Notes - Computer Security MT24, SSL and TLS
SSL was the predecessor to TLS and is now deprecated.
Flashcards
@Describe the most basic form of TLS for unilateral authentication between a server $S$ and a client $C$.
- $C \to S$: $\mathbf{nonce} _ C$, available cipher suites
- $S \to C$:
  - $\mathbf{nonce} _ S$
  - selected cipher suite
  - $\langle S, pk _ S, \text{Issuer1}, \mathbf{expiry}, \text{SIGN} _ {sk _ \text{Iss1} }(S \parallel pk _ S \parallel \mathbf{expiry}) \rangle$
  - $\langle \text{Issuer1}, pk _ \text{Iss1}, \text{Issuer2}, \mathbf{expiry}, \text{SIGN} _ {sk _ \text{Iss2} }(\text{Issuer1} \parallel pk _ \text{Iss1} \parallel \mathbf{expiry}) \rangle$
  - …(certificate chain)…
- $C \to S$: $E _ {pk _ S}(\mathbf{version} \parallel \mathbf{nonce} _ P)$
- $C \to S$: $E _ {ke _ C}(\text{messages 1 to 3} \parallel \text{MAC} _ {km _ C}(\text{messages 1 to 3}))$
- $S \to C$: $E _ {ke _ S}(\text{messages 1 to 4} \parallel \text{MAC} _ {km _ S}(\text{messages 1 to 4}))$
- $C \to S$: $E _ {ke _ C}(m _ 1 \parallel \text{MAC} _ {km _ C}(\mathbf{counter} \parallel m _ 1))$
- $S \to C$: $E _ {ke _ S}(m _ 2 \parallel \text{MAC} _ {km _ S}(\mathbf{counter} \parallel m _ 2))$
- …etc…
where:
- $\mathbf{nonce} _ P$ is called the pre-master secret
- the master secret is then computed as $\text{PRF}(\mathbf{nonce} _ P, \text{master secret} \parallel \mathbf{nonce} _ C \parallel \mathbf{nonce} _ S)$ and used to derive:
  - $ke _ C$ and $ke _ S$, the session encryption keys
  - IVs for these encryptions
  - $km _ C$ and $km _ S$, the MAC keys for integrity checks on messages from $C$ to $S$ and from $S$ to $C$ respectively
- $\text{master secret}$ is the literal string “master secret”
- (note also that $\mathbf{nonce} _ C$ and $\mathbf{nonce} _ S$ are returned, inside the encrypted transcript, by the client and server in steps 4 and 5 respectively).
How does the bilateral variety modify this?
At step 3, the client sends their own certificate chain.