ssl_prequisites.tex 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235
  1. \chapter{The Secure Layer \label{chap:ssl}}
  2. Transport Layer Security, formerly known as SSL (Secure Socket Layer), aims
  3. to bring some security features over a communication channel, specifically
  4. providing \strong{integrity} and \strong{confidentiality} of the message,
  5. \strong{authenticity} of the server and optionally the client.
  6. %% fuck osi layers: there is no code explicitly structuring the internet in 7
  7. %% layers.
  8. Many ancient application protocols wrapped themselves to be over TLS/SSL, with
  9. the only difference of the ``s'' appended to the protocol name (such as HTTPs,
  10. IMAPs). It is nowadays widely adopted all over the world, becoming the de-facto
  11. standard for end-to-end encryption.
  12. \paragraph{Certification Authorities} are authorities to whom it is granted the
  13. power to \emph{authenticate} the peer. Pragmatically, they are public keys
  14. pre-installed on your computer that decide who and who not to trust by employing
  15. a digital signature.
  16. In order to overcome the proliferation of keys to be distributed, and satisfy the
  17. use-case of a mindless user willing to accomplish a secure transaction on the
  18. internet, the following, hierarchical trust model proliferated (~\cite{rfc4158},
  19. Fig.2)\footnote{
  20. The image is merely esemplificative, there is no boundary to the structure of
  21. the tree.}:
  22. \\
  23. \\
  24. %% E` BELLISSIMO QUESTO COSO
  25. \begin{center}
  26. \begin{tikzpicture}[
  27. scale=0.8,
  28. align=center,
  29. level/.style={sibling distance=60mm/#1}]
  30. \node [draw] (z){Root CA}
  31. child {node [circle,draw] (a) {CA}
  32. child {node [circle,draw] (b) {CA}
  33. child {node {$\vdots$}
  34. child {node [circle,draw] (d) {EE}}
  35. child {node [circle,draw] (e) {EE}}
  36. }
  37. child {node {$\vdots$}}
  38. }
  39. child {node [circle,draw] (g) {CA}
  40. child {node {$\vdots$}}
  41. child {node {$\vdots$}}
  42. }
  43. }
  44. child {node [circle,draw] (j) {CA}
  45. child {node [circle,draw] (k) {CA}
  46. child {node {$\vdots$}}
  47. child {node {$\vdots$}}
  48. }
  49. child {node [circle,draw] (l) {CA}
  50. child {node {$\vdots$}}
  51. child {node (c) {$\vdots$}
  52. child {node [circle,draw] (o) {EE}}
  53. child {node [circle,draw] (p) {EE}
  54. child [grow=right] {node (q) {$\Rightarrow$} edge from parent[draw=none]
  55. child [grow=right, xshift=1cm] {node (q) {End Entities} edge from
  56. parent[draw=none]
  57. child [grow=up] {node (r) {$\vdots$} edge from parent[draw=none]
  58. child [grow=up] {node (s)
  59. {Certification\\ Authorities} edge from parent[draw=none]
  60. child [grow=up] {node (t)
  61. {Certification\\ Authorities} edge from parent[draw=none]
  62. child [grow=up] {node (u) {Root Authorities} edge from
  63. parent[draw=none]}
  64. }
  65. }
  66. }
  67. }
  68. }
  69. }
  70. }
  71. }
  72. };
  73. \path (o) -- (e) node (x) [midway] {$\cdots$}
  74. child [grow=down] {
  75. %%node [draw] (y) {End User}
  76. edge from parent[draw=none]
  77. };
  78. \path (u) -- (z) node [midway] {$\Rightarrow$};
  79. \path (s) -- (l) node [midway] {$\Rightarrow$};
  80. \path (j) -- (t) node [midway] {$\Rightarrow$};
  81. %% \path (y) -- (x) node [midway] {$\Downarrow$};
  82. \path (e) -- (x) node [midway] {$\cdots$};
  83. \path (o) -- (x) node [midway] {$\cdots$};
  84. \path (r) -- (c) node [midway] {$\cdots$};
  85. \end{tikzpicture}
  86. \end{center}
  87. \vfill
  88. There are two types of authorities: root CAs and intermediate CAs. Root
  89. Authorities are the only nodes ultimately considered trustoworthy by the end
  90. user. Their private key is used to sign digital certificates, either to
  91. Certificate Authorities, to which is delegated the power of authenticating
  92. others, or End Entities, holders of a private key and their corresponding
  93. certificate whose identity has been verified.
