8 Transport Layer Security (SSL/TLS)

Internet Security 1 (IntSi1)
8 Transport Layer Security (TLS)
Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
ITA, 2.11.2011, 8-TLS.pptx 1
TLS Session Example
TLS Market Share of Certification Authorities
2010 Netcraft Ltd
https://ssl.netcraft.com/ssl-sample-report/CMatch/certs
Secure Network Protocols for the OSI Stack

Communication layer   Security protocols
Application layer     ssh, S/MIME, PGP, Kerberos, WSS
Transport layer       TLS, [SSL]
Network layer         IPsec
Data Link layer       [PPTP, L2TP], IEEE 802.1X, IEEE 802.1AE, IEEE 802.11i (WPA2)
Physical layer        Quantum Cryptography

TLS/SSL Protocol Layers

Insecure transport layer: Application – Sockets – TCP – IP
Secure transport layer:   Application – TLS (Fragmentation, Compression, Authentication, Encryption, Transport) – TCP – IP

TLS Record Protocol

Handshake | ChangeCipherSpec | Alert | Application Data   (messages)
TLS – Record Protocol   (records)
TCP – Transport Protocol   (stream)
IP – Network Protocol   (packets)

TLS Record Structure

Application Data (Segment 1) | Application Data (Segment 2)
  Each segment becomes one [Compressed] Data fragment.
TCP Header | Record Header (5 Bytes) | Record Body
  Record Body = Encrypted Data = [Compressed] Data + MAC + Padding, length n * Block Cipher Size

TLS Handshake Protocol

Client -> Server: ClientHello (RC)
Server -> Client: ServerHello (RS), Certificate*, ServerKeyExchange*, CertificateRequest*, ServerHelloDone
Client -> Server: Certificate*, ClientKeyExchange, CertificateVerify*, ChangeCipherSpec, Finished°
Server -> Client: ChangeCipherSpec, Finished°
Client <-> Server: Application Data°
*optional   °encrypted   (RC = client random, RS = server random)

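The record framing (5-byte header: content type, version, length) and handshake message framing (1-byte type, 3-byte length) shown on the record-structure and handshake slides above, as an added Python example that is not part of the lecture material. It splits a TCP byte stream into records, decodes a ClientHello (version, RC random, session ID, cipher suites) and buffers an incomplete trailing record instead of misreading it. The constants are the RFC 2246 / RFC 5246 wire values; the sample record bytes, the dictionary key names and the helper `build_client_hello_record` are this example's own constructions.

```python
"""Parse TLS 1.0-1.2 record and handshake framing from a TCP byte stream.

Added example, not part of the lecture slides. Wire-format constants are
those of RFC 2246 / RFC 5246; the sample bytes are constructed here, not
captured from a real session.
"""
import os
import struct

RECORD_HEADER_LEN = 5                 # type(1) version(2) length(2)
HANDSHAKE_HEADER_LEN = 4              # msg_type(1) length(3)
MAX_CIPHERTEXT_LEN = 2 ** 14 + 2048   # RFC 5246 TLSCiphertext.length bound

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 15: "certificate_verify",
                   16: "client_key_exchange", 20: "finished"}


def parse_record_header(data):
    """Decode the 5-byte record header; reject unknown types and oversized lengths."""
    if len(data) < RECORD_HEADER_LEN:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:RECORD_HEADER_LEN])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    if length > MAX_CIPHERTEXT_LEN:
        raise ValueError(f"record length {length} exceeds limit")
    return {"type": CONTENT_TYPES[ctype],
            "version": VERSIONS.get((major, minor), f"unknown {major}.{minor}"),
            "length": length}


def split_records(stream):
    """Return the complete records in a TCP stream and the unconsumed tail.

    TCP is a byte stream: one record may be split across segments, or several
    records may share one segment. The tail is buffered until the rest arrives
    rather than being parsed as a new record."""
    records, offset = [], 0
    while len(stream) - offset >= RECORD_HEADER_LEN:
        header = parse_record_header(stream[offset:offset + RECORD_HEADER_LEN])
        end = offset + RECORD_HEADER_LEN + header["length"]
        if end > len(stream):
            break                       # incomplete record: wait for more data
        records.append((header, stream[offset + RECORD_HEADER_LEN:end]))
        offset = end
    return records, stream[offset:]


def parse_handshake_header(fragment):
    """Decode msg_type and the 24-bit body length of a handshake message."""
    if len(fragment) < HANDSHAKE_HEADER_LEN:
        raise ValueError("truncated handshake header")
    msg_type = fragment[0]
    length = int.from_bytes(fragment[1:4], "big")
    if HANDSHAKE_HEADER_LEN + length > len(fragment):
        raise ValueError("handshake body exceeds record fragment")
    return HANDSHAKE_TYPES.get(msg_type, f"unknown {msg_type}"), fragment[4:4 + length]


def parse_client_hello(body):
    """Extract version, random (RC), session_id, cipher suites and compression."""
    major, minor = body[0], body[1]
    random = body[2:34]                 # 32 bytes: 4-byte gmt_unix_time + 28 random
    sid_len = body[34]
    session_id = body[35:35 + sid_len]  # non-empty when the client asks to resume
    pos = 35 + sid_len
    suites_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]
    compression = list(body[pos + 1:pos + 1 + comp_len])
    return {"version": VERSIONS.get((major, minor)), "random": random,
            "session_id": session_id, "cipher_suites": suites,
            "compression": compression}


def build_client_hello_record(client_random, session_id=b"", suites=(0x002F, 0x0035)):
    """Construct a minimal ClientHello record (sample generator for this example)."""
    body = bytes([3, 3]) + client_random + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([1, 0])               # one compression method: null
    handshake = bytes([1]) + len(body).to_bytes(3, "big") + body
    return bytes([22, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    rc = os.urandom(32)
    # constructed stream: ClientHello record, a close_notify alert record, a partial record
    stream = build_client_hello_record(rc) + bytes([21, 3, 1, 0, 2, 1, 0]) + bytes([22, 3, 1])
    records, tail = split_records(stream)
    for header, fragment in records:
        print(header)
        if header["type"] == "handshake":
            kind, body = parse_handshake_header(fragment)
            print(kind, parse_client_hello(body))
    print("buffered tail:", tail.hex())
```

The ClientHello is sent inside a record whose version field is 3.1 while the hello body announces 3.3; this is the usual wire layout, and a parser that compares the two fields instead of treating the record version as a hint will reject legitimate clients.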
Resuming a TLS Session

Client -> Server: ClientHello (RC)
Server -> Client: ServerHello (RS), ChangeCipherSpec, Finished°
Client -> Server: ChangeCipherSpec, Finished°
Client <-> Server: Application Data°
°encrypted

Implemented SSL/TLS Protocol Versions

• SSL – Secure Sockets Layer Version 2.0
  • Initially developed by Netscape
  • SSL 2.0 is sensitive to man-in-the-middle attacks leading e.g. to the negotiation of weak encryption keys
  • SSL 2.0 should not be used anymore
• SSL – Secure Sockets Layer Version 3.0
  • Internet Draft authored by Netscape, November 1996
  • Supported by all browsers
  • Vulnerable to the BEAST Cipher-Block-Chaining (CBC) attack
• TLS – Transport Layer Security Version 1.0 (SSL 3.1)
  • IETF RFC 2246, January 1999
  • TLS 1.0 is not backwards compatible to SSL 3.0 (differences in MAC computation, PRF function for master_secret and key material)
  • Supported by all browsers
  • Vulnerable to the BEAST Cipher-Block-Chaining (CBC) attack

BEAST – Browser Exploit Against SSL/TLS

• Authors
  • Thai Duong and Juliano Rizzo presented their exploit on September 23, 2011 at the 7th ekoparty Security Conference in Buenos Aires.
• Exploit
  • The exploit uses a known-plaintext attack on the Cipher-Block-Chaining (CBC) encryption vulnerability of SSL 3.0 and TLS 1.0 which has been known since 2001 and was fixed by TLS 1.1 in 2006.
• Approach
  • The BEAST JavaScript code running in a browser decrypts encrypted cookies sent via HTTPS within a couple of seconds.
• Fix
  • Temporary workaround: Set up HTTPS web servers with stream ciphers (e.g. the rather outdated RC4 algorithm)
  • Migration of HTTPS web servers and browsers to TLS 1.1 or 1.2.

Latest TLS Protocol Versions

• TLS – Transport Layer Security Version 1.1 (SSL 3.2)
  • IETF RFC 4346, April 2006
  • Protection against CBC attacks (Serge Vaudenay, EPFL, 2004):
    • Implicit Initialization Vector (IV) is replaced with an explicit IV
    • Handling of padding errors is changed to use the bad_record_mac alert rather than decryption_failed.
• TLS – Transport Layer Security Version 1.2 (SSL 3.3)
  • IETF RFC 5246, August 2008, updated by RFC
  • Combined MD5/SHA-1 hash and PRF functions replaced by SHA-256 based default algorithms or cipher-suite specified methods.
  • Support of Authenticated Encryption with Additional Data (AEAD) modes (e.g. AES-GCM accelerated by Intel AES-NI instruction set)
• TLS 1.1 and 1.2 Support
  • Windows 7, Windows Server 2008 R2
  • GnuTLS library, the OpenSSL 1.0.1 snapshot and strongSwan libtls.

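The MAC-then-pad record body for block cipher suites, and the two TLS 1.1 changes listed above (an explicit per-record IV, and one bad_record_mac alert for both padding and MAC failures), as an added Python example that is not part of the lecture slides. The block cipher step itself is left out: `build_body` returns the bytes that CBC would encrypt, and `check_body` validates what CBC decryption would return. The function names, the HMAC-SHA1 choice (matching the *_CBC_SHA cipher suites) and the sample key and fragment are this example's own assumptions.

```python
"""Record body layout for CBC cipher suites in TLS 1.0 versus TLS 1.1.

Added example, not part of the lecture slides. Layout follows RFC 2246 /
RFC 5246 section 6.2.3.2: fragment || MAC || padding, padded to a whole
number of cipher blocks. The block cipher is omitted: build_body returns
the bytes CBC would encrypt, check_body validates what CBC decryption
would return. Key and fragment in the demo are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

BLOCK_SIZE = 16            # AES block size in bytes
MAC_ALGO = hashlib.sha1    # HMAC-SHA1, as in the *_CBC_SHA cipher suites
MAC_LEN = MAC_ALGO().digest_size


def record_mac(mac_key, seq_num, content_type, version, fragment):
    """HMAC over seq_num || type || version || length || fragment."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, MAC_ALGO).digest()


def pad(data):
    """TLS padding: padding_length + 1 bytes, each equal to padding_length,
    chosen so the result is a whole number of cipher blocks."""
    pad_len = (BLOCK_SIZE - (len(data) + 1) % BLOCK_SIZE) % BLOCK_SIZE
    return data + bytes([pad_len]) * (pad_len + 1)


def build_body(mac_key, seq_num, content_type, version, fragment, explicit_iv):
    """Plaintext CBC input for one record.

    TLS 1.1 (explicit_iv=True) prefixes a fresh random IV block to every
    record. TLS 1.0 (explicit_iv=False) has no IV field: CBC is chained from
    the last ciphertext block of the previous record, so the IV of the next
    record is known to anyone observing the connection, which is the CBC
    weakness the slides attribute to BEAST."""
    body = pad(fragment + record_mac(mac_key, seq_num, content_type, version, fragment))
    if explicit_iv:
        body = os.urandom(BLOCK_SIZE) + body
    return body


def check_body(mac_key, seq_num, content_type, version, body, explicit_iv):
    """Validate padding, then MAC, after decryption; return (fragment, alert).

    Both failures report the same bad_record_mac alert, as TLS 1.1 requires.
    TLS 1.0 sent decryption_failed for bad padding and bad_record_mac for a
    bad MAC, which told the peer (and an observer) which check had failed."""
    if explicit_iv:
        body = body[BLOCK_SIZE:]                     # drop the explicit IV block
    if len(body) == 0 or len(body) % BLOCK_SIZE:
        return None, "bad_record_mac"
    pad_len = body[-1]
    if pad_len + 1 + MAC_LEN > len(body) or \
            body[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        return None, "bad_record_mac"                # TLS 1.0 said decryption_failed here
    content = body[:-(pad_len + 1)]
    fragment, mac = content[:-MAC_LEN], content[-MAC_LEN:]
    expected = record_mac(mac_key, seq_num, content_type, version, fragment)
    if not hmac.compare_digest(mac, expected):
        return None, "bad_record_mac"
    return fragment, None


if __name__ == "__main__":
    key = b"\x11" * 20                               # constructed MAC key
    request = b"GET / HTTP/1.1\r\n"                  # constructed fragment
    for name, version, explicit in (("TLS 1.0", (3, 1), False), ("TLS 1.1", (3, 2), True)):
        body = build_body(key, 0, 23, version, request, explicit)
        print(f"{name}: {len(body)} bytes = {len(body) // BLOCK_SIZE} blocks")
        print("  valid record        ->", check_body(key, 0, 23, version, body, explicit))
        print("  replayed as seq 1   ->", check_body(key, 1, 23, version, body, explicit))
```

The sequence number inside the MAC is what makes a replayed or reordered record fail the check, which is why the demo re-verifies the same body under sequence number 1.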
SSL/TLS Configuration Options

Mozilla Firefox
Microsoft Internet Explorer

TLS Enhanced TCP-based Application Protocols

Service Name   Port      Secured Service
https          443/tcp   http protocol over TLS
smtps          465/tcp   smtp protocol over TLS
smtp           25/tcp    STARTTLS keyword (RFC 2487)
imaps          993/tcp   imap4 protocol over TLS
imap4          143/tcp   STARTTLS keyword (RFC 2595)
pop3s          995/tcp   pop3 protocol over TLS
pop3           110/tcp   STLS keyword (RFC 2595)
ldaps          636/tcp   ldap protocol over TLS
ircs           994/tcp   irc protocol over TLS
nntps          563/tcp   nntp protocol over TLS