Applied Cryptography & SSL

Encryption & Digital Signatures Agenda

• Introduction to encryption

• Brute-force attacks and encryption key-length analysis

• Symmetric encryption, Asymmetric encryption, and Hybrid encryption

• Cryptographic hash functions and Message digest

• MAC (symmetric digital signatures) & Digital signatures

• Digital Certificates and Public-Key Infrastructure (PKI)

• The SSL Protocol

• Vulnerabilities and attacks related to data exposure

Security Properties &
Security Mechanisms
Introduction to
Encryption

4
Caesar Cipher
• http://www.youtube.com/watch?v=sMOZf4GN3oc

• One of the simplest and oldest encryption technique.

• named after Julius Caesar

• who used it in his private correspondence

• Substitution cipher

• each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet

5
Caesar Cipher Example
• A left shift of 3

• D would become A

• E would become B

• …. And so on.

Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ

Cipher: XYZABCDEFGHIJKLMNOPQRSTUVW

• Caesar cipher is easily broken - offers no security

English Plaintext Statistics

7
One Time Pad (OTP)
• http://www.youtube.com/watch?v=FlIG3TvQCBQ
• Each bit or character from the plaintext is encrypted by a modular addition with a bit or character from
a secret random key (or pad) of the same length as the plaintext => resulting in a ciphertext.
• If used correctly, i.e. if the key/pad is
• truly random
• as large as (or greater than) the plaintext
• never reused in whole or part
• kept secret
ciphertext will be impossible to decrypt or break without knowing the key/pad
• Practical problems prevented OTPs from being widely used. 8
True Random ver. Pseudo Random

Unconditional Security (True Random) ver. Computational Security (Pseudo Random)

 cryptosystem is said to be unconditionally secure if it cannot be broken

 even with infinite computational time.

 cryptosystem is said to be computationally secure if the best known algorithm of breaking the system
requires an unreasonably large amount of computational time.

 https://www.youtube.com/watch?v=itaMNuWLzJo

9
PRNG
• PRNG: a function which

• takes a certain amount of true randomness (called the seed /key of the PRNG)

• generates a stream of bits which can be used as if they were true-random

• assuming seed/key is large enough to make brute force attacks impossible

• Cryptographically strong PRNG: an algorithm for which it has been proved that an opponent who knows
the algorithm and all of its output bits up to a certain point but not its seed, can not guess the next
output bit with any higher probability than ((1/2)+(e))

• (e) decreases exponentially with some security parameter (typically the length of the PRNG seed).

10
Cryptographic Keys
• Key is a collection of random bits
01010011101011110111
• The more bits in the key => the stronger the key

• Keys are tied to specific encryption algorithm

• Key length depends on the encryption algorithm

11
Kerckhoff’s Principle
• The system must be practically, if not mathematically, indecipherable;

• It should not require secrecy, and it should not be a problem if it falls into enemy hands;

• It must be possible to communicate and remember the key without using written notes

• correspondents must be able to change or modify it at will;

• It must be applicable to telegraph communications;

• It must be portable, and should not require several persons to handle or operate;

• Lastly, given the circumstances in which it is to be used, the system must be easy to use and should not be
stressful to use or require its users to know and comply with a long list of rules.

• Published in an 1883 article, La Cryptographie Militaire (Military Cryptography)

12
• By Auguste Kerckhoff, a Dutch linguist and cryptographer
Kerckhoff’s Principle
• The concept that a cryptographic system should be designed to be secure, even if all its details, except for
the key, are publicly known

• Only the key is secret.

• It should be easy to replace the key

• Encryption/decryption algorithm is publicly known

• Most of the civilian cryptography makes use of publicly known algorithms

• Ciphers used to protect classified government or military information are often kept secret

• It should not be assumed that government/military ciphers must be kept secret to maintain security

• the decision to keep them secret is a layered security posture

Breaking a cryptosystem means figuring out the key currently used.

14
Brute-Force Attack
• A method of defeating a cryptographic scheme by exhaustively enumeration through all possible keys in
order to decrypt a message

• For symmetric-key encryption, brute force attack typically means: testing all possible keys to recover
plaintext used to produce the ciphertext

• expected number of trials before the correct key is found is equal to half the size of the key space.

