Introduction to SSL Protocol - PowerPoint PPT Presentation

Slides: 28
Provided by: Dunca46
Transcript and Presenter's Notes

1
Introduction to SSL Protocol
2
Introduction to SSL Protocol
  • Secure Socket Layer (SSL)
  • Developed by Netscape
  • A de facto standard for securing traffic of the WWW
  • Which layer?
  • Above TCP/IP
  • Below higher-level protocols such as HyperText Transport Protocol (HTTP)
  • Mainly for web server authentication and user data confidentiality
  • E.g. online shopping, banking, etc.
  • Current version: 3.0
  • Published in 1996 as an Internet-Draft by Netscape
  • It has never been renewed after the document expired.
  • In the same year, the TLS (Transport Layer Security) Working Group was established

3
Introduction to TLS Protocol
  • Mission of the TLS Working Group: standardize a transport layer security protocol with similar objectives to SSL.
  • TLS started with SSL v3.0
  • Three years later:
  • RFC2246, TLS Protocol Version 1.0
  • Essentially the same as SSL v3.0
  • RFC2817, Upgrading to TLS within HTTP/1.1
  • RFC2818, HTTP over TLS
  • Recently:
  • RFC3268, AES Ciphersuites for TLS
  • Currently supported ciphers:
  • RC2, RC4, IDEA, DES and Triple DES
  • All RFCs are available at http://www.ietf.org/rfc

4
What's SSL For?

[Figure: a Web Browser and a Web Server holding the key pair (PK, SK) communicate across the Internet over an SSL Secure Channel; the server's certificate is Cert = < ID_server, PK, Expiry, Sign_CA(...) >]

  • Server Authentication
  • An SSL-enabled server authenticates itself to a client
  • Client Authentication
  • A client authenticates itself to a server
  • Privacy
  • Two machines establish an encrypted connection; we call it a secure channel
  • Integrity and Authenticity
  • SSL uses the MAC (Message Authentication Code) technique to provide message integrity and authenticity checks

5
An Example
  • In applications such as online banking and Internet shopping, secure web servers and web browsers use SSL to provide server authentication and privacy.
  • Client authentication is optional and usually does not take place.
  • Why?
  • Hint: Think about what security issues we want to address here.

6
The Principle of the SSL Protocol
  • Two layers
  • Lower layer: the record protocol, which defines the data format for transmission
  • Upper layer: the handshake protocol, change cipher spec protocol and alert protocol
  • A session of SSL is established by running the Handshake Protocol between a web server and a web browser.

Just another illustration
7
Handshake Protocol
A typical setup procedure of the SSL session of secure web browsing (Abridged Version)
8
Notations
  • r_c, r_s: random numbers for preventing replay attacks
  • d, e, n: RSA private exponent, public exponent, modulus, respectively
  • a: a 46-byte random number for generating the session key K
  • h: a cryptographic hash function (e.g. MD5, SHA-1)
  • K: the session key
  • sessionID, sessionID′: if sessionID′ = sessionID, this implies that a previous session is resumed
  • (list-of-ciphers): list of ciphers and key sizes supported by the browser, e.g. (SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC2_CBC_40_MD5)
  • CERT: a sequence of X.509 digital certificates, ordered with the sender's certificate first, followed by any certificate authority (CA) certificates proceeding sequentially upward

9
Cryptographic Hash Functions and Message Authentication Codes

10
Outline
  • The Definition of Hash function
  • Birthday Attack
  • Security of Hash Function
  • MD5, SHA-1
  • Block Ciphers as Hash Functions
  • Applications of Hash Functions
  • Digital Signature
  • Message Authentication Code
  • HMAC
  • One-time password

11
Hash Functions
  • A hash function is denoted by
  • h: {0, 1}* → {0, 1}^n
  • where n is a security parameter, say 128, 160, 256 or 512.
  • In English:
  • A function which is applicable to data of any size.
  • It produces a fixed-length output, usually short.
  • 3 Types of Security Requirements
  • One-way: given an output z, it is difficult to find x such that z = h(x).
  • Weak collision-resistant: given x, it is difficult to find y ≠ x such that h(y) = h(x).
  • Strong collision-resistant: it is difficult to find any pair (x, y) such that h(x) = h(y).
  • Note: Strong collision-resistant ⇒ Weak collision-resistant ⇒ One-way
  • Let x be some message. h(x) is called the message digest.

12
Birthday Attack
  • Birthday Paradox
  • If there are 23 people in a room, the probability that at least two people have the same birthday is slightly more than 50%. If there are 30, the probability is around 70%.
  • This process is analogous to throwing k balls randomly into n bins and checking to see if some bin contains at least two balls.
  • For having more than half a chance of finding at least two balls in one bin,
  • k ≈ 1.17 n^(1/2)
  • E.g. n = 365 ⇒ k ≈ 23

13
Birthday Attack Against a Hash Function
  • Finding collisions of a hash function using the Birthday Paradox:
  • randomly choose k messages, x_1, x_2, ..., x_k
  • search for a pair of messages, say x_i and x_j, such that
  • h(x_i) = h(x_j).
  • If so, one collision is found.
  • This birthday attack imposes a lower bound on the size of message digests.
  • e.g. a 40-bit message digest would be very insecure, since a collision could be found with probability at least 1/2 after doing slightly over 2^20 (about a million) random hashes.

14
Size of a Message Digest / Hash Value
  • h: {0,1}* → {0,1}^n
  • If n = 64, the probability of finding one collision will be higher than half after slightly more than 2^32 random hashes have been tried.
  • If there exists a machine which can carry out 100,000 hashes per second, it takes 12 hours to find the first collision with probability higher than half.
  • Recommended message digest lengths (in bits): 128 (MD5), 160 (SHA-1), 256 (SHA-256) or 512 (SHA-512)
  • For those recommended lengths, because the number of possible hashes is so large, the odds of finding one by chance are negligibly small (one in 2^80 for SHA-1).
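The birthday attack of slides 12 to 14 carried out on a deliberately short digest, as an added example that is not part of the slides: a 32-bit hash is modelled by truncating SHA-256 (this example's assumption), messages are hashed until two of the k "balls" land in the same bin, and the trial count can be compared with the slide's estimate k ≈ 1.17·2^(n/2) ≈ 76,677.

```python
import hashlib
import math
from typing import Optional, Tuple


def truncated_digest(msg: bytes, n_bits: int) -> int:
    """Model h: {0,1}* -> {0,1}^n by keeping only the first n_bits of SHA-256
    (a stand-in for a short real digest; this is the example's assumption)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - n_bits)


def expected_trials(n_bits: int) -> float:
    """Slide estimate: k ~= 1.17 * sqrt(2^n) for a > 1/2 chance of a collision."""
    return 1.17 * math.sqrt(2.0 ** n_bits)


def birthday_collision(n_bits: int, max_trials: int) -> Optional[Tuple[bytes, bytes, int]]:
    """Hash distinct messages x_1, x_2, ... until two share a digest.
    Returns (x_i, x_j, trials) or None if max_trials is exhausted.
    Memory is the price: every digest seen so far is kept (the 'bins')."""
    seen = {}
    for k in range(max_trials):
        x = b"constructed message #%d" % k   # any distinct inputs would do
        z = truncated_digest(x, n_bits)
        if z in seen:
            return seen[z], x, k + 1
        seen[z] = x
    return None


if __name__ == "__main__":
    n = 32
    hit = birthday_collision(n, 1 << 20)
    if hit:
        xi, xj, k = hit
        print(f"n={n}: collision after {k} hashes (estimate {expected_trials(n):.0f})")
        print(xi, xj, hex(truncated_digest(xi, n)))
```

The full SHA-256 digests of the two colliding messages still differ; only the 32-bit truncation collides, which is exactly why the slide treats digest length as the security parameter.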

15
General Design of Hash Algorithms
  • Partition the input message into L-1 fixed-sized blocks of b bits each (e.g. b = 512 bits).
  • The remaining bits of the input are padded with the value of the length of the total input message.
  • It is then further padded until the final block is b bits long.

[Figure: message blocks M_1, M_2, ..., M_{L-1} of b bits each, followed by the final block M_L = pad || Len, also b bits]

  • The hash algorithm involves iterated use of a compression function, f.
  • It is initialized by an initial value IV (i.e. a magic number).
  • Note: Hash algorithms are usually designed heuristically.

[Figure: iterated construction; the n-bit IV and the b-bit block M_1 enter f, its n-bit output is chained with M_2 into f, and so on through M_L; the final n-bit output is the hash value]
16
Examples MD5 and SHA-1
  • MD5
  • MD = Message Digest, designed by Ron Rivest in 1992.
  • Available at http://www.ietf.org/rfc/rfc1321
  • Output length: 128 bits
  • A Birthday Attack can be launched using 2^64 trials.
  • SHA-1
  • Developed by NIST based on MD4, a precursor to MD5, in 1995
  • Available at http://www.itl.nist.gov/fipspubs/fip180-1.htm
  • Output length: 160 bits
  • More difficult to launch a birthday attack: needs 2^80 trials.
  • SHA-2 (SHA-256/384/512)
  • Based on SHA-1 with a longer hash value

17
Block Ciphers as Hash Functions
  • Can use block ciphers as hash functions
  • using H_0 = 0 and zero-pad for the final block
  • compute H_i = AES_{M_i}(H_{i-1})
  • and use the final block as the hash value
  • resulting hash is small (128-bit)

18
What are the applications of cryptographic hash
functions?
19
Digital Signature
  • Signature Generation Paradigm
  • Sign_SK(M) = E_SK( H(M) )
  • E.g. RSA-based Signature Scheme
  • Public key: (n, e)
  • Private key: (n, d)
  • Message: M
  • Signature generation: σ = H(M)^d mod n
  • Signature verification: H(M) =? σ^e mod n

20
Digital Signature
  • Advantages
  • Enhance security
  • Potential RSA signature forgery without hash:
  • σ1 = m1^d mod n and σ2 = m2^d mod n
  • ⇒ The signature of m1·m2 mod n is σ1·σ2 mod n.
  • With hash, the attack above does not work anymore.
  • Arbitrary message size
  • Use a hash function
  • H: {0, 1}* → Z_n
  • for the RSA signature scheme.
  • How to construct H from SHA-2?
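The two schemes of slides 19 and 20 side by side, as an added example that is not from the slides: a constructed toy RSA key (tiny primes, illustration only), textbook signing where the multiplicative property holds, and hash-then-sign where it no longer does. Reducing SHA-256 mod n is this example's simplification for "H: {0,1}* → Z_n"; deployed schemes such as PKCS#1 encode the digest instead of reducing it.

```python
import hashlib

# Constructed toy RSA key: deliberately tiny primes, for illustration only.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)


def H(msg: bytes) -> int:
    """Hash into Z_n: reduce SHA-256 mod n. This is the example's simplification;
    deployed schemes (e.g. PKCS#1) encode the digest instead of reducing it."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def textbook_sign(m: int) -> int:        # sigma = m^d mod n, no hash
    return pow(m, D, N)


def textbook_verify(m: int, sigma: int) -> bool:
    return pow(sigma, E, N) == m % N


def hashed_sign(msg: bytes) -> int:      # sigma = H(M)^d mod n, as on slide 19
    return pow(H(msg), D, N)


def hashed_verify(msg: bytes, sigma: int) -> bool:
    return pow(sigma, E, N) == H(msg)


def product_verifies_without_hash(m1: int, m2: int) -> bool:
    """Slide 20's observation: sigma1*sigma2 is a valid textbook signature of m1*m2 mod n."""
    sigma = (textbook_sign(m1) * textbook_sign(m2)) % N
    return textbook_verify((m1 * m2) % N, sigma)


def product_verifies_with_hash(msg1: bytes, msg2: bytes) -> bool:
    """With hash-then-sign the product is a signature of H(msg1)*H(msg2) mod n,
    which is not the digest of any message the signer saw, so verification fails."""
    sigma = (hashed_sign(msg1) * hashed_sign(msg2)) % N
    return hashed_verify(msg1 + msg2, sigma)
```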

21
Message Authentication
  • Data integrity: make sure what is sent is what is received.
  • Validating identity of sender: the claimed sender is the actual one.
  • Message authentication using digital signature
  • Method: Sender signs message using a private key
  • Disadvantage: digital signature is costly
  • Message Authentication Code (MAC)
  • Generated by an algorithm that creates a small fixed-sized block.

22
Message Authentication Code
  • MAC does not provide non-repudiation
  • Since both sender and receiver share the same key,
  • receiver could forge message
  • sender could deny message
  • Use digital signature for non-repudiation
  • MAC is a cryptographic checksum
  • A = C_K(M)
  • condenses a variable-length message M to a fixed-sized tag A
  • using a secret key K
  • Security: knowing a message and a tag, it is infeasible to find another message with the same tag value
  • Like a keyed hash function (a many-to-one function)
  • potentially many messages have the same MAC
  • but finding these is very difficult
  • Again, the authentication tag should be long enough (e.g. 256 bits)

23
Using Symmetric Ciphers for MACs
  • Can use any block cipher chaining mode and use the final block as a MAC
  • Data Authentication Algorithm (DAA)
  • a widely used MAC based on DES-CBC
  • using IV = 0 and zero-pad for the final block
  • encrypt message using DES in CBC mode
  • and send just the final block as the MAC

24
HMAC
  • Message Authentication Code: A = C_K(M)
  • M: message
  • A: authentication tag
  • for integrity and authenticity
  • HMAC: Keyed-hashing for Message Authentication
  • Used extensively in IPSec (IP Security)
  • IPSec is widely used for establishing Virtual Private Networks (VPNs)

[Figure: HMAC construction; K ⊕ ipad is prepended to M and hashed with H, then K ⊕ opad is prepended to that inner hash and hashed again]
HMAC_K(M) = H( (K ⊕ opad) || H( (K ⊕ ipad) || M ) )
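The HMAC formula on this slide built by hand from a plain hash, as an added example that is not from the slides, and cross-checked against Python's hmac module. The ipad/opad byte values and the handling of keys longer than one block follow RFC 2104; the hash name defaults to SHA-256 as this example's choice.

```python
import hashlib
import hmac

IPAD_BYTE, OPAD_BYTE = 0x36, 0x5C   # ipad/opad constants from RFC 2104


def hmac_from_formula(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = H( (K xor opad) || H( (K xor ipad) || M ) ), the formula on the slide."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size     # b = 64 bytes (512 bits) for SHA-1/SHA-256
    if len(key) > b:
        key = H(key)                          # RFC 2104: keys longer than a block are hashed first
    key = key.ljust(b, b"\x00")               # then zero-padded to exactly one block
    k_ipad = bytes(x ^ IPAD_BYTE for x in key)
    k_opad = bytes(x ^ OPAD_BYTE for x in key)
    return H(k_opad + H(k_ipad + msg))


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the hand-built tag against Python's hmac module."""
    return hmac.compare_digest(hmac_from_formula(key, msg, hash_name),
                               hmac.new(key, msg, hash_name).digest())


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute the tag and compare in constant time
    (integrity and authenticity, as the slide lists)."""
    return hmac.compare_digest(hmac_from_formula(key, msg, hash_name), tag)
```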
25
One-time Password
  • For user authentication (e.g. remote login)
  • Pick a seed x_0 (say 256-bit) to create a chain of hashed values
  • Initially, the remote host stores x_n and the user keeps x_0 secret.
  • For the i-th login, the user sends x_{n-i} to the remote host.
  • The system verifies if h(x_{n-i}) = x_{n-i+1}
  • Recursively, the system stores x_{n-i} and checks it against h(x_{n-i-1}) when the user sends x_{n-i-1} in the next login session.
  • Adversaries cannot find x_{n-1} even if they know x_n
  • New setup is needed after n log-ons
  • Legacy system: S/Key
  • Reference: http://www.ietf.org/rfc/rfc2289
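The hash-chain login of this slide with both sides written out, as an added example that is not from the slides: the user builds x_0 ... x_n, the host stores only x_n, and each login is checked with h(x_{n-i}) = x_{n-i+1}. SHA-256 and the constructed seed are this example's choices (S/Key itself used MD4/MD5), and the host also rejects replayed values and an exhausted chain.

```python
import hashlib
import secrets
from typing import List


def h(x: bytes) -> bytes:
    """Chain hash; SHA-256 is this example's choice (S/Key itself used MD4/MD5)."""
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> List[bytes]:
    """x_0 = seed, x_i = h(x_{i-1}); returns [x_0, ..., x_n]. Only the user holds this."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class RemoteHost:
    """Stores only the latest verified value (initially x_n) plus a login counter."""
    def __init__(self, x_n: bytes, n: int):
        self.stored = x_n
        self.remaining = n

    def login(self, candidate: bytes) -> bool:
        if self.remaining == 0:
            return False              # chain exhausted: a new setup is needed after n log-ons
        if not secrets.compare_digest(h(candidate), self.stored):
            return False              # h(x_{n-i}) must equal the stored x_{n-i+1}
        self.stored = candidate       # now stores x_{n-i}; an eavesdropper gains nothing reusable
        self.remaining -= 1
        return True


def run_logins(n: int = 5):
    seed = b"constructed seed; use secrets.token_bytes(32) for real"
    chain = make_chain(seed, n)
    host = RemoteHost(chain[n], n)
    first = [host.login(chain[n - i]) for i in range(1, 4)]      # logins 1..3 succeed
    replay = host.login(chain[n - 2])          # an already-used (eavesdropped) value fails
    known = host.login(host.stored)            # the value the host stores is useless too
    rest = [host.login(chain[n - i]) for i in range(4, n + 1)]   # logins 4..n
    exhausted = host.login(seed)               # chain used up
    return first, replay, known, rest, exhausted
```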

26
Security Updates of Hash Functions
  • MD5
  • In Aug 2004, Wang et al. showed that it is easy to find collisions in MD5. They found many collisions in a very short time (in minutes)
  • http://eprint.iacr.org/2004/199.pdf
  • SHA-1
  • In Feb 2005, Wang et al. showed that collisions can be found in SHA-1 with an estimated effort of 2^69 hash computations.
  • Less than the 2^80 hash computations of the birthday attack.
  • http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
  • Impacts
  • Hurts digital signatures
  • Does not affect HMAC, where collisions aren't important.
  • For applications that require the underlying hash function to be collision resistant, it's time to migrate away from SHA-1.
  • Start using the new standards SHA-256 and SHA-512.
  • http://csrc.nist.gov/CryptoToolkit/tkhash.html

27
Some Details about Finding Collisions in SHA-1
  • Q: How hard would it be to find collisions in SHA-1?
  • A: The reported attacks require an estimated work factor of 2^69 (approximately 590 billion billion) hash computations. While this is well beyond what is currently feasible using a normal computer, this is potentially feasible for attackers who have specialized hardware. For example, with 10,000 custom ASICs that can each perform 2 billion hash operations per second, the attack would take about one year. Computing improvements predicted by Moore's Law will make the attack more practical over time, e.g. making it possible for a wide-spread Internet virus to use compromised computers to mount such attacks as well. Once a collision has been found, additional collisions can be found trivially by concatenating data to the matching messages.

Borrowed from http://www.cryptography.com/cnews/hash.html