Chapter 19: SSL/TLS
- Secure Sockets Layer (SSLv2 and SSLv3)
- Transport Layer Security (TLS)
- Socket layer --- between application and transport layer
- SSL/TLS sits between layer 4 (transport) and layer 5 (application): above TCP, below the application
- IPsec provides security at layer 3; SSL/TLS (and SSH) provide it "at layer 4", i.e. on top of TCP
- Comparison of SSL and IPsec
- Layer 4 and below is part of OS
- Above layer 4 is user space
- With SSL, no change to OS required
- IPsec implemented in OS
- API to SSL is a superset of the socket API to TCP
- With SSL, minor changes to applications (open an SSL socket instead of a plain TCP socket)
- With SSL, DoS is easy: an attacker who can inject one bogus TCP segment with the right sequence number and checksum corrupts the byte stream, the next SSL record fails its MAC check, and SSL tears the connection down with a fatal alert
- With IPsec, DoS is not so easy: a bogus packet fails its integrity check and is discarded at layer 3 before TCP ever sees it, so the connection survives
- SSL protects the byte stream, IPsec protects packets
- With IPsec, applications automatically protected (in principle, no modification to apps required)
- With IPsec, unmodified apps only authenticate IP address (but can send name and password under IPsec)
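The byte-stream versus packet distinction above, as an added simulation (not code from the lecture notes): a simplified SSL record layer that MACs each record over a sequence number, and an IPsec-style receiver that authenticates every packet independently. The key, the messages and the bogus segment are constructed for the demo, and the record framing (2-byte length, payload, 20-byte HMAC) is a stand-in for the real SSL record header; the point it shows is that one injected segment aborts the whole SSL connection, while one bogus packet costs IPsec only that packet.

```python
import hashlib
import hmac
import struct

MAC_LEN = 20
KEY = b"constructed-demo-key"  # constructed; real keys come from the handshake
MESSAGES = [b"GET /index.html", b"Cookie: session=abc", b"Accept: */*"]  # constructed plaintext


def tag(key, seq, payload):
    """HMAC over sequence number and payload (real SSL also covers type, version and length)."""
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha1).digest()


def ssl_send(key, messages):
    """Frame each message as a record [2-byte length][payload][MAC]; concatenate into one byte stream."""
    stream = b""
    for seq, m in enumerate(messages):
        stream += struct.pack(">H", len(m)) + m + tag(key, seq, m)
    return stream


def ssl_receive(key, stream):
    """Parse the stream in order; the first record with a bad MAC is fatal and ends the connection."""
    delivered, seq, pos = [], 0, 0
    while pos < len(stream):
        if pos + 2 > len(stream):
            return delivered, "fatal: decode_error"
        (n,) = struct.unpack(">H", stream[pos:pos + 2])
        rec = stream[pos + 2:pos + 2 + n + MAC_LEN]
        if len(rec) != n + MAC_LEN:
            return delivered, "fatal: decode_error"
        payload, mac = rec[:n], rec[n:]
        if not hmac.compare_digest(mac, tag(key, seq, payload)):
            return delivered, "fatal: bad_record_mac"
        delivered.append(payload)
        seq += 1
        pos += 2 + n + MAC_LEN
    return delivered, "ok"


def ipsec_send(key, messages):
    """One independently authenticated packet per message: (seq, payload, ICV)."""
    return [(seq, m, tag(key, seq, m)) for seq, m in enumerate(messages)]


def ipsec_receive(key, packets):
    """Check each packet on its own; a bad ICV drops that packet only (no replay window modelled)."""
    delivered, dropped = [], 0
    for seq, payload, icv in packets:
        if hmac.compare_digest(icv, tag(key, seq, payload)):
            delivered.append(payload)
        else:
            dropped += 1
    return delivered, dropped


def inject_into_stream(stream, bogus, offset):
    """Attacker who knows the TCP sequence number splices one bogus segment into the stream."""
    return stream[:offset] + bogus + stream[offset:]


# One bogus segment, shaped like a record so that TCP and the record parser both accept its framing.
BOGUS_RECORD = struct.pack(">H", 4) + b"junk" + bytes(MAC_LEN)
BOGUS_PACKET = (1, b"junk", bytes(MAC_LEN))
FIRST_RECORD_END = 2 + len(MESSAGES[0]) + MAC_LEN


def demo_ssl():
    """Stream with the bogus segment spliced in after the first record."""
    stream = inject_into_stream(ssl_send(KEY, MESSAGES), BOGUS_RECORD, FIRST_RECORD_END)
    return ssl_receive(KEY, stream)


def demo_ipsec():
    """Packet list with the bogus packet inserted after the first genuine one."""
    packets = ipsec_send(KEY, MESSAGES)
    packets.insert(1, BOGUS_PACKET)
    return ipsec_receive(KEY, packets)


if __name__ == "__main__":
    print("SSL  :", demo_ssl())    # only the first record is delivered, then a fatal alert
    print("IPsec:", demo_ipsec())  # the bogus packet is dropped, all three messages arrive
```

SSL cannot do better than abort: once TCP has accepted the injected bytes they are part of the stream, and there is no way to tell which bytes to discard. IPsec verifies before anything is handed to TCP, so the damage stays at one packet.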
- History
- SSLv2 deployed in Netscape Navigator 1.1 in 1995
- Microsoft PCT soon after
- SSLv3 (by Netscape) soon after
- IETF decided 3 incompatible protocols was bad idea, so they created 4th incompatible protocol, TLS (TLS 1.0 is a close relative of SSLv3, but the two do not interoperate)
- SSLv3 was the most common version when this was written; it has since been deprecated (RFC 7568) and current deployments use TLS 1.2 or TLS 1.3
- Simplified SSLv3/TLS
- Implications
- Alice authenticates Bob, but not vice-versa
- Usually, client authenticates server, server does not authenticate client
- Client verifies signature on server certificate (must chain to a CA the client trusts)
- Optionally, can do mutual authentication (client must have certificate; Bob sends "certificate request" in message 2 and Alice returns her certificate plus a signature proving she holds the private key)
- S is the "pre-master secret"; the master secret, and from it the session keys, is derived from S together with the nonces Alice and Bob exchanged in the first two messages
- Keyed hash includes a different constant in each direction, so Bob's hash is not simply Alice's hash replayed
- Strangely, the keyed hash is itself encrypted and integrity protected under the new keys, although a keyed hash needs no further protection
- Six quantities derived: 2 encryption keys, 2 integrity (MAC) keys and 2 IVs, one of each for each direction
- SSL assumes a session is long lived with many connections (designed for HTTP 1.0, which opens a new TCP connection for every request)
- Session establishment is expensive (public key operations, new pre-master secret), connection establishment is cheap (fresh keys derived from the existing master secret and new nonces)
- Session initiation (no previous state): full handshake
- Session resumption (previous state): abbreviated handshake, client presents the session ID from an earlier session
- PKI
- Version numbers
- Negotiating cipher suites
- Negotiating compression method (compressing secret data under TLS later turned out to be dangerous; see the CRIME attack, 2012)
- Downgrade attack --- active attacker can remove strong ciphers from the "cipher" list in the first message, so both sides settle on a weak one (fixed in SSLv3, whose keyed hashes cover the whole handshake and thus expose the tampering)
- Truncation attack --- SSLv2 depends on TCP termination to end the session, so an attacker can forge a TCP FIN and silently cut off data (fixed in SSLv3 by the close_notify alert, which must be received before the connection counts as cleanly closed)
- Encrypted data format
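The key derivation ("six quantities" from the pre-master secret S), the direction-specific keyed hash, and the SSLv3 fix for the downgrade attack, as one added worked example (not code from the lecture notes). It implements the TLS 1.0 PRF and key expansion from RFC 2246 (SSLv3's own PRF is a different MD5/SHA-1 construction); the randoms, the pre-master secret and the "hello" messages are constructed, and the hello messages are plain labelled byte strings rather than real wire format. The last function shows why covering the handshake transcript defeats cipher stripping: the client MACs the cipher list it sent, the server checks against the list it received, and the two no longer agree.

```python
import hashlib
import hmac

# Constructed sample values; a real handshake uses fresh 32-byte randoms and a
# 48-byte pre-master secret S that the client encrypts under the server's public key.
CLIENT_RANDOM = bytes(range(0, 32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x01" + bytes(range(100, 146))  # version bytes + 46 constructed bytes


def p_hash(hash_name, secret, seed, length):
    """TLS 1.0 P_hash: A(0)=seed, A(i)=HMAC(secret, A(i-1)); output is HMAC(secret, A(i)||seed) blocks."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha1_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def master_secret(pre_master, client_random, server_random):
    """S plus both nonces gives the 48-byte master secret."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, mac_len=20, key_len=16, iv_len=16):
    """Expand the master secret into the six quantities (note: server random comes first here)."""
    layout = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    kb = prf(master, b"key expansion", server_random + client_random, sum(n for _, n in layout))
    keys, pos = {}, 0
    for name, n in layout:
        keys[name] = kb[pos:pos + n]
        pos += n
    return keys


def finished(master, label, transcript):
    """verify_data = PRF(master, label, MD5(transcript)||SHA1(transcript))[:12]; label differs per direction."""
    digests = hashlib.md5(transcript).digest() + hashlib.sha1(transcript).digest()
    return prf(master, label, digests, 12)


# Constructed handshake messages (not real wire format); the transcript is their concatenation.
CLIENT_HELLO = b"ClientHello:" + CLIENT_RANDOM + b":TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5"
STRIPPED_HELLO = b"ClientHello:" + CLIENT_RANDOM + b":TLS_RSA_WITH_RC4_128_MD5"  # attacker removed AES
SERVER_HELLO = b"ServerHello:" + SERVER_RANDOM + b":TLS_RSA_WITH_RC4_128_MD5"


def server_accepts_client_finished(client_view, server_view):
    """Client MACs the transcript it sent; server checks against the transcript it received."""
    master = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    sent = finished(master, b"client finished", client_view)
    expected = finished(master, b"client finished", server_view)
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    master = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    for name, value in key_block(master, CLIENT_RANDOM, SERVER_RANDOM).items():
        print(f"{name:24s} {value.hex()}")
    honest = CLIENT_HELLO + SERVER_HELLO
    print("honest handshake accepted :", server_accepts_client_finished(honest, honest))
    print("stripped ciphers accepted :", server_accepts_client_finished(honest, STRIPPED_HELLO + SERVER_HELLO))
```

In SSLv2 there was no transcript hash, so the stripped cipher list went unnoticed and the attacker could force the weakest cipher both sides supported; here the mismatch makes the server reject the client's Finished and abort.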