Lecture 17: Transport Layer Security Protocol Part 1 Flashcards
Briefly outline the history of TLS
- TLS 1.0 –> 1999
- TLS 1.1 –> 2006, fixing problems with non-random IVs and exploitation of padding error messages
- TLS 1.2 –> 2008, allowing the use of standard authenticated encryption rather than separating encryption and MAC
- TLS 1.3 –> 2018, separating key agreement and authentication algorithms for cipher suites
What is TLS?
- cryptographic services protocol based upon PKI and commonly used on the Internet
- often used to allow browsers to establish secure sessions with Web servers
What does TLS primarily run over?
TCP
Variant DTLS runs over datagram protocols
What was TLS designed for?
To secure reliable end-to-end services over TCP
What are the three higher level TLS protocols?
1) TLS handshake protocol
2) TLS alert protocol
3) TLS change cipher spec protocol
What is the general idea of the TLS handshake protocol?
to set up sessions
What is the general idea of the TLS alert protocol?
to signal events, such as failures
What is the general idea of the TLS change cipher spec protocol?
to change the cryptographic algorithms
What does TLS record protocol provide?
basic services to various higher level protocols
Give the protocol stack of TLS
See slide 8 in set 17
What are the two TLS connection services?
1) message confidentiality –> ensuring that the message contents cannot be read in transit
2) message integrity –> ensuring that the receiver can detect if a message is modified in transmission
What are the TLS connection services possibly provided by?
symmetric encryption alg and a MAC
From TLS 1.2, what are the connection services provided with?
authenticated encryption modes (CCM, GCM)
What type of keys does the TLS handshake protocol establish?
symmetric session keys
Give the format of a TLS record used in the record protocol
See slide 11 in set 17
What can the content type in the header of a TLS record i.t.o the TLS record protocol be?
1) change-cipher-spec
2) alert
3) handshake
4) application-data
What are possible protocol versions in the header of a TLS record i.t.o the TLS record protocol?
- major version: 3 for TLS
- minor version:
- 1 for TLS 1.0
- 2 for TLS 1.1
- 3 for TLS 1.2
- 4 for TLS 1.3
What does the length field in the header of a TLS record contain?
length of the data, in octets
What is the fragmentation operation of the TLS record protocol?
each application layer message is fragmented into blocks of 2^14 bytes or less
Comment on the compression operation of the TLS record protocol
- default compression algorithm is null for TLS 1.2 (thus optionally applied)
- removed in TLS 1.3
Comment on the authenticated data of the TLS record protocol
consisting of the (compressed) data, header and an implicit record sequence number
Comment on the plaintext of the TLS record protocol
compressed data and MAC (if present)
Comment on the session keys of the TLS record protocol
computed during handshake protocol, for either MAC and encryption algorithms, or authenticated encryption algorithm
Comment on the specification of the TLS record protocol
encryption and MAC algorithms are specified in the negotiated cipher suite
What type of MAC is used in all TLS versions?
HMAC, using a negotiated hash function
What versions of TLS allow SHA-2?
only from TLS 1.2
Which hash functions have been discarded from TLS 1.3?
MD5 and SHA-1
Comment on the encryption algorithm used in TLS
Either a negotiated block cipher in CBC mode or a stream cipher
For block ciphers, padding is applied after the MAC to make the length a multiple of the cipher block size
What is the most common block cipher for TLS?
AES
Which ciphers have been discarded by TLS 1.3?
3DES and RC4
What can be used instead of encryption and MAC from TLS 1.2?
authenticated encryption algorithm
What are the allowed authentication methods in TLS 1.3?
Only AES with either CCM or GCM modes in TLS 1.3
What is the additional authenticated data i.t.o the TLS record protocol?
header and implicit record sequence number
What are the four purposes of the TLS handshake protocol?
- negotiating the TLS version and cryptographic algorithms to be used
- establishing a shared session key for use in the record protocol
- authenticating the server, and optionally authenticating the client
- completing the session establishment
What variations is the TLS handshake used with?
1) RSA
2) Diffie-Hellman
3) Pre-shared keys
4) Mutual authentication
5) server-only (unilateral) authentication
What is the general idea of phase 1 of the TLS handshake protocol?
initiating the logical connection and establishing its security capabilities
What is the general idea of phase 2 and 3 of the TLS handshake protocol?
performing key exchange
–> messages and their contents depend on the handshake variant negotiated in phase 1
What is the general idea of phase 4 of the TLS handshake protocol?
completing the setting up of a secure connection
What do cipher suites specify i.t.o the TLS handshake protocol?
1) public key algorithm used for key establishment
2) symmetric algorithms used for providing authenticated encryption and key computation
How many standardised cipher suites are there i.t.o the TLS handshake protocol?
over 300
BUT
many are weak and many have been discarded in TLS 1.3
What is the big change in TLS 1.3 i.t.o cipher suites?
All supported cipher suites must be Authenticated Encryption with Associated Data (AEAD)
Explain the cipher suite example on slide 21 in set 17
See slide 21 in set 17
What are the possible handshake algorithms i.t.o the TLS handshake protocol?