• if there are 2^128 possible keys, a brute force attack would, on average, be expected to find a key
after 2^127 trials

• Selection of an appropriate key length depends on the practical feasibility of performing a brute force
attack.
15
Brute-Force Attack & Key Length Setting
• In most cryptographic schemes

• theoretical possibility of a brute force attack is recognized

• Key-length should be set up in such a way that it would be computationally infeasible to carry out
brute-force enumeration attack.

• Symmetric key cipher is considered secure if there is no attack method less expensive (in time, memory
requirements, etc) than brute force attack

• One definition of "breaking" a cryptographic scheme is to find an attack method faster than a brute
force attack.

16
NIST Encryption Algorithms

17
Data Encryption
• Encryption – the of process of taking data and
a key, feeding it into an encryption function
and receiving encrypted data (cipher-text)

Encryption
Function

Encrypted data is, in principal, unreadable unless decrypted

18
Data Decryption
• Decryption – the process of taking encrypted
data (cipher-text) and a key and feeding it into
a decryption function and receiving back the
original data

• You need to right key to decrypt the data

Decryption
• Encryption and decryption functions are linked Function

19
Symmetric Encryption
• Encryption and decryption functions that use the
same key are called symmetric
Encrypt
• Anyone who want to read the encrypted data
must have the key used to encrypt the data

• DES and AES is an example of symmetric encryption

Decrypt

20
Symmetric Stream Cipher Summary
• Sender XOR each bit of your plaintext continuous stream with a bit from a pseudo-random sequence

• Receiver, use the same symmetric key, XOR again to extract plaintext

21
Diffie-Hellman (D-H)
Algorithm

22
Diffie-Hellman (DH) Key Exchange
• http://www.youtube.com/watch?v=3QnD2c4Xovk

• DH key exchange - a cryptographic protocol that allows two parties that have no prior knowledge of each
other to jointly establish a shared secret key over an insecure communications channel.

• Key can then be used to encrypt subsequent communications using symmetric encryption algorithm

• The simplest, and original, implementation of the DH protocol uses the Multiplicative group of integers
modulo p

• p is prime

• g is primitive root mod p

23
Diffie-Hellman Key Exchange (1976)

Alice generates a

Bob generates b.

Alice sends ga mod p

Bob sends gb mod p.

Alice and Bob compute gab mod p.

24
Diffie-Hellman Key-Exchange Example
1. Alice and Bob agree to use a prime number p=23 and base g=5.

2. Alice chooses a secret integer a=6, then sends Bob (ga mod p): 56 mod 23 = 8.

3. Bob chooses a secret integer b=15, then sends Alice (gb mod p): 515 mod 23 = 19.

4. Alice computes (gb mod p)a mod p : 196 mod 23 = 2.

5. Bob computes (ga mod p)b mod p : 815 mod 23 = 2.

Both Alice and Bob have arrived at the same value, because gab and gba are equal.

25
Diffie-Hellman Details
• Only a, b and gab = gba are kept secret.

• Other values -- p, g, ga mod p, and gb mod p -- are sent in the clear.

• Shared secret computed (known only to Alice and Bob) can be used as an encryption key for encrypting messages

• Much larger values of a, b, and p would be needed to make this example secure

• since it is easy to try all the possible values of gab mod 23

• there will be, at most, 22 such values, even if a and b are large

• If p were a prime of at least 600 digits, and a and b were at least 600 digits long, then even the best algorithms
known today could not find a given only g, p, and ga mod p, even using all of available computing power.

• problem is known as the discrete logarithm problem.

• Note: g need not be large at all, and in practice is usually either 2 or 5. 26

Asymmetric Encryption

27
Asymmetric Encryption
• Encryption and decryption functions that use a key pair are called asymmetric encryption

• Keys are mathematically linked

• RSA - example of asymmetric encryption

• http://www.youtube.com/watch?v=wXB-V_Keiu8

Private key is known Public key is given

only to owner away to the world 28
Asymmetric Encryption
• Data encrypted with one key , should be
decrypted using the other key
Encrypt Decrypt
Each user has a pair of keys: a private key
and a public key

• Data encrypted with the private key can

only be decrypted with the public key

• Data encrypted with the public key can Decrypt Encrypt

only be decrypted with the private key

29
Asymmetric Encryption for Data Confidentiality
• Public keys are used for encrypting.

• Private keys are used for decrypting.

