This topic was first discussed in Sicurezza delle reti#Protocollo SSL, but that was a simple toy model.
Secure Socket Layer
Secure Socket Layer (SSL) and TLS add security (see the security principles in Theoretical Notions of Security) at the transport layer, whereas the IPsec protocol adds it at the network layer. SSL/TLS therefore works at a higher level of abstraction in the ISO/OSI framework, see Architettura e livelli 1, 2#Livelli ISO/OSI.
SSL is the old version of the TLS protocol. Both provide integrity and confidentiality to the communication, see Theoretical Notions of Security. The main difference between SSL and TLS is that SSL has known vulnerabilities, such as the POODLE attack.
Principles
Session
It is an association (similar to an SA in Sicurezza delle reti) that connects the client to the server and defines the cryptographic parameters that allow the communication.
Session state:
- Session identifier: generated by the server to identify an active or resumable session.
- Peer certificate: X.509v3 certificate of the peer.
- Compression method: algorithm used to compress the data before encryption.
- Cipher spec: encryption and hash algorithm, including hash size.
- Master secret: 48-byte secret shared between the client and the server.
- Is resumable: indicates if the session can be used to initiate new connections.
The main takeaway, similarly to the SA, is that the session keeps the identifying parameters and the security parameters of the communication.
Connection
The same session can have more than one connection. Connection state:
- Server and client random: random values chosen for each connection.
- Server write MAC secret: shared key used to compute the MAC on data sent by the server.
- Client write MAC secret: same as above for the client.
- Server write key: shared key used for encryption when the server sends data.
- Client write key: same as above for the client.
- Initialization vectors: initialization vectors required by the encryption.
- Sequence numbers: both server and client maintain such a counter to prevent replay; the cycle is $2^{64} - 1$.
The SSL record
Alerts
Alerts are two bytes used to carry error/warning information.
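The connection state above (write MAC secret, per-direction sequence number) and the two-byte alert are easiest to see in code. The following is an added example, not code from the original notes: it models one direction of a TLS 1.2-style record layer with the standard MAC input (sequence number, content type, version, length, fragment), shows why a replayed or tampered record is rejected, and decodes an alert body into its level and description. Encryption with the write key is deliberately left out so the block runs with the standard library only; the secret and messages are constructed sample values.

```python
import hmac
import hashlib
import struct

# Record-layer content types and the TLS 1.2 version bytes on the wire
CT_ALERT = 21
CT_APPLICATION_DATA = 23
TLS_1_2 = (3, 3)

# Alert bytes: level (1 warning, 2 fatal) and a subset of the standard descriptions
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 45: "certificate_expired", 70: "protocol_version"}


class ReplayError(Exception):
    """Raised when a record fails its MAC check (tampering, replay or reordering)."""


class RecordEndpoint:
    """One direction of a connection: a write MAC secret plus a sequence number.
    The writer and the reader of that direction keep their own copy of the counter."""

    def __init__(self, mac_secret: bytes):
        self.mac_secret = mac_secret
        self.seq = 0  # 64-bit counter; a real stack must renegotiate before it wraps

    def _mac(self, seq: int, content_type: int, fragment: bytes) -> bytes:
        # TLS 1.2 MAC input: seq_num || type || version || length || fragment
        header = struct.pack("!QBBBH", seq, content_type, *TLS_1_2, len(fragment))
        return hmac.new(self.mac_secret, header + fragment, hashlib.sha256).digest()

    def protect(self, content_type: int, fragment: bytes) -> bytes:
        """Build a record: 5-byte header, fragment, 32-byte HMAC-SHA256 (no encryption here)."""
        mac = self._mac(self.seq, content_type, fragment)
        self.seq += 1
        body = fragment + mac
        return struct.pack("!BBBH", content_type, *TLS_1_2, len(body)) + body

    def unprotect(self, record: bytes) -> tuple[int, bytes]:
        """Verify a record against the reader's own expected sequence number."""
        content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
        body = record[5:5 + length]
        if (major, minor) != TLS_1_2 or len(body) != length or len(body) < 32:
            raise ReplayError("malformed record")
        fragment, mac = body[:-32], body[-32:]
        # A replayed or reordered record was MACed under a different sequence number,
        # so the recomputed MAC will not match.
        expected = self._mac(self.seq, content_type, fragment)
        if not hmac.compare_digest(mac, expected):
            raise ReplayError("bad_record_mac")
        self.seq += 1
        return content_type, fragment


def accepts(endpoint: RecordEndpoint, record: bytes) -> bool:
    """True if the endpoint accepts the record, False if the MAC check rejects it."""
    try:
        endpoint.unprotect(record)
        return True
    except ReplayError:
        return False


def parse_alert(fragment: bytes) -> tuple[str, str]:
    """Decode the two-byte alert body into (level, description)."""
    if len(fragment) != 2:
        raise ValueError("alert must be exactly two bytes")
    level, desc = fragment
    return ALERT_LEVELS.get(level, f"level_{level}"), ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}")


def demo() -> dict:
    secret = b"constructed-server-write-mac-secret"  # constructed sample key, not from a handshake
    server, client = RecordEndpoint(secret), RecordEndpoint(secret)
    r1 = server.protect(CT_APPLICATION_DATA, b"hello")
    r2 = server.protect(CT_ALERT, bytes([2, 40]))  # fatal handshake_failure
    first = client.unprotect(r1)[1]
    alert = parse_alert(client.unprotect(r2)[1])
    replay_accepted = accepts(client, r1)  # same bytes again: client's counter has moved on
    tampered = bytearray(r1)
    tampered[5] ^= 0x01  # flip one bit of the fragment
    tamper_accepted = accepts(RecordEndpoint(secret), bytes(tampered))  # fresh reader, seq 0
    return {"first": first, "alert": alert,
            "replay_accepted": replay_accepted, "tamper_accepted": tamper_accepted}


if __name__ == "__main__":
    print(demo())
```

The reader never trusts a sequence number carried in the record (there is none on the wire); it uses its own counter, which is what turns a MAC into an anti-replay check.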
TLS handshake protocol
TLS stands for Transport Layer Security; it provides CIA guarantees (see Theoretical Notions of Security) at the process level, not at the host or gateway level as IPsec does.
It works at the process level to ensure security from the protocol's perspective; it is more granular because it sits outside the ISO/OSI stack.
Properties
Two of the three principles in Theoretical Notions of Security are provided by TLS: integrity and confidentiality. Authentication is implemented at the application layer.
Exchange of keys
Importantly, TLS uses a symmetric key for the communication once the connection has been established.
[Diagram, not reproduced here: a second figure specifying the encryption of the messages in more detail.]
Exchange protocol
Common key-exchange protocols are simply reused. Some examples:
- Diffie-Hellman
- RSA
and their variations.
Authenticity of certificates
CAs are used to exchange the security keys securely. This is the default; historically there have been some attacks on this method.
Another option is to self-sign the certificate and exchange that signed certificate (this needs other things, like manual operations, to validate and trust it).
Validation of the Certificates
During the negotiation of the keys, a certificate is needed. The certificate contains information about:
- Issuer CA
- Issuing and expiration date.
- Public key, and who can use this certificate
- Where it can be verified
- Where to look to see whether it has been revoked.
These certificates build a chain of certification, which should be validated by the client before connecting.
Domain Validation (DV) and Extended Validation (EV): the issuer makes different checks. With the former only the domain is validated (the certificate is issued if the domain is owned); with the latter the organization or company is also validated. So the main difference between the two is the cost of issuing the certificate. Which one applies is indicated by the policy number on the certificate.
Revocation of the certificates
Hosts should check whether the certificate is still valid. If a certificate has been revoked, it should be listed in a certificate revocation list (CRL) published on a site. You check the serial number of the certificate: if it is present in the list, the certificate is revoked.
A more recent protocol, OCSP (Online Certificate Status Protocol), offers an API-style check of the revocation status, so the client does not need to download the whole CRL.
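The checks described in the last three sections (issuer link, signature by the CA, validity dates, DV/EV policy identifier, and the CRL serial-number lookup) can be exercised end to end with the `cryptography` library. This is an added example, not code from the notes or from any particular TLS stack: it builds a constructed test root CA, a leaf certificate signed by it, and a CRL, then validates the leaf the way a client would before connecting. The policy OIDs come from the CA/Browser Forum (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV); everything else (names, lifetimes, which serial is revoked) is a constructed sample. OCSP is not modelled, only the CRL path.

```python
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# CA/Browser Forum policy OIDs that mark the validation level of a certificate
POLICY_LEVELS = {"2.23.140.1.1": "EV", "2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV"}


def _utcnow():
    # Naive UTC, which is what the builders and the older *.not_valid_* properties use
    return dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, pubkey, now, days, ca, policy=None):
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer).public_key(pubkey)
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(days=1))
         .not_valid_after(now + dt.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if policy:  # the "policy number" the notes mention, as a certificatePolicies extension
        b = b.add_extension(x509.CertificatePolicies(
            [x509.PolicyInformation(x509.ObjectIdentifier(policy), None)]), critical=False)
    return b


def make_ca(now, cn="Constructed Test Root"):
    """Self-signed root: subject == issuer, signed with its own key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _builder(_name(cn), _name(cn), key.public_key(), now, 365, ca=True).sign(key, hashes.SHA256())
    return key, cert


def make_leaf(ca_key, ca_cert, cn, now, days=90, policy="2.23.140.1.2.1"):
    """Leaf certificate issued (signed) by the CA; DV policy unless told otherwise."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return _builder(_name(cn), ca_cert.subject, key.public_key(), now, days, ca=False,
                    policy=policy).sign(ca_key, hashes.SHA256())


def make_crl(ca_key, ca_cert, revoked_serials, now):
    """CRL signed by the CA listing the revoked serial numbers."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now).next_update(now + dt.timedelta(days=7)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build())
    return b.sign(ca_key, hashes.SHA256())


def _validity(cert):
    # Newer cryptography releases expose tz-aware *_utc properties; fall back to the naive ones
    if hasattr(cert, "not_valid_before_utc"):
        return (cert.not_valid_before_utc.replace(tzinfo=None),
                cert.not_valid_after_utc.replace(tzinfo=None))
    return cert.not_valid_before, cert.not_valid_after


def validation_level(cert):
    """'EV', 'DV', 'OV' from the certificatePolicies extension, or 'unknown'."""
    try:
        policies = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
    except x509.ExtensionNotFound:
        return "unknown"
    for info in policies:
        level = POLICY_LEVELS.get(info.policy_identifier.dotted_string)
        if level:
            return level
    return "unknown"


def validate_leaf(leaf, ca, crl, now):
    """Return (ok, reason): issuer link, CA signature, validity window, CRL signature, CRL lookup."""
    if leaf.issuer != ca.subject:
        return False, "issuer does not match the CA"
    try:
        ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                               padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature not made by the CA"
    not_before, not_after = _validity(leaf)
    if not (not_before <= now <= not_after):
        return False, "outside validity period"
    if not crl.is_signature_valid(ca.public_key()):
        return False, "CRL signature invalid"
    if crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
        return False, "revoked"
    return True, "valid"


if __name__ == "__main__":
    now = _utcnow()
    ca_key, ca = make_ca(now)
    leaf = make_leaf(ca_key, ca, "constructed.example.test", now)
    print(validation_level(leaf), validate_leaf(leaf, ca, make_crl(ca_key, ca, [], now), now))
```

The CRL's own signature is checked before its contents are trusted; a revocation list that anyone could forge would let an attacker un-revoke a certificate, so that step is not optional.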
Attacks on TLS
CA trustworthiness
See VeriSign 2001 (certificates issued in Microsoft's name), the Comodo hack, DigiNotar, Trustwave.
Usage of weak ciphers
During the negotiation a weak cipher could be chosen, which makes the communication easier to break (e.g. using RC4 or MD5).
Protocol Attacks
- Renegotiate with the NULL algorithm (lol!)
- Downgrade the TLS version to a vulnerable one, or force the usage of insecure ciphers.
Man in the middle
You need to steal a valid certificate; then you can put yourself in the middle of the communication with the user.
Usually the main defense against this type of attack is certificate pinning.
Heartbeat
Packets sent to keep the communication alive during idle times; some firewalls, for example, could kill the connection if no packet is sent. The response is an echo of the request plus random strings.
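The heartbeat echo described above has one check a defender cares about: the message carries its own declared payload length, and the responder must never echo more bytes than it actually received. The following is an added example, not code from the notes or from any TLS library: it builds and handles heartbeat messages in the RFC 6520 layout (type byte, two-byte payload length, payload, at least 16 bytes of random padding) and discards any request whose declared length does not fit in the received message, which is the bounds check whose absence in one implementation became known as Heartbleed. The messages are constructed samples.

```python
import os
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: padding is at least 16 bytes of random data


def build_heartbeat(msg_type: int, payload: bytes) -> bytes:
    """type(1) || payload_length(2) || payload || random padding."""
    return struct.pack("!BH", msg_type, len(payload)) + payload + os.urandom(MIN_PADDING)


def handle_heartbeat(message: bytes):
    """Return the response for a well-formed request, or None when the message must be
    silently discarded (too short, wrong type, or declared payload_length too large)."""
    if len(message) < 3:
        return None
    msg_type, payload_length = struct.unpack("!BH", message[:3])
    # Bounds check: the declared length must fit in what was actually received,
    # leaving room for the mandatory padding. Never trust payload_length on its own.
    if 3 + payload_length + MIN_PADDING > len(message):
        return None
    if msg_type != HB_REQUEST:
        return None
    payload = message[3:3 + payload_length]  # echo exactly the bytes the peer sent
    return build_heartbeat(HB_RESPONSE, payload)


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    msg_type, length = struct.unpack("!BH", response[:3])
    if msg_type != HB_RESPONSE:
        raise ValueError("not a heartbeat response")
    return response[3:3 + length]


def demo() -> dict:
    good = build_heartbeat(HB_REQUEST, b"keepalive")  # constructed, well-formed request
    # Constructed malformed request: claims 2000 payload bytes but carries only 9
    oversized = struct.pack("!BH", HB_REQUEST, 2000) + b"keepalive" + os.urandom(MIN_PADDING)
    resp = handle_heartbeat(good)
    return {"echo": response_payload(resp), "oversized_rejected": handle_heartbeat(oversized) is None}


if __name__ == "__main__":
    print(demo())
```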