SlideShare a Scribd company logo
1 of 36
Download to read offline
TLS/SSL protocol design


      Nate Lawson
     nate@rootlabs.com

     Presented at Cal Poly
        Nov. 29, 2007
Overview

• Introduction to SSL/TLS
  – Focus on SMTP+SSL
• Design goals and result
• Cryptography primer
  – Desired properties
  – Primitives for implementing them
• Protocol walkthrough in detail
• Attacks and mitigation
My background

• Root Labs founder
  – Design and analyze security systems
  – Emphasis on embedded, kernel, and crypto
• Previously, Cryptography Research
  – Paul Kocher’s company (author of SSL 3.0)
  – Co-designed Blu-ray disc security layer, aka
    BD+
• Crypto engineer at Infogard Labs
• FreeBSD committer
Security is hard but rewarding

• Protocols and crypto are susceptible to
  very minor mistakes
• Example: SSL timing attacks over the
  Internet

• Hard = fun and $
  – Breaking and building things is exciting
  – Security is a desired skill for any resumé
SSL history
• SSL (Secure Sockets Layer) v2.0 (1994)
  – Serious security problems including incomplete MAC
    coverage of padding
  – Designed by Netscape
• SSL v3.0 (1996)
  – Major revision to address security problems
  – Paul Kocher + Netscape
• TLS (Transport Layer Security) 1.0 (1999)
  – Added new crypto algorithm support
  – IETF takes over
• TLS 1.1 (2006)
  – Address Vaudenay’s CBC attacks on record layer
  – Provide implementation guidance
Layered model

• SSL provides security at the transport
  layer (OSI model L4)
  – Stream of bytes in, private/untampered
    stream of bytes out
  – Application logic is unmodified
  – Can be adapted to datagram service also
    (DTLS)
• Compare to IPSEC
  – Mostly used as an L3 protocol
SMTP over SSL

• HTTP, SMTP, POP, IMAP, etc. all have
  SSL variants
• Two design choices to add SSL
  – Use alternate port since SSL session
    establishment differs from original protocol
     – SMTPS (TCP port 465 and 587)
  – Add protocol-specific message to toggle SSL
    mode
     – STARTTLS over port 25 (RFC 3207)
• SMTP session over SSL is unchanged
Security goals

• Privacy
  – Data within SSL session should not be
    recoverable by anyone except the endpoints
• Integrity
  – Data in transit should not be modified
    without detection except by the endpoints
• Authentication
  – No endpoint should be able to masquerade
    as another
Attacker capabilities

• Sorted by increasing power
• Normal participant
  – Can talk to server that is also talking to other parties
• Passive eavesdropping
  – Observe any or all messages sent by other parties
• Active (Man in the Middle)
  – Insert or replay old messages
  – Modify
  – Delete or reorder
• Secure protocols must address all these
  threats
Crypto property: privacy

• No one other than the intended
  recipient of a message can determine
  its contents
• Caveats
  – Adversary could have powers of knowing or
    choosing plaintext
  – Traffic analysis
    – Length, latency, unencrypted data like IP or
      Ethernet addresses
    – Side channel attacks: power consumption, EM,
      timing of operations
Crypto property: integrity

• Any change made to a message after it
  has been sent will be detected by the
  recipient
  – Corollary: reordering, replay, insertion, or
    deletion of messages will also be detected
• Caveats
  – Privacy is not integrity protection
  – Error recovery
     – You can’t always terminate the session
  – Root of trust (shared system?)
Crypto property: authentication

• Messages can be associated with a
  given identity with high level of
  confidence
• Caveats
  – Managing identification
     – Lost keys, forgotten passwords, laptop walks
       away
     – Revocation of old keys and refreshing to new
       ones
  – Bootstrapping: what is your root of trust?
Security goal implementation

• Privacy
  – Data is encrypted with block cipher (e.g.,
    AES)
  – Cipher key is exchanged via public key
    crypto (e.g., RSA)
• Integrity
  – Data is protected by a MAC (e.g., SHA1-
    HMAC)
• Authentication
  – Server and/or client identity is verified via
    certificates
Primitive: symmetric crypto

