Notes - Computer Security MT24, SSL and TLS


SSL was the predecessor to TLS and is now deprecated.

Flashcards

@Describe the most basic form of TLS for unilateral authentication between a server $S$ and a client $C$.


  1. $C \to S$: $\mathbf{nonce} _ C$, available cipher suites
  2. $S \to C$:
    • $\mathbf{nonce} _ S$
    • selected cipher suite
    • $\langle S, pk _ S, \text{Issuer1}, \mathbf{expiry}, \text{SIGN} _ {sk _ \text{Iss1} }(S \parallel pk _ S \parallel \mathbf{expiry}) \rangle$
    • $\langle \text{Issuer1}, pk _ \text{Iss1}, \text{Issuer2}, \mathbf{expiry}, \text{SIGN} _ {sk _ \text{Iss2} }(\text{Issuer1} \parallel pk _ \text{Iss1} \parallel \mathbf{expiry}) \rangle$
    • …(certificate chain, up to a root the client already trusts)…
  3. $C \to S$: $E _ {pk _ S}(\mathbf{version} \parallel \mathbf{nonce} _ P)$
  4. $C \to S$: $E _ {ke _ C}(\text{messages 1 to 3} \parallel \text{MAC} _ {km _ C}(\text{messages 1 to 3}))$
  5. $S \to C$: $E _ {ke _ S}(\text{messages 1 to 4} \parallel \text{MAC} _ {km _ S}(\text{messages 1 to 4}))$
  6. $C \to S$: $E _ {ke _ C}(m _ 1 \parallel \text{MAC} _ {km _ C}(\mathbf{counter} \parallel m _ 1))$
  7. $S \to C$: $E _ {ke _ S}(m _ 2 \parallel \text{MAC} _ {km _ S}(\mathbf{counter} \parallel m _ 2))$
  8. …etc…

where:

  • $\mathbf{nonce} _ P$ is called the pre-master secret; only the holder of $sk _ S$ can recover it from message 3, which is what authenticates $S$ to $C$
  • $\mathbf{version}$ inside message 3 lets $S$ detect a rollback to an older protocol version than the one $C$ offered
  • the master secret is computed as $\text{PRF}(\mathbf{nonce} _ P, \text{master secret} \parallel \mathbf{nonce} _ C \parallel \mathbf{nonce} _ S)$, where $\text{master secret}$ is the literal string “master secret”, and is then used to derive:
    • $ke _ C$ and $ke _ S$, the session encryption keys for messages from $C$ to $S$ and from $S$ to $C$ respectively
    • IVs for these encryptions
    • $km _ C$ and $km _ S$, the MAC keys for integrity-checking messages from $C$ to $S$ and from $S$ to $C$ respectively
  • messages 1 to 3 (and hence $\mathbf{nonce} _ C$ and $\mathbf{nonce} _ S$) are echoed back under the session keys in steps 4 and 5, so each side detects whether an attacker altered the unprotected hello messages (for example by stripping the strong cipher suites from message 1)
  • the $\mathbf{counter}$ inside the per-message MAC prevents replay and reordering of records within a session
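An added example (not part of the original notes) modelling the key schedule and the two integrity checks in the handshake above with the Python standard library only. The PRF is the RFC 5246 P_SHA256 construction. The RSA transport of the pre-master secret and the bulk encryption $E _ {ke}$ are abstracted away (an assumption): both parties are simply handed $\mathbf{nonce} _ P$, and only the MAC layer is modelled. The message layouts, cipher-suite names and record contents are constructed for illustration.

```python
"""Model of the unilateral TLS handshake: key derivation, the Finished
transcript MAC (steps 4/5) and the counter-protected record MAC (steps 6/7).
Assumption: RSA transport of nonce_P and the bulk encryption are not modelled;
both sides are given nonce_P directly. Sizes follow an AES-128-CBC/HMAC-SHA256
suite (MAC key 32, cipher key 16, IV 16 bytes)."""
import hashlib
import hmac
import os

MAC_LEN, KEY_LEN, IV_LEN = 32, 16, 16


def p_hash(secret: bytes, seed: bytes, n: int) -> bytes:
    """RFC 5246 P_SHA256: A(i) = HMAC(secret, A(i-1)); output HMAC(secret, A(i) || seed)."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]


def prf(secret: bytes, label: bytes, seed: bytes, n: int) -> bytes:
    return p_hash(secret, label + seed, n)


def derive_keys(nonce_p: bytes, nonce_c: bytes, nonce_s: bytes) -> dict:
    """master = PRF(nonce_P, "master secret" || nonce_C || nonce_S), then the key block.
    Key expansion seeds with nonce_S first, as RFC 5246 specifies."""
    ms = prf(nonce_p, b"master secret", nonce_c + nonce_s, 48)
    kb = prf(ms, b"key expansion", nonce_s + nonce_c, 2 * (MAC_LEN + KEY_LEN + IV_LEN))
    names = ["km_C", "km_S", "ke_C", "ke_S", "iv_C", "iv_S"]
    sizes = [MAC_LEN, MAC_LEN, KEY_LEN, KEY_LEN, IV_LEN, IV_LEN]
    keys, pos = {"master": ms}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def transcript_mac(km: bytes, messages: list) -> bytes:
    """MAC over the handshake messages seen so far (the Finished check, steps 4 and 5)."""
    return hmac.new(km, b"".join(messages), hashlib.sha256).digest()


def record_mac(km: bytes, counter: int, m: bytes) -> bytes:
    """MAC_km(counter || m) for application records (steps 6 and 7)."""
    return hmac.new(km, counter.to_bytes(8, "big") + m, hashlib.sha256).digest()


def run_handshake(nonce_c: bytes, nonce_s: bytes, nonce_p: bytes,
                  offered: bytes, tampered: bytes = None):
    """Return (does S accept C's Finished message?, suite S selected).
    `tampered` is what a man-in-the-middle rewrites the offered suite list to."""
    seen_by_s = tampered or offered
    msg1_sent = nonce_c + b"|" + offered                  # C's view of message 1
    msg1_recv = nonce_c + b"|" + seen_by_s                # S's view of message 1
    selected = seen_by_s.split(b",")[0]                   # S picks the first suite it was offered
    msg2 = nonce_s + b"|" + selected + b"|<cert chain>"   # identical on both sides (constructed)
    msg3 = b"E_pkS(version||nonce_P)"                     # stand-in; both sides know nonce_P (assumption)
    keys_c = derive_keys(nonce_p, nonce_c, nonce_s)       # each side derives independently
    keys_s = derive_keys(nonce_p, nonce_c, nonce_s)
    finished_c = transcript_mac(keys_c["km_C"], [msg1_sent, msg2, msg3])
    expected = transcript_mac(keys_s["km_C"], [msg1_recv, msg2, msg3])
    return hmac.compare_digest(finished_c, expected), selected


def receive_records(km: bytes, records: list):
    """Accept (counter, m, tag) triples strictly in order; stop at the first
    wrong counter (replay/reorder) or wrong tag (tampering)."""
    accepted, expected = [], 0
    for counter, m, tag in records:
        if counter != expected or not hmac.compare_digest(tag, record_mac(km, counter, m)):
            return accepted, False
        accepted.append(m)
        expected += 1
    return accepted, True


if __name__ == "__main__":
    nc, ns, npms = os.urandom(32), os.urandom(32), os.urandom(48)
    print("honest:", run_handshake(nc, ns, npms, b"strong,weak"))              # (True, b'strong')
    print("downgraded:", run_handshake(nc, ns, npms, b"strong,weak", b"weak"))  # (False, b'weak')
    km = derive_keys(npms, nc, ns)["km_C"]
    recs = [(i, m, record_mac(km, i, m)) for i, m in enumerate([b"GET /", b"GET /x"])]
    print("replay:", receive_records(km, recs + [recs[0]]))  # ([b'GET /', b'GET /x'], False)
```

The downgrade case shows why steps 4 and 5 cover the whole transcript: the attacker can make $S$ select the weak suite, but $C$ MACs the message 1 it actually sent, so $S$ computes a different expected value and aborts. The replay case shows the role of the counter: a valid record presented twice fails the counter check even though its tag is genuine.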

How does the bilateral variety modify this?


At step 3, the client also sends its own certificate chain together with a signature under $sk _ C$ over the handshake messages so far (the CertificateVerify message), so that $S$ can check the client actually holds the private key for the certified $pk _ C$ rather than merely a copy of the certificate.

