SlideShare ist ein Scribd-Unternehmen logo

SSl/TLS Analysis

Duduman Bogdan Vlad
Duduman Bogdan Vlad
IngenieurwesenTechnologieBildung
1 von 38
Downloaden Sie, um offline zu lesen
08 Mai 2014! Security Protocols: Modelling and Verification! Prof. Indrumator - Cătălin Bîrjoveanu " Duduman Bogdan Vlad! 1 TLS/SSL (Analysis) Text
Overview 1. Introduction to the SSL / TLS protocol! • Widely deployed, “real-world” security protocol! • Well-understood, with detailed specifications! • Good benchmark for analysis techniques! 2. Protocol analysis! • //Starting with the RFC describing the protocol! 3. Tools
What is TLS/SSL? ❖ Standard for Internet security! ❖ “The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications ”! ❖ In practice, used to protect information transmitted between browsers and Web servers! ❖ Based on Secure Sockets Layers protocol, ver 3.0! • Same protocol design, different algorithms! ❖ Deployed in nearly every web browser
SSL / TLS in the Real World
TCP/IP - TLS/SSL (1)
TCP/IP - TLS/SSL (2)
TLS (Transport Layer Security) ❖ Provides a layer between TCP and Application ! ❖ Itself a layered protocol: Handshake over Record ! ❖ Record (sub)protocol! ❖ provides a private and reliable connection! ❖ Handshake (sub)protocol! ❖ authenticates one or both parties, negotiates security parameters! ❖ establishes secret connection keys for the Record protocol
TCP/IP - TLS/SSL (2)
History of the Protocol ❖ SSL 1.0! ❖ Netscape completed the design in early 1994 (Internally used)! ❖ Data integrity protection! ❖ RC4 allowed adversary to make predictable changes to the plaint text! ❖ Vulnerable to replay attacks! ❖ SSL 2.0! ❖ End of 1994, also has several problems! ❖ Handshake protection - MITM undetected!! ❖ Vulnerable to length extension attacks
History of the Protocol ❖ SSL 3.0! ❖ fixed previous attacks! ❖ Netscape and Paul Kocher, 1996! ❖ Taher Elgamal - inventor of SSL! ❖ TLS 1.0! ❖ Internet standard based on SSL 3.0, 1999 ! ❖ RFC2246 (≈SSL3)
History of the Protocol ❖ TLS 1.1! ❖ 2006! ❖ RFC4346! ❖ TLS 1.2! ❖ 2008! ❖ RFC5246
Public-Key Encryption, CA & MITM ❖ “Symmetric” encryption! ❖ Share secret key! ❖ Hundred of peoples to communicate?! ❖ Distance Key Key Them You
Public-Key Encryption, CA & MITM ❖ Solution: public-key encryption! ❖ Share public key with whole world! ❖ No known practical way to gain the private key from pkey
Public-Key Encryption, CA & MITM ❖ Visiting first time “https”! ❖ Browser create a random private key A ! ❖ Generates corresponding public key A(blue)
Public-Key Encryption, CA & MITM ❖ Server generate a random private key A ! ❖ Session key established! ❖ Intruder (MITM) ?!
Public-Key Encryption, CA & MITM ❖ MITM stops the communication! ❖ MITM create his own private key (red B)! ❖ Server doesn’t know if is the browser
Public-Key Encryption, CA & MITM ❖ MITM has the same session key (red key)! ❖ How to solve? ! ❖ Server and Browser can send there public key and compare! ❖ what if MITM knows about that - he has the session key
Public-Key Encryption, CA & MITM ❖ Certificate Authority solves the problems! ❖ There is a single CA - Symantec (VeriSign)! ❖ FedEx - Federal Express - encryption key H! ❖ MITM has the public key CA! ❖ What browser and server can do?
Public-Key Encryption, CA & MITM ❖ Server encrypts public key A with certificate key H! ❖ Browser do the same using the built-in CA
Public-Key Encryption, CA & MITM ❖ CA compares the 2 public keys! ❖ CA sends reply to them! ❖ What if MITM appear?! ❖ the browser will not be able to decrypt (key random R)
Obtaining an SSL Certificate ❖ XYZ Inc., intends to secure their customer checkout process, account management, and internal employee correspondence on their website, xyz.com. ❖ Steps: 1. XYZ creates a Certificate Signing Request (CSR) and during this process, a private key is generated. 2. XYZ goes to a trusted, third party Certificate Authority, such as Trustwave . Trustwave takes the certificate signing request and validates XYZ in a two step process. Trustwave validates that XYZ has control of the domain xyz.com and that XYZ Inc. is an official organization listed in public government records. 3. When the validation process is complete, Trustwave gives XYZ a new public key (certificate) encrypted with Trustwave's private key. 4. XYZ installs the certificate on their webserver(s).
How Customers Communicate with the Server using SSL Steps: 1. A customer makes a connection to xyz.com on an SSL port, typically 443. This connection is denoted with https instead of http. 2. xyz.com sends back its public key to the customer. Once customer receives it, his/ her browser decides if it is alright to proceed. 3. The xyz.com public key must NOT be expired 4. The xyz.com public key must be for xyz.com only 5. The client must have the public key for Trustwave installed in their browser certificate store. 99.9% of all modern browsers (1998+) include the Trustwave root certificate. If the customer has Trustwave trusted public key, then they can trust that they are really communicating with XYZ, Inc.
How Customers Communicate with the Server using SSL ! 7.If the customer decides to trust the certificate, then the customer will be sent to xyz.com his/her public key. 8.xyz.com will next create a unique hash and encrypt it using both the customer's public key and xyz.com's private key, and send this back to the client. 9.Customer's browser will decrypt the hash. This process shows that the xyz.com sent the hash and only the customer is able to read it. 10.Customer and website can now securely exchange information!