• Block ciphers turn plaintext block into
  ciphertext using a secret key
  – Recipient inverts (decrypts) block using
    same key
• Examples: AES, 3DES, RC5
Primitive: symmetric crypto

• Often requires “chaining” to encrypt
  messages longer than a single block
• This does not provide integrity
  protection
Primitive: public key crypto

• Data transformed with one key can only
  be inverted with the other key
  (asymmetric)
• Examples: RSA, Diffie-Hellman, DSA
  – And elliptic curve variants
• Can encrypt data to a recipient without
  also being able to decrypt it afterward
• Can sign data by encrypting it with one
  key and publishing the other
Primitive: public key crypto
Primitive: certificates

• Associate a name with a public key
  – Trusted party uses private key to sign the
    message “joe.com = 0x09f9…”
  – Public key of trusted party came with your
    web browser
• Key management still a problem
  – Expire certs and explicitly revoke them if a
    private key is compromised (CRL)
  – Or, check with the trusted party each time
    you want to use one (OCSP)
Primitive: message authentication code

• A MAC combines a hash function and
  secret key with the data to protect
  – Resulting MAC is transmitted with message
  – Recipient performs same process and
    verifies result matches
• Attacker cannot…
  – Modify message without changing its hash
  – Forge a new MAC value without knowing the
    key
• Examples: SHA1-HMAC, AES CMAC
Primitive: secure PRNG

• Outputs a cryptographically-strong,
  pseudo-random stream of data based
  on initial seed
  – Initial seed needs to have enough entropy
  – PRNGs used many places (key generation,
    IVs, nonces)
• Examples: /dev/random, Yarrow
  – Often based on a hash function like SHA-1
Overview of typical session
       Client        Server

      ClientHello
                    ServerHello
                    Certificate
                    ServerHelloDone

ClientKeyExchange
ChangeCipherSpec
Finished
                    ChangeCipherSpec
                    Finished

ApplicationData     ApplicationData
Decoding with WireShark
Message: Client/ServerHello

• Initiates connection and specifies
  parameters
  – Initiator sends list (i.e., CipherSuites) and
    responder selects one item from list
  – SessionID is used for resuming (explained
    later)

                 Client/ServerHello
                Version
                RandomData
                SessionID
                CipherSuites
                CompressionMethods
Message: Certificate

• Provides a signed public key value to
  the other party
  – Almost always the server although clients
    can also authenticate with a cert
  – Other side must verify information in cert
    (i.e., the DN field is myhost.com = IP
    address in my TCP connection)

                    Certificate
                ASN.1Cert
Message: ServerHelloDone

• Signifies end of server auth process
  – Allows multi-pass authentication handshake
  – Otherwise unimportant
• Cert-based auth is single-pass
Message: ClientKeyExchange

• Client sends encrypted premaster
  secret to server
  – Assumes RSA public key crypto (most
    common)
  – Server checks ClientVersion matches
    highest advertised version


               ClientKeyExchange
              RSA-PubKey-Encrypt(
                  ClientVersion
                  PreMasterSecret[48]
              )
Message: ChangeCipherSpec

• Indicates following datagrams will be
  encrypted
  – Disambiguates case where next message
    may be error or encrypted data
• Each side now calculates data
  encryption key (K)
            MasterSecret computation
              Hash(
                  PreMasterSecret
                  ClientRandom
                  ServerRandom
              )
Message: Finished

• Indicates all protocol negotiation is
  complete and data may be exchanged
  – First encrypted message of each party
  – Includes hashes of all handshake messages
    seen by each side
    – Also, magic integers 0x434C4E54 or 0x53525652
      (why?)
                    Finished
           AES-K-Encrypt(
                Magic
                MD5(handshake_messages)
                SHA1(handshake_messages)
           )
Message: ApplicationData

• Encapsulates encrypted data
  – Includes MAC for integrity protection
  – Can span multiple TCP packets

                 ApplicationData
                AES-CBC-K-Encrypt(
                     Type
                     Version
                     Length
                     Data
                     MAC
                     Padding
                     PaddingLength
                )
Session resumption
       Client        Server



