Abstract image of a woman sitting on books and studying on a laptop

TLS/SSL Protocol Design 201006

Nate Lawson, profile picture
Nate Lawson

Nate Lawson presents an overview of the TLS/SSL protocol design. He discusses the security goals of privacy, integrity, and authentication. He explains how these goals are achieved using cryptography primitives like symmetric encryption, public key encryption, certificates, message authentication codes, and secure PRNGs. He walks through the TLS handshake protocol in detail and discusses various attacks against SSL/TLS like side channel attacks, similarly-named certificate attacks, and data injection via renegotiation attacks.

TechnologyEducation
1 of 38
Downloaded 118 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
TLS/SSL protocol design Nate Lawson nate@rootlabs.com Presented at Cal Poly June 3, 2010
Overview • Introduction to SSL/TLS – Focus on HTTP+SSL • Design goals and result • Cryptography primer – Desired properties – Primitives for implementing them • Protocol walkthrough in detail • Attacks and mitigation
My background • Root Labs founder – Design and analyze security systems – Emphasis on embedded, kernel, and crypto • Previously, Cryptography Research – Paul Kocher’s company (author of SSL 3.0) – Co-designed Blu-ray disc security layer, aka BD+ • Crypto engineer at Infogard Labs
Security is hard but rewarding • Protocols and crypto are susceptible to very minor mistakes • Example: SSL timing attacks over the Internet • Hard = fun and $ – Breaking and building things is exciting – Security is a desired skill for any resumé
SSL history • SSL (Secure Sockets Layer) v2.0 (1994) – Serious security problems including incomplete MAC coverage of padding – Designed by Netscape • SSL v3.0 (1996) – Major revision to address security problems – Paul Kocher + Netscape • TLS (Transport Layer Security) 1.0 (1999) – Added new crypto algorithm support – IETF takes over • TLS 1.1 (2006) – Address Vaudenay’s CBC attacks on record layer – Provide implementation guidance
Layered model • SSL provides security at the transport layer (OSI model L4) – Stream of bytes in, private/untampered stream of bytes out – Application logic is unmodified – Can be adapted to datagram service also (DTLS) • Compare to IPSEC – Mostly used as an L3 protocol
SMTP over SSL • HTTP, SMTP, POP, IMAP, etc. all have SSL variants • Two design choices to add SSL – Use alternate port since SSL session establishment differs from original protocol – SMTPS (TCP port 465 and 587) – Add protocol-specific message to toggle SSL mode – STARTTLS over port 25 (RFC 3207) • SMTP session over SSL is unchanged
Security goals • Privacy – Data within SSL session should not be recoverable by anyone except the endpoints • Integrity – Data in transit should not be modified without detection except by the endpoints • Authentication – No endpoint should be able to masquerade as another
Attacker capabilities • Sorted by increasing power • Normal participant – Can talk to server that is also talking to other parties • Passive eavesdropping – Observe any or all messages sent by other parties • Active (Man in the Middle) – Insert or replay old messages – Modify – Delete or reorder • Secure protocols must address all these threats
Crypto property: privacy • No one other than the intended recipient of a message can determine its contents • Caveats – Adversary could have powers of knowing or choosing plaintext – Traffic analysis – Length, latency, unencrypted data like IP or Ethernet addresses – Side channel attacks: power consumption, EM, timing of operations
Crypto property: integrity • Any change made to a message after it has been sent will be detected by the recipient – Corollary: reordering, replay, insertion, or deletion of messages will also be detected • Caveats – Privacy is not integrity protection – Error recovery – You can’t always terminate the session – Root of trust (shared system?)
Crypto property: authentication • Messages can be associated with a given identity with high level of confidence • Caveats – Managing identification – Lost keys, forgotten passwords, laptop walks away – Revocation of old keys and refreshing to new ones – Bootstrapping: what is your root of trust?
Security goal implementation • Privacy – Data is encrypted with block cipher (e.g., AES) – Cipher key is exchanged via public key crypto (e.g., RSA) • Integrity – Data is protected by a MAC (e.g., SHA1-HMAC) • Authentication – Server and/or client identity is verified via certificates
Primitive: symmetric crypto • Block ciphers turn plaintext block into ciphertext using a secret key – Recipient inverts (decrypts) block using same key • Examples: AES, 3DES, RC5
Primitive: symmetric crypto • Often requires “chaining” to encrypt messages longer than a single block • This does not provide integrity protection
Primitive: public key crypto • Data transformed with one key can only be inverted with the other key (asymmetric) • Examples: RSA, Diffie-Hellman, DSA – And elliptic curve variants • Can encrypt data to a recipient without also being able to decrypt it afterward • Can sign data by encrypting it with one key and publishing the other
Primitive: public key crypto
Primitive: certificates • Associate a name with a public key – Trusted party uses private key to sign the message “joe.com = 0x09f9…” – Public key of trusted party came with your web browser • Key management still a problem – Expire certs and explicitly revoke them if a private key is compromised (CRL) – Or, check with the trusted party each time you want to use one (OCSP)
Primitive: message authentication code • A MAC combines a hash function and secret key with the data to protect – Resulting MAC is transmitted with message – Recipient performs same process and verifies result matches • Attacker cannot… – Modify message without changing its hash – Forge a new MAC value without knowing the key • Examples: SHA1-HMAC, AES CMAC
