S1 Teknik Telekomunikasi

Fakultas Teknik Elektro

SSL/TLS(Transport Layer Security)

KEAMANAN JARINGAN | TTH3K3 | Kur. 2016 | 2017/2018
Outlines :

• 1. SSL (Secure Socket Layer)

• 2. TLS: Handsake & Record Protocol
• 3. Structure Protocol and Format Record
Security Sevices in Network

IPSec SSL/TLS Kerberos, S/MIME/PGP

• Transparent to Part of protocol, thus, Embedded into packages
applications transparent to applications Can be tailored to specific
• General purpose or embedded into packages application needs
• Filtering (e.g. browsers)
capability
What is SSL/TLS?
• SSL (Secure Socket Layer) first relased in 1994
• IETF standaridized SSL protocol into TLS (Transport Layer Security) in
1999
• Based on Secure Sockets Layers protocol, ver 3.0
– Same protocol design, different algorithms
• Transport Layer Security protocol, version 1.0
– De facto standard for Internet security and Deployed in nearly every Web Browser
– “The primary goal of the TLS protocol is to provide privacy and data integrity between
two communicating applications”
– In practice, used to protect information transmitted between browsers and Web servers
• Deployed in nearly every Web browser
• People carry on using SSL when speaking about TLS
SSL / TLS in the Real World
Where SSL Fits

HTTP SMTP POP3 HTTPS SSMTP SPOP3

80 25 110 443 465 995

Secure Sockets Layer

Transport

Network

Link
Purposes of The Protocol

• Confidentiality
– No body beetwween the peer of TLS connection can undestand the content
• Integrity
– No data are altered when transmitted over a TLS conection
• Authentication
– Each peer of a TLS connection can check the other one is the he says to be
History of the Protocol
• SSL 2.0
– Published by Netscape, November 1994 and have Several weaknesses
• SSL 3.0
– Designed by Netscape and Paul Kocher, November 1996
• TLS 1.0
– Internet standard based on SSL 3.0, January 1999
– Not interoperable with SSL 3.0
• TLS uses HMAC instead of MAC; can run on any port
• TLS 1.1
– Publish in 2006 to update of TLS 1.0 with stronger cipher suites
• TLS 1.2
– Publish in 2008 to update TLS 1.1 with stronger cipher suites and support for extension
• TLS 1.3
– TLS 1.3 has now been finalized as of March 21st, 2018.
– Faster speed and improfed security
 SSL Architecture

Used in the
management
of TLS
exchange
SSL components
• SSL Handshake Protocol
– negotiation of security algorithms and parameters
– key exchange
– server authentication and optionally client authentication
• SSL Alert Protocol
– error messages (fatal alerts and warnings)
• SSL Change Cipher Spec Protocol
– a single message that indicates the end of the SSL handshake
• SSL Record Protocol
– fragmentation
– compression
– message authentication and integrity protection
– encryption

10
SSL Connection and Session

• A transport that provides a suitable type of

SSL service
• For SSL such connections are peer-to-peer
relationships

connection • Connections are transient

• Every connection is associated with one session

• An association between a client and a server

• Created by the Handshake Protocol
• Define a set of cryptographic security parameters
SSL session which can be shared among multiple connections
• Are used to avoid the expensive negotiation of
new security parameters for each connection
A session state is defined by the following
parameters:

Session Peer Compression Cipher Master Is

identifier certificate method spec secret resumable

Specifies the
bulk data
encryption
An arbitrary
algorithm and A flag
byte sequence An X509.v3
The algorithm a hash 48-byte secret indicating
chosen by the certificate of
used to algorithm shared whether the
server to the peer; this
compress data used for MAC between the session can be
identify an element of
prior to calculation; client and the used to
active or the state may
encryption also defines server initiate new
resumable be null
cryptographic connections
session state
attributes
such as the
hash_size
A connection state is defined by the following
parameters:
• Byte sequences that are chosen by the server and client for
Server and client random each connection • When a block cipher in CBC mode
is used, an initialization vector (IV)
is maintained for each key
Initialization • This field is first initialized by the
• The secret key used in MAC operations on data SSL
sent by the
Server write MAC secret server
vectors Handshake Protocol
• The final ciphertext block from
each record is preserved for use
as the IV with the following record

• The secret key used in MAC operations on data sent by the

Client write MAC secret client
• Each party maintains separate
• The secret encryption key for data encrypted bysequence
the server
numbersand
for
Server write key decrypted by the client transmitted and received
messages for each connection
Sequence • When a party sends or receives a
numbers change cipher spec message, the
• The symmetric encryption key for data encrypted by thesequence
appropriate clientnumber is
Client write key and decrypted by the server set to zero
• Sequence numbers may not
exceed 264 - 1
SSL Record Protocol

