Sessions and connections
– an SSL session is an association between a client and a server
– sessions are stateful; the session state includes security algorithms and parameters
– a session may include multiple secure connections between the same client and server
– connections of the same session share the session state
– sessions are used to avoid expensive negotiation of new security parameters for each connection
– there may be multiple simultaneous sessions between the same two parties, but this feature is not used in practice
Session and connection states
session state
– session identifier
  • arbitrary byte sequence chosen by the server to identify the session
– peer certificate
  • X.509 certificate of the peer
  • may be null
– compression method
– cipher spec
  • bulk data encryption algorithm (e.g., null, DES, 3DES, …)
  • MAC algorithm (e.g., MD5, SHA-1)
  • cryptographic attributes (e.g., hash size, IV size, …)
– master secret
  • 48-byte secret shared between the client and the server
– is resumable
  • a flag indicating whether the session can be used to initiate new connections
– connection states
Session and connection states cont’d
connection state
– server and client random
  • random byte sequences chosen by the server and the client for every connection
– server write MAC secret
  • secret key used in MAC operations on data sent by the server
– client write MAC secret
  • secret key used in MAC operations on data sent by the client
– server write key
  • secret encryption key for data encrypted by the server
– client write key
  • secret encryption key for data encrypted by the client
– initialization vectors
  • an IV is maintained for each encryption key if CBC mode is used
  • initialized by the SSL Handshake Protocol
  • final ciphertext block from each record is used as IV with the following record
– sending and receiving sequence numbers
  • sequence numbers are 64 bits long
  • reset to zero after each Change Cipher Spec message
State changes
operating state
– currently used state
pending state
– state to be used
– built using the current state
operating state ← pending state
– at the transmission and reception of a Change Cipher Spec message
[Figure: party A (client or server) sends a Change Cipher Spec message to party B (server or client). At the sender, the sending part of the pending state is copied into the sending part of the operating state; at the receiver, the receiving part of the pending state is copied into the receiving part of the operating state.]
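A small model of the operating/pending state change described above, with the sequence-number reset from the previous slide. This is an added example, not code from the lecture; the HalfState fields and the class names are my own, and the "null" initial cipher stands for the state in force before the first Change Cipher Spec.

```python
"""Model of SSL 3.0 operating vs. pending connection state (added example, not from the slides)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class HalfState:
    """One direction of a connection state: the 'sending' or the 'receiving' part."""
    cipher: str = "null"          # bulk cipher, e.g. "3DES_168"; "null" before the first CCS
    mac_alg: str = "null"         # MAC hash, e.g. "SHA-1"
    write_key: bytes = b""        # encryption key for this direction
    mac_secret: bytes = b""       # MAC secret for this direction
    iv: bytes = b""               # CBC chaining value, if a block cipher is used
    seq_num: int = 0              # 64-bit record sequence number


class ConnectionState:
    """Operating (current) halves plus the pending halves built during the handshake.

    Each half becomes operational only when the matching Change Cipher Spec message
    is sent (sending part) or received (receiving part); the other half is untouched.
    """
    SEQ_MASK = (1 << 64) - 1

    def __init__(self) -> None:
        self.current_write = HalfState()               # operating state, sending part
        self.current_read = HalfState()                # operating state, receiving part
        self.pending_write: Optional[HalfState] = None
        self.pending_read: Optional[HalfState] = None

    def prepare_pending(self, write: HalfState, read: HalfState) -> None:
        """Handshake has negotiated the parameters: install them as the pending state."""
        self.pending_write = write
        self.pending_read = read

    def send_change_cipher_spec(self) -> None:
        if self.pending_write is None:
            raise RuntimeError("no pending state: handshake not complete")
        # sending part of pending -> sending part of operating; seq_num restarts at 0
        self.current_write = replace(self.pending_write, seq_num=0)
        self.pending_write = None

    def receive_change_cipher_spec(self) -> None:
        if self.pending_read is None:
            raise RuntimeError("unexpected change_cipher_spec: no pending state")
        self.current_read = replace(self.pending_read, seq_num=0)
        self.pending_read = None

    def next_send_seq(self) -> int:
        """Sequence number to put in the MAC of the next outgoing record."""
        n = self.current_write.seq_num
        self.current_write.seq_num = (n + 1) & self.SEQ_MASK
        return n


def walk_through() -> dict:
    """Client side of a handshake: two records under the null state, then CCS in both directions."""
    client = ConnectionState()
    client.next_send_seq()
    client.next_send_seq()                            # seq_num is now 2 under the old state
    # constructed sample keys; a real implementation derives them from the master secret
    negotiated_write = HalfState("3DES_168", "SHA-1", b"k" * 24, b"m" * 20, b"i" * 8)
    negotiated_read = HalfState("3DES_168", "SHA-1", b"K" * 24, b"M" * 20, b"I" * 8)
    client.prepare_pending(negotiated_write, negotiated_read)
    client.send_change_cipher_spec()
    after_send = (client.current_write.cipher, client.current_write.seq_num,
                  client.current_read.cipher)        # read side still under the old state
    client.receive_change_cipher_spec()
    after_recv = (client.current_read.cipher, client.current_read.seq_num)
    return {"after_send": after_send, "after_recv": after_recv}


if __name__ == "__main__":
    print(walk_through())
```

The point of keeping the two halves separate is visible in `after_send`: between sending its own Change Cipher Spec and receiving the peer's, a party encrypts outgoing records under the new keys while still reading incoming ones under the old keys.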
SSL Record Protocol – processing overview
[Figure: application data → fragmentation → SSLPlaintext (type, version, length, fragment) → compression → SSLCompressed (type, version, length, fragment) → message authentication and encryption (with padding if necessary) → SSLCiphertext (type, version, length, encrypted fragment with MAC and padding).]
SSL Record Protocol
Header
type
– the higher level protocol used to process the enclosed fragment
– possible types:
  • change_cipher_spec
  • alert
  • handshake
  • application_data
version
– SSL version, currently 3.0
length
– length (in bytes) of the enclosed fragment or compressed fragment
– max value is 2^14 + 2048
MAC
MAC = hash( MAC_write_secret | pad_2 | hash( MAC_write_secret | pad_1 | seq_num | type | length | fragment ) )
similar to HMAC but the pads are concatenated
supported hash functions:
– MD5
– SHA-1
pad_1 is 0x36 repeated 48 times (MD5) or 40 times (SHA-1)
pad_2 is 0x5C repeated 48 times (MD5) or 40 times (SHA-1)
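The MAC formula above, carried out in code. This is an added example rather than code from the lecture: the function names are mine, the sequence number is encoded as 8 big-endian bytes and the length as 2 bytes (the SSL 3.0 wire sizes), and the type byte value 23 for application_data is taken from the SSL 3.0 specification, not from the slide.

```python
"""SSL 3.0 record MAC, computed as on the slide (added example, not from the lecture)."""
import hashlib
import hmac
import struct

# pad lengths as given on the slide: 48 bytes for MD5, 40 bytes for SHA-1
PAD_LEN = {"md5": 48, "sha1": 40}
PAD_1_BYTE = b"\x36"
PAD_2_BYTE = b"\x5c"


def ssl3_mac(mac_write_secret: bytes, seq_num: int, content_type: int,
             fragment: bytes, hash_name: str = "sha1") -> bytes:
    """hash(secret | pad_2 | hash(secret | pad_1 | seq_num | type | length | fragment)).

    seq_num is the 64-bit record sequence number (big-endian), content_type the
    record-header type byte (23 = application_data in SSL 3.0), length the 16-bit
    length of the (compressed) fragment. Unlike HMAC, secret and pad are simply
    concatenated rather than XORed.
    """
    if hash_name not in PAD_LEN:
        raise ValueError(f"unsupported hash: {hash_name}")
    if not 0 <= seq_num < 2 ** 64:
        raise ValueError("sequence number must fit in 64 bits")
    pad_1 = PAD_1_BYTE * PAD_LEN[hash_name]
    pad_2 = PAD_2_BYTE * PAD_LEN[hash_name]
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, mac_write_secret + pad_1 + header + fragment).digest()
    return hashlib.new(hash_name, mac_write_secret + pad_2 + inner).digest()


def verify_record_mac(mac_write_secret: bytes, seq_num: int, content_type: int,
                      fragment: bytes, received_mac: bytes, hash_name: str = "sha1") -> bool:
    """Recompute and compare in constant time, so a mismatch does not leak which byte differed."""
    expected = ssl3_mac(mac_write_secret, seq_num, content_type, fragment, hash_name)
    return hmac.compare_digest(expected, received_mac)


def demo() -> tuple:
    """MAC one constructed application_data fragment, verify it, then try it under the wrong seq_num."""
    secret = bytes(range(20))                    # constructed sample MAC_write_secret (SHA-1: 20 bytes)
    fragment = b"GET / HTTP/1.0\r\n"
    tag = ssl3_mac(secret, 0, 23, fragment)
    ok = verify_record_mac(secret, 0, 23, fragment, tag)
    replayed = verify_record_mac(secret, 1, 23, fragment, tag)   # same record, next seq_num
    return len(tag), ok, replayed


if __name__ == "__main__":
    print(demo())
```

Because the sequence number is inside the inner hash, a record captured on one connection cannot be accepted a second time or reordered: `replayed` is False even though secret, type and fragment are unchanged.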
Encryption
supported algorithms
– block ciphers (in CBC mode)
  • RC2_40
  • DES_40
  • DES_56
  • 3DES_168
  • IDEA_128
  • Fortezza_80
– stream ciphers
  • RC4_40
  • RC4_128
if a block cipher is used, then padding is applied
– last byte of the padding is the padding length
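Receive-side handling of the record header (type, version, length with its 2^14 + 2048 bound, from the Header slide) and of the block-cipher padding whose last byte is the padding length. This is an added example and not the lecture's code; the numeric content-type codes 20 to 23 and the rule that the padding length must be smaller than the cipher block size come from the SSL 3.0 specification, and the function names are mine.

```python
"""SSL 3.0 record header parsing and block-cipher padding (added example, not from the slides)."""
import struct
from dataclasses import dataclass
from typing import Tuple

HEADER_LEN = 5
MAX_CIPHERTEXT_LEN = 2 ** 14 + 2048          # max value of the length field, as on the slide
# numeric type codes from the SSL 3.0 specification; the slide gives only the names
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


@dataclass
class RecordHeader:
    content_type: int
    version: Tuple[int, int]
    length: int

    @property
    def type_name(self) -> str:
        return CONTENT_TYPES[self.content_type]


def parse_record(data: bytes) -> Tuple[RecordHeader, bytes, bytes]:
    """Split one record off the front of a byte stream: (header, fragment, remaining bytes).

    Every header field is validated before any fragment byte is used, so a bogus
    length can neither over-read the buffer nor claim more than the protocol allows.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("truncated record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:HEADER_LEN])
    if content_type not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {content_type}")
    if (major, minor) != (3, 0):
        raise ValueError(f"unsupported version {major}.{minor}")
    if length > MAX_CIPHERTEXT_LEN:
        raise ValueError(f"length {length} exceeds 2^14 + 2048")
    end = HEADER_LEN + length
    if len(data) < end:
        raise ValueError("truncated record fragment")
    return RecordHeader(content_type, (major, minor), length), data[HEADER_LEN:end], data[end:]


def add_block_padding(data: bytes, block_size: int) -> bytes:
    """Pad to a multiple of block_size; the last byte holds the padding length."""
    pad_len = (-(len(data) + 1)) % block_size
    return data + bytes(pad_len) + bytes([pad_len])


def strip_block_padding(plaintext: bytes, block_size: int) -> bytes:
    """Undo add_block_padding after CBC decryption.

    The slide defines only the final length byte, so that is all that can be checked:
    it must be smaller than the block size (SSL 3.0 specification) and the data must
    be a whole number of blocks, which together guarantee the length fits.
    """
    if not plaintext or len(plaintext) % block_size:
        raise ValueError("decrypted data is not a whole number of blocks")
    pad_len = plaintext[-1]
    if pad_len >= block_size:
        raise ValueError("padding length must be less than the block size")
    return plaintext[: len(plaintext) - pad_len - 1]


def raises(fn, *args) -> bool:
    """Helper for the checks below: True if fn(*args) raises ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # constructed sample: application_data record, version 3.0, 5-byte fragment, trailing bytes
    hdr, frag, rest = parse_record(b"\x17\x03\x00\x00\x05hello" + b"rest")
    print(hdr.type_name, hdr.version, hdr.length, frag, rest)
    print(strip_block_padding(add_block_padding(b"abc", 8), 8))
```

After `strip_block_padding` the remaining bytes are the compressed fragment followed by the MAC; the MAC is checked over the fragment before the record is passed to the higher-level protocol named in the header.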
SSL Alert Protocol
each alert message consists of 2 fields (bytes)
first field (byte): “warning” or “fatal”
second field (byte):
– fatal
  • unexpected_message
  • bad_record_MAC
  • decompression_failure
  • handshake_failure
  • illegal_parameter
– warning
  • close_notify
  • no_certificate
  • bad_certificate
  • unsupported_certificate
  • certificate_revoked
  • certificate_expired
  • certificate_unknown
in case of a fatal alert
– connection is terminated
– session ID is invalidated; no new connection can be established within this session
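How a receiver acts on a two-byte alert, tying the fatal/warning split to the session's "is resumable" flag from the session-state slide. This is an added example, not the lecture's code; the numeric level and description codes come from the SSL 3.0 specification (the slide lists only the names), the behaviour that close_notify ends the connection but leaves the session resumable is also from the specification, and the session-cache structure and function names are my own.

```python
"""SSL 3.0 alert handling and its effect on connection and session (added example, not from the slides)."""
import enum
from dataclasses import dataclass
from typing import Dict


class AlertLevel(enum.IntEnum):
    WARNING = 1
    FATAL = 2


class AlertDescription(enum.IntEnum):
    # numeric codes from the SSL 3.0 specification; the slide gives only the names
    close_notify = 0
    unexpected_message = 10
    bad_record_mac = 20
    decompression_failure = 30
    handshake_failure = 40
    no_certificate = 41
    bad_certificate = 42
    unsupported_certificate = 43
    certificate_revoked = 44
    certificate_expired = 45
    certificate_unknown = 46
    illegal_parameter = 47


# descriptions the slide classifies as fatal: treated as fatal whatever level byte the peer sent
ALWAYS_FATAL = {AlertDescription.unexpected_message, AlertDescription.bad_record_mac,
                AlertDescription.decompression_failure, AlertDescription.handshake_failure,
                AlertDescription.illegal_parameter}


@dataclass
class Session:
    session_id: bytes
    is_resumable: bool = True       # the "is resumable" flag of the session state


@dataclass
class Connection:
    session: Session
    is_open: bool = True


@dataclass
class AlertOutcome:
    level: AlertLevel
    description: AlertDescription
    connection_closed: bool
    session_invalidated: bool


def handle_alert(fragment: bytes, conn: Connection, cache: Dict[bytes, Session]) -> AlertOutcome:
    """Apply a received alert record to the connection and to the session cache."""
    if len(fragment) != 2:
        raise ValueError("alert message is exactly 2 bytes")
    try:
        level = AlertLevel(fragment[0])
        desc = AlertDescription(fragment[1])
    except ValueError as exc:
        raise ValueError(f"malformed alert: {exc}") from None
    if level == AlertLevel.FATAL or desc in ALWAYS_FATAL:
        conn.is_open = False                          # connection is terminated
        conn.session.is_resumable = False             # session ID is invalidated
        cache.pop(conn.session.session_id, None)      # no new connection in this session
        return AlertOutcome(AlertLevel.FATAL, desc, True, True)
    if desc == AlertDescription.close_notify:
        conn.is_open = False                          # orderly close; session stays resumable
        return AlertOutcome(level, desc, True, False)
    return AlertOutcome(level, desc, False, False)    # warning only: connection continues


def scenario() -> tuple:
    """Two connections of one session: warnings on the first, a fatal alert on the second."""
    sess = Session(b"\x01\x02\x03\x04")               # constructed sample session ID
    cache = {sess.session_id: sess}
    conn1 = Connection(sess)
    warn = handle_alert(bytes([1, 42]), conn1, cache)       # warning, bad_certificate
    close = handle_alert(bytes([1, 0]), conn1, cache)       # warning, close_notify
    resumable_after_close = sess.is_resumable
    conn2 = Connection(sess)                                 # new connection resumes the session
    fatal = handle_alert(bytes([2, 40]), conn2, cache)      # fatal, handshake_failure
    return (warn.connection_closed, close.connection_closed, resumable_after_close,
            fatal.session_invalidated, sess.session_id in cache)


def raises(fn, *args) -> bool:
    """Helper for the checks below: True if fn(*args) raises ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(scenario())
```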
SSL Handshake Protocol – overview
client → server: client_hello
server → client: server_hello, certificate, server_key_exchange, certificate_request, server_hello_done
client → server: certificate, client_key_exchange, certificate_verify, change_cipher_spec, finished
server → client: change_cipher_spec, finished
Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers
Phase 2: Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase.
Phase 3: Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message.
Phase 4: Change cipher spec and finish handshake
SSL Handshake Protocol
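A checker for the message order of the four phases above, treating as optional exactly the messages the slide marks with "may": the server's certificate, server_key_exchange and certificate_request, and the client's certificate and certificate_verify. This is an added example, not the lecture's code; the two cross-message rules (a client certificate only after certificate_request, certificate_verify only after a client certificate) follow phase 3 of the slide and the SSL 3.0 specification, and the function and error names are mine.

```python
"""Order check for SSL 3.0 handshake messages against the flow on the slide (added example)."""
from typing import Dict, List, Tuple

# (sender, message, optional) in the order of the slide; optional steps may be skipped
HANDSHAKE_FLOW: List[Tuple[str, str, bool]] = [
    ("client", "client_hello", False),
    ("server", "server_hello", False),
    ("server", "certificate", True),
    ("server", "server_key_exchange", True),
    ("server", "certificate_request", True),
    ("server", "server_hello_done", False),
    ("client", "certificate", True),
    ("client", "client_key_exchange", False),
    ("client", "certificate_verify", True),
    ("client", "change_cipher_spec", False),
    ("client", "finished", False),
    ("server", "change_cipher_spec", False),
    ("server", "finished", False),
]


class HandshakeOrderError(ValueError):
    """The transcript violates the expected order (would be an unexpected_message alert)."""


def check_handshake_order(transcript: List[Tuple[str, str]]) -> Dict[str, bool]:
    """Walk a transcript of (sender, message) pairs through HANDSHAKE_FLOW.

    Returns which optional parts occurred; raises HandshakeOrderError for an
    out-of-order, unexpected, or missing mandatory message.
    """
    i = 0
    seen = set()
    for sender, name in transcript:
        # skip optional steps the peer chose not to send; a skipped mandatory step is an error
        while i < len(HANDSHAKE_FLOW) and HANDSHAKE_FLOW[i][:2] != (sender, name):
            exp_sender, exp_name, optional = HANDSHAKE_FLOW[i]
            if not optional:
                raise HandshakeOrderError(f"expected {exp_sender} {exp_name}, got {sender} {name}")
            i += 1
        if i == len(HANDSHAKE_FLOW):
            raise HandshakeOrderError(f"unexpected {sender} {name} after the handshake finished")
        seen.add((sender, name))
        i += 1
    for exp_sender, exp_name, optional in HANDSHAKE_FLOW[i:]:
        if not optional:
            raise HandshakeOrderError(f"handshake incomplete: missing {exp_sender} {exp_name}")
    # cross-message rules from phases 2 and 3 of the slide
    client_cert = ("client", "certificate") in seen
    if client_cert and ("server", "certificate_request") not in seen:
        raise HandshakeOrderError("client certificate sent without a certificate_request")
    if ("client", "certificate_verify") in seen and not client_cert:
        raise HandshakeOrderError("certificate_verify without a client certificate")
    return {
        "server_certificate": ("server", "certificate") in seen,
        "client_certificate": client_cert,
        "client_verified": ("client", "certificate_verify") in seen,
    }


# constructed transcripts: every message on the slide, and the minimal flow with no optional message
FULL_FLOW = [(s, n) for s, n, _ in HANDSHAKE_FLOW]
MINIMAL_FLOW = [(s, n) for s, n, optional in HANDSHAKE_FLOW if not optional]


def raises(fn, *args) -> bool:
    """Helper for the checks below: True if fn(*args) raises ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(check_handshake_order(FULL_FLOW))
    print(check_handshake_order(MINIMAL_FLOW))
```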