第十章安全通信（2）SMUCSE5349/49上一次課的內容密鑰如何分配

對稱加密用的密鑰

——三種辦法非對稱加密中的公鑰

——證書一種辦法SMUCSE5349/49上一次課的內容Deffie-Hellman協議

SMUCSE5349/49上一次課的內容數字證書SMUCSE5349/49本講的主要內容“支付寶”是如何保障安全的？“支付寶”使用的安全協議SSL(TLS)。比SSL更安全協議“支付寶”為什么不用？今天課程用到的知識對稱加密公鑰加密與簽名MAC=H(k,M)加密密鑰與認證密鑰要分開課后要完成的作業Page198:3,4Page215:5,6SMUCSE5349/49１支付寶是如何保障安全的？SMUCSE5349/49出現登錄界面后，瀏覽器與服務器之間已經完成的工作如下：

服務器已經提交了數字證書并被瀏覽器驗證完畢.一套密碼套件已經協商完畢，48字節的預主密鑰已經傳送.服務器用443端口通信，ＳＳＬ握手協議已經完成，包括一個會話已經建立，一個連接中的加密密鑰與MAC密鑰已經算出。SMUCSE5349/49：

之后的通信內容全是加密的SMUCSE5349/49２“支付寶”使用的安全協議SSL/TLSSMUCSE5349/7349LayersofSecuritySMUCSE5349/7349SSLHistoryEvolvedthroughUnreleasedv1(Netscape)Flawed-but-usefulv2Version3fromscratchStandardTLS1.0,TLS1.2SSL3.0withminortweaks,henceVersionfieldis3.1DefinedinRFC2246,/rfc/rfc2246.txtOpen-sourceimplementationat/SMUCSE5349/7349OverviewEstablishasessionAgreeonalgorithmsSharesecretsPerformauthenticationTransferapplicationdataEnsureprivacyandintegritySMUCSE5349/7349ArchitectureRecordProtocoltotransferapplicationandTLSinformationAsessionisestablishedusingaHandshakeProtocolTLSRecordProtocolHandshakeProtocolAlertProtocolChangeCipherSpecSMUCSE5349/7349Architecure(cont’d)HANDLESCOMMUNICATIONWITHTHEAPPLICATIONProtocolsINITIALIZESCOMMUNCATIONBETWEENCLIENT&SERVERINITIALIZESSECURECOMMUNICATIONHANDLESDATACOMPRESSIONERRORHANDLINGSMUCSE5349/7349HandshakeNegotiateCipher-SuiteAlgorithmsSymmetricciphertouseKeyexchangemethodMessagedigestfunctionEstablishandsharemastersecretOptionallyauthenticateserverand/orclientSMUCSE5349/7349HandshakePhasesHellomessagesCertificateandKeyExchangemessagesChangeCipherSpecandFinishedmessagesSMUCSE5349/7349SSLMessagesOFFERCIPHERSUITEMENUTOSERVERSELECTACIPHERSUITESENDCERTIFICATEANDCHAINTOCAROOTCLIENTSIDESERVERSIDESENDPUBLICKEYTOENCRYPTSYMMKEYSERVERNEGOTIATIONFINISHEDSENDENCRYPTEDSYMMETRICKEYSOURCE:THOMAS,SSLANDTLSESSENTIALSACTIVATEENCRYPTIONCLIENTPORTIONDONE(SERVERCHECKSOPTIONS)ACTIVATESERVERENCRYPTIONSERVERPORTIONDONE(CLIENTCHECKSOPTIONS)NOWTHEPARTIESCANUSESYMMETRICENCRYPTIONSMUCSE5349/7349ClientHelloProtocolversionSSLv3(major=3,minor=0)TLS(major=3,minor=1)RandomNumber32bytesFirst4bytes,timeofthedayinseconds,other28bytesrandomPreventsreplayattackSessionID32bytes–indicatestheuseofpreviouscryptographicmaterialCompressionalgorithmSMUCSE5349/7349ClientHello-CipherSuitesINITIAL(NULL)CIPHERSUITEPUBLIC-KEYALGORITHMSYMMETRICALGORITHMHASHALGORITHMCIPHERSUITECODESUSEDINSSLMESSAGESSSL_NULL_WITH_NULL_NULL={0,0}SSL_RSA_WITH_NULL_MD5={0,1}SSL_RSA_WITH_NULL_SHA={0,2}SSL_RSA_EXPORT_WITH_RC4_40_MD5={0,3}SSL_RSA_WITH_RC4_128_MD5={0,4}SSL_RSA_WITH_RC4_128_SHA={0,5}SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5={0,6}SSL_RSA_WITH_IDEA_CBC_SHA={0,7}SSL_RSA_EXPORT_WITH_DES40_CBC_SHA={0,8}SSL_RSA_WITH_DES_CBC_SHA={0,9}SSL_RSA_WITH_3DES_EDE_CBC_SHA={0,10}