The SSL Record Protocol provides

two services for SSL connections

Confidentiality Message integrity

The Handshake Protocol defines a shared The Handshake Protocol also defines a shared
secret key that is used for conventional secret key that is used to form a message
encryption of SSL payloads authentication code (MAC)
SSL Record Protocol
SSL Record Format
SSL Record Protocol Payload
SSL Change Cipher Spec Protocol
• one of 3 SSL specific protocols which use the SSL Record
protocol
• a single message
• causes pending state to become current
• hence updating the cipher suite in use
SSL Alert Protocol

 conveys SSL-related alerts to peer entity

 severity
• warning or fatal
 specific alert
• fatal: unexpected message, bad record mac, decompression failure,
handshake failure, illegal parameter
• warning: close notify, no certificate, bad certificate, unsupported
certificate, certificate revoked, certificate expired, certificate unknown
 compressed & encrypted like all SSL data
SSL Handshake Protocol

• allows server & client to:

– authenticate each other
– to negotiate encryption & MAC algorithms
– to negotiate cryptographic keys to be used
• comprises a series of messages in phases
1. Establish Security Capabilities
2. Server Authentication and Key Exchange
3. Client Authentication and Key Exchange
4. Finish
Table 17.2 SSL Handshake Protocol Message Types
SSL Handshake
Protocol
Phase 1: Establish Secuity Capablities

• Initiate logical connection

• Establish associated security capabilities
• Client_hello massage
 Verison: highest supported SSL version
 CipherSuite: list of supported crypt algorithms in decreasing roder
of preference
• Server_hello message
 Version: highest supported by both client, server
 CipherSuite: selected suite from proposed list
Phase 2: Server Authentiaction and Key
Exchange
• Certificate message
 Server sends its X.509 certificate or chain
• Certificate_key_exchange message
 Parameters for key exchange
 Required by some algorithms (no shared key)
• Certificate_request message
 List of acceptable certifcate authorities
• Server_done message
 Indicate end of server hello messages
Phase 3: Client Authentiaction and Key
Exchange
• Client verify server certificate is valid
• Check that parameters are acceptable
• Certificate_message
 Send if server requested certificate
• Client_key_exchange message
 Parameters for key exchange
• Server_done message
 Optional, for some certificate types
Phase 4: Finsih

• Completes settings up secure connection

• Change_cipher_spec message
 Sent using Change Cipher Spec protocol
• Finished message
 Sent with established algorithms, keys
 Verifies key exchange, auth were succesful
Cryptographic Computations

• Two further items are of interest:

– The creation of a shared master secret by means of the key exchange
• The shared master secret is a one-time 48-byte value generated for this
session by means of secure key exchange

– The generation of cryptographic parameters from the master secret

• CipherSpecs require a client write MAC secret, a server write MAC secret, a
client write key, a server write key, a client write IV, and a server write IV
which are generated from the master secret in that order
– These parameters are generated from the master secret by hashing the master secret
into a sequence of secure bytes of sufficient length for all needed parameters
TLS (Transport Layer Security)

• IETF standard RFC 2246 similar to SSLv3

• with minor differences
– in record format version number
– uses HMAC for MAC
– a pseudo-random function expands secrets
• based on HMAC using SHA-1 or MD5
– has additional alert codes
– some changes in supported ciphers
– changes in certificate types & negotiations
– changes in crypto computations & padding
HTTPS

• HTTPS (HTTP over SSL)

– combination of HTTP & SSL/TLS to secure communications
between browser & server
• documented in RFC2818
• no fundamental change using either SSL or TLS
• use https:// URL rather than http://
– and port 443 rather than 80
• encrypts
– URL, document contents, form data, cookies, HTTP headers
HTTPS (HTTP over SSL)
• Refers to the combination of HTTP and SSL to implement secure communication
between a Web browser and a Web server
• The HTTPS capability is built into all modern Web browsers
• A user of a Web browser will see URL addresses that begin with https:// rather than
http://
• If HTTPS is specified, port 443 is used, which invokes SSL
• Documented in RFC 2818, HTTP Over TLS
– There is no fundamental change in using HTTP over either SSL or TLS and both
implementations are referred to as HTTPS
• When HTTPS is used, the following elements of the communication are encrypted:
– URL of the requested document
– Contents of the document
– Contents of browser forms
– Cookies sent from browser to server and from server to browser
– Contents of HTTP header
Connection Initiation

For HTTPS, the agent acting as the There are three levels of
HTTP client also acts as the TLS awareness of a connection in
client HTTPS:
At the HTTP level, an HTTP client requests a connection
The client initiates a connection to the server on the to an HTTP server by sending a connection request to
appropriate port and then sends the TLS ClientHello to the next lowest layer
begin the TLS handshake
•Typically the next lowest layer is TCP, but is may also be TLS/SSL

At the level of TLS, a session is established between a

When the TLS handshake has finished, the client may TLS client and a TLS server
then initiate the first HTTP request •This session can support one or more connections at any time

