Internet安全協(xié)議與分析：SSL TLS協(xié)議

Internet安全協(xié)議與分析

SSL/TLS協(xié)議問題如何對TCP上層的通訊進(jìn)行安全加固？本次課程教學(xué)安排Web安全問題SSLWTLSWEB安全Web服務(wù)器易于使用但正確配置比較復(fù)雜容易成為攻擊目標(biāo)Web安全問題威脅后果反對措施IntegrityModificationofDataTrojanhorsesLossofInformationCompromiseofMachineMACsandHashesConfidentialityEavesdroppingTheftofInformationLossofInformationPrivacyBreachEncryptionDoSStoppingFillingupDisksandResourcesStoppedTransactionsAuthenticationImpersonationDataForgeryMisrepresentationofUserAcceptfalseDataSignatures,MACs不同協(xié)議層的安全TCPIP/IPSECHTTPFTPSMTPTCPIPHTTPFTPSMTPSSL/TLSTCPIPS/MIMEPGPUDPKerberosSMTPSETHTTPAttheNetworkLevelAttheTransportLevelAttheApplicationLevelSSL概念SecureSocketsLayer：由Netscape于1994年始創(chuàng)，用于加固http層安全。Version3ofSSLwasreleasedin1995ItiswhatwethinkofwhenwesaySSLSlightvariationbecameTransportLayerSecurity(TLS)andwasacceptedbytheIETFin1999TLSisbackwardcompatiblewithSSLv3目的是使得TCP實(shí)現(xiàn)可靠、端對端的服務(wù)SSLconsistsoftwosublayers:SSLRecordProtocol(wherealltheactiontakesplace)SSL

Management:(Handshake/CipherChange/AlertProtocols)SSL\TLS的安全性TLSisusedconnection-orientedtransport,typicallyTCP.TLS可做到:Authentication以public/Privatekey方式來做Confidentiality利用一sessionkey，來encode和decode資料Integrity檢查MAC(MessageAuthenticationCode)，確認(rèn)是否被篡改不同的SSL版本1.SSL(SecureSocketLayer)是netscape公司設(shè)計的主要用于web的安全傳輸協(xié)議。這種協(xié)議在WEB上獲得了廣泛的應(yīng)用。2.IETF()將SSL作了標(biāo)準(zhǔn)化，即RFC2246,并將其稱為TLS（TransportLayerSecurity），從技術(shù)上講，TLS1.0與SSL3.0的差別非常微小。由于本文中沒有涉及兩者間的細(xì)小差別，本文中這兩個名字等價。3.在WAP的環(huán)境下，由于手機(jī)及手持設(shè)備的處理和存儲能力有限，wap論壇（）在TLS的基礎(chǔ)上做了WTLS協(xié)議（WirelessTransportLayerSecurity），以適應(yīng)無線的特殊環(huán)境。SSL資料EvolvedthroughUnreleasedv1(Netscape)Flawed-but-usefulv2Version3fromscratchStandardTLS1.0SSL3.0withminortweaks,henceVersionfieldis3.1DefinedinRFC2246,/rfc/rfc2246.txtOpen-sourceimplementationat/體系RecordProtocoltotransferapplicationandTLSinformationAsessionisestablishedusingaHandshakeProtocolTLSRecordProtocolHandshakeProtocolAlertProtocolChangeCipherSpecSSL在應(yīng)用中的位置SSL基本過程建立一個會話