30
Alice & Bob Communicate Securely over
an Insecure Channel using Asymmetric Encryption

Alice wants to send Bob a private message

• Apublic is Alice’s public key.

• Aprivate is Alice’s private key.

• Bpublic is Bob’s public key.

• Bprivate is Bob’s private key.

31
 Alice Bob

encrypt using Bpublic decrypt using Bprivate

32
 Alice Bob

decrypt using Aprivate encrypt using Apublic

33
Theoretical Comparable Strengths (in bits)
• Sym. Key: Symmetric key encryption algorithms

• FFC and IFC: Finite field discrete log and factoring based public key algorithms

• ECC: Elliptic Curve discrete log based public key algorithms

• Yellow background: Phase out use by 2010

Sym. Key 80 112 128 192 256

Hash functions (for signatures) * 160 224 256 384 512

FFC and IFC 1k 2k 3k 7.5k 15k

ECC 160 224 256 384 512

Hybrid Encryption

35
Symmetric vs. Asymmetric Encryption

Algorithm Type Description

Uses one key to:
Encrypt the data
Symmetric Decrypt the data
Is fast and efficient

Uses two mathematically related keys:

Public key to encrypt the data
Asymmetric Private key to decrypt the data
Is more secure than symmetric encryption
Is slower than symmetric encryption

36
Hybrid Crypto-System
• Hybrid cryptosystem combines the convenience of a public-key cryptosystem with the efficiency
of a symmetric-key cryptosystem.

• Hybrid cryptosystem - constructed using any two cryptosystems:

• key encapsulation scheme - a public-key cryptosystem,

and

• data encapsulation scheme - a symmetric-key cryptosystem.

37
Hybrid Crypto-System

38
 Hybrid Encryption Example#1
ShK
ShK
PrK

PuK PrK
‫אני‬

PuK
ShK ‫אתה‬

39
 Hybrid Encryption Example#2
‫קובץ‬ ‫קובץ‬

ShK
ShK

PrK PrK
‫קובץ‬

PuK PuK
‫אני‬ ‫אתה‬

40
What do we know about the message sender in asymmetric encryption?

Bob’s Dilemma

• Nobody can read the message from Alice, but anyone could produce it.

• How does Bob know that the message was really sent from Alice?

The Solution: Digital Signature

• Alice can create a digital signature and prove she sent the message
Message Digest &
Hash Functions
Message Digest – One Way Function
h=H(m) is easy to compute
m=H-1(h) is hard to compute

original message
no practical limit to size

message digest algorithm

message digest
256 bit/384 bits
easy hard
Message Digest – One Way Function
• "hash function" - a cryptographic function that

• takes as its input a bit string of any length

• performs a deterministic algorithm on this input

• produces as output a bit string of fixed length.

• Practicality: computing the hash H(m) of any input m can be done

efficiently,

• Preimage resistance: given h, it is hard to compute a preimage of h

• it is hard to compute an m such that h = H(m)

44
Hash Function Requirements
• Second preimage resistance (weak hash): given m, it is hard to compute a second preimage of m

• It is hard to find m' such that m ≠ m' and yet H(m) = H(m')

given m, h=H(m) try messages at random to find m’ with H(m’)=h

2n trials on average (n=128 to be safe)

• Collision resistance (strong hash): it is hard to compute a collision for H

• it is hard to compute m and m' such that m ≠ m' and yet H(m) = H(m')

try pairs of messages at random to find M and M’ such that H(M’)=H(M)

2n/2 trials on average (n=256 to be safe, n=384 is better)

Hash Function Overview
• The core of a hash function is a compression function

• accepts as input an IHV ("Intermediate Hash Value“) and a data block

• HIV length is 128/160/256/384/512 bits

• uses each input block to update the IHV

• produces as output an updated state IHV

• Input blocks are fed to the compression function in successive calls

• The initial IHV is a fixed value, and the final IHV is the hash value.