Tools 1.! Security Protocol Analysis! ❖ Scyther ❖ Scyther-proof ❖ Tamarin prover 2.! Access Control! ❖ FPL 3.! Static Security Analysis! ❖ FAST 4.! Protocol Testing! ❖ SecFuzz 5.! Specification synthesis! ❖ Mid-point synthesis 6.! Monitoring! ❖ MonPoly 7! Isabelle/HOL frameworks! ❖ ProtoVeriPhy ❖ Developing Security Protocols by Refinement ❖ Verification of IBM 4765's Persistent Memory Manager 8. Avispa! 9. ProVerif
The Scyther Tool ❖ Tool for the formal analysis of security protocols ! ❖ it is assumed that all cryptographic functions are perfect: the adversary learns nothing from an encrypted message unless he knows the decryption key.! ❖ Description of a protocol in the spdl language ! ❖ based on the operational semantics! ❖ spdl (Security Protocol Description Language)
The Scyther Tool ❖ Analysis of infinite sets of traces in terms of patterns! ❖ Support for multi-protocol analysis! ❖ Assist in the analysis of classes of attacks and possible protocol behaviours, or to prove correctness for an unbounded number of protocol sessions.! ❖ Can optionally output the proof tree (by using the backend).! ❖ The tool provides useful results even in the case that no attack is found
The Scyther Tool ❖ ProVerif or the Avispa tools have shown to be effective at finding attacks on protocols (Avispa) or establishing correctness of protocols (ProVerif).! ❖ Scyther offer verification, falsification, and the analysis of security protocols.! ❖ Performance
Installation Scyther Tool ❖ Scyther can be downloaded from the following website:! ❖ http://users.ox.ac.uk/~coml0529/scyther/! ❖ Installation instruction are included in the downloadable Scyther archives. Scyther is available for the Windows, Linux and Mac OS platforms.
Scyther Input File ❖ A minimal input file:! ! protocol ExampleProtocol(I,R) {! role I { };! role R { };! };
Input Language ❖ Main purpose of the language is to describe protocols, which are defined by a set of roles.! ❖ Protocol definition takes as a parameter a sequence of roles, which are then defined within its body.! ❖ Roles - are sequences of events, i. e., declarations, send, receive, or claim events.! ❖ Security protocols rely on generating random values. Can be specified by declaring them inside a role definition using the fresh declaration.! ❖ role X(...) {! ❖ fresh Na: Nonce;! ❖ send_1(X,Y,Na);! ❖ }
Input Language ❖ To receive a nonce into a variable with name Na, we specify:! ❖ role Y(...) {! ❖ var Na: Nonce;! ❖ recv_1(X,Y,Na);! ❖ }! ❖ Local declaration! ❖ Two terms can combined into a term pair: we write (x,y)! ❖ Symmetric keys: { ni }kir! ❖ Asymmetric keys: { ni } pk(I)
Input Language ❖ Hash functions are essentially encryptions with a function, of which the inverse is not known by anybody:! ❖ global declaration: hashfunction H1! ❖ how are used: H1(ni);! ❖ Types: Agent, Function, Nonce, Ticket! ❖ You can define a new type: user type! ❖ Recv and Send events mark receiving and sending a message!
Input Language ❖ Claim events are used in role specifications to model intended security properties. For example, the following claim event models that Ni is meant to be secret! ❖ claim(I, Secret, Ni);! ❖ Claim types:! ❖ Secret! ❖ SKR, echivalent to Secret but additionally mark the parameter term as a session-key! ❖ Alive - Aliveness (of all roles) ! ❖ Weakagree - Weak agreement (of all roles)
Input Language ❖ Claim types:! ❖ Nisynch (Authentification Property, Non-injective Synchronisation)! ❖ Niagree (Authentification Property, Non-injective Agreement)! ❖ Reachable! ❖ when this claim is verified, Scyther will check whether this claim can be reached at all. It is true iff there exists a trace in which this claim occurs. This can be useful to check if there is no obvious error in the protocol specification, and is in fact inserted when the--check mode of Scyther is used.! ❖ Empty! ❖ this claim will not be verified, but simply ignored. It is only useful when Scyther is used!
– It’s time to see TLS on Scyther Tool
Simplified TLS key transport protocol ❖ Protocol 4.24 is a simplified version of one possible protocol which transports the 'pre- master secret', PMK, from the client A to the server B" ❖ Session key Kab is calculated as Kab = MACpmk(Na,Nb)" ❖ TLS protocol specifies that four different session keys must be derived from the pre-master secret: one for encryption and one for data integrity (MAC calculation) in each direction. !
Simplified TLS key transport protocol ❖ Message sequences Mess_Seq1, Mess_Seq2 and Mess_Seq3 consist of hashes of the sequence of all previous exchanged messages up to that point using a hash function H.! ❖ Mess_Seq1 = H(Na, Nb, Eb(PMK)).!
Bibliografie 1. Protocols for Authentication and Key Establishment - C.Boyd, A.Mathuria! 2. Operational Semantics of Security Protocols - Cas Cremers and Sjouke Mauw, Eindhoven University of Technology, Department of Mathematics and Computer Science! 3. How SSL works! 4. Security Tools! 5. Scyther Manual! 6. http://blogs.msdn.com/b/kaushal/archive/2013/08/03/ssl-handshake-and-https- bindings-on-iis.aspx! 7. http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/ Secure_Socket_Layer.html

