SlideShare uma empresa Scribd logo

03-SSL (1).ppt

Transferir como PPT, PDF
Z
ZAKARIAABED1

SSL

Engenharia
1 de 59
SSL / TLS Case Study CS 259 John Mitchell 2008
Course organization (subject to revision) January • Two written homeworks: first due next Thursday (9 days) • Lectures on case studies (protocols and tools) • Choose your project: we’ll start giving examples Thursday February • Project presentation #1: describe your system (5-10 min) • Lectures on additional approaches • Project presentation #2: describe security properties March • Project presentation #3: results of study Grading: 20% homework, 30% project presentations, 50% project results and final presentation
Overview Introduction to the SSL / TLS protocol • Widely deployed, “real-world” security protocol Protocol analysis case study • Start with the RFC describing the protocol • Create an abstract model and code it up in Murj • Specify security properties • Run Murj to check whether security properties are satisfied This lecture is a compressed version of what you would do if SSL were your project!
What is SSL / TLS? Transport Layer Security protocol, ver 1.0 • De facto standard for Internet security • “The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications” • In practice, used to protect information transmitted between browsers and Web servers Based on Secure Sockets Layers protocol, ver 3.0 • Same protocol design, different algorithms Deployed in nearly every web browser
SSL / TLS in the Real World
History of the Protocol SSL 1.0 • Internal Netscape design, early 1994? • Lost in the mists of time SSL 2.0 • Published by Netscape, November 1994 • Several problems (next slide) SSL 3.0 • Designed by Netscape and Paul Kocher, November 1996 TLS 1.0 • Internet standard based on SSL 3.0, January 1999 • Not interoperable with SSL 3.0
SSL 2.0 Vulnerabilities Short key length • In export-weakened modes, SSL 2.0 unnecessarily weakens the authentication keys to 40 bits. Weak MAC construction Message integrity vulnerability • SSL 2.0 feeds padding bytes into the MAC in block cipher modes, but leaves the padding-length unauthenticated, may allow active attackers to delete bytes from the end of messages Ciphersuite rollback attack • An active attacker may edits the list of ciphersuite preferences in the hello messages to invisibly force both endpoints to use a weaker form of encryption • “Least common denominator" security under active attack
Let’s get going with SSL/TLS … Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Find error RFC (request for comments)
Request for Comments Network protocols are defined in an RFC TLS version 1.0 is described in RFC 2246 Intended to be a self-contained definition of the protocol • Describes the protocol in sufficient detail for readers who will be implementing it and those who will be doing protocol analysis (that’s you!) • Mixture of informal prose and pseudo-code Read some RFCs to get a flavor of what protocols look like when they emerge from the committee
Evolution of the SSL/TLS RFC 0 10 20 30 40 50 60 70 80 SSL 2.0 SSL 3.0 TLS 1.0 Page count
From RFC to Murj Model Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Find error Murj code RFC
TLS Basics TLS consists of two protocols Handshake protocol • Use public-key cryptography to establish a shared secret key between the client and the server Record protocol • Use the secret key established in the handshake protocol to protect communication between the client and the server We will focus on the handshake protocol
TLS Handshake Protocol Two parties: client and server Negotiate version of the protocol and the set of cryptographic algorithms to be used • Interoperability between different implementations of the protocol Authenticate client and server (optional) • Use digital certificates to learn each other’s public keys and verify each other’s identity Use public keys to establish a shared secret
Handshake Protocol Structure C ClientHello ServerHello, [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone S [Certificate], ClientKeyExchange, [CertificateVerify] Finished switch to negotiated cipher Finished switch to negotiated cipher
Encryption scheme • functions to encrypt, decrypt data • key generation algorithm Secret key vs. public key • Public key: publishing key does not reveal key-1 • Secret key: more efficient, generally key = key-1 Hash function, MAC • Map input to short hash; ideally, no collisions • MAC (keyed hash) used for message integrity Signature scheme • Functions to sign data, verify signature Recall: Basic Cryptographic Concepts
Use of cryptography C Version, Crypto choice, nonce Version, Choice, nonce, signed certificate containing server’s public key Ks S Secret key K encrypted with server’s key Ks hash of sequence of messages hash of sequence of messages switch to negotiated cipher
SSL/TLS Cryptography Summary Public-key encryption • Key chosen secretly (handshake protocol) • Key material sent encrypted with public key Symmetric encryption • Shared (secret) key encryption of data packets Signature-based authentication • Client can check signed server certificate • And vice-versa, in principal Hash for integrity • Client, server check hash of sequence of messages • MAC used in data packets (record protocol)
Public-Key Infrastructure Certificate Authority Ka, Ka-1 Client Server Known public signature verification key Ka Sign(Ka-1, Ks) Certificate Sign(Ka-1, Ks) Ks Server certificate can be verified by any client that has CA verification key Ka Certificate authority is “off line” Ka
Another general idea in SSL Client, server communicate Compare hash of all messages • Compute hash(hi,hello,howareyou?) locally • Exchange hash values under encryption Abort if intervention detected Client Server Hi Hello How are you?
SSL/TLS in more detail … ClientHello C  S C, VerC, SuiteC, NC ServerHello S  C VerS, SuiteS, NS, signCA{ S, KS } ClientVerify C  S signCA{ C, VC } { VerC, SecretC } signC { Hash( Master(NC, NS, SecretC) + Pad2 + Hash(Msgs + C + Master(NC, NS, SecretC) + Pad1)) } -------- Change to negotiated cipher -------------------------------------------------------------------- ServerFinished S  C { Hash( Master(NC, NS, SecretC) + Pad2 + Hash( Msgs + S + Master(NC, NS, SecretC) + Pad1)) } ClientFinished C  S { Hash( Master(NC, NS, SecretC) + Pad2 + Hash( Msgs + C + Master(NC, NS, SecretC) + Pad1)) } KS Master(NC, NS, SecretC) Master(NC, NS, SecretC)
Abbreviated Handshake The handshake protocol may be executed in an abbreviated form to resume a previously established session • No authentication, key material not exchanged • Session resumed from an old state For complete analysis, have to model both full and abbreviated handshake protocol • This is a common situation: many protocols have several branches, subprotocols for error handling, etc.
