CS 465 Week 8
How do we derive the master secret and keys?
- Pre-master secret: Generate this. It's a random number that you make up. It is VERY hard to generate a random number properly.
- We exchange the master secret, for example using RSA and padding.
- We derive the master secret using the pre-master secret, the - ugh I didn't finish this slide
What are some of the things that protocols specify?
- Record formats
- On-the-wire signaling
- Connection setup/termination procedures
- Control flow
- Error conditions and responses
- Data encoding
- Compression
What are some lab hints that Dr. Clift gave us?
- SSLLabs (Qualys) will give us lots of certificate information:
- What certification paths you'll get on different platforms.
- What TLS protocol versions it supports.
- What known attacks you should be worried about.
- What key exchanges it supports (I think).
- Recommended book: Bulletproof SSL and TLS by Ivan Ristic, who wrote SSL Labs.
- The command recommended in the project (s_client) is good to use.
- The document can tell you how to connect to POP, etc. servers for the extra credit.
- Prof. Clift likes testssl.sh, but it basically does the same thing as SSLLabs.
- Gather some information about a bunch of websites. Try to figure out that basic information, which means you might have to google a cipher and understand it to get the in-depth information (such as, say, key size). So it won't all automatically be there.
- You will need testssl OR openssl s_client to do the extra credit (an IMAP server, for example, like imap.gmail.com). It has to be a well-written report, not just a table and three sentences. It needs an introduction, explanation, conclusion, and so forth, in addition to the table. Show that you researched these things and teach Prof. Clift something he doesn't know.
What should we learn from the TLS unit?
- The history of why we got where we're at with TLS.
- TLS handshake
- How authentication works with RSA and DHE
- How certificate ownership proofs work -- how both can verify the other side
- What cryptographic primitives are used and why
- Session resumption: how to reconnect with TLS
- Limitations of TLS
- Forward secrecy
You should do your message authentication codes...
...last.
5G is basically...
...vaporware. It doesn't really do anything.
If you claim to be TLS 1.3 compliant... Also, what were some updates made to it?
...you can't support the weaker cipher suites that have been deprecated. Only AEAD (Authenticated Encryption with Additional Data) cipher modes are allowed. No RSA key exchange, and only a fixed set of DH parameters.
- No CBC modes
- No compression; completely omitted
- No Unix time used for randomness
- Only 5 cipher suites, technically. You have cipher, key exchange, and signature all as separate negotiations.
- TLS 1.3 changed how cipher suites work.
- MAC over the entire handshake
- Fixed RSA padding, so you have to use RSA-PSS instead of PKCS#1 v1.5 (the latter has some sketchy edge cases).
- Improvements against cross-protocol attacks (such as the DROWN attack)
How do we use DHE with SSL/TLS?
1) Client Hello
2) Server Hello, with an actual session ID
3) Server Certificate: a chain of X.509 certs
4) Then, the Server Key Exchange. "This is the cipher suite that I'm going to pick." The server sends some DH parameters -- the exponent, the modulus, and a copy of its own public key -- and signs them with its own RSA key.
5) Server Hello Done
6) Client Key Exchange: the client sends back its own public parameter
7) Client Change Cipher Spec
8) Client Finished
9) Server Change Cipher Spec
10) Server -> Client Finished
What is a cipher suite?
A set of crypto algorithms used together to provide the benefits we want to get from TLS. Usually includes:
- Key exchange algorithms
- Bulk encryption algorithms
- MAC algorithms
There are over 300 combinations of algorithms available to use.
What did early SSL use for key exchange? How did this key exchange work?
A simple RSA key exchange method. This is how it worked:
- Client Hello. The session ID means that there is no active connection.
- Server Hello: includes a list of cipher suites and a session ID that is nonzero.
- Server Certificate: a chain of X.509 certs. "Here are the guys above me that I trust in the certificate chain."
- Server Hello Done.
- Then, the client verifies the certificate chain.
- Then, the Client Key Exchange starts. The client makes a pre-master secret (RSA encryption). A secret key stored on the server is what they both use to generate the master keys (which will be used for communication). If it's ever exposed, you could probably figure out everything. (Double-verify)
- Change Cipher Spec. Everything after this is encrypted.
- Then it sends a Finished message: encrypted, plus an HMAC.
What keeps all of this secret? A secret key stored on the server.
What does DH-RSA-AES256-GCM-SHA384 signify?
- DH for key exchange
- RSA for another step
- AES-256
- For a MAC it uses SHA-384.
What was significant about 2015 in terms of TLS?
Most websites were still actually HTTP, not HTTPS.
How does deep packet inspection work?
