Secure&Socket&Layer&(SSL)& SSL# THE&PROTOCOL& 2&
Security in the TCP/IP stack HTTP# SMTP# FTP# HTTP# SMTP# FTP# SSL,#TLS# TCP# TCP# IP/IPSec# IP# Kerberos& PGP# SET# SMTP# HTTP# UDP# TCP# IP# Network#layer# Transport#Layers# ApplicaAon#layer# 3& La suite di protocolli SSL Applicazioni Protocollo Handshake Protocollo Change Cipher Protocollo Alert HTTP Protocollo Record TCP IP 4
References! Secure&Socket&Layer&(SSL)& Netscape# hdp://wp.netscape.com/eng/ssl3/#! Transport&Layer&Security&(TLS)& Based#on#SSL#v3.0# RFC#2246# Rp://Rp.rfcTeditor.org/inTnotes/rfc2246.txt# Same#design#as#SSL#but#different#algorithms# 5& History&of&the&protocol&! SSL Developed by Netscape in mid 1990s SSLv1 broken at birth (never publicly released) SSLv2 flawed, now IETF-deprecated (RFC 6176) SSLv3 still widely supported (since 1996)! TLS IETF-standardized version of SSL. TLS 1.0 in RFC 2246 (1999), based on SSLv3 but NOT interoperable TLS 1.1 in RFC 4346 (2006). TLS 1.2 in RFC 5246 (2008). 6&
Session vs connection Session Client connection Server! A#session#is#a#logical#associaAon#between#a#Client#and# a#server#! Created#by#the#Handshake&protocol&! Define#a#set#of#crypto&pars&that#can#be#shared#by#mulAple# connecaons#! Avoid#expensive#negoAaAon#of#crypto#pars#for#each# connecaon& 7& Session&vs&connecHon& session& client& connechon& server& SESSION#STATE# session#idenafier# Peer#cerAficate#(X.509v3)## compression#method# cipher#spec# pretmaster#secret#(48#bytes)# 8&
Session&vs&connecHon& session& Cliente& connechon& Server& CONNECTION&STATE& Server#random#number#(nonce)# Client#random#number#(nonce)# Server#write#MAC#secret# Client#write#MAC#secret## Server#write#key# Client#write#key# IniAalizaAon#vectors# Sequence#numbers# 9& Payload& The&Record&Protocol& FragmentaHon# (max#2 14 #bytes)# Compression# max#2 14 #+#1024#bytes# MAC& EncrypHon& The#Record#Protocol# encapsulates#data#from#higher# layers#so#guaranteeing# confidenaality#and#integrity#of# communicaaon# Heading# (max#2 14 #+#2048)# 10&
Il Protocollo Record! Fragmentation fragments application data in 2 14 - bytes blocks! Compression must be lossless and must not increase the block size more than 1024 bytes (default = null)! MAC uses the [Server Client] write MAC secret, the sequence number, the compressed block, pad! Encryption uses the [Server Client] write key Use block and steam ciphers Does not increases the block size more than 1024 byte 11 Il Protocollo Record Intestazione Tipo di payload change cipher, alert, handshake, application Versione principale Versione minore Lunghezza compressa Fragment size 2 14 + 2048 12
Tipi di payload 1byte 1byte 3byte 0byte 1 tipo lunghezza contenuto Protocollo Change Cipher Protocollo Handshake 1byte livello 1byte allarme 0byte Contenuto opaco Protocollo Alert Protocollo Applicativo (HTTP, ) 13 The&Handshake&Protocol&! Establish a secure session Client and server authenticate each other Client and server negotiate the cipher suite Key establishment scheme; Encryption scheme (used in the RP) MAC (used in the RP) Client and server establish a shared secret (premaster secret)! Before any application data! The most complex part of SSL 14
Handshake&Protocol:&basic&scheme& client# server# RSA# EncrypAon# Network# RSA# DecrypAon# pretmaster&secret#(48#byte)# 15& Handshake&Procol:&basic&scheme& Server&AuthenHcaHon&only& client& server& 1.&client_hello& client#nonce# client#nonce# 2.&server_hello& server#nonce# server#nonce# 3.&cerHficate& 4.&server_hello_done& pretmaster# secret# RSA# EncrypAon# 5.&client_key_exchange& RSA# DecrypAon# pretmaster## secret# 16