Empfohlen

SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
Devang Badrakiya
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
Nishant Pahad
 
Ssl https
Ssl httpsSsl https
Ssl https
Andrada Boldis
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
Ghanshyam Patel
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
Asad Ali
 
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a BlockchainA Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
Altoros
 
What is TLS/SSL?
What is TLS/SSL? What is TLS/SSL?
What is TLS/SSL?
Shehzad Imran
 
Transport Layer Security
Transport Layer Security Transport Layer Security
Transport Layer Security
Ibrahiem Mohammed
 

Empfohlen

SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
Devang Badrakiya
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
Nishant Pahad
 
Ssl https
Ssl httpsSsl https
Ssl https
Andrada Boldis
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
Ghanshyam Patel
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
Asad Ali
 
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a BlockchainA Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
Altoros
 
What is TLS/SSL?
What is TLS/SSL? What is TLS/SSL?
What is TLS/SSL?
Shehzad Imran
 
Transport Layer Security
Transport Layer Security Transport Layer Security
Transport Layer Security
Ibrahiem Mohammed
 
Gestión de Certificados Digitales con OpenSSL
Gestión de Certificados Digitales con OpenSSLGestión de Certificados Digitales con OpenSSL
Gestión de Certificados Digitales con OpenSSL
Esteban Saavedra
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
Abdullaziz Tagawy
 
Http vs Https
Http vs HttpsHttp vs Https
Http vs Https
shikherwalia
 
SPAN, RSPAN and ERSPAN
SPAN, RSPAN and ERSPANSPAN, RSPAN and ERSPAN
SPAN, RSPAN and ERSPAN
NetProtocol Xpert
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
Pina Parmar
 
secure socket layer
secure socket layersecure socket layer
secure socket layer
Amar Shah
 
HTTPS
HTTPSHTTPS
HTTPS
maroti164
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private Network
Peter R. Egli
 
HTTPS
HTTPSHTTPS
HTTPS
R.K. University
 
Man in-the-middle attack(http)
Man in-the-middle attack(http)Man in-the-middle attack(http)
Man in-the-middle attack(http)
Togis UAB Ltd
 
SSL/TLS Handshake
SSL/TLS HandshakeSSL/TLS Handshake
SSL/TLS Handshake
Arpit Agarwal
 
Firewall
FirewallFirewall
Firewall
reddivarihareesh
 
Fortigate Training
Fortigate TrainingFortigate Training
Fortigate Training
NCS Computech Ltd.
 
