Network Security - Transport Layer Security - PDF
Universität Bern
2024
Prof. Dr. Torsten Braun
These lecture notes cover Network Security, Transport Layer Security. The document includes topics ranging from introductions and security approaches to specific protocols, and provides details on concepts like TLS, HTTPS and SSH.
Network Security
X. Transport Level Security
Prof. Dr. Torsten Braun, Institut für Informatik Bern, 18.11.2024 – 25.11.2024

Table of Contents
1. Introduction
2. Transport Layer Security
3. Datagram Transport Layer Security
4. Hypertext Transfer Protocol Secure
5. Secure Shell

1. Introduction: 1. Threats on the Web

1. Introduction: 2. Web Traffic Security Approaches

2. Transport Layer Security: 1. Overview

Figure (layering): Application (e.g., https, imaps) / Transport Layer Security (Handshake Protocol, Record Protocol) / TCP

- Functions
  - Server and client authentication with public keys
  - Sessions encrypted with symmetric keys
- Handshake Protocol
  - Certificate exchange
  - Generation of a secret session key
- Record Protocol (for data exchange)
  - Fragmentation
  - Compression
  - Encryption

2. Transport Layer Security: 2. Protocol Stack

- IETF RFC 8446
- TLS Record Protocol provides basic security services.
- Higher-layer protocols as part of TLS
  - Handshake Protocol
  - Change Cipher Spec Protocol
  - Alert Protocol
- Heartbeat Protocol is defined in a separate RFC.

2. Transport Layer Security: 3. Connections and Session

Connections
- are transport-layer connections between two endpoints.
- are peer-to-peer relationships.
- are transient.
- Every connection is associated with one session.

Session
- is an association between a client and a server.
- is created by the Handshake Protocol.
- defines a set of cryptographic security parameters, which can be shared among multiple connections.
- is used to avoid expensive negotiation of new security parameters for each connection.
2. Transport Layer Security: 3.1 Session State

- Session identifier: arbitrary byte sequence chosen by the server to identify an active or resumable session state.
- Peer certificate: X.509 certificate of the peer
- Compression method: Algorithm used to compress data prior to encryption
- Cipher Spec
  - specifies bulk data encryption algorithm and hash algorithm (for MAC calculation)
  - defines cryptographic attributes such as hash size
- 48-byte master secret shared between client and server.
- Resumable flag indicates whether the session can be used to initiate new connections.

2. Transport Layer Security: 3.2 Connection State

- Server and Client random
  - Byte sequences that are chosen by server and client for each connection.
- Server (Client) write MAC secret
  - Secret key used in MAC operations on data sent by the server (client).
- Server (Client) write key
  - The secret encryption key for data encrypted by the server (client) and decrypted by the client (server)
- Initialization Vectors
  - When a block cipher in CBC mode is used, an IV is maintained for each key.
  - It is initialized by TLS Handshake Protocol.
  - The final ciphertext block from each record is preserved for use as IV with the following record.
- Sequence Numbers
  - Each party maintains separate sequence numbers for transmitted and received messages for each connection.
  - When a party sends or receives a "change cipher spec message", appropriate sequence number is set to 0.
  - Sequence numbers may not exceed 2^64 - 1.

2. Transport Layer Security: 4.1 Record Protocol Services

- Confidentiality: Handshake Protocol defines a shared secret key that is used for conventional encryption of TLS payloads.
- Message Integrity: Handshake Protocol also defines a shared secret key that is used to form a Message Authentication Code.
2. Transport Layer Security: 4.2 Record Protocol Operation

- HMAC algorithm (RFC 2104)
  - HMAC_K(M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]
  - H: MD5 or SHA-1
  - M: message
  - K+: secret key padded with 0's
  - ipad/opad: 36/5C repeated 64 times
- Encryption
  - Block Cipher (AES-128/256, 3DES)
  - Stream Cipher (RC4-128)

2. Transport Layer Security: 4.3 Record Format

- Content Type
  - higher-layer protocol used to process the enclosed fragment.
- Major/Minor Version Numbers
- Compressed Length (16 bits)
  - length in bytes of the plaintext fragment (or compressed fragment if compression is used) < 2^14 + 2048.

2. Transport Layer Security: 5. Specific Protocols

- Change Cipher Spec Protocol
  - to copy pending state into current state and to update the cipher suite to be used on a connection
- Alert Protocol
  - to convey TLS-related alerts to the peer entity.
  - Level: warning or fatal (immediate connection termination)
  - Code to indicate alert

2. Transport Layer Security: 6.1 Handshake Protocol Messages

2. Transport Layer Security: 6.2.1 Handshake Protocol Operation: Establish Security Capabilities (Phase 1)

client_hello message / server_hello message
- Version: in client_hello, the highest version understood by the client; in server_hello, the lower of the version suggested by the client and the highest supported by the server
- Random: A client(server)-generated random structure consisting of a 32-bit timestamp and 28 bytes generated by a secure random number generator. These serve as nonces during key exchange to prevent replay attacks.
- Session ID: A variable-length session identifier.
  - A non-zero value indicates that the client wishes to update the parameters of an existing connection or to create a new connection on this session.
  - A zero value indicates that the client wishes to establish a new connection on a new session.
- CipherSuite: a list of the cryptographic algorithms supported by the client; each element defines a key exchange algorithm and a Cipher Spec. The server selects a Cipher Suite from that list.
- Compression Method: a list of compression methods the client supports. The server selects a method.

2. Transport Layer Security: 6.2.2 Handshake Protocol Operation: Server Authentication and Key Exchange (Phase 2)

The server_key_exchange message is needed for parameter exchange. It is not needed if the server has sent a certificate with fixed DH parameters or RSA key exchange is to be used, but it is required for:
- Anonymous DH
  - 2 global DH values + server's public DH key
- Ephemeral DH
  - 3 DH parameters + signature of those
- RSA key exchange (if server has a signature-only RSA key)
  - Server creates temporary public/private RSA key pair.
  - server_key_exchange to send public key

2. Transport Layer Security: 6.2.3 Handshake Protocol Operation: Client Authentication and Key Exchange (Phase 3)

client_key_exchange
- RSA: 48-byte pre-master secret, encrypted using public server key or key from 2nd phase
- Ephemeral/Anonymous DH parameters

2. Transport Layer Security: 6.2.4 Handshake Protocol Operation: Finish (Phase 4)

- Client
  - sends change_cipher_spec message
  - copies pending into current Cipher Spec
  - sends finished message to verify that key exchange and authentication processes were successful.
- Server
  - sends own change_cipher_spec message,
  - transfers pending to current Cipher Spec
  - sends its finished message.
- finished message
  - PRF(master_secret, finished_label, MD5/SHA-1(handshake_messages))

2. Transport Layer Security: 7.1 Master Secret Creation

1. Creation of a shared master secret
   - shared master secret: one-time 48-byte value generated for a session by secure key exchange
   - Stages
     1. Exchange of pre_master_secret
        - RSA: client generates pre_master_secret, encrypts it using the server's public RSA key, and sends it to the server
        - DH: client and server generate DH public key for pre_master_secret
     2. Calculation of master_secret by both parties
        master_secret = PRF(pre_master_secret, "master secret", ClientHello.Random || ServerHello.Random)
2. Generation of cryptographic parameters from master secret
   key_block = PRF(SecurityParameters.master_secret, "key expansion", SecurityParameters.server_random || SecurityParameters.client_random)

2. TLS: 7.2 Pseudo-Random Function

A(0) = seed
A(i) = HMAC_hash(secret, A(i−1))

2. Transport Layer Security: 7.3 Generation of Cryptographic Parameters

CipherSpecs parameters
- client write MAC secret
- server write MAC secret
- client write key
- server write key
- client write IV
- server write IV

Parameters are generated from master secret in that order by hashing the master secret into a sequence of secure bytes of sufficient length for all needed parameters.

key_block =
  MD5(master_secret || SHA('A' || master_secret || ServerHello.random || ClientHello.random)) ||
  MD5(master_secret || SHA('BB' || master_secret || ServerHello.random || ClientHello.random)) ||
  MD5(master_secret || SHA('CCC' || master_secret || ServerHello.random || ClientHello.random)) || ...
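The HMAC construction from 4.2 and the derivation chain from 7.1 to 7.3, carried through in Python as an added example that is not part of the lecture notes. It assumes the TLS 1.2 form of the PRF (a single P_hash with SHA-256, RFC 5246) instead of the MD5/SHA-1 constructions shown on the slides; the function names, the parameter sizes in `LAYOUT` and the sample secrets are constructed for illustration.

```python
import hashlib

BLOCK = 64  # hash block size in bytes (MD5, SHA-1, SHA-256): ipad/opad repeat count


def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = H[(K+ xor opad) || H[(K+ xor ipad) || M]] (RFC 2104)."""
    if len(key) > BLOCK:                       # RFC 2104: hash over-long keys first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(BLOCK, b"\x00")         # K+: key padded with zeros
    ipad = bytes(b ^ 0x36 for b in k_plus)
    opad = bytes(b ^ 0x5C for b in k_plus)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac_manual(secret, a)
        out += hmac_manual(secret, a + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (assumed here): P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length)


# Order of the parameters cut from key_block, as listed in 7.3.
# The sizes are illustrative assumptions, not values from the slides.
LAYOUT = [("client_write_MAC_secret", 32), ("server_write_MAC_secret", 32),
          ("client_write_key", 16), ("server_write_key", 16),
          ("client_write_IV", 16), ("server_write_IV", 16)]


def derive(pre_master_secret: bytes, client_random: bytes, server_random: bytes):
    """Return (master_secret, dict of per-direction connection parameters)."""
    master_secret = prf(pre_master_secret, b"master secret",
                        client_random + server_random, 48)
    # The randoms are concatenated in the opposite order for key expansion.
    key_block = prf(master_secret, b"key expansion",
                    server_random + client_random, sum(n for _, n in LAYOUT))
    keys, offset = {}, 0
    for name, size in LAYOUT:
        keys[name] = key_block[offset:offset + size]
        offset += size
    return master_secret, keys


if __name__ == "__main__":
    # Constructed sample values, not taken from a real handshake.
    pms = bytes([3, 3]) + bytes(range(46))     # 48-byte pre_master_secret
    c_rand, s_rand = bytes([0xC1]) * 32, bytes([0x5E]) * 32
    ms, keys = derive(pms, c_rand, s_rand)
    print("master_secret:", ms.hex())
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
```

Because both randoms enter the derivation, a recorded pre_master_secret replayed under fresh randoms yields a different master secret and a different key block.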
2. Transport Layer Security: 8. Attacks

- Attacks on Handshake protocol
  - Example: compromising the handshake protocol based on exploiting the formatting and implementation of the RSA encryption scheme
- Attacks on Record and application data protocols
  - Example: Browser Exploit Against SSL/TLS leverages chosen-plaintext attack.
- Attacks on PKI: Checking the validity of X.509 certificates is an activity subject to a variety of attacks
  - Example: it was demonstrated that commonly used libraries for SSL/TLS suffer from vulnerable certificate validation implementations.

2. Transport Layer Security: 9. TLSv1.3

TLSv1.3 removes support for several options and functions
- Compression
- Ciphers that do not offer authenticated encryption
- Static RSA and DH key exchange
- …

TLSv1.3 (RFC 8446)
- uses DH or Elliptic Curve DH for key exchange and does not permit RSA.
- encrypts all handshake messages after server_hello.
- allows for a "1 round trip time" handshake by changing the order of messages sent when establishing a secure connection.

3. Datagram Transport Layer Security: 1. Overview

- DTLS is TLS with added features to deal with the unreliable nature of UDP communications
- as close as possible to TLS design
- IETF RFC 6347
- important for Constrained Application Protocol in IoT

Major changes
- Reliable transmission of handshakes using retransmission at the beginning of the communication to support authentication and key exchange.
- Explicit numbering of packets (records) to enable HMAC calculation in case of packet loss.
- Records must fit into a single datagram
- optional replay detection for single packets
3. Datagram Transport Layer Security: 2. RSA Handshake

Cookies for denial of service attack prevention: Before the handshake begins, the client must replay a "cookie" provided by the server in order to demonstrate that it is capable of receiving packets at its claimed IP address.

4. Hypertext Transfer Protocol Secure: 1. Overview

- secure version of HTTP; encrypts all communications between browser and web server
- Data sent using HTTPS provides 3 important areas of protection:
  1. Encryption
  2. Data integrity
  3. Authentication

4. Hypertext Transfer Protocol Secure: 2. Connection Initiation

- Agent acting as HTTP client also acts as TLS client.
- Client initiates a connection to server on an appropriate port and sends TLS client_hello to begin the TLS handshake.
- After finishing TLS handshake, client may initiate first HTTP request.
- All HTTP data is sent as TLS application data.

Connection levels in HTTPS
1. HTTP
   - HTTP client requests a connection to HTTP server by sending a connection request to the next lowest layer.
2. TLS
   - A session is established between TLS client and TLS server.
3. TCP
   - A TLS request to establish a connection begins with the establishment of a TCP connection between TCP client and server

4. Hypertext Transfer Protocol Secure: 3. Connection Closure

- An HTTP client or server indicates closing of a connection by including the following line in an HTTP record: Connection: close
- Closure of HTTPS connection requires that TLS closes the connection with the peer TLS entity, which will involve closing the underlying TCP connection.
- At TLS level, the proper way to close a connection is for each side to use Alert protocol to send a close_notify alert.
- HTTP clients also must be able to cope with situations when the underlying TCP connection is terminated without close_notify alert and Connection: close indicator.
- Such a situation could result from
  - programming error on the server or
  - communication error causing TCP connection to drop.
- Unannounced TCP closure could be evidence of some attack → HTTPS client should issue some sort of security warning when this occurs.

5. Secure Shell: 1. Overview

- Initial version to provide secure remote logon facility to replace TELNET and other remote logon schemes
- SSH also provides a more general client/server capability and can be used for such applications as file transfer and e-mail.
- SSH client and server applications are widely available for most operating systems.
- IETF RFCs 4250-4256

5. Secure Shell: 2. Protocol Stack

- Transport Layer Protocol
  - provides server authentication, data confidentiality, and data integrity with forward secrecy, i.e., if a key is compromised during one session, the knowledge does not affect the security of earlier sessions.
  - may optionally provide compression.
- User Authentication Protocol
  - authenticates client/user to server.
- Connection Protocol
  - multiplexes multiple logical communication channels over a single, underlying SSH connection.

5. Secure Shell: 3. Transport Layer Protocol

- Server authentication occurs at transport layer, based on the server possessing a public/private key pair.
- A server may have multiple host keys using multiple different asymmetric encryption algorithms.
- Multiple hosts may share the same host key.
- Server host key is used during key exchange to authenticate the identity of the host.

RFC 4251 dictates 2 alternative trust models
1. The client has a local database that associates each host name with the corresponding public host key
2. The host name-to-key association is certified by a trusted certification authority (CA); the client only knows the CA root key and can verify the validity of all host keys certified by accepted CAs
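A client-side check for the first trust model (a local database of host name to host key), as an added example that is not part of the lecture notes. It assumes the OpenSSH `known_hosts` line layout, including hashed host entries of the form `|1|salt|hash`, which the slides do not mention; the host names, salt and key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac


def fingerprint(key_b64: str) -> str:
    """SHA-256 fingerprint of a public key blob, in the form OpenSSH prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(field: str, host: str) -> bool:
    """Host field: comma-separated names, or a hashed '|1|salt|hash' entry.
    Wildcard and negated patterns are not handled in this example."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")


def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """'match': key is on file; 'mismatch': a different key of this type is on
    file (refuse to connect); 'unknown': no key of this type stored for the host."""
    stored_other = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue                      # blank, comment, or marker line
        if not host_matches(fields[0], host) or fields[1] != key_type:
            continue                      # other host, or another of its host keys
        if fields[2] == key_b64:
            return "match"
        stored_other = True
    return "mismatch" if stored_other else "unknown"


def sample_blob(label: str) -> str:
    """Constructed stand-in for a base64 public key blob (not a real key)."""
    return base64.b64encode(label.encode()).decode()


def sample_known_hosts() -> str:
    """Constructed database: two plain entries for one host, one hashed entry."""
    salt = b"constructed-salt-20b"
    mac = hmac.new(salt, b"git.example.org", hashlib.sha1).digest()
    hashed = "|1|%s|%s" % (base64.b64encode(salt).decode(),
                           base64.b64encode(mac).decode())
    return "\n".join([
        "# constructed sample entries",
        "mail.example.org,192.0.2.10 ssh-ed25519 " + sample_blob("mail-ed25519-key"),
        "mail.example.org ssh-rsa " + sample_blob("mail-rsa-key"),
        hashed + " ssh-ed25519 " + sample_blob("git-ed25519-key"),
    ])


if __name__ == "__main__":
    db = sample_known_hosts()
    for host, blob in [("mail.example.org", "mail-ed25519-key"),
                       ("mail.example.org", "other-key"),
                       ("new.example.org", "other-key")]:
        key = sample_blob(blob)
        print(host, fingerprint(key), check_host_key(db, host, "ssh-ed25519", key))
```

A `mismatch` is the case that matters for server authentication: the name is known but the presented key differs, so the connection should be refused rather than the entry silently replaced.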
5. Secure Shell: 3.1 Packet Exchange

5. Secure Shell: 3.2 Cryptographic Algorithms

* required
** recommended

5. Secure Shell: 3.3 Key Generation

The keys used for encryption and MAC are generated from
- shared secret key K resulting from DH key exchange
- hash value from key exchange H
- session identifier, which is equal to H unless there has been a subsequent key exchange after the initial key exchange

5. Secure Shell: 4.1 User Authentication Protocol: Message Exchange

1. Client sends an SSH_MSG_USERAUTH_REQUEST with a requested method of none
2. Server checks if user name is valid. If not, the server returns SSH_MSG_USERAUTH_FAILURE with the partial success value of false, otherwise continue with 3.)
3. Server returns SSH_MSG_USERAUTH_FAILURE with a list of one or more authentication methods to be used.
4. Client selects 1 authentication method and sends SSH_MSG_USERAUTH_REQUEST. There may be a sequence of exchanges to perform the authentication method.
5. If authentication succeeds and more authentication methods are required, server proceeds to step 3, using a partial success value of true. If authentication fails, the server proceeds to step 3, using a partial success value of false
6. When all required authentication methods succeed, the server sends SSH_MSG_USERAUTH_SUCCESS message; Authentication Protocol is over.

5. Secure Shell: 4.2 Authentication Methods

- Public key
  - The client sends a message to the server that contains the client's public key, with the message signed by the client's private key.
  - Server checks whether the supplied key is acceptable for authentication and, if so, whether signature is correct.
- Password
  - Client sends a message containing a plaintext password, which is protected by encryption by the Transport Layer Protocol.
- Host-based
  - Authentication is performed on the client's host rather than the client itself by having the client sending a signature created with the private key of the client host.
  - Rather than directly verifying the user's identity, the SSH server verifies the identity of the client host.

5. Secure Shell: 5.1 Connection Protocol

- SSH Connection Protocol runs on top of SSH Transport Layer Protocol and assumes that a secure authentication connection is in use.
- The secure authentication connection, referred to as a tunnel, is used by the Connection Protocol to multiplex several logical channels.

Channel mechanism
- All types of communication using SSH are supported using separate channels
- Either side may open a channel
- For each channel, each side associates a unique channel number
- Channels are flow controlled using a window mechanism
- No data may be sent to a channel until a message is received to indicate that window space is

5. Secure Shell: 5.2 Connection Protocol: Message Exchange

5. Secure Shell: 5.3 Channel Types

- Session
  - remote execution of a program.
  - Program may be a shell, an application such as file transfer or e-mail, a system command, or some built-in subsystem.
  - Once a session channel is opened, subsequent requests are used to start the remote program.
- X11
  - refers to the X Window System, a network protocol that provides a graphical user interface (GUI) for networked computers.
  - allows applications to run on a network server but to be displayed on a desktop machine
- forwarded-tcpip
  - remote port forwarding
- direct-tcpip
  - local port forwarding
5. Secure Shell: 5.4 Port Forwarding

- provides the ability to convert any insecure TCP connection into a secure SSH connection (also referred to as SSH tunneling)
- Incoming TCP traffic is delivered to the appropriate application based on port number.
- Types of port forwarding
  - Local
  - Remote

5. Secure Shell: 5.4.1 Local Port Forwarding

- allows the client to set up a "hijacker" process to intercept selected application-level traffic and redirect it from an unsecured TCP connection to a secure SSH tunnel.
- SSH is configured to listen on selected ports. SSH grabs all traffic using a selected port and sends it through an SSH tunnel.
- On the other end, SSH server sends incoming traffic to the destination port dictated by the client application.

Example: POP using port 110
1. SSH client sets up a connection to the remote server.
2. Select unused local port number, e.g., 9999; configure SSH to accept traffic from this port destined for port 110 on server.
3. SSH client informs SSH server to create a connection to the destination, in this case mail server port 110.
4. Client takes any bits sent to local port 9999 and sends them to server inside the encrypted SSH session. SSH server decrypts incoming bits and sends plaintext to port 110.
5. In the other direction, SSH server takes any bits received on port 110 and sends them inside the SSH session back to client, who decrypts and sends them to the process connected to port 9999.

5. Secure Shell: 5.4.2 Remote Port Forwarding

User's SSH client acts on server's behalf.
- receives traffic with a given destination port
- places traffic on the correct port and
- sends it to the destination the user chooses.

Example application: access to work computer from home computer
- Work computer behind a firewall will not accept SSH request from home computer.
- However, from work computer one can set up SSH tunnel using remote port forwarding.

Example
- From work computer, set up outgoing SSH connection to home computer.
- Configure SSH server to listen on a local port, e.g., 22, and to deliver data across the SSH connection addressed to remote port, e.g., 2222.
- Configure SSH at home computer to accept traffic on port 2222.
- SSH tunnel can now be used for remote logon to work server

Thanks a lot for your attention