Primitive: secure PRNG • Outputs a cryptographically-strong, pseudo-random stream of data based on initial seed – Initial seed needs to have enough entropy – PRNGs used many places (key generation, IVs, nonces) • Examples: /dev/random, Yarrow – Often based on a hash function like SHA-1
Overview of typical session Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished ApplicationData ApplicationData
Decoding with WireShark
Message: Client/ServerHello • Initiates connection and specifies parameters – Initiator sends list (i.e., CipherSuites) and responder selects one item from list – SessionID is used for resuming (explained later) Client/ServerHello Version RandomData SessionID CipherSuites CompressionMethods
Message: Certificate • Provides a signed public key value to the other party – Almost always the server although clients can also authenticate with a cert – Other side must verify information in cert (i.e., the CN field is myhost.com = IP address in my TCP connection) Certificate ASN.1Cert
Message: ServerHelloDone • Signifies end of server auth process – Allows multi-pass authentication handshake – Otherwise unimportant • Cert-based auth is single-pass
Message: ClientKeyExchange • Client sends encrypted premaster secret to server – Assumes RSA public key crypto (most common) – Server checks ClientVersion matches highest advertised version ClientKeyExchange RSA-PubKey-Encrypt( ClientVersion PreMasterSecret[48] )
Message: ChangeCipherSpec • Indicates following datagrams will be encrypted – Disambiguates case where next message may be error or encrypted data • Each side now calculates data encryption key (K) MasterSecret computation Hash( PreMasterSecret ClientRandom ServerRandom )
Message: Finished • Indicates all protocol negotiation is complete and data may be exchanged – First encrypted message of each party – Includes hashes of all handshake messages seen by each side – Also, magic integers 0x434C4E54 or 0x53525652 (why?) Finished AES-K-Encrypt( Magic MD5(handshake_messages) SHA1(handshake_messages) )
Message: ApplicationData • Encapsulates encrypted data – Includes MAC for integrity protection – Can span multiple TCP packets ApplicationData AES-CBC-K-Encrypt( Type Version Length Data MAC Padding PaddingLength )
Session resumption Client Server ClientHello ServerHello ChangeCipherSpec Finished ChangeCipherSpec Finished ApplicationData ApplicationData
Formal verification of protocol security • Goal: formal system for finding any security problems in design – BAN logic (BAN89) – Formalized authentication with primitives like “X said” and “Y believes” – Model checking (MMS98) – Build a FSM model of the system and enumerate states • Difficult and time consuming but worth it if your protocol is important
Attack: similarly-named certs • What if server has valid certificate but a similar name to another server? – Example: Microsoft vs. Micr0soft • Outside the scope of SSL but relevant • Used all the time with phishing emails – But few bother with SSL currently – Yellow lock JPEG on page sufficient – Now, please enter your PIN
Attack: side channel • Side effects of handling secure data can be indirectly observed • Example: timing attack on server’s private key [BB03] – Observe how long the server takes to return an error when sending invalid ClientKeyExchange – Bits of the key can slowly be discovered … over the Internet • Tricky problem to be sure you’ve solved adequately
Conclusions • SSL provides a well-tested secure transport layer • Security protocols require careful interdependence of primitives – Privacy – Integrity protection – Authentication • Easy to make mistakes designing security and crypto in particular • This stuff is a lot of fun!
Attack: 0-byte in CN field • Certs are ASN.1 encoded – Length-counted strings vs. nul-terminated – Allows for i18n hostname in CommonName • sslsniff (Marlinspike, 2009/7) – Browser may use C string routines while CA used length- counted routines – Attacker gets a cert for: – www.paypal.com0.example.org – Worse: *0.example.org
Attack: data injection via renegotiation • Session can be renegotiated by client or server – Often used to go from anonymous to client-cert authenticated session (IIS) – Different from session resume • MITM can insert bad data into authenticated session (Ray/Dispensa, 2009/11) – Client connects to server, blocked by MITM – MITM starts anon SSL session to server and sends malicious POST request over it – MITM forwards original ClientHello and all subsequent (re)negotiation messages • Attacker has now run command as user, but can’t decrypt any of the output
Fixing v2.0: downgrade attacks • Backwards compatibility with insecure protocol is difficult – Active attacker could change ServerHello to advertise v2- only • Clever solution: put 64 bits of 0x3 in the RSA padding – Attacker cannot substitute their own key without breaking the server cert – Luckily, SSL v2 only supported RSA key exchange
Recommended reading • [TLS06] The Transport Layer Security (TLS) Protocol, Version 1.1. http://tools.ietf.org/html/rfc4346 • [Resc02] Rescarola, E. Introduction to OpenSSL programming. http://www.rtfm.com/openssl-examples/ • [WS96] David Wagner and Bruce Schneier. Analysis of the SSL 3.0 Protocol. 1996. http://citeseer.ist.psu.edu/wagner96analysis.html • [MMS98] John C. Mitchell, Vitaly Shmatikov, and Ulrich Stern. Finite-state analysis of SSL 3.0. In Seventh USENIX Security Symposium, pages 201 - 216, 1998. http://citeseer.ist.psu.edu/mitchell98finitestate.html • [BAN90] Burrows, M., Abadi, M., and Needham, R. M. "A Logic of Authentication", ACM Transactions on Computer Systems, Vol. 8, No. 1, Feb 1990, pp. 18 - 36. A Formal Semantics for Evaluating Cryptographic Protocols p 14. http://citeseer.ist.psu.edu/burrows90logic.htm • [BB03] D. Boneh and D. Brumley. Remote Timing Attacks are Practical. Proceedings of the 12th USENIX Security Symposium, August 2003. http://citeseer.ist.psu.edu/article/boneh03remote.html • M. Marlinspike, Null Prefix Attacks Against SSL/TLS Certificates. July 29, 2009. http://www.thoughtcrime.org/software/sslsniff/ • M. Ray and S. Dispensa, Renegotiating TLS. November 4, 2009. http://extendedsubset.com/?p=10