SMUCSE5349/7349ServerHelloVersionRandomNumberProtectsagainsthandshakereplaySessionIDProvidedtotheclientforlaterresumptionofthesessionCiphersuiteUsuallypicksclient’sbestpreference–NoobligationCompressionmethodSMUCSE5349/7349CertificatesSequenceofX.509certificatesServer’s,CA’s,…X.509CertificateassociatespublickeywithidentityCertificationAuthority(CA)createscertificateAdherestopoliciesandverifiesidentitySignscertificateUserofCertificatemustensureitisvalidSMUCSE5349/7349ValidatingaCertificateMustrecognizeacceptedCAincertificatechainOneCAmayissuecertificateforanotherCAMustverifythatcertificatehasnotbeenrevokedCApublishesCertificateRevocationList(CRL)SMUCSE5349/7349ClientKeyExchangePremastersecretCreatedbyclient;usedto“seed”calculationofencryptionparameters2bytesofSSLversion+46randombytesSentencryptedtoserverusingserver’spublickeyThisiswheretheattackhappenedinSSLv2SMUCSE5349/7349ChangeCipherSpec&

FinishedMessagesChangeCipherSpecSwitchtonewlynegotiatedalgorithmsandkeymaterialFinishedFirstmessageencryptedwithnewcryptoparametersDigestofnegotiatedmastersecret,theensembleofhandshakemessages,senderconstantHMACapproachofnestedhashingSMUCSE5349/7349SSLEncryptionMastersecretGeneratedbybothpartiesfrompremastersecretandrandomvaluesgeneratedbybothclientandserverKeymaterialGeneratedfromthemastersecretandsharedrandomvaluesEncryptionkeysExtractedfromthekeymaterialSMUCSE5349/7349GeneratingtheMasterSecret

SOURCE:THOMAS,SSLANDTLSESSENTIALSSERVER’SPUBLICKEYISSENTBYSERVERINServerKeyExchangeCLIENTGENERATESTHEPREMASTERSECRETENCRYPTSWITHPUBLICKEYOFSERVERCLIENTSENDSPREMASTERSECRETINClientKeyExchangeSENTBYCLIENTINClientHelloSENTBYSERVERINServerHelloMASTERSECRETIS3MD5HASHESCONCATENATEDTOGETHER=384BITSSMUCSE5349/7349GenerationofKeyMaterialSOURCE:THOMAS,SSLANDTLSESSENTIALSJUSTLIKEFORMING

THEMASTERSECRETEXCEPTTHEMASTERSECRETISUSEDHEREINSTEADOFTHEPREMASTERSECRET...SMUCSE5349/7349ObtainingKeysfromtheKeyMaterial

SOURCE:THOMAS,SSLANDTLSESSENTIALSSECRETVALUESINCLUDEDINMESSAGEAUTHENTICATIONCODESINITIALIZATIONVECTORSFORDESCBCENCRYPTIONSYMMETRICKEYSSMUCSE5349/7349SSLRecordProtocolSMUCSE5349/7349RecordHeaderThreepiecesofinformationContenttypeApplicationdataAlertHandshakeChange_cipher_specContentlengthSuggestswhentostartprocessingSSLversionRedundantcheckforversionagreementSMUCSE5349/7349Protocol(cont’d)Max.recordlength214–1MACDataHeadersSequencenumberTopreventreplayandreorderingattackNotincludedintherecordSMUCSE5349/7349AlertsandClosureAlerttheothersideofexceptionsDifferentlevelsTerminateandsessioncannotberesumedClosurenotifyTopreventtruncationattack(sendingaTCPFINbeforethesenderisfinished)SMUCSE5349/7349SSLSessionsSessionsvs.ConnectionsMultipleconnectionswithinasessionsOnenegotiation/sessionSessionResumptionThroughsessionIDsClientsuseserverIPaddressornameasindexServersusethesessionIDsprovidebytheclientsUseofrandomnumbersinresumedsessionkeycalculationensuresdifferentkeysSessionRe-handshakeClientcaninitiateanewhandshakewithinasessionUseofServerGatedCryptography(SGC)foraddedsecuritySMUCSE5349/7349SSLOverhead2-10timesslowerthanaTCPsessionWheredowelosetimeHandshakephaseClientdoespublic-keyencryptionServerdoesprivate-keyencryption(stillpublic-keycryptography)UsuallyclientshavetowaitonserverstofinishDataTransferphaseSymmetrickeyencryptionSMUCSE5349/7349SSLApplicationsHTTP–originalapplicationSecuremailServertoclientconnectionSMTP/SSL?Telnet,ftp..Resources:/related/apps.htmlSMUCSE5349/49３“支付寶”為什么不用更安全的協議？SMUCSE5349/49WTLSSMUCSE5349/7349WAPGatewayArchitectureWTLSHTTP/SSLHTTP/SSLWirelessGatewayApplicationServersSMUCSE5349/7349WAPStackConfigurationSMUCSE5349/7349WirelessTransportLayerSecurity(WTLS)Providessecurityservicesbetweenthemobiledevice(client)andtheWAPgatewayDataintegrityPrivacy(throughencryption)Authentication(throughcertificates)Denial-of-serviceprotection(detectsandrejectsmessagesthatarereplayed)SMUCSE5349/7349WTLSProtocolStackSMUCSE5349/7349WTLSRecordProtocolTakesinfofromthenexthigherlevelandencapsulatesthemintoaPDUPayloadiscompressedAMACiscomputedCompressedmessageplusMACcodeareencryptedusingsymmetricencryptionRecordprotocoladdsaheadertothebeginningtoencryptedpayloadSMUCSE5349/734