TLS_Report_Part1_Mai..

advertisement
Transport Layer security (TLS)
Project Plan
The proposed project plan for Transport Layer Security involves following tasks

Overview and Understanding of TLS protocol

Prototype using Open Source TLS libraries

Application level protocol operating over TLS

Suggested improvements for TLS
Page 1 of 10
Spring 2006
Transport Layer security (TLS)
1. Overview of TLS protocol
The TLS security protocol is layered between the application layer protocol and the
TCP/IP layer, where it can secure and send the application data to the transport layer.
The primary goal of TLS is to provide privacy, security and data integrity between two
communicating applications. It also provides a transparent and secure channel between
the client and the server.
Figure 1. SSL/TLS Protocol Layers [1]
The TLS protocol comprises of two layers. The first layer consists of the application
protocol and 3 handshake sub-protocols: Handshake protocol, the Change Cipher Spec
protocol and the Alert protocol. The second layer is the Record Layer.
In this project we will be giving the in depth analysis of TLS protocol and how the TLS
protocol works to provide a secured connection. The analysis will cover the detailed
explanation of the following:
Handshake Protocol: It is used to negotiate the session information between the client
and the server. The session information consists of the session ID, cipher suites that are to
be used, certificates if requested, compression algorithm and the shared secret keys used.
Page 2 of 10
Spring 2006
Transport Layer security (TLS)
Change Cipher Spec Protocol: Changes the key material used for the encryption
between the client and the server. The Keying material is the raw data used to generate
the keys that are used for encryption.
Alert Protocol: This protocol use messages to indicate the change in the status and
occurrence of error to the peer. There are various alert message used which we will be
explaining in detail.
Record Layer: The Record Layer fragments the data received from the application layer
to the size appropriate to the cryptographic algorithm, it then compresses (or
decompresses) the data and applies the Mac or HMAC and then encrypts (or decrypts)
the data using the information exchanged during the Handshake process. This encrypted
data is passed to the transport Layer.
2. Full TLS Handshake
Figure 2. Handshake Protocol Messages [1]
Page 3 of 10
Spring 2006
Transport Layer security (TLS)
To understand the complete message exchange in the handshake protocol we initially
configured the Opera Browser so that it supports TLS and then used network analyzer
tool Ethereal to captures the messages exchanged between the browser and server. The
following is the screenshot of the Opera browser configuration.
Initial Client Message to Server
Client Hello The client initiates a session by sending a Client Hello message to the
server. The Client Hello message contains:
• Version Number.
• Randomly Generated Data.
• Session Identification (if any).
Page 4 of 10
Spring 2006
Transport Layer security (TLS)
• Cipher Suite
• Compression Algorithm.
The following is a screenshot of a Client Hello message using Ethereal
Server Response to Client
Server Hello. The server responds with a Server Hello message. The Server Hello
message includes:
• Version Number
• Randomly Generated Data
• Session Identification (if any). This can be one of three choices.
• Cipher Suite (chosen)
Page 5 of 10
Spring 2006
Transport Layer security (TLS)
• Compression Algorithm
The following is a screenshot of a Server Hello message using Ethereal
Client Key Exchange screenshot
Page 6 of 10
Spring 2006
Transport Layer security (TLS)
Change Cipher Spec Message screenshot
3. TLS libraries
We tried to install and configure the following open source TLS libraries on Debian
based Linux machines and encountered several errors during installation. We tried to
implement sample client and server programs that use gnuTLS library but were unable to
debug the files which prompted errors on execution.
GnuTLS
GnuTLS is an ANSI C based library which implements the TLS 1.1 and SSL 3.0
protocols. It is accompanied with the required framework for authentication and public
key infrastructure. [4]
Some of the important features of the GnuTLS library include:

Support for TLS 1.0, TLS 1.1, and SSL 3.0 protocols.

Support for both X.509 and OpenPGP certificates.

Support for handling and verification of certificates.

Support for SRP for TLS authentication.
Page 7 of 10
Spring 2006
Transport Layer security (TLS)

Support for PSK for TLS authentication.

Support for TLS Extension mechanism.