46
Hash Function Overview

M1 M2 M3 M4
IHV0

Com- Com- Com- Com-

press press press press

IHV4
MAC (Message
Authentication Code)

48
Verifying Data Integrity with Hashes
User A User B

Data Hash
Algorithm Hash Value

If hash values
Hash Algorithm
match, data is valid

Data
Data
Hash Value
Hash Value

User A sends data and hash

value to User B
MIC (Message Integrity Code) + Encryption
• MIC should be encrypted during transmission if it is to be used as a reliable gauge of message integrity

• Alice and Bob share a key

• Alice: Hash M and tie it to M

• Alice: Encrypt M||H(M)

50
MAC (Message Authentication Code) Overview
• MAC is a short piece of information used to protects both a message's integrity as well as its authenticity

• known also as a tag

• MAC algorithm accepts as input a secret key and an arbitrary-length message to be authenticated, and
outputs a MAC

• MAC allow verifiers (who also possess the secret key) to detect any changes to the message content

• Same message can only generate matching MACs if the same secret key is used with the same
algorithms to generate both

• MAC does not necessarily need to be encrypted to provide the same level of assurance.

• MIC (message integrity code) is different from a MAC in that a secret key is not used in its operation
Message Authentication Code (MAC)
• A and B share a secret key

• A use the secret key to generate a symmetric digital signature (MAC)

• B use the secret key to verify the symmetric digital signature

A  B: M, CK(M)

52
MAC by Encrypted Hash
• Alice and Bob share a key

• Only hash code is encrypted

• Encrypted Hash code is concatenated to the message

• No confidentiality

A  B: M,EK[H(M)]
Digital Signature

54
Generating a Digital Signature
• Digital signatures are created by encrypting a hash of
the data with my private key
Hash
• Resulting encrypted data is the digital signature

• Hash can be decrypted by my public key Encrypt

Digital Signature Verification
Given some data with a signature, if you decrypt a signature with my public key and get the hash of
the data, you know it was encrypted with my private key (i.e. by me)

Hash

=?
Decrypt
Digital Signatures Summary

User A User B
Hash
Algorithm
Data
Data

Hash
Algorithm
User A
Public
Key
Hash Value

Hash Value

User A If hash values match,

Private data came from the
key owner of the private
Hash Value
key and is valid
MAC & Digital-Signatures
• MACs differ from digital signatures, as MAC values are both generated and verified using the same
secret key
• Sender and receiver of a message must agree on keys before initiating communications

• similar to symmetric encryption.

• MACs do not provide the property of non-repudiation:

• any user who can verify a MAC is also capable of generating MACs for other messages.

• Digital signatures do offer non-repudiation.

• Digital signature is generated using the private key of a key pair

• Since this private key is only accessible to its holder, a digital signature proves that a document was signed by
none other than that holder. Thus,
Using Asymmetric Encryption for Message Confidentiality & Integrity

Alice Bob

Sign with Aprivate check signature using Apublic

encrypt using Bpublic decrypt using Bprivate

Digital Certificates
Man in The Middle (MITM) Attack

PrK
PrK PrK

PuK PuK PuK

‫אני‬ ‫המתחזה‬ ‫אתה‬

61
Man in The Middle (MITM) Attack PrK

‫קובץ‬ ‫קובץ‬
PuK

‫אתה‬
PrK PuK PuK
PuK
‫קובץ‬ PrK
PuK
‫אני‬ ‫קובץ‬
PuK

PuK ‫המתחזה‬
‫קובץ‬

62
The Need for a Digital Certificate
• How do you know that you have my correct public key?

• The answer: A Digital Certificate

• It allows you to know that a given public key belongs to a given user

• Digital Certificates includes a name and a public key (among other things) ?
bundled together and signed by a trusted party (Issuer)
Digital Certificate

Digital Certificate is similar to passport or driver’s license

Name John Doe

Issuer 755 E. Woodlawn State of
Illinois
Public Key Urbana IL 61801 Seal
Signature BD 08-06-65
Male 6’0” 200lbs
GRN Eyes
X.509 Digital Certificate Basics
• Public key is given to the world encapsulated in a X.509 certificate

• X.509 certificate binds a public key to an identity (the subject)

• X.509 is created by a trusted third party (the issuer)

• X.509 is signed by the issuer using asymmetric digital signature

• Using issuer’s private key

Name
Issuer
Public Key
Signature
Digital Certificate Verification (1)
By checking the digital certificate signature, one can
determine that a public key belongs to a given user

Hash
Name
Issuer =?
Public Key Decrypt
Signature

Public Key from Issuer

Digital Certificate Verification (2)
public key from CA self signed certificate can be
used to verify certificates issued by the CA

Name Hash
Issuer
Public Key =?
Signature Decrypt

Name: CA
Issuer: CA
CA’s Public Key
CA’s Signature
Self-Signed Certificate Example