      ClientHello

                    ServerHello
                    ChangeCipherSpec
                    Finished

ChangeCipherSpec
Finished


ApplicationData     ApplicationData
Formal verification of protocol security

• Goal: formal system for finding any
  security problems in design
  – BAN logic (BAN89)
     – Formalized authentication with primitives like “X
       said” and “Y believes”
  – Model checking (MMS98)
     – Build a FSM model of the system and enumerate
      states
• Difficult and time consuming but worth
  it if your protocol is important
Attack: similarly-named certs

• What if server has valid certificate but a
  similar name to another server?
  – Example: Microsoft vs. Micr0soft
• Outside the scope of SSL but relevant
• Used all the time with phishing emails
  – But few bother with SSL currently
  – Yellow lock JPEG on page sufficient

  – Now, please enter your PIN
Attack: side channel

• Side effects of handling secure data can
  be indirectly observed
• Example: timing attack on server’s
  private key [BB03]
  – Observe how long the server takes to return
    an error when sending invalid
    ClientKeyExchange
  – Bits of the key can slowly be discovered
    … over the Internet
• Tricky problem to be sure you’ve solved
  adequately
Conclusions

• SSL provides a well-tested secure
  transport layer
• Security protocols require careful
  interdependence of primitives
  – Privacy
  – Integrity protection
  – Authentication
• Easy to make mistakes designing
  security and crypto in particular

• This stuff is a lot of fun!
Recommended reading
•   [TLS06] The Transport Layer Security (TLS) Protocol, Version 1.1.
    http://tools.ietf.org/html/rfc4346
•   [Resc02] Rescarola, E. Introduction to OpenSSL programming.
    http://www.rtfm.com/openssl-examples/
•   [WS96] David Wagner and Bruce Schneier. Analysis of the SSL 3.0 Protocol.
    1996. http://citeseer.ist.psu.edu/wagner96analysis.html
•   [MMS98] John C. Mitchell, Vitaly Shmatikov, and Ulrich Stern. Finite-state
    analysis of SSL 3.0. In Seventh USENIX Security Symposium, pages 201 - 216,
    1998. http://citeseer.ist.psu.edu/mitchell98finitestate.html
•   [BAN90] Burrows, M., Abadi, M., and Needham, R. M. quot;A Logic of
    Authenticationquot;, ACM Transactions on Computer Systems, Vol. 8, No. 1, Feb
    1990, pp. 18 - 36. A Formal Semantics for Evaluating Cryptographic Protocols p
    14. http://citeseer.ist.psu.edu/burrows90logic.htm
•   [BB03] D. Boneh and D. Brumley. Remote Timing Attacks are Practical.
    Proceedings of the 12th USENIX Security Symposium, August 2003.
    http://citeseer.ist.psu.edu/article/boneh03remote.html
Fixing v2.0: downgrade attacks

• Backwards compatibility with insecure
  protocol is difficult
  – Active attacker could change ServerHello to
    advertise v2-only
• Clever solution: put 64 bits of 0x3 in
  the RSA padding
  – Attacker cannot substitute their own key
    without breaking the server cert
  – Luckily, SSL v2 only supported RSA key
    exchange

More Related Content

What's hot

Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Samip jain
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
Ssl in a nutshell
Ssl in a nutshellSsl in a nutshell
Ssl in a nutshellFrank Kelly
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets LayerNascenia IT
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)amanchaurasia
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolMohammed Adam
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesJaroslavChmurny
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layerAhmed Elnaggar
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket LayerPina Parmar
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYMonodip Singha Roy
 
Securing TCP connections using SSL
Securing TCP connections using SSLSecuring TCP connections using SSL
Securing TCP connections using SSLSagar Mali
 
secure socket layer
secure socket layersecure socket layer
secure socket layerAmar Shah
 
Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)Sandeep Gupta
 

What's hot (20)

Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
Ssl in a nutshell
Ssl in a nutshellSsl in a nutshell
Ssl in a nutshell
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets Layer
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
 