Rational Reconstruction  Begin with simple, intuitive protocol • Ignore client authentication • Ignore verification messages at the end of the handshake protocol • Model only essential parts of messages (e.g., ignore padding) Execute the model checker and find a bug Add a piece of TLS to fix the bug and repeat • Better understand the design of the protocol
Protocol Step by Step: ClientHello C ClientHello S Client announces (in plaintext): • Protocol version she is running • Cryptographic algorithms she supports
struct { ProtocolVersion client_version; Random random; SessionID session_id; CipherSuite cipher_suites; CompressionMethod compression_methods; } ClientHello ClientHello (RFC) Highest version of the protocol supported by the client Session id (if the client wants to resume an old session) Cryptographic algorithms supported by the client (e.g., RSA or Diffie-Hellman)
ClientHello (Murj) ruleset i: ClientId do ruleset j: ServerId do rule "Client sends ClientHello to server (new session)" cli[i].state = M_SLEEP & cli[i].resumeSession = false ==> var outM: Message; -- outgoing message begin outM.source := i; outM.dest := j; outM.session := 0; outM.mType := M_CLIENT_HELLO; outM.version := cli[i].version; outM.suite := cli[i].suite; outM.random := freshNonce(); multisetadd (outM, cliNet); cli[i].state := M_SERVER_HELLO; end; end; end;
ServerHello C C, Versionc, suitec, Nc ServerHello S Server responds (in plaintext) with: • Highest protocol version both client & server support • Strongest cryptographic suite selected from those offered by the client
ServerHello (Murj) ruleset i: ServerId do choose l: serNet do rule “Server receives ServerHello (new session)" ser[i].clients[0].state = M_CLIENT_HELLO & serNet[l].dest = i & serNet[l].session = 0 ==> var inM: Message; -- incoming message outM: Message; -- outgoing message begin inM := serNet[l]; -- receive message if inM.mType = M_CLIENT_HELLO then outM.source := i; outM.dest := inM.source; outM.session := freshSessionId(); outM.mType := M_SERVER_HELLO; outM.version := ser[i].version; outM.suite := ser[i].suite; outM.random := freshNonce(); multisetadd (outM, serNet); ser[i].state := M_SERVER_SEND_KEY; end; end; end;
ServerKeyExchange C Versions, suites, Ns, ServerKeyExchange S Server responds with his public-key certificate containing either his RSA, or his Diffie-Hellman public key (depending on chosen crypto suite) C, Versionc, suitec, Nc
“Abstract” Cryptography We will use abstract data types to model cryptographic operations • Assumes that cryptography is perfect • No details of the actual cryptographic schemes • Ignores bit length of keys, random numbers, etc. Simple notation for encryption, signatures, hashes • {M}k is message M encrypted with key k • sigk(M) is message M digitally signed with key k • hash(M) for the result of hashing message M with a cryptographically strong hash function
ClientKeyExchange C Versions, suites, Ns, sigca(S,Ks), “ServerHelloDone” S C, Versionc, suitec, Nc ClientKeyExchange Client generates some secret key material and sends it to the server encrypted with the server’s public key
struct { select (KeyExchangeAlgorithm) { case rsa: EncryptedPreMasterSecret; case diffie_hellman: ClientDiffieHellmanPublic; } exchange_keys } ClientKeyExchange struct { ProtocolVersion client_version; opaque random[46]; } PreMasterSecret ClientKeyExchange (RFC) Let’s model this as {Secretc}Ks
“Core” SSL C Versions, suites, Ns, sigca(S,Ks), “ServerHelloDone” S C, Versionc, suitec, Nc {Secretc}Ks switch to key derived from secretc If the protocol is correct, C and S share some secret key material secretc at this point switch to key derived from secretc
Participants as Finite-State Machines M_SLEEP ClientHello Murj rules define a finite-state machine for each protocol participant Client state M_SERVER_HELLO M_SERVER_KEY M_SEND_KEY M_CLIENT_HELLO Server state M_SEND_KEY M_CLIENT_KEY M_DONE ServerHello ServerKeyExchange ClientKeyExchange
Intruder Model Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Find error Murj code RFC Murj code, similar for all protocols
Intruder Can Intercept Store a message from the network in the data structure modeling intruder’s “knowledge” ruleset i: IntruderId do choose l: cliNet do rule "Intruder intercepts client's message" cliNet[l].fromIntruder = false ==> begin alias msg: cliNet[l] do -- message from the net … alias known: int[i].messages do if multisetcount(m: known, msgEqual(known[m], msg)) = 0 then multisetadd(msg, known); end; end; end;
Intruder Can Decrypt if Knows Key If the key is stored in the data structure modeling intruder’s “knowledge”, then read message ruleset i: IntruderId do choose l: cliNet do rule "Intruder intercepts client's message" cliNet[l].fromIntruder = false ==> begin alias msg: cliNet[l] do -- message from the net … if msg.mType = M_CLIENT_KEY_EXCHANGE then if keyEqual(msg.encKey, int[i].publicKey.key) then alias sKeys: int[i].secretKeys do if multisetcount(s: sKeys, keyEqual(sKeys[s], msg.secretKey)) = 0 then multisetadd(msg.secretKey, sKeys); end; end; end;
Intruder Can Create New Messages Assemble pieces stored in the intruder’s “knowledge” to form a message of the right format ruleset i: IntruderId do ruleset d: ClientId do ruleset s: ValidSessionId do choose n: int[i].nonces do ruleset version: Versions do rule "Intruder generates fake ServerHello" cli[d].state = M_SERVER_HELLO ==> var outM: Message; -- outgoing message begin outM.source := i; outM.dest := d; outM.session := s; outM.mType := M_SERVER_HELLO; outM.version := version; outM.random := int[i].nonces[n]; multisetadd (outM, cliNet); end; end; end; end;
Intruder Model and Cryptography There is no actual cryptography in our model • Messages are marked as “encrypted” or “signed”, and the intruder rules respect these markers Our assumption that cryptography is perfect is reflected in the absence of certain intruder rules • There is no rule for creating a digital signature with a key that is not known to the intruder • There is no rule for reading the contents of a message which is marked as “encrypted” with a certain key, when this key is not known to the intruder • There is no rule for reading the contents of a “hashed” message
Running Murj Analysis Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Find error Murj code RFC Murj code, similar for all protocols Specify security conditions and run Murj
