
L4 (Web)

This document discusses Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL). It describes how TLS establishes encrypted and authenticated connections between a client and server to ensure privacy, integrity, and authentication. TLS uses public key encryption for key exchange to derive shared secrets, which are then used to encrypt application data and verify its integrity using message authentication codes. Certificates containing public keys are used to authenticate identities. The TLS handshake process establishes a TLS session between the client and server before application data can be transferred securely.

Cybersecurity

TLS

Kasun De Zoysa

Department of Communication and Media Technologies


University of Colombo School of Computing
University of Colombo
Sri Lanka

How the Internet Works -1

How the Internet Works -2

Security Requirements and User Needs

[Figure: you, www.xyz.com and www.hacker.com, connected through the Internet]

1. Authenticity
2. Integrity
3. Confidentiality
4. Availability
5. Non-repudiation

Solutions

Protection at two levels:

1. Lower level (channel protection)
   (Communication security services)

2. Application/user level
   (Application level security services)

Secure Socket Layer History
• SSL 1.0 Netscape 1994
• S-HTTP (web only)
• SSL 2.0 Netscape (buggy)
• PCT Microsoft (loser) 1996
• SSL 3.0 Netscape
• TLS 1.0 IETF 1999
• TLS 1.2 now dominant

TLS: Transport Layer Security

• Formerly known as SSL: Secure Sockets Layer
• Addresses issues of privacy, integrity and authentication
– What is it?
– How does it address the issues?
– How is it used?

What is TLS?
• Protocol layer
• Requires reliable transport layer (e.g. TCP)
• Supports any application protocols

HTTP Telnet FTP LDAP


TLS
TCP
IP

Protocol Stack

Applications: TELNET, HTTP, SMTP, NNTP, FTP
SSL Interface: Port N
Transport - TCP
Internet - IP
Network Interface – Ethernet/etc.
Physical Layer

TLS: Overview
• Establish a session
– Agree on algorithms
– Share secrets
– Perform authentication
• Transfer application data
– Ensure privacy and integrity

TLS Overview
• Browser sends supported crypto algorithms
• Server picks strongest algorithms it supports
• Server sends certificate (chain)
• Client verifies certificate (chain)
• Client and server agree on secret value R by exchanging messages
• Secret value R is used to derive keys for symmetric encryption and hash-based authentication of subsequent data transfer

TLS: Key Exchange
• Need secure method to exchange secret key
• Use public key encryption for this
– “key pair” is used - either one can encrypt and then the other can decrypt
– slower than conventional cryptography
– share one key, keep the other private
• Choices are RSA or Diffie-Hellman

Basic Key Exchange
• Called RSA key exchange for historical reasons
• Client generates random secret value R
• Client encrypts R with public key, PK, of server: $C = E_{PK}(R)$
• Client sends C to server
• Server decrypts C with private key, SK, of server: $R = D_{SK}(C)$

Forward Secrecy
• Compromise of public-key encryption private keys does not break confidentiality of past messages
• TLS with basic key exchange does not provide forward secrecy
• Attacker eavesdrops and stores communication
• If server’s private key is compromised, attacker finds secret value R in key exchange and derives encryption keys

Diffie Hellman Key Exchange

Achieves forward secrecy
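An added example, not part of the original slides: toy RSA key transport next to ephemeral Diffie-Hellman, showing what a stored handshake gives up once the server's long-term private key leaks. The small parameters and all function names are assumptions made for illustration.

```python
import secrets

# Constructed toy parameters (assumptions for illustration, far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537     # two Mersenne primes and the public exponent
N = P * Q                                 # server public key PK = (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))         # server long-term private key SK
DH_P, DH_G = 2**127 - 1, 3                # toy Diffie-Hellman group


def rsa_key_transport():
    """Basic key exchange: client picks R and sends C = E_PK(R)."""
    r = secrets.randbelow(N - 2) + 2
    return r, [pow(r, E, N)]              # (session secret, values seen on the wire)


def ephemeral_dh():
    """Diffie-Hellman with fresh exponents that are discarded after the handshake."""
    x = secrets.randbelow(DH_P - 2) + 1   # client ephemeral secret
    y = secrets.randbelow(DH_P - 2) + 1   # server ephemeral secret
    big_x, big_y = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    shared = pow(big_y, x, DH_P)
    assert shared == pow(big_x, y, DH_P)  # both sides derive the same value
    return shared, [big_x, big_y]         # only X and Y cross the wire


def recover_with_leaked_sk(recorded, leaked_d):
    """Apply a later-leaked SK to every value in a stored handshake."""
    return [pow(value, leaked_d, N) for value in recorded]


def compare():
    r, rsa_wire = rsa_key_transport()
    s, dh_wire = ephemeral_dh()
    return {
        "rsa_secret_recovered": r in recover_with_leaked_sk(rsa_wire, D),
        "dh_secret_recovered": s in recover_with_leaked_sk(dh_wire, D),
    }
```

With ephemeral Diffie-Hellman the long-term key is used only to sign X and Y, so its later compromise exposes no past session secret.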

Attacker in the Middle

Solution:
Browser and server send signed X and Y respectively
Requires each to know the public key of the other

TLS: Privacy
• Encrypt message so it cannot be read
• Use conventional cryptography with shared key
– DES, 3DES, AES
– RC2, RC4
– IDEA

[Figure: A sends Message to B; on the wire it appears as ciphertext ($%&#!@)]

TLS Encrypts
• All browser-to-server and server-to-browser traffic, except which browser is talking to which server
• URL of requested document
• Contents of requested document
• Contents of any submitted form fill-outs
• Cookies sent from browser to server
• Cookies sent from server to browser
• Contents of HTTP header
• Javascript communications
• Etc.

TLS: Integrity
• Compute fixed-length Message Authentication Code (MAC)
– Includes hash of message
– Includes a shared secret
– Includes sequence number
• Transmit MAC with message

TLS: Integrity
• Receiver creates new MAC
– should match transmitted MAC
• TLS allows MD5, SHA-1

[Figure: A sends Message and MAC to B; B computes MAC’ over the received Message’ and checks whether MAC’ = MAC]
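The MAC check from the two Integrity slides, as an added example that is not part of the original slides. It follows the TLS 1.0 to 1.2 record MAC layout (sequence number, record header, data) and swaps in HMAC-SHA256 for the MD5 and SHA-1 named on the slide; the class names, the key and the messages are constructed.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23          # TLS record content type
TLS_1_2 = (3, 3)               # protocol version bytes on the wire


def record_mac(mac_key, seq, fragment):
    """HMAC over sequence number + record header + data."""
    header = struct.pack("!QBBBH", seq, APPLICATION_DATA, *TLS_1_2, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


class Sender:
    def __init__(self, mac_key):
        self.key, self.seq = mac_key, 0

    def protect(self, fragment):
        tag = record_mac(self.key, self.seq, fragment)
        self.seq += 1          # the sequence number is implicit, never transmitted
        return fragment, tag


class Receiver:
    def __init__(self, mac_key):
        self.key, self.seq = mac_key, 0

    def accept(self, fragment, tag):
        expected = record_mac(self.key, self.seq, fragment)
        if not hmac.compare_digest(expected, tag):
            return False       # real TLS sends a fatal alert and closes the connection
        self.seq += 1
        return True


def demo():
    key = b"constructed-shared-mac-key"       # constructed sample key
    tx, rx = Sender(key), Receiver(key)
    first = tx.protect(b"pay 10 to alice")    # constructed sample messages
    second = tx.protect(b"pay 20 to bob")
    return {
        "in_order": rx.accept(*first),
        "tampered": rx.accept(b"pay 99 to bob", second[1]),
        "replayed": rx.accept(*first),
        "next_ok": rx.accept(*second),
    }
```

The replayed record fails even though its data and MAC are untouched, because the receiver's sequence number has already moved on.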

TLS: Authentication
• Verify identities of participants
• Client authentication is optional
• Certificate is used to associate identity with public key and other attributes

[Figure: A and B exchange certificates]

TLS Transaction
1. Client says Hello & Stuff
2. Server says Hello & Stuff
3. Server sends Certificate
4. (opt) Server requests client Certificate
5. Client sends Certificate
6. Client sends ClientKeyExchange
7. Client sends a Certificate Verify message
8. Both send ChangeCipherSpec Messages
9. Both send Finished Messages


TLS: Architecture
• TLS defines Record Protocol to transfer application and TLS information
• A session is established using a Handshake Protocol

[Figure: Handshake Protocol, Change Cipher Spec and Alert Protocol layered on top of the TLS Record Protocol]

TLS: Record Protocol

TLS: HTTP Application
• HTTP most common TLS application
– https://
• Requires TLS-capable web server
• Requires TLS-capable web browser

Public Key Certificates
• X.509 Certificate associates public key with identity
• Certification Authority (CA) creates certificate
– Adheres to policies and verifies identity
– Signs certificate
• User of Certificate must ensure it is valid

Subject Names
• X.500 Distinguished Name (DN)
• Associated with node in hierarchical directory (X.500)
• Each node has Relative Distinguished Name (RDN)
– Path for parent node
– Unique set of attribute/value pairs for this node

Example Subject Name
• Country at Highest Level (e.g. US)
• Organization typically at next level (e.g. CertCo)
• Individual below (e.g. Common Name “Kasun” with Id = 1)

DN = { C=LK; O=UCSC; CN=Kasun, ID=1 }

Certificate Authorities

Browsers accept certificates from a large number of CAs

Firefox: Invalid cert dialog

Firefox 3.0: Four clicks to get Firefox to accept cert
• page is displayed with full HTTPS indicators

SSL Indicators
• Microsoft IE

• Mozilla

• Firefox

• Safari

The lock icon: SSL indicator

Intended goal:
• Provide user with identity of page origin
• Indicate to user that page contents were not viewed or modified by a network attacker

In reality:
• Origin ID is not always helpful
• Many other problems

Version 3 Certificates
• Version 3 X.509 Certificates support alternative name formats as extensions
– X.500 names
– Internet domain names
– e-mail addresses
– URLs
• Certificate may include more than one name

Extended validation (EV) certs

An Extended Validation Certificate (EV) is an X.509 public key certificate issued according to a specific set of identity verification criteria. These criteria require extensive verification of the requesting entity's identity by the certificate authority (CA) before a certificate is issued.

Certificates issued by a CA under the EV guidelines are not structurally different from other certificates (and hence provide no stronger cryptography than other, cheaper certificates),

Extended Validation (EV) Certs
• Harder to obtain than regular certs
– requires human lawyer at CA to approve cert request
• Designed for banks and large e-commerce sites
• Helps block “semantic attacks”: www.bankofthevvest.com

Automatic Certificate Management Environment (ACME)

Certificates in PKI using X.509 (PKIX) are used for a number of purposes, the most significant of which is the authentication of domain names.

Thus, certificate authorities in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. Today, this verification is done through a collection of ad hoc mechanisms.

The ACME protocol automates the process of verification and certificate issuance.

SSLABS – www.ssllabs.com

Man in the Middle
• Attacker's proxy server establishes TLS session with a user
• Attacker's proxy server establishes a session with the server
• Attacker's proxy server decrypts the data from the user and encrypts it back to the server

[Figure: the user's SSL Hello is answered with the Attacker Cert; the attacker's SSL Hello is answered with the Server Cert]

Man in the middle attack using invalid certs

[Figure: the user requests GET https://bank.com; the attacker (holding BadguyCert) sits between the user and the bank (holding BankCert)]

User ↔ attacker: ClientHello; ServerCert (Badguy), which triggers the bad cert warning!; SSL key exchange (k1); HTTP data enc with k1
Attacker ↔ bank: ClientHello; ServerCert (Bank); SSL key exchange (k2); HTTP data enc with k2

Attacker proxies data between user and bank. Sees all traffic and can modify data at will.
Discussion