - Transport Layer Security Version 1.1 (SSL 3.2)
- IETF RFC 4346, April 2006
- Protection against CBC attacks (Serge Vaudenay, EPFL, 2004):
  - The implicit Initialization Vector (IV) is replaced with an explicit IV sent with each record, so the IV can no longer be predicted from the previous record's ciphertext
  - Handling of padding errors is changed to use the bad_record_mac alert rather than decryption_failed, so that an attacker cannot distinguish a padding error from a MAC error.

TLS - Transport Layer Security Version 1.2 (SSL 3.3)
- IETF RFC 5246, August 2008, updated by RFC
- Combined MD5/SHA-1 hash and PRF functions replaced by SHA-256 based default algorithms or cipher-suite specified methods.
- Support of Authenticated Encryption with Additional Data (AEAD) modes (e.g. AES-GCM, accelerated by the Intel AES-NI instruction set)

TLS 1.1 and 1.2 Support
- Windows 7, Windows Server 2008 R2
- GnuTLS library, the OpenSSL 1.0.1 snapshot and strongSwan libtls.
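The following Python simulation is an added example, not code from the slides or from the BEAST authors. It shows the cryptographic core of the BEAST attack described on the previous slide and the effect of the explicit-IV fix in TLS 1.1: a CBC record layer (MAC, then padding, then encryption, as in the record structure figure) either chains the IV from the previous record (SSL 3.0 / TLS 1.0) or sends a fresh random IV with every record (TLS 1.1+). The block cipher is a toy Feistel construction standing in for AES, an assumption made only to keep the code dependency-free; BEAST exploits the chaining, not the cipher, so any deterministic block cipher behaves the same. The attacker model assumes the attacker's script can make the browser send chosen 16-byte plaintexts on the same connection that carries the secret cookie, and can read the IV and ciphertext of every record from the wire (under TLS 1.0 the next IV is the last ciphertext block just observed). The keys and the `sid=...` cookie value are constructed.

```python
import hashlib
import hmac
import os

BLOCK = 16       # block size of AES; CBC suites chain records on this
MAC_LEN = 20     # HMAC-SHA1 as in TLS_RSA_WITH_AES_128_CBC_SHA


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key, block):
    """Stand-in 16-byte block cipher (4-round Feistel, SHA-256 round function).
    Assumption for self-containment only; AES would behave identically here."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


class CbcRecordWriter:
    """Sending side of a CBC record layer: MAC, pad, then encrypt.
    chained_iv=True  models SSL 3.0 / TLS 1.0: the IV of the next record is the
                     last ciphertext block of the previous record (predictable).
    chained_iv=False models TLS 1.1+: a fresh random IV travels with the record."""

    def __init__(self, enc_key, mac_key, chained_iv):
        self.enc_key, self.mac_key, self.chained = enc_key, mac_key, chained_iv
        self.iv = os.urandom(BLOCK)               # initial IV from the key block

    def encrypt(self, data):
        mac = hmac.new(self.mac_key, data, hashlib.sha1).digest()
        pad_len = BLOCK - (len(data) + MAC_LEN) % BLOCK           # 1..16 bytes
        body = data + mac + bytes([pad_len - 1]) * pad_len        # TLS padding: pad_len-1 repeated
        iv = self.iv if self.chained else os.urandom(BLOCK)
        prev, out = iv, b""
        for i in range(0, len(body), BLOCK):
            prev = toy_block_encrypt(self.enc_key, xor(body[i:i + BLOCK], prev))
            out += prev
        self.iv = prev                             # used as next IV only when chained
        return iv, out                             # (IV, ciphertext) as seen on the wire


def beast_recover(send_victim, send_chosen, secret_len):
    """send_victim(prefix): the browser sends prefix || secret over the connection.
    send_chosen(block): the attacker's script makes it send a chosen 16-byte block.
    Both return (iv, ciphertext) as captured from the wire. Recovers the secret
    one byte at a time with at most 256 probe records per byte."""
    known = b""
    for j in range(secret_len):
        r, t = j % BLOCK, j // BLOCK
        prefix = b"A" * (BLOCK - 1 - r)            # align target block: 15 known bytes + 1 unknown
        iv, ct = send_victim(prefix)
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        c_prev, c_target = blocks[t], blocks[t + 1]
        last = ct[-BLOCK:]                         # TLS 1.0: this becomes the next record's IV
        known15 = (prefix + known)[t * BLOCK:t * BLOCK + BLOCK - 1]
        for guess in range(256):
            # E(P' xor IV_next) == E(P_guess xor C_prev) exactly when P_guess == P_target
            probe_plain = xor(xor(known15 + bytes([guess]), c_prev), last)
            _, probe_ct = send_chosen(probe_plain)
            last = probe_ct[-BLOCK:]
            if probe_ct[:BLOCK] == c_target:
                known += bytes([guess])
                break
        else:
            return known                           # no guess matched: the IV was not predictable
    return known


SECRET = b"sid=4a7f9c0e13b2d6e8"                   # constructed 20-byte cookie value


def demo(chained_iv):
    """Run the attack against a TLS 1.0-style (True) or TLS 1.1-style (False) writer."""
    writer = CbcRecordWriter(b"K" * 16, b"M" * 20, chained_iv)
    return beast_recover(lambda prefix: writer.encrypt(prefix + SECRET),
                         writer.encrypt, len(SECRET))


if __name__ == "__main__":
    print("TLS 1.0 (chained IV):  ", demo(True))
    print("TLS 1.1 (explicit IV): ", demo(False))
```

With chained IVs the loop recovers the whole cookie; with explicit random IVs the same loop never sees a matching block and returns empty bytes, which is why the RC4 workaround and the TLS 1.1 migration both stop the attack. The real exploit additionally needed a way to inject the chosen records from the victim's browser (a same-origin restriction bypass) and to control the block boundary; the simulation shows only the cryptographic part.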



SSL/TLS Configuration Options: Mozilla Firefox


SSL/TLS Configuration Options: Microsoft Internet Explorer

TLS Enhanced TCP-based Application Protocols

Service name    Port       Secured service
https           443/tcp    http protocol over TLS
smtps           465/tcp    smtp protocol over TLS
smtp             25/tcp    STARTTLS keyword (RFC 2487)
imaps           993/tcp    imap4 protocol over TLS
imap4           143/tcp    STARTTLS keyword (RFC 2595)
pop3s           995/tcp    pop3 protocol over TLS
pop3            110/tcp    STLS keyword (RFC 2595)
ldaps           636/tcp    ldap protocol over TLS
ircs            994/tcp    irc protocol over TLS
nntps           563/tcp    nntp protocol over TLS