Secrecy Intruder should not be able to learn the secret generated by the client ruleset i: ClientId do ruleset j: IntruderId do rule "Intruder has learned a client's secret" cli[i].state = M_DONE & multisetcount(s: int[j].secretKeys, keyEqual(int[j].secretKeys[s], cli[i].secretKey)) > 0 ==> begin error "Intruder has learned a client's secret" end; end; end;
Shared Secret Consistency After the protocol has finished, client and server should agree on their shared secret ruleset i: ServerId do ruleset s: SessionId do rule "Server's shared secret is not the same as its client's" ismember(ser[i].clients[s].client, ClientId) & ser[i].clients[s].state = M_DONE & cli[ser[i].clients[s].client].state = M_DONE & !keyEqual(cli[ser[i].clients[s].client].secretKey, ser[i].clients[s].secretKey) ==> begin error "S's secret is not the same as C's" end; end; end;
Version and Crypto Suite Consistency Client and server should be running the highest version of the protocol they both support ruleset i: ServerId do ruleset s: SessionId do rule "Server has not learned the client's version or suite correctly" !ismember(ser[i].clients[s].client, IntruderId) & ser[i].clients[s].state = M_DONE & cli[ser[i].clients[s].client].state = M_DONE & (ser[i].clients[s].clientVersion != MaxVersion | ser[i].clients[s].clientSuite.text != 0) ==> begin error "Server has not learned the client's version or suite correctly" end; end; end;
Finite-State Verification ... ...  Murj rules for protocol participants and the intruder define a nondeterministic state transition graph  Murj will exhaustively enumerate all graph nodes  Murj will verify whether specified security conditions hold in every reachable node  If not, the path to the violating node will describe the attack Correctness condition violated
When Does Murj Find a Violation? Bad abstraction • Removed too much detail from the protocol when constructing the abstract model • Add the piece that fixes the bug and repeat • This is part of the rational reconstruction process Genuine attack • Yay! Hooray! • Attacks found by formal analysis are usually quite strong: independent of specific cryptographic schemes, OS implementation, etc. • Test an implementation of the protocol, if available
“Basic” SSL 3.0 C Versions=3.0, suites sigca(S,Ks), “ServerHelloDone” S C, Versionc=3.0, suitec {Secretc}Ks switch to key derived from secretc If the protocol is correct, C and S share some secret key material secretc at this point switch to key derived from secretc
Version Consistency Fails! C Versions=2.0, suites sigca(S,Ks), “ServerHelloDone” S C, Versionc=2.0, suitec {Secretc}Ks C and S end up communicating using SSL 2.0 (weaker earlier version of the protocol) Server is fooled into thinking he is communicating with a client who supports only SSL 2.0
struct { select (KeyExchangeAlgorithm) { case rsa: EncryptedPreMasterSecret; case diffie_hellman: ClientDiffieHellmanPublic; } exchange_keys } ClientKeyExchange struct { ProtocolVersion client_version; opaque random[46]; } PreMasterSecret A Case of Bad Abstraction Model this as {Versionc, Secretc}Ks This piece matters! Need to add it to the model.
Better “basic” SSL C Versions=3.0, suites sigca(S,Ks), “ServerHelloDone” S C, Versionc=3.0, suitec {Versionc,Secretc}Ks switch to key derived from secretc If the protocol is correct, C and S share some secret key material secretc at this point switch to key derived from secretc Prevents version rollback attack Add rule to check that received version is equal to version in ClientHello
Summary of Incremental Protocols A = Basic protocol B = A + version consistency check D = B + certificates for both public keys – Authentication for client + Authentication for server E = D + verification (Finished) messages – Prevention of version and crypto suite attacks F = E + nonces – Prevention of replay attacks G = “Correct” subset of SSL – Additional crypto considerations (black art) give SSL 3.0
VerC, SteC VerS, SteS, KI { SecretC } C S KS Attack on Protocol B Intruder in the middle • Replaces server key by intruder’s key • Intercepts secret from client • Simulates client to server, server to client I VerC, SteC VerS, SteS, KS { SecretC } KI
Solution: Certificate Authority Defeats previous attack • But client is not authenticated to the server ... VersionC, SuiteC VersionS, SuiteS, signCA{ S, KS } { SecretC } C S KS
Replay Attacks Network eavesdropper can record messages If protocol is deterministic, then • Eavesdropper can replay client messages to server, OR • Eavesdropper can replay server message to client This is a problem • In each session, each party should be guaranteed that the other is a live participant in the session Solution • Each run of each protocol should contain at least one new value generated by each party, included in messages, and checked before session is considered done
“Core” SSL Handshake with server auth (only) C Versions, suites, Ns sigca(S,Ks), “ServerHelloDone” S C, Versionc, suitec , Nc {Versionc,Secretc}Ks Hash of sequence of messages Hash of sequence of messages switch to negotiated cipher Server public key in certificate signed by CA Nonces to avoid replay Hash messages to confirm consistent views
Anomaly (Protocol F) C S … SuiteC … … SuiteS … … Switch to negotiated cipher Finished Finished data data
Anomaly (Protocol F) C S … SuiteC … … SuiteS … … Switch to negotiated cipher Finished Finished data data X X
Protocol Resumption C S SessionId, VerC= 3.0, NC, ... Finished Finished data data VerS= 3.0, NS, ...
Version Rollback Attack C S SessionId, VerC= 2.0, NC, ... Finished Finished data data VerS= 2.0, NS, ... X X { NS } SecretKey { NC } SecretKey SSL 2.0 Finished messages do not include version numbers or cryptosuites
Basic Pattern for Doing Your Project Read and understand protocol specification • Typically an RFC or a research paper • We’ll put a few on the website: take a look! Choose a tool • Murj by default, but we’ll describe many other tools • Play with Murj now to get some experience (installing, running simple models, etc.) Start with a simple (possibly flawed) model • Rational reconstruction is a good way to go Give careful thought to security conditions
Background Reading on SSL 3.0 Optional, for deeper understanding of SSL / TLS  D. Wagner and B. Schneier. “Analysis of the SSL 3.0 protocol.” USENIX Electronic Commerce ’96. • Nice study of an early proposal for SSL 3.0  J.C. Mitchell, V. Shmatikov, U. Stern. “Finite-State Analysis of SSL 3.0”. USENIX Security ’98. • Murj analysis of SSL 3.0 (similar to this lecture) • Actual Murj model available  D. Bleichenbacher. “Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1”. CRYPTO ’98. • Cryptography is not perfect: this paper breaks SSL 3.0 by directly attacking underlying implementation of RSA