Transport layer security
Transport layer securityTransport layer security
Transport layer security
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
SSL/TLS 101
SSL/TLS 101SSL/TLS 101
SSL/TLS 101
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
 
Securing TCP connections using SSL
Securing TCP connections using SSLSecuring TCP connections using SSL
Securing TCP connections using SSL
 
secure socket layer
secure socket layersecure socket layer
secure socket layer
 
SSL/TLS Handshake
SSL/TLS HandshakeSSL/TLS Handshake
SSL/TLS Handshake
 
Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)
 
SSL
SSLSSL
SSL
 
SSL overview
SSL overviewSSL overview
SSL overview
 

Similar to TLS/SSL Protocol Design

03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...ghorilemin
 
this is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is pptthis is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is pptghorilemin
 
8.SSL encryption.ppt
8.SSL encryption.ppt8.SSL encryption.ppt
8.SSL encryption.pptNoName261177
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxjithu26327
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web securityrajakhurram
 
[Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things![Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things!OWASP
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured  CommunicationsTLS/SSL - Study of Secured  Communications
TLS/SSL - Study of Secured CommunicationsNitin Ramesh
 
Ip sec and ssl
Ip sec and  sslIp sec and  ssl
Ip sec and sslMohd Arif
 
Recover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecyRecover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecyPriyanka Aash
 
Message authentication and hash function
Message authentication and hash functionMessage authentication and hash function
Message authentication and hash functionomarShiekh1
 
OpenOffice.org Digital Signatures, OOoCon 2004
OpenOffice.org Digital Signatures, OOoCon 2004OpenOffice.org Digital Signatures, OOoCon 2004
OpenOffice.org Digital Signatures, OOoCon 2004Malte Timmermann
 
Cryptography101
Cryptography101Cryptography101
Cryptography101NCC Group
 
Shytikov on NTLM Authentication
Shytikov on NTLM AuthenticationShytikov on NTLM Authentication
Shytikov on NTLM Authenticationshytikov
 

Similar to TLS/SSL Protocol Design (20)

03-SSL (1).ppt
03-SSL (1).ppt03-SSL (1).ppt
03-SSL (1).ppt
 
03-SSL (2).ppt
03-SSL (2).ppt03-SSL (2).ppt
03-SSL (2).ppt
 
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL (1).ppt03-SSL ...
 
this is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is pptthis is ppt this is ppt this is ppt this is ppt
this is ppt this is ppt this is ppt this is ppt
 
8.SSL encryption.ppt
8.SSL encryption.ppt8.SSL encryption.ppt
8.SSL encryption.ppt
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptx
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web security
 
Secure socket later
Secure socket laterSecure socket later
Secure socket later
 
Wireless LAN Security Fundamentals
Wireless LAN Security FundamentalsWireless LAN Security Fundamentals
Wireless LAN Security Fundamentals
 
[Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things![Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things!
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured  CommunicationsTLS/SSL - Study of Secured  Communications
TLS/SSL - Study of Secured Communications
 
Ip sec and ssl
Ip sec and  sslIp sec and  ssl
Ip sec and ssl
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
 
Recover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecyRecover A RSA Private key from a TLS session with perfect forward secrecy
Recover A RSA Private key from a TLS session with perfect forward secrecy
 
Message authentication and hash function
Message authentication and hash functionMessage authentication and hash function
Message authentication and hash function
 
Transportsec
TransportsecTransportsec
Transportsec
 
OpenOffice.org Digital Signatures, OOoCon 2004
OpenOffice.org Digital Signatures, OOoCon 2004OpenOffice.org Digital Signatures, OOoCon 2004
OpenOffice.org Digital Signatures, OOoCon 2004
 
SSL.ppt
SSL.pptSSL.ppt
SSL.ppt
 
Cryptography101
Cryptography101Cryptography101
Cryptography101
 
Shytikov on NTLM Authentication
Shytikov on NTLM AuthenticationShytikov on NTLM Authentication
Shytikov on NTLM Authentication
 

