Web Security


Network Security Essentials
Chapter 5
Fourth Edition
by William Stallings
Lecture slides by Lawrie Brown

Chapter 5
Transport-Level Security
Use your mentality
Wake up to reality
From the song, "I've Got You under My Skin" by Cole Porter

Web Security
Web now widely used by business, government, individuals
but Internet & Web are vulnerable
have a variety of threats
    integrity
    confidentiality
    denial of service
    authentication
need added security mechanisms

Web Traffic Security Approaches

SSL (Secure Socket Layer)
transport layer security service
originally developed by Netscape
version 3 designed with public input
subsequently became Internet standard known as TLS (Transport Layer Security)
uses TCP to provide a reliable end-to-end service
SSL has two layers of protocols

SSL Architecture
SSL connection
    a transient, peer-to-peer, communications link
    associated with 1 SSL session
SSL session
    an association between client & server
    created by the Handshake Protocol
    define a set of cryptographic parameters
    may be shared by multiple SSL connections

SSL Record Protocol Services
confidentiality
    using symmetric encryption with a shared secret key defined by Handshake Protocol
    AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
    message is compressed before encryption
message integrity
    using a MAC with shared secret key
    similar to HMAC but with different padding

SSL Record Protocol Operation

SSL Change Cipher Spec Protocol
one of 3 SSL specific protocols which use the SSL Record protocol
a single message
causes pending state to become current
hence updating the cipher suite in use

SSL Alert Protocol
conveys SSL-related alerts to peer entity
severity
    warning or fatal
specific alert
    fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
    warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
compressed & encrypted like all SSL data

SSL Handshake Protocol
allows server & client to:
    authenticate each other
    negotiate encryption & MAC algorithms
    negotiate cryptographic keys to be used
comprises a series of messages in phases
    1. Establish Security Capabilities
    2. Server Authentication and Key Exchange
    3. Client Authentication and Key Exchange
    4. Finish

SSL Handshake Protocol

Cryptographic Computations
master secret creation
    a one-time 48-byte value
    generated using secure key exchange (RSA / Diffie-Hellman) and then hashing info
generation of cryptographic parameters
    client write MAC secret, a server write MAC secret, a client write key, a server write key, a client write IV, and a server write IV
    generated by hashing master secret
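
Added example (not part of the original slides): the two hashing steps above, written out with the MD5/SHA-1 construction that SSL version 3 uses (RFC 6101). The function names, the sample inputs and the chosen sizes (20-byte MAC secret, 24-byte key, 8-byte IV) are assumptions made for illustration.

```python
import hashlib

def ssl3_expand(secret: bytes, rand_a: bytes, rand_b: bytes, nbytes: int) -> bytes:
    """SSLv3 expansion: concatenate MD5(secret || SHA1(label || secret || rand_a || rand_b))
    for labels 'A', 'BB', 'CCC', ... until nbytes of output are available."""
    out = b""
    i = 0
    while len(out) < nbytes:
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + rand_a + rand_b).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:nbytes]

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Three 16-byte MD5 outputs give the one-time 48-byte master secret.
    return ssl3_expand(pre_master, client_random, server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    # The key block hashes the randoms in the opposite order (server first).
    total = 2 * (mac_len + key_len + iv_len)
    block = ssl3_expand(master, server_random, client_random, total)
    layout = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    params, offset = {}, 0
    for name, size in layout:
        # Slice the six parameters out of the block in the order listed on the slide.
        params[name] = block[offset:offset + size]
        offset += size
    return params

# Constructed sample inputs (not taken from a real handshake).
PRE_MASTER = bytes(range(48))      # what RSA or Diffie-Hellman would have produced
CLIENT_RANDOM = b"\x01" * 32       # ClientHello.random
SERVER_RANDOM = b"\x02" * 32       # ServerHello.random

if __name__ == "__main__":
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master_secret".ljust(24), ms.hex())
    for name, value in key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, 20, 24, 8).items():
        print(name.ljust(24), value.hex())
```

Both sides run the same computation, so each obtains all six values; the client and server directions get separate MAC secrets, keys and IVs.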

HTTPS
HTTPS (HTTP over SSL)
    combination of HTTP & SSL/TLS to secure communications between browser & server
    documented in RFC 2818
    no fundamental change using either SSL or TLS
use https:// URL rather than http://
    and port 443 rather than 80
encrypts
    URL, document contents, form data, cookies, HTTP headers

HTTPS Use
connection initiation
    TLS handshake then HTTP request(s)
connection closure
    have Connection: close in HTTP record
    TLS level exchange close_notify alerts
    can then close TCP connection
    must handle TCP close before alert exchange sent or completed