Hello&message&! By#means#of#Hello#msgs,#Client#and#Server#tell# each#other#what#they#are#able#to#do# client_hello#and#server_hello# SSL#version## Random:#Amestamp#[32#bit]#+#random#byte[28]# Session#id# Cipher#suite## Compression#method# 17& Cipher&suite&! Cipher suite is a list of algorithm triples <key establishment, cipher, MAC> Some triples are standard (SSL_RSA_WITH_3DES_EDE_CBC_SHA) Supported key establishment schemes RSA Fixed Diffie-Hellman (public pars are fixed and certificated) Ephemeral Diffie-Hellman (public pars are dynamic and signed) Anonymous Diffie-Hellman (non authenticated) Supported ciphers RC4, RC2, DES, 3DES, IDEA, Supported MAC MD5, SHA-1 18
Server client+side+ Key&generaHon& In#the#Hello#msgs& Pedefined#data# pretmaster#secret# client#nonce# server#nonce# PreTmaster&is&an&entropy& source! Hash#MulATstep# Server#write#MAC#secret## # key#block# # Client#write#MAC#secret### Server#write#key############# Client#write#key########## altro ########## 19& Handshake&protocol& client# server# client#write## key# h()# E()# client#nonce# server#nonce# pretmaster#secret# server#ceraficate# client_finished# server_finished# h()# server#write# key# change_cipher_spec& client_finished& client# write#key# h()# D()# =# client#nonce# server#nonce# pretmaster#secret# server#ceraficate# client_finished# server_finished# h()# =# D()# change_cipher_spec& server_finished& E()# server#write# key# 20&
Client&authenHcaHon&! HP#authenAcates#the#server#by#default#! How#can#the#client#be#authenAcated?## Typically,#the#client#is#authenAcated#at#the# applicaaon#level# password,#credit#card#number#(!!), #! SSL#supports#client#authenAcaAon#w.r.t.#the# server# 21& client Client&authenHcaHon& Server#requires#client#authenAcaAon#by#means#of#the# cerhficate&request#msg#arer#server_hello& AuthenAcaAon#is#based#on#challenge)response! client certificate server certificate client nonce server nonce pre-master secret h() challenge certificate server client private key Firma digitale (RSA) response certificate verify 22
Security&! Handshake#Protocol# Nonces#in#client#hello#and#server#hello# Nonces#make#it#possible#generate#a#fresh#master#secret#and#avoid# replay#adacks# CerAficates# Avoid#MIM# Random#quanAAes## PreTmaster#secret#and#nonces#must#be#impredictable##! Record#Protocol## A#block#is#numbered,#authenAcated#and#encrypted# Avoid#block#replay,#reordering#and#subsAtuAon# Cipher# protects #the#mac# 23& Set&of&messages& TIPO& hello_request& client_hello& server_hello& cerhficate& server_key_exchange& cerhficate_request& server_hello_done& cerhficate_verify& client_key_exchange& finished& No&pars& CONTENUTO& version,&nonce,&session&idcipher&suite,&compression& method& version,&nonce,&session&id,&cipher&suite,&compression& method& CerHficate&X.509v3& Pars,&signature& Type,&authority& No&pars& signature& Pars,&signature& hash& 24&
An&overview& Client#hello# Server#hello# Server#cerAficate# Client#cerAficate#request*# Server#hello#done# PreTmaster#secret# Client#cerAficate*# Finished# Finished# Secure#data#exchange# Secure#data#exchange# CLIENT& SERVER& HANDSHAKE& RECORD& SNCS& SSL& 25& (*)#OpAonal# Handshake&protocol:&an&overview& ophonal& Client# Server# client_hello# server_hello# ceraficate# server_key_exchange# ceraficate_request# server_hello_done# ceraficate# client_key_exchange# ceraficate_verify# change_cipher_spec# finished# change_cipher_spec# finished# 1&round& Exchange#of# security# capabiliaes# 2&round& Server# authenacaaon# 3&round& Client# authenacaaon# 4&round& Conclusion# SNCS& SSL& 26&