More Related Content

PPT
SSL/TLS
Dr Anjan Krishnamurthy
 
PDF
TLS/SSL Protocol Design
Nate Lawson
 
PDF
TLS Optimization
Nate Lawson
 
PPTX
SSL And TLS
Ghanshyam Patel
 
PPT
Secure Socket Layer (SSL)
amanchaurasia
 
PPTX
Securing TCP connections using SSL
Sagar Mali
 
PPTX
Secure Socket Layer
Pina Parmar
 
PPT
Ssl (Secure Sockets Layer)
Asad Ali
 
SSL/TLS
Dr Anjan Krishnamurthy
 
TLS/SSL Protocol Design
Nate Lawson
 
TLS Optimization
Nate Lawson
 
SSL And TLS
Ghanshyam Patel
 
Secure Socket Layer (SSL)
amanchaurasia
 
Securing TCP connections using SSL
Sagar Mali
 
Secure Socket Layer
Pina Parmar
 
Ssl (Secure Sockets Layer)
Asad Ali
 

What's hot (20)

PPTX
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
JaroslavChmurny
 
PPSX
Secure socket layer
Nishant Pahad
 
PPTX
Transport Layer Security
Chhatra Thapa
 
PPTX
All you need to know about transport layer security
Maarten Smeets
 
PPTX
Secure Socket Layer
Abhishek Gupta
 
PDF
SSL/TLS Handshake
Arpit Agarwal
 
PPTX
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
Monodip Singha Roy
 
PPTX
Transport Layer Security
Huda Seyam
 
PDF
Transport Layer Security
Ibrahiem Mohammed
 
PPTX
Transport layer security
Hrudya Balachandran
 
PPTX
Ssl and tls
Rana assad ali
 
PDF
Basics of ssl
n|u - The Open Security Community
 
PDF
Transport Layer Security - Mrinal Wadhwa
Mrinal Wadhwa
 
PPTX
secure socket layer
Amar Shah
 
PDF
SSL Secure socket layer
Ahmed Elnaggar
 
PPT
Introduction to Secure Sockets Layer
Nascenia IT
 
PPTX
SSL/TLS 101
Chul-Woong Yang
 
PPT
security in transport layer ssl
STUDENT
 
PPTX
Transport layer security
Hrudya Balachandran
 
PPTX
Secure Socket Layer (SSL)
Samip jain
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
JaroslavChmurny
 