Recomendados

8.SSL encryption.ppt
8.SSL encryption.ppt8.SSL encryption.ppt
8.SSL encryption.pptNoName261177
 
Secure socket later
Secure socket laterSecure socket later
Secure socket laterMuhammad Ahmad Nazar
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityJyothishmathi Institute of Technology and Science Karimnagar
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS Ghanshyam Patel
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol DesignNate Lawson
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006Nate Lawson
 
SSL/TLS Handshake
SSL/TLS HandshakeSSL/TLS Handshake
SSL/TLS HandshakeArpit Agarwal
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsTLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsNitin Ramesh
 

Recomendados

8.SSL encryption.ppt
8.SSL encryption.ppt8.SSL encryption.ppt
8.SSL encryption.pptNoName261177
 
Secure socket later
Secure socket laterSecure socket later
Secure socket laterMuhammad Ahmad Nazar
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityJyothishmathi Institute of Technology and Science Karimnagar
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS Ghanshyam Patel
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol DesignNate Lawson
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006Nate Lawson
 
SSL/TLS Handshake
SSL/TLS HandshakeSSL/TLS Handshake
SSL/TLS HandshakeArpit Agarwal
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsTLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsNitin Ramesh
 
Enteprise Sync IT Data Sheets
Enteprise Sync IT Data SheetsEnteprise Sync IT Data Sheets
Enteprise Sync IT Data SheetsMarcus Grimaldo
 
SecureSocketLayer.ppt
SecureSocketLayer.pptSecureSocketLayer.ppt
SecureSocketLayer.pptPranavUndre1
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layerAhmed Elnaggar
 
Internet security protocol
Internet security protocolInternet security protocol
Internet security protocolMousmi Pawar
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4limsh
 
Transport Layer Security - Mrinal Wadhwa
Transport Layer Security - Mrinal WadhwaTransport Layer Security - Mrinal Wadhwa
Transport Layer Security - Mrinal WadhwaMrinal Wadhwa
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Securityn|u - The Open Security Community
 
wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL
 
Web Security
Web SecurityWeb Security
Web SecurityRam Dutt Shukla
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Samip jain
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layerNishant Pahad
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layerNishant Pahad
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.pptssuserec53e73
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.pptssuserec53e73
 
SSL overview
SSL overviewSSL overview
SSL overviewTodd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )Monodip Singha Roy
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYMonodip Singha Roy
 
Wireshark lab ssl v7 solution
Wireshark lab ssl v7 solutionWireshark lab ssl v7 solution
Wireshark lab ssl v7 solutionUnited International University
 
Network Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarNetwork Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarDr. Shivashankar
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control
 

Mais conteúdo relacionado

Semelhante a 03-SSL (1).ppt

Enteprise Sync IT Data Sheets
Enteprise Sync IT Data SheetsEnteprise Sync IT Data Sheets
Enteprise Sync IT Data SheetsMarcus Grimaldo
 
