Transport-Level Security

The document discusses Transport Layer Security (TLS), which is a widely used security protocol that evolved from SSL. TLS provides security services like confidentiality and integrity for network traffic. It operates at the transport layer and relies on TCP. The TLS Record Protocol provides encryption and integrity for application data and defines the format of TLS records.

Transport-Level Security

Web Security
• Web now widely used by business,
government, individuals
• but Internet & Web are vulnerable
• have a variety of threats
– integrity
– confidentiality
– denial of service
– authentication
• need added security mechanisms
Comparison of threats on the web
Web Traffic Security Approaches
Transport Layer Security
• One of the most widely used security services is Transport
Layer Security (TLS);
• the current version is Version 1.2, defined in RFC 5246.
• TLS is an Internet standard that evolved from a commercial
protocol known as Secure Sockets Layer (SSL)
• Although SSL implementations are still around, SSL has been
deprecated by the IETF and is disabled by most corporations
offering TLS software.
• TLS is a general purpose service implemented as a set of
protocols that rely on TCP
Transport Layer Security
• At this level, there are two implementation choices:
– For full generality, TLS could be provided as part of the
underlying protocol suite and therefore be transparent to
applications.
– Alternatively, TLS can be embedded in specific packages.
For example, most browsers come equipped with TLS, and
most Web servers have implemented the protocol.
TLS Architecture
• TLS is designed to make use of TCP to provide a reliable end-
to-end secure service.
• TLS is not a single protocol but rather two layers of protocols,
as illustrated in the figure.
TLS Architecture…
• The TLS Record Protocol provides basic security services to
various higher layer protocols. In particular, HTTP, which
provides the transfer service for Web client/server interaction,
can operate on top of TLS. Three higher-layer protocols are
defined as part of TLS:
1. The Handshake Protocol
2. The Change Cipher Spec Protocol
3. The Alert Protocol
• These TLS-specific protocols are used in the management of TLS
exchanges.
• A fourth protocol, the Heartbeat Protocol, is defined in a
separate RFC
TLS Architecture …

• Two important TLS concepts are
– the TLS session and the TLS connection.
• Connection:
– A connection is a transport that provides a suitable type of
service.
– For TLS, such connections are peer-to-peer relationships.
– The connections are transient.
– Every connection is associated with one session.

TLS Architecture…
• Session:
– A TLS session is an association between a client and a
server.
– Created by the Handshake Protocol.
– Defines a set of cryptographic security parameters, which
can be shared among multiple connections.
– Used to avoid the expensive negotiation of new security parameters
for each connection.
TLS Architecture…
• Between any pair of parties there may be multiple secure
connections.
• There are a number of states associated with each session.
• Once a session is established, there is a current operating
state for both read and write (i.e., receive and send).
• In addition, during the Handshake Protocol, pending read
and write states are created.
• Upon successful conclusion of the Handshake Protocol, the
pending states become the current states.
TLS Architecture
• A session state is defined by the following
parameters:
• Session identifier: An arbitrary byte sequence
chosen by the server to identify an active or
resumable session state.
• Peer certificate: An X.509v3 certificate of the peer.
This element of the state may be null.
TLS Architecture
■ Compression method: The algorithm used to
compress data prior to encryption.
■ Cipher spec: Specifies the bulk data encryption
algorithm (such as null, AES, etc.) and a hash algorithm
(such as MD5 or SHA-1) used for MAC calculation. It also
defines cryptographic attributes such as the hash_size.
■ Master secret: 48-byte secret shared between the
client and server.
■ Is resumable: A flag indicating whether the session
can be used to initiate new connections.
TLS Architecture…
• A connection state is defined by the following
parameters:
■ Server and client random: Byte sequences
that are chosen by the server and client for
each connection.
■ Server write MAC secret: The secret key used
in MAC operations on data sent by the server.
■ Client write MAC secret: The symmetric key
used in MAC operations on data sent by the
client.
TLS Architecture…
■ Server write key: The symmetric encryption key for data encrypted by the
server and decrypted by the client.
■ Client write key: The symmetric encryption key for data encrypted by the
client and decrypted by the server.
■ Initialization vectors: When a block cipher in CBC mode is used, an
initialization vector (IV) is maintained for each key. This field is first initialized
by the TLS Handshake Protocol. Thereafter, the final ciphertext block from
each record is preserved for use as the IV with the following record.
■ Sequence numbers: Each party maintains separate sequence numbers for
transmitted and received messages for each connection. When a party sends
or receives a “change cipher spec message,” the appropriate sequence
number is set to zero. Sequence numbers may not exceed 2^64 - 1.
TLS Record Protocol
• The TLS Record Protocol provides two services for TLS connections:
■ Confidentiality: The Handshake Protocol defines a shared
secret key that is used for conventional encryption of TLS payloads.
■ Message Integrity: The Handshake Protocol also defines a shared
secret key that is used to form a message authentication code
(MAC).
• Figure 17.3 indicates the overall operation of the TLS Record
Protocol.
• The Record Protocol takes an application message to be
transmitted, fragments the data into manageable blocks, optionally
compresses the data, applies a MAC, encrypts, adds a header, and
transmits the resulting unit in a TCP segment.
• Received data are decrypted, verified, decompressed, and
reassembled before being delivered to higher-level users.
TLS Record Protocol…

• The first step is fragmentation.
• Each upper-layer message is fragmented into blocks of 2^14 bytes (16,384 bytes) or
less.
• Next, compression is optionally applied. Compression must be lossless and may not
increase the content length by more than 1024 bytes.
• In TLSv2, no compression algorithm is specified, so the default compression
algorithm is null.
TLS Record Protocol…
• The next step in processing is to compute a message
authentication code over the compressed data.
• TLS makes use of the HMAC algorithm defined in RFC 2104.
• HMAC is defined as

where
H = embedded hash function (for TLS, either MD5 or SHA-1)
M = message input to HMAC
K^+ = secret key padded with zeros so that the result is equal to
the block length of the hash code (for MD5 and SHA-1, block length = 512 bits)
ipad = 00110110 (36 in hexadecimal) repeated 64 times (512 bits)
opad = 01011100 (5C in hexadecimal) repeated 64 times (512 bits)
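As an added example (not part of the slides), the HMAC construction described above, written out directly from the definition with the 0x36 and 0x5C pads and then checked against Python's standard hmac module. One caveat a practitioner will want: RFC 2104 forms K^+ by appending the zero bytes to the key, so the key occupies the first bytes of the block; the code follows the RFC so that its output agrees with the library. The key and message values used are constructed test inputs.

```python
import hashlib
import hmac

# Added example (not from the slides): HMAC built directly from the
# definition H[(K+ XOR opad) || H[(K+ XOR ipad) || M]] and checked
# against the standard library.

BLOCK_LEN = 64                       # 512-bit block length of MD5 and SHA-1, in bytes
IPAD = bytes([0x36]) * BLOCK_LEN     # 00110110 repeated 64 times
OPAD = bytes([0x5C]) * BLOCK_LEN     # 01011100 repeated 64 times


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]], H = MD5 or SHA-1."""
    if hash_name not in ("md5", "sha1"):
        raise ValueError("the slides define HMAC for MD5 or SHA-1 only")

    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    # RFC 2104: a key longer than the block length is hashed first.
    if len(key) > BLOCK_LEN:
        key = h(key)
    # K+: the key extended with zero bytes to the block length. RFC 2104
    # appends the zeros (key first, then zeros), as the standard library does.
    k_plus = key + b"\x00" * (BLOCK_LEN - len(key))

    inner = h(bytes(a ^ b for a, b in zip(k_plus, IPAD)) + message)
    return h(bytes(a ^ b for a, b in zip(k_plus, OPAD)) + inner)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """True when the hand-written HMAC agrees with hmac.new(); compared in constant time."""
    return hmac.compare_digest(
        hmac_from_definition(key, message, hash_name),
        hmac.new(key, message, hash_name).digest(),
    )


if __name__ == "__main__":
    # Constructed inputs for a quick run.
    msg = b"The quick brown fox jumps over the lazy dog"
    for name in ("md5", "sha1"):
        print(name, hmac_from_definition(b"key", msg, name).hex(), matches_stdlib(b"key", msg, name))
```

The comparison in `matches_stdlib` uses `hmac.compare_digest` rather than `==`; the same constant-time comparison is what a receiver should use when checking a record's MAC, since a byte-by-byte early exit leaks how many leading bytes matched.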
TLS Record Protocol…
• For TLS, the MAC calculation encompasses the fields indicated in
the following expression:
HMAC_hash(MAC_write_secret, seq_num || TLSCompressed.type ||
TLSCompressed.version || TLSCompressed.length ||
TLSCompressed.fragment)
• The MAC calculation covers all of the fields XXX, plus the field
TLSCompressed.version, which is the version of the protocol being
employed.
• Next, the compressed message plus the MAC are encrypted using
symmetric encryption.
• Encryption may not increase the content length by more than 1024
bytes, so that the total length may not exceed 2^14 + 2048.
TLS Record Protocol…
• The following encryption algorithms are
permitted

For stream encryption, the compressed message plus the MAC are
encrypted.
Note that the MAC is computed before encryption takes place and that
the MAC is then encrypted along with the plaintext or compressed
plaintext.
TLS Record Protocol…
• For block encryption, padding may be added after the MAC prior to
encryption.
• The padding is in the form of a number of padding bytes followed
by a one-byte indication of the length of the padding.
• The padding can be any amount that results in a total that is a
multiple of the cipher’s block length, up to a maximum of 255
bytes.
• For example, if the cipher block length is 16 bytes (e.g., AES) and if
the plaintext (or compressed text if compression is used) plus MAC
plus padding length byte is 79 bytes long, then the padding length
(in bytes) can be 1, 17, 33, and so on, up to 161.
• At a padding length of 161, the total length is 79 + 161 = 240.
• A variable padding length may be used to frustrate attacks based on
an analysis of the lengths of exchanged messages.
TLS Record Protocol…
• The final step of TLS Record Protocol processing is to
prepend a header consisting of the following fields:
■ Content Type (8 bits): The higher-layer protocol used
to process the enclosed fragment.
■ Major Version (8 bits): Indicates major version of TLS
in use. For TLSv2, the value is 3.
■ Minor Version (8 bits): Indicates minor version in
use. For TLSv2, the value is 1.
■ Compressed Length (16 bits): The length in bytes of
the plaintext fragment (or compressed fragment if
compression is used). The max value is 2^14 + 2048.
TLS Record Protocol…
• The content types that have been defined are change_cipher_spec, alert,
handshake, and application_data.
• The first three are the TLS-specific protocols.
• Figure 17.4 illustrates the TLS record format.
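As an added example (not part of the slides), the sender-side Record Protocol steps just described, fragmentation, the MAC over seq_num || type || version || length || fragment, CBC padding with its trailing length byte, and the 5-byte header, together with the receiver-side checks that lead to a bad_record_mac alert. The block cipher step itself is omitted so the layout stays visible; what is built is the record body as it would look immediately before encryption. The header values (major 3, minor 1), HMAC-SHA-1, a 16-byte block and the secret key are assumptions taken from the slides or constructed for the example.

```python
import hmac
import struct

# Added example (not from the slides): Record Protocol processing before
# encryption, with receiver-side padding and MAC checks. Constants constructed.

MAX_FRAGMENT = 2 ** 14          # 16,384 bytes per record
HEADER_LEN = 5                  # type(1) + major(1) + minor(1) + length(2)
CONTENT_APPLICATION_DATA = 23   # application_data content type
VERSION = (3, 1)                # major 3, minor 1, as the slides give for the header
HASH_NAME, MAC_LEN = "sha1", 20 # HMAC-SHA-1 produces a 20-byte MAC
BLOCK_SIZE = 16                 # e.g. AES


def fragment(message: bytes, max_len: int = MAX_FRAGMENT) -> list:
    """Split an upper-layer message into fragments of at most 2^14 bytes."""
    return [message[i:i + max_len] for i in range(0, len(message), max_len)] or [b""]


def record_mac(mac_write_secret: bytes, seq_num: int, content_type: int, version: tuple, frag: bytes) -> bytes:
    """HMAC_hash(MAC_write_secret, seq_num || type || version || length || fragment)."""
    major, minor = version
    covered = struct.pack("!QBBBH", seq_num, content_type, major, minor, len(frag)) + frag
    return hmac.new(mac_write_secret, covered, HASH_NAME).digest()


def cbc_pad(data: bytes, block_size: int = BLOCK_SIZE, extra_blocks: int = 0) -> bytes:
    """Append padding bytes plus a one-byte padding length so the total is a
    multiple of block_size. extra_blocks adds whole blocks of optional padding
    (the variable padding the slides mention); the padding length may not exceed 255."""
    pad_len = (-(len(data) + 1)) % block_size + extra_blocks * block_size
    if pad_len > 255:
        raise ValueError("padding length exceeds 255 bytes")
    # Each padding byte carries the padding length, so the receiver can check all of them.
    return data + bytes([pad_len]) * (pad_len + 1)


def build_record(frag: bytes, seq_num: int, mac_write_secret: bytes, extra_blocks: int = 0,
                 content_type: int = CONTENT_APPLICATION_DATA) -> bytes:
    """fragment || MAC, padded for the block cipher, with the 5-byte header prepended."""
    if len(frag) > MAX_FRAGMENT:
        raise ValueError("fragment exceeds 2^14 bytes")
    mac = record_mac(mac_write_secret, seq_num, content_type, VERSION, frag)
    body = cbc_pad(frag + mac, extra_blocks=extra_blocks)
    header = struct.pack("!BBBH", content_type, VERSION[0], VERSION[1], len(body))
    return header + body


def parse_header(record: bytes) -> tuple:
    """(content_type, major, minor, length) read from the record header."""
    return struct.unpack("!BBBH", record[:HEADER_LEN])


def verify_record(record: bytes, seq_num: int, mac_write_secret: bytes):
    """Receiver side: check the padding, strip it, recompute the MAC and compare in
    constant time. Returns the fragment, or None where bad_record_mac would be sent."""
    content_type, major, minor, length = parse_header(record)
    body = record[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length or not body or len(body) % BLOCK_SIZE != 0:
        return None
    pad_len = body[-1]
    if pad_len + 1 + MAC_LEN > len(body) or body[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        return None  # padding error; reported the same way as a bad MAC
    unpadded = body[:-(pad_len + 1)]
    frag, mac = unpadded[:-MAC_LEN], unpadded[-MAC_LEN:]
    expected = record_mac(mac_write_secret, seq_num, content_type, (major, minor), frag)
    return frag if hmac.compare_digest(mac, expected) else None
```

With a 58-byte fragment and a 20-byte MAC, fragment plus MAC plus the length byte come to the 79 bytes of the slides' example, so the minimum padding is 1 byte (80 in total) and ten extra blocks give the 161-byte padding and 240-byte total quoted there. The sequence number is part of the MAC input but is never sent, which is why a replayed or reordered record fails verification.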
TLS Record Protocol…
Change Cipher Spec Protocol
• The Change Cipher Spec Protocol is one of the four
TLS-specific protocols that use the TLS Record
Protocol, and it is the simplest.
• This protocol consists of a single message (Figure
17.5a), which consists of a single byte with the
value 1.
• The sole purpose of this message is to cause the
pending state to be copied into the current state,
which updates the cipher suite to be used on this
connection.
TLS Record Protocol…
Alert Protocol
• The Alert Protocol is used to convey TLS-related alerts to the peer entity. As with
other applications that use TLS, alert messages are compressed and encrypted, as
specified by the current state.
• Each message in this protocol consists of two bytes (Figure 17.5b). The first
byte takes the value warning (1) or fatal (2) to convey the severity of the message.
• If the level is fatal, TLS immediately terminates the connection. Other connections
on the same session may continue, but no new connections on this session may be
established.
• The second byte contains a code that indicates the specific alert.
• Examples of fatal alerts are bad_record_mac (an incorrect MAC was received)
and handshake_failure (sender was unable to negotiate an acceptable set of
security parameters given the options available).
• An example of a warning alert is unsupported_certificate (the type of the received
certificate is
TLS Record Protocol…
Handshake Protocol
• The most complex part of TLS is the Handshake
Protocol.
• This protocol allows the server and client to
authenticate each other and to negotiate an encryption
and MAC algorithm and cryptographic keys to be used
to protect data sent in a TLS record.
• The Handshake Protocol is used before any
application data is transmitted.
TLS Record Protocol…
• The Handshake Protocol consists of a series of
messages exchanged by client and server. All of these
have the format shown in Figure 17.5c . Each
message has three fields:
■ Type (1 byte): Indicates one of 10 messages. Table
17.2 lists the defined message types.
■ Length (3 bytes): The length of the message in bytes.
■ Content (≥ 0 bytes): The parameters associated with
this message; these are
TLS Record Protocol…
SSL (Secure Socket Layer)
• transport layer security service
• originally developed by Netscape
• version 3 designed with public input
• subsequently became Internet standard
known as TLS (Transport Layer Security)
• uses TCP to provide a reliable end-to-end
service
• SSL has two layers of protocols
SSL Architecture
SSL Architecture
• SSL connection
– a transient, peer-to-peer, communications link
– associated with 1 SSL session
• SSL session
– an association between client & server
– created by the Handshake Protocol
– defines a set of cryptographic parameters
– may be shared by multiple SSL connections
SSL Record Protocol Services
• confidentiality
– using symmetric encryption with a shared secret
key defined by Handshake Protocol
– AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza,
RC4-40, RC4-128
– message is compressed before encryption
• message integrity
– using a MAC with shared secret key
– similar to HMAC but with different padding
SSL Record Protocol Operation
SSL Change Cipher Spec Protocol

• one of 3 SSL-specific protocols which use the
SSL Record Protocol
• a single message
• causes pending state to become current
• hence updating the cipher suite in use
SSL Alert Protocol
• conveys SSL-related alerts to peer entity
• severity
– warning or fatal
• specific alert
– fatal: unexpected message, bad record mac,
decompression failure, handshake failure, illegal
parameter
– warning: close notify, no certificate, bad certificate,
unsupported certificate, certificate revoked, certificate
expired, certificate unknown
• compressed & encrypted like all SSL data
SSL Handshake Protocol
• allows server & client to:
– authenticate each other
– to negotiate encryption & MAC algorithms
– to negotiate cryptographic keys to be used
• comprises a series of messages in phases
1. Establish Security Capabilities
2. Server Authentication and Key Exchange
3. Client Authentication and Key Exchange
4. Finish
SSL Handshake Protocol
Cryptographic Computations
• master secret creation
– a one-time 48-byte value
– generated using secure key exchange (RSA /
Diffie-Hellman) and then hashing info
• generation of cryptographic parameters
– client write MAC secret, a server write MAC
secret, a client write key, a server write key, a
client write IV, and a server write IV
– generated by hashing master secret
TLS (Transport Layer Security)
• IETF standard RFC 2246 similar to SSLv3
• with minor differences
– in record format version number
– uses HMAC for MAC
– a pseudo-random function expands secrets
• based on HMAC using SHA-1 or MD5
– has additional alert codes
– some changes in supported ciphers
– changes in certificate types & negotiations
– changes in crypto computations & padding
HTTPS
• HTTPS (HTTP over SSL)
– combination of HTTP & SSL/TLS to secure
communications between browser & server
• documented in RFC 2818
• no fundamental change using either SSL or TLS
• use https:// URL rather than http://
– and port 443 rather than 80
• encrypts
– URL, document contents, form data, cookies,
HTTP headers
HTTPS Use
• connection initiation
– TLS handshake then HTTP request(s)
• connection closure
– have “Connection: close” in HTTP record
– TLS level exchange close_notify alerts
– can then close TCP connection
– must handle TCP close before alert exchange sent
or completed
Secure Shell (SSH)
• protocol for secure network communications
– designed to be simple & inexpensive
• SSH1 provided secure remote logon facility
– replace TELNET & other insecure schemes
– also has more general client/server capability
• SSH2 fixes a number of security flaws
• documented in RFCs 4250 through 4254
• SSH clients & servers are widely available
• method of choice for remote login / X tunnels
SSH Protocol Stack
SSH Transport Layer Protocol
• server authentication occurs at transport
layer, based on server/host key pair(s)
– server authentication requires clients to know
host keys in advance
• packet exchange
– establish TCP connection
– can then exchange data
• identification string exchange, algorithm negotiation,
key exchange, end of key exchange, service request
– using specified packet format
SSH User Authentication Protocol
• authenticates client to server
• three message types:
– SSH_MSG_USERAUTH_REQUEST
– SSH_MSG_USERAUTH_FAILURE
– SSH_MSG_USERAUTH_SUCCESS
• authentication methods used
– public-key, password, host-based
SSH Connection Protocol
• runs on SSH Transport Layer Protocol
• assumes secure authentication connection
• used for multiple logical channels
– SSH communications use separate channels
– either side can open with unique id number
– flow controlled
– have three stages:
• opening a channel, data transfer, closing a channel
– four types:
• session, x11, forwarded-tcpip, direct-tcpip.
SSH Connection Protocol Exchange
Port Forwarding
• convert insecure TCP connection into a secure
SSH connection
– SSH Transport Layer Protocol establishes a TCP
connection between SSH client & server
– client traffic redirected to local SSH, travels via
tunnel, then remote SSH delivers to server
• supports two types of port forwarding
– local forwarding – hijacks selected traffic
– remote forwarding – client acts for server
Summary
• have considered:
– need for web security
– SSL/TLS transport layer security protocols
– HTTPS
– secure shell (SSH)
