
Web security: SSL and TLS

What are SSL and TLS?


SSL: Secure Sockets Layer
TLS: Transport Layer Security
Both provide a secure transport connection between applications (e.g., a web server and a browser).

Approaches to provide web security

Sessions and connections


Sessions:
  an SSL session is an association between a client and a server
  sessions are stateful; the session state includes security algorithms and parameters
  session state is identified using ID, certificate, compression method, cipher spec, etc.
Connections:
  connections define the type of service
  connections are identified using server/client MAC, server/client write key, IVs, etc.
  connections may be closed without affecting sessions
Sessions are used to avoid expensive negotiation of new security parameters for each connection.

SSL architecture

SSL protocol stack (top to bottom):
  SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | applications (e.g., HTTP)
  SSL Record Protocol
  TCP
  IP

SSL components:
  SSL Handshake Protocol
  SSL Record Protocol
  SSL Alert Protocol
  SSL Change Cipher Spec Protocol

SSL Record Protocol processing overview


Processing applied to application data, in order:
  1. fragmentation
  2. compression
  3. message authentication (MAC) and encryption (with padding if necessary)

SSL record header fields: content type, major and minor version, compressed length

SSL Alert Protocol


An alert message has two fields, Level and Alert:
  first field (byte): warning or fatal
  second field (byte): the specific alert
    fatal: unexpected_message, bad_record_mac, decompression_failure, handshake_failure, illegal_parameter
    warning: close_notify, no_certificate, bad_certificate, unsupported_certificate, certificate_revoked, certificate_expired, certificate_unknown

SSL Change Cipher Spec Protocol


Changes pending state to current state.

SSL Handshake Protocol - format


Message layout: Type | Length | Content (params)

Type (1 byte): one of the 10 messages used in the handshake
Length (3 bytes): length of the message in bytes
Content: parameters that are passed in the message, e.g., client_hello (version, session ID, cipher suite, compression method)
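
The record header and handshake message layout described above, as an added example that is not part of the original slides: a parser for one record carrying a complete client_hello. The record header field widths (1-byte content type, 1-byte major and minor version, 2-byte length), the 32-byte client random and the constructed SAMPLE bytes are not on the slides; they follow the SSL 3.0 wire format.

```python
import struct

HANDSHAKE = 22     # record content type that carries handshake messages
CLIENT_HELLO = 1   # handshake message type

def parse_client_hello_record(data: bytes) -> dict:
    """Parse one SSL/TLS record holding a complete client_hello."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    frag = data[5:5 + rec_len]
    if len(frag) != rec_len or rec_len < 4:
        raise ValueError("record length does not match captured bytes")
    msg_type = frag[0]
    msg_len = int.from_bytes(frag[1:4], "big")    # 3-byte length field
    body = frag[4:4 + msg_len]
    if msg_type != CLIENT_HELLO or len(body) != msg_len:
        raise ValueError("not a complete client_hello")
    pos = 0
    def take(n):
        # Bounds-checked read: never trust a length field taken from the wire.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("length field points past end of message")
        chunk = body[pos:pos + n]
        pos += n
        return chunk
    version = tuple(take(2))
    take(32)                                      # client random
    session_id = take(take(1)[0])
    suites_raw = take(int.from_bytes(take(2), "big"))
    if len(suites_raw) % 2:
        raise ValueError("odd cipher suite list length")
    suites = [int.from_bytes(suites_raw[i:i + 2], "big")
              for i in range(0, len(suites_raw), 2)]
    compression = list(take(take(1)[0]))
    return {"record_version": (major, minor), "hello_version": version,
            "session_id": session_id, "cipher_suites": suites,
            "compression_methods": compression}

# Constructed sample: SSL 3.0 client_hello, empty session ID,
# suites 0x000a and 0x0005, null compression.
_body = (bytes([3, 0]) + bytes(32) + b"\x00"
         + b"\x00\x04\x00\x0a\x00\x05" + b"\x01\x00")
_msg = bytes([CLIENT_HELLO]) + len(_body).to_bytes(3, "big") + _body
SAMPLE = struct.pack("!BBBH", HANDSHAKE, 3, 0, len(_msg)) + _msg
```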


Cipher spec includes


  Encryption algorithm
  MAC algorithm
  Cipher type: block or stream
  Hash size
  IV
  etc.

SSL Handshake Protocol overview


Phase 1: ESTABLISH SECURITY CAPABILITIES
Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers and version.
  client -> server: client_hello
  server -> client: server_hello

Phase 2: SERVER AUTHENTICATION AND KEY EXCHANGE
Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase.
  server -> client: certificate, server_key_exchange, certificate_request, server_hello_done

Phase 3: CLIENT AUTHENTICATION AND KEY EXCHANGE
Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message.
  client -> server: certificate, client_key_exchange, certificate_verify

Phase 4: FINISH
Change cipher spec and finish handshake.
  client -> server: change_cipher_spec, finished
  server -> client: change_cipher_spec, finished

Supported key exchange methods


RSA based (SSL_RSA_with...)
  the secret key (pre-master secret) is encrypted with the server's public RSA key
  the server's public key is made available to the client during the exchange

fixed Diffie-Hellman (SSL_DH_RSA_with... or SSL_DH_DSS_with...)
  the server has fixed DH parameters contained in a certificate signed by a CA
  the client may have fixed DH parameters certified by a CA, or it may send an unauthenticated one-time DH public value in the client_key_exchange message

ephemeral Diffie-Hellman (SSL_DHE_RSA_with... or SSL_DHE_DSS_with...)
  both the server and the client generate one-time DH parameters
  the server signs its DH parameters with its private RSA or DSS key
  the client may authenticate itself (if requested by the server) by signing the hash of the handshake messages with its private RSA or DSS key

anonymous Diffie-Hellman
  both the server and the client generate one-time DH parameters
  they send their parameters to the peer without authentication

Fortezza
  Fortezza proprietary key exchange scheme

TLS vs. SSL


version number
  for TLS the current version number is 3.1

MAC
  TLS uses HMAC
  the MAC covers the version field of the record header too
  the padding bytes are XORed with the secret key rather than concatenated

more alert codes

cipher suites
  TLS doesn't support Fortezza key exchange and Fortezza encryption
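
The MAC differences listed above, as an added example that is not part of the original slides: the SSL 3.0 record MAC next to the TLS 1.0 HMAC, with HMAC written out by hand to show the pads being XORed into the key. The pad lengths, the field order, the choice of SHA-1 and the sample secret and fragment are assumptions taken from the SSL 3.0 and TLS 1.0 record formats, not from the slides.

```python
import hashlib
import hmac
import struct

def ssl3_mac(secret, seq, ctype, fragment, hash_name="sha1"):
    """SSL 3.0: secret concatenated with pad bytes; record version not covered."""
    pad_len = 48 if hash_name == "md5" else 40
    fields = struct.pack("!QBH", seq, ctype, len(fragment)) + fragment
    inner = hashlib.new(hash_name, secret + b"\x36" * pad_len + fields).digest()
    return hashlib.new(hash_name, secret + b"\x5c" * pad_len + inner).digest()

def hmac_by_hand(secret, msg, hash_name="sha1"):
    """HMAC written out: pad bytes are XORed into the key, not appended to it."""
    block = hashlib.new(hash_name).block_size
    if len(secret) > block:                      # long keys are hashed first
        secret = hashlib.new(hash_name, secret).digest()
    key = secret.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def tls_mac(secret, seq, ctype, version, fragment, hash_name="sha1"):
    """TLS 1.0: HMAC over seq_num, type, version, length, fragment."""
    header = struct.pack("!QBBBH", seq, ctype, version[0], version[1],
                         len(fragment))
    return hmac_by_hand(secret, header + fragment, hash_name)

def tls_record_ok(secret, seq, ctype, version, fragment, tag):
    """Receiver-side check; constant-time comparison of the MAC."""
    expected = tls_mac(secret, seq, ctype, version, fragment)
    return hmac.compare_digest(expected, tag)

# Constructed sample values (not from the slides).
SECRET = bytes(range(20))
FRAGMENT = b"GET / HTTP/1.0\r\n\r\n"
APPLICATION_DATA = 23
```

A record whose header version is changed from 3.1 to 3.0 in transit fails `tls_record_ok`, while `ssl3_mac` has no version input at all and cannot notice the change.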


SET
Secure Electronic Transaction

Provides services like:
  Confidentiality: all messages encrypted
  Trust: all parties must have digital certificates
  Privacy: information made available only when and where necessary

Components of SET


SET Transactions


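Participants: customer, merchant, payment gateway

Message sequence:
  1. Initiate request (customer to merchant)
  2. Initiate response (merchant to customer)
  3. Purchase request (customer to merchant)
  4. Authorization request (merchant to payment gateway)
  5. Authorization response (payment gateway to merchant)
  6. Purchase response (merchant to customer)
  7. Capture request (merchant to payment gateway)
  8. Capture response (payment gateway to merchant)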

Dual Signature


DS Verification by Merchant

Compare H(PIMD || H(OI)) with D_KUc[DS]

DS Verification by Bank

Compare H(H(PI) || OIMD) with D_KUc[DS]
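
The two verification formulas above, as an added example that is not part of the original slides: a dual signature is created once by the customer and checked by the merchant (who sees OI and PIMD, never PI) and by the bank (who sees PI and OIMD, never OI). Assumptions: DS = E_KRc[H(H(PI) || H(OI))] as implied by those formulas, SHA-256 standing in for H, and a toy textbook-RSA key built from two Mersenne primes standing in for the customer's certified key pair; the PI and OI strings are constructed.

```python
import hashlib

# Toy textbook-RSA key for the customer (illustration only: no padding,
# publicly known primes). Real SET uses certified, padded RSA keys.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                       # KUc: customer's public key
D = pow(E, -1, (P - 1) * (Q - 1))         # KRc: customer's private exponent

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def to_int(digest: bytes) -> int:
    return int.from_bytes(digest, "big")

def dual_signature(pi: bytes, oi: bytes) -> int:
    """Customer: DS = E_KRc[ H( H(PI) || H(OI) ) ]."""
    return pow(to_int(H(H(pi) + H(oi))), D, N)

def recover(ds: int) -> int:
    """D_KUc[DS]: open the signature with the customer's public key."""
    return pow(ds, E, N)

def merchant_verify(pimd: bytes, oi: bytes, ds: int) -> bool:
    """Merchant holds OI and PIMD only: H(PIMD || H(OI)) vs D_KUc[DS]."""
    return to_int(H(pimd + H(oi))) == recover(ds)

def bank_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Bank holds PI and OIMD only: H(H(PI) || OIMD) vs D_KUc[DS]."""
    return to_int(H(H(pi) + oimd)) == recover(ds)

# Constructed sample payment and order information.
PI = b"card=XXXX-XXXX-XXXX-0000;amount=49.90;txn=1001"
OI = b"item=book;qty=1;amount=49.90;txn=1001"
```

Because both digests are bound under one signature, swapping in a different OI or PI makes the corresponding check fail even though neither verifier ever sees the other party's data.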


Payment Processing
  Purchase Request
  Payment Authorization
  Payment Capture

Purchase Request

Browsing, selecting, and ordering is done.
Purchasing involves 4 messages:
  Initiate Request
  Initiate Response
  Purchase Request
  Purchase Response

Purchase Request: initiate request


The customer requests the certificates in the Initiate Request message to the merchant. The message includes:
  Brand of credit card
  ID assigned to this request/response pair by the customer
  Nonce

Purchase Request: Initiate Response


The merchant generates a response and signs it with its private signature key. The response includes:
  Customer nonce
  Merchant nonce (returned in next message)
  Transaction ID for the purchase transaction
In addition:
  Merchant's signature certificate
  Payment gateway's key exchange certificate

Purchase request message


Sent from the cardholder to the merchant.

  1. Purchase-related information: Payment Information, dual signature, OIMD. This message is forwarded by the merchant to the payment gateway.
  2. Order-related information: OI, dual signature, PI
  3. Cardholder certificate

Purchase Request


Merchant Verifies Purchase Request


Purchase Response Message


Prepared on receiving the payment request: after verifying the certificates and the dual signature, the merchant processes the order information and generates the purchase response.

The message acknowledges the order and references the corresponding transaction number.

The block is signed by the merchant using its private key. The block and signature are sent to the customer along with the merchant's signature certificate.

Upon reception the customer:
  Verifies the merchant certificate
  Verifies the signature on the response block
  Takes the appropriate action

Payment Authorization
The merchant sends an authorization request message to the payment gateway consisting of the following:
  Purchase-related information
    PI
    Dual signature calculated over the PI and OI and signed with the customer's private key
    The OI message digest (OIMD)
    The digital envelope
  Authorization-related information
  Certificates

Payment Authorization (contd)


Authorization-related information
  An authorization block including:
    A transaction ID
    Signed with the merchant's private key
    Encrypted one-time session key

Certificates
  Cardholder's signature key certificate
  Merchant's signature key certificate
  Merchant's key exchange certificate

Payment: Payment Gateway


  1. Verify all certificates
  2. Decrypt the authorization block digital envelope to obtain the symmetric key and decrypt the block
  3. Verify the merchant signature on the authorization block
  4. Decrypt the payment block digital envelope to obtain the symmetric key and decrypt the block
  5. Verify the dual signature on the payment block
  6. Verify that the transaction ID received from the merchant matches the PI received from the customer
  7. Request and receive issuer authorization

Verification by the Payment gateway

[Figure: verification by the payment gateway. Recoverable labels: PIMD, KUc, D, Ks, D, POMD, Compare, PRb, Accept/reject]

Authorization Response
Authorization Response Message
  Authorization-related information
  Capture token information
  Certificate
