
Introduction:

SSL is used to carry application layer protocols in a secure way.

Carrying application data over an SSL connection in a naive way can lead to a reduction in security and performance.

In order to design well we have to know the security capabilities of SSL.

First thing: Know what you want to secure.

Evaluate a ‘threat model’ for the application you want to secure.

Figure out what the vulnerabilities of the system you are trying to secure are (taking the costs into consideration).

Check which security services your application needs:

1. Confidentiality (not always needed).

2. Message integrity (a must).

3. Endpoint authentication (highly recommended).

It is not necessary that all security services be provided by SSL.

Next step: Identify which security services are best provided by SSL and which by the application.

Confidentiality.
Message integrity (should be done by SSL).
Endpoint authentication:
  Server authentication (better with SSL).
  Client authentication (optional in SSL).

Rule of thumb:

Message integrity isn’t optional: always provide it.

It is best to provide confidentiality (for interoperability with other SSL implementations and to meet users’ expectations).

Avoid client authentication unless you really need it.

Client authentication options:

The ideal situation: giving a certificate to each client we want to authenticate.

Since this presents deployment problems, we need other options:

1. Username/password authentication.

2. Username/password variants authentication.

Username/password authentication

This is the most traditional way to do client auth. It’s usually combined with an “access control list” (ACL).

Disadvantages:

Vulnerable to simple passive attacks (like a sniffing attack); these can be prevented by SSL.

Vulnerable to the following three major types of attacks:

1. Man-in-the-middle attack (if the client doesn’t check the server’s certificate).

2. Password guessing attack: people tend to choose easy passwords. Countermeasures against password guessing: limited tries, slowing down each password check.

3. Passwords are transferable: if the user chooses the same password on multiple machines, the server can impersonate him to another server.

Conclusion:

Although passwords are better over SSL, they still have substantial weaknesses.

Username/password variant authentication:

Since many systems use the username/password model, more complicated methods were designed to improve the security of this model.

For example: one-time password (OTP) methods such as ‘SecurID’ cards.

These methods prevent attacks on the connection carrying the password.

Since SSL prevents these attacks, this is useful only in systems with both insecure and secure connections.

SSL client authentication:

Client authentication in SSL is certificate-based.

Advantages of using SSL client auth.:

Doesn’t have any of the weaknesses of password-based authentication.

Much more secure.

Disadvantages of using SSL client auth.:

Operational problems (arrangements with CAs, a user list to maintain).

Vast majority of clients cannot access the server: undesirable for a business.

Needs mapping of certificates to user identities (ACL entries should be the same as the identities in the certificates).

Certain attacks are still possible, like tricking the client into making an auth. request for the attacker.

Rule of thumb:

In most cases, it’s easier to offer the clients username/password authentication.

Passwords are easier to integrate with most systems and users understand them better.

For automated clients (such as web servers) it’s just as easy to manage with certificates.

SSL client authentication cont.

Three major subjects should be taken into consideration when using SSL client authentication:

1. Certificate issuance:

The two primary problems:

A. Correctly authenticating users before issuing them certificates.

Solutions:

1. Seeing the user’s physical identity and then issuing him the certificate.

2. Issuing on-line by asking for identity marks (credit card number, etc.).

B. Arranging that only one user can get a certificate with a certain username.

Solution: Issue a temporary password through some external mechanism.

2. Access control:

Enables us to provide different levels of access to different classes of users (using certificates too). Can be done by access control lists (ACLs).

Advantages of this approach:

1. Permissions can be changed by merely changing ACLs (no issuing of a new certificate).

2. We can have a mixed system with both certificates and passwords (by having a function that does the mapping).

User list

User      Password
Alice     <Alice’s password>
Bob       <none>
Charlie   <Charlie’s password>
…

[Figure labels: Alice’s certificate, Bob’s certificate]

Access control list

User      Action
Alice     Permit
Bob       Deny
Charlie   Permit
…

Disadvantages:

Requires user data to be maintained in two locations: the ACL and the CA. (Makes it more problematic to create a user.)

The ACL and CA can get out of sync.

3. Removing users:

When using ACLs: merely remove the access control list.

When not using ACLs: use certificate revocation lists (CRLs).

Harder, since CRLs lack direct support in SSL.
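The mixed certificate/password system from the user list and access control list slides, as an added example (not code from the original slides). The names map_to_user, authorize and out_of_sync are hypothetical, the passwords are constructed sample values, and the certificate name is assumed to come from a certificate the SSL layer has already validated; the user list stands in for the CA's records.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption: a deliberately slow password check


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password=None, cert_cn=None):
    """One row of the user list: a password verifier, a certificate name, or both."""
    salt = os.urandom(16)
    verifier = hash_password(password, salt) if password is not None else None
    return {"salt": salt, "verifier": verifier, "cert_cn": cert_cn}


# Constructed data mirroring the slides: Bob has a certificate but no password.
USERS = {
    "alice": make_user(password="alice-pw", cert_cn="alice"),
    "bob": make_user(cert_cn="bob"),
    "charlie": make_user(password="charlie-pw"),
}
ACL = {"alice": "permit", "bob": "deny", "charlie": "permit"}


def map_to_user(users, cert_cn=None, username=None, password=None):
    """The mapping function: turn either credential type into a user-list name.

    cert_cn must come from an already validated client certificate; this
    function never validates a certificate chain itself.
    """
    if cert_cn is not None:
        for name, row in users.items():
            if row["cert_cn"] == cert_cn:
                return name
        return None
    row = users.get(username)
    if row is None or row["verifier"] is None or password is None:
        return None  # unknown user, or a certificate-only account
    candidate = hash_password(password, row["salt"])
    return username if hmac.compare_digest(candidate, row["verifier"]) else None


def authorize(users, acl, **credentials):
    """Authenticate by either method, then consult the ACL; the default is deny."""
    user = map_to_user(users, **credentials)
    return user is not None and acl.get(user) == "permit"


def out_of_sync(users, acl):
    """Names present in only one of the two stores (user list vs. ACL)."""
    return sorted(set(users) ^ set(acl))
```

Deleting a name from the ACL denies that user on both paths without touching the certificate, and out_of_sync then reports the leftover user-list row.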

Host to host connection:

This is a case where certificate-based authentication can be used with minimal overhead.

[Figure: secure tunnel]

In this case all we care about is the identity on the other end. Thus we can do client auth. the same as server auth. (No need for ACLs and client removal.)

Server authentication:

Server authentication is done by checking the reference integrity.

Server identity:

Ensuring a secure connection with SSL requires verifying the server identity (to prevent a man-in-the-middle attack).

Two things are required:

1. Verifying the server’s certificate.

2. Verifying that the server is indeed the server you’re expecting to talk to.

In some cases, SSL allows the server to remain anonymous (via the SSL_DH_anon cipher suites), but these suites are completely vulnerable to an active attack (it’s better if combined with passwords).

Security properties:

The client needs to verify that the security level of the connection meets his expectations.

Two examples of ways to verify the security level:

1. Telnet protocol: the client may simply have the domain name of the server.

2. HTTP protocol: the client has an indication in the URL that the protocol should be over SSL. (The URL begins with “https://”.)

Remark: the enforcement of secure connections must generally be done on the client side.

Rule of thumb:

We need to provide a reference that:

1. Concretely identifies the server that the client can expect to connect to.

2. Indicates that SSL is required.

The server identity needs to be automatically comparable to the server’s certificate (via domain name).

SSL limitations.

Cases where we should not use SSL:

1. Non-repudiation:

SSL cannot be used to provide non-repudiation of data.

For example: an online purchase. SSL ensures that:

1. You are talking to the correct server.

2. The receipt you were given hasn’t been tampered with.

But since the content of the receipt can’t be externally verified, the merchant can claim that you forged the receipt.

2. End-to-end security:

SSL is bad in cases where our machine is behind a firewall.

[Figure: Machine A, firewall, Machine B]

Protocol selection.

We have to be able to know whether a connection is carrying a secure version of a protocol or an insecure one.

Requirements for parallel secure and insecure operation:

1. We must be able to unambiguously distinguish secure and insecure connections.

2. Clients who are unaware of security issues must be able to operate with security-aware clients/servers.

Two common approaches to protocol selection:

1. Separate ports.

2. Upward negotiation.

Separate ports.

We assign different ports for the secure and the insecure versions of the protocol.

Disadvantages:

There is a limited number of ports (around 65000).

The client has to know to use SSL and to move to the secure port.

Requires modification to some firewalls which don’t allow TCP connections except on specific ports.

Advantages:

The implementation is trivial (arranging for the server to listen on both ports).

Doesn’t require any real modification to the application-layer protocol.

Secure and insecure implementations never interact at all.

Downgrade attacks on separate ports:

The attacker makes it appear that the server isn’t listening on the appropriate port at all.

[Figure: Client, Attacker, Server; messages: TCP SYN, RST packet]

The client can make this attack worse if he moves to insecure mode.

For instance, amazon.com’s web server contains the following text:

“If you received an error message when you tried to use our secure server, sign in using our standard server. If you select the secure server, the information you enter will be encrypted”.

2. Upward negotiation.

In this strategy one side will indicate that he supports SSL and the other side will indicate that he wants it.

The SSL handshake will occur.

The rest of the protocol will run over the secured connection.

[Figure: Upward negotiation. Client, Server; messages: Hello (SSL supported), Hello (Start SSL), Client hello, Rest of SSL handshake, First application protocol message]

Advantages of upward negotiation:

Doesn’t require allocating an extra port.

Automatic discovery: the client doesn’t need to know that security is available.

Disadvantages:

Requires substantial modifications to the code on both server and client (support must be added in order to negotiate).

Need to define what to do when the handshake fails (reconnect insecurely, signal an error, etc.).

Has a performance cost (need to first check that SSL is permitted).

Requires changes to the code of the firewall proxies so they can recognize the upward negotiation and get out of the way.

Downgrade attacks on upward negotiation.

[Figure: Client, Attacker, Server; messages: Hello (SSL supported), Hello (SSL not supported), First application protocol message]

Countermeasures:

1. Remember servers with whom we had a secure connection and insist on secure connections with them.

2. References to servers must indicate that the site is secure and what sort of negotiation is available.

3. Users must be taught not to make insecure connections when secure connections fail.
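A client-side policy that applies these countermeasures to upward negotiation, as an added example (not code from the original slides). The greeting token SSL-SUPPORTED, the 'proto+ssl://' reference scheme and all function and class names are hypothetical, and the greetings passed in are constructed samples.

```python
class DowngradeError(Exception):
    """Raised instead of silently continuing over an insecure connection."""


class SecureServerMemory:
    """Countermeasure 1: remember servers that have offered SSL before."""

    def __init__(self):
        self._secure_hosts = set()

    def remember(self, host):
        self._secure_hosts.add(host.lower())

    def expects_ssl(self, host):
        return host.lower() in self._secure_hosts


def reference_requires_ssl(reference):
    """Countermeasure 2: the reference itself says that SSL is required.

    Assumption: a hypothetical 'proto+ssl://host/' scheme marks such references.
    Returns (host, required).
    """
    scheme, _, rest = reference.partition("://")
    host = rest.split("/", 1)[0]
    return host, scheme.endswith("+ssl")


def choose_mode(reference, server_hello, memory):
    """Decide how to continue after the server's hello in upward negotiation.

    server_hello is the capability line as the client received it, which an
    active attacker may have rewritten. Returns 'ssl' or 'plain', or raises.
    """
    host, required = reference_requires_ssl(reference)
    offered = "SSL-SUPPORTED" in server_hello.split()
    if offered:
        memory.remember(host)
        return "ssl"    # client answers "Start SSL" and begins the handshake
    if required or memory.expects_ssl(host):
        # Countermeasure 3 in code: no insecure fallback when SSL was expected.
        raise DowngradeError(f"{host} did not offer SSL although it is expected")
    return "plain"      # security-unaware server and no prior knowledge of it
```

The memory only protects connections after the first secure one; a first contact is covered only when the reference itself requires SSL.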

Rule of thumb:

1. It’s much easier to design and implement a separate port strategy.

2. When designing a protocol for largely internal usage, use separate ports.

3. When designing for broad standardization, it’s worth paying the cost of an upgrade negotiation strategy.

Rehandshake

Useful in the following cases:

The server demands that different types of protocol request require different levels of security.

Client authentication is required (by the server before providing it any restricted services).

Cipher suite upgrading.

Replenishment of keying material (to prevent large-scale attacks on long-lived connections).

Closure

SSL provides its own closure mechanism: the close_notify alert (to prevent forging of TCP FINs).

Incomplete close:

When the implementation sends a close_notify and immediately closes the connection.

Premature close:

Here, one side closes the TCP connection (i.e. sends a FIN) without first sending a close_notify.

Security threat (the FIN segment could be forged).

Case                                 Generate error   Resume session
Incomplete close                     No               Yes
Premature close after End of Data    No               No
Premature close w/o End of Data      Yes              No

Summary.

Not all security services need to be provided via SSL.
Both protocol selection mechanisms have value.
Authenticate servers with certificates.
Set client security expectations.
Certificates are harder than passwords, but also stronger.
Define rehandshake semantics.
Closure is tricky.