 |
Appendix D. SSL Protocol
This appendix reproduces
verbatim the SSL protocol specification from http://
home.netspace.com/newsref/std/ssl.html.
The SSL protocol is designed to establish a secure connection between
a client and a server communicating over an insecure channel. This
document makes several traditional assumptions, including that
attackers have substantial computational resources and cannot obtain
secret information from sources outside the protocol. Attackers are
assumed to have the ability to capture, modify, delete, replay, and
otherwise tamper with messages sent over the communication channel.
The following material outlines how SSL has been designed to resist a
variety of attacks.
D.1. Handshake Protocol
The handshake protocol is responsible for
selecting a CipherSpec and generating a MasterSecret, which together
comprise the primary cryptographic parameters associated with a
secure session. The handshake protocol can also optionally
authenticate parties who have certificates signed by a trusted
certificate authority.
D.1.1. Authentication and Key Exchange
SSL
supports three authentication modes: authentication of both parties,
server authentication with an unauthenticated client, and total
anonymity. Whenever the server is authenticated, the channel should
be secure against man-in-the-middle attacks, but completely anonymous
sessions are inherently vulnerable to such attacks. Anonymous servers
cannot authenticate clients, since the client signature in the
certificate verify message may require a server certificate to bind
the signature to a particular server. If the server is authenticated,
its certificate message must provide a valid certificate chain
leading to an acceptable certificate authority. Similarly,
authenticated clients must supply an acceptable certificate to the
server. Each party is responsible for verifying that the
other's certificate is valid and has not expired or been
revoked.
The general goal of the key exchange process is to create a
pre_master_secret known to the communicating
parties and not to attackers. The pre_master_secret
will be used to generate the
master_secret. The
master_secret is required to generate the
finished messages, encryption keys, and MAC secrets. By sending a
correct finished message, parties prove that they know the correct
pre_master_secret.
D.1.1.1. Anonymous key exchange
Completely anonymous sessions can be
established using RSA, Diffie-Hellman, or Fortezza for key exchange.
With anonymous RSA, the client encrypts a
pre_master_secret with the server's
uncertified public key extracted from the server key exchange
message. The result is sent in a client key exchange message. Since
eavesdroppers do not know the server's private key, it will be
infeasible for them to decode the
pre_master_secret.
With Diffie-Hellman or Fortezza, the server's public parameters
are contained in the server key exchange message and the
client's are sent in the client key exchange message.
Eavesdroppers who do not know the private values should not be able
to find the Diffie-Hellman result (i.e., the
pre_master_secret) or the Fortezza token
encryption key (TEK).
WARNING
Completely anonymous connections only provide protection against
passive eavesdropping. Unless an independent tamper-proof channel is
used to verify that the finished messages were not replaced by an
attacker, server authentication is required in environments where
active man-in-the-middle attacks are a concern.
D.1.1.2. RSA key exchange and authentication
With RSA, key
exchange and server authentication are combined. The public key may
be either contained in the server's certificate or may be a
temporary RSA key sent in a server key exchange message. When
temporary RSA keys are used, they are signed by the server's
RSA or DSS certificate. The signature includes the current
ClientHello.random, so old signatures and
temporary keys cannot be replayed. Servers may use a single temporary
RSA key for multiple negotiation sessions.
NOTE
The temporary RSA key option is useful if servers need large
certificates but must comply with government-imposed size limits on
keys used for key exchange.
After verifying the server's certificate, the client encrypts a
pre_master_secret with the server's public
key. By successfully decoding the
pre_master_secret and producing a correct
finished message, the server demonstrates that it knows the private
key corresponding to the server certificate.
When RSA is used for key exchange, clients are authenticated using
the certificate verify message (see Section 7.6.8). The client signs
a value derived from the master_secret and all
preceding handshake messages. These handshake messages include the
server certificate, which binds the signature to the server, and
ServerHello.random, which binds the signature to
the current handshake process.
