CS G254/U645 11/16/07
SSL / TLS vs. Kerberos & PKC vs. Secret Key Cryptography
https -- the s signifies SSL/TLS
SSL is Secure Sockets Layer
TLS is Transport Layer Security
Coarse Structure
                Browser                                  Server
                ____________                             ____________
                | -------------- Hi -----------------> | port :443
                |                                      |
Verifies Cert   |<----cipher suite, certificate------- |
                |                                      |
Picks session   |-----Epub(session key)--------------> |
key             |                                      |
                |                                      |
                |<---data encrypted------------------- |
                |    using session key                 |
-The server gets authenticated by certificate.
-The user (browser) typically gets authenticated by login/password.
-Client-side certificates exist, but are infrequent. Typically they are used by employees of big corporations.
______________________________________________________
Things to think about
-Proxies: What happens when a proxy is between you and the server?
-What stuff is revealed?
______________________________________________________
Fine Structure
                Browser                                    Server
                ____________                               ____________
                | ----Hi, Supported Ciphers, Rb--------> | port :443
                |                                        |
Chooses         |<-cert, chosen cipher, Rs, session-id-- |
Premaster       |                                        |
secret S        |                                        |
                |                                        |
Master secret   |-------Epub(S) -----------------------> |
K=h(S,Rs,Rb)    |       h(Msg1, Msg2, “Browser”, K)      |
                |                                        |
                |                                        |
Compute         |<---h(Msg1, Msg2, “Server”, K)--------- | Computes same
Session keys    |                                        | session keys
separate for    |                                        |
sender&server   |                                        |
                |                                        |
                |<-exchange data using session keys----- |
-Msg1 and Msg2 are included in the hash because the messages could have been tampered with in a man-in-the-middle attack
-“Browser” and “Server” are added so that the two messages are different, which prevents replaying
-The server picks the strongest supported cipher.
-If the browser doesn’t support a strong enough cipher, the server can reject.
-The handshake is done with PKC, then the data exchange is done using SKC. This is for efficiency since SKC is faster
-The session is a lightweight interaction between browser/server
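Added example (not part of the original notes): a Python sketch of the Fine Structure handshake above, showing K=h(S,Rs,Rb) and why hashing Msg1 and Msg2 into the keyed hashes exposes a cipher list that was altered in transit. SHA-256 as h, the message layouts and the cipher names STRONG/WEAK are assumptions; the Epub(S) step is omitted and S is assumed to reach the server intact.

```python
import hashlib
import hmac
import os

def h(*parts: bytes) -> bytes:
    """The notes' h(...). SHA-256 over length-prefixed fields is an assumption."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)  # prefix keeps field boundaries unambiguous
    return d.digest()

def master_secret(S: bytes, Rs: bytes, Rb: bytes) -> bytes:
    return h(S, Rs, Rb)  # K = h(S, Rs, Rb)

def finished(msg1: bytes, msg2: bytes, role: bytes, K: bytes) -> bytes:
    return h(msg1, msg2, role, K)  # h(Msg1, Msg2, "Browser" or "Server", K)

def hello(ciphers: list, Rb: bytes) -> bytes:
    return b"Hi|" + b",".join(ciphers) + b"|" + Rb  # constructed Msg1 layout

def simulate(tamper: bool) -> dict:
    """One handshake; with tamper=True the cipher list is altered in transit."""
    Rb, Rs, S = os.urandom(32), os.urandom(32), os.urandom(48)
    offered = [b"STRONG", b"WEAK"]              # constructed names, strongest first
    seen = [b"WEAK"] if tamper else offered     # what actually reaches the server
    msg1_sent, msg1_seen = hello(offered, Rb), hello(seen, Rb)
    chosen = seen[0]                            # server picks strongest cipher it saw
    msg2 = b"cert|" + chosen + b"|" + Rs + b"|session-id"  # constructed Msg2 layout
    K = master_secret(S, Rs, Rb)                # both sides hold S (Epub(S) step omitted)
    browser_hash = finished(msg1_sent, msg2, b"Browser", K)  # over what the browser sent
    server_hash = finished(msg1_seen, msg2, b"Server", K)    # over what the server received
    expected = finished(msg1_seen, msg2, b"Browser", K)      # server's view of the browser hash
    return {
        "chosen": chosen,
        "server_accepts": hmac.compare_digest(browser_hash, expected),
        "replay_accepted": hmac.compare_digest(browser_hash, server_hash),
    }

if __name__ == "__main__":
    for tamper in (False, True):
        print("tampered" if tamper else "clean", simulate(tamper))
```

In the clean run the server accepts the browser's hash; in the tampered run the two sides hashed different Msg1 values, so the check fails even though K is identical. The role label keeps the browser's hash from ever matching the server's, so one cannot be sent back as the other.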
Session Resumption
                Browser                                    Server
                ____________                               ____________
                | ----session-id, ciphersuite, Rb------> |
                |                                        |
Same K          |<--------cipher, Rs, session-id-------- | Same K
                |                                        |
                |                                        |
Rs & Rb used    |<---------Keyed hash ------------------ |
for new         |                                        |
session keys    |---------Keyed hash-------------------> |
                |                                        |
                |<------------data exchange------------- |
-Ciphersuite sent again in case you upgraded
-New random numbers
-Server sends session-id again in case it wants to rename the session-id
-Multiple sessions can run on the same TCP connection
________________________________________________________________
Proxies
-CDN
   -Doesn’t know which cert to present
    Solution: IP/hostname is what the CDN looks at.
    Each company/cert has its own IP.
-------------
| HTTP
-------------
| HTTPS
-------------
| TCP
What stuff is revealed
-Cipher
-IP addresses
-Port #s
-TCP sequence #s
-The IPs must always be revealed
-IPsec would allow port #s and sequence #s to be hidden
___________________________________________________________________
Key sizes
PKC:
PKC/SKC
Year    Individual    Corporation    Government
---------------------------------------------------------------
1995    765/80        1280/112       1536/112
2005    1280/112      1536/112       2048/128
2015    1536/128      2048/128       2048/128
-As time goes on,
-And as you go from Individual requirements to Government requirements, money requirements increase
-“general field sieve” – for discrete log & factoring. To protect against it, you must use a long key length for public key cryptography
_____________________________________________________________________
Best Practice
-Initially handshake using PKC
   exchange session key using PKC
   exchange data using secret key
-long email: pick secret key, encrypt secret key using public key & send as header. Encrypt message using secret key
-Sign long email: hash email, sign the hash
_____________________________________________________________________
SSL vs. Kerberos
PKC vs. SKC
-PKC is better because Kerberos needs an always on KDC
   Reality: There is no cert revocation today, PKC will also need an ever present CA.
-Kerberos needs a higher degree of security because the KDC contains everybody’s keys
   Reality: You still need to provide ultra-high security for the root private key of the CA.
-Kerberos is better because it is an open standard
   Reality: Patents expired, so PKC is as open as Kerberos. Also in a Kerberos world, you would have to pay to be a KDC
-Kerberos is more secure since a person’s password lives in their head while in SSL private keys live on disk
   Reality: Private key is protected using a passphrase