Добавил:

Upload Опубликованный материал нарушает ваши авторские права? Сообщите нам.

Вуз:

Балтийский федеральный университет им. И.Канта

Предмет:

[НЕСОРТИРОВАННОЕ]

Файл:

Internet.Security

.pdf

Скачиваний:

Добавлен:

10.02.2015

Размер:

3.75 Mб

Скачать

☆

<<< < Предыдущая 19 20 21 22 23 24 25 26 27 28 29 30 3132 / 4332 33 34 35 36 37 38 39 40 41 42 43 > Следующая >>>

290	INTERNET SECURITY

The ﬁnished message is ﬁrst protected with just-negotiated algorithms, keys and secrets. Recipients of ﬁnished messages must verify that the contents are correct. Once a side has sent its ﬁnished message and received and validated the ﬁnished message from its peer, it may begin to send and receive application data over the connection. Application data treated as transparent data is carried by the Record Layer and is fragmented, compressed and encrypted based on the current connection state.

8.2 Cryptographic Computations

The key exchange, authentication, encryption and MAC algorithms are determined by the cipher suite selected by the server and revealed in the server hello message. The compression algorithm is negotiated in the hello messages, and the random values are exchanged in the hello messages. The creation of a shared master secret by means of the

key exchange and the generation of cryptographic parameters from the master secrete are
of interest to study as two further items.	Y
	L
8.2.1 Computing the Master SecretF

M A For all key exchange methods,Ethe same algorithm is used to convert the premaster secret

into the master secret. TIn order to create the master secret, a premaster secret is ﬁrst exchanged between two parties and then the master secret is calculated from it. The master secret is always exactly 48 bytes (384 bits) shared between the client and server. But the length of the premaster secret is not ﬁxed and will vary depending on the key exchange method. There are two ways for the exchange of the premaster secret:

•RSA: When RSA is used for server authentication and key exchange, a 48-byte premaster secret is generated by the client, encrypted with the server’s public key and sent to the server. The server decrypts the ciphertext (of the premaster secret) using its private key to recover the premaseter secret. Both parties then convert the premaster secret into the master secret as speciﬁed below.

•Difﬁe–Hellman: A conventional Difﬁe – Hellman computation is performed. Both client and server generate a Difﬁe-Hellman common key. This negotiated key is used as the premaster secret and is converted into the master secret, as speciﬁed below.

The client and server then compute the master secret as follows:

master_secret = MD5(pre_master_secret||SHA(‘A’|| pre_master_secret||ClientHello.random||

ServerHello.random))|| MD5(pre_master_secret||SHA(‘BB’|| pre_master_secret||ClientHello.random||

ServerHello.random))|| MD5(pre_master_secret||SHA(‘CCC’|| pre_master_secret||ClientHello.random||

ServerHello.random))

Team-Fly®

TRANSPORT LAYER SECURITY: SSLV3 AND TLSV1

291

						1
					premaster_secret
			2						3
		ClientHello.random						ServerHello.random
						1	2	3
‘A’	1	2	3	‘BB’	1	2	3	‘CCC’	1	2	3
SHA-1				SHA-1				SHA-1
	H1				H2				H3
1	H1		1		H2			1	H3
MD5			MD5					MD5

master_secret (48 bytes)

Figure 8.6 Computation of the master secret.

where ClientHello.random and ServerHello.random are the two nonce values exchanged in the initial hello messages.

The generation of the master secret from the premaster secret is shown in Figure 8.6.

8.2.2Converting the Master Secret into Cryptographic Parameters

CipherSpec speciﬁes the bulk data encryption algorithm and a hash algorithm used for MAC computation, and deﬁnes cryptographic attributes such as the hash size.

To generate the key material, the following is computed:

292	INTERNET SECURITY

key_block = MD5(master_secret||SHA(‘A’||master_secret|| ServerHello.random||ClientHello.random))||

MD5(master_secret||SHA(‘BB’||master_secret||

ServerHello.random||ClientHello.random))||

MD5(master_secret||SHA(‘CCC’||master_secret|| ServerHello.random||ClientHello.random))||. . .

until enough output has been generated. Note that the generation of the key block from the master secret uses the same format for generation of the master secret from the premaster secret. Figure 8.7 illustrates the steps for generation of the key block from the master secret.

						1
					master_secret
			2							3
		ServerHello.random							ClientHello.random
							1	2	3
‘A’	1	2	3	‘BB’	1	2	3		‘CCC’	1	2	3
SHA-1				SHA-1					SHA-1
	H1				H2					H3
1	H1		1		H2			1		H3
MD5			MD5					MD5

key_block

Figure 8.7 Generation of key block.