Secure socket layer
Nishant Pahad
 
Transport Layer Security
Chhatra Thapa
 
All you need to know about transport layer security
Maarten Smeets
 
Secure Socket Layer
Abhishek Gupta
 
SSL/TLS Handshake
Arpit Agarwal
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
Monodip Singha Roy
 
Transport Layer Security
Huda Seyam
 
Transport Layer Security
Ibrahiem Mohammed
 
Transport layer security
Hrudya Balachandran
 
Ssl and tls
Rana assad ali
 
Basics of ssl
n|u - The Open Security Community
 
Transport Layer Security - Mrinal Wadhwa
Mrinal Wadhwa
 
secure socket layer
Amar Shah
 
SSL Secure socket layer
Ahmed Elnaggar
 
Introduction to Secure Sockets Layer
Nascenia IT
 
SSL/TLS 101
Chul-Woong Yang
 
security in transport layer ssl
STUDENT
 
Transport layer security
Hrudya Balachandran
 
Secure Socket Layer (SSL)
Samip jain
 
Ad

Viewers also liked (18)

PDF
ACPI and FreeBSD (Part 1)
Nate Lawson
 
PDF
Crypto Strikes Back! (Google 2009)
Nate Lawson
 
PDF
When Crypto Attacks! (Yahoo 2009)
Nate Lawson
 
PDF
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Nate Lawson
 
PDF
Foundations of Platform Security
Nate Lawson
 
PDF
ACPI and FreeBSD (Part 2)
Nate Lawson
 
PDF
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Nate Lawson
 
PDF
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Nate Lawson
 
PDF
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Nate Lawson
 
PPTX
TIM HIEU SSL VA UNG DUNG TREN WEB SERVER
conglongit90
 
PDF
Designing and Attacking DRM (RSA 2008)
Nate Lawson
 
PDF
TLS/SSL MAC security flaw
Nate Lawson
 
PDF
Giao thức bảo mật SSL
conglongit90
 
PPTX
Transport layer security (tls)
Kalpesh Kalekar
 
PDF
Secure electronic transaction (set)
Agnė Chomentauskaitė
 
PDF
SSL/TLS
pavansmiles
 
PDF
Q2 fy17 earnings slides final no guidance1
ir_cisco
 
PPT
Network security
Gichelle Amon
 
ACPI and FreeBSD (Part 1)
Nate Lawson
 
Crypto Strikes Back! (Google 2009)
Nate Lawson
 
When Crypto Attacks! (Yahoo 2009)
Nate Lawson
 
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Nate Lawson
 
Foundations of Platform Security
Nate Lawson
 
ACPI and FreeBSD (Part 2)
Nate Lawson
 
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Nate Lawson
 
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Nate Lawson
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Nate Lawson
 
TIM HIEU SSL VA UNG DUNG TREN WEB SERVER
conglongit90
 
Designing and Attacking DRM (RSA 2008)
Nate Lawson
 
TLS/SSL MAC security flaw
Nate Lawson
 
Giao thức bảo mật SSL
conglongit90
 
Transport layer security (tls)
Kalpesh Kalekar
 
Secure electronic transaction (set)
Agnė Chomentauskaitė
 
SSL/TLS
pavansmiles
 
Q2 fy17 earnings slides final no guidance1
ir_cisco
 
Network security
Gichelle Amon
 
Ad

Similar to TLS/SSL Protocol Design 201006 (20)

PPT
Ip sec and ssl
Mohd Arif
 
PPTX
ssl-tls-ipsec-vpn.pptx
jithu26327
 
PPT
Transportsec
Bogdan Korniyenko
 
PPTX
TLS/SSL - Study of Secured Communications
Nitin Ramesh
 
PPT
ch22.ppt
ImXaib
 
PPT
Ip sec talk
anoean
 
PDF
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
NiharikaDubey17
 
PPT
03-SSL (1).ppt
ZAKARIAABED1
 
PPT
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
ghorilemin
 
PPT
this is ppt this is ppt this is ppt this is ppt
ghorilemin
 
PPT
03-SSL (2).ppt
ShounakDas16
 
PDF
Computer network (4)
NYversity
 
PPSX
BSET_Lecture_Crypto and SSL_Overview_FINAL
Glenn Haley
 
PDF
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
PPT
Lecture 6 web security
rajakhurram
 