The deep packet inspection box gets the information and archives all of the conversations using some new encryption. Thus, you can go back and pull out every single mail that went between you and your client.
What's the difference between DH, DHE (ephemeral), and ECDHE?
Ephemeral = you don't need to keep any of the key material. ECDHE = Elliptic Curve Diffie-Hellman. Instead of using modexp, they use rotations around an elliptic curve as a reversible operation.
How does TLS fit into the network stack?
The HTTP request goes through TLS and then gets sent via a TCP segment. TLS sits between the application and transport layers.
How do you get more points on the project 2?
If you improve your paper, you can get up to 5 more points. Before the end of next week.
How will the next extra credit work?
It's more of an internet research thing. He will talk about it in class.
How does the SSL record protocol operate?
Let's say you have a connection set up already, and you have some application data.
- Break it up into small fragments.
- Optionally compress them. (But this leaks data -- it should be done earlier -- and in practice generally nobody does it.)
- Then generate a MAC and take the whole BLOB of stuff -- the compressed or uncompressed data plus the message authentication code -- and encrypt it. This is what gets sent over the wire.
- On the other end, they get a BLOB of data. They decrypt it, then they calculate the MAC (we're basically doing that diagram backwards) and verify it.
- TLS is designed to be a drop-in replacement for socket programming.
What should you NOT do when submitting labs?
Make archives that unpack into the current directory.
What is the main benefit of using DHE with TLS?
The math is generally a bit less computationally intensive than RSA. If you don't reuse the DH key, and the server forgets it after each step, this wipes everything and makes it way more secure: FORWARD SECRECY. You can't go back in time to decrypt previous stuff.
Should you ever be in support of encryptions with backdoors?
NO!
Can you treat TLS as a black box?
NO.
Does nonrepudiation work with HMAC? Why or why not?
No. At least two people have the key for it, so at least two people can generate the key. So you can't guarantee that it was only one person, because another person on the other end may have it!
What should you use RC4-MD5 for?
Nothing. ABSOLUTELY NOTHING.
Using the crypto tools that you have, how are you going to get privacy, authentication, and data integrity? Which crypto pieces would you use? You have:
- Symmetric ciphers
- Hashes
- MACs
- Key exchange algorithms
- Public key encryption
- Certificates and PKI (Public Key Infrastructure)
- Privacy: symmetric encryption, RSA/DHE for passing keys
- Authentication: RSA/PKI
- Data integrity: MAC, RSA/DHE for passing keys
- Provide a familiar programming interface: socket programming interface
- Extensibility: options built into the protocol
Describe the STRIDE model, and which parts are covered by the TLS protocol.
- S = Spoofing identity: protected against
- T = Tampering and MITM: protected. Ensuring that the data is hidden and can't be messed with.
- R = Repudiation: MAYBE protected
- I = Information disclosure: YES
- D = Denial of service: no
- E = Elevation of privileges: no
What's the difference between SSL and TLS?
SSL has been renamed to TLS. Never mind the naming of OpenSSL. :P
What's in an individual SSL record?
Secret, MAC, header, data. (Double check based on slides)
Why is TLS broken?
So many attacks can be executed on it. It can be extended, for example.
Which message is the first one that is encrypted using the master secret?
The finished message
Name one of the main goals of TLS 1.3. Why was this goal created?
To move to only AEAD (Authenticated Encryption with Additional Data) modes. We always want to use the highest level of a crypto interface that you can, which was the principle behind this goal.
What changed when we got SSL 1.2? (I think)
We started getting more picky about which cipher suites we would add.
Explain the history of TLS.
We used to have protocols with no security at all. Examples include telnet and FTP. This was pretty terrible. RSH (Remote Shell) and Telnet were replaced by SSH. A "secure network" used to mean establishing a tunnel that you could use these unsafe protocols over. This works well for connecting two offices or buildings together, but it is not good for "any-to-any" connections, such as accessing TCOD or some other server in another country. So we needed a way to do any-to-any safely. Some people came up with Secure Network Programming, the first prototype of SSL: wrapping the secure stuff inside of the insecure stuff without changing the programming interface, to make things much easier. Netscape decided to make their own web browser, which was secure, so they made SSLv1. This was never actually released, but SSLv2 was released in 1994 in Netscape, and in 1995 for Microsoft. SSLv3 came in 1995, and in 1997 they made TLS 1.0. Early HTTP drove the implementation of SSL.
Exam tip for Thursday?
We will look at TLS handshake diagrams today. Be able to follow them and explain them for the exam.
Explain why secure email is so hard to make from scratch.
Writing an email client yourself is nigh impossible. Doing so securely is even harder. Consider that it's taken 25 years to get to this point, and the attacks keep progressing along with your crypto.