
Unit 3

Chapter 3 discusses transport-level security, focusing on web security considerations, SSL architecture, and the implementation of HTTPS. It outlines the importance of secure communication protocols like SSL and TLS, detailing their functionalities and cryptographic mechanisms. Additionally, it covers SSH as a secure method for network communications, including authentication methods and connection protocols.

Uploaded by sauravverse
Copyright © All Rights Reserved

Chapter 3

Transport-Level Security
We cannot enter into alliance with
neighboring princes until we are acquainted
with their designs.

—The Art of War, Sun Tzu


Web Security Considerations

• The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets
• The following characteristics of Web usage suggest the need for tailored security tools:
  • Web servers are relatively easy to configure and manage
  • Web content is increasingly easy to develop
  • The underlying software is extraordinarily complex
    • May hide many potential security flaws
• A Web server can be exploited as a launching pad into the corporation’s or agency’s entire computer complex
• Casual and untrained (in security matters) users are common clients for Web-based services
  • Such users are not necessarily aware of the security risks that exist and do not have the tools or knowledge to take effective countermeasures
Table 6.1 A Comparison of Threats on the Web
Secure Sockets Layer (SSL)

• One of the most widely used security services


• A general purpose service implemented as a set of protocols that
rely on TCP
• Could be provided as part of the underlying protocol suite and therefore
be transparent to applications
• Can be embedded in specific packages
SSL Architecture

• Two important SSL concepts are:

SSL connection
• A transport that provides a suitable type of service
• For SSL such connections are peer-to-peer relationships
• Connections are transient
• Every connection is associated with one session

SSL session
• An association between a client and a server
• Created by the Handshake Protocol
• Define a set of cryptographic security parameters which can be shared among multiple connections
• Are used to avoid the expensive negotiation of new security parameters for each connection
A session state is defined by the following parameters:

Session identifier
• An arbitrary byte sequence chosen by the server to identify an active or resumable session state

Peer certificate
• An X509.v3 certificate of the peer; this element of the state may be null

Compression method
• The algorithm used to compress data prior to encryption

Cipher spec
• Specifies the bulk data encryption algorithm and a hash algorithm used for MAC calculation; also defines cryptographic attributes such as the hash_size

Master secret
• 48-byte secret shared between the client and the server

Is resumable
• A flag indicating whether the session can be used to initiate new connections
A connection state is defined by the following parameters:

Server and client random
• Byte sequences that are chosen by the server and client for each connection

Server write MAC secret
• The secret key used in MAC operations on data sent by the server

Client write MAC secret
• The secret key used in MAC operations on data sent by the client

Server write key
• The secret encryption key for data encrypted by the server and decrypted by the client

Client write key
• The symmetric encryption key for data encrypted by the client and decrypted by the server

Initialization vectors
• When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key
• This field is first initialized by the SSL Handshake Protocol
• The final ciphertext block from each record is preserved for use as the IV with the following record

Sequence numbers
• Each party maintains separate sequence numbers for transmitted and received messages for each connection
• When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero
• Sequence numbers may not exceed 2^64 - 1
SSL Record Protocol

The SSL Record Protocol provides two services for SSL connections

Confidentiality
• The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads

Message integrity
• The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC)
Table 6.2 SSL Handshake Protocol Message Types
Cryptographic Computations

• Two further items are of interest:


• The creation of a shared master secret by means of the key exchange
• The shared master secret is a one-time 48-byte value generated for this session by
means of secure key exchange

• The generation of cryptographic parameters from the master secret


• CipherSpecs require a client write MAC secret, a server write MAC secret, a client
write key, a server write key, a client write IV, and a server write IV which are
generated from the master secret in that order
• These parameters are generated from the master secret by hashing the master secret
into a sequence of secure bytes of sufficient length for all needed parameters
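
The expansion described above, as an added example (not code from the original slides): the slides do not give the hash construction, so this uses the SSLv3 one from RFC 6101, MD5 over the master secret and a SHA-1 of a round label, the master secret and both randoms. The cipher-spec sizes (3DES-CBC with SHA-1) and all input values are constructed assumptions.

```python
import hashlib

# Order in which the key block is carved up, as listed in the slide above.
FIELDS = ("client_write_MAC_secret", "server_write_MAC_secret",
          "client_write_key", "server_write_key",
          "client_write_IV", "server_write_IV")

def ssl3_key_block(master_secret, server_random, client_random, length):
    """Expand the 48-byte master secret into `length` bytes (SSLv3 construction)."""
    if len(master_secret) != 48:
        raise ValueError("SSL master secret must be 48 bytes")
    block = b""
    round_no = 1
    while len(block) < length:
        label = bytes([ord("A") + round_no - 1]) * round_no   # b"A", b"BB", b"CCC", ...
        inner = hashlib.sha1(label + master_secret +
                             server_random + client_random).digest()
        block += hashlib.md5(master_secret + inner).digest()  # 16 bytes per round
        round_no += 1
    return block[:length]

def derive_params(master_secret, server_random, client_random,
                  mac_len=20, key_len=24, iv_len=8):
    """Slice the key block into the six connection-state secrets, in order.

    Default sizes are an assumption: a 3DES-CBC / SHA-1 cipher spec.
    """
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    block = ssl3_key_block(master_secret, server_random, client_random, sum(sizes))
    params, offset = {}, 0
    for name, size in zip(FIELDS, sizes):
        params[name] = block[offset:offset + size]
        offset += size
    return params

# Constructed sample inputs (not real handshake values).
MASTER = bytes(range(48))
SERVER_RANDOM = b"\x01" * 32
CLIENT_RANDOM = b"\x02" * 32

if __name__ == "__main__":
    for name, value in derive_params(MASTER, SERVER_RANDOM, CLIENT_RANDOM).items():
        print(f"{name:26s} {len(value):2d} bytes  {value.hex()}")
```

Both peers run the same expansion over the same inputs, which is why no key material beyond the key exchange itself has to cross the wire.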
Transport Layer Security (TLS)

• An IETF standardization initiative whose goal is to produce an Internet standard version of SSL
• Is defined as a Proposed Internet Standard in RFC 5246
• RFC 5246 is very similar to SSLv3

Differences include:
• Version number
• Message Authentication Code
• Pseudorandom function
• Alert codes
• Cipher suites
• Client certificate types
• Certificate_verify and Finished Messages
• Cryptographic computations
• Padding
HTTPS
(HTTP over SSL)
• Refers to the combination of HTTP and SSL to implement secure
communication between a Web browser and a Web server
• The HTTPS capability is built into all modern Web browsers
• A user of a Web browser will see URL addresses that begin with
https:// rather than http://
• If HTTPS is specified, port 443 is used, which invokes SSL
• Documented in RFC 2818, HTTP Over TLS
• There is no fundamental change in using HTTP over either SSL or TLS and
both implementations are referred to as HTTPS
• When HTTPS is used, the following elements of the communication
are encrypted:
• URL of the requested document
• Contents of the document
• Contents of browser forms
• Cookies sent from browser to server and from server to browser
• Contents of HTTP header
Connection Initiation

For HTTPS, the agent acting as the HTTP client also acts as the TLS client
• The client initiates a connection to the server on the appropriate port and then sends the TLS ClientHello to begin the TLS handshake
• When the TLS handshake has finished, the client may then initiate the first HTTP request
• All HTTP data is to be sent as TLS application data

There are three levels of awareness of a connection in HTTPS:
• At the HTTP level, an HTTP client requests a connection to an HTTP server by sending a connection request to the next lowest layer
  • Typically the next lowest layer is TCP, but it may also be TLS/SSL
• At the level of TLS, a session is established between a TLS client and a TLS server
  • This session can support one or more connections at any time
• A TLS request to establish a connection begins with the establishment of a TCP connection between the TCP entity on the client side and the TCP entity on the server side
Connection Closure

• An HTTP client or server can indicate the closing of a connection
by including the line Connection: close in an HTTP record
• The closure of an HTTPS connection requires that TLS close the
connection with the peer TLS entity on the remote side, which will
involve closing the underlying TCP connection
• TLS implementations must initiate an exchange of closure alerts
before closing a connection
• A TLS implementation may, after sending a closure alert, close the
connection without waiting for the peer to send its closure alert,
generating an “incomplete close”
• An unannounced TCP closure could be evidence of some sort of
attack so the HTTPS client should issue some sort of security
warning when this occurs
Secure Shell (SSH)

• A protocol for secure network communications designed to be relatively simple and inexpensive to implement
• The initial version, SSH1, was focused on providing a secure remote logon facility to replace TELNET and other remote logon schemes that provided no security
• SSH2 fixes a number of security flaws in the original scheme
  • Is documented as a proposed standard in IETF RFCs 4250 through 4256
• SSH also provides a more general client/server capability and can be used for such network functions as file transfer and e-mail
• SSH client and server applications are widely available for most operating systems
  • Has become the method of choice for remote login and X tunneling
  • Is rapidly becoming one of the most pervasive applications for encryption technology outside of embedded systems
Transport Layer Protocol

• Server authentication occurs at the transport layer, based on the server
possessing a public/private key pair
• A server may have multiple host keys using multiple different asymmetric
encryption algorithms
• Multiple hosts may share the same host key
• The server host key is used during key exchange to authenticate the
identity of the host
• RFC 4251 dictates two alternative trust models:
• The client has a local database that associates each host name with the
corresponding public host key
• The host name-to-key association is certified by a trusted certification authority
(CA); the client only knows the CA root key and can verify the validity of all host keys
certified by accepted CAs
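
The first trust model above (a local host-name-to-key database), as an added example that is not part of the original slides: it parses known_hosts-style lines and classifies a presented host key as a match, a changed key, or an unknown host. The host names and key bytes are constructed; marker lines and hashed host names are ignored here as a simplifying assumption.

```python
import base64
import hashlib
import struct

def ssh_string(data):
    """Encode bytes as an SSH 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data

def fingerprint(key_blob):
    """SHA-256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Build {(host, key_type): {key_blob, ...}} from known_hosts-style lines."""
    db = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments and marker lines (@cert-authority, @revoked).
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        hosts, key_type, b64_key = fields[:3]
        for host in hosts.split(","):
            db.setdefault((host, key_type), set()).add(base64.b64decode(b64_key))
    return db

def check_host_key(db, host, key_type, presented_blob):
    """Return 'match', 'changed' (possible impersonation) or 'unknown'."""
    known = db.get((host, key_type))
    if known is None:
        return "unknown"
    return "match" if presented_blob in known else "changed"

# Constructed sample: two Ed25519-format key blobs with made-up key bytes.
KEY_A = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
KEY_B = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))
KNOWN_HOSTS = ("# constructed sample database\n"
               "server.example.com,192.0.2.10 ssh-ed25519 "
               + base64.b64encode(KEY_A).decode() + " sample\n")
DB = parse_known_hosts(KNOWN_HOSTS)
```

A "changed" result is the case a client should refuse by default, and an "unknown" host is where the fingerprint is compared against a value obtained out of band before the key is stored.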
Table 6.3 SSH Transport Layer Cryptographic Algorithms
* = Required
** = Recommended
Authentication Methods

Publickey

• The client sends a message to the server that contains the client’s public
key, with the message signed by the client’s private key
• When the server receives this message, it checks whether the supplied key
is acceptable for authentication and, if so, it checks whether the signature
is correct

Password

• The client sends a message containing a plaintext password, which is
protected by encryption by the Transport Layer Protocol

Hostbased

• Authentication is performed on the client’s host rather than the client itself
• This method works by having the client send a signature created with the
private key of the client host
• Rather than directly verifying the user’s identity, the SSH server verifies the
identity of the client host
Connection Protocol

• The SSH Connection Protocol runs on top of the SSH
Transport Layer Protocol and assumes that a secure
authentication connection is in use
• The secure authentication connection, referred to as a
tunnel, is used by the Connection Protocol to multiplex a
number of logical channels
• Channel mechanism
• All types of communication using SSH are supported using
separate channels
• Either side may open a channel
• For each channel, each side associates a unique channel
number
• Channels are flow controlled using a window mechanism
• No data may be sent to a channel until a message is received
to indicate that window space is available
• The life of a channel progresses through three stages:
opening a channel, data transfer, and closing a channel
Channel Types
Four channel types are recognized in the SSH Connection Protocol specification

Session
• The remote execution of a program
• The program may be a shell, an application such as file transfer or e-mail, a system command,
or some built-in subsystem
• Once a session channel is opened, subsequent requests are used to start the remote program

X11
• Refers to the X Window System, a computer software system and network protocol that
provides a graphical user interface (GUI) for networked computers
• X allows applications to run on a network server but to be displayed on a desktop machine

Forwarded-tcpip
• Remote port forwarding

Direct-tcpip
• Local port forwarding
Port Forwarding

• One of the most useful features of SSH


• Provides the ability to convert any insecure TCP connection into a
secure SSH connection (also referred to as SSH tunneling)
• Incoming TCP traffic is delivered to the appropriate application on the
basis of the port number (a port is an identifier of a user of TCP)
• An application may employ multiple port numbers
Summary
• Web security considerations
  • Web security threats
  • Web traffic security approaches
• Secure sockets layer
  • SSL architecture
  • SSL record protocol
  • Change cipher spec protocol
  • Alert protocol
  • Handshake protocol
  • Cryptographic computations
• Transport layer security
  • Version number
  • Message authentication code
  • Pseudorandom function
  • Alert codes
  • Cipher suites
  • Client certificate types
  • Certificate_verify and finished messages
  • Cryptographic computations
  • Padding
• HTTPS
  • Connection initiation
  • Connection closure
• Secure shell (SSH)
  • Transport layer protocol
  • User authentication protocol
  • Communication protocol
