Lecture 17: Transport Layer Security Protocol Part 1

Question 1

Briefly outline the history of TLS

Answer 1

• TLS 1.0 –> 1999
• TLS 1.1 –> 2006, fixing problems with non-random IVs and exploitation of padding error messages
• TLS 1.2 –> 2008, allowing the use of standard authentication encryption rather than separating encryption and MAC
• TLS 1.3 –> 2018, separating key agreement and authentication algorithms for cipher suites

Question 2

What is TLS?

Answer 2

• cryptographic services protocol based upon PKI and commonly used on the Internet
• often used to allow browsers to establish secure sessions with Web servers

Question 3

What does TLS primarily run over?

Answer 3

TCP

Variant DTLA runs over datagram protocols

Question 4

What was TLS designed for?

Answer 4

To secure reliable end-to-end services over TCP

Question 5

What are the three higher level TLS protocols?

Answer 5

1) TLS handshake protocol
2) TLS alert protocol
3) TLS change cipher spec protocol

Question 6

What is the general idea of the TLS handshake protocol?

Answer 6

to set up sessions

Question 7

What is the general idea of the TLS alert protocol?

Answer 7

to signal events, such as failures

Question 8

What is the general idea of the TLS change cipher spec protocol?

Answer 8

to change the cryptographic algorithms

Question 9

What does TLS record protocol provide?

Answer 9

basic services to various higher level protocols

Question 10

Give the protocol stack of TLS

Answer 10

See slide 8 in set 17

Question 11

What are the two TLS connection services?

Answer 11

1) message confidentiality –> ensure that the message contents cannot be read in transit
2) message integrity –> ensuring that the receiver can detect if a message is modified in transmission

Question 12

What are the TLS connection services possibly provided by?

Answer 12

symmetric encryption alg and a MAC

Question 13

From TLS 1.2, what are the connection services provided with?

Answer 13

authentication modes (CCM, GCM)

Question 14

What type of keys does the TLS handshake protocol establish?

Answer 14

symmetric session keys

Question 15

Give the format of a TLS record using in the record protocol

Answer 15

See slide 11 in set 17

Question 16

What can the content type in the header of a TLS record i.t.o the TLS record protocol be?

Answer 16

1) change-cipher-spec
2) alert
3) handshake
4) application-data

Question 17

What are possible protocol versions in the header of a TLS record i.t.o the TLS record protocol?

Answer 17

• major version: 3 for TLS
• minor version:
  
  • 1 for TLS 1.0
  • 2 for TLS 1.1
  • 3 for TLS 1.2
  • 4 for TLS 1.3

Question 18

What does the length field in the header of a TLS record contain?

Answer 18

length of the data, in octets

Question 19

What is the fragmentation operation of the TLS record protocol?

Answer 19

each application layer message is fragmented into blocks of 2^14 bytes or less

Question 20

Comment on the compression operation of the TLS record protocol

Answer 20

• default compression algorithm is null for TLS 1.2 (thus optionally applied)
• removed in TLS 1.3

Question 21

Comment on the authenticated data of the TLS record protocol

Answer 21

consisting of the (compressed) data, header and an implicit record sequence number

Question 22

Comment on the plaintext of the TLS record protocol

Answer 22

compressed data and MAC (if present)

Question 23

Comment on the session keys of the TLS record protocol

Answer 23

computed during handshake protocol, for either MAC and encryption algorithms, or authenticated encryption algorithm

Question 24

Comment on the specification of the TLS record protocol

Answer 24

encryption and MAC algorithms are specified in the negotiated cipher suite

Question 25

What type of MAC is used in all TLS versions?

Answer 25

HMAC, using a negotiated hash function

Question 26

What versions of TLS allow SHA-2?

Answer 26

only from TLS 1.2

Question 27

Which hash functions have been discarded from TLS 1.3?

Answer 27

MD5 and SHA-1

Question 28

Comment on the encryption algorithm used in TLS

Answer 28

Either a negotiated block cipher in CBC mode or a stream cipher

For block ciphers, padding is applied after MAC to make a multiple of the cipher block size

Question 29

What is the most common block cipher for TLS?

Answer 29

AES

Question 30

Which ciphers have been discarded by TLS 1.3?

Answer 30

3DES and RC4

Question 31

What can be used instead of encryption and MAC from TLS 1.2?

Answer 31

authenticated encryption algorithm

Question 32

What are the allowed authentication methods in TLS 1.3?

