The transport layer security protocol (TLS) Flashcards
What is TLS?
Cryptographic protocol that provides confidentiality, integrity and authentication for application traffic, using Public Key Infrastructure (PKI) certificates to authenticate the server (and optionally the client)
Runs primarily over TCP
Consists of 3 higher-level protocols layered on top of the record protocol
What is TLS often used for?
To allow browsers to establish secure sessions with web servers
What 3 higher-level protocols does TLS consist of?
TLS handshake protocol to set up the session
TLS alert protocol to signal events such as failures and connection closure
TLS change cipher spec protocol to switch to the newly negotiated cryptographic algorithms and keys
What are the layers of the TLS protocol stack (top to bottom)?
Handshake, change cipher spec, alert, HTTP or another application protocol
TLS record protocol
TCP
IP
What does the TLS alert protocol do?
Signals errors and connection closure by sending alert messages, each carrying a severity level (warning or fatal) and a description code
What are the three types of alerts in the alert protocol?
Warning alerts (the connection may continue)
close_notify alert (usually sent at warning level; announces that the sender will send no more data, and the peer must answer with its own close_notify)
Fatal alerts (the connection is torn down immediately and the session must not be resumed)
What can happen if we have improper handling of alert messages?
Truncation attacks: if a peer treats the end of the TCP stream as the end of the data without having received close_notify, an attacker who closes the TCP connection can silently cut off the tail of a message
What does the change cipher spec protocol do?
Sent by each side after the key exchange part of the handshake to indicate that all following records from that sender are protected with the newly negotiated algorithms and keys
What do TLS ciphersuites specify?
The public key algorithms for key exchange and authentication used in the handshake, and the symmetric encryption and MAC (or AEAD) algorithms used in the record protocol
Describe the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite
Key exchange uses RSA: the client chooses a secret (the pre-master secret) and encrypts it with the server's RSA public key
Triple DES (encrypt-decrypt-encrypt) in CBC mode is used for encryption
SHA-1 is the hash function in the HMAC used for data integrity
What 2 services does the record protocol provide in TLS?
Message confidentiality: Ensure message content cannot be read in transit
Message integrity:Ensure receiver can detect if a message is modified in transit
How does the record protocol provide the 2 services?
A symmetric encryption algorithm and a MAC (or, in TLS 1.2, a single AEAD algorithm that provides both)
Describe the record protocol format
Header: Content type, major version, minor version, length
Plaintext (optionally compressed): encrypted
MAC (not a separate field if AEAD is used): encrypted
What is the Content Type field in the record protocol header?
Identifies the higher-level protocol the fragment belongs to. The defined types are:
- change-cipher-spec
- alert
- handshake
- application data
What is the length field in the record protocol header?
Length in octets of the fragment that follows the header (at most 2^14 bytes of plaintext)
What are the operations of the record protocol (6)?
Fragmentation of the application data
Compression: optionally applied to each fragment
MAC computation over the authenticated data
Encryption of the plaintext: the (compressed) data and the MAC, if present
Session keys for the MAC and encryption algorithms are established by the handshake protocol
Encryption and MAC algorithms are the ones specified in the negotiated ciphersuite
What is fragmentation in the record protocol?
Each application layer message is fragmented into blocks of 2^14 bytes or less
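Added example (not part of the original flashcards): a small parser for the record header and the alert body described in the cards above. It enforces the fragment-length limit from the fragmentation card and includes the close_notify check that defends against truncation attacks. The sample records are constructed for the example and are shown in the clear, as the record layer sees them before protection is applied or after it has been removed.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
                      70: "protocol_version", 80: "internal_error"}
MAX_PLAINTEXT = 2 ** 14                 # fragment limit from the fragmentation card
MAX_CIPHERTEXT = MAX_PLAINTEXT + 2048   # a protected fragment may grow by MAC and padding (RFC 5246 6.2.3)


def parse_records(stream: bytes) -> list:
    """Split a raw byte stream into (content_type, version, fragment) records.
    Raises ValueError for an unknown content type, an oversized record, or a stream cut mid-record."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("stream ends inside a record header")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if length > MAX_CIPHERTEXT:
            raise ValueError("record_overflow")   # a conforming peer answers this with a fatal alert
        fragment = stream[off + 5:off + 5 + length]
        if len(fragment) != length:
            raise ValueError("stream ends inside a record body")
        records.append((CONTENT_TYPES[ctype], (major, minor), fragment))
        off += 5 + length
    return records


def parse_alert(fragment: bytes) -> tuple:
    """An alert body is exactly two bytes: AlertLevel followed by AlertDescription."""
    if len(fragment) != 2:
        raise ValueError("alert fragment must be exactly 2 bytes")
    level, description = fragment
    return (ALERT_LEVELS.get(level, f"level_{level}"),
            ALERT_DESCRIPTIONS.get(description, f"alert_{description}"))


def closed_cleanly(stream: bytes) -> bool:
    """True only if the stream ends with a close_notify alert. A TCP FIN without one is a possible
    truncation attack, so the application must not treat the received data as complete."""
    records = parse_records(stream)
    if not records or records[-1][0] != "alert":
        return False
    return parse_alert(records[-1][2])[1] == "close_notify"


# Constructed sample records (TLS 1.2 version bytes 3,3)
APP_DATA = bytes([23, 3, 3, 0, 5]) + b"hello"       # application_data, length 5
CLOSE_NOTIFY = bytes([21, 3, 3, 0, 2, 1, 0])         # alert: warning, close_notify
FATAL_HANDSHAKE = bytes([21, 3, 3, 0, 2, 2, 40])     # alert: fatal, handshake_failure

if __name__ == "__main__":
    for ctype, version, fragment in parse_records(APP_DATA + CLOSE_NOTIFY):
        print(ctype, version, parse_alert(fragment) if ctype == "alert" else fragment)
    print("clean close:", closed_cleanly(APP_DATA + CLOSE_NOTIFY), closed_cleanly(APP_DATA))
```

The parser deliberately rejects a stream that stops inside a record rather than returning the partial data: in a real implementation that partial record would be a decoding error, and only an explicit close_notify tells the application that the peer meant to stop.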
What is authenticated data in the record protocol?
Consist of the (compressed) data, header, and an implicit record sequence number
What crypto algorithms are used in the record protocol?
MAC: HMAC; SHA-2 hash functions are allowed in TLS 1.2
Encryption: either a block cipher in CBC mode or a stream cipher
AEAD (such as AES-GCM): allowed in TLS 1.2 instead of a separate encryption algorithm and MAC
What is the purpose of the handshake protocol?
Negotiates the TLS version and cryptographic algorithms to be used
Establishes the shared session keys used by the record protocol
Authenticates the server
Authenticates the client (optional)
Completes session establishment
Name 4 variants of the TLS handshake
RSA key transport variant (supported, but not recommended)
Diffie-Hellman variant (ephemeral DH is recommended)
Pre-shared key variant
Each of these with either mutual authentication or server-only authentication
What are the 4 phases of the TLS handshake protocol?
1: Initiates the logical connection and establishes its security capabilities
2 and 3: Perform the key exchange, with messages and message content depending on the handshake variant negotiated in phase 1
4: Completes the setting up of a secure connection
What happens during phase 1 of the TLS handshake?
Client and server negotiate the version, cipher suite and compression method, and exchange nonces
What happens during phase 2 of the TLS handshake?
Server sends its certificate and a key exchange message (if the negotiated variant needs one)
What happens during phase 3 of the TLS handshake?
Client sends its certificate (if requested) and its key exchange message
What happens during phase 4 of the TLS handshake?
Client and server switch to the negotiated keys (change cipher spec), confirm the handshake with Finished messages and start secure communication
How does the RSA-based TLS handshake work?
The simplest variant has server-only authentication, and the server's certificate contains a public key suitable for RSA encryption
On completion of phase 1, assume that RSA-based key exchange has been selected; the messages that follow are described below
What are the 5 main TLS handshake messages?
Client hello
Server hello
Server key exchange
Client key exchange
Change cipher spec
What does the message “Client hello” do in the TLS handshake?
States the highest TLS version the client supports
Advertises ciphersuites available to the client
Sends client nonce Nc
What does the message “Server hello” do in the TLS handshake?
Returns the selected TLS version and ciphersuite
Sends server nonce Ns
What does the message “Server key exchange” do in the TLS handshake?
Server’s input to the key exchange
What does the message “Client key exchange” do in the TLS handshake?
Client’s input to the key exchange
What does the message “Change cipher spec” do in the TLS handshake?
Switch to newly negotiated ciphersuite for record layer
What does the “Server key exchange” message do in the Ephemeral DH handshake variant?
The DH group parameters (prime p and generator g) and the server's ephemeral DH value g^y are sent.
All of these values are signed with the server's long-term (certified) key, so the client knows they came from the server
What does the “Client key exchange” message do in the Ephemeral DH handshake variant?
Sends the client's ephemeral DH value g^x.
The value itself is not signed; if a client certificate is used, the client instead signs the handshake transcript in a separate CertificateVerify message
What is the shared secret in the Ephemeral DH handshake variant?
Pre-master secret (pms) = g^(xy) mod p, which each side computes from its own exponent and the other side's public value
What type of secrecy does the Ephemeral DH handshake variant provide?
Forward secrecy
What TLS variant is recommended today, and why?
The Ephemeral DH handshake variant, because it provides forward secrecy
What does the “Server key exchange” message do in the RSA handshake variant?
The message is not used: the server's certified RSA public key is all the client needs
What does the “Client key exchange” message do in the RSA handshake variant?
Key transport of the pre-master secret pms
The client selects a random pms
The client encrypts the pms with the server's public key and sends the ciphertext to the server
The server decrypts the pms using its private key
Why is the RSA handshake variant not recommended for use in TLS?
It does not provide forward secrecy: anyone who records the traffic and later obtains the server's private key can decrypt the pms, derive the session keys and read every recorded session
How is the master secret defined in TLS?
ms = PRF(pms, “master secret”, Nc || Ns), truncated to 48 bytes
In TLS how is the keying material generated from the master secret?
k = PRF(ms, “key expansion”, Ns || Nc) (note that the nonce order is the reverse of the one used for ms)
In TLS how are independent session keys generated?
They are partitioned from k, with separate keys for each direction.
Each side has a write key (for the data it sends) and a read key (the other side's write key)
Give 3 examples of what keying material may include in TLS (these are dependent on the cipher suite)
Encryption key
MAC key
IV
What is PRF in TLS?
Pseudo random function: expands a secret and a seed into as much keying material as needed
Describe the PRF in TLS
Built from HMAC with a specified hash function, iterated until enough output has been produced.
TLS 1.0 and 1.1 use a combination of MD5 and SHA-1 (the secret is split in two halves and the P_MD5 and P_SHA1 outputs are XORed)
TLS 1.2 uses a single SHA-2 hash in the PRF (SHA-256 unless the ciphersuite specifies a stronger one)
What are the inputs to the PRF function in TLS?
PRF(K, label, r)
K: key (the pms when deriving ms, the ms when deriving the key block)
label: an ASCII string naming the purpose (“master secret” or “key expansion”), so the two derivations cannot collide
r: seed, the concatenation of the two nonces
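Added example, not from the original cards: the ephemeral DH message flow together with the master secret and key block derivation from the cards above, written so that both sides derive the same keys from their own exponent and the other side's public value. The 127-bit DH group, the omission of the signature over the ServerKeyExchange values and of the Finished messages, and the key sizes (those of an HMAC-SHA1, 3DES CBC suite) are assumptions made for illustration; a real handshake uses a 2048-bit or larger group and signs the server's values.

```python
import hmac
import os

# Toy DH group (p = 2^127 - 1, a Mersenne prime, g = 2) so the example runs instantly.
# This is an assumption for illustration only; real deployments use a 2048-bit or larger group.
P = 2 ** 127 - 1
G = 2

KEY_NAMES = ("client_write_MAC_key", "server_write_MAC_key", "client_write_key",
             "server_write_key", "client_write_IV", "server_write_IV")


def prf(secret: bytes, label: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_<hash>(secret, label || seed) truncated to `length` bytes.
    A(0) = label || seed, A(i) = HMAC(secret, A(i-1)), output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) ..."""
    full_seed = label + seed
    out, a = b"", full_seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + full_seed, hash_name).digest()
    return out[:length]


def master_secret(pms: bytes, nc: bytes, ns: bytes) -> bytes:
    # ms = PRF(pms, "master secret", Nc || Ns), always 48 bytes
    return prf(pms, b"master secret", nc + ns, 48)


def session_keys(ms: bytes, nc: bytes, ns: bytes, mac_len: int, key_len: int, iv_len: int) -> dict:
    """k = PRF(ms, "key expansion", Ns || Nc), partitioned in the fixed order of RFC 5246 section 6.3.
    The nonce order here is the reverse of the one used for the master secret."""
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    k = prf(ms, b"key expansion", ns + nc, sum(sizes))
    keys, off = {}, 0
    for name, size in zip(KEY_NAMES, sizes):
        keys[name] = k[off:off + size]
        off += size
    return keys


def dh_private() -> int:
    return int.from_bytes(os.urandom(16), "big") % (P - 2) + 1   # exponent in [1, p-2]


def dh_premaster(peer_public: int, private: int) -> bytes:
    """For DH suites the pms is the shared value g^(xy) mod p as a big-endian byte string
    with leading zero bytes stripped (RFC 5246 section 8.1.2)."""
    z = pow(peer_public, private, P)
    return z.to_bytes((z.bit_length() + 7) // 8, "big")


def ephemeral_dh_handshake(mac_len: int = 20, key_len: int = 24, iv_len: int = 8):
    """The DHE message flow; returns the key sets computed independently by client and server."""
    nc = os.urandom(32)                      # ClientHello: client nonce Nc
    ns = os.urandom(32)                      # ServerHello: server nonce Ns
    y = dh_private()
    ys = pow(G, y, P)                        # ServerKeyExchange: (p, g, g^y), signed by the server in a real handshake
    x = dh_private()
    yc = pow(G, x, P)                        # ClientKeyExchange: g^x
    client = session_keys(master_secret(dh_premaster(ys, x), nc, ns), nc, ns, mac_len, key_len, iv_len)
    server = session_keys(master_secret(dh_premaster(yc, y), nc, ns), nc, ns, mac_len, key_len, iv_len)
    return client, server


if __name__ == "__main__":
    client, server = ephemeral_dh_handshake()
    print("keys agree:", client == server)
    for name, value in client.items():
        print(f"{name:22s} {value.hex()}")
```

Only the public values g^y, g^x and the nonces cross the wire; the private exponents x and y are discarded after the handshake, which is what gives the variant forward secrecy. Swapping the nonce order or the label in either derivation produces different keys, so the two sides must agree on these details exactly.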
When is static DH used in the TLS handshake, and when is ephemeral DH used?
Static DH is used with certified DH keys: the server's (and possibly the client's) certificate contains a long-term DH public key.
If the client has no such certificate, it sends a fresh DH value in its key exchange message even when the server's key is static.
Ephemeral DH (DHE) uses fresh values on both sides for every session, with the server's value signed by its certified key
What is the Anonymous DH variant of the TLS handshake? (DH_anon)
The ephemeral DH values are not signed, so neither side is authenticated.
This only protects against passive eavesdropping; an active man-in-the-middle can substitute its own DH values
What is forward secrecy?
The property that a compromise of long-term keys should not lead to compromise of session keys established before the long-term key compromise took place.
How can forward secrecy be provided in the TLS handshake?
Use DH key exchange with the exchange authenticated using signatures from the long-term keys
What is a limitation of SSL and TLS?
There are multiple ways a man-in-the-middle attacker can attempt to make two entities fall back to the least secure version they both support
This can be done, for example, if the attacker blocks access to the port a secure service runs on, or interferes with the handshake so that the peers retry with an older version or negotiate an unauthenticated connection
What are the 2 main protocols of TLS?
Handshake protocol and Record layer protocol
How does TLS obtain reliable delivery of messages?
It assumes it, and TCP provides it: records must arrive complete and in order
What is the BEAST attack?
Browser Exploit Against SSL/TLS
Exploits the chained (predictable) IVs of CBC mode in SSL 3.0 and TLS 1.0: the IV of each record is the last ciphertext block of the previous record, so an attacker who can inject chosen plaintext knows what it will be XORed with before encryption
Combined with a way to make the browser send chosen plaintext next to a secret (for example from a malicious page), this lets the attacker verify guesses and recover the secret byte by byte
What has been done to prevent the BEAST attack?
TLS 1.1 and later: an explicit, unpredictable IV is sent with every record
Browsers implement 1/n-1 record splitting: the first byte of each write is sent as its own record, so its ciphertext (unpredictable, because that record also carries a MAC) becomes the effective IV for the remainder
What are the CRIME and BREACH attacks based on?
Compression: different inputs compress by different amounts, so the length of the compressed (and therefore encrypted) data leaks information about its content
What is the CRIME attack?
Compression Ratio Info-leak Made Easy
Exploits TLS-level compression: the attacker makes the victim's browser send requests containing guesses and watches the request length to recover a secret such as a cookie byte by byte
What is the BREACH attack?
Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
Exploits HTTP-level compression of responses that reflect attacker-controlled input next to a secret
How can you protect against the CRIME and BREACH attacks?
Turn off compression in TLS (CRIME)
Switching it off in HTTP results in a big performance penalty, so BREACH is instead mitigated by keeping secrets out of compressed responses that echo user input, or by randomising the secret per request
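Added example, not part of the original cards: a simulation of the byte-by-byte recovery that CRIME and BREACH rely on, using zlib as the compressor on a constructed HTTP request with a constructed secret cookie. The attacker sees only the compressed length. The alignment trick in score() is the part real attacks also need, because a saving of a few bits is hidden by the byte-aligned output.

```python
import zlib

# Constructed demo: the attacker controls part of the request (the query string, for example
# through a link the victim clicks) and the browser attaches the secret cookie to every request.
SECRET = b"x7Qk2mZ9"
ALPHABET = b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def build_request(attacker_controlled: bytes) -> bytes:
    return (b"GET /search?q=" + attacker_controlled + b" HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Cookie: session=" + SECRET + b"\r\n\r\n")


def compressed_size(data: bytes) -> int:
    # Fixed-Huffman DEFLATE (Z_FIXED) gives every literal and length code a constant bit cost,
    # so extending the back-reference by one byte always saves the same 7 or 8 bits.
    c = zlib.compressobj(9, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(c.compress(data) + c.flush())


def observed_length(attacker_controlled: bytes) -> int:
    # All the attacker sees is the record length. With a stream cipher or AEAD the encrypted
    # length is the compressed length plus a constant, so it carries the same information.
    return compressed_size(build_request(attacker_controlled))


def score(probe: bytes) -> int:
    # DEFLATE output is byte aligned, so a 7- or 8-bit saving can hide behind the final padding.
    # Appending k distinct high bytes (9-bit literals that match nothing) shifts the alignment by
    # k bits; summing over all 8 alignments makes the correct guess strictly smaller than any wrong one.
    return sum(observed_length(probe + bytes(0x90 + i for i in range(k))) for k in range(8))


def recover_cookie(length: int = len(SECRET)) -> bytes:
    """Byte-by-byte recovery: inject the known prefix plus one guess, keep the guess that compresses best."""
    known = b""
    for _ in range(length):
        scores = {g: score(b"session=" + known + bytes([g])) for g in ALPHABET}
        known += bytes([min(scores, key=scores.get)])
    return known


if __name__ == "__main__":
    print(recover_cookie())
```

The injected guess sits in the URL and the secret in the Cookie header; when the guess extends the match between the two, DEFLATE emits one literal fewer and the request shrinks. Nothing in the loop needs the key or the plaintext, only the length of each request the victim's browser sends.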
What is a padding oracle?
A source of information about whether or not a decrypted message was correctly padded (a distinct error message or alert, or a timing difference)
How can the padding oracle attack be mitigated?
Using a uniform error response (and uniform processing time) that does not give any information about whether or not the message was correctly padded.
This way, an attacker cannot distinguish between padding and MAC errors.
What is the POODLE attack?
Padding Oracle On Downgraded Legacy Encryption
Forces a downgrade to SSL 3.0, whose CBC padding check only looks at the last byte, and then runs a padding oracle attack
What is the Heartbleed bug?
Implementation error in OpenSSL (disclosed in 2014)
Based on a missing bounds check on the payload length in heartbeat messages.
Allows an attacker to read up to 64 KB of the peer's memory per heartbeat request, which may contain private keys, session keys and user data
What did the man-in-the-middle attacks on TLS do?
Rely on issuing a new certificate for the target site and installing the attacker's root certificate in the browser's trust store, so that the forged certificate is accepted and the attacker can terminate and re-originate the TLS connection
What is the TLS timing (padding) oracle attack?
There is a subtle timing bug in the way that TLS data decryption works when using the standard CBC mode ciphersuites.
TLS first applies a MAC to the plaintext, then adds padding bytes to bring the record length to a whole number of cipher blocks. Then, the record is CBC-encrypted.
The important part is that the padding is not protected by the MAC.
Record structure:
Header - DATA - MAC - Padding
Because of this, the attacker can tamper with the padding by flipping specific bits in the ciphertext, leading to a padding oracle attack.
The attacker can re-transmit the modified record to the server. If the attacker learns whether the changes left the padding valid, this information can be used to decrypt the whole record, one byte at a time.
Researchers showed that a timing attack could be run even when the error messages were uniform. This was caused by the decryption taking a different amount of time when the padding was correct or not: the implementation first checked the padding and returned immediately if it was incorrect, without checking the MAC, so the skipped MAC computation was observable as a faster response.
Should you encrypt a message and then apply the MAC, or apply the MAC and then encrypt the message?
Encrypt, then apply the MAC to the resulting ciphertext (encrypt-then-MAC): the receiver verifies the MAC before decrypting and never decrypts a tampered record, so there is no padding result to leak. TLS's original MAC-then-encrypt order is what makes the padding oracle attacks possible; RFC 7366 adds an extension that switches TLS to encrypt-then-MAC
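Added example (not from the original cards): a MAC-then-pad-then-encrypt record layer in the style of the CBC ciphersuites, a receiving side that either leaks the padding result through distinct errors or returns the uniform bad_record_mac from the mitigation card, and the byte-by-byte padding oracle attack run against both. The 16-byte Feistel block cipher, the demo keys and the message are constructed for the example; the cipher only stands in for 3DES/AES so that the code runs offline, and the MAC covers only the data rather than the full sequence number and header.

```python
import hmac
import os

BLOCK = 16
MAC_LEN = 20                       # HMAC-SHA1, as in the *_CBC_SHA ciphersuites
PADDING_ERROR, MAC_ERROR, OK = "decryption_failed", "bad_record_mac", "ok"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 16-byte block cipher: a 4-round Feistel network with an HMAC-SHA256 round function.
# It stands in for 3DES/AES only so the example runs offline; it is not a real cipher.
def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, "sha256").digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return iv + out                  # explicit IV in front of the ciphertext, as in TLS 1.1+


def cbc_decrypt(key, ciphertext):
    out = b""
    for i in range(BLOCK, len(ciphertext), BLOCK):
        out += _xor(block_decrypt(key, ciphertext[i:i + BLOCK]), ciphertext[i - BLOCK:i])
    return out


def tls_encrypt(key, mac_key, data):
    """Record order from the card: DATA || MAC || padding, then CBC. The padding is padlen + 1 bytes
    that all equal padlen, and it is not covered by the MAC."""
    mac = hmac.new(mac_key, data, "sha1").digest()
    padlen = BLOCK - 1 - (len(data) + MAC_LEN) % BLOCK
    return cbc_encrypt(key, os.urandom(BLOCK), data + mac + bytes([padlen]) * (padlen + 1))


def make_server(key, mac_key, uniform_errors):
    """Returns the receiving side. uniform_errors=False reproduces the padding-oracle flaw."""
    def process(record):
        if len(record) < 2 * BLOCK or len(record) % BLOCK:
            return MAC_ERROR
        pt = cbc_decrypt(key, record)
        padlen = pt[-1]
        pad_ok = padlen + 1 <= len(pt) and pt.endswith(bytes([padlen]) * (padlen + 1))
        if not pad_ok:
            if not uniform_errors:
                return PADDING_ERROR     # leak: the attacker learns that the padding was wrong
            padlen = 0                   # mitigation: treat as zero-length padding and still check the MAC
        body = pt[:len(pt) - padlen - 1]
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        if len(body) < MAC_LEN or not hmac.compare_digest(hmac.new(mac_key, data, "sha1").digest(), mac):
            return MAC_ERROR
        return OK
    return process


def recover_block(oracle, prev, target):
    """Decrypt one ciphertext block using only the oracle. prev is the block preceding it (the IV for
    the first block). Returns the plaintext, or None when the oracle does not distinguish padding errors."""
    dec = bytearray(BLOCK)               # block_decrypt(key, target), learned right to left
    for j in range(BLOCK - 1, -1, -1):
        n = BLOCK - 1 - j                # padding_length that makes bytes j..15 a valid padding
        hits = []
        for g in range(256):
            forged = bytearray(BLOCK)
            for k in range(j + 1, BLOCK):
                forged[k] = dec[k] ^ n   # make the already-known bytes decrypt to n
            forged[j] = g
            if oracle(bytes(forged) + target) == PADDING_ERROR:
                continue
            if j == BLOCK - 1:           # rule out an accidental longer padding such as 01 01
                alt = bytearray(forged)
                alt[j - 1] ^= 0xFF
                if oracle(bytes(alt) + target) == PADDING_ERROR:
                    continue
            hits.append(g)
        if len(hits) != 1:               # a working oracle accepts exactly one value per position
            return None
        dec[j] = hits[0] ^ n
    return _xor(dec, prev)


# Constructed demo keys and message (not real credentials)
KEY, MAC_KEY = b"k" * 16, b"m" * 20
MESSAGE = b"GET /account HTTP/1.1\r\nCookie: session=7f3a9c1e\r\n\r\n"


def attack_demo(uniform_errors):
    """Encrypt MESSAGE, then recover its second plaintext block from the ciphertext alone."""
    record = tls_encrypt(KEY, MAC_KEY, MESSAGE)
    server = make_server(KEY, MAC_KEY, uniform_errors)
    return recover_block(server, record[BLOCK:2 * BLOCK], record[2 * BLOCK:3 * BLOCK])


if __name__ == "__main__":
    print(attack_demo(uniform_errors=False))   # leaking server: the plaintext block is recovered
    print(attack_demo(uniform_errors=True))    # uniform errors: None
```

The attack never needs the key: each accepted forgery reveals one byte of the block cipher's output for the target block, and XORing that with the preceding ciphertext block gives the plaintext. With uniform errors every guess looks the same, so the loop gives up; in practice the timing difference described above would have to be closed as well, which is why TLS 1.2 implementations compute the MAC even when the padding is wrong.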
Why is backward compatibility a problem in TLS?
Allows for downgrade attacks: an attacker who disrupts the handshake can make the peers retry with an older, weaker version (as in POODLE)