68
How Digital Certificate is Created?
Private
User Key Private/Public
Key Pair
Computer
Public
Key

Service
Application
Certification
Authority

Certified
Administrator
How Digital Certificate is Created?
• Client creates a pair of keys (using a software tool)

• one public and one private

• Client prepares a Certificate Signing Request (CSR) containing an unsigned certificate that includes

• user identity

• user’s domain name

• user's public key

• CSR is signed by user’s private key

• Client sends the CSR to a CA

How Digital Certificate is Created?
CA processes the CSR

• validates user identity

• validates domain ownership

• creates a signature by calculating the hash of the unsigned certificate and encrypting the hash with the
CA's private key

• attaches signature to the unsigned certificate

• returns the now signed certificate to the client

• If you are using TLS purely for communication over your own networks, it may be adequate to use
an internal CA and set your systems to trust it.

• The hassle and cost of setting up an internal CA often drives businesses to use external CA

• If data is sent over the Internet, the only way all parties can trust the certificate is if it was
issued by a trusted third-party CA.
Trusted Certificate
Authorities & PKI
Who Signs Certificates?
• A small set of trusted entities known as Trusted Certificate Authorities (CAs) Name

• CA exists only to sign user certificates Public Key

Issuer?
• CAs’ responsibilities:

• Verify the identity of the requestor

• Verify domain ownership for SSL certificates

• Revoke certificates when required

Name: CA
• CA signs it’s own certificate which is distributed in a trusted manner
Issuer: CA
CA’s Public Key
CA’s Signature
Certificates in Web Environment
Certificates in Web Environment
1. Certification Authority distributes its CA root certificate (the white one in diagram) via browser vendors to browsers.

• These root certificates reside in a "trust list" on the user's PC.

• All certificates issued by this CA will be trusted by default by the users.

2. Company that wants its website to be secured, purchases a website certificate at the CA (the green one in diagram).

• certificate is signed by the CA and guarantees the identity of the website to the users

3. When a user wants to visit the secure website, the web browser will first ask the web server for the certificate. If its
signature can be verified with the certificate of a CA in the trust list, the website certificate will be accepted.

• Then the website will be loaded into the browser, and all traffic between the browser and the website will be
secured by using SSL/LTS
Where is the “Trusted Root Certificates” List Stored?
Where is the “Trusted Root Certificates” List Stored?
• Many software products (OSs and browsers) come with a list of “trusted root certificates”

• Microsoft Windows includes a list of trusted root certificates

• Microsoft update the list periodically through Windows Update and their other updating
mechanisms.

• Many other operating systems have similar lists

• Applications may use the OS trusted root list or include their own trusted root list

• Some Web browsers on Windows use the Windows list

• Firefox uses its own list of “Trusted Root Cetrificate”.

The need for Chain of Certificates
• Alice wants Bob to believe that she owns a certain public key PK.

• Alice presents to Bob a Certificate, issued by her company “CA1”

Issuer Subject Name Subject PubKey Signature

CA1 Alice PK of CA1

• But

• Who is that company, “CA1”?

• Is CA1 trustworthy?

• Is “Signature of CA1” really the signature of CA1?

79
 Issuer Subject Name Subject PubKey Signature

CAT CAT of CAT

Issuer Subject Name Subject PubKey Signature

CAT CA2 of CAT

Issuer Subject Name Subject PubKey Signature

CA2 CA1 of CA2

Issuer Subject Name Subject PubKey Signature

CA1 Alice of CA1

Path Construction & Path Discovery

 Issuer Subject Name Subject PubKey Signature
CAT CAT of CAT

Issuer Subject Name Subject PubKey Signature

CAT CA2 of CAT

Issuer Subject Name Subject PubKey Signature

CA2 CA1 of CA2

Issuer Subject Name Subject PubKey Signature

CA1 Alice of CA1

Path Validation in Certificate Verification

Relying on a trusted/local copy of the root certificate CAT
Prove by induction : Issuer owns the claimed PubKey, CA2 , CA1 trustworthy.
Certificate Hierarchy Explained
• Signature on data can be verified by the signer's public key.

• Public key is linked to the owner's identity by a certificate.

• Link can be verified by verifying the certificate's signature, using the public key of the issuing CA.

• CA public key can be found inside the CA certificate, one layer upwards in the hierarchy.

