Prepared by: [Link].N.G., Asst Professor Senior, Dept of Analytics, SCOPE, VIT, Vellore.

Module 6 - Transport Layer Security and IP Security

BCSE309P Cryptography and Network Security
Transport-Layer Security, Secure Socket Layer (SSL), TLS, IP Security: Overview, IP Security Architecture, Encapsulating Security Payload

By,
[Link].N.G.,
Assistant Professor Senior,
Department of Analytics,
School of Computer Science and Engineering,
Vellore Institute of Technology, Vellore.

Email: [Link]@[Link] Mobile: 8903580808 Cabin: PRP 217-16

Transport-Level Security

• Transport-level security provides end-to-end security services for applications that use a reliable transport-layer protocol such as TCP.
• The idea is to provide security services for transactions on the Internet.
• Two protocols have been dominant for providing security at the transport layer:
  1. Secure Sockets Layer (SSL) protocol.
  2. Transport Layer Security (TLS) protocol.
• Figure: location of SSL and TLS in the Internet model (a layer between the application protocol and TCP).
• Note: every version of SSL is now deprecated (SSL 3.0 by RFC 7568); what is deployed today is TLS 1.2 and TLS 1.3. The SSL material below is still the right way to learn the design, since TLS keeps the same structure.


SSL Architecture

• SSL is designed to provide security and compression services to data generated from the application layer.
• Topics discussed in this section:
  1. Services
  2. Key Exchange Algorithms
  3. Encryption/Decryption Algorithms
  4. Hash Algorithms
  5. Cipher Suite
  6. Compression Algorithms
  7. Cryptographic Parameter Generation
  8. Sessions and Connections

1. Services

• Fragmentation: First, SSL divides the data into blocks of 2^14 (16,384) bytes or less.
• Compression: Each fragment of data is compressed using one of the lossless compression methods. This service is optional. (Caveat: compressing secret data together with attacker-influenced data leaks the secret through the ciphertext length, the CRIME attack; TLS 1.3 removed compression entirely.)
• Message Integrity: SSL uses a keyed-hash function to create a MAC to preserve the integrity of the data.
• Confidentiality: The original data and the MAC are encrypted using symmetric-key cryptography to provide confidentiality.
• Framing: A header is added to the encrypted payload. The payload is then passed to a reliable transport-layer protocol.

2. Key Exchange Algorithms

• To exchange an authenticated and confidential message, the client and the server each need six cryptographic secrets (four keys and two initialization vectors).
• To create these secrets, one pre-master secret must be established between the two parties.
• SSL defines six key-exchange methods to establish this pre-master secret: NULL, RSA, anonymous Diffie-Hellman, ephemeral Diffie-Hellman, fixed Diffie-Hellman and Fortezza.


NULL
• There is no key exchange in this method. No pre-master secret is established between the client and the server; both client and server need to know the value of the pre-master secret already (it must have been delivered out of band).

RSA
• RSA key exchange: the client generates the pre-master secret, encrypts it with the server's RSA public key (taken from the server's certificate) and sends it to the server, which decrypts it with its private key.
• Caveat: because the pre-master secret is encrypted under the server's long-term key, anyone who later obtains that private key can decrypt recorded sessions. RSA key exchange has no forward secrecy and was removed from TLS 1.3.

Anonymous Diffie-Hellman
• Anonymous Diffie-Hellman key exchange: client and server exchange DH public values (g^x mod p and g^y mod p) and both compute the pre-master secret from g^xy mod p. Nothing is signed, so neither party is authenticated and an active attacker can substitute its own values toward each side (man-in-the-middle).

Ephemeral Diffie-Hellman
• Ephemeral Diffie-Hellman key exchange: the server generates a fresh DH key pair for the session and signs its public value (with its RSA or DSS private key) so the client can verify that it came from the certified server. The ephemeral private value is discarded afterwards, which gives forward secrecy.


Fixed Diffie-Hellman
• Another solution is the fixed Diffie-Hellman method. All entities in a group can prepare fixed Diffie-Hellman parameters (g and p). Each party's DH public value is fixed and carried in its certificate, so the same pre-master secret results for every session between the same two parties.

Fortezza
• Fortezza is a registered trademark of the U.S. National Security Agency (NSA).
• It is a family of security protocols developed for the Defense Department.
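The difference between anonymous and ephemeral (signed) Diffie-Hellman is easiest to see in code. The block below is an added example, not code from the slides or from any SSL/TLS library: it simulates the key-exchange part of a handshake and lets an attacker substitute DH values. Everything in it is a toy assumption chosen so it runs offline: the DH modulus is the Mersenne prime 2^127 - 1 with generator 5 (far too small for real use; real deployments use the RFC 7919 groups), and textbook RSA over freshly generated 256-bit primes stands in for the server's certificate key.

```python
"""Added example (not the page's code): anonymous vs. signed ephemeral DH
and why only the signed variant resists a man-in-the-middle.
Toy parameters: P = 2^127 - 1 and G = 5 for DH; textbook RSA (no padding,
no certificate chain) stands in for the server's certificate key."""
import hashlib
import secrets

P = 2**127 - 1   # toy DH modulus (prime, but nowhere near a real group size)
G = 5            # toy generator


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_premaster(their_public, my_private):
    """Pre-master secret derived from g^xy mod p (hashed to a fixed size)."""
    return hashlib.sha256(pow(their_public, my_private, P).to_bytes(16, "big")).digest()


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin, enough to generate the toy RSA key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Textbook RSA key pair: (public (e, n), private (d, n))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_sign(priv, msg):
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), d, n)


def rsa_verify(pub, msg, sig):
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big")


def _signed_params(client_random, server_random, dh_public):
    # What a DHE server signs in ServerKeyExchange: both randoms plus its DH value.
    return client_random + server_random + dh_public.to_bytes(16, "big")


def run_handshake(signed, attacker_in_path):
    """Return the pre-master secret each party ends up with ("attacker" is None
    when nobody is in the path). Raises ValueError if the client detects a forgery."""
    server_pub, server_priv = rsa_keygen()
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    y, gy = dh_keypair()                      # server's (ephemeral) DH value
    sig = rsa_sign(server_priv, _signed_params(client_random, server_random, gy)) if signed else None
    if attacker_in_path:                      # Mallory swaps in g^m toward the client ...
        m, gm = dh_keypair()
        m2, gm2 = dh_keypair()                # ... and g^m2 toward the server
        gy_seen_by_client = gm
    else:
        gy_seen_by_client = gy
    # Client: with DHE the signature must verify under the server's public key.
    if signed and not rsa_verify(server_pub, _signed_params(client_random, server_random, gy_seen_by_client), sig):
        raise ValueError("ServerKeyExchange signature does not verify: abort handshake")
    x, gx = dh_keypair()
    client_secret = dh_premaster(gy_seen_by_client, x)
    if attacker_in_path:
        attacker = dh_premaster(gx, m)        # identical to the client's secret
        server_secret = dh_premaster(gm2, y)  # server shares a different secret with Mallory
    else:
        attacker, server_secret = None, dh_premaster(gx, y)
    return {"client": client_secret, "server": server_secret, "attacker": attacker}
```

With `signed=False` the attacker ends the handshake holding the client's pre-master secret and relays traffic unnoticed; with `signed=True` the forged value fails signature verification and the client aborts. The fixed-DH variant would replace the signature with a DH public value pinned in the certificate, which gives authentication but not forward secrecy.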

3. Encryption/Decryption Algorithms

• There are six groups of algorithms: NULL, stream RC, block RC, DES, IDEA and Fortezza.
• All block ciphers use an 8-byte initialization vector (IV), except Fortezza, which uses a 20-byte IV.

NULL
• The NULL category simply defines the lack of an encryption/decryption algorithm.

Stream RC
• Two RC algorithms are defined in stream mode: RC4_40 (40-bit key) and RC4_128 (128-bit key).

Block RC
• One RC algorithm is defined in block mode: RC2_CBC_40 (40-bit key).

DES
• All DES algorithms are defined in block mode: DES40_CBC, DES_CBC (56-bit key) and 3DES_EDE_CBC (168-bit key).

IDEA
• The IDEA algorithm defined in block mode is IDEA_CBC, with a 128-bit key.

Fortezza
• The one Fortezza algorithm defined in block mode is FORTEZZA_CBC.

• Caveat: none of these ciphers is acceptable today. RC4 is prohibited in TLS (RFC 7465), 40-bit "export" keys and single DES are brute-forceable, and 3DES is limited by its 64-bit block size (the Sweet32 attack). Current TLS uses AES-GCM or ChaCha20-Poly1305.


4. Hash Algorithm

NULL
• The two parties may decline to use an algorithm. In this case, there is no hash function and the message is not authenticated.

MD5
• The two parties may choose MD5 as the hash algorithm. In this case, MD5 with a 128-bit digest is used.

SHA-1
• The two parties may choose SHA as the hash algorithm. In this case, SHA-1 with a 160-bit digest is used.

5. Cipher Suite

• The combination of key exchange, hash, and encryption algorithms defines a cipher suite for each SSL session, for example SSL_RSA_WITH_3DES_EDE_CBC_SHA (RSA key exchange, 3DES-CBC encryption, SHA-1 MAC).

6. Compression Algorithms

• Compression is optional in SSLv3.
• No specific compression algorithm is defined for SSLv3. Therefore, the default compression method is NULL.

7. Cryptographic Parameter Generation

• SSL needs six cryptographic secrets (4 keys and 2 IVs).
• The client needs one key for the MAC, one key for encryption and one IV for block encryption. The server needs the same.
• The parameters are generated using the following procedure:
  1. The client and server exchange two random numbers (one generated by each side, carried in the ClientHello and ServerHello messages).
  2. The client and server exchange one pre-master secret using one of the key-exchange algorithms.
  3. A 48-byte master secret is created from the pre-master secret by applying two hash functions (SHA-1 and MD5).


  4. The master secret is used to create variable-length key material by applying the same set of hash functions and prepending different constants ("A", "BB", "CCC", ...).
• Figure: calculation of the master secret from the pre-master secret.

  5. Six different keys are extracted from the key material, in this order: client write MAC secret, server write MAC secret, client write key, server write key, client write IV, server write IV.
• Figure: extraction of cryptographic secrets from the key material.

8. Sessions and Connections

• In a session, one party has the role of a client and the other the role of a server; in a connection, both parties have equal roles, they are peers.
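The five-step procedure of section 7 (master secret from the pre-master secret, key block from the master secret, extraction of the six secrets) is short enough to implement exactly as SSL 3.0 specifies it. The block below is an added example, not code from the slides or from any TLS library; the only assumptions are the secret lengths, which are taken from the 3DES_EDE_CBC / SHA-1 cipher suite (20-byte MAC secrets, 24-byte keys, 8-byte IVs), and the constructed test inputs.

```python
"""Added example (not the page's code): SSL 3.0 master secret, key block and
extraction of the six secrets, plus the read/write view of each side."""
import hashlib


def _md5(data):
    return hashlib.md5(data).digest()


def _sha1(data):
    return hashlib.sha1(data).digest()


def ssl3_master_secret(pre_master, client_random, server_random):
    """Step 3: 48 bytes = MD5(pre || SHA1("A" || pre || cr || sr)) || MD5(... "BB" ...) || MD5(... "CCC" ...)."""
    out = b""
    for label in (b"A", b"BB", b"CCC"):
        out += _md5(pre_master + _sha1(label + pre_master + client_random + server_random))
    return out


def ssl3_key_block(master_secret, client_random, server_random, length):
    """Step 4: same construction with labels "A", "BB", "CCC", "DDDD", ... until enough bytes.
    Note the randoms swap order relative to the master-secret computation (server first)."""
    out, i = b"", 0
    while len(out) < length:
        label = bytes([ord("A") + i]) * (i + 1)
        out += _md5(master_secret + _sha1(label + master_secret + server_random + client_random))
        i += 1
    return out[:length]


def extract_secrets(key_block, mac_len, key_len, iv_len):
    """Step 5: slice the key block into the six secrets in the order SSL 3.0 defines."""
    names = ("client_write_mac_secret", "server_write_mac_secret",
             "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv")
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    secrets, pos = {}, 0
    for name, size in zip(names, sizes):
        secrets[name] = key_block[pos:pos + size]
        pos += size
    return secrets


def derive(pre_master, client_random, server_random, mac_len=20, key_len=24, iv_len=8):
    """Run steps 3 to 5. Lengths default to the 3DES_EDE_CBC / SHA-1 suite (assumption)."""
    master = ssl3_master_secret(pre_master, client_random, server_random)
    block = ssl3_key_block(master, client_random, server_random, 2 * (mac_len + key_len + iv_len))
    return master, extract_secrets(block, mac_len, key_len, iv_len)


def connection_state(secrets, role):
    """One side's connection state: its own write secrets, and the peer's write
    secrets as its read secrets (the client's write key is the server's read key)."""
    me, peer = ("client", "server") if role == "client" else ("server", "client")
    return {
        "write_mac_secret": secrets[me + "_write_mac_secret"],
        "read_mac_secret": secrets[peer + "_write_mac_secret"],
        "write_key": secrets[me + "_write_key"],
        "read_key": secrets[peer + "_write_key"],
        "write_iv": secrets[me + "_write_iv"],
        "read_iv": secrets[peer + "_write_iv"],
    }
```

Swapping the client and server randoms produces a different master secret, which is why both randoms are authenticated by the Finished messages: an attacker who could alter either one would force different keys on the two sides and the handshake would fail rather than silently agree.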


• Session state parameters: session identifier, peer certificate, compression method, cipher spec, master secret, and an "is resumable" flag.
• Connection state parameters: server and client random numbers, server and client write MAC secrets, server and client write keys, initialization vectors, and sequence numbers.
• The client and the server each have six different cryptographic secrets: three read secrets and three write secrets.
• The read secrets for the client are the same as the write secrets for the server and vice versa.


Four Protocols

• We have discussed the idea of SSL without showing how SSL accomplishes its tasks.
• SSL defines four protocols in two layers: the Record Protocol in the lower layer, and the Handshake, ChangeCipherSpec and Alert Protocols (alongside application data) on top of it.
• Topics in this section:
  1. Handshake Protocol
  2. ChangeCipherSpec Protocol
  3. Alert Protocol
  4. Record Protocol

Handshake Protocol

• It uses messages to negotiate the cipher suite, to authenticate the server to the client, and the client to the server if needed.
• It also exchanges the information needed for building the cryptographic secrets.
• Phase I of the Handshake Protocol: establishing security capabilities (ClientHello and ServerHello).


• After Phase I, the client and server know the following:
  ❏ The version of SSL
  ❏ The algorithms for key exchange, message authentication, and encryption
  ❏ The compression method
  ❏ The two random numbers for key generation
• Phase II of the Handshake Protocol: server key exchange and server authentication (Certificate, ServerKeyExchange, CertificateRequest, ServerHelloDone).

• Four cases in Phase II (RSA, anonymous DH, ephemeral DH, fixed DH), which determine whether the server sends a Certificate message, a ServerKeyExchange message, or both.
• After Phase II,
  ❏ The server is authenticated to the client.
  ❏ The client knows the public key of the server if required.


• Phase III of the Handshake Protocol: client key exchange and client authentication (Certificate, ClientKeyExchange, CertificateVerify).
• After Phase III,
  ❏ The client is authenticated to the server (only if the server requested client authentication).
  ❏ Both the client and the server know the pre-master secret.

• Four cases in Phase III: the ClientKeyExchange message carries the RSA-encrypted pre-master secret, or the client's DH public value (anonymous or ephemeral DH), or is empty when the client's fixed DH value is already in its certificate.
• Phase IV of the Handshake Protocol: finalizing and finishing (ChangeCipherSpec and Finished in each direction).


• After Phase IV, the client and server are ready to exchange data.

ChangeCipherSpec Protocol

• In the Handshake Protocol the generation of cryptographic secrets and the negotiation of the cipher suite are done.
• SSL mandates that the parties not use these secrets until they have sent or received a special message, the ChangeCipherSpec message.
• This message is exchanged during the Handshake Protocol and is defined under the ChangeCipherSpec Protocol.
• The sender and the receiver each have two states: a pending state and an active state.
• Pending state: keeps track of the secrets and parameters negotiated so far.
• Active state: holds the parameters and secrets used by the Record Protocol to sign/verify and encrypt/decrypt messages.
• This protocol defines the process of moving values between the pending and active states: sending ChangeCipherSpec moves the pending write state into the active write state; receiving it moves the pending read state into the active read state.
• Figure: ChangeCipherSpec Protocol.

Alert Protocol
• SSL uses the Alert Protocol for reporting errors and abnormal conditions. Each alert carries a level (warning or fatal) and a description; a fatal alert terminates the connection.


Record Protocol

• The Record Protocol carries messages from the upper layer.
• The message is fragmented and optionally compressed.
• A MAC is added to the compressed message using the negotiated hash algorithm.
• The compressed fragment and the MAC are encrypted using the negotiated encryption algorithm.
• Finally an SSL header is added to the encrypted message.
• Message format: a 5-byte header (content type, major version, minor version, 16-bit length) followed by the protected fragment. Refer to the textbook for the figure.
• Calculation of the MAC (SSLv3): hash(MAC_write_secret || pad_2 || hash(MAC_write_secret || pad_1 || seq_num || type || length || fragment)), where pad_1 is the byte 0x36 and pad_2 the byte 0x5c, each repeated 48 times for MD5 and 40 times for SHA-1. This is not HMAC; TLS replaced it with HMAC.
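The record-layer pipeline (fragment, compress, MAC, encrypt, frame) and the SSLv3 MAC formula above can be run end to end. The block below is an added example, not code from the slides or from any SSL implementation; to keep the MAC and framing visible it assumes NULL compression and the NULL cipher, so the "ciphertext" is simply fragment || MAC, and the key and data are constructed.

```python
"""Added example (not the page's code): SSL 3.0 record protocol for application
data with NULL compression and NULL encryption, and the SSLv3 keyed-hash MAC."""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2**14              # at most 16,384 bytes of plaintext per record
CONTENT_APPLICATION_DATA = 23
SSL3_VERSION = (3, 0)
_PAD_LEN = {"md5": 48, "sha1": 40}   # repeat counts for pad_1 (0x36) and pad_2 (0x5c)


def ssl3_mac(mac_secret, seq_num, content_type, fragment, hash_name="sha1"):
    """hash(secret || pad_2 || hash(secret || pad_1 || seq_num || type || length || fragment))."""
    n = _PAD_LEN[hash_name]
    inner = hashlib.new(hash_name)
    inner.update(mac_secret + b"\x36" * n)
    inner.update(struct.pack(">QBH", seq_num, content_type, len(fragment)) + fragment)
    outer = hashlib.new(hash_name)
    outer.update(mac_secret + b"\x5c" * n + inner.digest())
    return outer.digest()


def fragment(data):
    """Step 1: split into blocks of 2^14 bytes or less."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)]


def build_records(data, mac_secret, first_seq=0, hash_name="sha1"):
    """Sender: returns the list of wire records, each header || fragment || MAC.
    Sequence numbers are per connection and direction, never transmitted, and
    start at first_seq (0 right after ChangeCipherSpec)."""
    records = []
    for i, frag in enumerate(fragment(data)):
        seq = first_seq + i
        compressed = frag                                    # NULL compression
        mac = ssl3_mac(mac_secret, seq, CONTENT_APPLICATION_DATA, compressed, hash_name)
        ciphertext = compressed + mac                        # NULL cipher
        header = struct.pack(">BBBH", CONTENT_APPLICATION_DATA, SSL3_VERSION[0], SSL3_VERSION[1], len(ciphertext))
        records.append(header + ciphertext)
    return records


def parse_record(record, mac_secret, seq_num, hash_name="sha1"):
    """Receiver: check the header, recompute the MAC with the expected sequence
    number, compare in constant time and return the fragment."""
    ctype, major, minor, length = struct.unpack(">BBBH", record[:5])
    if (major, minor) != SSL3_VERSION or length != len(record) - 5:
        raise ValueError("bad record header")
    mac_len = hashlib.new(hash_name).digest_size
    body = record[5:]
    frag, mac = body[:-mac_len], body[-mac_len:]
    if not hmac.compare_digest(mac, ssl3_mac(mac_secret, seq_num, ctype, frag, hash_name)):
        raise ValueError("MAC check failed")
    return frag
```

Because the implicit sequence number is part of the MAC input, a record replayed or delivered out of order fails verification even though its bytes are unchanged; the receiver must therefore track the sequence number itself rather than trust anything in the record.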


Transport Layer Security (TLS)

• The Transport Layer Security (TLS) protocol is the IETF standard version of the SSL protocol.
• The two are very similar, with slight differences.
• Topics discussed in this section:
  • Version
  • Cipher Suite
  • Generation of Cryptographic Secrets
  • Alert Protocol
  • Handshake Protocol
  • Record Protocol

Version

• The first difference is the version number (major and minor).
• The last version of SSL is 3.0. TLS 1.0 identifies itself as version 3.1, i.e. as a minor revision of SSLv3.0; the two do not interoperate directly (RFC 2246), but an implementation that supports both can fall back from TLS 1.0 to SSL 3.0 during negotiation.
• Later versions are TLS 1.1 (3.2), TLS 1.2 (3.3) and TLS 1.3 (RFC 8446), which is the current version. SSL 3.0 (RFC 7568) and TLS 1.0/1.1 (RFC 8996) are deprecated and should be disabled.

Cipher Suite

• Another minor difference between SSL and TLS is the lack of support for the Fortezza method.
• TLS does not support Fortezza for key exchange or for encryption/decryption.
• The table in the textbook shows the cipher suite list for TLS 1.0 (without export entries); suite names follow the pattern TLS_<key exchange>_WITH_<cipher>_<hash>.


Generation of Cryptographic Secrets

• Data Expansion Function: P_hash(secret, seed) = HMAC_hash(secret, A(1) || seed) || HMAC_hash(secret, A(2) || seed) || ..., where A(0) = seed and A(i) = HMAC_hash(secret, A(i-1)); as many iterations as needed to produce the required number of bytes.
• Pseudorandom Function (PRF): in TLS 1.0 the secret is split into two halves S1 and S2 (overlapping by one byte if the length is odd) and PRF(secret, label, seed) = P_MD5(S1, label || seed) XOR P_SHA-1(S2, label || seed).
• Pre-master secret: the generation of the pre-master secret in TLS is exactly the same as in SSL.
• Master secret: TLS uses the PRF to create the 48-byte master secret from the pre-master secret; the label is "master secret" and the seed is the client random followed by the server random.
• Key material: TLS uses the PRF to create the key material from the master secret. This time the secret is the master secret, the label is "key expansion" and the seed is the server random followed by the client random.


Alert Protocol

• TLS supports all of the alerts defined in SSL except for NoCertificate.
• TLS also adds some new ones to the list (for example decryption_failed, record_overflow, unknown_ca, access_denied, decode_error, decrypt_error, protocol_version, insufficient_security, internal_error, user_canceled and no_renegotiation).
• The table in the textbook shows the full list of alerts supported by TLS.

Handshake Protocol

• CertificateVerify message: in TLS the client signs the hash of all handshake messages exchanged so far (MD5 and SHA-1 in TLS 1.0) directly, without the SSLv3 pad values.
• Hash for the Finished message in TLS: PRF(master_secret, finished_label, MD5(handshake_messages) || SHA-1(handshake_messages)) truncated to 12 bytes, where finished_label is "client finished" or "server finished".


Record Protocol

• HMAC for TLS: the record MAC is standard HMAC (RFC 2104) computed over seq_num || type || version || length || fragment, keyed with the MAC write secret, replacing the SSLv3 keyed hash.

IP Security

• Why IP Security?
  • The need to secure the network infrastructure from unauthorized monitoring and control of network traffic.
  • The need to secure end-user-to-end-user traffic using authentication and encryption mechanisms.
• Protocols: the IAB included authentication and encryption as necessary security features in IPv6; the same mechanisms (IPsec) are also usable with IPv4.

Applications of IPsec

  1. Secure branch office connectivity over the Internet
  2. Secure remote access over the Internet
  3. Establishing extranet and intranet connectivity with partners
  4. Enhancing electronic commerce security
• The principal feature of IPsec that enables it to support these varied applications is that it can encrypt and/or authenticate all traffic at the IP level.
• Thus, all distributed applications (including remote logon, client/server, email, file transfer, Web access, and so on) can be secured.

IPsec Documents

• IPsec encompasses three functional areas: authentication, confidentiality and key management.
• The documents are categorized into the following groups:
  • Architecture
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • Internet Key Exchange (IKE)
  • Cryptographic algorithms
  • Other: There are a variety of other IPsec-related RFCs, including those dealing with security policy and management information base (MIB) content.


IPsec Services

• Two protocols are used to provide security:
  • Authentication Header (AH): an authentication protocol designated by the header of the protocol.
  • Encapsulating Security Payload (ESP): a combined encryption/authentication protocol designated by the format of the packet for that protocol.
• Services:
  • Access control
  • Connectionless integrity
  • Data origin authentication
  • Rejection of replayed packets (a form of partial sequence integrity)
  • Confidentiality (encryption)
  • Limited traffic-flow confidentiality

IP Security Policy / IP Architecture

• IPsec policy is determined primarily by the interaction of two databases:
  • the Security Association Database (SAD), and
  • the Security Policy Database (SPD).

1. Security Associations

• A security association (SA) is a one-way logical connection between a sender and a receiver that affords security services to the traffic carried on it. Two-way traffic therefore needs two SAs, one in each direction.
• A security association is uniquely identified by three parameters:
  • Security Parameters Index (SPI): carried in the AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.
  • IP Destination Address
  • Security Protocol Identifier (AH or ESP)

2. Security Association Database

• The SAD defines the parameters associated with each SA.
• A security association is normally defined by the following parameters in an SAD entry:
  • Security Parameters Index
  • Sequence Number Counter
  • Sequence Counter Overflow flag
  • Anti-Replay Window
  • AH Information
  • ESP Information
  • Lifetime of this Security Association
  • IPsec Protocol Mode: tunnel, transport, or wildcard
  • Path MTU


3. Security Policy Database

• The means by which IP traffic is related to specific SAs is the nominal Security Policy Database (SPD).
• Each SPD entry is defined by a set of IP and upper-layer protocol field values, called selectors:
  • Remote IP Address
  • Local IP Address
  • Next Layer Protocol
  • Name
  • Local and Remote Ports
• In effect, these selectors are used to filter outgoing traffic in order to map it into a particular SA.
• Outbound processing obeys the following general sequence for each IP packet:
  1. Compare the values of the appropriate fields in the packet (the selector fields) against the SPD to find a matching SPD entry, which will point to zero or more SAs.
  2. Determine the SA, if any, for this packet and its associated SPI. If the entry requires protection but no SA exists yet, one must first be negotiated (IKE) before the packet can be sent.
  3. Do the required IPsec processing (i.e., AH or ESP processing).
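The outbound sequence above, together with the SA identification triple and the SAD fields from the previous slides, can be exercised with a small in-memory policy engine. The block below is an added example, not code from the slides or from any IPsec implementation (real stacks keep these tables in the kernel, e.g. Linux XFRM, and fill the SAD through IKE): the SPD entries, SAD entry, addresses, ports, SPIs and lifetimes are all constructed for the example.

```python
"""Added example (not the page's code): outbound IPsec policy lookup against
a constructed SPD and SAD, with the sequence-counter and lifetime checks."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SEQ_MAX = 2**32 - 1   # 32-bit ESP/AH sequence number; must never wrap


@dataclass
class SAEntry:
    """One SAD entry, identified by (SPI, destination address, protocol)."""
    spi: int
    dst: str
    protocol: str                  # "ESP" or "AH"
    mode: str                      # "tunnel" or "transport"
    seq: int = 0                   # sequence number counter (sender side)
    lifetime_bytes: int = 10**9    # lifetime expressed in bytes protected
    bytes_used: int = 0
    path_mtu: int = 1500

    def key(self):
        return (self.spi, self.dst, self.protocol)


@dataclass
class SPDEntry:
    """One SPD entry: selectors, the action, and the SAs it points to (zero or more)."""
    remote: str                                   # CIDR for the remote address
    local: str                                    # CIDR for the local address
    next_layer_protocol: Optional[str]            # "tcp", "udp", ... or None for any
    remote_ports: Optional[Tuple[int, int]] = None
    local_ports: Optional[Tuple[int, int]] = None
    action: str = "PROTECT"                       # PROTECT, BYPASS or DISCARD
    sa_ids: List[tuple] = field(default_factory=list)   # (spi, dst, protocol) keys into the SAD


def _port_ok(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def selectors_match(entry, pkt):
    """pkt: dict with src, dst, proto, sport, dport, length."""
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(entry.local)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(entry.remote)
            and (entry.next_layer_protocol is None or entry.next_layer_protocol == pkt["proto"])
            and _port_ok(entry.local_ports, pkt.get("sport"))
            and _port_ok(entry.remote_ports, pkt.get("dport")))


def outbound(pkt, spd, sad):
    """Steps 1-3 of outbound processing. Returns (decision, sa) where decision is
    DISCARD, BYPASS, PROTECT (apply sa), NEGOTIATE (policy wants protection but
    no SA exists yet) or REKEY (the SA's counter would wrap or its lifetime is spent)."""
    entry = next((e for e in spd if selectors_match(e, pkt)), None)   # first match wins (ordered SPD)
    if entry is None or entry.action == "DISCARD":
        return "DISCARD", None                       # default deny when nothing matches
    if entry.action == "BYPASS":
        return "BYPASS", None
    sa = next((sad[k] for k in entry.sa_ids if k in sad), None)
    if sa is None:
        return "NEGOTIATE", None
    if sa.seq >= SEQ_MAX or sa.bytes_used + pkt["length"] > sa.lifetime_bytes:
        return "REKEY", sa                           # sequence counter overflow or lifetime exhausted
    sa.seq += 1
    sa.bytes_used += pkt["length"]
    return "PROTECT", sa


def build_example_databases():
    """Constructed policy: protect 10.0.1.0/24 -> 10.0.2.0/24 with an ESP tunnel to
    gateway 203.0.113.2, bypass DNS to the local resolver, discard everything else."""
    sa = SAEntry(spi=0x1001, dst="203.0.113.2", protocol="ESP", mode="tunnel", lifetime_bytes=10_000)
    sad = {sa.key(): sa}
    spd = [
        SPDEntry("10.0.2.0/24", "10.0.1.0/24", None, action="PROTECT", sa_ids=[sa.key()]),
        SPDEntry("10.0.9.0/24", "10.0.1.0/24", None, action="PROTECT",
                 sa_ids=[(0x2002, "203.0.113.9", "ESP")]),        # policy exists, SA not yet negotiated
        SPDEntry("10.0.1.53/32", "10.0.1.0/24", "udp", remote_ports=(53, 53), action="BYPASS"),
        SPDEntry("0.0.0.0/0", "0.0.0.0/0", None, action="DISCARD"),
    ]
    return spd, sad
```

Two points the slides leave implicit are made explicit here: the SPD is ordered and the first matching entry wins, so the catch-all DISCARD must be last; and the sender refuses to send once the sequence counter would wrap or the lifetime is exhausted, because reuse of a sequence number under the same key defeats the receiver's anti-replay check.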

4. IP Traffic Processing

• Outbound packets: the SPD lookup decides DISCARD, BYPASS (send in the clear) or PROTECT (apply the matching SA, creating one via IKE if necessary).
• Inbound packets: a packet carrying AH/ESP is matched to its SA in the SAD by (SPI, destination address, protocol), verified and decapsulated, and the result is then checked against the SPD; a packet without AH/ESP is checked against the SPD to decide whether it may be accepted in the clear (BYPASS) or must be discarded.


Encapsulating Security Payload

• ESP can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and (limited) traffic-flow confidentiality.
• ESP format:
  • Security Parameters Index (32 bits)
  • Sequence Number (32 bits)
  • Payload Data (variable)
  • Padding (0-255 bytes)
  • Pad Length (8 bits)
  • Next Header (8 bits)
  • Integrity Check Value (ICV, variable)
• Two additional fields may be present inside the Payload Data field:
  • Initialization value (IV)
  • Traffic Flow Confidentiality (TFC) padding
• Combined mode algorithm (e.g., AES-GCM): the algorithm itself is expected to return both the decrypted plaintext and a pass/fail indication for the integrity check. The ICV field may then be omitted.
• Figure: ESP in tunnel mode.

1. Encryption and Authentication Algorithms

• The Payload Data, Padding, Pad Length, and Next Header fields are encrypted by the ESP service.
• If the algorithm used to encrypt the payload requires cryptographic synchronization data, such as an initialization vector (IV), then these data may be carried explicitly at the beginning of the Payload Data field.
• The ICV field is optional. It is present only if the integrity service is selected and is provided by either a separate integrity algorithm or a combined-mode algorithm that uses an ICV.
• The ICV is computed over the SPI, the Sequence Number and the encrypted fields, so the receiver verifies it before decrypting.

2. Padding

• The Padding field serves several purposes:
  • If an encryption algorithm requires the plaintext to be a multiple of some number of bytes (e.g., a multiple of a single block for a block cipher), the Padding field is used to expand the plaintext (consisting of the Payload Data, Padding, Pad Length, and Next Header fields) to the required length.
  • The ESP format requires that the Pad Length and Next Header fields be right-aligned within a 32-bit word. Equivalently, the ciphertext must be an integer multiple of 32 bits. The Padding field is used to assure this alignment.
  • Additional padding may be added to provide partial traffic-flow confidentiality by concealing the actual length of the payload.


3. Anti-Replay Service

• A replay attack is one in which an attacker obtains a copy of an authenticated packet and later transmits it to the intended destination.
• ESP counters this with the 32-bit Sequence Number, which the sender increments for every packet on an SA and never allows to wrap (a new SA must be negotiated instead), and a sliding window at the receiver (default size 64) that rejects sequence numbers already seen or older than the window's left edge. A sequence number is only marked as seen after the packet's ICV has verified, so forged packets cannot poison the window.

4. Transport and Tunnel Modes

• Both AH and ESP support two modes of use:
  • Transport mode
  • Tunnel mode

4.A Transport Mode ESP
• Provides protection only to the payload (the upper-layer protocol data); the original IP header stays in the clear.

4.B Tunnel Mode ESP
• Provides protection to the entire original packet, which becomes the payload of a new outer IP packet with a new IP header; this is the mode used between VPN gateways.
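The ESP format, the padding rules of section 2 and the anti-replay service of section 3 fit together in one packet builder and parser. The block below is an added example, not code from the slides or from any IPsec implementation. So the layout stays visible and the block runs offline it assumes ESP-NULL encryption (RFC 2410), under which Payload Data, Padding, Pad Length and Next Header travel in the clear, HMAC-SHA1-96 for the ICV (RFC 2404) and a 64-packet receiver window as in RFC 4303; the key and payloads are constructed.

```python
"""Added example (not the page's code): ESP packet with default padding,
HMAC-SHA1-96 ICV and a receiver anti-replay window, using ESP-NULL encryption."""
import hashlib
import hmac
import math
import struct

ICV_LEN = 12   # HMAC-SHA1-96


def esp_pad(payload, next_header, block_size=16):
    """Append Padding, Pad Length and Next Header so that the encrypted region is a
    multiple of the cipher block size and of 4 bytes (Pad Length and Next Header
    end on a 32-bit boundary). Pad bytes are 1, 2, 3, ... as RFC 4303 specifies."""
    unit = block_size * 4 // math.gcd(block_size, 4)          # lcm(block_size, 4)
    pad_len = (-(len(payload) + 2)) % unit
    return payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def esp_build(spi, seq, payload, next_header, auth_key, block_size=16):
    """SPI || Sequence Number || Payload Data || Padding || Pad Length || Next Header || ICV."""
    if not 1 <= seq <= 0xFFFFFFFF:
        raise ValueError("sequence number out of range: rekey instead of wrapping")
    body = struct.pack(">II", spi, seq) + esp_pad(payload, next_header, block_size)   # NULL cipher
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class ReplayWindow:
    """Receiver-side sliding window. Bit i of `bitmap` set means that sequence
    number (top - i) has already been accepted; bit 0 is the right edge."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def is_acceptable(self, seq):
        if seq == 0 or seq > 0xFFFFFFFF:
            return False
        if seq > self.top:
            return True                               # new high-water mark
        offset = self.top - seq
        if offset >= self.size:
            return False                              # left of the window: too old
        return not (self.bitmap >> offset) & 1        # inside the window: must be unseen

    def accept(self, seq):
        """Mark seq as received. Call only after the ICV has been verified."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = (((self.bitmap << shift) & mask) | 1) if shift < self.size else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def esp_parse(packet, auth_key, window):
    """Receiver order: cheap window pre-check, ICV verification, window update,
    then strip and validate the padding. Returns (spi, seq, next_header, payload)."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack(">II", body[:8])
    if not window.is_acceptable(seq):
        raise ValueError("replayed or stale sequence number %d" % seq)
    if not hmac.compare_digest(icv, hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]):
        raise ValueError("ICV check failed")
    window.accept(seq)                                # only after a good ICV
    plain = body[8:]                                  # NULL decryption
    pad_len, next_header = plain[-2], plain[-1]
    if pad_len > len(plain) - 2 or plain[len(plain) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return spi, seq, next_header, plain[:len(plain) - 2 - pad_len]
```

Two details matter in practice and are easy to get wrong: the window is updated only after the ICV verifies, otherwise an attacker could send garbage with high sequence numbers and push the receiver's window past the genuine traffic; and the padding check runs after integrity verification, so there is no padding-oracle surface for a forger to probe.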


5. Tunnel Mode and VPN

• Figure: transport mode vs. tunnel mode.
• Figure: protocol operations of ESP.
