transport layer security (tls)

34
1 Transport Layer Security (TLS) Team: Techno Gautami Parulkar Hariharan Venkataraman Jigar Patel karthik gottiparthy Neeraj Sharma

Upload: liora

Post on 25-Feb-2016

85 views

Category:

Documents


0 download

DESCRIPTION

Transport Layer Security (TLS). Team: Techno G autami Parulkar Hariharan Venkataraman Jigar Patel karthik gottiparthy Neeraj Sharma. Presentation Agenda……. Introduction TLS Protocol Stack TLS Handshake Improvement Demo. TLS…. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Transport Layer Security (TLS)

1

Transport Layer Security (TLS)

Team: Techno

Gautami ParulkarHariharan Venkataraman

Jigar Patelkarthik gottiparthy

Neeraj Sharma

Page 2: Transport Layer Security (TLS)

2

Presentation Agenda……

Introduction TLS Protocol Stack TLS Handshake Improvement Demo

Page 3: Transport Layer Security (TLS)

3

TLS… Cryptographic protocol to provide

secure communications on the internet

Similar to SSL with slight differences

Preventions of eavesdropping, tampering, and message forgery

Current approved version of TLS is 1.1

Page 4: Transport Layer Security (TLS)

4

TLS Protocol Stack…

TLS

IPTCP

HTTP FTP SMTP

TLS Record Protocol

TLS Handshake Protocol

TLS Change Cipher Spec Protocol

TLS Alert Protocol

1 2 3

Page 5: Transport Layer Security (TLS)

5

Data

TLS Record Protocol…

Data MAC Data MAC

Encrypted Data & MACRecordheader

Page 6: Transport Layer Security (TLS)

6

Full TLS Handshake…

Page 7: Transport Layer Security (TLS)

7

Limitations of TLS…

Time consuming Handshake messages during connection establishment.

Limitation of the session caching period at the server’s cache.

Access security threat (web jacking). Time consuming and expensive RSA

private key decryption. Denial of Service Attacks (DoS).

Page 8: Transport Layer Security (TLS)

8

Limitations condt…

Denial of Service Attacks (DoS).

Page 9: Transport Layer Security (TLS)

9

Counter Measures…

Resume Handshake Mechanism: The client resumes the previously negotiated TLS

session by sending the session ID.

The server stores the session for certain period of time before evicting the session (aborting the session) causing the client to perform the full Handshake.

Amazon’s servers evict the session every 2mins .As a result the clients had to perform full handshake even tough the client wanted to resume the session

Page 10: Transport Layer Security (TLS)

10

Eric Rescorla,Dan Boneh,Hovav Shacham proposed two mechanism.

1. Fast Track Handshake Message.2. Client side session caching.

Fast Track Handshake Message:The ordinary TLS handshake mechanism follows:

1) negotiating the session parameter’s2) authentication of the server and optionally the client.3) Establishing the shared cryptographic secret  

Page 11: Transport Layer Security (TLS)

11

Ordinary TLS Handshake

The ordinary TLS handshake follows: negotiating the session parameter’s

authentication of the server and optionally the client.

Establishing the shared cryptographic secret

Page 12: Transport Layer Security (TLS)

12

Fast Track Handshake…

Specifically used for short lived TLS session ,no resumption done.

The peers have not communicated at all.

The client and the server well established session got expired in the middle.

Eg. Amazon clients placed multiple requests in the 2min window of the server’s cache.

Page 13: Transport Layer Security (TLS)

13

Fast Track HS condt.

The Fast track clients store the long-lived server information such as the server certificate and the preferred cipher suite.

The HS parameters are called the determining Parameters.

The long-lived parameters do not change unless the configuration of either the client or the server changes.

Page 14: Transport Layer Security (TLS)

14

Handshake Parameters…

1st Category:The server’s certificate

chain;   The server’s Diffie-

Hellman group, if any; and

  Whether client authentication is required; if so,

   Acceptable client certificate types; and

    Acceptable certificate authorities.

2nd Category: The preferred

client–server cipher suite; and

The preferred client–server compression method

Page 15: Transport Layer Security (TLS)

15

Fast Handshake Diagram

Page 16: Transport Layer Security (TLS)

16

Description… The clientHelloFT message must include the

fast-track hash function with the Hash of determining parameters.

Once the client validates the server certificate ,it is not required to again revalidate it.

Verification of the SHA-1 hash of the determining parameters is required.