PPT
Unit08
Nurul Nadirah
 
PDF
CS6004 CYBER FORENSICS
Kathirvel Ayyaswamy
 
PDF
Alfresco DevCon 2019: Encryption at-rest and in-transit
Toni de la Fuente
 
PDF
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
Kathirvel Ayyaswamy
 
PPT
cryptography and network security thid.ppt
ubaidullah75790
 
Ip sec and ssl
Mohd Arif
 
ssl-tls-ipsec-vpn.pptx
jithu26327
 
Transportsec
Bogdan Korniyenko
 
TLS/SSL - Study of Secured Communications
Nitin Ramesh
 
ch22.ppt
ImXaib
 
Ip sec talk
anoean
 
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
NiharikaDubey17
 
03-SSL (1).ppt
ZAKARIAABED1
 
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
ghorilemin
 
this is ppt this is ppt this is ppt this is ppt
ghorilemin
 
03-SSL (2).ppt
ShounakDas16
 
Computer network (4)
NYversity
 
BSET_Lecture_Crypto and SSL_Overview_FINAL
Glenn Haley
 
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
Lecture 6 web security
rajakhurram
 
Unit08
Nurul Nadirah
 
CS6004 CYBER FORENSICS
Kathirvel Ayyaswamy
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Toni de la Fuente
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
Kathirvel Ayyaswamy
 
cryptography and network security thid.ppt
ubaidullah75790
 

Recently uploaded (20)

PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
Unlock new opportunities with location data.pdf
Precisely
 
PDF
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PPTX
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Unlock new opportunities with location data.pdf
Precisely
 
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
The various Industrial Revolutions .pptx
bandileshozi3
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 