Wireshark Basics
Wireshark BasicsWireshark Basics
Wireshark Basics
Yoram Orzach
 
Https
HttpsHttps
Https
Billa Kota Sriram
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
Dr Anjan Krishnamurthy
 
Encryption
Encryption Encryption
Encryption
Adnan Malak
 
Hyperledger fabric architecture
Hyperledger fabric architectureHyperledger fabric architecture
Hyperledger fabric architecture
Celine George
 
Digital certificates
Digital certificatesDigital certificates
Digital certificates
Buddhika Karunanayaka
 
ZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSIZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSI
SSIMeetup
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
Arash Ramez
 

Weitere ähnliche Inhalte

Was ist angesagt?

VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private Network
Peter R. Egli
 
Man in-the-middle attack(http)
Man in-the-middle attack(http)Man in-the-middle attack(http)
Man in-the-middle attack(http)
Togis UAB Ltd
 

Was ist angesagt? (20)

Gestión de Certificados Digitales con OpenSSL
Gestión de Certificados Digitales con OpenSSLGestión de Certificados Digitales con OpenSSL
Gestión de Certificados Digitales con OpenSSL
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
 
Http vs Https
Http vs HttpsHttp vs Https
Http vs Https
 
SPAN, RSPAN and ERSPAN
SPAN, RSPAN and ERSPANSPAN, RSPAN and ERSPAN
SPAN, RSPAN and ERSPAN
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
secure socket layer
secure socket layersecure socket layer
secure socket layer
 
HTTPS
HTTPSHTTPS
HTTPS
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private Network
 
HTTPS
HTTPSHTTPS
HTTPS
 
Man in-the-middle attack(http)
Man in-the-middle attack(http)Man in-the-middle attack(http)
Man in-the-middle attack(http)
 
SSL/TLS Handshake
SSL/TLS HandshakeSSL/TLS Handshake
SSL/TLS Handshake
 
Firewall
FirewallFirewall
Firewall
 
Fortigate Training
Fortigate TrainingFortigate Training
Fortigate Training
 
Wireshark Basics
Wireshark BasicsWireshark Basics
Wireshark Basics
 
Https
HttpsHttps
Https
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 
Encryption
Encryption Encryption
Encryption
 
Hyperledger fabric architecture
Hyperledger fabric architectureHyperledger fabric architecture
Hyperledger fabric architecture
 
Digital certificates
Digital certificatesDigital certificates
Digital certificates
 

Ähnlich wie SSl/TLS Analysis

Secure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet InfrastructureSecure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet Infrastructure
webhostingguy
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
HashiCorp
 
Network security-primer-9544
Network security-primer-9544Network security-primer-9544
Network security-primer-9544
Hfz Mushtaq
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
Toni de la Fuente
 
OpenOffice.org Digital Signatures, OOoCon 2004
OpenOffice.org Digital Signatures, OOoCon 2004OpenOffice.org Digital Signatures, OOoCon 2004
OpenOffice.org Digital Signatures, OOoCon 2004
Malte Timmermann
 

Ähnlich wie SSl/TLS Analysis (20)

ZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSIZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSI
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
 
Secure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet InfrastructureSecure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet Infrastructure
 
Secure 3 kany-vanda
Secure 3 kany-vandaSecure 3 kany-vanda
Secure 3 kany-vanda
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
 
Let's go HTTPS
Let's go HTTPSLet's go HTTPS
Let's go HTTPS
 
Microservices Security landscape
Microservices Security landscapeMicroservices Security landscape
Microservices Security landscape
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
 
Information Security Engineering
Information Security EngineeringInformation Security Engineering
Information Security Engineering
 
Network security-primer-9544
Network security-primer-9544Network security-primer-9544
Network security-primer-9544
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talk
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Firewall traversals
Firewall traversalsFirewall traversals
Firewall traversals
 