Support for TLS Compression Methods.
GnuTLS consists of three independent parts, namely the “TLS protocol part”, the
“Certificate part”, and the “Crypto backend” part. The `TLS protocol part' is the actual
protocol implementation, and is entirely implemented within the GnuTLS library. The
`Certificate part' consists of the certificate parsing, and verification functions which is
partially implemented in the GnuTLS library. The Libtasn1, a library which offers ASN.1
parsing capabilities, is used for the X.509 certificate parsing functions, and Opencdk is
used for the OpenPGP key support in GnuTLS. The “Crypto backend” is provided by the
Libgcrypt library.
OpenSSL
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport
Layer Security (TLS v1) protocols
4. Applications running on TLS
We will be concentrating on HTTP on TLS and will evaluate the TLS handshake and
functionality using tool such as Ethereal, and also provide insights into the probable
limitations or difficulties that may arise and probable solutions to it.
The table below gives some of the mappings for protocols that are defined to run over
TLS:
Protocol
http
NNTP
LDAP
FTP-data
FTP-control
Telnet
IMAP
IRC
POP3
Normal Port
80
119
389
20
21
23
143
194
110
Encrypted Port
443
563
636
989
990
992
993
994
995
Page 8 of 10
Spring 2006
Transport Layer security (TLS)
SMTP
25
465 (revoked)
We will discuss in brief HTTP over TLS
Connection initiation:
 The client initiates a communication to the server on appropriate port and then
send TLS client HELLO to begin the handshake.
 The client initiates first HTTP request after completion of the handshake.
Connection closure:
 In TLS, exchange of closure alerts takes place before closing the connection.
 In handshake, the server sends close_notify followed by TCP FIN and the client
responds with its close_notify and a TCP FIN.
 A TLS implementation may close the connection without waiting for the peer to
send the closure alert provided it knows the HTTP message boundaries.
 When a connection is closed without valid close alert, we have to examine
whether this truncation occurred at the end of HTTP message boundaries or in
between.
(a) If the closure occurred in-between message boundaries then it is considered as
truncation attack
(b) If the closure occurred at the end of the message boundary then it may be
considered as programming error (which can be ignored)
 When HTTP/TLS is being run over a TCP/IP connection, the default port is 443.
End point authentication
 In most cases server’s expected hostname will be available from the URL or
similar sources.
 The client checks this hostname against the server’s identity as presented in the
server’s certificate messages, in order to prevent man in the middle attack
 If the host name does not match the identity in the certificate, user oriented clients
must either notify the user or terminate the connection with a bad certificate.
Client authentication
 The commonly used approach is for the server to negotiate an ordinary TLS
connection with all the clients and once the request has been received, the server
determines whether client authentication is required or not.
 If it is required, the server requests a re-handshake using HelloRequest(which
requests client authentication)
Upgrading to TLS within HTTP/1.1


This allows unsecured and secured HTTP traffic to share the same port (in this
case, http: at 80 rather than https: at 443).
In this we will be discussing about
Page 9 of 10
Spring 2006
Transport Layer security (TLS)
(a) Client requested upgrade to HTTP over TLS
(b) Server requested upgrade to HTTP over TLS
(c) Upgrade across proxies
 Hop-by hop headers negotiates upgrade between pair of HTTP counter
parties( for example user agent and proxy )
 To provide end to end authentication and to prevent man in the middle
attack, CONNECT method is used to establish tunnel across proxies
5. Suggested improvements for TLS
In case of TLS though it is a simple to understand protocol and considered as a
replacement for SSL v3, there is a definite room for its improvement. We have identified
that TLS protocol does possess some disadvantages which are listed as follows:
1. It is tightly-coupled with transport-layer protocol
2. All or nothing approach to security. This implies that the security mechanism is
unaware of message contents and as such you cannot selectively apply security to
portions of the message as you can with message-layer security.
3. TLS provides protection that is transient. The message is only protected while in
transit. Protection is removed automatically by the endpoint when it receives the
message.
4. It is not an end-to-end solution, but simply point-to-point.
We will concentrate on how we can either minimize or eliminate the disadvantages so as
to make TLS more secure.
References
[1] http://technet2.microsoft.com/WindowsServer/en/Library
[2] TLS v1.0 RFC http://www.ietf.org/rfc/rfc2246.txt
[3] HTTP over TLS RFC http://www.ietf.org/rfc/rfc2818.txt
[4] Open Source Library http://www.gnu.org/software/gnutls/
[5] SSL and TLS, Eric Rescorla, Addison-Wesley
Page 10 of 10
Spring 2006
Download