The Secure Sockets Layer Protocol (SSL)

Taher Elgamal
Danvers IETF Meeting
April 1995


Agenda

o Transaction security on the Internet
o Which problems does SSL target
o Objectives for SSL
o The SSL protocol in detail
o Other Internet security issues
o Future directions for SSL


Transaction Security on the Internet

o Privacy
  - Encryption of data
o Authentication
  - Client and server authentication
  - Proof of authorship
  - User authentication and non-repudiation
o Integrity
  - Guard against tampering with data on the network


Privacy

o Data encryption is required for privacy applications
o Ensure data only readable by intended recipient -- not necessarily
  the first recipient


Authentication

o Client authentication to the server, and server authentication to
  the client to create an authenticated channel
  - System function at connection time
  - Should be independent of the application or the application
    protocol
o Digital signatures for proof of authorship
  - Authorize financial transactions
o Signatures on receipts and other data for non-repudiation purposes
  - Application specific in general


Integrity

o Ensure non-tampering of the data either intentionally or
  unintentionally


Which problems does SSL target

o Authenticating the client and the server to each other
o Securing the traffic over the communications channel
o Ensuring data integrity


SSL -- Design objectives and constraints

o Support many applications and protocols
o Use available TCP/IP based networks
o Requires a reliable transport layer (e.g. TCP)
o Applications (and developers) need to support SSL, but do not need
  to worry about key generation and negotiation techniques


SSL in detail

     _________________________________________________
    |                                                 |
    |               Application Layers                |
    |_________________________________________________|
     ______     ______     ______              ______
    |      |   |      |   |      |            |      |
    |      |   |      |   |      |            |      |
    | HTTP |   | NNTP |   | FTP  |   . . .    | SHTTP|
    |      |   |      |   |      |            |      |
    |______|   |______|   |______|            |______|
     _________________________________________________
    |                      SSL                        |
    |_________________________________________________|
     _________________________________________________
    |                                                 |
    |                     TCP/IP                      |
    |                                                 |
    |_________________________________________________|


SSL -- Negotiation phase

o The client initiates the session
o The server responds and sends its certificate
o The client generates the master key and sends it encrypted using
  the server's public key
o Requires a server certificate but does not require a client
  certificate
o Requires a certain level of trust in the server's certificate
o Optional client certificate can be used to authenticate the client
  to the server


SSL -- Negotiation phase

     __________                               _______________
    |          |                             |               |
    |  Client  |                             |    Server     |
    |__________|                             |_______________|

                         start session
                  -------------------------->
                          certificate
                  <--------------------------
                     encrypted master key
                  -------------------------->
                     Session established,
                  <--------------------------
                         request cert
                  certificate and other data
                  --------------------------->
                      data encrypted with
                  <-------------------------->
                          session key


SSL -- Supported methods

o Symmetric Ciphers
  - DES, RC2, RC4, IDEA and Triple DES
  - 40-bit exportable versions of RC2, RC4
o Public-key Ciphers
  - RSA for key encryption and digital certificates


SSL -- Supported Methods

o Certificates
  - X.509 certificate support
o Message Digests
  - MD5 used for MAC computation


SSL -- Privacy

o Master key established by the client using the server's public key
o Master key used to generate two session keys (one for each
  direction)
o Once the session keys are established, all traffic is
  "transparently" encrypted in both directions
o All operations can happen transparently from the user's (and higher
  layer protocols) point of view


SSL -- Authentication and integrity

o Server certificate is required to authenticate the server
o Client certificate is optional
o MAC computed for each record using MD5
o Uses a record sequence number to ensure record freshness


SSL -- efficiency issues

o Master key can be used for multiple sessions -- reduce the overhead
  of private key encryption operations
o Session key generation uses MD5 -- very fast
o Two session keys for RC4 support


SSL Exportability

o Supports 40-bit RC2 and RC4 for bulk encryption
o Supports 512-bit RSA keys for digital certificates


SSL availability

o Informational RFC
o Reference implementation available
o SSLREF 1.1 is almost complete, full source in ANSI C
o Protocol spec available


Other Internet security issues

o Access control and authorization schemes
o Digital signatures
  - Proof of origination
o Non-repudiation
  - Proof of receipt


SSL -- future directions

o Key Negotiation
  - Diffie-Hellman
o Improved Certificate Management
  - Certificate chains
  - Longer RSA keys for server certificates
  - PKCS #7, PEM certificate formats
o Other implementation items


SSL -- future directions

o Solicit input from standard bodies and other interested groups
o Work with other standards efforts to establish common standards for
  security issues in different applications and protocols
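

Added example (not from the slides or from SSLREF): a simplified Python model of the ideas on the "SSL -- Privacy" and "SSL -- Authentication and integrity" slides, showing why one key per direction plus a sequence number inside the MD5 record MAC lets a receiver reject replayed, tampered and reflected records. The field layout, the "0"/"1" labels, the nonce and all key values are assumptions constructed for illustration, not the SSL wire format; encryption is omitted.

```python
import hashlib
import hmac
import struct

def derive_keys(master_key: bytes, nonce: bytes):
    # One master key, two one-way session keys (labels b"0"/b"1" are assumed).
    c2s = hashlib.md5(master_key + b"0" + nonce).digest()
    s2c = hashlib.md5(master_key + b"1" + nonce).digest()
    return c2s, s2c

def record_mac(key: bytes, data: bytes, seq: int) -> bytes:
    # Keyed MD5 over data and sequence number; current designs use HMAC instead.
    return hashlib.md5(key + data + struct.pack(">I", seq)).digest()

class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0
    def seal(self, data: bytes) -> bytes:
        tag = record_mac(self.key, data, self.seq)
        self.seq += 1              # sequence number is implicit, never sent
        return tag + data

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0
    def open(self, record: bytes) -> bytes:
        tag, data = record[:16], record[16:]
        if not hmac.compare_digest(tag, record_mac(self.key, data, self.seq)):
            raise ValueError("bad MAC: tampered, replayed or out of order")
        self.seq += 1              # advance only on an accepted record
        return data

def demo():
    c2s, s2c = derive_keys(b"constructed-master-key", b"constructed-nonce")
    client_tx, server_rx, client_rx = Sender(c2s), Receiver(c2s), Receiver(s2c)
    r0, r1 = client_tx.seal(b"GET /"), client_tx.seal(b"PAY 10")
    results = {"in_order": [server_rx.open(r0), server_rx.open(r1)]}
    attempts = [("replay", server_rx, r1),                       # old sequence number
                ("tamper", server_rx, client_tx.seal(b"PAY 10")[:-1] + b"9"),
                ("reflect", client_rx, r0)]                      # wrong direction key
    for name, rx, rec in attempts:
        try:
            rx.open(rec)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results
```
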