Introduction to the design principles behind SSL. This was a relatively basic talk since the audience was a networking class with no previous security experience. Talk given to Cal Poly networking class on November 29, 2007.
Slides of the Webinar "SSL, impact and optimisation"
INTRODUCTION
What is SSL?
The purpose of SSL
History of SSL / TLS
Overview of a TLS connection
PART 1
What is the role of an SSL certificate?
Levels of validation
Options for certificates: SAN and Wildcard
The certificate ordering process
Certificate chain
SSL algorithms: encryption & authentication
Examples
PART 2
TLS and IPV4 exhaustion
HAProxy and SNI
TLS impacts
SSL offloading
SEO
Security of the SSL protocol
The design criteria behind TLS/SSL, presented at Cal Poly on 2010/6/3. An updated version of a previous talk, this presentation includes descriptions of the Null-byte certificate attack and the recent session renegotiation attack (both from 2009).
In this session, Cedric Fournet, principal researcher at Microsoft Research Cambridge and at the INRIA-Microsoft Research Joint Centre, will present an overview of the classic types of TLS vulnerabilities as well as the "MiTLS" project, which in April 2014 allowed them to reveal a major vulnerability that had not been exploited until its discovery. MiTLS is an experimental, mathematically verified implementation of TLS: MiTLS is implemented in F# and specified in F7. MiTLS is a research and testing platform for revisiting known attacks and regularly finding new ones, and thus for strengthening the robustness of the protocol in collaboration with the IETF. TLS 1.2 (also known as SSL 3.0) is the most widespread cryptographic protocol for securing communications and exchanges on the Internet. As the successor to SSL, TLS is the guarantee that your banking transactions on the web or your email will be properly protected. TLS is everywhere: HTTPS, 802.1x, VPNs, files, mail, VoIP… And yet, is the trust placed in it well deserved? Is TLS 100% secure? TLS has an 18-year history of flaws and fixes, from the logic of its specification to its many implementations. Its omnipresence at the heart of the web's trust system makes an organised, rational and preventive approach to detecting its vulnerabilities necessary. http://www.mitls.org/wsgi/home http://research.microsoft.com/en-us/projects/f7/
SSL is an acronym for Secure Sockets Layer. It is a protocol used for authenticating and encrypting web traffic. For web traffic to be authenticated means that your browser is able to verify the identity of the remote server.
Introduction to Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Shows the basic principle of SSL and also a little bit of practical applicability.
SSL/TLS Introduction with Practical Examples Including Wireshark Captures (Jaroslav Chmurny)
As some of my colleagues are solving various SSL/TLS problems for one of our customers, I have prepared the above mentioned training for them. The training is divided into three parts:
- Brief Introduction to Public Key Infrastructure (PKI)
- Introduction to SSL/TLS Protocols
- Practical Examples and Hints
The last part primarily consists of hands-on exercises with Wireshark, covering a variety of successful and failed SSL/TLS handshakes. The hands-on exercises are based on an easily configurable dummy SSL client and server implemented in Java (available at https://github.com/Jardo72/SSL-Sandbox).
Securing TCP connections using SSL
Originally developed by Netscape Communications to allow secure access of a browser to a Web server, Secure Sockets Layer (SSL) has become the accepted standard for Web security. The first version of SSL was never released because of problems regarding protection of credit card transactions on the Web. In 1994, Netscape created SSLv2, which made it possible to keep credit card numbers confidential and also authenticate the Web server with the use of encryption and digital certificates. In 1995, Netscape strengthened the cryptographic algorithms and resolved many of the security problems in SSLv2 with the release of SSLv3. SSLv3 now supports more security algorithms than SSLv2.
TLS/SSL - Study of Secured Communications (Nitin Ramesh)
TLS/SSL, the mechanism that enables secured communications between two points over a network, is more important than ever. Here we deep dive into the basics and its relevance in today's world.
Recover an RSA Private Key from a TLS Session with Perfect Forward Secrecy (Priyanka Aash)
They always taught us that the only thing that can be pulled out of an SSL/TLS session using strong authentication and the latest Perfect Forward Secrecy ciphersuites is the public key of the certificate exchanged during the handshake, an insufficient condition for mounting a MiTM attack without generating alarms on the validity of the TLS connection and the certificate itself. Anyway, this is not always true. In certain circumstances it is possible to derive the server's private key regardless of the size of the modulus used. Even RSA keys of 4096 bits can be factored at the cost of a few CPU cycles and computational resources. All that is needed is the generation of a faulty digital signature by the server, an event that can be observed when certain conditions occur, such as CPU overheating, RAM errors or other hardware faults. Because of these premises, devices like firewalls, switches, routers and other embedded appliances are more exposed than traditional IT servers or clients. During the talk, the author will explain the theory behind the attack, how common the factors are that make it possible, and his custom practical implementation of the technique. At the end, a proof-of-concept, able to work both in passive mode (i.e. only by sniffing the network traffic) and in active mode (namely, by participating directly in the establishment of TLS handshakes), will be released.
(Source: Black Hat USA 2016, Las Vegas)
Encrypting and decrypting, choosing a random number, signing and verifying -- it all seems so logical. But the road to hell is paved with good intentions and a copy of "Applied Cryptography".
This talk will cover recent crypto vulnerabilities in widely-deployed systems and how the smallest oversight resulted in catastrophe. You'll learn why public key crypto is like a Ford Pinto in a demolition derby, the meaning of "PBKDF2", and how Web 2.0 reinvented 1970's-style password hashing, badly. And maybe, just maybe, you'll leave with a newfound respect for the utter brittleness of even the simplest crypto.
Nate Lawson is the founder of Root Labs, which specializes in the design and analysis of embedded security and cryptography. Previously, he worked at Cryptography Research, analyzing cryptographic products and co-designing the Blu-ray content protection layer known as BD+.
In-depth list of attacks against various crypto implementations. Developers seem to have gotten the message not to design their own ciphers. Now, we're trying to get the message out that you shouldn't be implementing your own crypto protocols or constructions, using low-level crypto libraries. Instead, developers should work at a higher level, using libraries like GPGME, Keyczar, or cryptlib. If you do end up designing/implementing your own construction, getting it reviewed by a third party is an expensive but vital task.
Why software protection matters to everyone, including IT professionals. Design principles for making more robust DRM. Attacker tools. Provides a framework in two variables (L and T) for evaluating the longer term success of a DRM system. Gives an update on the latest DRM cracks. Talk given at RSA Conference in the spring of 2008.
Highway to Hell: Hacking Toll Systems (Blackhat 2008) (Nate Lawson)
FasTrak and related toll collection systems have been around since the mid-90’s. I started looking at them because I had never signed up due to privacy concerns. However, while the underlying Title 21 standard is public, I couldn’t find any details about the internal workings of the system or any security measures. I bought a few transponders and took them apart to find out.
Besides support for the standard messages, I found no encryption. So it’s easy for an attacker to use a simple RFID reader to collect transponder IDs from cars in a parking lot, then replay them to bill tolls to the real owners. By only using each stolen ID once, it would be difficult to track them down.
Even more surprising, I found support for a lot of proprietary messages that go far beyond toll collection. By sending a few packets, an attacker can activate a hidden “update mode” that allows the ID to be wiped or overwritten with a different one. This goes against claims that the transponder is “read-only” and “there is no memory to write anything to”.
More information available here:
http://rdist.root.org/2008/08/07/fastrak-talk-summary-and-slides/
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007) (Nate Lawson)
Analysis of virtualized rootkit detection methods. Introduces "Samsara", our framework for detecting virtualization and an implementation of data/instruction TLB sizing, HPET timer, and VT errata tests. We predict the future will be cat-and-mouse, where each side analyzes and responds to the behavior of their opponent, ad infinitum. Joint talk given with Thomas Ptacek and Peter Ferrie.
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007) (Nate Lawson)
History and future of copy protection. Builds on the property of asymmetry as a way of analyzing copy protection features. Defenders only need to increase cost to attackers, not build an impenetrable wall. Included a live demo of reading a C64 game and cracking its protection, as well as an intro to the Xbox 360 drive hacks. Ended with some simple recommendations for repairing the 360 hacks.
An introduction to ACPI for users. Covers how to configure ACPI on FreeBSD and what is currently supported. Given at the Bay Area FreeBSD User's Group, September 6, 2006.
An introduction to ACPI for developers. Includes an example tracing a power management event from the hardware up through the OS and back down. Intended to get other kernel developers interested in helping me maintain FreeBSD's ACPI layer. Given at the Bay Area FreeBSD User's Group, May 3, 2006.
Uses the concept of asymmetry as a foundation for analyzing the security of various systems. Asymmetry in security is the property where mounting an attack is much more difficult for the attacker than the defender's effort required to maintain security. Platform design principles, including a study of sendmail vs. qmail architectures, are recommended for those who are designing their own systems. Given to a SJSU security class on May 1, 2006.
Using FreeBSD to Design a Secure Digital Cinema Server (Usenix 2004) (Nate Lawson)
Case study of a project I did of interfacing a proprietary digital cinema server to a FreeBSD machine, configured to act as a SCSI target. Also contains an analysis of NetBSD's CGD disk encryption with respect to several less common security models. While CGD (and similar products) focus on providing privacy if an attacker has one-time read-only access to the ciphertext, they were not designed to address other threat models. Talk given at Usenix 2004.
Designing and Attacking Virtual Machines (RSA 2004) (Nate Lawson)
Describes using VMs for attack and defense and talks about the need for good partitioning in commodity hardware (i.e., bring LPAR from IBM's VM to x86 today.) Introduces the metric of "cross-section", which is the number/size of unique inputs that need to be recorded to reproduce the VM state. Talk given at the RSA conference, 2004.
2. Overview
• Introduction to SSL/TLS
– Focus on SMTP+SSL
• Design goals and result
• Cryptography primer
– Desired properties
– Primitives for implementing them
• Protocol walkthrough in detail
• Attacks and mitigation
3. My background
• Root Labs founder
– Design and analyze security systems
– Emphasis on embedded, kernel, and crypto
• Previously, Cryptography Research
– Paul Kocher’s company (author of SSL 3.0)
– Co-designed Blu-ray disc security layer, aka BD+
• Crypto engineer at Infogard Labs
• FreeBSD committer
4. Security is hard but rewarding
• Protocols and crypto are susceptible to very minor mistakes
• Example: SSL timing attacks over the Internet
• Hard = fun and $
– Breaking and building things is exciting
– Security is a desired skill for any resumé
5. SSL history
• SSL (Secure Sockets Layer) v2.0 (1994)
– Serious security problems including incomplete MAC coverage of padding
– Designed by Netscape
• SSL v3.0 (1996)
– Major revision to address security problems
– Paul Kocher + Netscape
• TLS (Transport Layer Security) 1.0 (1999)
– Added new crypto algorithm support
– IETF takes over
• TLS 1.1 (2006)
– Address Vaudenay’s CBC attacks on record layer
– Provide implementation guidance
6. Layered model
• SSL provides security at the transport layer (OSI model L4)
– Stream of bytes in, private/untampered stream of bytes out
– Application logic is unmodified
– Can be adapted to datagram service also (DTLS)
• Compare to IPSEC
– Mostly used as an L3 protocol
7. SMTP over SSL
• HTTP, SMTP, POP, IMAP, etc. all have SSL variants
• Two design choices to add SSL
– Use alternate port since SSL session establishment differs from original protocol
– SMTPS (TCP port 465 and 587)
– Add protocol-specific message to toggle SSL mode
– STARTTLS over port 25 (RFC 3207)
• SMTP session over SSL is unchanged
8. Security goals
• Privacy
– Data within SSL session should not be recoverable by anyone except the endpoints
• Integrity
– Data in transit should not be modified without detection except by the endpoints
• Authentication
– No endpoint should be able to masquerade as another
9. Attacker capabilities
• Sorted by increasing power
• Normal participant
– Can talk to server that is also talking to other parties
• Passive eavesdropping
– Observe any or all messages sent by other parties
• Active (Man in the Middle)
– Insert or replay old messages
– Modify
– Delete or reorder
• Secure protocols must address all these threats
10. Crypto property: privacy
• No one other than the intended recipient of a message can determine its contents
• Caveats
– Adversary could have powers of knowing or choosing plaintext
– Traffic analysis
– Length, latency, unencrypted data like IP or Ethernet addresses
– Side channel attacks: power consumption, EM, timing of operations
11. Crypto property: integrity
• Any change made to a message after it has been sent will be detected by the recipient
– Corollary: reordering, replay, insertion, or deletion of messages will also be detected
• Caveats
– Privacy is not integrity protection
– Error recovery
– You can’t always terminate the session
– Root of trust (shared system?)
12. Crypto property: authentication
• Messages can be associated with a given identity with high level of confidence
• Caveats
– Managing identification
– Lost keys, forgotten passwords, laptop walks away
– Revocation of old keys and refreshing to new ones
– Bootstrapping: what is your root of trust?
13. Security goal implementation
• Privacy
– Data is encrypted with block cipher (e.g., AES)
– Cipher key is exchanged via public key crypto (e.g., RSA)
• Integrity
– Data is protected by a MAC (e.g., SHA1-HMAC)
• Authentication
– Server and/or client identity is verified via certificates
14. Primitive: symmetric crypto
• Block ciphers turn plaintext block into
ciphertext using a secret key
– Recipient inverts (decrypts) block using
same key
• Examples: AES, 3DES, RC5
15. Primitive: symmetric crypto
• Often requires “chaining” to encrypt
messages longer than a single block
• This does not provide integrity
protection
16. Primitive: public key crypto
• Data transformed with one key can only
be inverted with the other key
(asymmetric)
• Examples: RSA, Diffie-Hellman, DSA
– And elliptic curve variants
• Can encrypt data to a recipient without
also being able to decrypt it afterward
• Can sign data by encrypting it with one
key and publishing the other
18. Primitive: certificates
• Associate a name with a public key
– Trusted party uses private key to sign the
message “joe.com = 0x09f9…”
– Public key of trusted party came with your
web browser
• Key management still a problem
– Expire certs and explicitly revoke them if a
private key is compromised (CRL)
– Or, check with the trusted party each time
you want to use one (OCSP)
19. Primitive: message authentication code
• A MAC combines a hash function and
secret key with the data to protect
– Resulting MAC is transmitted with message
– Recipient performs same process and
verifies result matches
• Attacker cannot…
– Modify message without changing its hash
– Forge a new MAC value without knowing the
key
• Examples: SHA1-HMAC, AES CMAC
20. Primitive: secure PRNG
• Outputs a cryptographically-strong,
pseudo-random stream of data based
on initial seed
– Initial seed needs to have enough entropy
– PRNGs used many places (key generation,
IVs, nonces)
• Examples: /dev/random, Yarrow
– Often based on a hash function like SHA-1
21. Overview of typical session
Client                          Server
ClientHello          -------->
                     <--------  ServerHello
                     <--------  Certificate
                     <--------  ServerHelloDone
ClientKeyExchange    -------->
ChangeCipherSpec     -------->
Finished             -------->
                     <--------  ChangeCipherSpec
                     <--------  Finished
ApplicationData      <------->  ApplicationData
23. Message: Client/ServerHello
• Initiates connection and specifies
parameters
– Initiator sends list (i.e., CipherSuites) and
responder selects one item from list
– SessionID is used for resuming (explained
later)
Client/ServerHello
Version
RandomData
SessionID
CipherSuites
CompressionMethods
24. Message: Certificate
• Provides a signed public key value to
the other party
– Almost always the server although clients
can also authenticate with a cert
– Other side must verify information in cert
(i.e., the DN field is myhost.com = IP
address in my TCP connection)
Certificate
ASN.1Cert
25. Message: ServerHelloDone
• Signifies end of server auth process
– Allows multi-pass authentication handshake
– Otherwise unimportant
• Cert-based auth is single-pass
26. Message: ClientKeyExchange
• Client sends encrypted premaster
secret to server
– Assumes RSA public key crypto (most
common)
– Server checks ClientVersion matches
highest advertised version
ClientKeyExchange
RSA-PubKey-Encrypt(
ClientVersion
PreMasterSecret[48]
)
27. Message: ChangeCipherSpec
• Indicates following datagrams will be
encrypted
– Disambiguates case where next message
may be error or encrypted data
• Each side now calculates data
encryption key (K)
MasterSecret computation
Hash(
PreMasterSecret
ClientRandom
ServerRandom
)
28. Message: Finished
• Indicates all protocol negotiation is
complete and data may be exchanged
– First encrypted message of each party
– Includes hashes of all handshake messages
seen by each side
– Also, magic integers 0x434C4E54 or 0x53525652
(why?)
Finished
AES-K-Encrypt(
Magic
MD5(handshake_messages)
SHA1(handshake_messages)
)
29. Message: ApplicationData
• Encapsulates encrypted data
– Includes MAC for integrity protection
– Can span multiple TCP packets
ApplicationData
AES-CBC-K-Encrypt(
Type
Version
Length
Data
MAC
Padding
PaddingLength
)
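Added example, not from the original deck, tying slides 19 and 29 together: it builds the plaintext of an ApplicationData record (Data || MAC || Padding || PaddingLength) exactly as it would be handed to AES-CBC-K-Encrypt, and shows the receiver-side check that rejects a record whose data, padding or sequence position has been changed. The MAC follows the TLS 1.1 layout (64-bit sequence number, type, version, length and fragment under SHA1-HMAC); the AES-CBC step is omitted so the block runs on the Python standard library alone, and MAC_KEY is a constructed sample value rather than a key derived from a MasterSecret.

```python
import hmac
import hashlib
import struct

# Constructed sample MAC_write_secret (20 bytes for SHA1-HMAC). A real one is
# derived from the MasterSecret and never hard-coded.
MAC_KEY = bytes(range(20))

APPLICATION_DATA = 23   # record content type
TLS_1_1 = 0x0302        # record version


def record_mac(mac_key, seq_num, content_type, version, fragment):
    """SHA1-HMAC over sequence number, record header and plaintext fragment.
    Covering the sequence number is what makes replay and reordering
    detectable, not just modification of the bytes themselves."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def cbc_padding(body_len, block_size=16):
    """TLS-style padding: pad_len bytes each equal to pad_len, then the
    PaddingLength byte, bringing the total to a multiple of the block size."""
    pad_len = (block_size - (body_len + 1) % block_size) % block_size
    return bytes([pad_len] * pad_len) + bytes([pad_len])


def build_record_plaintext(mac_key, seq_num, content_type, version, data):
    """Data || MAC || Padding || PaddingLength: the input to AES-CBC-K-Encrypt
    on the slide (encryption itself is left out of this example)."""
    body = data + record_mac(mac_key, seq_num, content_type, version, data)
    return body + cbc_padding(len(body))


def open_record_plaintext(mac_key, seq_num, content_type, version,
                          plaintext, mac_len=20):
    """Inverse of build_record_plaintext: returns the data, or None on any
    failure. Padding and MAC failures deliberately share one result so a
    sender cannot tell them apart."""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 + mac_len > len(plaintext):
        return None
    padding = plaintext[-(pad_len + 1):-1]
    if any(b != pad_len for b in padding):
        return None
    body = plaintext[:len(plaintext) - pad_len - 1]
    data, mac = body[:-mac_len], body[-mac_len:]
    expected = record_mac(mac_key, seq_num, content_type, version, data)
    if not hmac.compare_digest(mac, expected):    # constant-time comparison
        return None
    return data


if __name__ == "__main__":
    msg = b"GET / HTTP/1.1\r\n"
    rec = build_record_plaintext(MAC_KEY, 0, APPLICATION_DATA, TLS_1_1, msg)
    print("accepted:", open_record_plaintext(MAC_KEY, 0, APPLICATION_DATA, TLS_1_1, rec))
    tampered = bytearray(rec)
    tampered[0] ^= 0x01
    print("tampered:", open_record_plaintext(MAC_KEY, 0, APPLICATION_DATA, TLS_1_1, bytes(tampered)))
    print("replayed:", open_record_plaintext(MAC_KEY, 1, APPLICATION_DATA, TLS_1_1, rec))
```

The receiver keeps its own sequence counter and never reads it from the wire, so a record presented out of order or a second time fails the MAC even though its bytes are untouched. This is the "corollary" from slide 11 in concrete form.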
31. Formal verification of protocol security
• Goal: formal system for finding any
security problems in design
– BAN logic [BAN90]
– Formalized authentication with primitives like “X
said” and “Y believes”
– Model checking [MMS98]
– Build a FSM model of the system and enumerate
states
• Difficult and time consuming but worth
it if your protocol is important
32. Attack: similarly-named certs
• What if server has valid certificate but a
similar name to another server?
– Example: Microsoft vs. Micr0soft
• Outside the scope of SSL but relevant
• Used all the time with phishing emails
– But few bother with SSL currently
– Yellow lock JPEG on page sufficient
– Now, please enter your PIN
33. Attack: side channel
• Side effects of handling secure data can
be indirectly observed
• Example: timing attack on server’s
private key [BB03]
– Observe how long the server takes to return
an error when sending invalid
ClientKeyExchange
– Bits of the key can slowly be discovered
… over the Internet
• Tricky problem to be sure you’ve solved
adequately
34. Conclusions
• SSL provides a well-tested secure
transport layer
• Security protocols require careful
interdependence of primitives
– Privacy
– Integrity protection
– Authentication
• Easy to make mistakes designing
security and crypto in particular
• This stuff is a lot of fun!
35. Recommended reading
• [TLS06] The Transport Layer Security (TLS) Protocol, Version 1.1.
http://tools.ietf.org/html/rfc4346
• [Resc02] Rescorla, E. Introduction to OpenSSL programming.
http://www.rtfm.com/openssl-examples/
• [WS96] David Wagner and Bruce Schneier. Analysis of the SSL 3.0 Protocol.
1996. http://citeseer.ist.psu.edu/wagner96analysis.html
• [MMS98] John C. Mitchell, Vitaly Shmatikov, and Ulrich Stern. Finite-state
analysis of SSL 3.0. In Seventh USENIX Security Symposium, pages 201 - 216,
1998. http://citeseer.ist.psu.edu/mitchell98finitestate.html
• [BAN90] Burrows, M., Abadi, M., and Needham, R. M. "A Logic of
Authentication", ACM Transactions on Computer Systems, Vol. 8, No. 1, Feb
1990, pp. 18 - 36. A Formal Semantics for Evaluating Cryptographic Protocols p
14. http://citeseer.ist.psu.edu/burrows90logic.htm
• [BB03] D. Boneh and D. Brumley. Remote Timing Attacks are Practical.
Proceedings of the 12th USENIX Security Symposium, August 2003.
http://citeseer.ist.psu.edu/article/boneh03remote.html
36. Fixing v2.0: downgrade attacks
• Backwards compatibility with insecure
protocol is difficult
– Active attacker could change ServerHello to
advertise v2-only
• Clever solution: put 64 bits of 0x3 in
the RSA padding
– Attacker cannot substitute their own key
without breaking the server cert
– Luckily, SSL v2 only supported RSA key
exchange
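Added example, not from the original deck, covering the two server-side rollback checks from slides 26 and 36: the ClientVersion carried inside the 48-byte PreMasterSecret, and the eight 0x03 bytes (the "64 bits of 0x3") that a v3-capable client places at the end of the PKCS#1 padding string when it is forced through a v2 key exchange. The RSA encryption itself is left out: only the PKCS#1 v1.5 type 2 block that would be encrypted is built and parsed. The function names are this example's own.

```python
import os

# The marker an SSL 3.0-capable client writes into the last 8 bytes of the
# PKCS#1 padding string when it has to fall back to the v2 handshake.
ROLLBACK_MARKER = b"\x03" * 8


def pkcs1_type2_pad(message, modulus_len, v3_client_in_v2_handshake=False):
    """PKCS#1 v1.5 type 2 encryption block: 00 || 02 || PS || 00 || M.
    PS is at least 8 nonzero random bytes so the first zero byte after the
    header unambiguously marks where M starts."""
    ps_len = modulus_len - len(message) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytearray()
    while len(ps) < ps_len:                   # keep drawing until PS has no zero bytes
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    if v3_client_in_v2_handshake:
        ps[-8:] = ROLLBACK_MARKER             # slide 36: signal "I could have done v3"
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


def pkcs1_type2_unpad(block):
    """Split a block back into (PS, M); raises ValueError when malformed."""
    if len(block) < 11 or block[:2] != b"\x00\x02":
        raise ValueError("bad block header")
    sep = block.find(b"\x00", 2)
    if sep < 10:                              # not found, or PS shorter than 8 bytes
        raise ValueError("padding string too short or separator missing")
    return block[2:sep], block[sep + 1:]


def rollback_marker_present(padding_string):
    """Server check from slide 36. An attacker rewriting the Hellos to force v2
    cannot strip this marker: it sits inside data encrypted to the server's
    certificate key, which the attacker cannot replace."""
    return padding_string[-8:] == ROLLBACK_MARKER


def build_pre_master_secret(client_version):
    """PreMasterSecret[48] = ClientVersion (2 bytes) || 46 random bytes."""
    return bytes(client_version) + os.urandom(46)


def pre_master_version_ok(pre_master_secret, client_hello_version):
    """Server check from slide 26: the version inside the encrypted
    PreMasterSecret must equal the highest version the ClientHello advertised,
    otherwise someone between the parties lowered the version in the clear."""
    return (len(pre_master_secret) == 48
            and tuple(pre_master_secret[:2]) == tuple(client_hello_version))


if __name__ == "__main__":
    ps, _ = pkcs1_type2_unpad(pkcs1_type2_pad(b"secret", 128, v3_client_in_v2_handshake=True))
    print("rollback marker seen:", rollback_marker_present(ps))
    pms = build_pre_master_secret((3, 1))
    print("version consistent with ClientHello 3.1:", pre_master_version_ok(pms, (3, 1)))
    print("version consistent with ClientHello 3.0:", pre_master_version_ok(pms, (3, 0)))
```

Both checks rely on the same idea: bind the negotiated version to something the attacker cannot rewrite without the server's private key. A server that sees either condition should abort the handshake rather than continue with the weaker protocol.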