Network Security: SSL and IPsec, Slides of Computer Networks

Download Network Security: SSL and IPsec and more Slides Computer Networks in PDF only on Docsity!

Lecture 23

Network Security (cont)

slides are modified from Dave Hollinger

SSL: Secure Sockets Layer

• Widely deployed security protocol - Supported by almost all browsers and web servers - https - Tens of billions $ spent per year over SSL
• Originally designed by Netscape in 1993
• Number of variations:
  • TLS: transport layer security, RFC 2246
• Provides
  • Confidentiality
  • Integrity
  • Authentication
    • Original goals:
      • Had Web e-commerce transactions in mind
      • Encryption (especially credit-card numbers)
      • Web-server authentication
      • Optional client authentication
      • Minimum hassle in doing business with new merchant
    • Available to all TCP applications
      • Secure socket interface

Could do something like PGP:

4

• But want to send byte streams & interactive data
• Want a set of secret keys for the entire connection
• Want certificate exchange part of protocol:

handshake phase

H( ).^ K (^) A-( ).

K (^) A^ - (H(m)) m

K A^ -

m

K (^) S( ).

K+ (^) B ( ).

K^ + B (K S )

KS

K B^ +

Internet

KS

Toy SSL: a simple secure channel

• Handshake: Alice and Bob use their

certificates and private keys to authenticate each other and exchange shared secret

• Key Derivation: Alice and Bob use shared

secret to derive set of keys

• Data Transfer: Data to be transferred is broken

up into a series of records

• Connection Closure: Special messages to

securely close connection

Toy: Key derivation

• Considered bad to use same key for more than one

cryptographic operation

• Use different keys for message authentication code (MAC) and encryption
• Four keys:
• Kc = encryption key for data sent from client to server
• M (^) c = MAC key for data sent from client to server
• Ks = encryption key for data sent from server to client
• M (^) s = MAC key for data sent from server to client
• Keys derived from key derivation function (KDF)
• Takes master secret and (possibly) some additional random data and creates the keys

Toy: Data Records

• Why not encrypt data in constant stream as we write it to

TCP?

• Where would we put the MAC? If at end, no message integrity until all data processed.
• For example, with instant messaging, how can we do integrity check over all bytes sent before displaying?
• Instead, break stream in series of records
• Each record carries a MAC
• Receiver can act on each record as it arrives
• Issue: in record, receiver needs to distinguish MAC from

data

• Want to use variable-length records

8

length data MAC

Toy: Control information

• Truncation attack:

• attacker forges TCP connection close segment
• One or both sides thinks there is less data than there actually is.

• Solution: record types, with one type for

closure

• type 0 for data; type 1 for closure

• MAC = MAC(M x, sequence||type||data)

10

length type data MAC

Toy SSL: summary

11

encrypted

bob.com

Most common symmetric ciphers in SSL

• DES – Data Encryption Standard: block
• 3DES – Two keys: block
• RC2 – Rivest Cipher 2: block
• RC4 – Rivest Cipher 4: stream

Public key encryption

• RSA

SSL Cipher Suite

• Cipher Suite

– Public-key algorithm

– Symmetric encryption algorithm

– MAC algorithm

• SSL supports a variety of cipher suites

• Negotiation: client and server must agree on

cipher suite

• Client offers choice; server picks one

Real SSL: Handshake (2)

1. Client sends list of algorithms it supports, along with client

nonce

2. Server chooses algorithms from list; sends back: choice +

certificate + server nonce

3. Client verifies certificate, extracts server’s public key,

generates pre_master_secret, encrypts with server’s public

key, sends to server

4. Client and server independently compute encryption and

MAC keys from pre_master_secret and nonces

5. Client sends a MAC of all the handshake messages

6. Server sends a MAC of all the handshake messages

Real SSL: Handshaking (3)

Last 2 steps protect handshake from tampering

• Client typically offers range of algorithms,

some strong, some weak

• Man-in-the middle could delete the stronger

algorithms from list

• Last 2 steps prevent this

– Last two messages are encrypted

SSL Record Protocol

19

data

data fragment

data fragment

MAC MAC

encrypted data and MAC

encrypted data and MAC

record header

record header

record header: content type; version; length

MAC: includes sequence number, MAC key Mx

Fragment: each SSL fragment 2 24 bytes (~16 Kbytes)

SSL Record Format

20

content type SSL version length

MAC

data

1 byte (^) 2 bytes 3 bytes

Data and MAC encrypted (symmetric algo)