|
Stephen A. Thomas
Wave7 Optics
TechOnline
 |
|
Stephen
A. Thomas is chief architect for Wave7 Optics. He
has been actively involved in TCP/IP standards
development for nearly two decades, and has co-authored
and contributed to numerous Internet RFCs.
Mr. Thomas is the author of several books, papers, and
articles. Most notably, he has written IPng and the
TCP/IP Protocols: Implementing the Next Generation
Internet, as well as the recently published SSL and TLS Essentials: Securing
the Web.
|
|
 |
By now, we're getting quite familiar with the staggering
success of the Internet and e-commerce. Millions of people—with
billions of dollars—rely on the Web to execute critical
transactions every day. All of those transactions require
trust. Users trust the authenticity of the Web site; users
trust that their sensitive information remains confidential as
it traverses the Internet and users trust that no malicious
hacker has modified their requests.
Security technology provides that trust. And on the Web, the
Secure Sockets Layer (SSL) protocol is THE security
technology.
If you've ever looked closely at your browser's status bar,
you may have noticed that a padlock icon appears when you're
viewing some Web pages. That icon indicates that SSL has
secured the delivery of that page from the server to your PC.
And if the page is a form, SSL can secure the information you
provide back to the Web site.
Figure 1: The padlock icon in the Web browser
indicates that SSL is securing communications.
What Does SSL Offer?
SSL is not just for Web browsing. It can add security to almost
any network application. Many commercial products rely on SSL
for security, including those for email, news groups,
electronic document interchange, and remote execution.
For all of those applications, SSL provides nearly all the
standard security services, including confidentiality,
authentication, and message integrity.
Confidentiality
Confidentiality is the most well-known security
service. SSL provides confidentiality by encrypting
information that traverses the network. Encryption protects
against eavesdroppers, preventing Charles from reading the
message that Alice sends to Bob. When SSL encrypts Web
sessions, it keeps sensitive information such as passwords,
credit card numbers, and account statements safe from
prying eyes.
Authentication
Although some consider it less glamorous,
authentication is often more important than confidentiality.
Authentication lets communicating parties verify each other's
identity. With authentication services, Bob can be sure that
the message really is from Alice, not from Charles posing as
Alice.
Authentication is an important prerequisite to encryption.
After all, if Charles is able to masquerade as Alice, encrypted
messages that Bob thinks he's sending to Alice will actually go
to Charles. Even though no one will have been able to read the
encrypted messages in transit, Charles will just decrypt them
as part of his masquerade.
For Web browsing and electronic commerce, authentication of
Web sites is a critical security service. Without it, a hacker
could establish a phony site, sit back, and collect credit
cards from unsuspecting users.
Message Integrity
Message integrity is another important security service that SSL provides. It makes sure that Charles isn't able to alter Alice's message while it's in transit. Note that message integrity really is distinct from encryption. In some cases, sophisticated attackers might be able to alter encrypted messages even if they can't decipher their contents. For example, the attacker could simply delete part of the message. SSL, however, lets recipients detect such attacks and respond appropriately.
Public Key Cryptography
One particular technology—public key cryptography—is essential
to the Secure Sockets Layer protocol. Quite simply, without
asymmetric key cryptography (to use its technical name) SSL
could not exist.
In the history of cryptography (which stretches back for
thousands of years), asymmetric key cryptography is quite
recent, having been invented about 30 years ago. Before
asymmetric keys, all cryptography relied on shared keys. Both
parties in a secure communication had to know the same keys.
The challenge with traditional cryptography is key
distribution—how do you distribute, manage, and protect those
secret keys.
Public key cryptography changes the key distribution problem
dramatically. Instead of a single key that both parties share,
public key cryptography relies on a pair of keys. It only takes
one of the keys to encrypt a message, but you can't decrypt the
message unless you know the other key. Because the encryption
key alone will not compromise any message, it can be
distributed publicly, even published in a newspaper.
