SSL/TLS

Name some algorithms for keys exchange.

Multiple methods: 1. RSA (Comodo, goDaddy): uses certificates signed by trusted third parties. 2. Diffie-Hellman Ephemeral: DHE_RSA 3. ECDHE : Elliptic Curve Diffie-Hellman Ephemeral

server_write_key, client_write_key

anything sent is encrypted with this key. the other machine uses the same key to decrypt the data.

TLS Record Protocol

frame for application data. Max len is 16KB, each record contains 5byte heade, MAC (up to 20-32 bytes) and possible padding block. MAC is added. Data may be compressed and must be encrypted.

What does TLS 1.3 bring ?

it removes static RSA key exchange. TLS v1.3 will bring major improvements to handshakes. They will be more private by default as all information not needed to set up a secure channel will be encrypted as early as possible. Clients will need only a single round-trip to establish secure and authenticated connections to servers they never spoke to before. Static RSA mode will no longer be available, forward secrecy will be the default. The two session resumption standards, session identifiers and session tickets, are merged into a single PSK mode which will allow streamlining implementations.

certificate revocation list

mechanism to check, if the certificate has beeen invalidated. Downloaded list contains serial numbers of invalidated certificates.

What for is asymmetric key cryptography ?

It allows the peers to negotiate a shared secret key without having to establish any prior knowledge of each other, and to do so over an unencrypted channel.

How many more roundtrips is required for TLS ?

2 for full handshake. abbreviated handshake requires 1 more.

Problems of SSL 2.0

- it used MD5 - it used same identical keys for both message authentication and encryption - cipher downgrade attack ( involves hashes of all previous messages) - virtual hosting not possible

What are the most important things that client and server need to agree on ?

- key exchange protocol - cipher - length of the symmetric key - message authentication protocol

what is SSL/TSL port ?

443

EV certs vs. DV certs ?

...

How many symmetric keys are used in bulk encryption ?

6

Describe: SSL/TLS RSA Key exchange

1. ClientHello: random value + supported things (hash methods, ciphers...) 2. Server records client's random number. ServerHello: random nunber + Servers decides ciphers methods(RSA for key exch., SHA for hash, AES for bulk encryption) 3. Server sends Server Certificate: - info about the server - set of signatures coming from trusted authoritties - server public key 4. Client verifies signature with CA, extracts public key 5. Server sends ServerHelloDone (useless message) 6. Client generates PMS (random values), encrypts it by server public key (ePMS) and sends 7. Server decrypts ePMS and gets PMS, from which symmetric key can be computed The exchanged messages: 1. RTT: ClientHello --> <-- ServerHello, Certificate, ServerHelloDone 2. RTT: ClientKeyExchange ChangeCipherSuite Finished ChangeCipherSpec, Finished

What are the phases ?

1. Key exchange: During handshake, assymetric crypto is sued to exchange symmetric keys. 2. Bulk encryption: symmetric keys are used to perform encryption.

ClientHello message

1. highest version of TLS/SSL protocol 2. 32byte random number 3. session ID (can be reused) 4. list of supported ciphers (Triple, DES, AES), compression methods, MACs

what guarantees TLS ?

1. server and client authentication: it allows the client to verify that the server is who it claims to be (e.g., your bank) and not someone simply pretending to be the destination by spoofing its name or IP address. the server can also optionally verify the identity of the client—e.g., a company proxy server can authenticate all employees, each of whom could have his own unique certificate signed by the company. 2. encryption 3. data integrity ... compression (disabled: CRIME attack)

What is TLS ciphersuite ?

A ciphersuite is the triplet of symmetric encryption, public-key cryptography and HMAC algorithms used for SSL. Triplets must be specified because not all symmetric encryption, public-key cryptography and HMAC algorithms work with each other. Typically clients and servers will support many different ciphersuites but the one actually used will be the highest preferred by the server that is supported by both the client and server.

Describe TLS 1.2 Diffie-Hellman handshake.

A full handshake using (Elliptic Curve) Diffie-Hellman to exchange ephemeral keys is very similar to the flow of static RSA. The main difference is that after sending the certificate the server will also send a ServerKeyExchange message. This message contains either the parameters of a DH group or of an elliptic curve, paired with an ephemeral public key computed by the server. The client too computes an ephemeral public key compatible with the given parameters and sends it to the server. Knowing their private keys and the other party's public key both sides should now share the same premaster secret and can derive a shared master secret. Messages: 1. RTT: ClientHello --> ServerHello,Cert, ServerKeyExchange,ServerHelloDone 2.RTT: ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished It offers forward secrecy.