• CA certificate will itself be signed by a CA another layer up.

• At the top of the hierarchy there is the “trusted root certificate“

• It is "self signed“

• It has to be trusted for its own sake.

Certificate Authority Hierarchy
SSL – Secure Web
Communication

86
Secure Communication Requirements
• Confidentiality/Privacy: information should be readable only by the intended receiver. i.e., protect the
information from being eavesdropped.

• Integrity/authenticity: receiver can confirm that a message has not been altered during transmission,
i.e., protect the message from tampering.

• Authentication: sender and/or receiver can verify that the other party is who he/she claims to be, i.e.,
validate the identity of the other party.

• Non-repudiation: sender cannot deny what he/she has done. e.g., if a transaction (e.g., a purchase) has
occurred between two parties, the non-repudiation service can prove that the sender really performed
the transaction him/herself
Transport Layer Security (TLS/SSL)

• Many application protocols include the use of cryptography as part of the application level protocol.

• Secure Sockets Layer (SSL) is a different approach - a new layer is added that provides a secure channel
over TCP (currently TCP only).

TLS/SSL Goals:

• A protocol layer that provides secure communication

• “Transparent” from TCP/IP networking

• “Transparent” to applications through API

SSL and TCP/IP Relationships

• SSL-protected HTTP (https on default port 443)

• SSL-protected SMTP <mail sending> (ssmtp on port 465)
• SSL-protected LDAP (ssl-ldap on port 636)
• SSL-protected POP3 <mail retrieval> (spop3 on port 995)
89
SSL Provides
• Mutual Authentication of communication partners to establish trust with the two parties

• Server authentication (mandatory)

• Client authentication (optional)

• Data Confidentiality using Encryption

• Support different encryption algorithms

• Data Integrity- protect messages against tampering and replay

• Use Message Authentication Codes (e.g. HMAC)

“SSL is symmetric encryption nested within public-key encryption, authenticated

through the use of certificates.”
SSL Protocol Architecture or SSL Two Layer Protocol
SSL
SSL Change SSL Alert
HTTP, other
Handshake Cipher Protocol
apps
Protocol Spec
Protocol

SSL Record
Protocol

TCP

SSL record protocol carries application data &SSL ‘management’ data

SSL Record Protocol
SSL Record Protocol – Security Functionality
• SSL record protocol provides secure channel to the upper layer

• Data-Confidentiality - using symmetric algorithm

• Stream encryption / Block encryption

• Data-Integrity (and data origin authentication)

• using MAC algorithm (e.g. HMAC, GMAC)

• Anti-Replay

• MAC includes 64 bit sequence number to detect replay attacks

SSL Record Protocol
• Fragment upper layer (e.g. application) message data to be transmitted into SSL-records

• Max record size 16,384 = 214 Bytes

• Bigger messages split into multiple records

• Each SSL record data is optionally compressed – not recommended any more (due to CRIME attack)

• Each SSL record data is encapsulate with appropriate header

• Symmetric digital signature (MAC) is computed over the record (and the header) and added to the record

• The record data and the MAC are encrypted

• The header plus the encrypted (data + MAC) is sent using the TCP protocol
SSL Record Protocol Operation
 SSL v3 Scenario: Encryption Process
How encrypted, MAC'd records are sent and received

In the handshake phase, client and server have verified each other's certificates, have agreed upon which algorithms to
use, and have agreed upon symmetric keys (both for encryption and for the MAC)

Information to be sent, Information received, to be

fragmented into records defragmented by the
application
Record Record

The sender adds a MAC

(key dependent hash). The receiver checks the MAC,
This enables verification of verifying the integrity of the
the integrity of the record record and who sent it
and that the sender held
the MAC key

Record MAC Record MAC

The sender encrypts the

record and the MAC using
The receiver decrypts the
a symmetric key
record and the MAC using
a symmetric key

Record MAC Record MAC

TCP/IP TCP/IP

96
SSL Handshake Protocol
SSL Handshake Goals
• Establish security capabilities/parameters

• Protocol version, compression method, session ID

• Negotiate the cipher suite to be used

• SSL protocol accepts many Cipher Suites

• Perform Server Authentication

• Perform Client Authentication (optional)

• Establish a shared secret (session key)

• Shared secret is used to derive all connection keys.