Public Key Encryption
Figure 5 on the right demonstrates how
public key encryption works. First, Bob creates his pair of
keys. This may require quite a bit of complex calculations, but
that's not a problem with computers. After Bob creates his key
pair, he makes one of those keys publicly available. That's
step 2 in the example. In step 3, Alice wants to send Bob
something secret. To do that, she looks up Bob's public key and
uses that key to encrypt the message. Step 4 shows Alice
sending the encrypted message to Bob. Since nobody knows Bob's
private key, nobody (not even Alice) can decipher this message.
(Of course, Alice probably remembers what it contains.)
Finally, in step 5, Bob receives the message and decrypts it
with his private key.
Authentication with Digital Signatures
Public key cryptography is also a major advance in
authentication technology; it makes digital signatures
possible.
To digitally sign a message, Bob encrypts it
with his private key. He also continues to publish his public
key. When Alice receives the message, she verifies the
signature by decrypting it using Bob's public key. If the
message decrypts successfully, then Alice is sure that Bob's
private key must have encrypted it. And, since only Bob knows
his private key, the message must have really come from
Bob.
Note that the message in this example is not confidential at
all. Anyone can look up Bob's public key and decipher it. If
Bob and Alice want confidentiality and authentication, Bob
should encipher his message with his private key and then
encrypt the result with Alice's public key.
Computational Complexity
Of course, public key cryptography does have some disadvantages. A major one is computational complexity. Public key encryption and decryption can be several orders of magnitude more complex than some symmetric key algorithms.
Solving this problem is actually rather straightforward: use
asymmetric and symmetric algorithms together. Bob begins the
process with asymmetric cryptography; he publishes his public
key.
But Alice does not use that public key to encrypt her
messages. Instead, she generates random numbers. It's those
random numbers that she encrypts with Bob's public key and
sends to Bob. Bob, of course, decrypts those random numbers
with his private key.
Then, in step 5, Alice and Bob use the random numbers Alice
picked as secret keys for symmetric encryption.
In this approach Alice and Bob have to undergo the
computational burden of asymmetric cryptography once—in order
to securely exchange keys for symmetric encryption. From then
on, however, Alice and Bob use more efficient symmetric
algorithms to secure their communications.
Certificate Authorities
Another challenge for public key cryptography is knowing
whether to trust a particular public key. Just because Alice
reads Bob's public key in a newspaper, can she be sure that it
was really Bob that published it? Can she be sure that she's
reading a legitimate newspaper and not some clever forgery that
Charles has printed up?
To create the necessary trust, public keys are distributed
in public key certificates, which are digitally signed by a
certificate authority. In signing a public key certificate, the
certificate authority vouchsafes for the party's identity.
So when Alice examines Bob's public key, she's actually
looking at a public key certificate that's signed by a
certificate authority. Alice can verify the authority's digital
signature and, so long as she trusts the authority, she can
trust Bob's public key.
Now this may seem like nothing more than passing the buck.
After all, in order to verify the certificate's signature,
Alice needs to know the authority's public key. And that means
that she has to trust that public key. Isn't Alice back to
square one?
Fortunately, the answer is no. The problem is the same, but
it's scale is much more manageable. While there are something
like a quarter of a million Web sites today with their own
public keys, there are only around 40 commercial certificate
authorities. The public keys for these certificate authorities
are pre-installed in Web browsers by their vendors.
Figure 8: Certificate authorities are pre-loaded in
Web browsers.
To offer a secure Web site, therefore, the site operator has
its public key certified by one of these established
certificate authorities. A browser that accesses the site may
not know whether it can trust the site itself, but it can trust
the certificate authority that has signed the site's public key
certificate.
The Architecture of SSL
In the Internet protocol architecture, SSL sits between the
Transmission Control Protocol (TCP) and an application like
HTTP.
Figure 9: SSL's protocol architecture inserts
several components between the application and TCP.
The SSL Record Layer is common to all SSL messages. The
record layer provides framing and padding for the other SSL
components, and for the application. The record layer also
identifies the particular SSL component in use for a given
message; each of these components is like a separate mini
protocol.