Name some encryption algorithms.

AES, RC4, DEC (Data encryption standard).

What is ASN.1 and X509 ?

ASN is Abstract Syntax Notation. The format of certificates is defined using ASN.1. The format SSL/TLS uses for certificates is defined by the International Telecommunications Union (ITU) and is called X.509v3.

what is CRL ?

Certificate Revocation List.

What for is serial number of cert used ? Is it globally unique ?

Every CA provides a unique serial number for each certificate. The serial number is not globally unique though. Different CAs may use the same serial number for different certificates. This serial number is used to determine whether a certificate from a specific CA has been revoked.

How is the bulk encryption started ?

Client sends to server: 1. ChangeCipherSpec: I beginning use this encryption 2. Finsh message: hash of prior messages Server sends messages 1. and 2. as well.

What messages are used in key exchange process ?

ClientHello ServerHello ServerHelloDone ClientKeyExchange ChangeCipherSpec ChangeCipherSpec Finished

DHE_RSA

Difffie-Hellman plus RSA.

Describe some popular certificate extensions.

Extensions are only available for X.509v3 certificates. Most of the standard extensions are in RFC 5280, section 4.2. Any two parties however can agree on arbitrary extensions. One of the most important extensions is the Subject Alternative Name. The Subject Alternative Name explicitly lists all of the domain names, or alt-names, for which the certificate is valid and obviates the need for listing the domain name as a common name in the subject section of the certificate. This extension is used for SAN Certificates. E-mail addresses, IP addresses, directory names, etc can also be specified.

What is the perfect Forward secrecy ?

If private key is ever stolen, prior communication can not be detected. It means using Diffie-Hellman instead of RSA in key exchange step. in that case, cipher key is never put on wire. A third-party observing the interchange gets no knowledge. That is exactly the protection we want in our SSL connections from long-term archiving. Long-term archiving and subsequent revelation of the server's private key doesn't give anybody any help in cracking

What does abbreviated handshake bring us ?

It allows us to remove a full roundtrip, as well as the overhead of public key cryptography, which is used to negotiate the shared secret key. This allows a secure connection to be established quickly and with no loss of security, since we are reusing the previously negotiated session data. In practice, most web applications attempt to establish multiple connections to the same host to fetch resources in parallel, which makes session resumption a must-have optimization to reduce latency and computational costs for both sides. Most modern browsers intentionally wait for the first TLS connection to complete before opening new connections to the same server: subsequent TLS connections can reuse the SSL session parameters to avoid the costly handshake.

What are disadvantages of RSA key exchanges ?

It does not offer forward secrecy. If a passive adversary records all traffic to a server then every recorded TLS session can be broken later by obtaining the certificate's private key. 2-RTTs are required.

How does TLS provide data integrity ?

It signs each message with a MAC code.The MAC algorithm is a one-way cryptographic hash function (ef‐ fectively a checksum), the keys to which are negotiated by both connection peers. Whenever a TLS record is sent, a MAC value is generated and appended for that message, and the receiver is then able to compute and verify the sent MAC value to ensure message integrity and authenticity.

How is the outoging data encrypted ?

It takes: data, Sequence number, MAC key and produces MAC. that is encrypted by sym. cipher. (AES, by client_write_key). It takes BOTH: clear text messages and the MAC and encrypts that.

How TLS guarantees integrity of the messages ?

Message digest (hash) is computed. the hash is usually significantly smaller than the original message. Unfortunately the hash by itself isn't quite enough to assure that the message can't be derived from the message digest. Since the hash will produce the same output for the same input some outputs can be pre-computed from well-defined inputs (e.g. credit card numbers). In order to avoid such predictable outputs a shared secret must be added to the input before it is hashed. The hash of the secret and the message is called a Hash Message Authentication Code (HMAC). After the receiver decrypts the message with the private key and runs it through the HMAC he or she compares the result to the HMAC result signed by the sender's private key. If they match, then the message is authentic. This authentication is done for every SSL record (~16k - 20k of data depending on the algorithm).

How expensive is TLS handshake in terms of RTT ?

New TLS connections require two roundtrips for a "full handshake." Alternatively, an "abbreviated handshake" can be used, which re‐ quires one roundtrip. This delay is a function of the implementation of TLS, and not due to functional requirements of security.

How does TLS 1.3 achieve 0-RTT handshake ?