DHE-DSS
DHE-RSA
ECDHE-RSA
ECDHE-ECDSA
Describe the algorithm DHE-DSS and which TLS version it can be used in i.t.o the TLS handshake protocol
DHE with Digital Signature Standard
TLS 1.2
Describe the algorithm DHE-RSA and which TLS version it can be used in i.t.o the TLS handshake protocol
Ephemeral Diffie-Hellman with RSA signatures
1.2 and 1.3
Describe the algorithm ECDHE-RSA and which TLS version it can be used in i.t.o the TLS handshake protocol
Elliptic curve DHE with RSA signatures
1.2 and 1.3
Describe the algorithm ECDHE-ECDSA and which TLS version it can be used in i.t.o the TLS handshake protocol
Elliptic curve DHE with elliptic curve Digital Signature Algorithm
1.2 and 1.3
What are the possible record algorithms i.t.o the TLS record protocol?
AES-CBC-SHA256
AES-GCM
CHACHA20-POLY1305
Describe the algorithm AES-CBC-SHA256 and which TLS version it can be used in i.t.o the TLS record protocol
AES in CBC mode with HMAC from SHA256
1.2
Describe the algorithm AES-GCM and which TLS version it can be used in i.t.o the TLS record protocol
AES with GCM mode
1.2 and 1.3
Describe the algorithm CHACHA20-POLY1305 and which TLS version it can be used in i.t.o the TLS record protocol
ChaCha stream cipher with Poly1305 MAC
1.2 and 1.3
Explain phase 1 of the TLS handshake protocol and give the diagram
client and server negotiate version, cipher suite and compression, and exchange nonces
See slide 24 in set 17 for diagram
Explain phase 2 of the TLS handshake protocol and give the diagram
server sends certificate and key exchange message (if needed)
See slide 24 in set 17 for diagram
Explain phase 3 of the TLS handshake protocol and give the diagram
client sends certificate and key exchange message
See slide 25 in set 17 for diagram
Explain phase 4 of the TLS handshake protocol and give the diagram
client and server start secure communications. Finished messages include a check value (pseudorandom function) of all the previous messages
See slide 25 in set 17 for diagram
What are the TLS handshake protocol messages?
1) client hello
2) server hello
3) server key exchange
4) client key exchange
5) change cipher suite
Outline the client hello message in the TLS handshake protocol
- Stating the highest TLS version available
- Advertising cipher suites available to the client
- Sending the client’s nonce N_C
Outline the server hello message in the TLS handshake protocol
- Returning the selected version and cipher suite
- Sending the server’s nonce N_S
Outline the server key exchange message in the TLS handshake protocol
server’s inputs to key exchange
Outline the client key exchange message in the TLS handshake protocol
client’s inputs to key exchange
Outline the change cipher suite message in the TLS handshake protocol
switching to newly negotiated cipher suite for record layer
Outline the server key exchange for the ephemeral Diffie-Hellman handshake variant (TLS handshake protocol)
inputs are the Diffie-Hellman generator and group parameters, along with the server’s ephemeral Diffie-Hellman value, all signed by the server
Outline the client key exchange for the ephemeral Diffie-Hellman handshake variant (TLS handshake protocol)
inputs are client’s ephemeral Diffie-Hellman value
–> optionally signed by the client if the client’s certificate is used
In terms of the ephemeral Diffie-Hellman TLS handshake protocol variant, what is the pre-master secret pms?
the shared Diffie-Hellman secret (from key agreement)
In terms of the RSA handshake variant of the TLS handshake protocol, comment on the server key exchange
not required
In terms of the RSA handshake variant of the TLS handshake protocol, explain the client key exchange
key transport of pre-master secret pms:
- client randomly selects the pre-master secret pms
- client encrypts pms with the server’s public key and sends the ciphertext to the server
- server decrypts using its secret key to recover pms
How is the master secret ms defined i.t.o session key generation for the TLS handshake protocol?
See slide 29 in set 17
How is the key material generated i.t.o session key generation for the TLS handshake protocol?
See slide 29 in set 17
Explain the session key generation process for the TLS handshake protocol
See slide 29 in set 17
What can the key material include i.t.o session key generation and the TLS handshake protocol?
Depending on the agreed cipher suite:
• encryption key
• MAC key
• IV
Comment on the pseudorandom function used in the TLS handshake protocol
PRF built from HMAC with a specified hash function
–> TLS 1.0 and 1.1: based on a combination of MD5 and SHA-1
–> TLS 1.2: based on SHA-2
Explain the pseudorandom function example in TLS 1.2 i.t.o the handshake function on slide 30 in set 17
See slide 30 in set 17
What are the other 2 handshake variants for the TLS handshake protocol?
1) Diffie-Hellman
2) Anonymous Diffie-Hellman
Outline the Diffie-Hellman variant of the TLS handshake protocol
client and server use static/fixed Diffie-Hellman with certified keys
–> when the client does not have a certificate (usual on the Internet), she uses an ephemeral Diffie-Hellman key
Outline the anonymous Diffie-Hellman variant of the TLS handshake protocol
the ephemeral Diffie-Hellman keys are not signed at all
–> it only protects against passive eavesdropping
Outline the alert protocol of TLS
Handling the connection by sending alert messages of various degrees of severity
What are types of alerts sent in the alert protocol of TLS?
1) Warning alerts
2) close_notify alerts
3) Fatal alerts
What is the consequence of improperly handling alert messages i.t.o TLS’s alert protocol?
truncation attacks
Comment on the Diffie-Hellman key exchange achieving forward secrecy i.t.o TLS’s handshake protocol
- Exchange is authenticated using signatures from the long-term keys
- Diffie-Hellman-based cipher suites provide forward secrecy
Do RSA-based handshakes offer forward secrecy?
no
Do Diffie-Hellman key exchange handshakes offer forward secrecy?
yes
Does TLS 1.3 allow static RSA?
no
What does TLS assume?
reliable message delivery, provided by TCP.