More from Nate Lawson

Building the ZoomFloppy (ECCC 2010)
Building the ZoomFloppy (ECCC 2010)Building the ZoomFloppy (ECCC 2010)
Building the ZoomFloppy (ECCC 2010)Nate Lawson
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Nate Lawson
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)Nate Lawson
 
Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Nate Lawson
 
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)Nate Lawson
 
TLS/SSL MAC security flaw
TLS/SSL MAC security flawTLS/SSL MAC security flaw
TLS/SSL MAC security flawNate Lawson
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
 
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Nate Lawson
 
ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)Nate Lawson
 
ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)Nate Lawson
 
Foundations of Platform Security
Foundations of Platform SecurityFoundations of Platform Security
Foundations of Platform SecurityNate Lawson
 
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)Nate Lawson
 
Designing and Attacking Virtual Machines (RSA 2004)
Designing and Attacking Virtual Machines (RSA 2004)Designing and Attacking Virtual Machines (RSA 2004)
Designing and Attacking Virtual Machines (RSA 2004)Nate Lawson
 

More from Nate Lawson (13)

Building the ZoomFloppy (ECCC 2010)
Building the ZoomFloppy (ECCC 2010)Building the ZoomFloppy (ECCC 2010)
Building the ZoomFloppy (ECCC 2010)
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)
 
Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)
 
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)Highway to Hell: Hacking Toll Systems (Blackhat 2008)
Highway to Hell: Hacking Toll Systems (Blackhat 2008)
 
TLS/SSL MAC security flaw
TLS/SSL MAC security flawTLS/SSL MAC security flaw
TLS/SSL MAC security flaw
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
 
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007)
 
ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)ACPI and FreeBSD (Part 2)
ACPI and FreeBSD (Part 2)
 
ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)ACPI and FreeBSD (Part 1)
ACPI and FreeBSD (Part 1)
 
Foundations of Platform Security
Foundations of Platform SecurityFoundations of Platform Security
Foundations of Platform Security
 
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004)
 
Designing and Attacking Virtual Machines (RSA 2004)
Designing and Attacking Virtual Machines (RSA 2004)Designing and Attacking Virtual Machines (RSA 2004)
Designing and Attacking Virtual Machines (RSA 2004)
 

Recently uploaded

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Recently uploaded (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