Answer 32

Only AES with either CCM or GCM modes in TLS 1.3

Question 33

Where else is authenticated additional data i.t.o TLS record protocol?

Answer 33

header and implicit record sequence number

Question 34

What are the four purposes of the TLS handshake protocol?

Answer 34

• negotiating the TLS version and cryptographic algorithms to be used
• establishing a shared session key for use in the record protocol
• authenticating the server, and optionally authenticating the client
• completing the session establishment

Question 35

What variations is TLS handshake used with?

Answer 35

1) RSA
2) Diffie-Hellman
3) Pre-shared keys
4) Mutual authentication
5) server-only (unilateral) authentication

Question 36

What is the general idea of phase 1 of the TLS handshake protocol?

Answer 36

initiating the logical connection and establishing its security capabilities

Question 37

What is the general idea of phase 2 and 3 of the TLS handshake protocol?

Answer 37

performing key exchange

–> messages and their contents depend on the handshake variant negotiated in phase 1

Question 38

What is the general idea of phase 4 of the TLS handshake protocol?

Answer 38

completing the setting up of a secure connection

Question 39

What do cipher suites specify i.t.o the TLS handshake protocol?

Answer 39

1) public key algorithm used for key establishment

2) symmetric algorithms used for providing authentication encryption and key computation

Question 40

How many standardised cipher suites are there i.t.o the TLS handshake protocol?

Answer 40

over 300
BUT
many are weak and many have been discarded in TLS 1.3

Question 41

What is the big change in TLS 1.3 i.t.o cipher suites?

Answer 41

All supported cipher suites must be Authenticated Encryption with Associated Data (AEAD)

Question 42

Explain the cipher suite example on slide 21 in set 17

Answer 42

See slide 21 in set 17

Question 43

What are the possible handshake algorithms i.t.o the TLS handshake protocol?

Answer 43

DHE-DSS
DHE-RSA
ECDHE-RSA
ECDHE-ECDSA

Question 44

Describe the algorithm DHE-DSS and which TLS version it can be used in i.t.o the TLS handshake protocol

Answer 44

DHE with Digital Signature Standard

TLS 1.2

Question 45

Describe the algorithm DHE-RSA and which TLS version it can be used in i.t.o the TLS handshake protocol

Answer 45

Ephemeral Diffie-Hellman with RSA signatures

1.2 and 1.3

Question 46

Describe the algorithm ECDHE-RSA and which TLS version it can be used in i.t.o the TLS handshake protocol

Answer 46

Elliptic curve DHE with RSA signatures

1.2 and 1.3

Question 47

Describe the algorithm ECDHE-ECDSA and which TLS version it can be used in i.t.o the TLS handshake protocol

Answer 47

Elliptic curve DHE with elliptic curve Digital Signature Algorithm

1.2 and 1.3

Question 48

What are the possible record algorithms i.t.o the TLS record protocol?

Answer 48

AES-CBC-SHA256
AES-GCM
CHACHA20-POLY1305

Question 49

Describe the algorithm AES-CBC-SHA256 and which TLS version it can be used in i.t.o the TLS record protocol

Answer 49

AES in CBC mode with HMAC from SHA256

1.2

Question 50

Describe the algorithm AES-GCM and which TLS version it can be used in i.t.o the TLS record protocol

Answer 50

AES with GCM mode

1.2 and 1.3

Question 51

Describe the algorithm CHACHA20-POLY1305 and which TLS version it can be used in i.t.o the TLS record protocol

Answer 51

ChaCha stream cipher with Poly1305 MAC

1.2 and 1.3

Question 52

Explain phase 1 of the TLS handshake protocol and give the diagram

Answer 52

client and server negotiate version, cipher suite and compression, and exchange nonces

See slide 24 in set 17 for diagram

Question 53

Explain phase 2 of the TLS handshake protocol and give the diagram

Answer 53

server sends certificate and key exchange message (if needed)

See slide 24 in set 17 for diagram

Question 54

Explain phase 3 of the TLS handshake protocol and give the diagram

Answer 54

client sends certificate and key exchange message

See slide 25 in set 17 for diagram

Question 55

Explain phase 4 of the TLS handshake protocol and give the diagram

Answer 55

client and server start secure communications. Finished messages include a check value (pseudorandom function) of all the previous messages

See slide 25 in set 17 for diagram

Question 56

What are the TLS handshake protocol messages?