TLS/SSL Protocol Design 201006

  • 1. TLS/SSL protocol design Nate Lawson [email protected] Presented at Cal Poly June 3, 2010
  • 2. Overview • Introduction to SSL/TLS – Focus on HTTP+SSL • Design goals and result • Cryptography primer – Desired properties – Primitives for implementing them • Protocol walkthrough in detail • Attacks and mitigation
  • 3. My background • Root Labs founder – Design and analyze security systems – Emphasis on embedded, kernel, and crypto • Previously, Cryptography Research – Paul Kocher’s company (author of SSL 3.0) – Co-designed Blu-ray disc security layer, aka BD+ • Crypto engineer at Infogard Labs
  • 4. Security is hard but rewarding • Protocols and crypto are susceptible to very minor mistakes • Example: SSL timing attacks over the Internet • Hard = fun and $ – Breaking and building things is exciting – Security is a desired skill for any resumé
  • 5. SSL history • SSL (Secure Sockets Layer) v2.0 (1994) – Serious security problems including incomplete MAC coverage of padding – Designed by Netscape • SSL v3.0 (1996) – Major revision to address security problems – Paul Kocher + Netscape • TLS (Transport Layer Security) 1.0 (1999) – Added new crypto algorithm support – IETF takes over • TLS 1.1 (2006) – Address Vaudenay’s CBC attacks on record layer – Provide implementation guidance
  • 6. Layered model • SSL provides security at the transport layer (OSI model L4) – Stream of bytes in, private/untampered stream of bytes out – Application logic is unmodified – Can be adapted to datagram service also (DTLS) • Compare to IPSEC – Mostly used as an L3 protocol
  • 7. SMTP over SSL • HTTP, SMTP, POP, IMAP, etc. all have SSL variants • Two design choices to add SSL – Use alternate port since SSL session establishment differs from original protocol – SMTPS (TCP port 465 and 587) – Add protocol-specific message to toggle SSL mode – STARTTLS over port 25 (RFC 3207) • SMTP session over SSL is unchanged
  • 8. Security goals • Privacy – Data within SSL session should not be recoverable by anyone except the endpoints • Integrity – Data in transit should not be modified without detection except by the endpoints • Authentication – No endpoint should be able to masquerade as another
  • 9. Attacker capabilities • Sorted by increasing power • Normal participant – Can talk to server that is also talking to other parties • Passive eavesdropping – Observe any or all messages sent by other parties • Active (Man in the Middle) – Insert or replay old messages – Modify – Delete or reorder • Secure protocols must address all these threats
  • 10. Crypto property: privacy • No one other than the intended recipient of a message can determine its contents • Caveats – Adversary could have powers of knowing or choosing plaintext – Traffic analysis – Length, latency, unencrypted data like IP or Ethernet addresses – Side channel attacks: power consumption, EM, timing of operations
  • 11. Crypto property: integrity • Any change made to a message after it has been sent will be detected by the recipient – Corollary: reordering, replay, insertion, or deletion of messages will also be detected • Caveats – Privacy is not integrity protection – Error recovery – You can’t always terminate the session – Root of trust (shared system?)
  • 12. Crypto property: authentication • Messages can be associated with a given identity with high level of confidence • Caveats – Managing identification – Lost keys, forgotten passwords, laptop walks away – Revocation of old keys and refreshing to new ones – Bootstrapping: what is your root of trust?
  • 13. Security goal implementation • Privacy – Data is encrypted with block cipher (e.g., AES) – Cipher key is exchanged via public key crypto (e.g., RSA) • Integrity – Data is protected by a MAC (e.g., SHA1-HMAC) • Authentication – Server and/or client identity is verified via certificates
  • 14. Primitive: symmetric crypto • Block ciphers turn plaintext block into ciphertext using a secret key – Recipient inverts (decrypts) block using same key • Examples: AES, 3DES, RC5
  • 15. Primitive: symmetric crypto • Often requires “chaining” to encrypt messages longer than a single block • This does not provide integrity protection
  • 16. Primitive: public key crypto • Data transformed with one key can only be inverted with the other key (asymmetric) • Examples: RSA, Diffie-Hellman, DSA – And elliptic curve variants • Can encrypt data to a recipient without also being able to decrypt it afterward • Can sign data by encrypting it with one key and publishing the other
  • 18. Primitive: certificates • Associate a name with a public key – Trusted party uses private key to sign the message “joe.com = 0x09f9…” – Public key of trusted party came with your web browser • Key management still a problem – Expire certs and explicitly revoke them if a private key is compromised (CRL) – Or, check with the trusted party each time you want to use one (OCSP)
  • 19. Primitive: message authentication code • A MAC combines a hash function and secret key with the data to protect – Resulting MAC is transmitted with message – Recipient performs same process and verifies result matches • Attacker cannot… – Modify message without changing its hash – Forge a new MAC value without knowing the key • Examples: SHA1-HMAC, AES CMAC
  • 20. Primitive: secure PRNG • Outputs a cryptographically-strong, pseudo-random stream of data based on initial seed – Initial seed needs to have enough entropy – PRNGs used many places (key generation, IVs, nonces) • Examples: /dev/random, Yarrow – Often based on a hash function like SHA-1
  • 21. Overview of typical session Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished ApplicationData ApplicationData