On a previous connection, after the handshake completes, the server would send a ServerConfiguration message that the client can use for 0-RTT handshakes on subsequent connections. The configuration includes a configuration identifier, the server's semi-static (EC)DH parameters, an expiration date, and other details. With the very first TLS record the client sends its ClientHello and, changing the order of messages, directly appends application data (e.g. GET / HTTP/1.1). Everything after the ClientHello will be encrypted with the static secret, derived from the client's ephemeral KeyShare and the semi-static DH parameters given in the server's configuration. The server, if able and willing to decrypt, responds with its default set of messages and immediately appends the contents of the requested resource. That's the same round-trip time as for an unencrypted HTTP request. All communication following the ServerHello will again be encrypted with the ephemeral secret, derived from the client's and server's ephemeral key shares. After exchanging Finished messages the server will be re-authenticated, and traffic encrypted with keys derived from the master secret.

OCSP

Online Certificate Status Protocol: mechanism to provide real-time check for status of the certificate. Allows to query directly serial number of certificate in a real-time.

OCSP ?

Online checking if certificate is valid

What is RSA proxy ?

Proxy, that allows termination of SSL connection, without holding the private key. It can decrypt ePMS into PMS.

Describe pros and cons of DHE to RSA key exchange.

RSA: the original, oldest, trusted, we know how this works, everybody supports it, key exchange method. DHE: Diffie-Hellman Ephemeral. Diffie-Hellman is about three times slower in terms of computational burden to establish a key pair between the endpoints. There's forward secrecy with DHE.

Name some popular MAC algorithms.

SHA, MD5.

Difference between TLS and SSL ?

SSL came first. TLS has completely replaced it. The latest version is TLS 1.2. SSL 1.0: Netscape, broken, never saw a light of day. SSL 2.0: first public version of SSL, it used MD5. SSL 2.0 was the first publicly released version of the protocol, but it was quickly replaced by SSL 3.0 due to a number of discovered security flaws. Because the SSL protocol was proprietary to Netscape, the IETF formed an effort to standardize the protocol, resulting in RFC 2246, which became known as TLS 1.0 and is effectively an upgrade to SSL 3.0: The differences between this protocol and SSL 3.0 are not dramatic, but they are significant to preclude interoperability between TLS 1.0 and SSL 3.0. Since the publication of TLS 1.0 in January 1999, two new versions have been produced by the IETF working group to address found security flaws, as well as to extend the capabilities of the protocol: TLS 1.1 in April 2006 and TLS 1.2 in August 2008. Internally the SSL 3.0 implementation, as well as all subsequent TLS versions, are very similar, and many clients continue to support SSL 3.0 and TLS 1.0 to this day, although there are very good reasons to upgrade to newer versions to protect users from known attacks!

Describe versions of SSL and TLS.

SSLv2 , SSLv3 are old, Akamai turned them off by default. TLS 1.0, 1.1, 1.2 are supported. TLS 1.3 is being prepared.

What is SSL cipher downgrade attack ?

SSLv2 did not verify hashes of all previous messages, attacker could modify client's messages and pretend, that the client does not support any ciphers.

what is SNI ?

Server Name Indication. Allows the client to indicate the hostname the client is attermpting to connect to. Many older clients do not rupport it.

ServerHello message

Server chooses ciphers, compressions, generates 32-byte random number. Returns NULL session ID (no resumpton), new session ID or the same client ID. Server sends its certificate.

Describe types of abbreviated handshake via Session ID.

Session IDs, assigned by the server, are unique identifiers under which both parties store the master secret and other details of the connection they established. The client may include this ID in the ClientHello message of the next handshake to short-circuit the negotiation and reuse previous connection parameters. If the server is willing and able to resume the session it responds with a ServerHello message including the Session ID given by the client. If the server is willing and able to resume the session it responds with a ServerHello message including the Session ID given by the client. This handshake is effectively 1-RTT as the client can send application data immediately after the Finished message. Sites with lots of visitors will have to manage and secure big session caches, or risk pushing out saved sessions too quickly. A setup involving multiple load-balanced servers will need to securely synchronize session caches across machines. The forward secrecy of a connection is bounded by how long session information is retained on servers. 1.RTT: ClientHello (inc sessionID) ----> ServerHello (inc. sessionID) ChangeCipherSpec Finished ChangeCipherSpec Finished

Describe abbreviated handshake via Session tickets.

Session tickets, created by the server and stored by the client, are blobs containing all necessary information about a connection, encrypted by a key only known to the server. If the client presents this tickets with the ClientHello message, and proves that it knows the master secret stored in the ticket, the session will be resumed. A server willing and able to decrypt the given ticket responds with a ServerHello message including an empty SessionTicket extension, otherwise the extension would be omitted completely. As with session IDs, the client will start sending application data immediately after the Finished message to achieve 1-RTT.

