协议_SSL

Internet安全协议与标准第八章SSL/TLS协议张保稳2020/2/8本次课程教学安排Web安全问题SSLWTLSWEB安全Web服务器易于使用但正确配置比较复杂容易成为攻击目标Web安全问题威胁后果反对措施IntegrityModificationofDataTrojanhorsesLossofInformationCompromiseofMachineMACsandHashesConfidentialityEavesdroppingTheftofInformationLossofInformationPrivacyBreachEncryptionDoSStoppingFillingupDisksandResourcesStoppedTransactionsAuthenticationImpersonationDataForgeryMisrepresentationofUserAcceptfalseDataSignatures,MACs不同协议层的安全TCPIP/IPSECHTTPFTPSMTPTCPIPHTTPFTPSMTPSSL/TLSTCPIPS/MIMEPGPUDPKerberosSMTPSETHTTPAttheNetworkLevelAttheTransportLevelAttheApplicationLevelSSL概念SecureSocketsLayer：由Netscape于1994年始创，用于加固http层安全。Version3ofSSLwasreleasedin1995ItiswhatwethinkofwhenwesaySSLSlightvariationbecameTransportLayerSecurity(TLS)andwasacceptedbytheIETFin1999TLSisbackwardcompatiblewithSSLv3目的是使得TCP实现可靠、端对端的服务SSLconsistsoftwosublayers:SSLRecordProtocol(wherealltheactiontakesplace)SSLManagement:(Handshake/CipherChange/AlertProtocols)SSL\TLS的安全性TLSisusedconnection-orientedtransport,typicallyTCP.TLS可做到:Authentication以public/Privatekey方式來做Confidentiality利用一sessionkey，来encode和decode资料Integrity检查MAC(MessageAuthenticationCode)，确认是否被篡改不同的SSL版本1.SSL(SecureSocketLayer)是netscape公司设计的主要用于web的安全传输协议。这种协议在WEB上获得了广泛的应用。2.IETF()将SSL作了标准化，即RFC2246,并将其称为TLS（TransportLayerSecurity），从技术上讲，TLS1.0与SSL3.0的差别非常微小。由于本文中没有涉及两者间的细小差别，本文中这两个名字等价。3.在WAP的环境下，由于手机及手持设备的处理和存储能力有限，wap论坛（）在TLS的基础上做了WTLS协议（WirelessTransportLayerSecurity），以适应无线的特殊环境。SSL资料EvolvedthroughUnreleasedv1(Netscape)Flawed-but-usefulv2Version3fromscratchStandardTLS1.0SSL3.0withminortweaks,henceVersionfieldis3.1DefinedinRFC2246,Open-sourceimplementationat体系RecordProtocoltotransferapplicationandTLSinformationAsessionisestablishedusingaHandshakeProtocolTLSRecordProtocolHandshakeProtocolAlertProtocolChangeCipherSpecSSL在应用中的位置SSL基本过程建立一个会话AgreeonalgorithmsSharesecretsPerformauthentication传输应用数据Ensureprivacyandintegrity握手协议SSL的核心协议部分完成在传输应用数据之前进行的准备工作.相互认证协商加密算法建立共享密钥TheHandshakeProtocolconsistsofmessagesconsistingofthreefields:Type(1byte):Indicatestypeofthemessage.Thereare10types.Length(3bytes)Content:Thepayloadexchangedineachmessage握手协议NegotiateCipher-SuiteAlgorithms对称密钥密钥交换方法消息摘要函数握手协议基本过程Hello消息证书和密钥交换ChangeCipherSpecandFinishedmessages握手过程（1）}CompChoice,CiphChoice,SessID,r,#vers{:AG.2}CompList,CiphList,SessID,r,#vers{:GA.1GA•rAisanoncemadeof4bytesoftimestampand28bytesofrandom#.SimilarlyforrG.•SessID:0ifnewsession,elseisthesessionIDofanexistingsession(andtheHandshakewillupdateparameters)•CiphListisalistofalgorithmssupportedbytheclientinanorderofdecreasingpreference(KeyExchangeandEncryptionCipher)•CiphChoice:TheciphersuitechosenbytheServer.握手过程（2）服务器认证和密钥交换ServerbeginsbysendingitsX.509cert(andassociatedcertchain)Next,apublickeyissentServermayRequestaCertfromtheClientServersendsendround2message握手过程（2）}EndHello{:AG.6}uthoritiesValidCertA||CertType{:AG.5))e,n(||r||r(hashE||)e,n(:AG.4}Cert509X_G{:AG.3GGGAKGGGKGistheprivatekey,andhenceEKGisasignatureoperationbytheServerValidCertAuthoritiesidentifiestheauthoritiestheserverwillaccept证书SequenceofX.509certificatesServer’s,CA’s,…X.509CertificateassociatespublickeywithidentityCertificationAuthority(CA)createscertificateAdherestopoliciesandverifiesidentitySignscertificateUserofCertificatemustensureitisvalid证书校验问题MustrecognizeacceptedCAincertificatechainOneCAmayissuecertificateforanotherCAMustverifythatcertificatehasnotbeenrevokedCApublishesCertificateRevocationList(CRL)握手过程（3）客户机认证和密钥交换ClientverifiesthattheServer’sCertisvalid,andchecksthatparameterssentarevalidIfacertwasrequested,thentheClientsendsoneServergeneratesaPreMasterSecretsPM握手过程（3）GAPMPMGAPMPMGAPMPMAGPMKr||r||s||'CCC'1SHA||s5MD||r||r||s||'BB'1SHA||s5MD||r||r||s||'A'1SHA||s5MDMS))r||MS||8to1Messages(hash||r||MS(hash:GA.9sE:GA.8}Cert509X_A{:GA.7G+KGisthepublickey,andhenceE+KGisaencryptionusingthepublickeygainedfromthecertificateMessages1to8istheconcatenationoffirst8messagesMSismastersecretandStep9isforverification握手过程（3）ClienttellsServertochangecipher(viatheChangeCipherProtocol).ServerrespondswithitsownchangedciphermessageFinishedMessagearehashesforverification)r||MS||Server||9to1Messages(hash||r||MShash:AG.13}gedCipherChan{:AG.12)r||MS||Client||9to1Messages(hash||r||MShash:GA.11}erChangeCiph{:GA.10AGAGChangeCipherSpecAsinglebyteissentafternewcipherparametershavebeenagreedupon.“Pending”parametersbecomeactivated.SSLAlertProtocolSignalsthatunusualconditionshavebeenencountered.Eachmessageconsistsoftwobytes.Firstbyteisa(1)ifawarningora(2)ifafatalerror.Iferrorisfatal,theconnectionisterminated(otherconnectionsmaycontinue…).Secondbytesaysthetypeoferror.Unexpected_Message:FatalBad_Record_MAC:FatalDecompression_Failure:FatalHandshake_Failure:FatalAndmanymore…SSL加密MastersecretGeneratedbybothpartiesfrompremastersecretandrandomvaluesgeneratedbybothclientandserverKeymaterialGen