TRANSPORT LAYER SECURITY: SSLV3 AND TLSV1

293

8.3 TLS Protocol

The TLSv1 protocol itself is based on the SSLv3 protocol speciﬁcation as published by Netscape. Many of the algorithm-dependent data structures and rules are very close so that the differences between TLSv1 and SSLv3 are not dramatic. The current work on TLS is aimed at producing an initial version as an Internet standard. It is recommended that readers examine the comparative studies between the TLSv1 of RFC 2246 and SSLv3 of Netscape. In this section, we will not repeat every detailed step of identical protocol contents, but only highlight the differences.

8.3.1HMAC Algorithm

A Keyed-hashing Message Authentication Code (HMAC) is a secure digest of some data protected by a secret. Forging the HMAC is infeasible without knowledge of the MAC secret. HMAC can be used with a variety of different hash algorithms, namely MD5 and SHA-1, denoting these as HMAC MD5(secret, data) and HMAC SHA-1(secret, data).

There are two differences between the SSLv3 and TLSMAC schemes. TLS makes use of the HMAC algorithm deﬁned in RFC 2104. HMAC was fully discussed in Chapters 4 and 7 and deﬁned as:

HMAC = H [(K opad)||H [(K ipad)||M]]

where

ipad = 00110110(0x36) repeated 64 times (512 bits) opad = 01011100(0x5c) repeated 64 times (512 bits)

H = one-way hash function for TLS (either MD5 or SHA-1) M = message input to HMAC

K = padded secret key equal to the block length of the hash code (512 bits for MD5 and SHA-1)

The following explains the HMAC equation:

1.Append zeros to the end of K to create a b-byte string (i.e. if K = 160 bits in length and b = 512 bits, then K will be appended with 352 zero bits or 44 zero bytes 0x00).

2.XOR (bitwise exclusive-OR) K with ipad to produce the b-bit block computed in step 1.

3.Append M to the b-byte string resulting from step 2.

4.Apply H to the stream generated in step 3.

5.XOR (bitwise exclusive-OR) K with opad to produce the b-byte string computed in step 1.

6.Append the hash result H from step 4 to the b-byte string resulting from step 5.

7.Apply H to the stream generated in step 6 and output the result.

294	INTERNET SECURITY

Padding
K ' = 512 bits		M
b = 512 bits		b = 512 bits	b	b	b	M	b
b = 512 bits
ipad	Ωi	\|\| M				…
ipad	Ωi	\|\| M	Ωi	M0	M1	…	ML −1
Ωi = K ' ipad ≡ b				b = 512 bits

opad

b = 512 bits

h = 160 bits (SHA-1)

160 bits (SHA-1)

128 bits (MD5)

Padding

b = 512 bits

160 bits (SHA-1) IV

128 bits (MD5)

HMAC(M)

Figure 8.8 Overall operation of HMAC computation using either MD5 or SHA-1 (message length computation based on i ||M).

Figure 8.8 illustrates the overall operation of HMAC – MD5 or HMAC – SHA-1.

Example 8.1 HMAC – SHA-1 computation using RFC method:

Data : 0x 7104f218 a3192e65 1cf7025d 8011bf79 4a19

Key : 0x 31fa7062 c45113e3 2679fd13 53b71264

–	A	B	C	D	E

IV	67452301	efcdab89	98badcfe	10325476	c3d2e1f0
H [(K ipad)\|\|M]	8efeef30	f64b360f	77fd8236	273f0784	613bbd4b
H [(K opad)\|\|H [(K	31db10b8	ed346850	d0f0b7dd	50fd71f4	2dacd24c
ipad)\|\|M]]

HMAC – SHA-1 = 0x 31 db10b8 ed346850 d0f0b7dd 50fd71f4 2dacd24c

The alternative operation for computation of either HMAC – MD5 or HMAC – SHA-1 is described in the following:

	TRANSPORT LAYER SECURITY: SSLV3 AND TLSV1						295
	K
	Padding
	K ' = 512 bits		Mi
			b = 512 bits			M
	b = 512 bits		Ωi \|\| Mi	b	b	b	b
	b = 512 bits					M1 …
	ipad			Ωi	M0	M1 …	ML −1
	Ωi = K ' ipad ≡ b					b = 512 bits
	Ωi					b = 512 bits
	Ωi			Mi
opad	IV	f	(IV)i	H
opad	IV	f		H
	128 bits		128 bits
				h = 128 bits
IV	f			Padding
128 bits
				b = 512 bits

(IV)0

128 bits

HMAC(M )

Figure 8.9 Alternative operation of HMAC computation using MD5 (message length computation is based on M only).

1.Append zeros to K to create a b-bit string K , where b = 512 bits.

2.XOR K (padding with zero) with ipad to produce the b-bit block.

3.Apply the compression function f(IV, K ipad) to produce (IV)i = 128 bits.

4.Compute the hash code h with (IV)i and Mi .

5.Raise the hash value computed from step 4 to a b-bit string.