SecureSocketLayer.ppt
SecureSocketLayer.pptSecureSocketLayer.ppt
SecureSocketLayer.pptPranavUndre1
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layerAhmed Elnaggar
 
Internet security protocol
Internet security protocolInternet security protocol
Internet security protocolMousmi Pawar
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4limsh
 
Transport Layer Security - Mrinal Wadhwa
Transport Layer Security - Mrinal WadhwaTransport Layer Security - Mrinal Wadhwa
Transport Layer Security - Mrinal WadhwaMrinal Wadhwa
 
wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Samip jain
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )Monodip Singha Roy
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYMonodip Singha Roy
 
Network Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarNetwork Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarDr. Shivashankar
 

Semelhante a 03-SSL (1).ppt (20)

Enteprise Sync IT Data Sheets
Enteprise Sync IT Data SheetsEnteprise Sync IT Data Sheets
Enteprise Sync IT Data Sheets
 
SecureSocketLayer.ppt
SecureSocketLayer.pptSecureSocketLayer.ppt
SecureSocketLayer.ppt
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
 
Internet security protocol
Internet security protocolInternet security protocol
Internet security protocol
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4
 
Transport Layer Security - Mrinal Wadhwa
Transport Layer Security - Mrinal WadhwaTransport Layer Security - Mrinal Wadhwa
Transport Layer Security - Mrinal Wadhwa
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 
wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL and TLS 1.3
wolfSSL and TLS 1.3
 
Web Security
Web SecurityWeb Security
Web Security
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
SSL overview
SSL overviewSSL overview
SSL overview
 
SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
 
Wireshark lab ssl v7 solution
Wireshark lab ssl v7 solutionWireshark lab ssl v7 solution
Wireshark lab ssl v7 solution
 
Network Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarNetwork Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr Shivashankar
 

Último

Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...roncy bisnoi
 
2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projects2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projectssmsksolar
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptMsecMca
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...SUHANI PANDEY
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfKamal Acharya
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaOmar Fathy
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdfKamal Acharya
 
Unit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfUnit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfRagavanV2
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startQuintin Balsdon
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTbhaskargani46
 
Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086anil_gaur
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxCOST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxJIT KUMAR GUPTA
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptDineshKumar4165
 

Último (20)

Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
 
2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projects2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projects
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdf
 
Call Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
 
Unit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfUnit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdf
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the start
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxCOST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 