The handshake component is responsible for the negotiations
that begin an SSL session. As we'll see, the communicating
parties negotiate cryptographic algorithms, operating
parameters, and key sizes.
The Change Cipher component is the simplest SSL component.
There's only one Change Cipher message. It activates the
negotiated security parameters for a session.
The Alert component lets the parties exchange error or
warning information. It can identify problems with the protocol
or potential security problems with the session.
Finally, there's the application itself. In this example
that's HTTP. As the figure shows, the application communicates
directly with the Record Layer which coordinates the TCP socket
interface.
Figure 10 shows how these components contribute to an
SSL message. In this case we're looking at a Client Hello
message, which is part of the Handshake component. This
message, like all SSL messages, begins with the Record Layer
header. As the figure shading indicates, the Record Layer is 5
bytes in size. The first byte—22 in the figure—is the component
identifier for the rest of the message. The value 22 identifies
a Handshake message. The remaining four bytes provide the SSL
version number (3.0 here) and the message length.
Figure 10: An SSL Client Hello message includes
record layer and handshake components.
The Client Hello message itself follows. The first byte
contains the message type. A value of 1 indicates Client Hello.
The rest of the message consists of Handshake and Client Hello
parameters.
SSL Operation
We can see how systems actually use the Client Hello message,
as well as other SSL messages, by looking at the basic SSL
negotiation process. All SSL sessions are established between a
client and a server. The client is the system that initiates
the communication.
Figure 11: The basic SSL negotiation requires the
exchange of nine SSL messages.
The client begins the exchange by sending a Client Hello
message. This message lets the server know that the client
wants to establish secure communications. It also proposes a
list of security parameters that the client would like to use
for the communications.
These security parameters are known as "cipher suites"; they
identify particular cryptographic algorithms, operating modes,
and key sizes. A client can include multiple cipher suites in
its Client Hello message. This gives the server the option of
selecting from the list.
The server indicates which of the client's proposed cipher
suites it prefers in a Server Hello message. This message also
tells the client that the server is willing to proceed with the
SSL negotiation. The server follows this immediately with a
Certificate message. As you might expect, the Certificate
message carries the server's public key certificate. This step
is how the client learns of the server's public key. The server
then sends a Server Hello Done message to the client. This
message tells the client that the server has finished its part
of the initial negotiations.
Now it's the client's turn. Internally, the client generates
random numbers to use as a shared session key. It encrypts the
session key with the server's public key and sends the result
to the server in a Client Key Exchange message.
Notice that the server doesn't have to digitally sign
anything to authenticate itself to the client. The client
relies on the server's ability to decipher the Client Key
Exchange message to verify the server's identity. If a hacker
impersonates the server, the hacker won't have the server's
private key, and the hacker won't be able to decipher the
Client Key Exchange.
After the Client Key Exchange, the client sends a Change
Cipher Spec message. This message tells the server to activate
the negotiated cipher suite. From this point forward, all
messages from the client will be encrypted using the algorithm
from the Server Hello and the session key in the Client Key
Exchange. The client follows this message with a Finished
message. Since it follows the Change Cipher Spec, the Finished
message is encrypted. It ensures that both parties are using
the same cryptographic algorithms and parameters. If the
message that follows the client's Change Cipher Spec doesn't
successfully decrypt as a Finished message, the server knows
something has gone amiss. If the decryption succeeds, however,
the negotiation has succeeded.
At this point, it's the server's turn to send a Change
Cipher Spec message. This message tells the client that all
subsequent messages from the server will use the negotiated
security. The server follows that message with its own Finished
message. Again, this gives the client a way to confirm that the
negotiated security is in place.
Alternate SSL Negotiation
One of the characteristics of the basic SSL negotiation is
that the server uses only a single public key. That public key
is used both for encryption and authentication. The client
encrypts using the public key when it creates the Client Key
Exchange message. And the public key is used implicitly to
authenticate the server by forcing the server to decrypt that
message in order to continue.
Historically, however, various governments (including the
U.S.) have placed restrictions on the strength of encryption
keys. Rarely, however, have there been restrictions on the
strength of keys used for authentication. To accommodate this
environment, SSL allows a server to use two different public
keys. That way, the server can use a key for encryption that
conforms to appropriate legal requirements while, at the same
time, use a much stronger key for authentication.