6.XOR K (padded with zeros) with opad to produce the b-bit block.

7.Apply the compression function f(IV, K opad) to produce (IV)o = 128 bits.

8.Compute the HMAC with (IV)o and the raised hash value resulting from step 5.

Figure 8.9 illustrates the overall operation of HMAC – MD5.

Example 8.2 HMAC-MD5 computation using alternative method: Data : 0x 2143f501 f014a713 c1059e23 7123fd68

Key : 0x 31fa7062 c45113e3 2679fd13 53b71264

296 INTERNET SECURITY

–	A	B	C	D

IV	67452301	efcdab89	98badcfe	10325476
f[(K ipad), I V ] = (I V )i	13fbaf34	034879ab	35e73505	526a8d28
H [M, (I V )i]	90c6d9b0	0f281bc8	94d04b33	7f0f4265
f[(K opad), I V ] = (I V )o	5f8647d7	fa8e9afa	bffa4989	3cd471d1
H [H [M, (I V )i], (I V )o]	2c47cd5b	68830268	7d255059	45c7bef0

HMAC – MD5 = 0x 2c47cd5b 68830268 7d255059 45c7bef0

For TLS, the MAC computation encompasses the ﬁelds indicated in the following expression:

HMAC_hash(MAC_write_secret, seq_num||TLScompressed.type|| TLSCompressed.version||TLSCompressed.length|| TLSCompressed.fragment)

Note that the MAC calculation includes all of the ﬁelds covered by the SSLv3 computation, plus the ﬁeld TLSCompressed.version, which is the version of the protocol being employed.

8.3.2 Pseudo-random Function

TLS utilizes a pseudo-random function (PRF) to expand secrets into blocks of data for the purposes of key generation or validation. The PRF takes relatively small values such as a secret, a seed and an identifying label as input and generates an output of arbitrary longer blocks of data.

The data expansion function, P hash(secret, data), uses a single hash function to expand a secret and seed into an arbitrary quantity of output. The data expansion function is deﬁned as follows:

P_hash(secret, seed) = HMAC_hash (secret, A(1)||seed) || HMAC_hash (secret, A(2)||seed) || HMAC_hash (secret, A(3)||seed) ||. . .

where A() is deﬁned as:

A(0) = seed

A(i) = HMAC hash(secret, A(i-1)) and || indicates concatenation.

Applying A(i), i = 0, 1, 2, . . . , to P hash, the resulting sketch can be depicted as shown in Figure 8.10. As you can see, P hash is iterated as many times as necessary to produce the required quantity of data. Thus the data expansion function makes use of the HMAC algorithm with either MD5 or SHA-1 as the underlying hash function. As an example, consider SHA-1 whose value is 20 bytes (160 bits). If P SHA-1 is used to create 64 bytes (512 bits) of data, it will have to be iterated four times up to A(4), creating

TRANSPORT LAYER SECURITY: SSLV3 AND TLSV1

297

	Seed(A(0))
Secret	HMAC	A(1) = HMAC_hash (secret, A(0))
	A(1)	A(1) = HMAC_hash (secret, A(0))
	A(1)
	HMAC	HMAC	A(2) = HMAC_hash (secret, A(1))
		A(2)	A(2) = HMAC_hash (secret, A(1))
		A(2)
		HMAC	HMAC	A(3) = HMAC_hash (secret, A(2))
			A(3)	A(3) = HMAC_hash (secret, A(2))
			A(3)	. . .
				. . .

HMAC

. . .

data expansion unit by hashing

Figure 8.10 TLS data expansion mechanism using P hash(secret,seed).

20 × 4 = 80 bytes (640 bits) of output data. Hence, the last 16 bytes (128 bits) of the ﬁnal iteration A(4) must be discarded, leaving (80 − 16) = 64 bytes of output data. On the other hand, MD5 produces 16 bytes (128 bits). In order to generate an 80-byte output, P MD5 should exactly be iterated through A(5), while P SHA-1 will only iterate through A(4) as described above. In fact, alignment to a shared 64-byte output will be required to discard the last 16 bytes from both P SHA-1 and P MD5.

TLS’s PRF is created by splitting the secret into two halves (S1 and S2) and using one half to generate data with P MD5 and the other half to generate data with P SHA-1. These two results are then XORed to produce the output. S1 is taken from the ﬁrst half of the secret and S2 from the second half. Their length is respectively created by rounding up the length of the overall secret divided by 2. Thus, if the original secret is an odd number of bytes long, the last bytes of S1 will be the same as the ﬁrst byte of S2:

L S = length in bytes of secret

L S1 = L S2 = ceil(L S/2)

298	INTERNET SECURITY

The PRF is then deﬁned as the result of mixing the two pseudo-random streams by XORing them together. The PRF is deﬁned as:

PRF(secret, label, seed) = P MD5(S1, label||seed) P SHA − 1(S2, label||seed)

The label is an ASCII string. Figure 8.11 illustrates the PRF generation scheme to expand secrets into blocks of data.