TLS/SSL Protocol Design

  • 1. TLS/SSL protocol design Nate Lawson nate@rootlabs.com Presented at Cal Poly Nov. 29, 2007
  • 2. Overview • Introduction to SSL/TLS – Focus on SMTP+SSL • Design goals and result • Cryptography primer – Desired properties – Primitives for implementing them • Protocol walkthrough in detail • Attacks and mitigation
  • 3. My background • Root Labs founder – Design and analyze security systems – Emphasis on embedded, kernel, and crypto • Previously, Cryptography Research – Paul Kocher’s company (author of SSL 3.0) – Co-designed Blu-ray disc security layer, aka BD+ • Crypto engineer at Infogard Labs • FreeBSD committer
  • 4. Security is hard but rewarding • Protocols and crypto are susceptible to very minor mistakes • Example: SSL timing attacks over the Internet • Hard = fun and $ – Breaking and building things is exciting – Security is a desired skill for any resumé
  • 5. SSL history • SSL (Secure Sockets Layer) v2.0 (1994) – Serious security problems including incomplete MAC coverage of padding – Designed by Netscape • SSL v3.0 (1996) – Major revision to address security problems – Paul Kocher + Netscape • TLS (Transport Layer Security) 1.0 (1999) – Added new crypto algorithm support – IETF takes over • TLS 1.1 (2006) – Address Vaudenay’s CBC attacks on record layer – Provide implementation guidance
  • 6. Layered model • SSL provides security at the transport layer (OSI model L4) – Stream of bytes in, private/untampered stream of bytes out – Application logic is unmodified – Can be adapted to datagram service also (DTLS) • Compare to IPSEC – Mostly used as an L3 protocol
  • 7. SMTP over SSL • HTTP, SMTP, POP, IMAP, etc. all have SSL variants • Two design choices to add SSL – Use alternate port since SSL session establishment differs from original protocol – SMTPS (TCP port 465 and 587) – Add protocol-specific message to toggle SSL mode – STARTTLS over port 25 (RFC 3207) • SMTP session over SSL is unchanged
  • 8. Security goals • Privacy – Data within SSL session should not be recoverable by anyone except the endpoints • Integrity – Data in transit should not be modified without detection except by the endpoints • Authentication – No endpoint should be able to masquerade as another
  • 9. Attacker capabilities • Sorted by increasing power • Normal participant – Can talk to server that is also talking to other parties • Passive eavesdropping – Observe any or all messages sent by other parties • Active (Man in the Middle) – Insert or replay old messages – Modify – Delete or reorder • Secure protocols must address all these threats
  • 10. Crypto property: privacy • No one other than the intended recipient of a message can determine its contents • Caveats – Adversary could have powers of knowing or choosing plaintext – Traffic analysis – Length, latency, unencrypted data like IP or Ethernet addresses – Side channel attacks: power consumption, EM, timing of operations
  • 11. Crypto property: integrity • Any change made to a message after it has been sent will be detected by the recipient – Corollary: reordering, replay, insertion, or deletion of messages will also be detected • Caveats – Privacy is not integrity protection – Error recovery – You can’t always terminate the session – Root of trust (shared system?)
  • 12. Crypto property: authentication • Messages can be associated with a given identity with high level of confidence • Caveats – Managing identification – Lost keys, forgotten passwords, laptop walks away – Revocation of old keys and refreshing to new ones – Bootstrapping: what is your root of trust?
  • 13. Security goal implementation • Privacy – Data is encrypted with block cipher (e.g., AES) – Cipher key is exchanged via public key crypto (e.g., RSA) • Integrity – Data is protected by a MAC (e.g., SHA1- HMAC) • Authentication – Server and/or client identity is verified via certificates
  • 14. Primitive: symmetric crypto • Block ciphers turn plaintext block into ciphertext using a secret key – Recipient inverts (decrypts) block using same key • Examples: AES, 3DES, RC5
  • 15. Primitive: symmetric crypto • Often requires “chaining” to encrypt messages longer than a single block • This does not provide integrity protection
  • 16. Primitive: public key crypto • Data transformed with one key can only be inverted with the other key (asymmetric) • Examples: RSA, Diffie-Hellman, DSA – And elliptic curve variants • Can encrypt data to a recipient without also being able to decrypt it afterward • Can sign data by encrypting it with one key and publishing the other
  • 18. Primitive: certificates • Associate a name with a public key – Trusted party uses private key to sign the message “joe.com = 0x09f9…” – Public key of trusted party came with your web browser • Key management still a problem – Expire certs and explicitly revoke them if a private key is compromised (CRL) – Or, check with the trusted party each time you want to use one (OCSP)
  • 19. Primitive: message authentication code • A MAC combines a hash function and secret key with the data to protect – Resulting MAC is transmitted with message – Recipient performs same process and verifies result matches • Attacker cannot… – Modify message without changing its hash – Forge a new MAC value without knowing the key • Examples: SHA1-HMAC, AES CMAC