The&other&protocols&in&the&SSL&suite&! The change cipher spec protocol consists in one single message (cleartext) to make the negotiated crypto suite operational! The alert protocol notifies alarms to peers unexpected_message no_certificate bad_record mac bad_certificate decompression_failure unsupported_certificate handshake_failure certificate_revoked illegal_parameter certificate_expired certificate_unknown 27 SSL# ON&USING&SSL&IN&ETCOMMERCE& 28&
SSL&in&acHon& Is#it#really#true?# 29& Is&it&the&right&cerHficate?& www.good_bargain.com& Redirect& Alice#(SSL)#successfully#verifies#the#bank# ceraficate,#establishes#a#secure# connecaon,#and#sends#her#pwd/pin#along# the#connecaon# www.bank.com& 30&
Is it the right certificate? www.very_good_bargain.com& Redirect& Alice#is##deceived#by#social#engineering#techniques# www.bamk.com& 31& Is&it&the&right&cerHficate&! SSL operates at the transport level rather than the application level Browser notifies if the URL known to the browser is equal to that in the certificate Browser notifies whether a certificate is signed by an unknown CA These controls may be not sufficient for all web applications The user has the last word Does the user understand security? Usability vs security 32&
Risk&allocaHon&! PIN/PWD#is#a#shared#secret#! In#a#home#banking#contract,#the#user#commits# himself#to#protect#the#pin/pwd# confidenaality#! In#a#fraud#it#is#evident#that#the#PIN/PWD# confidenaality#has#been#violated#! Who#is#liable#for?# 33& ETpayment&by&credit&card& SSL& nr.#5490#1234#5678#valid#thru#00/00#! Credit#card#number#is#public&! Is#the#sender#Richard#Cronwell?#! How#can#the#merchant# discriminate#between# the#two#situaaons?# 34
ETpayment&by&Credit&Card& Decreto&legislaHvo&22&maggio&1999,&n.&185,&di&& abuazione&della&diredva&97/7/ce&& Art.&8&T&Pagamento&mediante&carta& 1.#Il#consumatore#può#effeDuare#il#pagamento#mediante#carta#ove#ciò#sia# previsto#tra#le#modalità#di#pagamento,#da#comunicare#al#consumatore#al#sensi# dell'aracolo#3,#comma#1,#ledera#e),#del#presente#decreto#legislaavo.# 2.#L'isAtuto#di#emissione#della#carta#di#pagamento#riaccredita#al#consumatore#i# pagamena#dei#quali#quesa#dimostri#l'eccedenza#rispedo#al#prezzo#paduito# ovvero#l'effeduazione#mediante#l'uso#fraudolento#della#propria#carta#di# pagamento#da#parte#del#fornitore#o#di#un#terzo,#fada#salva#l'applicazione# dell'aracolo#12#del#decretotlegge#3#maggio#1991,#n.#143,#converato,#con# modificazioni,#dalla#legge#5#luglio#1991,#n.#197.#l'isatuto#di#emissione#della#carta# di#pagamento#ha#dirido#di#addebitare#al#fornitore#le#somme#riaccreditate#al# consumatore.# 35 ETpayment&by&Credit&Card& " Gli&isHtuH&di&emissione,#cui#compete#l'autorizzazione#dell'operazione#di# pagamento,#nonché#i#soggeu#che#rendono#tecnicamente#possibile#la# transazione#ontline,#sono&tenuh&a&controllare&la&correbezza&del&numero& della&carta&e&la&data&della&sua&scadenza#ma&non&anche&la&corrispondenza& tra&il&numero&fornito&e&l'effedvo&htolare## " Gli#isAtuA#di#emissione#verificano#la#corrispondenza#tra#numero#della#carta# di#credito#comunicato#per#effeduare#una#transazione#ontline#ed#il# nominaavo#fornito#da#colui#che#la#effedua.## #Ad#esempio,#l'Address&VerificaHon&Service&(AVS)&verifica#che#l'indirizzo#di# consegna#sia#quello#con#cui#il#possessore#della#carta#è#registrato# " In#Europa#il#grado#di#sicurezza#nelle#transazioni#onTline#è#minore#e#quindi#il# commercio#eledronico#è#desanato#ad#incontrare#resistenze#anche#da#parte# dei#fornitori#di#che#sopportano#rischi#elevaa# 36
