SSL/TLS

Pre-requisite

TCP/IP networking basics.

Goal

The goal of this series is to learn about SSL/TLS in detail.

Target Audience

Computer Science, Information Technology and Engineering students, IT professionals, or anyone interested in learning SSL/TLS (assuming they know TCP/IP networking basics).

What is covered?

The job of SSL is simple: to secure application data and hand it over to the transport layer for delivery. This series covers how that happens.

In SSL, the authentication of server and client mostly happens using SSL certificates via public key cryptography. The most commonly used algorithms for this authentication are RSA, DSA and ECDSA, with RSA used far more than the other two. We will briefly cover all three of them.

After mutual authentication there is a key exchange phase, in which the client and server either exchange a symmetric key or each derive it from common public parameters shared between them. The most commonly used algorithms for this are RSA, DHE and ECDHE. We will cover all three of them.

We will go through the entire handshake process and how its security is guaranteed at the end using a FINISHED message exchanged by both client and server.

When application data transmission starts after the handshake, it is encrypted using a symmetric key algorithm such as a stream or block cipher (e.g. RC4, 3DES, AES). Hence we will briefly cover some cryptography basics as well as the most commonly used stream/block ciphers in SSL. We will also quickly go through the related cryptographic primitives: hash functions, MAC, HMAC and pseudo-random number generators.

We will then see the TLS extensions commonly used.

I will try to show demos using openssl/python/curl/browser as much as possible, whenever I can.

I hope you will enjoy this series as much as I enjoy creating it and learning along with you.

Series Playlist:

Please check the description below each video in case there is any ERRATA. I will also include the ERRATA on this page.

Note: You can ignore any reference to F5 BIGIP/ssldump in this series (these references occur only briefly in two episodes, ep. 1 and 5). All other content is generic, and skipping them will not affect your understanding of SSL/TLS.

Episodes

Episode-1 (4 Dec 2017 SGT)
Duration: 18 min 37 sec

– What is SSL/TLS?
– where does it fit in the TCP/IP model?
– glimpse of SSL packets in wireshark/ssldump/tshark
– brief history of SSL
– commonly used SSL libraries

Episode-2 (5 Dec 2017 SGT)
Duration: 18 min 37 sec

– confidentiality, integrity, authenticity, non-repudiation, no replay
– cryptology, cryptography, cryptanalysis
– modular arithmetic, mod 2 addition, XOR
– why is XOR a good encryption function?
– encrypting using XOR

Episode-3 (6 Dec 2017 SGT)
Duration: 23 min 03 sec

– private/secret key cryptography
– public key cryptography
– symmetric and asymmetric cipher
– stream cipher and block cipher
– synchronous and asynchronous stream cipher
– RC4, A5/1, A5/2, SALSA20, CHACHA20
– hardware based stream cipher: Grain128a
– RC4 demo using openssl

Episode-4 (7 Dec 2017 SGT)
Duration: 24 min 39 sec

– RC4
– block cipher
– DES, 3DES, AES, A5/3, CAMELLIA, ARIA, blowfish, twofish
– DES/3DES security

ERRATA:
1) DES = Data Encryption Standard. By mistake, in the video I said Digital Encryption Standard. Sorry for the mistake.

Episode-5 (9 Dec 2017 SGT)
Duration: 31 min 24 sec

– review of DES/3DES security
– USSR competing standard to DES
– GOST 28147-89 (Magma)
– GOST R34.12-2015 (Kuznyechik)
– GOST security
– CAMELLIA from Japan
– ARIA from South Korea
– block cipher: what is secure permutation and mode of operation

Episode-6 (15 Dec 2017 SGT)
Duration: 24 min 46 sec

– NIST AES competition
– Rijndael
– Block Cipher: Mode of Operation
– ECB mode
– problems with ECB mode (retain pattern in input in the ciphertext, replay attack, deterministic encryption)
– Need for IV/Nonce; probabilistic encryption
– CBC mode (how it works)

Episode-7 (18 Dec 2017 SGT)
Duration: 38 min 47 sec

– DES-ECB demo using openssl
– change the key, yet the ciphertext is the same! Why?
– concept of parity bit in DES key
– understand deterministic encryption
– DES-CBC demo using openssl
– observe “deterministic” and “probabilistic” encryption respectively in the demo
– block cipher padding demo using DES and openssl
– CTR (counter) mode of operation
– Effect of Nonce reuse for a given key
– demo to observe which block cipher, key size and mode of operation popular HTTPS websites use

Episode-8 (19 Dec 2017 SGT)
Duration: 48 min 44 sec

– seeing encrypted binary output as readable text
– base64 encoding and how it works
– SSL cert in PEM format uses base64; see demo using openssl
– using password instead of key, IV
– PBKDF, PBKDF2; wifi e.g., python demo
– DES demo using password instead of key/IV
– openssl uses a salt by default; what is a salt?
– 3DES: 168 bit vs 192 bit; 112 bit vs 128 bit
– 3DES key ring option#1 demo
– 3DES key ring option#2 demo
– AES-CBC mode demo with different key sizes (the IV size does not change)

Episode-9 (21 Dec 2017 SGT)
Duration: 51 min 18 sec

– SSL very brief overview (parameter exchange, certificate exchange and authentication, key exchange and key computation, handshake integrity check, encrypted application data communication, close notify)
– where are we now in this series?
– integrity
– hashing function
– cryptographic vs non-cryptographic hash functions, with examples
– MD5
– security of a hash function
– preimage resistance
– second preimage resistance (weak collision resistance)
– collision resistance (strong collision resistance)
– MD5 security
– birthday paradox
– birthday attack

Episode-10 (27 Dec 2017 SGT)
Duration: 32 min 37 sec

– MD5 collision demo
– SHA-0 and its security
– SHA-1 and its security
– SHA-1 collision demo
– SHA-2 {224, 256, 384, 512} and its security
– NIST SHA-3 competition
– SHA-3
– SHAKE (Keccak – Extendable Output Function)
– BLAKE2
– Chinese SM3 hash function
– Russian Streebog hash function
– Ukrainian Kupyna hash function

Episode-11 (28 Dec 2017 SGT)
Duration: 35 min 45 sec

– MAC (Message Authentication Code)
– authenticity, integrity
– non-repudiation
– Digital Signature (e.g. using RSA)
– MAC vs Digital Signature
– MAC using hash function
– secret-prefix MAC
– secret-suffix MAC
– MAC: length extension attack
– Merkle–Damgård construction used in hash function
– MAC: diff key/message size attack
– MAC: collision attack
– HMAC
– HMAC-SHA256 demo

Episode-12 (3 Jan 2018 SGT)
Duration: 56m19s

– where are we in this series?
– problems with symmetric key cryptography
– key exchange problem
– large number of keys
– maintenance nightmare
– e.g. World War II: German Enigma
– WWII: code breakers at Bletchley Park
– WWII: Alan Turing Bombes
– WWII: German Lorenz Cipher
– WWII: British “Colossus” at Bletchley Park
– Very very brief history of Public Key Cryptography
– Ralph Merkle and public key distribution
– Whitfield Diffie
– Martin Hellman
– Invention of Diffie-Hellman Key Exchange and Digital Signature
– Ronald Rivest
– Adi Shamir
– Leonard Adleman
– Invention of RSA algorithm and full fledged practical public key crypto system
– The unsung heroes of public key cryptography
– secret project at GCHQ
– James Ellis
– Clifford Cocks
– Malcolm Williamson

Episode-13 (11 March 2018 – SGT)
Duration: 59m35s

– how RSA works
– integer factorization problem
– modulus, public exponent, private exponent
– Euler’s totient function
– need for faster exponentiation
– view RSA modulus and public exponent of google server certificate
– RSA encryption/decryption using openssl
– RSA encryption/decryption using python3
– RSA digital signature generation and verification using openssl

Episode-14 (14 March 2018 – SGT)
Duration: 16m36s

– how to use Chinese Remainder Theorem and Euler’s Theorem to perform faster exponentiation
– openssl RSA private key file has three additional parameters called exponent1, exponent2, and coefficient; what are they?
– exponent1: dP
– exponent2: dQ
– coefficient: qInv
– RSA decryption and signature generation use CRT and run about 4 times faster
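The following is an added example written for this page, not code from the lecture series: textbook RSA (Episode 13) together with the CRT speed-up of Episode 14, using the same parameter names an openssl RSA private key file prints (exponent1 = dP, exponent2 = dQ, coefficient = qInv). The primes 1000003 and 999983 are small constructed toy values so the numbers stay readable; real keys use primes of 1024 bits or more. No padding is applied, so this is the "textbook" scheme whose weaknesses Episode 15 discusses, not something to deploy.

```python
"""Added example (not the lecture's own code): textbook RSA plus the CRT
speed-up, with openssl's naming: exponent1 = dP, exponent2 = dQ,
coefficient = qInv. Toy primes, no padding: for study only."""
import hashlib
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Build n, e, d from two primes p, q (toy sizes here)."""
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                # private exponent: e*d = 1 (mod phi)
    return {"n": n, "e": e, "d": d, "p": p, "q": q}


def crt_params(key):
    """The three extra values openssl stores so the private operation can use the CRT."""
    p, q, d = key["p"], key["q"], key["d"]
    return {
        "dP": d % (p - 1),             # exponent1
        "dQ": d % (q - 1),             # exponent2
        "qInv": pow(q, -1, p),         # coefficient: q^-1 mod p
    }


def encrypt(m, key):
    return pow(m, key["e"], key["n"])


def decrypt(c, key):
    """Plain private-key operation: one full-size modular exponentiation."""
    return pow(c, key["d"], key["n"])


def decrypt_crt(c, key, crt):
    """Same result via two half-size exponentiations (mod p and mod q) plus
    Garner's recombination; this is where the roughly 4x speed-up comes from."""
    p, q = key["p"], key["q"]
    m1 = pow(c % p, crt["dP"], p)      # m mod p
    m2 = pow(c % q, crt["dQ"], q)      # m mod q
    h = (crt["qInv"] * (m1 - m2)) % p
    return m2 + h * q


def sign(message: bytes, key, crt=None):
    """Textbook signature: private-key operation on the message hash (reduced
    mod n only because the toy n is smaller than a SHA-256 digest)."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % key["n"]
    return decrypt_crt(h, key, crt) if crt else decrypt(h, key)


def verify(message: bytes, sig, key):
    """Public-key operation must reproduce the message hash."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % key["n"]
    return pow(sig, key["e"], key["n"]) == h


if __name__ == "__main__":
    key = rsa_keygen(1000003, 999983)  # toy primes, constructed for this example
    crt = crt_params(key)
    c = encrypt(123456789, key)
    print(decrypt(c, key), decrypt_crt(c, key, crt))   # both 123456789
    s = sign(b"hello", key, crt)
    print(verify(b"hello", s, key))                   # True
```

With `openssl rsa -in key.pem -text -noout` you can read off the same five private values (privateExponent, prime1, prime2, exponent1, exponent2, coefficient) and check them against `crt_params` for a real key; the CRT path is also why leaking p or q alone is enough to reconstruct everything.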

ERRATA:
1) At 3:42 instead of saying “hash of the message”, by mistake I said “hash of the signature”.
2) At 14:59, instead of dP, by mistake I said dQ for exponent1.

Episode-15 (15 March 2018 – SGT)
Duration: 30m38s

This episode is about RSA security. Due to lack of time, we will only discuss a few attack types.

– RSA problem
– e-th root
– modulus factorization
– given p and q, how to break RSA
– comparing the security of RSA vs symmetric algorithms (e.g. RSA-2048 vs AES-128)
– NIST 2016 recommendations for RSA security
– security bottleneck when you use RSA in SSL/TLS
– avoiding weak primes
– attack based on small “e”
– need for adding random padding with the message
– forward search attack
– attack based on small “d”
– RSA multiplicative property
– exploiting multiplicative property for adaptive chosen ciphertext attack
– common modulus attack
– RSA unconcealed messages

Episode-16 (16 March 2018 – SGT)
Duration: 39m32s

In this episode we discuss the SSL record layer, the outermost layer in SSL/TLS.

– the job of SSL record layer
– record layer header: type, version, length
– record layer data
– breaking application data into multiple SSL records
– breaking a single SSL record into multiple TCP segments
– reassembling SSL records spanning multiple TCP segments
– reassembling application data spanning multiple SSL records
– single TCP segment containing multiple SSL records
– client and server side sequence number
– purpose of using sequence number
– output of record layer may contain only plaintext
– record layer data types:
* Handshake Data (handled by Handshake Protocol)
* ChangeCipherSpec Data (handled by ChangeCipherSpec Protocol)
* Application Data (handled by Application Data Protocol)
* Alert Data (handled by Alert Protocol)
– TLS version negotiation using ClientHello and ServerHello
– difference between non-AEAD and AEAD ciphers
– how the record layer does encryption and MAC for stream/block/AEAD ciphers
– concept of MAC-then-encrypt
– concept of producing ciphertext and authentication tag in one go (in AEAD ciphers)
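To make the record-layer framing concrete, here is an added example (not code from the lecture): a minimal TLS record reassembler that consumes TCP payload as it arrives and yields complete records. It handles the two cases the episode lists, a record split across two TCP segments and several records inside one segment, and it keeps the implicit per-direction sequence number (never sent on the wire, but counted by both ends and fed into the MAC/AEAD so a reordered or replayed record fails verification). The sample bytes are constructed by hand, not a real capture.

```python
"""Added example (not from the lecture): TLS record-layer reassembly over a
stream of TCP segments. Sample stream is constructed, not captured."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HEADER_LEN = 5                       # type(1) + version(2) + length(2)
MAX_RECORD = 2**14 + 2048            # TLS 1.2 ciphertext limit per record


class RecordReassembler:
    """One instance per direction of a connection."""

    def __init__(self):
        self.buf = bytearray()       # bytes not yet forming a whole record
        self.seq = 0                 # implicit 64-bit sequence number, starts at 0

    def feed(self, segment: bytes):
        """Append one TCP segment's payload; return every complete record now
        available as (seq, content_type, version, body)."""
        self.buf += segment
        out = []
        while len(self.buf) >= HEADER_LEN:
            ctype, version, length = struct.unpack("!BHH", self.buf[:HEADER_LEN])
            if ctype not in CONTENT_TYPES:
                raise ValueError(f"unknown content type {ctype}")
            if length > MAX_RECORD:
                raise ValueError("record_overflow")   # what a peer would alert with
            if len(self.buf) < HEADER_LEN + length:
                break                # record continues in a segment not yet received
            body = bytes(self.buf[HEADER_LEN:HEADER_LEN + length])
            del self.buf[:HEADER_LEN + length]
            out.append((self.seq, CONTENT_TYPES[ctype], version, body))
            self.seq += 1            # one per record, per direction
        return out


def make_record(ctype, body, version=0x0303):
    """Build a record the way the sending record layer does (header + fragment)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample stream: a 7-byte handshake fragment followed by 5 bytes of
# application data, delivered in two TCP segments split inside the first record.
STREAM = make_record(22, b"\x01\x00\x00\x03abc") + make_record(23, b"hello")
SEGMENTS = [STREAM[:7], STREAM[7:]]


def demo():
    """Return the list of records produced by each segment in turn."""
    r = RecordReassembler()
    return [r.feed(seg) for seg in SEGMENTS]


if __name__ == "__main__":
    for i, recs in enumerate(demo()):
        print(f"segment {i}: {recs}")
```

The first segment yields nothing because the handshake record is incomplete; the second yields both records at once. In a real implementation the body would go to the MAC/decryption step (with `seq` as input) before being handed to the handshake, alert or application-data protocol named in the content type.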

Episode-17 (17 March 2018 – SGT)
Duration: 41m21s

– purpose of TLS_NULL_WITH_NULL_NULL cipher suite
– TLS compression
– TLS extensibility
– TLS ContentType registry (IANA)
– Handshake Protocol: ClientHello
– ClientHello header: type, version, length
– client random
– Session ID
– Cipher Suite: format, various examples
– anonymous cipher suite
– signalling cipher suite
– role of MAC/PRF in cipher suite: when it is MAC, when it is PRF
– compression method: null
– TLS extension details in ClientHello
– Handshake Protocol: ServerHello
– server random
– Session ID to use for the purpose of session resume
– selected cipher suite
– supported TLS extensions

Episode-18 (20 March 2018 – SGT)
Duration: 34m33s

– SSL Authentication
– cert vs non-cert based authentication
– Public Key Infrastructure (Internet PKI, PKIX WG)
– PKI concepts: subscriber, relying party
– Server Auth using certificates
– RSA can be used for KeyEx and AuthN
– How RSA keyex+authN works using Certificate, CertificateKeyExchange and FINISHED message
– Certificate Signing Request (CSR)
– Registration Authority (RA/LRA)
– Certification Authority (CA)
– root CA, intermediate CA
– Cross Certification
– X.509v3
– ASN.1
– BER, DER, PEM format
– certificate chain
– certificate path (towards root CA)
– certificate chain depth
– self-signed cert
– cert discussion will continue in next episode

Episode-19 (22 March 2018 – SGT)
Duration: 1h9m42s

This episode consists entirely of demos using openssl. Sorry, I tried to keep it under 30 min by removing several topics from my agenda, but it still ended up at over an hour.

– observe certificate chain and depth
– observe a cross-certified root CA (see the difference in depth compared to a self-signed root CA)
– multiple certificate path to reach root CA
– how to build a trusted CA bundle using a “go” routine from the Mozilla trusted root store
– purpose of -CAfile, -CApath
– default directory where openssl will look for trusted root certs/store
– how to find this directory
– what does “unable to get local issuer certificate” mean?
– purpose of Subject Key Identifier
– observe self-signed certificate (subject=issuer)
– Distinguished Name in subject/issuer field
– purpose of CN vs SAN (Subject Alternative Name)
– wildcard cert
– view the http://www.google.com certificate using openssl and observe all the different X.509v3 fields in it one by one, and what they mean
– how to connect using a particular TLS version?
– how to connect using a particular cipher suite?
– how to show all certs in the chain?
– the same server can support multiple types of cert to handle different authentication algorithms (e.g. one for RSA, one for DSA, one for ECDSA, one for EdDSA)
– cert type and CA signature algorithm can differ (e.g. a cert containing an ECDSA public key signed by the CA using RSA)

Episode-20 (14 Nov 2021 SGT)
Duration: 24m46s

In this episode, we learn about Diffie-Hellman Key Exchange in detail.

– who invented DHKE?
– how does it work?
– DH static and DH ephemeral
– issues with DHKE
– FFDHE
– TLS supported_groups extension

Episode-21 (15 Nov 2021)
Duration: 10m29s

In this episode we work through a numerical example of DH key exchange and also look at a real packet capture to observe the different values involved in a DHE key exchange. We also briefly cover the Discrete Logarithm Problem and how DHKE security rests on the DLP being infeasible to solve in our lifetime, provided a very large prime p (e.g. 2048 bits or higher) is used.

Episode-22 (28 Nov 2021)
Duration: 39m21s

In this episode we learn why some servers reuse the DH domain parameters g and p, and see a demo of certain servers reusing the private key (and hence the public key). We also see what is meant by ephemeral keys, with a demo of how to turn on ephemeral behaviour (using F5 BIGIP as the example), and observe the DH ephemeral behaviour on a Windows 2012 R2 server. We also learn the concept of Perfect Forward Secrecy (PFS) and why RSA should no longer be used for key exchange. Finally, we see a demo of how much time it takes to generate the Diffie-Hellman domain parameters (g and p).
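The following added example (written for this page, not the lecture's own code) covers both the numerical DH walk-through of Episode 21 and the static-versus-ephemeral key discussion of Episode 22. It uses the constructed textbook toy group p = 23, g = 5 with the classic private values a = 6 and b = 15, brute-forces the discrete log to show what "large p" buys you, and contrasts a server that reuses one DH private key across sessions with DHE, where a fresh key is drawn and discarded each time. A real TLS deployment uses a named group such as ffdhe2048 negotiated via the supported_groups extension, never a toy prime.

```python
"""Added example (not the lecture's own code): toy finite-field Diffie-Hellman,
brute-force DLP, and static vs ephemeral keys (forward secrecy)."""
import secrets

P, G = 23, 5   # toy domain parameters, constructed; a 5-bit prime is for study only


def dh_public(priv, p=P, g=G):
    return pow(g, priv, p)


def dh_shared(peer_pub, priv, p=P):
    return pow(peer_pub, priv, p)


def exchange(a_priv, b_priv, p=P, g=G):
    """One full exchange; returns (A, B, shared) after checking both sides agree."""
    A, B = dh_public(a_priv, p, g), dh_public(b_priv, p, g)
    s_a, s_b = dh_shared(B, a_priv, p), dh_shared(A, b_priv, p)
    if s_a != s_b:
        raise RuntimeError("sides disagree: parameters are not a valid group")
    return A, B, s_a


def brute_force_dlp(pub, p=P, g=G):
    """Solve g^x = pub (mod p) by trial. This is the discrete logarithm problem;
    the search space doubles with every bit of p, which is why p is 2048 bits+."""
    for x in range(1, p):
        if pow(g, x, p) == pub:
            return x
    return None


def random_priv(p=P):
    return secrets.randbelow(p - 2) + 1      # uniform in 1 .. p-2


def static_server_sessions(server_priv, client_privs, p=P, g=G):
    """Server keeps one DH private key across sessions (what Episode 22 observes).
    Returns the per-session (client_pub, shared_secret) pairs a sniffer could see
    the public half of."""
    out = []
    for c in client_privs:
        C, _, shared = exchange(c, server_priv, p, g)
        out.append((C, shared))
    return out


def recover_past_secrets(leaked_server_priv, client_pubs, p=P):
    """With a recorded transcript (client publics) and the static key obtained
    later, every past session secret is recomputable: no forward secrecy."""
    return [dh_shared(C, leaked_server_priv, p) for C in client_pubs]


def ephemeral_session(p=P, g=G):
    """DHE: both sides draw a fresh private key, use it once and discard it, so
    a later compromise of long-term keys reveals nothing about this session."""
    a, b = random_priv(p), random_priv(p)
    _, _, shared = exchange(a, b, p, g)
    del a, b
    return shared


if __name__ == "__main__":
    print(exchange(6, 15))            # (8, 19, 2): A = 5^6, B = 5^15, s = 2 (mod 23)
    print(brute_force_dlp(8))         # 6: Alice's private key recovered from A
    past = static_server_sessions(15, [6, 3, 9])
    print(recover_past_secrets(15, [C for C, _ in past]) == [s for _, s in past])
    print(ephemeral_session())        # differs from run to run
```

The static-key path is exactly the risk PFS addresses: `recover_past_secrets` needs nothing but the recorded handshakes and one later key compromise, which is also why RSA key transport (where the premaster secret is encrypted to the server's long-term key) has the same weakness. In a capture, a server that reuses its key shows the same ServerKeyExchange public value across connections.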

ERRATA:
In one of the past episodes, I made a wrong statement that 3DES was one of the algorithms submitted to the AES competition. This is a mistake. There were 15 algorithms (Rijndael, MARS, RC6, Serpent, Twofish, CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, SAFER+) submitted to the AES competition, but 3DES is not one of them. 3DES was in use long before AES was finalized. When people found that DES was theoretically broken, they immediately needed an interim solution (until a more secure 128-bit block cipher was ready, which came later in the form of AES) and hence decided to use 3DES (basically 3 rounds of DES). Sorry for my mistake in that episode. I am human 🙂 (and learn from mistakes).