  94. Upon connecting, the client will check to see if the certificate presented was issued
  95. by a CA present in the trust store (root CA); otherwise it will check to see if
  96. it has been issued by a trusted CA, and so on until either a trusted CA is
  97. found or no trusted authority is found. In the latter case, the connection is aborted.
  98. \paragraph{The protocol} is actually a collection of many sub-protocols:
  99. \begin{itemize}
  100. \setlength{\itemsep}{1pt}
  101. \setlength{\parskip}{0pt}
  102. \setlength{\parsep}{0pt}
  103. \item \strong{\emph{handshake}} protocol, a messaging protocol that allows to
  104. \emph{authenticate} the peers, and eventually restore a past encrypted
  105. session.
  106. \item \strong{\emph{record}} protocol, permitting the encapsulation of higher level protocols,
  107. like HTTP and even the next two sub-protocols. It is the fulcrum for all data
  108. transfer.
  109. \item \strong{alert} protocol, which steps-in at any time from handshake to closure of the
  110. session in order to signal a fatal error. The connection will be closed
  111. immediately after sending an alert record.
  112. \item \strong{changespec} protocol, to notify and negotiate with the receiver that
  113. subsequent records will be protected under the just negotiated keys and
  114. \texttt{Cipher Spec}.
  115. \end{itemize}
  116. We will now proceed with a brief synopsis of the first two of these protocols,
  117. due to their relevant role inside the connection, but will not proceed further,
  118. as they were the only two we actually used in our research.
  119. \section{The \texttt{handshake} protocol}
  120. As mentioned above, the handshake occurs whenever a machine attempts to start
  121. a TLS connection. If there is no session identifier, a new one is being built
  122. up; otherwise the client will include the session-id in the initial
  123. communication and the server will eventually skip the key agreement phase since
  124. %% XXX. check the use of verb happened
  125. it has happened recently\footnote{``recently'' is not well-defined in
  126. the standard - it is suggested an upper limit of 24-hours lifetime, but the
  127. only actual constraint is that both client and server agree on it.}.\\
  128. A new session identifier gets built as follows. Once a communication channel
  129. over the transport layer has been established, the client sends a hello
  130. message, to which the server must respond with a server hello, or else a fatal error
  131. will occurr. The above hello messages agree the two parties on the TLS protocol
  132. version, compression and encryption methods, and establish a session identifier
  133. (\cite{rfc2246} \S 7.3).
  134. Following the hello messages, the server will send its certificate,
  135. if it is to be authenticated. If the client is happy with it, a RSA or
  136. Diffie-Hellmann key exchange is initiated by the client to establish the
  137. symmetric key to be used for the ensuing session.
  138. \section{The \texttt{record} protocol}
  139. Once the two parties share a common secret, called \emph{premaster secret},
  140. they can generate a new key to be used for symmetric encryption of message, and
  141. another for message authentication.
  142. All TLS protocol messages move in records of up to 16K, containing 3
  143. main components: MAC-data, data, and padding.
  144. \begin{itemize}
  145. \item {MAC-data} is no other than the Message Authentication Code over the
  146. encrypted \emph{data} sent
  147. (SSL performs the encrypt-then-mac mode of operation).
  148. It provides \strong{authenticity} and \strong{integrity} of the message.
  149. \item {Data} is the actual message, encrypted after a possible compression.
  150. \item The {Padding} section contains informations about the padding algorithm
  151. adopted, and the padding size.
