Sicherheit in Kommunikationsnetzen (Network Security) Transport Layer Security Dr.-Ing. Matthäus Wander Universität Duisburg-Essen Transport Layer Security (TLS) PrivateTLS data Web browser Web server ∙ Cryptographic protocol ∘ Provides security on top of reliable transport (TCP) ∘ Used to secure HTTP, SMTP, IMAP, XMPP and others ∙ Security goals ∘ Authentication of server and optionally client ∘ Data integrity (no manipulation of data) ∘ Confidentiality (encryption) Universität Duisburg-Essen Matthäus Wander 2 Verteilte Systeme History ∙ Predecessor: Secure Sockets Layer (SSL) ∘ Developed by Netscape for HTTPS (= HTTP + SSL) ∙ 1994: SSL 2.0 ∘ Insecure, major security weaknesses ∙ 1995: SSL 3.0 ∘ Insecure, deprecated since 2015 (RFC 7568) ∙ 1999: TLS 1.0, minor improvements to SSL 3.0 ∘ Standardization and further development by IETF Universität Duisburg-Essen Matthäus Wander 3 Verteilte Systeme History ∙ 2003: TLS Extensions ∘ New features or security mechanisms (e.g. Encrypt-then-MAC, RFC 7366) ∙ 2006: TLS 1.1 ∘ Security improvements ∙ 2008: TLS 1.2 Presented in this lecture ∘ Added new or replaced old cryptographic algorithms ∙ TLS 1.3 is work in progress as of 2017 ∘ Outlook: new handshake and other major changes Universität Duisburg-Essen Matthäus Wander 4 Verteilte Systeme Protocol Overview Application Layer (e.g. HTTP) Handshake Change Cipher Application Alert Protocol Protocol Spec Protocol Data Protocol Record Protocol Transport Layer (e.g. TCP) ∙ TLS consists of two layers: ∘ Handshake Protocol and other protocols ∘ Record Protocol Universität Duisburg-Essen Matthäus Wander 5 Verteilte Systeme Record Protocol Header Fragment ∙ Input data fragmented into chunks ≤ 214 bytes Encrypted data + MAC ∙ Compressed (optionally) ⇨ insecure, don‘t use ∙ Encrypted and integrity protected (e.g. MAC) ∙ Prepended with header Universität Duisburg-Essen Matthäus Wander 6 Verteilte Systeme Record Protocol Type Version Length Header Fragment ∙ Input data fragmented into chunks ≤ 214 bytes ∙ Compressed (optional) ⇨ insecure, deprecated ∙ Encrypted and integrity protected (e.g. MAC) ∙ Prepended with header Universität Duisburg-Essen Matthäus Wander 7 Verteilte Systeme Record Protocol Type Version Length Header Fragment Protocol type of fragment, e.g. ∙handshakeInput data or fragmentedapplication data into chunks ≤ 214 bytes ∙ Compressed (optional) ⇨ insecure, deprecated ∙ Encrypted and integrity protected (e.g. MAC) ∙ Prepended with header Universität Duisburg-Essen Matthäus Wander 8 Verteilte Systeme Record Protocol Type Version Length Header Fragment Two fields: {Major, Minor}, 14 ∙ Input data e.g.fragmented TLS 1.2 == into {3, chunks 3} ≤ 2 bytes ∙ Compressed (optional) ⇨ insecure, deprecated ∙ Encrypted and integrity protected (e.g. MAC) ∙ Prepended with header Universität Duisburg-Essen Matthäus Wander 9 Verteilte Systeme Record Protocol Type Version Length Header Fragment Fragment length ∙ Input data fragmented into chunks ≤ 214 bytes ∙ Compressed (optional) ⇨ insecure, deprecated ∙ Encrypted and integrity protected (e.g. MAC) ∙ Prepended with header Universität Duisburg-Essen Matthäus Wander 10 Verteilte Systeme Protocol Overview Application Layer (e.g. HTTP) Handshake Change Cipher Application Alert Protocol Protocol Spec Protocol Data Protocol Record Protocol Transport Layer (e.g. TCP) • Negotiation of parameters • Authentication • Server (or service) • Client (or user) • Key exchange Universität Duisburg-Essen Matthäus Wander 11 Verteilte Systeme Protocol Overview Application Layer (e.g. HTTP) Handshake Change Cipher Application Alert Protocol Protocol Spec Protocol Data Protocol Record Protocol Transport Layer (e.g. TCP) • Error signaling Universität Duisburg-Essen Matthäus Wander 12 Verteilte Systeme Protocol Overview Application Layer (e.g. HTTP) Handshake Change Cipher Application Alert Protocol Protocol Spec Protocol Data Protocol Record Protocol Transport• Change Layer (e.g.cipher TCP) (especially from „NULL“ cipher after handshake) Universität Duisburg-Essen Matthäus Wander 13 Verteilte Systeme Protocol Overview Application Layer (e.g. HTTP) Handshake Change Cipher Application Alert Protocol Protocol Spec Protocol Data Protocol Record Protocol Transport Layer (e.g.