15 intro to ssl certificate & pki concept
15 intro to ssl certificate & pki concept15 intro to ssl certificate & pki concept
15 intro to ssl certificate & pki concept
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
OpenOffice.org Digital Signatures, OOoCon 2004
OpenOffice.org Digital Signatures, OOoCon 2004OpenOffice.org Digital Signatures, OOoCon 2004
OpenOffice.org Digital Signatures, OOoCon 2004
 

Kürzlich hochgeladen

"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
mphochane1998
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Kandungan 087776558899
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
MsecMca
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakes
MayuraD1
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
Epec Engineered Technologies
 

Kürzlich hochgeladen (20)

"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the start
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
 
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakes
 
Computer Lecture 01.pptxIntroduction to Computers
Computer Lecture 01.pptxIntroduction to ComputersComputer Lecture 01.pptxIntroduction to Computers
Computer Lecture 01.pptxIntroduction to Computers
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxCOST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
 
Bridge Jacking Design Sample Calculation.pptx
Bridge Jacking Design Sample Calculation.pptxBridge Jacking Design Sample Calculation.pptx
Bridge Jacking Design Sample Calculation.pptx
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdf
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptThermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdf
 
Rums floating Omkareshwar FSPV IM_16112021.pdf
Rums floating Omkareshwar FSPV IM_16112021.pdfRums floating Omkareshwar FSPV IM_16112021.pdf
Rums floating Omkareshwar FSPV IM_16112021.pdf
 
kiln thermal load.pptx kiln tgermal load
kiln thermal load.pptx kiln tgermal loadkiln thermal load.pptx kiln tgermal load
kiln thermal load.pptx kiln tgermal load
 