03-SSL (1).ppt

  • 1. SSL / TLS Case Study CS 259 John Mitchell 2008
  • 2. Course organization (subject to revision) January • Two written homeworks: first due next Thursday (9 days) • Lectures on case studies (protocols and tools) • Choose your project: we’ll start giving examples Thursday February • Project presentation #1: describe your system (5-10 min) • Lectures on additional approaches • Project presentation #2: describe security properties March • Project presentation #3: results of study Grading: 20% homework, 30% project presentations, 50% project results and final presentation
  • 3. Overview Introduction to the SSL / TLS protocol • Widely deployed, “real-world” security protocol Protocol analysis case study • Start with the RFC describing the protocol • Create an abstract model and code it up in Murj • Specify security properties • Run Murj to check whether security properties are satisfied This lecture is a compressed version of what you would do if SSL were your project!
  • 4. What is SSL / TLS? Transport Layer Security protocol, ver 1.0 • De facto standard for Internet security • “The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications” • In practice, used to protect information transmitted between browsers and Web servers Based on Secure Sockets Layers protocol, ver 3.0 • Same protocol design, different algorithms Deployed in nearly every web browser
  • 5. SSL / TLS in the Real World
  • 6. History of the Protocol SSL 1.0 • Internal Netscape design, early 1994? • Lost in the mists of time SSL 2.0 • Published by Netscape, November 1994 • Several problems (next slide) SSL 3.0 • Designed by Netscape and Paul Kocher, November 1996 TLS 1.0 • Internet standard based on SSL 3.0, January 1999 • Not interoperable with SSL 3.0
  • 7. SSL 2.0 Vulnerabilities Short key length • In export-weakened modes, SSL 2.0 unnecessarily weakens the authentication keys to 40 bits. Weak MAC construction Message integrity vulnerability • SSL 2.0 feeds padding bytes into the MAC in block cipher modes, but leaves the padding-length unauthenticated, may allow active attackers to delete bytes from the end of messages Ciphersuite rollback attack • An active attacker may edits the list of ciphersuite preferences in the hello messages to invisibly force both endpoints to use a weaker form of encryption • “Least common denominator" security under active attack
  • 8. Let’s get going with SSL/TLS … Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Find error RFC (request for comments)
  • 9. Request for Comments Network protocols are defined in an RFC TLS version 1.0 is described in RFC 2246 Intended to be a self-contained definition of the protocol • Describes the protocol in sufficient detail for readers who will be implementing it and those who will be doing protocol analysis (that’s you!) • Mixture of informal prose and pseudo-code Read some RFCs to get a flavor of what protocols look like when they emerge from the committee
  • 10. Evolution of the SSL/TLS RFC 0 10 20 30 40 50 60 70 80 SSL 2.0 SSL 3.0 TLS 1.0 Page count
  • 11. From RFC to Murj Model Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Find error Murj code RFC
  • 12. TLS Basics TLS consists of two protocols Handshake protocol • Use public-key cryptography to establish a shared secret key between the client and the server Record protocol • Use the secret key established in the handshake protocol to protect communication between the client and the server We will focus on the handshake protocol
  • 13. TLS Handshake Protocol Two parties: client and server Negotiate version of the protocol and the set of cryptographic algorithms to be used • Interoperability between different implementations of the protocol Authenticate client and server (optional) • Use digital certificates to learn each other’s public keys and verify each other’s identity Use public keys to establish a shared secret
  • 15. Encryption scheme • functions to encrypt, decrypt data • key generation algorithm Secret key vs. public key • Public key: publishing key does not reveal key-1 • Secret key: more efficient, generally key = key-1 Hash function, MAC • Map input to short hash; ideally, no collisions • MAC (keyed hash) used for message integrity Signature scheme • Functions to sign data, verify signature Recall: Basic Cryptographic Concepts
  • 16. Use of cryptography C Version, Crypto choice, nonce Version, Choice, nonce, signed certificate containing server’s public key Ks S Secret key K encrypted with server’s key Ks hash of sequence of messages hash of sequence of messages switch to negotiated cipher
  • 17. SSL/TLS Cryptography Summary Public-key encryption • Key chosen secretly (handshake protocol) • Key material sent encrypted with public key Symmetric encryption • Shared (secret) key encryption of data packets Signature-based authentication • Client can check signed server certificate • And vice-versa, in principal Hash for integrity • Client, server check hash of sequence of messages • MAC used in data packets (record protocol)
  • 18. Public-Key Infrastructure Certificate Authority Ka, Ka-1 Client Server Known public signature verification key Ka Sign(Ka-1, Ks) Certificate Sign(Ka-1, Ks) Ks Server certificate can be verified by any client that has CA verification key Ka Certificate authority is “off line” Ka
  • 19. Another general idea in SSL Client, server communicate Compare hash of all messages • Compute hash(hi,hello,howareyou?) locally • Exchange hash values under encryption Abort if intervention detected Client Server Hi Hello How are you?
  • 20. SSL/TLS in more detail … ClientHello C  S C, VerC, SuiteC, NC ServerHello S  C VerS, SuiteS, NS, signCA{ S, KS } ClientVerify C  S signCA{ C, VC } { VerC, SecretC } signC { Hash( Master(NC, NS, SecretC) + Pad2 + Hash(Msgs + C + Master(NC, NS, SecretC) + Pad1)) } -------- Change to negotiated cipher -------------------------------------------------------------------- ServerFinished S  C { Hash( Master(NC, NS, SecretC) + Pad2 + Hash( Msgs + S + Master(NC, NS, SecretC) + Pad1)) } ClientFinished C  S { Hash( Master(NC, NS, SecretC) + Pad2 + Hash( Msgs + C + Master(NC, NS, SecretC) + Pad1)) } KS Master(NC, NS, SecretC) Master(NC, NS, SecretC)
  • 21. Abbreviated Handshake The handshake protocol may be executed in an abbreviated form to resume a previously established session • No authentication, key material not exchanged • Session resumed from an old state For complete analysis, have to model both full and abbreviated handshake protocol • This is a common situation: many protocols have several branches, subprotocols for error handling, etc.
