ssl

SSL / TLS
Internet Security Protocols

© Novell, Inc. All rights reserved.2
What is it used for?
 Designed to provide communication security over the
Internet
 Authentication, Data Integrity, Confidentiality
 Prevents Eavesdropping, tampering & message
forgery
 Application protocol independent ( POP3, IMAP,
SMTP, FTP)
 Virtual Private Network (SSL VPN)
 Public key infrastructure(PKI)

Cryptography Heads up!!!
1. Symmetric Key
Cryptography
2. Asymmetric Key
Cryptography a.k.a.
Public Key Cryptography

Symmetric Key Cryptography

Public Key Cryptography

History & Development
Secure Network Programming (1993)
SSL 1.0, 2.0 and 3.0 (1995-96)
TLS 1.0(1999)
TLS 1.1(2006)
TLS 1.2(2008)
TLS 1.3(Draft Oct. 2014)

SSL/TLS Architecture
Handshake
protocol
Change Cipher
spec
Alert Application
Protocol
Record
TCP/IP

Basic TLS Handshake
TLS Client
TLS Server
Client Hello
Offers TLS version, list of ciphers, compression methods etc.
Server Hello
Server chooses TLS version, Session IDs, Cipher, compression method
Server Certificate (Optional)
Server Key Exchange (Optional)
Servers public key if certificate not available
Client certificate request (Optional)
Server Hello Done
Client Certificate (Optional)
Client KeyExchange
PreMasterSecret or public key, or nothing encrypted using server’s public key
Client Certificate verify (Optional)
client will start using the new session keys for hashing and encrypting messages
Change CipherSpec
Server Finished
Encrypted Application Data
Change CipherSpec & Client Finished

Resumed TLS Handshake
 Public key operations (e.g., RSA) are relatively expensive
in terms of computational power.
 TLS provides a secure shortcut in the handshake
mechanism to avoid these operations: resumed sessions.
 Resumed sessions are implemented using session IDs or
session tickets.
 Apart from the performance benefit, resumed sessions
can also be used for single sign-on.
 Session ID and Session tickets are used for resumed
TLS handshake.

Resumed TLS Handshake (Cont.)
TLS Client
TLS Server
Client Hello
Offers TLS version, list of ciphers, compression methods etc.
Older Session ID / Session Ticket
Server Hello
With Old / New session ID
Change CipherSpec & Client Finished
client will start using the new /old session keys for hashing and encrypting
messages
Encrypted Application Data
Change CipherSpec
Server Finished
containing a hash and MAC over the previous handshake messages

Session ID & Session tickets
Session ID:- The client associates this session id with the server's IP
address and TCP port, so that when the client connects again to that
server, it can use the session id to shortcut the handshake. In the server,
the session id maps to the cryptographic parameters previously
negotiated, specifically the "master secret". Both sides must have the
same "master secret" or the resumed handshake will fail.
Session Tickets:- When using session tickets, the TLS server stores
its session-specific state in a session ticket and sends the session ticket
to the TLS client for storing. The client resumes a TLS session by
sending the session ticket to the server, and the server resumes the TLS
session according to the session-specific state in the ticket. The session
ticket is encrypted and authenticated by the server, and the server
verifies its validity before using its contents.

TLS Record Protocol
 The TLS Record Protocol is a layered protocol.
 The Record Protocol takes messages to be transmitted,
fragments the data into manageable blocks, optionally
compresses the data, applies a MAC, encrypts, and
transmits the result.
 Received data is decrypted, verified, decompressed,
reassembled, and then delivered to higher-level clients.
 Following four protocol clients uses it: the handshake
protocol, the alert protocol, the change cipher spec
protocol, and the application data protocol

TLS Record Protocol(Cont.)
TLS Record Header

Connection States
 A TLS connection state is the operating environment of
the TLS Record Protocol
 There are always four connection states outstanding: the
current read and write states, and the pending read and
write states
 All records are processed under the current read and
write states.
 The security parameters for the pending states can be
set by the TLS Handshake Protocol, and the Change
Cipher Spec can selectively make either of the pending
states current

Message Authentication Code
 TLS record layer uses Keyed-Hash MAC(HMAC) for authentication
and integrity check of messages.
 HMAC employs an iterative cryptographic hash function in
combination with a premaster secret key as follows:
H(secret XOR opad, H(secret XOR ipad, message))
 HMAC produces a fixed length message digest which may not be
sufficiently long. To remedy this successive concatenation of HMAC
with different values is done as follows:
P_hash(secret, seed) = H(secret, A(1) + seed) + H(secret, A(2) + seed) + H (secret, A(3) +
seed) + ...
where + indicates concatenation.
A() is defined as: A(0) = seed = ClientHello.random + ServerHello.random
A(i) = H (secret, A(i-1))
Secret = premaster secret

Master Key Generation:-
 The master secret is calculated using PRF:
master_secret = PRF(pre_master_secret, "master secret", ClientHello.random +
ServerHello.random) [0..47];
 TLS's PRF is created by applying P_hash to the secret as:
PRF(secret, label, seed) = P_<hash>(secret, label, + seed)
 The master secret is always exactly 48 bytes in length.
 The Length of the premaster secret will vary depending on
key exchange method.

