Cipher Suite
- client_hello: contains client.random and a list of cipher suites in decreasing order of preference.
- server_hello: contains server.random and a single cipher suite selected by the server.
- Each cipher suite indicates a key exchange algorithm, a cipher algorithm, and a MAC algorithm.
- About 30 cipher suites have been defined, each represented by a 2-octet number.
- Users can define their own cipher suites.
- Downgrade attack: the adversary removes strong cipher suites from client_hello.
Key Exchange Algorithms
- Anonymous Diffie-Hellman
- Fixed Diffie-Hellman
- Ephemeral Diffie-Hellman
- RSA
  - Server has an RSA encryption key pair
  - Server has an RSA signature key pair
Establish a
  Pre_Master_Secret (48 bytes)
  Master_Secret (48 bytes)
  Keys
Anonymous Diffie-Hellman
Client                                          Server
                 <-- server_key_exchange (p, g, g^s)
                 <-- server_hello_done
                 client_key_exchange (g^c) -->
- The server_key_exchange contains the server's Diffie-Hellman public key and parameters (p, g, g^s).
- The client provides its public key g^c in the client_key_exchange.
- A 48-byte pre_master_secret is generated from g^cs.
Fixed Diffie-Hellman
Client                                          Server
                 <-- certificate (p, g, g^s)
                 <-- server_hello_done
                 client_key_exchange (g^c) -->
- The certificate contains the server's Diffie-Hellman public key and parameters (p, g, g^s).
- The client provides its public key g^c in the client_key_exchange.
- A 48-byte pre_master_secret is generated from g^cs.
Ephemeral Diffie-Hellman
Client                                          Server
                 <-- certificate
                 <-- server_key_exchange (p, g, g^s)
                 <-- server_hello_done
                 client_key_exchange (g^c) -->
- The certificate contains the server's signature certificate info.
- The server_key_exchange contains the server's one-time (p, g, g^s), hashed and signed.
- The client provides its public key g^c in the client_key_exchange.
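The three Diffie-Hellman variants above differ only in where (p, g, g^s) comes from and whether s is fresh; the arithmetic is the same. The following is an added example (not code from the slides) that runs one exchange end to end: the server publishes (p, g, g^s), the client answers with g^c, and both sides derive the 48-byte pre_master_secret from g^cs. The group p = 2^127 - 1, g = 3 is a constructed toy (far too small for real use), and padding g^cs out to exactly 48 bytes is an assumption about how the slide's 48-byte value is formed. The fixed_sessions helper shows the property the later "Master secret vs. pre-master secret" slides rely on: with fixed keys on both ends, every session produces the same pre_master_secret, which is why the random numbers are mixed in when the master_secret is computed.

```python
import secrets

# Constructed toy group: p = 2^127 - 1 is prime, but far too small for real use.
P = 2**127 - 1
G = 3


def fresh_secret(p=P):
    """Pick a one-time exponent in [1, p-2] (ephemeral / anonymous DH)."""
    return secrets.randbelow(p - 2) + 1


def dh_public(secret, p=P, g=G):
    """g^secret mod p: the value carried in server_key_exchange, certificate, or client_key_exchange."""
    return pow(g, secret, p)


def pre_master_secret(peer_public, own_secret, p=P):
    """g^cs mod p, left-padded to 48 bytes.
    (Assumption: the slide only says the 48-byte pms is generated from g^cs.)"""
    return pow(peer_public, own_secret, p).to_bytes(48, "big")


def handshake(server_secret, client_secret, p=P, g=G):
    """One key exchange; returns (pms computed by client, pms computed by server).
    Anonymous / ephemeral DH: server_secret is fresh for this handshake.
    Fixed DH: server_secret is the long-term key behind the server's certificate."""
    # server_key_exchange (or the certificate, for fixed DH) carries (p, g, g^s)
    params = (p, g, dh_public(server_secret, p, g))
    # client_key_exchange carries g^c
    client_public = dh_public(client_secret, p, g)
    pms_server = pre_master_secret(client_public, server_secret, p)   # (g^c)^s
    pms_client = pre_master_secret(params[2], client_secret, p)       # (g^s)^c
    return pms_client, pms_server


def ephemeral_session():
    """Both sides choose one-time exponents: a fresh pms every session."""
    return handshake(fresh_secret(), fresh_secret())


def fixed_sessions(server_secret, client_secret, n=2):
    """Fixed DH on both sides: the same pms in every session."""
    return [handshake(server_secret, client_secret)[0] for _ in range(n)]


if __name__ == "__main__":
    pc, ps = ephemeral_session()
    print("ephemeral pms agree:", pc == ps, "length:", len(pc))
    print("fixed DH sessions identical:", len(set(fixed_sessions(12345, 67890))) == 1)
```

Anonymous DH uses exactly the same code path as ephemeral DH; the difference is that nothing authenticates the (p, g, g^s) the client receives, which is why the ephemeral variant sends those parameters hashed and signed under the server's certificate.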
RSA Key Exchange with an encryption key
Client                                          Server
                 <-- certificate (n, e)
                 <-- server_hello_done
                 client_key_exchange -->
- The certificate message contains the server's encryption key info (n, e).
- The client_key_exchange message contains a 48-byte pre_master_secret encrypted with RSA (n, e).
RSA Key Exchange with a signature key
Client                                          Server
                 <-- certificate (n, e)
                 <-- server_key_exchange (n', e')
                 <-- server_hello_done
                 client_key_exchange -->
- The certificate contains the server's RSA-signature info (n, e).
- The server generates a temporary RSA encryption key pair (n', e'), and sends the public key info (hashed and signed) to the client in the server_key_exchange.
Client Authentication
- The server may request a certificate from the client.
- The client will send a certificate message or a no_certificate alert.
Computing the Master Secret (48 bytes)
Both sides compute the master_secret as follows:
master_secret =
  MD5(pms || SHA('A'   || pms || client.r || server.r)) ||
  MD5(pms || SHA('BB'  || pms || client.r || server.r)) ||
  MD5(pms || SHA('CCC' || pms || client.r || server.r))
where pms = pre_master_secret; and client.r and server.r are the random numbers exchanged in Phase 1.
Generation of Cryptographic Parameters
An SSL session needs six keys:
- Client write MAC secret
- Server write MAC secret
- Client write key (for encryption)
- Server write key
- Client write IV (for CBC)
- Server write IV
These parameters are generated from the master_secret in that order as in the next slide.
Continue the following process until enough bits have been generated:
  MD5(ms || SHA('A'   || ms || client.r || server.r))
  MD5(ms || SHA('BB'  || ms || client.r || server.r))
  MD5(ms || SHA('CCC' || ms || client.r || server.r))
  ...
where ms = master_secret; and client.r and server.r are the random numbers exchanged in Phase 1.
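The master_secret and key-block formulas on the last two slides are the same construction applied twice (once to pms, once to ms), and the following added example (not code from the slides) implements them with hashlib and then cuts the key block into the six parameters in the order the slide lists. Sizes for the MAC secrets, keys and IVs depend on the negotiated cipher spec; the 16/16/8-byte sizes here are constructed defaults. The example follows the slide's formula literally, with client.r before server.r in both steps; note that the SSL 3.0 specification itself orders server.r before client.r in the key-block step, so the output here matches the slide, not necessarily a real SSL 3.0 stack.

```python
import hashlib


def md5_digest(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def sha1_digest(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def ssl3_expand(secret: bytes, client_r: bytes, server_r: bytes, rounds: int) -> bytes:
    """Round i (0-based) contributes MD5(secret || SHA(label || secret || client.r || server.r))
    with label 'A', 'BB', 'CCC', ... ; each round yields 16 bytes."""
    out = b""
    for i in range(rounds):
        label = bytes([ord("A") + i]) * (i + 1)
        out += md5_digest(secret + sha1_digest(label + secret + client_r + server_r))
    return out


def master_secret(pms: bytes, client_r: bytes, server_r: bytes) -> bytes:
    """48-byte master_secret: exactly the three rounds 'A', 'BB', 'CCC' of the slide."""
    if len(pms) != 48:
        raise ValueError("pre_master_secret must be 48 bytes")
    return ssl3_expand(pms, client_r, server_r, 3)


def key_block(ms: bytes, client_r: bytes, server_r: bytes, needed: int) -> bytes:
    """Repeat the process until at least `needed` bytes exist, then truncate."""
    rounds = -(-needed // 16)  # ceiling division
    return ssl3_expand(ms, client_r, server_r, rounds)[:needed]


KEY_ORDER = (
    "client_write_MAC_secret",
    "server_write_MAC_secret",
    "client_write_key",
    "server_write_key",
    "client_write_IV",
    "server_write_IV",
)


def split_keys(kb: bytes, mac_len: int, key_len: int, iv_len: int) -> dict:
    """Slice the key block into the six parameters, in the order the slide gives."""
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    keys, pos = {}, 0
    for name, size in zip(KEY_ORDER, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def derive_connection_keys(pms, client_r, server_r, mac_len=16, key_len=16, iv_len=8):
    """Full path pms -> master_secret -> six connection keys (constructed sizes)."""
    ms = master_secret(pms, client_r, server_r)
    needed = 2 * (mac_len + key_len + iv_len)
    return ms, split_keys(key_block(ms, client_r, server_r, needed), mac_len, key_len, iv_len)


if __name__ == "__main__":
    # Constructed sample inputs, not values from a real handshake.
    PMS, CR, SR = bytes(range(48)), b"\x11" * 32, b"\x22" * 32
    ms, keys = derive_connection_keys(PMS, CR, SR)
    print("master_secret:", ms.hex())
    for name in KEY_ORDER:
        print(f"{name}: {keys[name].hex()}")
```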
Phase 4: Finish
Client                                          Server
                 change_cipher_spec -->
                 finished -->
                 <-- change_cipher_spec
                 <-- finished
- The change_cipher_spec message indicates that the sender is putting the negotiated Cipher Spec into use.
- The finished message contains
  MD5(master_secret || pad2 || MD5(handshake_messages || Sender || master_secret || pad1)) or
  SHA(master_secret || pad2 || SHA(handshake_messages || Sender || master_secret || pad1)).
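The finished value is what ties the whole handshake together, and the following added example (not code from the slides) implements the two formulas above and then uses them to show how they defeat the downgrade attack named on the Cipher Suite slide: the client computes its finished over the client_hello it actually sent, so a server that received a list with the strong suites stripped out computes a different expected value and the handshake fails. The pad1/pad2 bytes (0x36 and 0x5c, 48 of them for MD5 and 40 for SHA) and the Sender constants ("CLNT"/"SRVR") are the SSL 3.0 values and are not on the slide; the minimal client_hello encoding, the 48-byte master_secret and the cipher-suite numbers 0x000A, 0x0004 and 0x0018 (standard 2-octet suite numbers) are constructed inputs for the example, and a real handshake_messages covers every handshake message, not only client_hello.

```python
import hashlib

# SSL 3.0 constants (not on the slide): pad1/pad2 repeat 0x36/0x5c, 48 times for MD5, 40 for SHA.
PAD1 = {"md5": b"\x36" * 48, "sha": b"\x36" * 40}
PAD2 = {"md5": b"\x5c" * 48, "sha": b"\x5c" * 40}
SENDER = {"client": b"CLNT", "server": b"SRVR"}   # 0x434C4E54 / 0x53525652


def _hash(name: str, data: bytes) -> bytes:
    return hashlib.md5(data).digest() if name == "md5" else hashlib.sha1(data).digest()


def finished_hash(name: str, handshake_messages: bytes, sender: str, master_secret: bytes) -> bytes:
    """H(master_secret || pad2 || H(handshake_messages || Sender || master_secret || pad1))."""
    inner = _hash(name, handshake_messages + SENDER[sender] + master_secret + PAD1[name])
    return _hash(name, master_secret + PAD2[name] + inner)


def finished(handshake_messages: bytes, sender: str, master_secret: bytes) -> bytes:
    """The finished message body: the MD5 form followed by the SHA form (16 + 20 bytes)."""
    return (finished_hash("md5", handshake_messages, sender, master_secret)
            + finished_hash("sha", handshake_messages, sender, master_secret))


def encode_cipher_suites(suites) -> bytes:
    """2-byte length prefix, then each suite as its 2-octet number."""
    body = b"".join(s.to_bytes(2, "big") for s in suites)
    return len(body).to_bytes(2, "big") + body


def client_hello(client_random: bytes, suites) -> bytes:
    """Constructed minimal client_hello: version 3.0, client.random, cipher suite list."""
    return b"\x03\x00" + client_random + encode_cipher_suites(suites)


def server_accepts_client_finished(offered, seen_by_server, master_secret: bytes) -> bool:
    """Client sends finished over the client_hello it sent; the server recomputes it over the
    client_hello it received. If an adversary edited the suite list in transit, they differ."""
    client_random = b"\x11" * 32                      # constructed
    sent = client_hello(client_random, offered)
    received = client_hello(client_random, seen_by_server)
    from_client = finished(sent, "client", master_secret)
    expected = finished(received, "client", master_secret)
    return from_client == expected


if __name__ == "__main__":
    MS = bytes(range(48))                              # constructed master_secret
    offered = [0x000A, 0x0004, 0x0018]                 # 3DES-SHA, RC4-MD5, anon-DH RC4-MD5
    print("untampered accepted:", server_accepts_client_finished(offered, offered, MS))
    print("stripped list accepted:", server_accepts_client_finished(offered, [0x0018], MS))
```

Only the transcript check makes this work: the adversary who rewrote client_hello cannot forge the finished value without master_secret, and for the DH and RSA exchanges above that secret never crosses the wire in the clear.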
SSL Session and Connection
- SSL was designed to work with HTTP 1.0, which tended to open a lot of TCP connections between the same client and server.
- SSL assumes a session is a relatively long-lived thing from which many (transient) connections can be cheaply derived.
- 1 session = 1 or more connections
SSL Session
- Created by the Handshake Protocol.
- Parameters:
  - Session ID
  - Compression method
  - Cipher spec (encryption and hash algorithm)
  - Master secret
  - Is resumable
SSL Connection
- Based on an underlying TCP connection
- Associated with a session
- Parameters:
  - Server and client random
  - Server and client write MAC secret
  - Server and client write secret
  - Server and client IV (if CBC is used)
  - Sequence number
- Closed by a close_notify from each side
Session Resumption
In handshaking, the client_hello contains a session ID:
- If session ID = 0, start a new session
- If session ID = x (and session x is resumable):
  - start a new connection of session x (or change parameters of a current connection of session x)
  - Skip key exchange
  - Use the session's master secret to generate keys
Master secret vs. pre-master secret
Why?
Note: even if we use pre_master_secret to generate keys, each connection will have its own set of keys.
Pre_Master_Secret (48 bytes)
Master_Secret (48 bytes) (session)
Keys (connection)
- Pre_master_secret
  - computed for each session during handshaking
  - could be the same for all sessions
  - is not stored (so safe)
- Master_secret
  - is stored for the lifetime of the session
  - may be compromised
  - If compromised, damage limited to a session
- What if pre_master_secret is used to generate keys?