SSl/TLS Analysis

  • 1. 08 Mai 2014! Security Protocols: Modelling and Verification! Prof. Indrumator - Cătălin Bîrjoveanu " Duduman Bogdan Vlad! 1 TLS/SSL (Analysis) Text
  • 2. Overview 1. Introduction to the SSL / TLS protocol! • Widely deployed, “real-world” security protocol! • Well-understood, with detailed specifications! • Good benchmark for analysis techniques! 2. Protocol analysis! • //Starting with the RFC describing the protocol! 3. Tools
  • 3. What is TLS/SSL? ❖ Standard for Internet security! ❖ “The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications ”! ❖ In practice, used to protect information transmitted between browsers and Web servers! ❖ Based on Secure Sockets Layers protocol, ver 3.0! • Same protocol design, different algorithms! ❖ Deployed in nearly every web browser
  • 4. SSL / TLS in the Real World
  • 7. TLS (Transport Layer Security) ❖ Provides a layer between TCP and Application ! ❖ Itself a layered protocol: Handshake over Record ! ❖ Record (sub)protocol! ❖ provides a private and reliable connection! ❖ Handshake (sub)protocol! ❖ authenticates one or both parties, negotiates security parameters! ❖ establishes secret connection keys for the Record protocol
  • 9. History of the Protocol ❖ SSL 1.0! ❖ Netscape completed the design in early 1994 (Internally used)! ❖ Data integrity protection! ❖ RC4 allowed adversary to make predictable changes to the plaint text! ❖ Vulnerable to replay attacks! ❖ SSL 2.0! ❖ End of 1994, also has several problems! ❖ Handshake protection - MITM undetected!! ❖ Vulnerable to length extension attacks
  • 10. History of the Protocol ❖ SSL 3.0! ❖ fixed previous attacks! ❖ Netscape and Paul Kocher, 1996! ❖ Taher Elgamal - inventor of SSL! ❖ TLS 1.0! ❖ Internet standard based on SSL 3.0, 1999 ! ❖ RFC2246 (≈SSL3)
  • 11. History of the Protocol ❖ TLS 1.1! ❖ 2006! ❖ RFC4346! ❖ TLS 1.2! ❖ 2008! ❖ RFC5246
  • 12. Public-Key Encryption, CA & MITM ❖ “Symmetric” encryption! ❖ Share secret key! ❖ Hundred of peoples to communicate?! ❖ Distance Key Key Them You
  • 13. Public-Key Encryption, CA & MITM ❖ Solution: public-key encryption! ❖ Share public key with whole world! ❖ No known practical way to gain the private key from pkey
  • 14. Public-Key Encryption, CA & MITM ❖ Visiting first time “https”! ❖ Browser create a random private key A ! ❖ Generates corresponding public key A(blue)
  • 15. Public-Key Encryption, CA & MITM ❖ Server generate a random private key A ! ❖ Session key established! ❖ Intruder (MITM) ?!
  • 16. Public-Key Encryption, CA & MITM ❖ MITM stops the communication! ❖ MITM create his own private key (red B)! ❖ Server doesn’t know if is the browser
  • 17. Public-Key Encryption, CA & MITM ❖ MITM has the same session key (red key)! ❖ How to solve? ! ❖ Server and Browser can send there public key and compare! ❖ what if MITM knows about that - he has the session key
  • 18. Public-Key Encryption, CA & MITM ❖ Certificate Authority solves the problems! ❖ There is a single CA - Symantec (VeriSign)! ❖ FedEx - Federal Express - encryption key H! ❖ MITM has the public key CA! ❖ What browser and server can do?
  • 19. Public-Key Encryption, CA & MITM ❖ Server encrypts public key A with certificate key H! ❖ Browser do the same using the built-in CA
  • 20. Public-Key Encryption, CA & MITM ❖ CA compares the 2 public keys! ❖ CA sends reply to them! ❖ What if MITM appear?! ❖ the browser will not be able to decrypt (key random R)
  • 21. Obtaining an SSL Certificate ❖ XYZ Inc., intends to secure their customer checkout process, account management, and internal employee correspondence on their website, xyz.com. ❖ Steps: 1. XYZ creates a Certificate Signing Request (CSR) and during this process, a private key is generated. 2. XYZ goes to a trusted, third party Certificate Authority, such as Trustwave . Trustwave takes the certificate signing request and validates XYZ in a two step process. Trustwave validates that XYZ has control of the domain xyz.com and that XYZ Inc. is an official organization listed in public government records. 3. When the validation process is complete, Trustwave gives XYZ a new public key (certificate) encrypted with Trustwave's private key. 4. XYZ installs the certificate on their webserver(s).
  • 22. How Customers Communicate with the Server using SSL Steps: 1. A customer makes a connection to xyz.com on an SSL port, typically 443. This connection is denoted with https instead of http. 2. xyz.com sends back its public key to the customer. Once customer receives it, his/ her browser decides if it is alright to proceed. 3. The xyz.com public key must NOT be expired 4. The xyz.com public key must be for xyz.com only 5. The client must have the public key for Trustwave installed in their browser certificate store. 99.9% of all modern browsers (1998+) include the Trustwave root certificate. If the customer has Trustwave trusted public key, then they can trust that they are really communicating with XYZ, Inc.
  • 23. How Customers Communicate with the Server using SSL ! 7.If the customer decides to trust the certificate, then the customer will be sent to xyz.com his/her public key. 8.xyz.com will next create a unique hash and encrypt it using both the customer's public key and xyz.com's private key, and send this back to the client. 9.Customer's browser will decrypt the hash. This process shows that the xyz.com sent the hash and only the customer is able to read it. 10.Customer and website can now securely exchange information!