AgreeonalgorithmsSharesecretsPerformauthentication傳輸應(yīng)用數(shù)據(jù)Ensureprivacyandintegrity握手協(xié)議SSL的核心協(xié)議部分完成在傳輸應(yīng)用數(shù)據(jù)之前進(jìn)行的準(zhǔn)備工作.相互認(rèn)證協(xié)商加密算法建立共享密鑰TheHandshakeProtocolconsistsofmessagesconsistingofthreefields:Type(1byte):Indicatestypeofthemessage.Thereare10types.Length(3bytes)Content:Thepayloadexchangedineachmessage握手協(xié)議NegotiateCipher-SuiteAlgorithms對稱密鑰密鑰交換方法消息摘要函數(shù)握手協(xié)議基本過程Hello消息證書和密鑰交換ChangeCipherSpecandFinishedmessages握手過程（1）ClientHelloClientCertificateClientKeyExchangeCertVerifyChangeCipherFinishedServerHelloServerCertificateServerKeyExchangeCertRequestServerHelloEndChangeCipherFinishedrAisanoncemadeof4bytesoftimestampand28bytesofrandom#.SimilarlyforrG.SessID:0ifnewsession,elseisthesessionIDofanexistingsession(andtheHandshakewillupdateparameters)CiphListisalistofalgorithmssupportedbytheclientinanorderofdecreasingpreference(KeyExchangeandEncryptionCipher)CiphChoice:TheciphersuitechosenbytheServer.ClientHello(0x01)ServerHello(0x02)握手過程（2）服務(wù)器認(rèn)證和密鑰交換ServerbeginsbysendingitsX.509cert(andassociatedcertchain)Next,apublickeyissentServermayRequestaCertfromtheClientServersendsendround2message握手過程（2）ClientHelloClientCertificateClientKeyExchangeCertVerifyChangeCipherFinishedServerHelloServerCertificateServerKeyExchangeCertRequestServerHelloEndChangeCipherFinishedKGistheprivatekey,andhenceEKGisasignatureoperationbytheServerValidCertAuthoritiesidentifiestheauthoritiestheserverwillacceptServerCertificate(0x0b)證書SequenceofX.509certificatesServer’s,CA’s,…X.509CertificateassociatespublickeywithidentityCertificationAuthority(CA)createscertificateAdherestopoliciesandverifiesidentitySignscertificateUserofCertificatemustensureitisvalid證書校驗(yàn)問題MustrecognizeacceptedCAincertificatechainOneCAmayissuecertificateforanotherCAMustverifythatcertificatehasnotbeenrevokedCApublishesCertificateRevocationList(CRL)serverkeyexchangemessageTheserverkeyexchangemessageissentbytheserveronlywhentheservercertificatemessage(ifsent)doesnotcontainenoughdatatoallowtheclienttoexchangeapremastersecret.握手過程（3）客戶機(jī)認(rèn)證和密鑰交換ClientverifiesthattheServer’sCertisvalid,andchecksthatparameterssentarevalidIfacertwasrequested,thentheClientsendsoneServergeneratesaPreMasterSecretsPM握手過程（3）ClientHelloClientCertificateClientKeyExchangeCertVerifyChangeCipherFinishedServerHelloServerCertificateServerKeyExchangeCertRequestServerHelloEndChangeCipherFinished+KGisthepublickey,andhenceE+KGisaencryptionusingthepublickeygainedfromthecertificateMessages1to8istheconcatenationoffirst8messagesMSismastersecretandStep9isforverification計算mastersecret握手過程（3）ClienttellsServertochangecipher(viatheChangeCipherProtocol).ServerrespondswithitsownchangedciphermessageFinishedMessagearehashesforverificationClientHelloClientCertificateClientKeyExchangeCertVerifyChangeCipherFinishedServerHelloServerCertificateServerKeyExchangeCertRequestServerHelloEndChangeCipherFinishedChangeCipherSpecAsinglebyteissentafternewcipherparametershavebeenagreedupon.“Pending”parametersbecomeactivated.SSLAlertProtocolSignalsthatunusualconditionshavebeenencountered.Eachmessageconsistsoftwobytes.Firstbyteisa(1)ifawarningora(2)ifafatalerror.Iferrorisfatal,theconnectionisterminated(otherconnectionsmaycontinue…).Secondbytesaysthetypeoferror.Unexpected_Message:FatalBad_Record_MAC:FatalDecompression_Failure:FatalHandshake_Failure:FatalAndmanymore…SSL加密MastersecretGeneratedbybothpartiesfrompremastersecretandrandomvaluesgeneratedbybothclientandserverKeymaterialGeneratedfromthemastersecretandsharedrandomvaluesEncryptionkeysExtractedfromthekeymaterial傳輸應(yīng)用數(shù)據(jù)通過握手協(xié)議建立一個SSL會話，擁有一組安全參數(shù)一個SSL會話可以對應(yīng)多個SSL連接，這些連接可以使用相同的安全參數(shù)SessionSecurityParametersSessionSecurityParameters:SessionIdentifierPeerCertificate:X.509v3certificateofthepeerCompression:OptionalalgorithmusedtocompressdataCipherSpecs:EncryptionAlgorithm(3DES,AES,etc.)andhashalgorithm(MD5,SHA-1)MasterSecret:48-bytesecretsharedbetweenclientandserverSSLRecordProtocolRecordHeaderThreepiecesofinformationContenttypeApplicationdataAlertHandshakeChange_cipher_specContentlengthSuggestswhentostartprocessingSSLversionRedundantcheckforversionagreementRecordHeaderMax.recordlength214–1MAC(MessageAuthenticationCode)對于消息和秘密數(shù)據(jù)單向hash，難以偽造DataHeadersSequencenumberTopreventreplayandreorderingattackNotincludedintherecordSSLSessionsvs.ConnectionsMultipleconnectionswithinasessionsOnenegotiation/sessionSessionResumptionThroughsessionIDsClientsuseserverIPaddressornameasindexServersusethesessionIDsprovidebytheclientsUseofrandomnumbersinresumedsessionkeycalculationensuresdifferentkeysSessionRe-handshakeClientcaninitiateanewhandshakewithinasessionUseofServerGatedCryptography(SGC)foraddedsecuritySSLOverhead2-10timesslowerthanaTCPsessionWheredowelosetimeHandshakephaseClientdoespublic-keyencryptionServerdoesprivate-keyencryption(stillpublic-keycryptography)UsuallyclientshavetowaitonserverstofinishDataTransferphaseSymmetrickeyencryptionWTLSWAPGatewayArchitectureWTLSHTTP/SSLHTTP/SSLWirelessGatewayApplicationServersWirelessTransportLayerSecurity(WTLS)Providessecurityservicesbetweenthemobiledevice(client)andtheWAPgatewayDataintegrityPrivacy(throughencryption)Authentication(throughcertificates)Denial-of-serviceprotection(detectsandrejectsmessagesthatarereplayed)WTLSProtocolStackWTLSRecordProtocol對應(yīng)用數(shù)據(jù)如下處理PayloadiscompressedAMACiscomputedCompressedmessageplusMACcodeareencryptedusingsymmetricencryptionRecordprotocoladdsaheadertothebeginningtoencryptedpaylo