ETpayment&by&Credit&Card:&risk& allocahon&& " Il#fornitore#di#beni#o#servizi#onTline#è&tenuto&ad&accollarsi&il&rischio#della# rivalsa#degli#isatua#di#emissione#qualora,#in#caso#di#uso#fraudolento#delle# carta,#quesa#riaccreditano#le#corrispondena#somme#al#legiumo#atolare.# " La#legge#non&consente#al#fornitore#di#liberarsi#dall obbligo#della#resatuzione# delle#somme#agli#isatua#di#emissione#qualora#dimostri## 1. di#avere#usato#tude#le#cautele#necessarie#e#possibili#ad#evitare#l uso# fraudolento#della#carta#di#credito## 2. che#il#fado#è#stato#causato#dal#caso#fortuito.## " I#fornitori#dovranno#usare#tuDe#le#cautele#del#caso#per#potere,#nel#caso#di# uso#fraudolento#di#carte#di#credito,#perlomeno#rintracciare#l illegiumo# ualizzatore#e#rivalersi#su#questo.## #Le#conseguenze#derivanA#dall addebito#delle#somme#riaccreditate#al# Atolare#della#carta#potrebbero#poi#essere#annullate#contraendo#una# assicurazione#a#copertura#dei#danni#(economici)#derivana#da#tale# circostanza.## 37& ETpayment&by&Credit&Card& Foglio&informaHvo&sulle&operazioni&e&servizi&offerH&alla& clientela&& (CariPrato)& 38&
ETpayment&by&Credit&Card& 39& Secure&Electronic&TransacHons&! SET was built to answer to these problems! SET has been designed and implemented in the late 90 s Commissioned by Visa and Mastercard Involves all (IBM, Microsoft, )! SET was a failure Too heavy Too expensive Specifications takes more than 1000 pages (!)! We are interested in the risk allocation 40&
Secure&Electronic&TransacHons&! SET requires a PKI in place! A (privk, pubk) pair is stored at M and C! If an order is signed by your key you cannot repudiate it The risk is allocated on the customer! M and C are assumed trusted devices! Stealing a privk is equivalent to stealing a file Customer+ C& Customer+signed+order+ Merchant+signed+order+ Merchant+ M& Is this secure? This is secure This is secure 41& Secure&Electronic&TransacHons&! Do#smart#cards#help?# Loosing#a#piece#of#plasAc#vs.#loosing#a#file# Is#what#you#see#what#you#sign?# Is this secure? Customer+ C& Customer+signed+order+ Merchant+signed+order+ Merchant+ M& This is secure 42&
! Pros# SSL:&Pros&and&Cons& SSL#is#a#wellTdesigned,#robust#and#secure#protocol#! Cons# SSL#protects#communicaAon#only# User#has#to#check#security#parameters# SSL#is#vulnerable#to#name#spoofing# 43& SSL# HISTORY:&PITFALLS&AND&ATTACKS& 44&
Abacks&! Browser Exploit Against SSL/TLS (BEAST) attack Weakness of CBC in TLS 1.0 (2011)! Compression Ratio Info-leak Made Easy (CRIME) Side-channel attack based on the compressed size of HTTP request (2012)! Lucky13 attack Timing side-channel attack with CBC (2013)! Heartbleed attack Buffer over-read attack (2014) 45& Random&generator&in&SSL&v2.0& (on&the&importance&of&a&good&sprbg)&! Pseudo-Random Bit Generator bit stream = H(tod pid ppid) tod = time of day pid = process id ppid = parent process id Entropy of the triple is 47-bit Seed can be guessed in 25 s A more sophisticated attack based on system observation may be even more effective 46&