• Application TCP) payload Universität Duisburg-Essen Matthäus Wander 14 Verteilte Systeme Handshake ∙ Create new session or resume established one ∘ Full or abbreviated handshake (faster) ∙ Exchange capabilities and negotiate parameters ∘ e.g. cipher suites, extensions ∙ Authentication ∘ Anonymous (no authentication): insecure ∘ Server only (via certificate): most common ∘ Client and server (via certificates): occasionally ∙ Key exchange: agree on shared master secret Universität Duisburg-Essen Matthäus Wander 15 Verteilte Systeme Handshake Sequence • Version • Version • Random ns • Random nc ClientHello • Selected cipher • List of cipher suite • Extensions suites ServerHello • Extensions Certificate • Server name ServerKeyExchange* • Public key ServerHelloDone • Parameters for • Parameters for exchange of exchange of ClientKeyExchange master secret master secret [ChangeCipherSpec] (*optional, e.g. with DHE) • Integrity check Finished over handshake messages [ChangeCipherSpec] • Integrity check Finished over handshake messages Universität Duisburg-Essen Matthäus Wander 16 Verteilte Systeme Handshake Sequence • Version • Version • Random ns • Random nc ClientHello • Selected cipher • List of cipher suite • Extensions suites ServerHello • Extensions Certificate • Server name ServerKeyExchange* • Public key ServerHelloDone • Parameters for • Parameters for exchange of exchange of ClientKeyExchange master secret master secret [ChangeCipherSpec] (*optional, e.g. with DHE) • Integrity check Finished over handshake messages [ChangeCipherSpec] • Integrity check Finished over handshake messages Universität Duisburg-Essen Matthäus Wander 17 Verteilte Systeme X.509 Certificates ∙ TLS uses the X.509 public-key infrastructure ∙ Certificate has public key and server name ∘ Issued and signed by certificate authority (CA) ∘ or self-signed, i.e. untrusted (⇨browser warning) ∙ Applications checks: ∘ Server name matches „Common Name“ in certificate? ∘ ... or any of the „Subject Alternative Name“? ∘ Issuer CA known trusted by client? ∘ Certificate expiration time? Revocation status? Universität Duisburg-Essen Matthäus Wander 18 Verteilte Systeme X.509 Public Key Infrastructure Deutsche Telekom CA signs Deutsches • Check server name Forschungsnetz CA • Verify certificate chain signs • Root CA known & trusted? Uni-DUE CA Certificate chain signs CN: www.vs.uni-due.de • Server public key now Root CA trusted by client storage Universität Duisburg-Essen Matthäus Wander 19 Verteilte Systeme Example Certificates in Web Browser Universität Duisburg-Essen Matthäus Wander 20 Verteilte Systeme Domain Validation and Extended Validation ∙ Domain validation (DV) ∘ CA sends email to domain owner ∘ ... or requires setup of a token (unique string) in DNS zone or on a web server ∘ This is an automatic check mostly, maybe in addition with a simple identity check (e.g. photo of ID card) ∙ Extended validation (EV) ∘ Extensive identity check (e.g. phone call, bills, ID card) ∘ Businesses must provide legal proofs, e.g. registration of company name Universität Duisburg-Essen Matthäus Wander 21 Verteilte Systeme Handshake Sequence • Version • Version • Random ns • Random nc ClientHello • Selected cipher • List of cipher suite • Extensions suites ServerHello • Extensions Certificate • Server name ServerKeyExchange* • Public key ServerHelloDone • Parameters for • Parameters for exchange of exchange of ClientKeyExchange master secret master secret [ChangeCipherSpec] (*optional, e.g. with DHE) • Integrity check Finished over handshake messages [ChangeCipherSpec] • Integrity check Finished over handshake messages Universität Duisburg-Essen Matthäus Wander 22 Verteilte Systeme Server Name Indication ∙ TLS server returns certificate before client sends application data ClientHello Certificate ∙ Problem: what if server hosts multiple domains (virtual hosts) with different certificates? ClientHello example.net uni-due.de ? Not sent yet: land.nrw GET / HTTP/1.1 Host: www.example.net Universität Duisburg-Essen Matthäus Wander 23 Verteilte Systeme Server Name Indication (2) ∙ Solution: include requested server name in TLS connection request ClientHello + server name example.net Certificate uni-due.de land.nrw ∙ Server returns certificate that matches server name requested by client ∙ TLS extension „Server Name Indication“ (SNI) ∘ Supported by all current web browsers and servers Universität Duisburg-Essen Matthäus Wander 24 Verteilte Systeme Handshake Sequence • Version • Version • Random ns • Random nc ClientHello • Selected cipher • List of cipher suite • Extensions suites ServerHello • Extensions Certificate • Server name ServerKeyExchange* • Public key ServerHelloDone • Parameters for • Parameters for exchange of exchange of ClientKeyExchange master secret master secret [ChangeCipherSpec] (*optional, e.g. with DHE) • Integrity check Finished over handshake messages [ChangeCipherSpec] • Integrity check Finished over handshake messages Universität Duisburg-Essen Matthäus Wander 25 Verteilte Systeme Cipher Suites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ∙ Cipher suite: set of ciphers used for TLS session ∘ >300 specified, a lot of them insecure and deprecated ∙ Recommended in RFC 7525 (with TLS ≥1.2): TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages49 Page
-
File Size-