SSL/TLS: ??????? - PowerPoint PPT Presentation

Slides: 13
Provided by: Win9167
Tags: ssl | tls

Transcript and Presenter's Notes

1
SSL/TLS ???????
Secure Sockets Layer (SSL) ???????? ??????????
??????? ????????????? ?????????????? Netscape.
?????? 2.0 ???? ???????????? ? 1994 ?. ??????
??-?? ???????????? ??????????? ? 1996 ?. ????
??????????? ??????????? SSLv3. ??? ?????? ????
????? ?? ?????? IETF ??? ?????????? ??????????
????????? Transport Layer Security (TLS)
???????? ???????????? ????????????? ??????. TLS
v.1.0 RFC 2246 1999 ?. TLS v.1.1 RFC 4346
2006 ?. ???????? ?????????? ??????????????
??????? (???????) ? ?????????? ???????? ??????
(?????????????? ?????????????, ??????? ?????? ???
????????, ???????? ??????????? ??????) ?? ??????
????????????????.
Rev. 1.00 / 26.11.2007
?????????????? ??????????????, ?. ?. ????????,
2007
??????? ??????????
2
SSL/TLS ? OSI RM
[Diagram: OSI/RM layers 7 to 1 (APPLICATION, PRESENTATION, SESSION, TRANSPORT, NETWORK, DATA LINK, PHYSICAL) shown beside the TCP/IP stack (APPLICATION, SSL/TLS, TCP, IP, Physical)]
3
SSL/TLS ?????? ????
  • ???????????? ??????????
  • ?????? ???????? ?????? ?????????, ????????? ?????
    ? ?????? ?????????????? ?????????? ClientHello
  • ?????? ???????? ????????? ?????? ?????????, ????
    ????????? ????? ? ????????? ?????????
    ServerHello

[Diagram labels: ClientHello, ServerHello, RNc, RNs]
4
SSL/TLS ?????? ????
  • ?????????????? ???????
  • ?????? ???????? ???? ?????????? (X.509 ???
    OpenPGP)
  • ?????? ????? ????????? ?????????? ???????, ?????
    ????????????????? ???
  • ?????? ????????? ?????????? ???????, ????????? PKI

[Diagram labels: Server's Certificate, Demand Client Certificate, RNc, RNs]
5
SSL/TLS ?????? ???? (???)
  • ?????????????? ??????? (???????????)
  • ?????? ????? ???????????? ???? ??????????, ?????
    ??????, ????????? PKI, ????????? ?????????????
    ??????? ??? ?????????????? ????????
    ??????????????
  • ???? ?????????????? ????????????? ?????.
    ServerHelloDone

[Diagram labels: Client's Certificate, ServerHelloDone, RNc, RNs]
6
SSL/TLS ?????? ????
  • ????????? ????? ??????
  • ?????? ?????????? Pre-Master-Secret ? ??????????
    ??? ??????? ? ????????? ClientKeyExchange
  • ?????? ? ?????? ?? ?????? RNc, RNs ? PMS
    ?????????? ???? ??? ????????????? ???????????????

[Diagram labels: ClientKeyExchange, PMS, Master-Secret, RNc, RNs]
7
SSL/TLS ????????? ????
  • ?????????? ????????????
  • ?????? ???????? ????????? ? ???????? ? ?????
    ?????????? ChangeCipherSpec ? ????????
    ????????????? ????????? ? ?????????? ????????????
    ? ????? ???? ?????????
  • ?????? ???????? ChangeCipherSpec ? ?????????????
    ????????? ? ?????????? ???????????? ? ????? ????
    ?????????

[Diagram labels: ChangeCipherSpec, Finished, Master-Secret]
8
SSL/TLS ?????????
  • ????????? ?????? ???????
  • RSA (Ron Rivest, Adi Shamir, Leonard Adleman
    MIT, 1977)
  • Diffie-Hellman (Whitfield Diffie, Martin Hellman
    / Ralph Merkle 1976)
  • DSA (Digital Signature Algorithm / David W.
    Kravitz 1991)
  • SRP (Secure Remote Password Protocol)
  • PSK (Pre-shared key)
  • ???????????? ???????????????
  • RC4™ (Ron Rivest/RSA Security 1987) ???
    ARCFOUR (1994)
  • 3DES (Triple Data Encryption Standard IBM,
    1973-74)
  • AES (Advanced Encryption Standard AKA Rijndael
    Joan Daemen and Vincent Rijmen 1997)
  • Camellia (European Union's NESSIE project,
    Japanese CRYPTREC project Mitsubishi NTT,
    2000)
  • IDEA™ (International Data Encryption Algorithm
    Xuejia Lai, James Massey / ETH Zurich, 1991)
  • ????????? ???????????
  • HMAC-MD5 (Message-Digest algorithm 5 Ron
    Rivest, 1991)
  • HMAC-SHA (Secure Hash Algorithm, 1993)

9
Public Key Infrastructure
  • ?????? ??????????? ???????? ??????? ????????
    ????????????, ?????? ?? ? ?????????????, ????????
    ??????????, ??????????? ??? ??????????? ????????
    ???????????? ????????????.
  • ????? ???????????? (Certification Authority)
    ???????? ???????? ??????????, ???????????
    ???????? ??????????? ??????????? ???????
    ???????????? ? ???????? ?????????????. ?????
    ???????????? ??? ?????????? ??????????? ?????????
    ???? ? ??????????, ?????????? ???????? ????
    ??????? ??????.
  • ???????????? ????????????? ????????? ?????
    ???????????? ????? ??????????-???????? ????????.
  • ????????? ?????? ?????????? ????????????.
  • ????? ???? ???? ????????????? ???????????? ?
    ??????? ?????????? ????????????.

10
?????????? X.509
  • ITU-T/CCITT X.509, RFC 3280
  • ?????????? ????????????? ? Distinguished Name
    (????????????? ???)
  • C=RU, ST=Karelia, L=Petrozavodsk, O=Petrozavodsk
    State University, OU=DIMS, CN=afs.dims.prv/emailAddress=root_at_mx.dims.prv
  • ????????? ???????????
  • ??????, ???????? ?????, ID ?????????, ????????,
    ???? ????????, ???????, ????????? ???? ????????,
    ID ????????? ??????? ???????????, ???????
    ???????????
  • ?????????? ????????-?????? ????????????
  • Verisign - http://www.verisign.com/
  • Thawte - http://www.thawte.com/
  • ??????? ???????????? SSL/TLS
  • ?????? ????????? ??? ??????????? ??????? ???
    ?????? ?????????? ????? ??????????? ??????
    ????????????.
  • ?????? ????????? ???? ???????? ???????????.
  • ?????? ?????????, ??? ???????? ??? ???????
    ????????? ? ?????? ? ???????????.

11
?????????? SSL/TLS
  • HTTPS
  • POP3S, IMAPS
  • ESMTP
  • stunnel
  • ? ??????????? ??????????? ???????? ?????????
    ?????????? ????? ??? ??????????? ???????????
    ?????????? SSL/TLS (????????, POP3S 995, IMAPS
    993), ??? ? ????????????? ???? ?? ????? ?
    ???????????? ???????????? ?? ??????????
    ?????????? ??????????? ??????? START TLS
    (????????, ESMTP)

12
???????? ??????????
OpenSSL http://www.openssl.org/ ???????? ???? Apache
GnuTLS http://www.gnu.org/software/gnutls/ ???????? GPL/LGPL