The SSL/TLS protocol
Myrto Arapinis
School of Informatics
University of Edinburgh
October 27, 2016
SSL/TLS protocol
Goals: Confidentiality, Integrity, Non-repudiation
SSL/TLS uses X.509 certificates, and hence asymmetric cryptography, to exchange a symmetric key. This session key is then used to encrypt subsequent communication. This provides data/message confidentiality, and message authentication codes provide message integrity and thus message authentication.
SSL/TLS protocol
SSL/TLS protocol
TCP/IP protocol stack
- TCP/IP provides end-to-end connectivity and is organized into four abstraction layers which are used to sort all related protocols according to the scope of networking involved
- The SSL/TLS library operates above the transport layer (uses TCP) but below application protocols
SSL/TLS protocol layers
SSL/TLS handshake protocol
Client Hello
Server Hello
Certificate
Key exchange
Change cipher spec
SSL/TLS renegotiation
Client and server are allowed to initiate renegotiation of the session encryption in order to:
- Refresh keys
- Increase authentication
- Increase cipher strength
- ...
Client or server can trigger renegotiation by sending a hello message
SSL/TLS renegotiation weaknesses
- Renegotiation has priority over application data!
- Renegotiation can take place in the middle of an application layer transaction!
(Detailed on the board)
Incorrect implicit assumption: the client doesn't change through renegotiation
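The TLS renegotiation indication extension (RFC 5746) turns that assumption into a check: every ClientHello carries the client's Finished value (verify_data) from the handshake currently protecting the connection, and the server aborts if it does not match. The model below is an added example, not taken from the slides; the class, the secrets and the HMAC stand-in for the TLS PRF are constructed for illustration.

```python
import hashlib
import hmac

def verify_data(master_secret: bytes, transcript: bytes) -> bytes:
    """Stand-in for the Finished message's verify_data (real TLS derives it
    with the TLS PRF; HMAC-SHA256 truncated to 12 bytes is used here)."""
    return hmac.new(master_secret, transcript, hashlib.sha256).digest()[:12]

class ServerConnection:
    """Server-side state for one TCP connection (hypothetical model)."""

    def __init__(self, enforce_binding: bool):
        self.enforce_binding = enforce_binding
        self.saved_client_verify_data = b""  # empty before the first handshake

    def handshake(self, renegotiation_info: bytes, new_verify_data: bytes) -> bool:
        # RFC 5746 rule: the ClientHello must carry the client verify_data of
        # the handshake that protects this connection (empty on the first one).
        if self.enforce_binding and not hmac.compare_digest(
                renegotiation_info, self.saved_client_verify_data):
            return False  # abort the handshake: the client has changed
        self.saved_client_verify_data = new_verify_data
        return True

def run(enforce_binding: bool) -> dict:
    # Constructed secrets and transcripts for two different clients.
    first = verify_data(b"secret-of-first-client", b"handshake-1")
    second = verify_data(b"secret-of-second-client", b"handshake-2")
    again = verify_data(b"secret-of-first-client", b"handshake-3")

    conn = ServerConnection(enforce_binding)
    initial_ok = conn.handshake(b"", first)
    # A second client's *initial* ClientHello arrives on the same connection:
    # it carries an empty renegotiation_info, but the server is renegotiating.
    changed_client_ok = conn.handshake(b"", second)

    conn2 = ServerConnection(enforce_binding)
    conn2.handshake(b"", first)
    # Honest renegotiation: the same client echoes its previous verify_data.
    same_client_ok = conn2.handshake(first, again)
    return {"initial": initial_ok, "changed_client": changed_client_ok,
            "same_client": same_client_ok}

if __name__ == "__main__":
    print("without binding:", run(False))
    print("with binding:   ", run(True))
```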
Marsh Ray’s plaintext injection attack on HTTPS
Attacker:
    GET /pizza?toppings=pepperoni;address=attacker str HTTP/1.1
    X-Ignore-This: (no carriage return)
Victim:
    GET /pizza?toppings=sausage;address=victim str HTTP/1.1
    Cookie: victim cookie
Result:
    GET /pizza?toppings=pepperoni;address=attacker str HTTP/1.1
    X-Ignore-This: GET /pizza?toppings=sausage;address=victim str HTTP/1.1
    Cookie: victim cookie
⇒ Server uses victim's account to send a pizza to attacker!
Anil Kurmus’ plaintext injection attack on HTTPS
Twitter status updates are made through its API by posting the new status, as well as the user name and password, to http://twitter.com/statuses/update.xml
Attacker:
    POST /statuses/update.xml HTTP/1.1
    Authorization: Basic username:password
    User-Agent: curl/7.19.5
    Host: twitter.com
    Accept: */*
    Content-Length: 140
    Content-Type: application/x-www-form-urlencoded

    status=
Victim:
    POST /statuses/update.xml HTTP/1.1
    Authorization: Basic username:password...
⇒ the attacker gets the user name and password of the victim!
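How the server's HTTP layer reads the two spliced streams from the Marsh Ray and Anil Kurmus slides, as an added example that is not part of the original lecture. The CRLF framing, the `first-user`/`second-user` credential strings and the embedded-request-line heuristic are constructed for illustration.

```python
import re

# A complete request line appearing inside a header value or a body.
REQUEST_LINE = re.compile(rb"(GET|POST|PUT|DELETE|HEAD) [^\r\n]+ HTTP/1\.[01]")

def parse_request(stream: bytes) -> dict:
    """Read one HTTP/1.1 request from the decrypted byte stream: request
    line, headers up to the blank line, then Content-Length bytes of body."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip()
    length = int(headers.get("content-length", b"0"))
    return {"request_line": lines[0], "headers": headers, "body": rest[:length]}

def embedded_requests(request: dict) -> list:
    """Heuristic check (an assumption of this example): name the header
    values, or the body, that contain a second request line."""
    hits = [n for n, v in request["headers"].items() if REQUEST_LINE.search(v)]
    if REQUEST_LINE.search(request["body"]):
        hits.append("body")
    return hits

# Constructed streams: what the server decrypts before and after renegotiation.
PIZZA = (b"GET /pizza?toppings=pepperoni;address=attacker str HTTP/1.1\r\n"
         b"X-Ignore-This: "                       # first client stops here
         b"GET /pizza?toppings=sausage;address=victim str HTTP/1.1\r\n"
         b"Cookie: victim cookie\r\n\r\n")
STATUS = (b"POST /statuses/update.xml HTTP/1.1\r\n"
          b"Authorization: Basic first-user:first-pass\r\n"
          b"Host: twitter.com\r\n"
          b"Content-Length: 140\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"status="                              # first client stops here
          b"POST /statuses/update.xml HTTP/1.1\r\n"
          b"Authorization: Basic second-user:second-pass\r\n\r\n")

if __name__ == "__main__":
    pizza, status = parse_request(PIZZA), parse_request(STATUS)
    # One request line, but the cookie header comes from the second client.
    print(pizza["request_line"], pizza["headers"]["cookie"], embedded_requests(pizza))
    # The second client's whole request, credentials included, is the body.
    print(status["headers"]["authorization"], status["body"], embedded_requests(status))
```

In both cases the server sees a single well-formed request, so the splice is only visible as a request line sitting where a header value or form body should be.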
The SAML Single Sign On (SSO) protocol
SAML SSO protocol
SAML SSO protocol
SAML SSO protocol
SAML SSO protocol (OASIS 2005)
Google’s implementation of SSO
Google's SAML-based Single Sign-On for Google Applications deviates from the above protocol for a few, seemingly minor simplifications in the messages exchanged:
G1. ID and SP are not included in the authentication assertion, i.e. $AA = AuthAssert(C; IdP)$ instead of $AuthAssert(ID; C; IdP; SP)$;
G2. ID, SP and IdP are not included in the response, i.e. $Resp = Response(\{AA\}_{K^{-1}_{IdP}})$ instead of $Response(ID; SP; IdP; \{AA\}_{K^{-1}_{IdP}})$.
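What a service provider can and cannot verify under each form of the assertion, as an added example rather than code from the slides or from Google. HMAC stands in for the IdP signature, and the SP names, request IDs and the `strict` flag are constructed for illustration.

```python
import hashlib
import hmac
import json

IDP_KEY = b"constructed-idp-key"  # stand-in for the IdP's signing key

def _mac(assertion: dict) -> str:
    payload = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()

def idp_sign(assertion: dict) -> dict:
    """IdP side: the signed assertion {AA}K^-1_IdP (real SAML uses an XML
    signature made with the IdP's private key, not a shared-key MAC)."""
    return {"AA": assertion, "sig": _mac(assertion)}

def sp_check(signed: dict, me: str, pending_ids: set, idp: str, strict: bool):
    """SP side: return (accepted, reason) for a received signed assertion."""
    aa = signed["AA"]
    if not hmac.compare_digest(signed["sig"], _mac(aa)):
        return False, "bad signature"
    if aa.get("IdP") != idp:
        return False, "untrusted IdP"
    if "SP" not in aa or "ID" not in aa:
        # Simplified form AuthAssert(C; IdP): nothing ties it to this SP or
        # to a request this SP made, so a lenient SP has nothing to compare.
        return (False, "missing SP or ID") if strict else (True, "accepted unbound")
    if aa["SP"] != me:
        return False, "issued for another SP"
    if aa["ID"] not in pending_ids:
        return False, "no matching request ID"
    return True, "accepted"

# Constructed assertions for user C = "alice"; this SP is "apps.example"
# and has one outstanding request, "req-1".
G1_FORM = idp_sign({"C": "alice", "IdP": "idp.example"})
FOR_OTHER_SP = idp_sign({"ID": "req-7", "C": "alice", "IdP": "idp.example",
                         "SP": "other-sp.example"})
FOR_THIS_SP = idp_sign({"ID": "req-1", "C": "alice", "IdP": "idp.example",
                        "SP": "apps.example"})

def demo() -> dict:
    args = ("apps.example", {"req-1"}, "idp.example")
    return {
        "g1_lenient": sp_check(G1_FORM, *args, strict=False),
        "g1_strict": sp_check(G1_FORM, *args, strict=True),
        "full_other_sp": sp_check(FOR_OTHER_SP, *args, strict=True),
        "full_this_sp": sp_check(FOR_THIS_SP, *args, strict=True),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```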
Attack Google’s SSO implementation
[A. Armando, R. Carbone, L. Compagna, J. Cuéllar, L. Tobarra, "Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps", (FMSE'08)]
SAML SSO protocol (OASIS 2012)
Attack SAML SSO protocol (OASIS 2012)
[A. Armando, R. Carbone, L. Compagna, J. Cuéllar, G. Pellegrino, A. Sorniotti, "From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure?", Chapter in Future Challenges in Security and Privacy for Academia and Industry]
⇒ XSS attack on SAML-based SSO for Google Apps