Transport Layer security (TLS) Project Plan The proposed project plan for Transport Layer Security involves following tasks Overview and Understanding of TLS protocol Prototype using Open Source TLS libraries Application level protocol operating over TLS Suggested improvements for TLS Page 1 of 10 Spring 2006 Transport Layer security (TLS) 1. Overview of TLS protocol The TLS security protocol is layered between the application layer protocol and the TCP/IP layer, where it can secure and send the application data to the transport layer. The primary goal of TLS is to provide privacy, security and data integrity between two communicating applications. It also provides a transparent and secure channel between the client and the server. Figure 1. SSL/TLS Protocol Layers [1] The TLS protocol comprises of two layers. The first layer consists of the application protocol and 3 handshake sub-protocols: Handshake protocol, the Change Cipher Spec protocol and the Alert protocol. The second layer is the Record Layer. In this project we will be giving the in depth analysis of TLS protocol and how the TLS protocol works to provide a secured connection. The analysis will cover the detailed explanation of the following: Handshake Protocol: It is used to negotiate the session information between the client and the server. The session information consists of the session ID, cipher suites that are to be used, certificates if requested, compression algorithm and the shared secret keys used. Page 2 of 10 Spring 2006 Transport Layer security (TLS) Change Cipher Spec Protocol: Changes the key material used for the encryption between the client and the server. The Keying material is the raw data used to generate the keys that are used for encryption. Alert Protocol: This protocol use messages to indicate the change in the status and occurrence of error to the peer. There are various alert message used which we will be explaining in detail. Record Layer: The Record Layer fragments the data received from the application layer to the size appropriate to the cryptographic algorithm, it then compresses (or decompresses) the data and applies the Mac or HMAC and then encrypts (or decrypts) the data using the information exchanged during the Handshake process. This encrypted data is passed to the transport Layer. 2. Full TLS Handshake Figure 2. Handshake Protocol Messages [1] Page 3 of 10 Spring 2006 Transport Layer security (TLS) To understand the complete message exchange in the handshake protocol we initially configured the Opera Browser so that it supports TLS and then used network analyzer tool Ethereal to captures the messages exchanged between the browser and server. The following is the screenshot of the Opera browser configuration. Initial Client Message to Server Client Hello The client initiates a session by sending a Client Hello message to the server. The Client Hello message contains: • Version Number. • Randomly Generated Data. • Session Identification (if any). Page 4 of 10 Spring 2006 Transport Layer security (TLS) • Cipher Suite • Compression Algorithm. The following is a screenshot of a Client Hello message using Ethereal Server Response to Client Server Hello. The server responds with a Server Hello message. The Server Hello message includes: • Version Number • Randomly Generated Data • Session Identification (if any). This can be one of three choices. • Cipher Suite (chosen) Page 5 of 10 Spring 2006 Transport Layer security (TLS) • Compression Algorithm The following is a screenshot of a Server Hello message using Ethereal Client Key Exchange screenshot Page 6 of 10 Spring 2006 Transport Layer security (TLS) Change Cipher Spec Message screenshot 3. TLS libraries We tried to install and configure the following open source TLS libraries on Debian based Linux machines and encountered several errors during installation. We tried to implement sample client and server programs that use gnuTLS library but were unable to debug the files which prompted errors on execution. GnuTLS GnuTLS is an ANSI C based library which implements the TLS 1.1 and SSL 3.0 protocols. It is accompanied with the required framework for authentication and public key infrastructure. [4] Some of the important features of the GnuTLS library include: Support for TLS 1.0, TLS 1.1, and SSL 3.0 protocols. Support for both X.509 and OpenPGP certificates. Support for handling and verification of certificates. Support for SRP for TLS authentication. Page 7 of 10 Spring 2006 Transport Layer security (TLS) Support for PSK for TLS authentication. Support for TLS Extension mechanism. Support for TLS Compression Methods. GnuTLS consists of three independent parts, namely the “TLS protocol part”, the “Certificate part”, and the “Crypto backend” part. The `TLS protocol part' is the actual protocol implementation, and