T5-Web and Transport-Level Security

Web and Transport-Level Security

Uploaded by

Sérgio Santos

Information Technology Security

MSI
2017/2018
T5 – Web and Transport-Level Security
Web Security Considerations
• The World Wide Web is fundamentally a client/server application
running over the Internet and TCP/IP intranets

• The following characteristics of Web usage suggest the need for tailored security tools:
• Web servers are relatively easy to configure and manage
• Web content is increasingly easy to develop
• The underlying software is extraordinarily complex
• May hide many potential security flaws
• A Web server can be exploited as a launching pad into the
corporation’s or agency’s entire computer complex
• Casual and untrained (in security matters) users are common clients
for Web-based services
• Such users are not necessarily aware of the security risks that exist and do
not have the tools or knowledge to take effective countermeasures

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.


Threats on the Web



Security approaches in the context of the TCP/IP stack



Transport Layer Security (TLS)

• One of the most widely used security services
• Defined in RFC 5246
• Is an Internet standard that evolved from a commercial protocol known as Secure Sockets Layer (SSL)
• Is a general purpose service implemented as a set of protocols that rely on TCP
• Could be provided as part of the underlying protocol suite and therefore be transparent to applications
• Can be embedded in specific packages
• Most browsers come equipped with TLS, and most Web servers have implemented the protocol



SSL/TLS Protocol Stack

• TLS is not a single protocol, but rather two layers of protocols

• The TLS Record Protocol provides basic security services to various higher layer protocols, in particular, the Hypertext Transfer Protocol (HTTP)

• Three higher-layer protocols are defined as part of TLS: the Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol. These TLS specific protocols are used in the management of TLS exchanges



TLS Architecture

• Two important TLS concepts are:

TLS connection
• A transport that provides a suitable type of service
• For TLS such connections are peer-to-peer relationships
• Connections are transient
• Every connection is associated with one session

TLS session
• An association between a client and a server
• Created by the Handshake Protocol
• Define a set of cryptographic security parameters which can be shared among multiple connections
• Are used to avoid the expensive negotiation of new security parameters for each connection



A Session State is defined by the following parameters:

• Session identifier: An arbitrary byte sequence chosen by the server to identify an active or resumable session state
• Peer certificate: An X509.v3 certificate of the peer; this element of the state may be null
• Compression method: The algorithm used to compress data prior to encryption
• Cipher spec: Specifies the bulk data encryption algorithm and a hash algorithm used for MAC calculation; also defines cryptographic attributes such as the hash_size
• Master secret: 48-byte secret shared between the client and the server
• Is resumable: A flag indicating whether the session can be used to initiate new connections



A Connection State is defined by the following parameters:

• Server and client random: Byte sequences that are chosen by the server and client for each connection
• Server write MAC secret: The secret key used in MAC operations on data sent by the server
• Client write MAC secret: The secret key used in MAC operations on data sent by the client
• Server write key: The secret encryption key for data encrypted by the server and decrypted by the client
• Client write key: The symmetric encryption key for data encrypted by the client and decrypted by the server
• Initialization vectors:
  • When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key
  • This field is first initialized by the TLS Handshake Protocol
  • The final ciphertext block from each record is preserved for use as the IV with the following record
• Sequence numbers:
  • Each party maintains separate sequence numbers for transmitted and received messages for each connection
  • When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero
  • Sequence numbers may not exceed 2^64 - 1



TLS Record Protocol

The TLS Record Protocol provides two services for TLS connections:

• Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of TLS payloads
• Message integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC)



TLS Record Protocol Operation



TLS Record Format

• Content Type (8 bits): The higher-layer protocol used to process the fragment

• Major and Minor Version: The version of TLS used

• Compressed Length (16 bits): The length in bytes of the plaintext fragment (possibly compressed)
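The header fields listed above can be read directly off the wire. The following parser is an added example, not part of the original slides; it assumes the RFC 5246 layout (8-bit major and minor version fields, big-endian length), and the sample bytes are constructed.

```python
import struct

# Content types carried in the 8-bit Content Type field (RFC 5246; 24 is Heartbeat).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
MAX_LENGTH = 2 ** 14 + 2048   # RFC 5246 upper bound for a protected fragment

# Constructed sample: a handshake record followed by an alert record.
SAMPLE = bytes.fromhex("1603010004" "01000000" "1503030002" "0100")


def parse_records(stream: bytes) -> list:
    """Split a byte stream into TLS records, validating each 5-byte header."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        # Content Type (8 bits), Major (8), Minor (8), Length (16, big-endian)
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if (major, minor) not in VERSIONS:
            raise ValueError(f"unsupported version {major}.{minor}")
        if length > MAX_LENGTH:
            raise ValueError(f"length {length} exceeds record limit")
        fragment = stream[offset + 5:offset + 5 + length]
        if len(fragment) != length:
            raise ValueError("fragment shorter than declared length")
        records.append({"type": CONTENT_TYPES[ctype],
                        "version": VERSIONS[(major, minor)],
                        "length": length,
                        "fragment": fragment})
        offset += 5 + length
    return records


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["type"], rec["version"], rec["length"], rec["fragment"].hex())
```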



TLS Record Protocol Payload



TLS Handshake Protocol Message Types



TLS Handshake Protocol in action



Cryptographic Computations
• Two further items are of interest:

• The creation of a shared master secret by means of the key exchange
  • The shared master secret is a one-time 48-byte value generated for this session by means of secure key exchange
  • The creation is in two stages
    • First, a pre_master_secret is exchanged
    • Second, the master_secret is calculated by both parties

• The generation of cryptographic parameters from the master secret



Generation of Cryptographic Parameters

• CipherSpecs require:
• A client write MAC secret
• A server write MAC secret
• A client write key
• A server write key
• A client write IV
• A server write IV

…Which are generated from the master secret in that order…

• These parameters are generated from the master secret by hashing the
master secret into a sequence of secure bytes of sufficient length for all
needed parameters



Heartbeat Protocol
• Is a periodic signal generated by hardware or software to indicate
normal operation or to synchronize other parts of a system

• Typically used to monitor the availability of a protocol entity

• In the specific case of TLS, a Heartbeat protocol was defined in 2012 in RFC 6520 (Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension)



Heartbeat Protocol
• Runs on top of the TLS Record Protocol

• Consists of two message types
  • heartbeat_request
  • heartbeat_response

• The use of the Heartbeat protocol is established during Phase 1 of the Handshake protocol

• The heartbeat serves two purposes
• It assures the sender that the recipient is still alive
• The heartbeat generates activity across the connection during idle periods,
which avoids closure by a firewall that does not tolerate idle connections

• The requirement for the exchange of a payload was designed into the
Heartbeat protocol to support its use in a connectionless version of TLS
known as Datagram Transport Layer Security (DTLS)

SSL/TLS Attacks
• The attacks can be grouped into four general categories:

• Attacks on the handshake protocol

• Attacks on the record and application data protocols

• Attacks on the PKI

• Other attacks

• The constant back-and-forth between threats and countermeasures determines the evolution of Internet-based protocols



HTTPS (HTTP over SSL)
• Refers to the combination of HTTP and SSL to implement secure
communication between a Web browser and a Web server
• The HTTPS capability is built into all modern Web browsers
• A user of a Web browser will see URL addresses that begin with https://
rather than http://
• If HTTPS is specified, port 443 is used, which invokes SSL
• Documented in RFC 2818, HTTP Over TLS
• There is no fundamental change in using HTTP over either SSL or TLS and both
implementations are referred to as HTTPS
• When HTTPS is used, the following elements of the communication are
encrypted:
• URL of the requested document
• Contents of the document
• Contents of browser forms
• Cookies sent from browser to server and from server to browser
• Contents of HTTP header



Connection Initiation

• For HTTPS, the agent acting as the HTTP client also acts as the TLS client
• The client initiates a connection to the server on the appropriate port and then sends the TLS ClientHello to begin the TLS handshake
• When the TLS handshake has finished, the client may then initiate the first HTTP request
• All HTTP data is to be sent as TLS application data

• There are three levels of awareness of a connection in HTTPS
  • At the HTTP level, an HTTP client requests a connection to an HTTP server by sending a connection request to the next lowest layer
    • Typically the next lowest layer is TCP, but it may also be TLS/SSL
  • At the level of TLS, a session is established between a TLS client and a TLS server
    • This session can support one or more connections at any time
  • A TLS request to establish a connection begins with the establishment of a TCP connection between the TCP entity on the client side and the TCP entity on the server side



Connection Closure
• An HTTP client or server can indicate the closing of a connection by
including the line Connection: close in an HTTP record
• The closure of an HTTPS connection requires that TLS close the
connection with the peer TLS entity on the remote side, which will
involve closing the underlying TCP connection
• TLS implementations must initiate an exchange of closure alerts before
closing a connection
• A TLS implementation may, after sending a closure alert, close the
connection without waiting for the peer to send its closure alert,
generating an “incomplete close”
• An unannounced TCP closure could be evidence of some sort of attack
so the HTTPS client should issue some sort of security warning when
this occurs



Heartbleed Bug
• Vulnerability in the popular OpenSSL cryptographic library published in CVE-2014-0160
• Before version 1.0.1g, OpenSSL does not properly handle Heartbeat Extension packets, allowing remote attackers to obtain information from process memory (private keys) via crafted packets
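Proper handling of a Heartbeat message means checking the declared payload length against the bytes that actually arrived, as RFC 6520 requires, before echoing anything back. The receiver below is an added example, not code from the slides or from OpenSSL; the function name and the sample messages are constructed for illustration.

```python
import os
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
HEADER_LEN = 3          # type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16        # RFC 6520: at least 16 bytes of padding
MAX_MESSAGE = 2 ** 14   # a HeartbeatMessage must fit in one TLS record

# Constructed samples: one consistent request, one whose length field
# declares more payload than the message contains.
WELL_FORMED = struct.pack("!BH", HEARTBEAT_REQUEST, 5) + b"hello" + bytes(16)
INCONSISTENT = struct.pack("!BH", HEARTBEAT_REQUEST, 1024) + b"hello" + bytes(16)


def heartbeat_response(message: bytes):
    """Return the heartbeat_response for a valid request, or None to discard."""
    if len(message) < HEADER_LEN + MIN_PADDING or len(message) > MAX_MESSAGE:
        return None
    msg_type, payload_length = struct.unpack_from("!BH", message, 0)
    if msg_type != HEARTBEAT_REQUEST:
        return None
    # The declared payload_length must fit inside the received bytes,
    # leaving room for the mandatory padding. RFC 6520 says a message
    # whose payload_length is too large is discarded silently.
    if HEADER_LEN + payload_length + MIN_PADDING > len(message):
        return None
    payload = message[HEADER_LEN:HEADER_LEN + payload_length]
    # Echo exactly the received payload, followed by fresh random padding.
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload))
            + payload + os.urandom(MIN_PADDING))


if __name__ == "__main__":
    print("well-formed  ->", heartbeat_response(WELL_FORMED))
    print("inconsistent ->", heartbeat_response(INCONSISTENT))
```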



Secure Shell (SSH)
• A protocol for secure network communications designed to be relatively simple and inexpensive to implement
• The initial version, SSH1 was focused on providing a secure remote logon facility to replace TELNET and other remote logon schemes that provided no security
• SSH also provides a more general client/server capability and can be used for such network functions as file transfer and e-mail
• SSH2 fixes a number of security flaws in the original scheme and is documented as a proposed standard in IETF RFCs 4250 through 4256
• SSH client and server applications are widely available for most operating systems
  • Has become the method of choice for remote login and X tunneling
  • Is rapidly becoming one of the most pervasive applications for encryption technology outside of embedded systems



SSH Transport Layer Packet Exchanges



SSH Protocol Stack



Transport Layer Protocol
• Server authentication occurs at the transport layer, based on the server
possessing a public/private key pair

• A server may have multiple host keys using multiple different asymmetric encryption algorithms

• Multiple hosts may share the same host key

• The server host key is used during key exchange to authenticate the
identity of the host

• RFC 4251 dictates two alternative trust models:
• The client has a local database that associates each host name with the
corresponding public host key
• The host name-to-key association is certified by a trusted certification
authority (CA); the client only knows the CA root key and can verify the
validity of all host keys certified by accepted CAs
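The first trust model, a local database of host name to host key associations, can be sketched as follows. This is an added example, not part of the original slides: the database uses a known_hosts-style line layout, the host names and key blobs are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# Constructed database, one "host[,host...] keytype base64(key blob)" per line.
# web1 has two host keys (two algorithms); web1 and web2 share one key.
KNOWN_HOSTS = "\n".join([
    "# constructed entries; the blobs are placeholder bytes, not real keys",
    "web1.example,web2.example ssh-ed25519 " + b64(b"constructed-ed25519-blob"),
    "web1.example ssh-rsa " + b64(b"constructed-rsa-blob"),
])


def load_known_hosts(text: str) -> dict:
    """Map (host, keytype) to the public key blob recorded for it."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, encoded = line.split()[:3]
        for host in hosts.split(","):
            db[(host, keytype)] = base64.b64decode(encoded)
    return db


def fingerprint(blob: bytes) -> str:
    """SHA-256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(db: dict, host: str, keytype: str, presented: bytes) -> str:
    """Classify the key a server presents during key exchange."""
    known = db.get((host, keytype))
    if known is None:
        return "unknown"    # no association stored: needs out-of-band verification
    if known != presented:
        return "changed"    # stored key differs: refuse to continue
    return "trusted"


if __name__ == "__main__":
    db = load_known_hosts(KNOWN_HOSTS)
    blob = b"constructed-ed25519-blob"
    print(check_host_key(db, "web2.example", "ssh-ed25519", blob), fingerprint(blob))
```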

Transport Layer Protocol Packet Formation



Transport Layer Cryptographic Algorithms



Authentication Methods
• Public-key
• The client sends a message to the server that contains the client’s public key,
with the message signed by the client’s private key
• When the server receives this message, it checks whether the supplied key is
acceptable for authentication and, if so, it checks whether the signature is
correct

• Password
• The client sends a message containing a plaintext password, which is
protected by encryption by the Transport Layer Protocol

• Host-based
• Authentication is performed on the client’s host rather than the client itself
• This method works by having the client send a signature created with the
private key of the client host
• Rather than directly verifying the user’s identity, the SSH server verifies the
identity of the client host



Connection Protocol
• The SSH Connection Protocol runs on top of the SSH Transport Layer
Protocol and assumes that a secure authentication connection is in use
• The secure authentication connection, referred to as a tunnel, is
used by the Connection Protocol to multiplex a number of logical
channels

• Channel mechanism
• All types of communication using SSH are supported using
separate channels
• Either side may open a channel
• For each channel, each side associates a unique channel number
• Channels are flow controlled using a window mechanism
• No data may be sent to a channel until a message is received to
indicate that window space is available
• The life of a channel progresses through three stages: opening a
channel, data transfer, and closing a channel

Connection Protocol Message Exchange



Channel Types

Four channel types are recognized in the SSH Connection Protocol specification

Session
• The remote execution of a program
• The program may be a shell, an application such as file transfer or e-mail, a system
command, or some built-in subsystem
• Once a session channel is opened, subsequent requests are used to start the remote
program

X11
• Refers to the X Window System, a computer software system and network protocol that
provides a graphical user interface (GUI) for networked computers
• X allows applications to run on a network server but to be displayed on a desktop
machine

Forwarded-tcpip
• Remote port forwarding

Direct-tcpip
• Local port forwarding



Port Forwarding
• One of the most useful features of SSH

• Provides the ability to convert any insecure TCP connection into a secure SSH connection (also referred to as SSH tunneling)

• Incoming TCP traffic is delivered to the appropriate application on the basis of the port number (a port is an identifier of a user of TCP)

• An application may employ multiple port numbers

• Local and remote Port Forwarding over SSH tunnel



Port Forwarding (local)



Port Forwarding (remote)



Summary
• Web security considerations
• Web security threats
• Web traffic security approaches
• Secure sockets layer
• SSL architecture
• SSL record protocol
• Change cipher spec protocol
• Alert protocol
• Handshake protocol
• Cryptographic computations
• Heartbeat protocol
• SSL/TLS attacks
• TLSv1.3
• Heartbleed Bug
• Secure shell (SSH)
• Transport layer protocol
• User authentication protocol
• Communication protocol
• HTTPS
• Connection initiation
• Connection closure



Bibliography

Cryptography and network security, Stallings, Pearson, 2017, Chapter 17: Web and Transport-Layer Security

Segurança Prática em Sistemas e Redes com Linux, Capítulo 3: Autoridades de certificação digital e Capítulo 4: Ligações seguras com SSH