Example 8.3 Refer to Figure 8.11. Suppose the following parameters are given:

seed = 0x 80 af 12 5c 7e 36 f3 21

label = rocky mountains = 0x 72 6f 63 6b 79 20 6d 6f 75 6e 74 61 69 6e 73 secret = 0x 35 79 af 12 c4

Then

label||seed = 0x 72 6f 63 6b 79 20 6d 6f 75 6e 74 61 69 6e 73 80 af 12 5c 7e 36 f3 21

= A(0)

S1 = 0x 35 79 af for P MD5, S2 = 0x af 12 c4 for P SHA − 1

Data expansion by P MD5 :

A(1) = HMAC MD5(S1, A(0))

= d0 de 36 53 79 78 04 a0 21 b8 6f f8 29 60 d5 f7

	seed
label	\| \|
label

S1	P_MD5	P_SHA-1	S2
S1	P_MD5	P_SHA-1	S2

PRF(secret, label, seed)

S1: First half of the secret

S2: Second half of the secret

P_MD5: Data expansion function to expand a secret

S1 and (seed| | secret) using MD5

P_SHA-1: Data expansion function to expand a secret

S2 and (seed| | secret) using SHA-1

Figure 8.11 A pseudo-random function (PRF) generation scheme.

TRANSPORT LAYER SECURITY: SSLV3 AND TLSV1

299

HMAC MD5(S1, A(1)||A(0))

=32 fd b3 70 eb 36 11 70 a4 3b 50 a9 fb ea 2a ec A(2) = HMAC MD5(S1, A(1))

=8c ce 5b 50 02 af 75 91 e7 20 cd 86 d9 3e 67 9d HMAC MD5(S1, A(2)||A(0))

=1f a8 4c af 5d e1 20 01 ea b0 38 6a a5 76 f9 8e A(3) = HMAC MD5(S1, A(2))

=45 48 5d 00 4e 64 07 45 eb 2c 18 60 7c e6 fa 1f HMAC MD5(S1, A(3)|| A(0))

=f0 23 29 d9 5e 89 4b 70 cc 45 f8 aa 1f 58 8e 55 A(4) = HMAC MD5(S1, A(3))

=87 39 c6 d3 7a b f8 e3 29 79 3a ae 63 24 6a ff HMAC MD5(S1, A(4)|| A(0))

=2e 0c 27 26 d0 b4 78 85 09 a2 69 1c 1b 1b d7 8d A(5) = HMAC MD5(S1, A(4))

=3a 2c aa d8 b3 ec 2e 5d 40 1c 39 bd 3e 48 1a d9 HMAC MD5(S1, A(5)|| A(0))

=92 f2 63 5d 88 3a dd bf 8d ec e1 cf 0c 5c 8f 4c where S1 = 0x 35 79 af = ﬁrst half of the secret, and A(0) = label||seed

Thus, P MD5 equals:

(80 bytes)

Data expansion by P SHA-1 :

A(1) = HMAC SHA1(S2, A(0))

=aa ea 46 1b a6 ad 43 34 51 f8 c6 ef 70 dd f4 60 ca b9 40 2f HMAC SHA1(S2, A(1)|| A(0))

=d0 8a d5 07 e0 b8 30 78 70 d9 c8 bb dd ba f5 a3 d0 77 49 e8 A(2) = HMAC SHA1(S2, A(1))

=33 fd 23 41 01 ce 06 f8 c0 2b b3 e6 54 21 1c f4 6c 88 ab da

<<< < Предыдущая 19 20 21 22 23 24 25 26 27 28 29 30 3132 / 4332 33 34 35 36 37 38 39 40 41 42 43 > Следующая >>>

Соседние файлы в предмете [НЕСОРТИРОВАННОЕ]

#
31.07.201940.86 Кб13Informatika_2011.docx
#
21.11.2019368.64 Кб7inf_selfwork.doc
#
27.11.2019103.94 Кб7Institut_konfiskatsii_v_zarubezhnykh_stranakh.doc
#
10.02.201513.28 Mб25intel_v10_full_final.pdf
#
10.02.20156.96 Mб13InterAction_Noyabr_2013.pdf
#
10.02.20153.75 Mб30Internet.Security.pdf
#
10.02.201588.58 Кб65inzhiniring.doc
#
22.12.2018128.51 Кб10iogp_zachet_1.doc
#
22.08.20198.55 Mб10ISE_WP.docx
#
10.02.2015772.41 Кб33issledovanie_roli_fin1.docx
#
10.02.20157.36 Mб21ISSLEDOVATEL_SKAYa_2.doc