is entirely implemented within the GnuTLS library. The `Certificate part' consists of the certificate parsing, and verification functions which is partially implemented in the GnuTLS library. The Libtasn1, a library which offers ASN.1 parsing capabilities, is used for the X.509 certificate parsing functions, and Opencdk is used for the OpenPGP key support in GnuTLS. The “Crypto backend” is provided by the Libgcrypt library. OpenSSL Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols 4. Applications running on TLS We will be concentrating on HTTP on TLS and will evaluate the TLS handshake and functionality using tool such as Ethereal, and also provide insights into the probable limitations or difficulties that may arise and probable solutions to it. The table below gives some of the mappings for protocols that are defined to run over TLS: Protocol http NNTP LDAP FTP-data FTP-control Telnet IMAP IRC POP3 Normal Port 80 119 389 20 21 23 143 194 110 Encrypted Port 443 563 636 989 990 992 993 994 995 Page 8 of 10 Spring 2006 Transport Layer security (TLS) SMTP 25 465 (revoked) We will discuss in brief HTTP over TLS Connection initiation: The client initiates a communication to the server on appropriate port and then send TLS client HELLO to begin the handshake. The client initiates first HTTP request after completion of the handshake. Connection closure: In TLS, exchange of closure alerts takes place before closing the connection. In handshake, the server sends close_notify followed by TCP FIN and the client responds with its close_notify and a TCP FIN. A TLS implementation may close the connection without waiting for the peer to send the closure alert provided it knows the HTTP message boundaries. When a connection is closed without valid close alert, we have to examine whether this truncation occurred at the end of HTTP message boundaries or in between. (a) If the closure occurred in-between message boundaries then it is considered as truncation attack (b) If the closure occurred at the end of the message boundary then it may be considered as programming error (which can be ignored) When HTTP/TLS is being run over a TCP/IP connection, the default port is 443. End point authentication In most cases server’s expected hostname will be available from the URL or similar sources. The client checks this hostname against the server’s identity as presented in the server’s certificate messages, in order to prevent man in the middle attack If the host name does not match the identity in the certificate, user oriented clients must either notify the user or terminate the connection with a bad certificate. Client authentication The commonly used approach is for the server to negotiate an ordinary TLS connection with all the clients and once the request has been received, the server determines whether client authentication is required or not. If it is required, the server requests a re-handshake using HelloRequest(which requests client authentication) Upgrading to TLS within HTTP/1.1 This allows unsecured and secured HTTP traffic to share the same port (in this case, http: at 80 rather than https: at 443). In this we will be discussing about Page 9 of 10 Spring 2006 Transport Layer security (TLS) (a) Client requested upgrade to HTTP over TLS (b) Server requested upgrade to HTTP over TLS (c) Upgrade across proxies Hop-by hop headers negotiates upgrade between pair of HTTP counter parties( for example user agent and proxy ) To provide end to end authentication and to prevent man in the middle attack, CONNECT method is used to establish tunnel across proxies 5. Suggested improvements for TLS In case of TLS though it is a simple to understand protocol and considered as a replacement for SSL v3, there is a definite room for its improvement. We have identified that TLS protocol does possess some disadvantages which are listed as follows: 1. It is tightly-coupled with transport-layer protocol 2. All or nothing approach to security. This implies that the security mechanism is unaware of message contents and as such you cannot selectively apply security to portions of the message as you can with message-layer security. 3. TLS provides protection that is transient. The message is only protected while in transit. Protection is removed automatically by the endpoint when it receives the message. 4. It is not an end-to-end solution, but simply point-to-point. We will concentrate on how we can either minimize or eliminate the disadvantages so as to make TLS more secure. References [1] http://technet2.microsoft.com/WindowsServer/en/Library [2] TLS v1.0 RFC http://www.ietf.org/rfc/rfc2246.txt [3] HTTP over TLS RFC http://www.ietf.org/rfc/rfc2818.txt [4] Open Source Library http://www.gnu.org/software/gnutls/ [5] SSL and TLS, Eric Rescorla, Addison-Wesley Page 10 of 10 Spring 2006