  • 22. Rational Reconstruction  Begin with simple, intuitive protocol • Ignore client authentication • Ignore verification messages at the end of the handshake protocol • Model only essential parts of messages (e.g., ignore padding) Execute the model checker and find a bug Add a piece of TLS to fix the bug and repeat • Better understand the design of the protocol
  • 23. Protocol Step by Step: ClientHello C ClientHello S Client announces (in plaintext): • Protocol version she is running • Cryptographic algorithms she supports
  • 24. struct { ProtocolVersion client_version; Random random; SessionID session_id; CipherSuite cipher_suites; CompressionMethod compression_methods; } ClientHello ClientHello (RFC) Highest version of the protocol supported by the client Session id (if the client wants to resume an old session) Cryptographic algorithms supported by the client (e.g., RSA or Diffie-Hellman)
  • 25. ClientHello (Murj) ruleset i: ClientId do ruleset j: ServerId do rule "Client sends ClientHello to server (new session)" cli[i].state = M_SLEEP & cli[i].resumeSession = false ==> var outM: Message; -- outgoing message begin outM.source := i; outM.dest := j; outM.session := 0; outM.mType := M_CLIENT_HELLO; outM.version := cli[i].version; outM.suite := cli[i].suite; outM.random := freshNonce(); multisetadd (outM, cliNet); cli[i].state := M_SERVER_HELLO; end; end; end;
  • 26. ServerHello C C, Versionc, suitec, Nc ServerHello S Server responds (in plaintext) with: • Highest protocol version both client & server support • Strongest cryptographic suite selected from those offered by the client
  • 27. ServerHello (Murj) ruleset i: ServerId do choose l: serNet do rule “Server receives ServerHello (new session)" ser[i].clients[0].state = M_CLIENT_HELLO & serNet[l].dest = i & serNet[l].session = 0 ==> var inM: Message; -- incoming message outM: Message; -- outgoing message begin inM := serNet[l]; -- receive message if inM.mType = M_CLIENT_HELLO then outM.source := i; outM.dest := inM.source; outM.session := freshSessionId(); outM.mType := M_SERVER_HELLO; outM.version := ser[i].version; outM.suite := ser[i].suite; outM.random := freshNonce(); multisetadd (outM, serNet); ser[i].state := M_SERVER_SEND_KEY; end; end; end;
  • 28. ServerKeyExchange C Versions, suites, Ns, ServerKeyExchange S Server responds with his public-key certificate containing either his RSA, or his Diffie-Hellman public key (depending on chosen crypto suite) C, Versionc, suitec, Nc
  • 29. “Abstract” Cryptography We will use abstract data types to model cryptographic operations • Assumes that cryptography is perfect • No details of the actual cryptographic schemes • Ignores bit length of keys, random numbers, etc. Simple notation for encryption, signatures, hashes • {M}k is message M encrypted with key k • sigk(M) is message M digitally signed with key k • hash(M) for the result of hashing message M with a cryptographically strong hash function
  • 30. ClientKeyExchange C Versions, suites, Ns, sigca(S,Ks), “ServerHelloDone” S C, Versionc, suitec, Nc ClientKeyExchange Client generates some secret key material and sends it to the server encrypted with the server’s public key
  • 31. struct { select (KeyExchangeAlgorithm) { case rsa: EncryptedPreMasterSecret; case diffie_hellman: ClientDiffieHellmanPublic; } exchange_keys } ClientKeyExchange struct { ProtocolVersion client_version; opaque random[46]; } PreMasterSecret ClientKeyExchange (RFC) Let’s model this as {Secretc}Ks
  • 32. “Core” SSL C Versions, suites, Ns, sigca(S,Ks), “ServerHelloDone” S C, Versionc, suitec, Nc {Secretc}Ks switch to key derived from secretc If the protocol is correct, C and S share some secret key material secretc at this point switch to key derived from secretc
  • 33. Participants as Finite-State Machines M_SLEEP ClientHello Murj rules define a finite-state machine for each protocol participant Client state M_SERVER_HELLO M_SERVER_KEY M_SEND_KEY M_CLIENT_HELLO Server state M_SEND_KEY M_CLIENT_KEY M_DONE ServerHello ServerKeyExchange ClientKeyExchange
  • 35. Intruder Can Intercept Store a message from the network in the data structure modeling intruder’s “knowledge” ruleset i: IntruderId do choose l: cliNet do rule "Intruder intercepts client's message" cliNet[l].fromIntruder = false ==> begin alias msg: cliNet[l] do -- message from the net … alias known: int[i].messages do if multisetcount(m: known, msgEqual(known[m], msg)) = 0 then multisetadd(msg, known); end; end; end;
  • 36. Intruder Can Decrypt if Knows Key If the key is stored in the data structure modeling intruder’s “knowledge”, then read message ruleset i: IntruderId do choose l: cliNet do rule "Intruder intercepts client's message" cliNet[l].fromIntruder = false ==> begin alias msg: cliNet[l] do -- message from the net … if msg.mType = M_CLIENT_KEY_EXCHANGE then if keyEqual(msg.encKey, int[i].publicKey.key) then alias sKeys: int[i].secretKeys do if multisetcount(s: sKeys, keyEqual(sKeys[s], msg.secretKey)) = 0 then multisetadd(msg.secretKey, sKeys); end; end; end;
  • 37. Intruder Can Create New Messages Assemble pieces stored in the intruder’s “knowledge” to form a message of the right format ruleset i: IntruderId do ruleset d: ClientId do ruleset s: ValidSessionId do choose n: int[i].nonces do ruleset version: Versions do rule "Intruder generates fake ServerHello" cli[d].state = M_SERVER_HELLO ==> var outM: Message; -- outgoing message begin outM.source := i; outM.dest := d; outM.session := s; outM.mType := M_SERVER_HELLO; outM.version := version; outM.random := int[i].nonces[n]; multisetadd (outM, cliNet); end; end; end; end;
  • 38. Intruder Model and Cryptography There is no actual cryptography in our model • Messages are marked as “encrypted” or “signed”, and the intruder rules respect these markers Our assumption that cryptography is perfect is reflected in the absence of certain intruder rules • There is no rule for creating a digital signature with a key that is not known to the intruder • There is no rule for reading the contents of a message which is marked as “encrypted” with a certain key, when this key is not known to the intruder • There is no rule for reading the contents of a “hashed” message
  • 39. Running Murj Analysis Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Find error Murj code RFC Murj code, similar for all protocols Specify security conditions and run Murj
  • 40. Secrecy Intruder should not be able to learn the secret generated by the client ruleset i: ClientId do ruleset j: IntruderId do rule "Intruder has learned a client's secret" cli[i].state = M_DONE & multisetcount(s: int[j].secretKeys, keyEqual(int[j].secretKeys[s], cli[i].secretKey)) > 0 ==> begin error "Intruder has learned a client's secret" end; end; end;