  152. \end{itemize}
  153. Failure to authentication, or decryption will result in I/O error and a close of
  154. the connection.
  155. \vfill
  156. \section{What is inside a certificate \label{sec:ssl:x509}}
  157. SSL certificates employed the X.509 PKI standard, which specifies, among other
  158. things, the format for revocation lists, and certificate path validation
  159. algorithms.
  160. \\
  161. \begin{center}
  162. \scalebox{0.7}{
  163. \begin{bytefield}[bitwidth=0.95em]{16}
  164. \begin{rightwordgroup}{Certificate}
  165. \wordbox{1}{Version} \\
  166. \wordbox{1}{Serial Number} \\
  167. \wordbox{1}{Algorithm ID} \\
  168. \wordbox{2}{Validity \\ \tiny{$\angular{\text{NotBefore, NotAfter}}$}} \\
  169. \wordbox{2}{Issuer \\ \tiny{eventually plus Issuer Unique Identifier}} \\
  170. \wordbox{2}{Subject \\ \tiny{eventually plus Subject Unique Identifier}} \\
  171. \wordbox{2}{Subject Public Key Information \\
  172. \tiny{$\angular{\text{PubKey algorithm, PubKey}}$}} \\
  173. \wordbox[lrt]{1}{Extensions} \\
  174. \skippedwords \\
  175. \wordbox[lrb]{1}{}
  176. \end{rightwordgroup} \\
  177. \wordbox{1}{Certificate Signature Algorithm} \\
  178. \wordbox{1}{Certificate Signature} \\
  179. \end{bytefield}
  180. }
  181. \end{center}
  182. It is a pretty old standard, defined in the eighties by the International
  183. Telecommunication Union.
  184. Born before HTTP, it was initially thought \emph{in abstracto} to be
  185. extremely flexible and general\footnote{
  186. \textit{``X.509 certificates can contain just anything''} ~\cite{SSLiverse}
  187. }.
  188. And precisely for this flexibility and its adaptation to the SSL/TLS protocol
  189. without a very-well defined structure have been its major flaws: it is still
  190. difficult to write good, reliable software parsing a X.509 certificate.
  191. \section{Remarks among SSL/TLS versions}
  192. The first, important difference to point out here is that SSLv2 is no more
  193. considered secure. There are known attacks on the primitives adopted (MD5, for
  194. example \cite{rfc6176}) as well as protocol flaws.
  195. SSLv2 would allow a connection to be closed via a not-authenticated TCP segment
  196. with the \texttt{FIN} flag set (\cite{rfc6176} \S 2). Padding informations are sent in
  197. clear, and the payload is not compressed before encrypting, allowing a malicious
  198. attacker traffic analysis capabilities \cite{sslpadding}. The ciphersuite is negotiated using
  199. non-authenticated informations, allowing an attacker to influence the choice of
  200. the \texttt{Cipher Spec} and weaken the security of the communication
  201. \cite{rfc6176} \S 2.
  202. Most of these vulnerabilities have been addressed by the later SSLv3, which
  203. introduced compression and protection against truncation attacks.
  204. Its standardized twin, TLS 1.0, only differs on the cipher suite and key
  205. calculation requirements, strengthen in order to increase the security of the
  206. channel \cite{rfc2246}.
  207. Both SSLv3 and TLS 1.0 have been threatened in 2011 by an attack that could break
  208. the same origin policy, known as BEAST. It is not dramatic, and almost any
  209. browser now mitigates its spectrum of action.
  210. Even if TLS 1.1, and TLS 1.2 are considered safe as of today, attacks such as
  211. CRIME, and lately BREACH constitute a new and valid instance of threat for HTTP
  212. compressions mechanisms. However, as their premises go beyond the scope of this
  213. document, all these attacks have not been analyzed. For further informations, see
  214. \url{http://breachattack.com/}.
  215. %%% Local Variables:
  216. %%% mode: latex
  217. %%% TeX-master: "question_authority.tex"
  218. %%% End: