Outline

• SSL
• Quiz
• IPSec

Secure Socket Layer -- What is the socket layer?

• The "Socket layer" lives between application and transport layers
• SSL usually between HTTP and TCP

What is SSL?

• SSL is the protocol used for majority of secure transactions on the Internet
• For example, if you want to buy a book at amazon.com...
  • You want to be sure you are dealing with Amazon (authentication)
  • Your credit card information must be protected in transit (confidentiality and/or integrity)
  • As long as you have money, Amazon does not care who you are
  • So, no need for mutual authentication

Simple SSL-like Protocol

• Is Alice sure she's talking to Bob?
• Is Bob sure he's talking to Alice?

Simplified SSL Protocol

• S is known as pre-master secret
• `K = h(S,R_A,R_B)`
• msgs means all previous messages
• CLNT and SRVR are constants

SSL Keys

• 6 "keys" derived from `K = h(S,R_A,R_B)`
  • 2 encryption keys: send and receive
  • 2 integrity keys: send and receive
  • 2 IVs: send and receive
  • Why different keys in each direction?
• Q: Why is `h(msgs,CLNT,K)` encrypted?
• A: Apparently, it adds no security...

SSL Authentication

• Alice authenticates Bob, not vice-versa
  • How does client authenticate server?
  • Why would server not authenticate client?
• Mutual authentication is possible: Bob sends certificate request in message 2
  • Then client must have a valid certificate
  • But, if server wants to authenticate client, server could instead require password

SSL MiM Attack?

• Q: What prevents this MiM attack?
• A: Bob's certificate must be signed by a certificate authority (CA)
• What does browser do if signature not valid?
• What does user do when browser complains?

SSL Sessions vs Connections

• An SSL session is established as shown on previous slides
• SSL designed for use with HTTP
• HTTP often opens multiple simultaneous (parallel) connections
• SSL session is costly, public key operations
• SSL has an efficient protocol for opening new connections given an existing session

SSL Connection

• Assuming SSL session exists
• So, S is already known to Alice and Bob
• Both sides must remember session-ID
• Again, `K = h(S,R_A,R_B)`
• No public key operations! (relies on known S)

SSL vs IPSec

• IPSec -- discussed in next section
  • Lives at the network layer (part of the OS)
  • Covers encryption, integrity, authentication, etc.
  • Is overly complex, has some security issues
• SSL (and IEEE standard known as TLS)
  • Lives at socket layer (part of user space)
  • Encryption, integrity, authentication, etc.
  • Relatively simple and elegant specification

SSL vs IPSec

• IPSec: OS must be aware, but not apps
• SSL: Apps must be aware, but not OS
• SSL built into Web early-on (Netscape)
• IPSec often used in VPNs (secure tunnel)
• Reluctance to retrofit applications for SSL
• IPSec not widely deployed (complexity, etc.)
• The bottom line...
• Internet less secure than it should be!

Quiz

Which of the following is true?

1. We gave a protocol for perfect forward security that did not involve forgetting anything.
2. If timestamps are used rather than nonces, replay attacks might become possible where they weren't before.
3. We gave a potentially successful man-in-the-middle attack for SSH.

IPSec and SSL

• IPSec lives at the network layer
• IPSec is transparent to applications

IPSec and Complexity

• IPSec is a complex protocol
• Over-engineered -- Lots of (generally useless) features
• Flawed -- Some significant security issues
• Interoperability is serious challenge -- Defeats the purpose of having a standard!

IKE and ESP/AH

• Two parts to IPSec
• IKE: Internet Key Exchange
  • Mutual authentication
  • Establish session key
  • Two "phases" -- like SSL session/connection
• ESP/AH
  • ESP: Encapsulating Security Payload -- for encryption and/or integrity of IP packets
  • AH: Authentication Header -- integrity only

IKE

• IKE has 2 phases -- (Phase 1) IKE security association, SA; (Phase 2) AH/ESP security association
• Phase 1 is comparable to SSL session
• Phase 2 is comparable to SSL connection
• Not an obvious need for two phases in IKE
• If multiple Phase 2's do not occur, then it is more costly to have two phases!

IKE Phase 1 Versions

• Four different "key" options
  • Public key encryption (original version)
  • Public key encryption (improved version)
  • Public key signature
  • Symmetric key
• For each of these, two different "modes" -- Main mode and aggressive mode
• There are 8 versions of IKE Phase 1!
• Need more evidence it's over-engineered?

IKE Phase 1 - Specific Version Cases

• We discuss 6 of 8 Phase 1 variants
  • Public key signatures (main and aggressive modes)
  • Symmetric key (main and aggressive modes)
  • Public key encryption (main and aggressive)
• Why public key encryption and public key signature
  • Always know your own private key
  • May not (initially) know other side's public key

IKE Phase 1 -- Session Key

• Uses ephemeral Diffie-Hellman to establish session key -- Provides perfect forward secrecy (PFS)
• Let `a` be Alice's Diffie-Hellman exponent
• Let `b` be Bob's Diffie-Hellman exponent
• Let `g` be generator and `p` prime
• Recall that `p` and `g` are public

IKE Phase 1: Digital Signature (Main Mode)

• `CP =` crypto proposed, `CS =` crypto selected
• `IC =` initiator "cookie", `RC =` responder "cookie"
• `K = h(IC,RC,g^(ab) mod p,R_A,R_B)`
• `SKEYID = h(R_A, R_B, g^(ab) mod p)`
• `p\r\o\o\f_A = [h(SKEYID,g^a mod p,g^b mod p,IC,RC,CP,"Alice")]_(Alice)`

IKE Phase 1: Public Key Signature (Aggressive Mode)

• Main difference from main mode
  • Not trying to protect identities
  • Cannot negotiate `g` or `p`

Main vs Aggressive Modes

• Main mode MUST be implemented
• Aggressive mode SHOULD be implemented -- So, if aggressive mode is not implemented, "you should feel guilty about it"
• Might create interoperability issues
• For public key signature authentication
  • Passive attacker knows identities of Alice and Bob in aggressive mode, but not in main mode
  • Active attacker can determine Alice's and Bob's identity in main mode

IKE Phase 1: Symmetric Key (Main Mode)

• Same as signature mode except:
  • `K_(AB)` = symmetric key shared in advance
  • `K = h(IC,RC,g^(ab) mod p,R_A,R_B,K_(AB)`)
  • `SKEYID = h(K, g^(ab) mod p)`
  • `p\r\o\o\f_A = h(SKEYID,g^a mod p,g^b mod p,IC,RC,CP,"Alice")`

Problems with Symmetric Key (Main Mode)

• Catch-22
  • Alice sends her ID in message 5
  • Alice's ID encrypted with `K`
  • To find `K` Bob must know `K_(AB)`
  • To get `K_(AB)` Bob must know he's talking to Alice!
• Result: Alice's ID must be IP address!
• Useless mode for the "road warrior"
• Why go to all of the trouble of trying to hide identities in 6 message protocol?