  • 24. Tools 1.! Security Protocol Analysis! ❖ Scyther ❖ Scyther-proof ❖ Tamarin prover 2.! Access Control! ❖ FPL 3.! Static Security Analysis! ❖ FAST 4.! Protocol Testing! ❖ SecFuzz 5.! Specification synthesis! ❖ Mid-point synthesis 6.! Monitoring! ❖ MonPoly 7! Isabelle/HOL frameworks! ❖ ProtoVeriPhy ❖ Developing Security Protocols by Refinement ❖ Verification of IBM 4765's Persistent Memory Manager 8. Avispa! 9. ProVerif
  • 25. The Scyther Tool ❖ Tool for the formal analysis of security protocols ! ❖ it is assumed that all cryptographic functions are perfect: the adversary learns nothing from an encrypted message unless he knows the decryption key.! ❖ Description of a protocol in the spdl language ! ❖ based on the operational semantics! ❖ spdl (Security Protocol Description Language)
  • 26. The Scyther Tool ❖ Analysis of infinite sets of traces in terms of patterns! ❖ Support for multi-protocol analysis! ❖ Assist in the analysis of classes of attacks and possible protocol behaviours, or to prove correctness for an unbounded number of protocol sessions.! ❖ Can optionally output the proof tree (by using the backend).! ❖ The tool provides useful results even in the case that no attack is found
  • 27. The Scyther Tool ❖ ProVerif or the Avispa tools have shown to be effective at finding attacks on protocols (Avispa) or establishing correctness of protocols (ProVerif).! ❖ Scyther offer verification, falsification, and the analysis of security protocols.! ❖ Performance
  • 28. Installation Scyther Tool ❖ Scyther can be downloaded from the following website:! ❖ http://users.ox.ac.uk/~coml0529/scyther/! ❖ Installation instruction are included in the downloadable Scyther archives. Scyther is available for the Windows, Linux and Mac OS platforms.
  • 29. Scyther Input File ❖ A minimal input file:! ! protocol ExampleProtocol(I,R) {! role I { };! role R { };! };
  • 30. Input Language ❖ Main purpose of the language is to describe protocols, which are defined by a set of roles.! ❖ Protocol definition takes as a parameter a sequence of roles, which are then defined within its body.! ❖ Roles - are sequences of events, i. e., declarations, send, receive, or claim events.! ❖ Security protocols rely on generating random values. Can be specified by declaring them inside a role definition using the fresh declaration.! ❖ role X(...) {! ❖ fresh Na: Nonce;! ❖ send_1(X,Y,Na);! ❖ }
  • 31. Input Language ❖ To receive a nonce into a variable with name Na, we specify:! ❖ role Y(...) {! ❖ var Na: Nonce;! ❖ recv_1(X,Y,Na);! ❖ }! ❖ Local declaration! ❖ Two terms can combined into a term pair: we write (x,y)! ❖ Symmetric keys: { ni }kir! ❖ Asymmetric keys: { ni } pk(I)
  • 32. Input Language ❖ Hash functions are essentially encryptions with a function, of which the inverse is not known by anybody:! ❖ global declaration: hashfunction H1! ❖ how are used: H1(ni);! ❖ Types: Agent, Function, Nonce, Ticket! ❖ You can define a new type: user type! ❖ Recv and Send events mark receiving and sending a message!
  • 33. Input Language ❖ Claim events are used in role specifications to model intended security properties. For example, the following claim event models that Ni is meant to be secret! ❖ claim(I, Secret, Ni);! ❖ Claim types:! ❖ Secret! ❖ SKR, echivalent to Secret but additionally mark the parameter term as a session-key! ❖ Alive - Aliveness (of all roles) ! ❖ Weakagree - Weak agreement (of all roles)
  • 34. Input Language ❖ Claim types:! ❖ Nisynch (Authentification Property, Non-injective Synchronisation)! ❖ Niagree (Authentification Property, Non-injective Agreement)! ❖ Reachable! ❖ when this claim is verified, Scyther will check whether this claim can be reached at all. It is true iff there exists a trace in which this claim occurs. This can be useful to check if there is no obvious error in the protocol specification, and is in fact inserted when the--check mode of Scyther is used.! ❖ Empty! ❖ this claim will not be verified, but simply ignored. It is only useful when Scyther is used!
  • 35. – It’s time to see TLS on Scyther Tool
  • 36. Simplified TLS key transport protocol ❖ Protocol 4.24 is a simplified version of one possible protocol which transports the 'pre- master secret', PMK, from the client A to the server B" ❖ Session key Kab is calculated as Kab = MACpmk(Na,Nb)" ❖ TLS protocol specifies that four different session keys must be derived from the pre-master secret: one for encryption and one for data integrity (MAC calculation) in each direction. !
  • 37. Simplified TLS key transport protocol ❖ Message sequences Mess_Seq1, Mess_Seq2 and Mess_Seq3 consist of hashes of the sequence of all previous exchanged messages up to that point using a hash function H.! ❖ Mess_Seq1 = H(Na, Nb, Eb(PMK)).!
  • 38. Bibliografie 1. Protocols for Authentication and Key Establishment - C.Boyd, A.Mathuria! 2. Operational Semantics of Security Protocols - Cas Cremers and Sjouke Mauw, Eindhoven University of Technology, Department of Mathematics and Computer Science! 3. How SSL works! 4. Security Tools! 5. Scyther Manual! 6. http://blogs.msdn.com/b/kaushal/archive/2013/08/03/ssl-handshake-and-https- bindings-on-iis.aspx! 7. http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/ Secure_Socket_Layer.html