Answer 56

1) client hello
2) server hello
3) server key exchange
4) client key exchange
5) change cipher suite

Question 57

Outline the client hello message in the TLS handshake protocol

Answer 57

• Stating the highest TLS version available
• Advertising cipher suites available to the client
• Sending the client’s nonce N_C

Question 58

Outline the server hello message in the TLS handshake protocol

Answer 58

• Returning the selected version and cipher suite

* Sending the server’s nonce N_S

Question 59

Outline the server key exchange message in the TLS handshake protocol

Answer 59

server’s inputs to key exchange

Question 60

Outline the client key exchange message in the TLS handshake protocol

Answer 60

client’s inputs to key exchange

Question 61

Outline the change cipher suite message in the TLS handshake protocol

Answer 61

switching to newly negotiated cipher suite for record layer

Question 62

Outline the server key exchange for the ephemeral Diffie-Hellman handshake variant (TLS handshake protocol)

Answer 62

inputs are the Diffie-Hellman generator and group parameters, along with the server’s ephemeral Diffie-Hellman value, all signed by the server

Question 63

Outline the client key exchange for the ephemeral Diffie-Hellman handshake variant (TLS handshake protocol)

Answer 63

inputs are client’s ephemeral Diffie-Hellman value

–> optionally signed by the client if the client’s certificate is used

Question 64

In terms of the ephemeral Diffie-Hellman TLS handshake protocol variant, what is the pre-master secrete pms?

Answer 64

the shared Diffie-Hellman secrete (from key agreement)

Question 65

In terms of the RSA handshake variant of the TLS handshake protocol, comment on the server key exchange

Answer 65

not required

Question 66

In terms of the RSA handshake variant of the TLS handshake protocol, explain the client key exchange

Answer 66

key transport of pre-master secret pms:

• client randomly selects the pre-master secret pms
• client encrypts pms with the server’s public key and sends the ciphertext to the server
• server decrypts using its secret key to recover pms

Question 67

How is the master secret ms defined i.t.o session key generation for the TLS handshake protocol?

Answer 67

See slide 29 in set 17

Question 68

How is the key material generated i.t.o session key generation for the TLS handshake protocol?

Answer 68

See slide 29 in set 17

Question 69

Explain the session key generation process for the TLS handshake protocol

Answer 69

See slide 29 in set 17

Question 70

What can the key material include i.t.o session key generation and the TLS handshake protocol?

Answer 70

Depending on the agreed cipher suite:
• encryption key
• MAC key
• IV

Question 71

Comment on the pseudorandom function used in the TLS handshake protocol

Answer 71

PRF build from HMAC with a specified hash function

• -> TLS 1.0 and 1.1: based on a combo of MD5 and SHA-1
• -> TLS 1.2: based on SHA-2

Question 72

Explain the pseudorandom function example in TLS 1.2 i.t.o the handshake function on slide 30 in set 17

Answer 72

See slide 30 in set 17

Question 73

What are the other 2 handshake variants for the TLS handshake protocol?

Answer 73

1) Diffie-Hellman

2) Anonymous Diffie-Hellman

Question 74

Outline the Diffie-Hellman variant of the TLS handshake protocol

Answer 74

client and server used static/fixed Diffie-Hellman with certified keys
–> when the client does not have a certification (usual on the Internet), she uses an ephemeral Diffie-Hellman key

Question 75

Outline the anonymous Diffie-Hellman variant of the TLS handshake protocol

Answer 75

the ephemeral Diffie-Hellman keys are not signed at all

–> it only protects against passive eavesdropping

Question 76

Outline the alert protocol of TLS

Answer 76

Handling connection by sending an alert message of various degrees of severity

Question 77

What are types of alerts sent in the alert protocol of TLS?

Answer 77

1) Warning alerts
2) close_notify alerts
3) Fatal alerts

Question 78

What is the consequence of improperly handling alert messages i.t.o TLS’s alert protocol?

Answer 78

truncation attacks

Question 79

Comment on the Diffie-Hellman key exchange achieving forward secrecy i.t.o TLS’s handshake protocol

Answer 79

• Exchange is authenticated using signatures from the long-term keys
• Diffie-Hellman-based cipher suites provide forward secrecy

Question 80

Does RSA-based handshakes offer forward secrecy?

Answer 80

no

Question 81

Does Diffie-Hellman key exchange handshakes offer forward secrecy?

Answer 81

yes

Question 82

Does TLS 1.3 allow static RSA?

Answer 82

no

Question 83

What does TLS assume?

Answer 83

reliable message delivery, provided by TCP.