  • 20. Primitive: secure PRNG • Outputs a cryptographically-strong, pseudo-random stream of data based on initial seed – Initial seed needs to have enough entropy – PRNGs used many places (key generation, IVs, nonces) • Examples: /dev/random, Yarrow – Often based on a hash function like SHA-1
  • 21. Overview of typical session Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished ApplicationData ApplicationData
  • 23. Message: Client/ServerHello • Initiates connection and specifies parameters – Initiator sends list (i.e., CipherSuites) and responder selects one item from list – SessionID is used for resuming (explained later) Client/ServerHello Version RandomData SessionID CipherSuites CompressionMethods
  • 24. Message: Certificate • Provides a signed public key value to the other party – Almost always the server although clients can also authenticate with a cert – Other side must verify information in cert (i.e., the DN field is myhost.com = IP address in my TCP connection) Certificate ASN.1Cert
  • 25. Message: ServerHelloDone • Signifies end of server auth process – Allows multi-pass authentication handshake – Otherwise unimportant • Cert-based auth is single-pass
  • 26. Message: ClientKeyExchange • Client sends encrypted premaster secret to server – Assumes RSA public key crypto (most common) – Server checks ClientVersion matches highest advertised version ClientKeyExchange RSA-PubKey-Encrypt( ClientVersion PreMasterSecret[48] )
  • 27. Message: ChangeCipherSpec • Indicates following datagrams will be encrypted – Disambiguates case where next message may be error or encrypted data • Each side now calculates data encryption key (K) MasterSecret computation Hash( PreMasterSecret ClientRandom ServerRandom )
  • 28. Message: Finished • Indicates all protocol negotiation is complete and data may be exchanged – First encrypted message of each party – Includes hashes of all handshake messages seen by each side – Also, magic integers 0x434C4E54 or 0x53525652 (why?) Finished AES-K-Encrypt( Magic MD5(handshake_messages) SHA1(handshake_messages) )
  • 29. Message: ApplicationData • Encapsulates encrypted data – Includes MAC for integrity protection – Can span multiple TCP packets ApplicationData AES-CBC-K-Encrypt( Type Version Length Data MAC Padding PaddingLength )
  • 30. Session resumption Client Server ClientHello ServerHello ChangeCipherSpec Finished ChangeCipherSpec Finished ApplicationData ApplicationData
  • 31. Formal verification of protocol security • Goal: formal system for finding any security problems in design – BAN logic (BAN89) – Formalized authentication with primitives like “X said” and “Y believes” – Model checking (MMS98) – Build a FSM model of the system and enumerate states • Difficult and time consuming but worth it if your protocol is important
  • 32. Attack: similarly-named certs • What if server has valid certificate but a similar name to another server? – Example: Microsoft vs. Micr0soft • Outside the scope of SSL but relevant • Used all the time with phishing emails – But few bother with SSL currently – Yellow lock JPEG on page sufficient – Now, please enter your PIN
  • 33. Attack: side channel • Side effects of handling secure data can be indirectly observed • Example: timing attack on server’s private key [BB03] – Observe how long the server takes to return an error when sending invalid ClientKeyExchange – Bits of the key can slowly be discovered … over the Internet • Tricky problem to be sure you’ve solved adequately
  • 34. Conclusions • SSL provides a well-tested secure transport layer • Security protocols require careful interdependence of primitives – Privacy – Integrity protection – Authentication • Easy to make mistakes designing security and crypto in particular • This stuff is a lot of fun!
  • 35. Recommended reading • [TLS06] The Transport Layer Security (TLS) Protocol, Version 1.1. http://tools.ietf.org/html/rfc4346 • [Resc02] Rescarola, E. Introduction to OpenSSL programming. http://www.rtfm.com/openssl-examples/ • [WS96] David Wagner and Bruce Schneier. Analysis of the SSL 3.0 Protocol. 1996. http://citeseer.ist.psu.edu/wagner96analysis.html • [MMS98] John C. Mitchell, Vitaly Shmatikov, and Ulrich Stern. Finite-state analysis of SSL 3.0. In Seventh USENIX Security Symposium, pages 201 - 216, 1998. http://citeseer.ist.psu.edu/mitchell98finitestate.html • [BAN90] Burrows, M., Abadi, M., and Needham, R. M. quot;A Logic of Authenticationquot;, ACM Transactions on Computer Systems, Vol. 8, No. 1, Feb 1990, pp. 18 - 36. A Formal Semantics for Evaluating Cryptographic Protocols p 14. http://citeseer.ist.psu.edu/burrows90logic.htm • [BB03] D. Boneh and D. Brumley. Remote Timing Attacks are Practical. Proceedings of the 12th USENIX Security Symposium, August 2003. http://citeseer.ist.psu.edu/article/boneh03remote.html
  • 36. Fixing v2.0: downgrade attacks • Backwards compatibility with insecure protocol is difficult – Active attacker could change ServerHello to advertise v2-only • Clever solution: put 64 bits of 0x3 in the RSA padding – Attacker cannot substitute their own key without breaking the server cert – Luckily, SSL v2 only supported RSA key exchange