  • 41. Shared Secret Consistency After the protocol has finished, client and server should agree on their shared secret ruleset i: ServerId do ruleset s: SessionId do rule "Server's shared secret is not the same as its client's" ismember(ser[i].clients[s].client, ClientId) & ser[i].clients[s].state = M_DONE & cli[ser[i].clients[s].client].state = M_DONE & !keyEqual(cli[ser[i].clients[s].client].secretKey, ser[i].clients[s].secretKey) ==> begin error "S's secret is not the same as C's" end; end; end;
  • 42. Version and Crypto Suite Consistency Client and server should be running the highest version of the protocol they both support ruleset i: ServerId do ruleset s: SessionId do rule "Server has not learned the client's version or suite correctly" !ismember(ser[i].clients[s].client, IntruderId) & ser[i].clients[s].state = M_DONE & cli[ser[i].clients[s].client].state = M_DONE & (ser[i].clients[s].clientVersion != MaxVersion | ser[i].clients[s].clientSuite.text != 0) ==> begin error "Server has not learned the client's version or suite correctly" end; end; end;
  • 43. Finite-State Verification ... ...  Murj rules for protocol participants and the intruder define a nondeterministic state transition graph  Murj will exhaustively enumerate all graph nodes  Murj will verify whether specified security conditions hold in every reachable node  If not, the path to the violating node will describe the attack Correctness condition violated
  • 44. When Does Murj Find a Violation? Bad abstraction • Removed too much detail from the protocol when constructing the abstract model • Add the piece that fixes the bug and repeat • This is part of the rational reconstruction process Genuine attack • Yay! Hooray! • Attacks found by formal analysis are usually quite strong: independent of specific cryptographic schemes, OS implementation, etc. • Test an implementation of the protocol, if available
  • 45. “Basic” SSL 3.0 C Versions=3.0, suites sigca(S,Ks), “ServerHelloDone” S C, Versionc=3.0, suitec {Secretc}Ks switch to key derived from secretc If the protocol is correct, C and S share some secret key material secretc at this point switch to key derived from secretc
  • 46. Version Consistency Fails! C Versions=2.0, suites sigca(S,Ks), “ServerHelloDone” S C, Versionc=2.0, suitec {Secretc}Ks C and S end up communicating using SSL 2.0 (weaker earlier version of the protocol) Server is fooled into thinking he is communicating with a client who supports only SSL 2.0
  • 47. struct { select (KeyExchangeAlgorithm) { case rsa: EncryptedPreMasterSecret; case diffie_hellman: ClientDiffieHellmanPublic; } exchange_keys } ClientKeyExchange struct { ProtocolVersion client_version; opaque random[46]; } PreMasterSecret A Case of Bad Abstraction Model this as {Versionc, Secretc}Ks This piece matters! Need to add it to the model.
  • 48. Better “basic” SSL C Versions=3.0, suites sigca(S,Ks), “ServerHelloDone” S C, Versionc=3.0, suitec {Versionc,Secretc}Ks switch to key derived from secretc If the protocol is correct, C and S share some secret key material secretc at this point switch to key derived from secretc Prevents version rollback attack Add rule to check that received version is equal to version in ClientHello
  • 49. Summary of Incremental Protocols A = Basic protocol B = A + version consistency check D = B + certificates for both public keys – Authentication for client + Authentication for server E = D + verification (Finished) messages – Prevention of version and crypto suite attacks F = E + nonces – Prevention of replay attacks G = “Correct” subset of SSL – Additional crypto considerations (black art) give SSL 3.0
  • 50. VerC, SteC VerS, SteS, KI { SecretC } C S KS Attack on Protocol B Intruder in the middle • Replaces server key by intruder’s key • Intercepts secret from client • Simulates client to server, server to client I VerC, SteC VerS, SteS, KS { SecretC } KI
  • 51. Solution: Certificate Authority Defeats previous attack • But client is not authenticated to the server ... VersionC, SuiteC VersionS, SuiteS, signCA{ S, KS } { SecretC } C S KS
  • 52. Replay Attacks Network eavesdropper can record messages If protocol is deterministic, then • Eavesdropper can replay client messages to server, OR • Eavesdropper can replay server message to client This is a problem • In each session, each party should be guaranteed that the other is a live participant in the session Solution • Each run of each protocol should contain at least one new value generated by each party, included in messages, and checked before session is considered done
  • 53. “Core” SSL Handshake with server auth (only) C Versions, suites, Ns sigca(S,Ks), “ServerHelloDone” S C, Versionc, suitec , Nc {Versionc,Secretc}Ks Hash of sequence of messages Hash of sequence of messages switch to negotiated cipher Server public key in certificate signed by CA Nonces to avoid replay Hash messages to confirm consistent views
  • 54. Anomaly (Protocol F) C S … SuiteC … … SuiteS … … Switch to negotiated cipher Finished Finished data data
  • 55. Anomaly (Protocol F) C S … SuiteC … … SuiteS … … Switch to negotiated cipher Finished Finished data data X X
  • 56. Protocol Resumption C S SessionId, VerC= 3.0, NC, ... Finished Finished data data VerS= 3.0, NS, ...
  • 57. Version Rollback Attack C S SessionId, VerC= 2.0, NC, ... Finished Finished data data VerS= 2.0, NS, ... X X { NS } SecretKey { NC } SecretKey SSL 2.0 Finished messages do not include version numbers or cryptosuites
  • 58. Basic Pattern for Doing Your Project Read and understand protocol specification • Typically an RFC or a research paper • We’ll put a few on the website: take a look! Choose a tool • Murj by default, but we’ll describe many other tools • Play with Murj now to get some experience (installing, running simple models, etc.) Start with a simple (possibly flawed) model • Rational reconstruction is a good way to go Give careful thought to security conditions
  • 59. Background Reading on SSL 3.0 Optional, for deeper understanding of SSL / TLS  D. Wagner and B. Schneier. “Analysis of the SSL 3.0 protocol.” USENIX Electronic Commerce ’96. • Nice study of an early proposal for SSL 3.0  J.C. Mitchell, V. Shmatikov, U. Stern. “Finite-State Analysis of SSL 3.0”. USENIX Security ’98. • Murj analysis of SSL 3.0 (similar to this lecture) • Actual Murj model available  D. Bleichenbacher. “Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1”. CRYPTO ’98. • Cryptography is not perfect: this paper breaks SSL 3.0 by directly attacking underlying implementation of RSA