Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

SSL/TLS: An Introduction

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

TLS Overview

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

Problem

• Problem: Creating applications which can communicate securely over the Internet

• TLS: Transport Layer Security (SSL)• Certificates• Related technology: S-HTTP, IPSec, SET,

SASL

• References

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

What is SSL/TLS

• SSL (Secure Socket Layer) is an encryption protocol designed by Netscape,

• and TLS (Transport Level Security) is the successor protocol designed by the IETF.

• The protocols are designed to fit between the TCP/IP layer and the application layer(HTTP, SMTP).

• The most common uses of SSL/TLS are HTTP(web) and SMTP(mail), and like PGP, SSL/TLS uses public key cryptography.

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

TLS: Overview

• Establish a session – Agree on algorithms– Perform authentication– Share secrets

• Transfer application data– Ensure privacy and integrity

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

What is TLS?

• Protocol layer • Requires reliable transport layer

(e.g. TCP)• Supports any application protocols

IPTCPTLS

HTTP Telnet FTP LDAP

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

Changes from SSL 3.0 to TLS

• Additional Alerts added• Modification to hash calculations• Protocol version 3.1 in ClientHello,

ServerHello

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

TLS: HTTP Application

• HTTP most common TLS application– https://

• Requires TLS-capable web server• Requires TLS-capable web browser

– Netscape Navigator– Internet Explorer– Cryptozilla

• Netscape Mozilla sources with SSLeay

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

TLS Architecture

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

TLS: Record Protocol

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

TLS Handshake Protocol

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

TLS Handshake: Three Goals

1. Negotiate Cipher-Suite Algorithms– Symmetric cipher to use– Key exchange method– Message digest function

2. Optionally authenticate server and/or client

3. Establish and share master secret

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

Handshake Phases

• Hello messages• Certificate and Key Exchange

messages• Change CipherSpec and Finished

messages

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

TLS: Hello

• Client “Hello” - initiates session– Propose protocol version– Propose cipher suite– Server chooses protocol and suite

• Client may request use of cached session– Server chooses whether to honor

request

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez

References

• http://www.openssl.org/

• http://www.openssl.org/docs/

• http://httpd.apache.org/docs-2.0/ssl/

• Stallings, William Cryptography and Network Security: Principles and Practice, 2nd Edition, Prentice Hall, 1999.

• Wagner, David, Schneier, Bruce “Analysis of the SSL 3.0 Protocol” <http://www.counterpane.com/ssl.html>

• Internet Drafts and RFCs <http://www.ietf.org/>.