TLS communication steps
1. Handshake and cipher suite negotiation
2. Authentication of parties
3. Key-related information exchange
4. Application data exchange
The steps that make up TLS are divided into two protocols
that together provide connection security:
TLS Handshaking Protocols — (steps 1 – 3)
Application Data Protocol — (step 4)

TLS Handshaking Protocols
 It is responsible for the authentication and key exchange
necessary to establish or resume secure sessions
 When establishing a secure session, the Handshaking
Protocol manages the following:
• Cipher suite negotiation
• Authentication of the server and optionally, the client
• Session key information exchange.
 It includes “The Handshake Protocol”, “The Alert
Protocol” & “Change Cipher Spec Protocol”

TLS Handshake Protocol
The Handshake Protocol is responsible for negotiating a
session, which consists of the following items:-
 Session Identifier:- An arbitrary byte sequence chosen by the server to identify an
active or resume-able session state.
 Peer Certificate:- X509v3 certificate of the peer. This element of the state may be null.
 Compression Method:- The algorithm used to compress data prior to encryption.
 Cipher Spec:- Specifies the pseudorandom function (PRF) used to generate keying
material, the bulk data encryption algorithm (such as null, AES, etc.) and the MAC
algorithm (such as MD5 HMAC-SHA1). It also defines cryptographic attributes such as
the mac_length.
 Master Secret:- 48-byte secret shared between the client and server.
 is resumable:- A flag indicating whether the session can be used to initiate new
connections.

Change Cipher Spec Protocol
 The change cipher spec protocol exists to signal
transitions in ciphering strategies.
 The ChangeCipherSpec message is sent by both the
client and the server to notify the receiving party that
subsequent records will be protected under the newly
negotiated CipherSpec and keys.

Alert Protocol
 Alert messages convey the severity of the message
(warning or fatal) and a description of the alert.
 There are two alert levels in TLS
1. Fatal:- immediate termination of the connection
2. Warning:- other connections corresponding to the session may
continue, but the session identifier MUST be invalidated,
preventing the failed session from being used to establish new
connections
 For complete list of alert messages use RFC5246
Note :- alert messages are encrypted and compressed, as
specified by the current connection state.

Application Data Protocol
 Application data messages are carried by the record layer
and are fragmented, compressed, and encrypted based
on the current connection state. The messages are
treated as transparent data to the record layer.

TLS Record
Content Type:-
This field identifies the Record Layer
Protocol Type contained in this Record.

TLS Record(Cont.)
Version :- This field identifies
the major and minor
version of TLS for the
contained message. For a
ClientHello message, this
need not be the highest
version supported by the
client.

TLS Record(Cont.)
Version :- This field identifies
the major and minor
version of TLS for the
contained message. For a
ClientHello message, this
need not be the highest
version supported by the
client.
Length:- The length of
Protocol message(s), MAC
and Padding, not to
exceed 214 bytes (16 KiB).

TLS Record(Cont.)
Protocol message(s):- One or more messages identified by
the Protocol field. Note that this field may be encrypted
depending on the state of the connection.
MAC and Padding:- A message authentication code
computed over the Protocol message, with additional key
material included. Note that this field may be encrypted, or
not included entirely, depending on the state of the
connection. No MAC or Padding can be present at end of
TLS records before all cipher algorithms and parameters
have been negotiated and handshaked and then
confirmed by sending a CipherStateChange record (see
below) for signalling that these parameters will take effect
in all further records sent by the same peer.

References:-
• http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS
_record
• rfc2246, rfc5246, rfc4346
• http://msdn.microsoft.com/en-
us/library/windows/desktop/aa380516%28v=vs.85%29.as
px
• https://www.cs.bham.ac.uk/~mdr/teaching/modules06/net
sec/lectures/tls/tls.html
• http://lasr.cs.ucla.edu/vahab/resources/notes_on_tls.pdf

Corporate Headquarters
1800 South, Novell Place
Provo, Utah 84606
801.861.7000 (Worldwide)
800.453.1267 (Toll-free)
Join us on:
www.novell.com

ssl

More Related Content

What's hot

Viewers also liked

Similar to ssl

ssl