  • 23. Message: Client/ServerHello • Initiates connection and specifies parameters – Initiator sends list (i.e., CipherSuites) and responder selects one item from list – SessionID is used for resuming (explained later) Client/ServerHello Version RandomData SessionID CipherSuites CompressionMethods
  • 24. Message: Certificate • Provides a signed public key value to the other party – Almost always the server although clients can also authenticate with a cert – Other side must verify information in cert (i.e., the CN field is myhost.com = IP address in my TCP connection) Certificate ASN.1Cert
  • 25. Message: ServerHelloDone • Signifies end of server auth process – Allows multi-pass authentication handshake – Otherwise unimportant • Cert-based auth is single-pass
  • 26. Message: ClientKeyExchange • Client sends encrypted premaster secret to server – Assumes RSA public key crypto (most common) – Server checks ClientVersion matches highest advertised version ClientKeyExchange RSA-PubKey-Encrypt( ClientVersion PreMasterSecret[48] )
  • 27. Message: ChangeCipherSpec • Indicates following datagrams will be encrypted – Disambiguates case where next message may be error or encrypted data • Each side now calculates data encryption key (K) MasterSecret computation Hash( PreMasterSecret ClientRandom ServerRandom )
  • 28. Message: Finished • Indicates all protocol negotiation is complete and data may be exchanged – First encrypted message of each party – Includes hashes of all handshake messages seen by each side – Also, magic integers 0x434C4E54 or 0x53525652 (why?) Finished AES-K-Encrypt( Magic MD5(handshake_messages) SHA1(handshake_messages) )
  • 29. Message: ApplicationData • Encapsulates encrypted data – Includes MAC for integrity protection – Can span multiple TCP packets ApplicationData AES-CBC-K-Encrypt( Type Version Length Data MAC Padding PaddingLength )
  • 30. Session resumption Client Server ClientHello ServerHello ChangeCipherSpec Finished ChangeCipherSpec Finished ApplicationData ApplicationData
  • 31. Formal verification of protocol security • Goal: formal system for finding any security problems in design – BAN logic (BAN89) – Formalized authentication with primitives like “X said” and “Y believes” – Model checking (MMS98) – Build a FSM model of the system and enumerate states • Difficult and time consuming but worth it if your protocol is important
  • 32. Attack: similarly-named certs • What if server has valid certificate but a similar name to another server? – Example: Microsoft vs. Micr0soft • Outside the scope of SSL but relevant • Used all the time with phishing emails – But few bother with SSL currently – Yellow lock JPEG on page sufficient – Now, please enter your PIN
  • 33. Attack: side channel • Side effects of handling secure data can be indirectly observed • Example: timing attack on server’s private key [BB03] – Observe how long the server takes to return an error when sending invalid ClientKeyExchange – Bits of the key can slowly be discovered … over the Internet • Tricky problem to be sure you’ve solved adequately
  • 34. Conclusions • SSL provides a well-tested secure transport layer • Security protocols require careful interdependence of primitives – Privacy – Integrity protection – Authentication • Easy to make mistakes designing security and crypto in particular • This stuff is a lot of fun!
  • 35. Attack: 0-byte in CN field • Certs are ASN.1 encoded – Length-counted strings vs. nul-terminated – Allows for i18n hostname in CommonName • sslsniff (Marlinspike, 2009/7) – Browser may use C string routines while CA used length- counted routines – Attacker gets a cert for: – www.paypal.com0.example.org – Worse: *0.example.org
  • 36. Attack: data injection via renegotiation • Session can be renegotiated by client or server – Often used to go from anonymous to client-cert authenticated session (IIS) – Different from session resume • MITM can insert bad data into authenticated session (Ray/Dispensa, 2009/11) – Client connects to server, blocked by MITM – MITM starts anon SSL session to server and sends malicious POST request over it – MITM forwards original ClientHello and all subsequent (re)negotiation messages • Attacker has now run command as user, but can’t decrypt any of the output
  • 37. Fixing v2.0: downgrade attacks • Backwards compatibility with insecure protocol is difficult – Active attacker could change ServerHello to advertise v2- only • Clever solution: put 64 bits of 0x3 in the RSA padding – Attacker cannot substitute their own key without breaking the server cert – Luckily, SSL v2 only supported RSA key exchange
  • 38. Recommended reading • [TLS06] The Transport Layer Security (TLS) Protocol, Version 1.1. http://tools.ietf.org/html/rfc4346 • [Resc02] Rescarola, E. Introduction to OpenSSL programming. http://www.rtfm.com/openssl-examples/ • [WS96] David Wagner and Bruce Schneier. Analysis of the SSL 3.0 Protocol. 1996. http://citeseer.ist.psu.edu/wagner96analysis.html • [MMS98] John C. Mitchell, Vitaly Shmatikov, and Ulrich Stern. Finite-state analysis of SSL 3.0. In Seventh USENIX Security Symposium, pages 201 - 216, 1998. http://citeseer.ist.psu.edu/mitchell98finitestate.html • [BAN90] Burrows, M., Abadi, M., and Needham, R. M. "A Logic of Authentication", ACM Transactions on Computer Systems, Vol. 8, No. 1, Feb 1990, pp. 18 - 36. A Formal Semantics for Evaluating Cryptographic Protocols p 14. http://citeseer.ist.psu.edu/burrows90logic.htm • [BB03] D. Boneh and D. Brumley. Remote Timing Attacks are Practical. Proceedings of the 12th USENIX Security Symposium, August 2003. http://citeseer.ist.psu.edu/article/boneh03remote.html • M. Marlinspike, Null Prefix Attacks Against SSL/TLS Certificates. July 29, 2009. http://www.thoughtcrime.org/software/sslsniff/ • M. Ray and S. Dispensa, Renegotiating TLS. November 4, 2009. http://extendedsubset.com/?p=10