Figure 12: An alternate negotiation sequence allows
different keys for encryption and authentication.
This operation requires an additional message—the Server Key
Exchange. The Server Key Exchange carries a public key that the
client should use to encrypt the session key, and the Server
Key Exchange message is digitally signed using the server's
authentication key. The client must verify that signature using
the public key from the Certificate message.
Client Authentication
Another option allows SSL to authenticate the identity of the
client as well as the server. The server can request such
authentication by sending the client a Certificate Request
message. The client responds by sending the server a
Certificate message and, later, a Certificate Verify message.
The Certificate Verify message digitally signs data from the
negotiation's initial messages, including the session key. The
server verifies that signature using the public key it receives
in the client's Certificate message.
Figure 13: SSL client authentication verifies the
client's identity.
Even though SSL defines a client authentication process, it
is not very common on the Internet for two main reasons. First,
it may not be necessary. Electronic commerce servers, for
example, can verify a user's identity by validating their
credit card number. Second, client authentication requires that
users install and manage public and private keys. Except in
specialized environments, those tasks may be too challenging
for typical users.
Resuming a Previous Session
As we've seen, establishing an SSL session can be a bit
time-consuming. The process can take as many as 13 messages,
and it may require up to five public key computations.
Fortunately, the client and the server don't have to go through
the entire process every time they want to communicate. If two
systems have established an SSL session in the past, they can
later resume that same session.
Figure 14: Resuming a previous SSL session requires
fewer messages.
Here's how it works. When the client sends its Client Hello
message, it includes a session ID from the earlier session. By
doing so the client proposes to simply resume that earlier
session. If the server agrees, it returns the same session ID
in its Server Hello message. At that point both parties
immediately send Change Cipher Spec and Finished messages and
the negotiation is complete. Resuming a session in this manner
only takes six messages, and it doesn't require any public key
operations.
Cipher Suites
SSL gives clients and servers the ability to negotiate several
cryptographic parameters. The protocol supports many different
algorithms, operating modes, and key sizes, for a total of 31
different cipher suites. These cipher suites include a key
exchange algorithm, a symmetric encryption algorithm, and a
digest algorithm for message integrity. They include nearly all
of the popular algorithms, although newer cryptographic
technology, elliptic curve cryptography, for example, is not
officially defined by the SSL standard.
-
Key Exchange Algorithms
- Rivest, Shami, Adleman (RSA) Public Key
- Diffie-Hellman with Digital Signature Standard
(DSS)
-
Symmetric Encryption Algorithms and Key Size
- Data Encryption Standard (DES)
- Triple Strength DES (3DES)
- Rivest Cipher 4 (RC4)
-
Message Digest Algorithms
- Message Digest 5 (MD5)
- Secure Hash Algorithm (SHA)
Transport Layer Security
New cryptographic technology is a part of the successor to SSL,
however. That successor is known as Transport Layer Security
(TLS).
SSL was originally developed by Netscape Communications.
Although Netscape always promoted open use of the protocol, it
was (and still is) proprietary. Indeed, during the height of
the browser wars Microsoft promoted a different (though very
similar) protocol known as Private Communications
Technology.
To fully promote SSL as a true open standard, its
developers, along with others in the security community,
decided to hand off responsibility for the protocol to a true
international standard organization—the Internet Engineering Task Force (IETF).
The IETF renamed the protocol TLS, but otherwise made very few
changes. TLS version 1.0 is SSL version 3.1.
TLS features a few minor changes to SSL version 3.0, primarily in the addition
of more Alert message types and in tweaks to some of the
cryptographic computations.
The main benefit to moving the work to the IETF, however, is
that it inherits a well-defined and open process to add to and
revise the protocol. This has made it much easier to create
official definitions of cipher suites that take advantage of
advanced cryptographic technology, including elliptic curve
cryptography and the new Advanced Encryption Standard
algorithm.
|