What is session resumption ?

Since SSLv2 clients have been able to use session identifiers as a way to resume previously established TLS/SSL sessions. Session resumption is important because a full handshake can take time: it has a high latency as it needs two round-trips and might involve expensive computation to exchange keys, or sign and verify certificates.

Why symmetric and asymmetric encryption is not enough and PKI is needed ?

Since the public key is sent unencrypted an attacker could intercept a client's request for a public key and substitute his or her own public key for the one requested from the server. Thereby the attacker would be able to decrypt the key for symmetric encryption sent by the client and subsequently decrypt all further communication. This kind of attack is called a "man-in-the-middle" attack. To prevent a "man-in-the-middle" attack SSL uses a Public Key Infrastructure with signed certificates to assure the client that the public key it receives came from the intended server rather than an attacker.

Describe full TLS 1.3 handshake.

Static RSA key exchanges are no longer supported, DHE is supported. Important change is the removal of the ChangeCipherSpec protocol (yes, it's actually a protocol, not a message). With TLS v1.3 every message sent after ServerHello is encrypted with the so-called ephemeral secret to lock out passive adversaries very early in the game. EncryptedExtensions carries Hello extension data that must be encrypted because it's not needed to set up secure communication. The probably most important change with regard to 1-RTT is the removal of the ServerKeyExchange and ClientKeyExchange messages. The DH parameters and public keys are now sent in special KeyShare extensions, a new type of extension to be included in the ServerHello and ClientHello messages. Moving this data into Hello extensions keeps the handshake compatible with TLS v1.2 as it doesn't change the order of messages. 1. RTT: ClientHello (+KeyShare) ServerHello(+KeyShare) EncryptedExtensions, Cert CertVerify, Finished Finished

SSL/TLS uses both symmetric and asymmetric cryptography. Why ?

Symmetric encryption is much more efficient than asymmetric (public-key) cryptography but public-key cryptography allows the key necessary for symmetric encryption to be shared over an inherently insecure network like the Internet. If symmetric encryption is to be used for communication however the sender and receiver need to share the key. The key needs to be shared securely though.

Describe purpose of each technology used in TLS: - symmetric encryption - public-key crypto - public key infrastructure - HMAC

TLS uses symmetric encryption to transfer data securely; public-key cryptography to exchange the key used for symmetric encryption; a public key infrastructure with digitally signed certificates to assure the client that the public-key sent to it during public-key cryptography is authentic; and Hash-based Message Authentication Codes (HMAC) with a secret key to authenticate the data transferred.

Can TLS work with UDP ?

TLS was designed to operate on top of a reliable transport protocol such as TCP. However, it has also been adapted to run over datagram protocols such as UDP. The Datagram Transport Layer Security (DTLS) protocol, defined in RFC 6347, is based on the TLS protocol and is able to provide similar security guarantees while preserving the datagram delivery model.

How do we know which CA issued the cert ?

The issuer is the distinguished name for the CA that signed the certificate.

How do we know for which hosts is the cert valid ?

The subject is the distinguished name of the site for which the certificate is issued. The CN or common name is usually the domain name for the site. The domain name may be specified in different ways depending on the type of certificate (e.g. Wildcard Certificates may have wildcards as subdomains, *.example.com). The domain name may also be specified as a DC or domain component (e.g. DC=*, DC=example, DC=com) but this specification is not widely supported even though it is mandatory in the RFC.

Describe abbreviated handshake in TLS 1.2 and its advantage.

This abbreviated handshake is effectively 1-RTT as the client can send application data immediately after the Finished message. It's possible via session ids and session tickets.

what is session ticket (session caching, stateless resumption) ?

replacement of session caches. no need to keep per=client session state. the server includes a New Session Ticket record, that includes all of the session data encrypted with a secret key known only by the server. All data is stored on the client, but the ticket is safe, as it is encrypted by key known only by the server.

what is session identifier ?

server maintains negotiated session parameters. Saves full roundtrip. Can be difficult to main, may consume lot of resources.

what is server renegotion request ?

server says: establish new private key 1. client can ignore it 2. session resumption 3. completely new handshake (very expensive)

Why do we exchange symmetric keys ?

so that we can bulk encryption: symmetric encryption. Symmetric encryption is cheaper than asymmetric encryption.

client_write_MAC_key server_write_MAC_Key

the key that will be used as input to the sent data MAC. MAC verifies the data is authentic and unchanged.

uncached origin fetch

using a CDN or proxy server to fetch a resource, which may need to be customized per user or contains private data and hence is not globally cacheable at the edge. Edge can contain warm connection pool to the origin.