Source: cs161/sp15/slides/lec18-SSL-TLS.pdf
Dawn Song
Applications of Crypto: SSL/TLS
Computer Security Course. Dawn Song
Slides credit: Dan Boneh, Doug Tygar, David Wagner
Overview
• Last lecture
– Cryptographic hash function
– HMAC
– Public-key encryption
– Digital signature
• This lecture
– Certificate
– SSL/TLS
– Passwords
Review: Applications of Digital Signatures
• Software distribution
• How can we get Microsoft's public key?
Figure: a Windows Update file, with Microsoft's signature on the file.
Certificates: bind Bob's ID to his PK
How does Alice (browser) obtain Bob's public key pkBob?
Figure (certificate issuance and use):
• Server Bob generates a key pair (sk, pk).
• Bob sends pk and a proof "I am Bob" to the Certificate Authority (CA).
• The CA checks the proof and issues a Cert signed with SKCA, stating "Bob's key is pk".
• Bob presents the cert "Bob's key is pk" to browser Alice.
• Alice verifies the cert using PKCA.
Sample certificate (shown as an image on the original slide).
Certificate Issuance Woes
Wrong issuance: 2011: Comodo and DigiNotar CAs hacked, incorrectly issue certs for gmail.com, yahoo.com, and many others
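The issuance flow above and the 2011 failures, as an added Go example (not part of the lecture slides): a CA issues a certificate for bob.example with Go's crypto/x509 and browser Alice verifies it against PKCA; the same trusted CA can sign gmail.com just as easily, which is what a compromised CA lets an attacker obtain. The CA name, host names, one-year validity and P-256 keys are the example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // abort on any error: fine for a demo, not for server code
	if err != nil {
		panic(err)
	}
	return v
}
// issue generates name's (sk, pk) and has the parent CA sign "name's key is pk" with its secret key
// (SKCA on the slide); a nil parent produces a self-signed CA root instead.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // fixed validity window: expiration
	}
	if parent == nil { // self-signed: this certificate is the CA root itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server cert: carries the host name that browser Alice will check
		tmpl.DNSNames, tmpl.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// Scenario plays browser Alice, whose trust store holds PKCA: Bob's cert verifies, and so does a
// gmail.com cert from the same trusted CA, since nothing in X.509 ties a CA to particular names.
func Scenario() (bobOK, anyNameOK bool) {
	ca, caKey := issue("Trusted CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	bob, _ := issue("bob.example", ca, caKey)
	gmail, _ := issue("gmail.com", ca, caKey)
	_, errBob := bob.Verify(x509.VerifyOptions{Roots: roots, DNSName: "bob.example"})
	_, errGmail := gmail.Verify(x509.VerifyOptions{Roots: roots, DNSName: "gmail.com"})
	return errBob == nil, errGmail == nil
}
func main() { fmt.Println(Scenario()) } // prints: true true
```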
What to do? Ask some other trusted 3rd party
• Examples: Perspectives [WAP'08], Google certificate catalog, DANE
Figure (Google certificate catalog lookup): Alice sends client-hello to Bob; Bob replies with server-hello and cert; Alice then looks up the cert hash at certs.googlednstest.com (over DNSsec) and learns the date Google first saw the cert, the date Google last saw it, and the number of times it was seen.
Certificate revocation
What happens if Bob loses his secret key sk?
• Certificate on pkBob must be revoked
Revocation methods:
• Expiration: certificates active in fixed time window (one year)
• Certificate Revocation Lists (CRLs): CA publishes a list of revoked certificates
• Online Certificate Status Protocol (OCSP)
Certificate Revocation Lists (CRLs)
CA periodically publishes the serial # of revoked certs.
• List is signed by the CA
When browser receives cert.:
• Download latest CRL and reject cert. if serial # is on list
Problems:
• CRLs can get large
• May reveal whose cert. is revoked
Online Certificate Status Protocol (OCSP)
Figure: Alice sends client-hello to Bob; Bob replies with server-hello and cert; Alice then asks the OCSP responder whether that cert is still valid.
Browser accepts cert. if responder says valid (or if no response)
Problems:
• Slows down HTTPS session setup
• Lets the responder track users
(see OCSP stapling for a solution)
Key Exchange
• Alice and Bob want to use symmetric-key encryption
• How can they establish a secret key?
– Public-key encryption
– Diffie-Hellman key exchange
Diffie-Hellman key exchange
Public parameters: prime p, number g, 0 < g < p
Alice → Bob: g^A mod p
Bob → Alice: g^B mod p
Alice computes (g^B)^A mod p; Bob computes (g^A)^B mod p
Man in the middle attack
Alice ←→ MITM ←→ Bob, with an encrypted channel on each side
Alice → MITM: g^A mod p; MITM → Bob: g^S mod p
Bob → MITM: g^B mod p; MITM → Alice: g^T mod p
Alice's key: g^AT mod p; Bob's key: g^BS mod p
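Both exchanges above, as an added Go example (not from the slides): an honest Diffie-Hellman run where Alice and Bob agree on g^AB mod p, and the man-in-the-middle run where the attacker's exponents S and T leave Alice with g^AT and Bob with g^BS, each shared with the attacker rather than with each other, which is why a real protocol must authenticate the exchanged values. The prime is generated per run and the 512-bit size is the example's own choice for speed.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Group holds the public Diffie-Hellman parameters from the slide: prime p and g with 0 < g < p.
type Group struct{ P, G *big.Int }

// NewGroup generates a prime of the given size and uses g = 2; real deployments use fixed,
// vetted groups (e.g. RFC 7919) rather than a fresh prime per run.
func NewGroup(bits int) Group {
	p, _ := rand.Prime(rand.Reader, bits) // errs only for bits < 2
	return Group{P: p, G: big.NewInt(2)}
}

// Party is one side's secret exponent (A, B, S or T) plus the public value g^x mod p it sends.
type Party struct{ secret, Public *big.Int }
func (grp Group) NewParty() Party {
	x, _ := rand.Int(rand.Reader, grp.P) // the secret exponent; never leaves this side
	return Party{secret: x, Public: new(big.Int).Exp(grp.G, x, grp.P)}
}

// Shared computes (peer's public value)^secret mod p, i.e. (g^y)^x = g^xy mod p.
func (grp Group) Shared(me Party, peerPublic *big.Int) *big.Int {
	return new(big.Int).Exp(peerPublic, me.secret, grp.P)
}

// Honest: g^A and g^B are exchanged directly, so (g^B)^A equals (g^A)^B.
func Honest(grp Group) bool {
	alice, bob := grp.NewParty(), grp.NewParty()
	return grp.Shared(alice, bob.Public).Cmp(grp.Shared(bob, alice.Public)) == 0
}

// MITM delivers g^S to Bob instead of g^A and g^T to Alice instead of g^B. Nothing authenticates the
// values, so Alice shares g^AT with the attacker and Bob shares g^BS with the attacker, while the
// two victims' keys differ. Returns (Alice's key, attacker's copy, Bob's key, attacker's copy).
func MITM(grp Group) (aliceKey, mitmAlice, bobKey, mitmBob *big.Int) {
	alice, bob, s, t := grp.NewParty(), grp.NewParty(), grp.NewParty(), grp.NewParty()
	aliceKey, mitmAlice = grp.Shared(alice, t.Public), grp.Shared(t, alice.Public) // g^AT on both sides
	bobKey, mitmBob = grp.Shared(bob, s.Public), grp.Shared(s, bob.Public)         // g^BS on both sides
	return
}

func main() {
	grp := NewGroup(512) // small for speed; use >= 2048-bit standard groups in practice
	a, ma, b, mb := MITM(grp)
	fmt.Println(Honest(grp), a.Cmp(ma) == 0, b.Cmp(mb) == 0, a.Cmp(b) != 0) // true true true true
}
```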
Application of crypto to secure Internet communications
SSL session setup
Client (C) and Server (S); the server holds the RSA secret key. Bracketed messages are optional.
C → S: ClientHello
S → C: ServerHello, [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone
C → S: [Certificate], ClientKeyExchange, [CertificateVerify]
C → S: switch to negotiated cipher; Finished
S → C: switch to negotiated cipher; Finished
Abstract SSL (simplified)
Client → Server: ClientHello: nonceC
Server → Client: ServerHello: cert, nonceS
Client: pick random 48 byte PreK
Client → Server: ClientKeyExchange: c ← E(pk, PreK)
Server (holder of the RSA secret key): decrypt c to get PreK
Both sides: session-keys ← PRF( PreK, nonceC , nonceS )
Client → Server: Finished; Server → Client: Finished
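The abstract exchange above (and the RSA-based session setup it simplifies), as an added Go example that is not from the slides: the client picks a 48-byte PreK and sends c ← E(pk, PreK), the server decrypts it with its RSA secret key, and both sides derive session keys from (PreK, nonceC, nonceS) using the TLS 1.2 PRF of RFC 5246. The certificate and Finished messages are omitted, the RSA key is generated in place rather than read from a cert, and the nonce and key-block sizes are the example's own choices.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T { // abort on any error: fine for a demo, not for server code
	if err != nil {
		panic(err)
	}
	return v
}
func random(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // n fresh random bytes
// PRF is the TLS 1.2 PRF (RFC 5246 §5): P_SHA256(secret, label + seed) with A(0) = seed,
// A(i) = HMAC(secret, A(i-1)) and output block i = HMAC(secret, A(i) + seed).
func PRF(secret []byte, label string, seed []byte, n int) []byte {
	seed = append([]byte(label), seed...)
	var out []byte
	for a := seed; len(out) < n; {
		m := hmac.New(sha256.New, secret)
		m.Write(a)
		a = m.Sum(nil)
		m.Reset()
		m.Write(a)
		m.Write(seed)
		out = append(out, m.Sum(nil)...)
	}
	return out[:n]
}
// SessionKeys spells out the slide's "session-keys ← PRF(PreK, nonceC, nonceS)" as TLS 1.2 does it:
// a 48-byte master secret, then a key block (nonces in the other order) that is cut into keys and IVs.
func SessionKeys(preK, nonceC, nonceS []byte) []byte {
	master := PRF(preK, "master secret", append(append([]byte{}, nonceC...), nonceS...), 48)
	return PRF(master, "key expansion", append(append([]byte{}, nonceS...), nonceC...), 64)
}
// RSAHandshake runs the abstract exchange: the client picks PreK and sends c ← E(pk, PreK), the server
// decrypts c with its RSA secret key, and both sides derive session keys. Returns whether they agree.
func RSAHandshake() bool {
	serverKey := must(rsa.GenerateKey(rand.Reader, 2048)) // pk would be carried in the server's cert
	nonceC, nonceS, preK := random(32), random(32), random(48) // hello nonces; the client's random PreK
	c := must(rsa.EncryptPKCS1v15(rand.Reader, &serverKey.PublicKey, preK)) // ClientKeyExchange
	got := must(rsa.DecryptPKCS1v15(nil, serverKey, c)) // server: decrypt c to get PreK
	return bytes.Equal(SessionKeys(preK, nonceC, nonceS), SessionKeys(got, nonceC, nonceS))
}
func main() { fmt.Println(RSAHandshake()) } // true
```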
SSL Problems
• SSL 2.0 broken
• SSL 3.0 broken
• TLS 1.0 broken
– BEAST: Browser Exploit Against SSL/TLS Tool
Passwords
• The most popular authentication method
• Security & Usability issues
– Long and random passwords are harder to remember
– Users select memorable passwords, which are easy to guess
– Users reuse passwords across multiple sites
Attacks on Passwords
• Online guessing attacks
• Social engineering and phishing
• Eavesdropping
• Client-side malware
• Server compromise
Online Guessing Attacks
• Repeatedly try logging in with many different guesses
– 123456
– password
– 12345678
• Defenses
– Rate limiting, e.g., 5 guesses in one day
– CAPTCHAs
• Vulnerable to machine learning attacks
• Underground markets hire human workers to solve CAPTCHAs
Social Engineering and Phishing
• Fool a user into revealing his/her password
• Defenses
– Educating users
– Machine learning to detect phishing sites
Eavesdropping
• If plaintext passwords are sent from the client to the server, they can be eavesdropped on the Internet, e.g., on public Wi-Fi.
• Defenses
– SSL!
Client-side Malware
• Keyloggers to capture passwords
• Virtual keyboard
– Malware records the locations of mouse clicks and takes screenshots
• Very difficult to defend in this threat model
Server Compromise
• Get a copy of the password database
– 32M passwords from RockYou in 2009
• Do not store user passwords in plaintext
• Use cryptographic hash function and salt
– Store (username, salt, H(salt, password))
– Offline password guessing: test guesses on the attacker's own computer
– Use slow hash function to slow down offline password guessing
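The storage scheme above, as an added Go example (not from the slides): each record holds (username, salt, H(salt, password)) where H is a deliberately slow hash, here PBKDF2-HMAC-SHA256 written over the standard library, so that every offline guess costs the attacker the same iteration count the server pays once per login. The 16-byte salt and the iteration count are the example's own choices.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is what the server stores per user: (username, salt, H(salt, password)) plus the work
// factor; the password itself is never written anywhere.
type Record struct {
	Username   string
	Salt, Hash []byte
	Iterations int
}
// slowHash is PBKDF2-HMAC-SHA256 (RFC 8018) restricted to one 32-byte output block:
// U1 = HMAC(pw, salt || INT(1)), Ui = HMAC(pw, Ui-1), result = U1 xor ... xor Uc, so an offline
// guess costs c HMACs. Memory-hard functions (scrypt, Argon2) are stronger; this is the stdlib-only form.
func slowHash(password string, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}
// Register draws a fresh random salt, so equal passwords on different accounts store different
// hashes and one precomputed table cannot be reused across users.
func Register(username, password string, iterations int) Record {
	salt := make([]byte, 16)
	rand.Read(salt)
	return Record{username, salt, slowHash(password, salt, iterations), iterations}
}
// Verify recomputes the hash under the stored salt; the constant-time compare leaks no prefix match.
func Verify(r Record, password string) bool {
	return hmac.Equal(r.Hash, slowHash(password, r.Salt, r.Iterations))
}
func main() {
	a, b := Register("alice", "123456", 100000), Register("bob", "123456", 100000)
	fmt.Println(Verify(a, "123456"), Verify(a, "password"), bytes.Equal(a.Hash, b.Hash)) // true false false
}
```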