SSL Cipher Suite
• SSL Symmetric Encryption Algorithm
• no encryption
• stream ciphers
• block ciphers
• SSL Hash (Digest) Function
• Used to create a MAC for every record to provide integrity
• Supports: no digest, MD5, SHA-(1/2/256)
• SSL Key Exchange Algorithm
• RSA, Diffie-Hellman (DH), ECDH, SRP, PSK
• SSL Digital Signature algorithm for Server (and Client) Authentication
• RSA, DSA, ECDSA
100
Perfect Forward Secrecy (PFS)
• Secure communication protocol is said to have forward secrecy if compromise of long-term secret keys
or passwords does not compromise past session keys

• PFS ensures that encrypted communications and sessions recorded in the past cannot decrypted should
long-term secret keys or passwords be compromised in the future

• => compromise of one message cannot compromise others as well

• => there is no one secret value whose acquisition would compromise multiple messages

• Any cipher with PFS property must use keys with effectively the same requirements as OTP keys.

• Public-key system has the PFS property if it generates one random public key per session to complete
a key agreement, without using a deterministic algorithm
101
102
 SSL v3 Scenario: How SSL Works

The Handshake
module is called
when a
Signals connection is
change in started or
cipher resumed
strategy
Client Server Signals
Application Application Errors
(HTTP Client) (HTTP Server)

SSL
SSL SSL
Change
Alert Handshake
Cipher

SSL SSL

SSL Record Layer

TCP/IP TCP/IP The Record Layer receives uninterpreted data in

blocks of arbitrary size.
Fragmentation: It converts data into records of
reasonable length (16k or shorter)
Compression: It may compress records
Encryption: It protects records with encryption &
Client Server MACs
Certificate Usability Issues

Attackers often use self created certificates

and the browser will alert on these
Does client understand meaning of certificate
expiry and other security warnings?
SSL/TLS Notes
SSL Limitations
• Protocol limitations

• Requires connection-oriented transport protocol such as TCP

• There it a DTLS version that can be used for application protocols using UDP

• Does not support non-repudiation

• Relies on the security of the cryptographic algorithms used

• Environmental limitation

• Security provided only on the transmission network

• The path to the network and from the network is not secured
SSL to Secure e-Commerce Applications
• Client authentication not needed until client decides to buy something.

• Client authenticated using credit card information

• SSL provides secure channel for sending credit card information.

• Open Issues even if SSL is used

• No guarantees about what happens to client data (including credit card details) after session:
may be stored on insecure server.

• Is the client/server software proposing appropriate cipher-suites?

SSL to Secure e-Banking Applications
• SSL provides secure channel for sending

• Authentication information (e.g. username, password)

• The banking transactions

• Is client software proposing appropriate cipher-suites?

• Enforce cipher-suite from server.

• Client authentication may be enabled using client certificates.

• Using client certificates raise the issues of:

• PKI infrastructure (issuing, revocation and re-issue)

• Secure storage of private keys by the client

SSL Doesn’t Prevent Delivery of Malicious Content
• Malicious content is introduced in the request/response before the it is encrypted by the Secure
Socket Layer (SSL) established between the client and the legitimate server.

• SSL makes no attempt to validate the legitimacy of data transmitted.

• Because there is a legitimate SSL connection between the client and the server, SSL reports no
problems
Source: Jeremiah Grossman, BlackHat 2001
Securing Network Communications
• Working assumption should always be, that an attacker can install a sniffer to capture sensitive
information, transmitted over the network

• Not encrypting sensitive communications means that attacker who can sniff traffic from the network
will be able to access credentials or other sensitive information transmitted.

• Encrypting sensitive data, such as credit cards and social security numbers, has become a privacy and
financial regulation for many organizations.

• PCI requires that all credit card information being transmitted over the internet be encrypted

• Neglecting to use SSL for connections handling such data creates a compliance risk.
Securing Network Communications
• Securing communication with end users is critical, as they are very likely to be using insecure networks
to access web applications

• SSL should be used whenever sensitive or value data, (e.g. credit card details, health and other private
information) is being transmitted

• SSL should be used on any authenticated connection

• Web applications are using authentication or session token for authenticated connections.

• Since HTTP includes authentication credentials or a session token with every single request, all
authenticated traffic needs to go over SSL, not just the actual login request.
Vulnerabilities Related
to Data Exposure
OWASP Top-10 2013

114
OWASP Top-10 2017

115
116
117
118