Page 17: Transport Layer Security (TLS)

17

The server uses the information of clientHello msg and its own configuration to form a version of determining parameters.

These determining parameters are exchanged using the cryptographic hash and for more security handshake MAC is included in the finished message.

The 3 msg Server Certificate,Certificate Request, Server Hello done are not included in the Fast Track Handshake.

Page 18: Transport Layer Security (TLS)

18

Performance Table…

Page 19: Transport Layer Security (TLS)

19

Details…

The first cipher suite, called “TLS RSA WITH 3DES EDE CBC SHA” in RFC 2246 (and called “DES-CBC3-SHA” in OpenSSL), uses RSA for key exchange. It does not require a ServerKeyExchange message to be sent.

The second cipher suite, “TLS DHE RSAWITH 3DES EDE CBC SHA” (“EDH-RSA-DES-CBC3-SHA” in OpenSSL), employs EDH for key exchange, with RSA authentication .

Page 20: Transport Layer Security (TLS)

20

Advantages & Disadvantages

Advantages: It implements 3 flows instead of 4 flows. It saves bandwidth and time , improves

network traffic.

Disadvantages: Does not support RSA key exchange. Though the 3 msg are not included in the

HS ,they do not involve any significant computational intensive operations.

Page 21: Transport Layer Security (TLS)

21

Client Side Caching…

To reduce the overload of session caching on the server, the client is forced to store the session information in its cache.

This mechanism is used for resuming the sessions.

The cached data sent to client is encrypted by symmetric cipher key called the enc-key.

Page 22: Transport Layer Security (TLS)

22

Client side caching condt.

The integrity is still not guaranteed ,server uses MAC with the fixed server key called mac-key.

A token is formed using enc-key and mac-key. Token= enc-key [cache data || mac] Mac= mac-key [cache data]

Page 23: Transport Layer Security (TLS)

23

The Authentication Token retains all the information about the session .Only that the master key has to be shared.

This token is included in the session ID .

Problem: The session Id is 32 bytes but the master

secret in the token is 48 bytes, cannot fit in the ID.

The server provides the session ID in the server Hello message, which is transmitted before it knows the master secret.

Page 24: Transport Layer Security (TLS)

24

To overcome this problem the normal zero length session ID is sent in the server hello message.

Then the extended session ID message is sent containing the authentication token is sent immediately before the change cipher spec message.

Page 25: Transport Layer Security (TLS)

25

Connection Establishment…

Page 26: Transport Layer Security (TLS)

26

During the connection establishment the client signals the server about its capability of CSSC using the client side cache capable extension in the client Hello.

If the server wants to request it sends a client side cache capable request extension.

For the resumption of the session the client send the authentication token, if it is less than 256 bytes, it is placed in the session ID.

Page 27: Transport Layer Security (TLS)

27

Disadvantage

The session can become invalid due to expiration, improper closer and error. Authentication tokens are self-authenticating and hence it is difficult to invalidate the session easily, if an error is found .

Solution: To invalidate the session is to have a blacklist consisting of sessions that have been invalidated but may not have been expired.

Page 28: Transport Layer Security (TLS)

28

Performance Improvement by Re-balancing Clients send simultaneous requests flooding

the server causing it to crash or result in Denial of Service.

DoS attacks cause the server to deny service to legitimate clients.

The server consumes a lot of CPU processing time to perform the costly computation like decrypting key.

Page 29: Transport Layer Security (TLS)

29

Solution to this problem is Load Distribution where the client performs more work and the server performs commensurately less work.

A mechanism called the Client Aided RSA speeds up the processing by the factor of 11 to 19.

Page 30: Transport Layer Security (TLS)

30

The server can encrypt the session key thus shifting the decryption burden to the client. But for this the server has to authenticate the client and if the server cannot verify it will lead to DOS attacks.

The server needs to verify all the certificate chain. Therefore, the Client Aided RSA is used.

Page 31: Transport Layer Security (TLS)

31

Page 32: Transport Layer Security (TLS)

32

CA-RSA

Page 33: Transport Layer Security (TLS)

33

Attacks on TLS… Denial of Service is an incident in which a

user or organization is deprived of the services of a resource they would normally expect to have.

Man in the middle (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between the two communicating peers.

Page 34: Transport Layer Security (TLS)

34

Conclusion… SSL / TLS is the most widely deployed

security protocol, standard Easy to implement, deploy and use Widely available, flexible, supports

many scenarios Mature cryptographic design