D.1.1.3. Diffie-Hellman key exchange with authentication
When Diffie-Hellman key exchange is used,
the server can either supply a certificate containing fixed
Diffie-Hellman parameters or use the client key exchange message to
send a set of temporary Diffie-Hellman parameters signed with a DSS
or RSA certificate. Temporary parameters are hashed with the
hello.random values before signing to ensure
that attackers do not replay old parameters. In either case, the
client can verify the certificate or signature to ensure that the
parameters belong to the server.
If the client has a certificate containing fixed Diffie-Hellman
parameters, its certificate contains the information required to
complete the key exchange. Note that in this case the client and
server will generate the same Diffie-Hellman result (i.e.,
pre_master_secret) every time they communicate.
To prevent the pre_master_secret from staying in
memory any longer than necessary, it should be converted into the
master_secret as soon as possible. Client
Diffie-Hellman parameters must be compatible with those supplied by
the server for the key exchange to work.
If the client has a standard DSS or RSA certificate or is
unauthenticated, it sends a set of temporary parameters to the server
in the client key exchange message, then optionally uses a
certificate verify message to authenticate itself.
D.1.1.4. Fortezza
Fortezza's design is classified, but
at the protocol level it is similar to Diffie-Hellman with fixed
public values contained in certificates. The result of the key
exchange process is the token encryption key (TEK), which is used
to wrap data encryption keys, client write key, server write key, and
master secret encryption key. The data encryption keys are not
derived from the pre_master_secret because
unwrapped keys are not accessible outside the token. The encrypted
pre_master_secret is sent to the server in a
client key exchange message.
D.1.2. Version Rollback Attacks
Because SSL Version 3.0 includes
substantial improvements over SSL Version 2.0, attackers may try to
make Version 3.0-capable clients and servers fall back to Version
2.0. This attack occurs if (and only if) two Version 3.0-capable
parties use an SSL 2.0 handshake.
Although the solution using non-random PKCS #1 block type 2 message
padding is inelegant, it provides a reasonably secure way for Version
3.0 servers to detect the attack. This solution is not secure against
attackers who can brute force the key and substitute a new
ENCRYPTED-KEY-DATA message containing the same key (but with normal
padding) before the application-specified wait threshold has expired.
Parties concerned about attacks of this scale should not be using
40-bit encryption keys anyway. Altering the padding of the least
significant 8 bytes of the PKCS padding does not impact security,
since this is essentially equivalent to increasing the input block
size by 8 bytes.
D.1.3. Detecting Attacks Against the Handshake Protocol
An attacker might try to influence the handshake exchange to make the
parties select different encryption algorithms than they would
normally choose. Because many implementations will support 40-bit
exportable encryption and some may even support null encryption or
MAC
algorithms, this attack is of particular concern.
For this attack, an attacker must actively change one or more
handshake messages. If this occurs, the client and server will
compute different values for the handshake message hashes. As a
result, the parties will not accept each others' finished
messages. Without the master_secret, the
attacker cannot repair the finished messages, so the attack will be
discovered.
D.1.4. Resuming Sessions
When a
connection is established by resuming a session, new
ClientHello.random and
ServerHello.random values are hashed with the
session's master_secret. Provided that the
master_secret has not been compromised and that
the hash operations used to produce the encryption keys and MAC
secrets are secure, the connection should be secure and effectively
independent from previous connections. Attackers cannot use known
encryption keys or MAC secrets to compromise the
master_secret without breaking the secure hash
operations (which use both SHA and MD5).
Sessions cannot be resumed unless both the client and server agree.
If either party suspects that the session may have been compromised,
or that certificates may have expired or been revoked, it should
force a full handshake. An upper limit of 24 hours is suggested for
session ID lifetimes, since an attacker who obtains a
master_secret may be able to impersonate the
compromised party until the corresponding session ID is retired.
Applications that may be run in relatively insecure environments
should not write session IDs to stable storage.
D.1.5. MD5 and SHA
SSL uses hash functions very conservatively. Where possible, both MD5
and SHA are used in tandem to ensure that non-catastrophic flaws in
one algorithm will not break the overall protocol.
 |  |  | | C. NCSA and Apache Compatibility |  | D.2. Protecting Application Data |
Copyright © 2001 O'Reilly & Associates. All rights reserved.
|
|
|