A TLS request to establish a connection begins with the

establishment of a TCP connection between the TCP
All HTTP data is to be sent as TLS application data
entity on the client side and the TCP entity on the server
side
Connection Closure
• An HTTP client or server can indicate the closing of a connection by
including the line Connection: close in an HTTP record
• The closure of an HTTPS connection requires that TLS close the
connection with the peer TLS entity on the remote side, which will
involve closing the underlying TCP connection
• TLS implementations must initiate an exchange of closure alerts
before closing a connection
– A TLS implementation may, after sending a closure alert, close the
connection without waiting for the peer to send its closure alert,
generating an “incomplete close”
• An unannounced TCP closure could be evidence of some sort of
attack so the HTTPS client should issue some sort of security
warning when this occurs
Secure Shell (SSH)

• Protocol for secure network communications

• Relatively simple and inexpensive
• Intiially focused on remote login (TELNET)
• Later: general client/server capability
 File transfer
 Email
 X tunneling
• One of most prevasive encryption application
Secure Shell (SSH)
Transport Layer Protocol
– Server authentication occurs at the transport layer, based on the
server possessing a public/private key pair
– A server may have multiple host keys using multiple different
asymmetric encryption algorithms
– Multiple hosts may share the same host key
– The server host key is used during key exchange to authenticate the
identity of the host
– RFC 4251 dictates two alternative trust models:
• The client has a local database that associates each host name with the
corresponding public host key
• The host name-to-key association is certified by a trusted certification
authority (CA); the client only knows the CA root key and can verify the
validity of all host keys certified by accepted CAs
Packet Exchange
Supported algorithm for:
• Key excahnge
• Encryption
• MAC
• compression

Uses Diffie-Hellman
 MAC not
encrypted

Initiate to 0
incremented for
each packet
 Table 17.3

SSH

Transport

Layer

Cryptographic
* = Required
** = Recommended

Algorithms
Authentication Methods
• Publickey
– The client sends a message to the server that contains the client’s public key, with
the message signed by the client’s private key
– When the server receives this message, it checks whether the supplied key is
acceptable for authentication and, if so, it checks whether the signature is correct
• Password
– The client sends a message containing a plaintext password, which is protected
by encryption by the Transport Layer Protocol
• Hostbased
– Authentication is performed on the client’s host rather than the client itself
– This method works by having the client send a signature created with the private
key of the client host
– Rather than directly verifying the user’s identity, the SSH server verifies the
identity of the client host
Connection Protocol
 The SSH Connection Protocol runs on top of the SSH Transport
Layer Protocol and assumes that a secure authentication connection
is in use
The secure authentication connection, referred to as a tunnel, is used

by the Connection Protocol to multiplex a number of logical channels
 Channel mechanism
 All types of communication using SSH are supported using separate channels
 Either side may open a channel
 For each channel, each side associates a unique channel number
 Channels are flow controlled using a window mechanism
 No data may be sent to a channel until a message is received to indicate that
window space is available
 The life of a channel progresses through three stages: opening a channel, data
transfer, and closing a channel
Connection
Protocol
Channel Types
Four channel types are recognized in the SSH Connection Protocol specification

Session
• The remote execution of a program
• The program may be a shell, an application such as file transfer or e-mail, a system command,
or some built-in subsystem
• Once a session channel is opened, subsequent requests are used to start the remote program

X11
• Refers to the X Window System, a computer software system and network protocol that
provides a graphical user interface (GUI) for networked computers
• X allows applications to run on a network server but to be displayed on a desktop machine

Forwarded-tcpip
• Remote port forwarding

Direct-tcpip
• Local port forwarding
Port Forwarding

• One of the most useful features of SSH

• Provides the ability to convert any insecure TCP connection into a
secure SSH connection (also referred to as SSH tunneling)
• Incoming TCP traffic is delivered to the appropriate application on
the basis of the port number (a port is an identifier of a user of
TCP)
• An application may employ multiple port numbers
• Two types
 Local forwarding
 Remote forwarding
Local Forwarding

Source:
www.tectia.com/manuals/guardian-admin/30/scb_ssh_channel_types.html
Remote Forwarding

Source:
www.tectia.com/manuals/guardian-admin/30/scb_ssh_channel_types.html
Summary
• Web security considerations
• Web security threats
• Web traffic security approaches
• Secure sockets layer
• SSL architecture
• SSL record protocol
• Change cipher spec protocol
• Alert protocol
• Handshake protocol
• Cryptographic computations
• HTTPS
• Connection initiation
• Connection closure
• Transport layer security
• Version number
• Message authentication
code
• Pseudorandom function
• Alert codes
• Cipher suites
• Client certificate types
• Certificate_verify and
finished messages
• Cryptographic
computations
• Padding
• Secure shell (SSH)
• Transport layer protocol
• User authentication protocol
• Communication protocol
References
• W. Stallings, “Cryptography and Network Security: Principles and Practice”, 8th ed., Pearson, 2016
• E. Gean, “Chapter 13 IPSec”, California State University, 2015
• X. Y. Li, “IPSec”, Illinois Institute of Technology, 2014
• V. Shmatikov, “IP security. Internet Key Exchange (IKE) protocol”, 2004