Oct 02, 2019 SSL/TLS works by binding the identities of entities such as websites and companies to cryptographic key pairs via digital documents known as X.509 certificates.Each key pair consists of a private key and a public key.The private key is kept secure, and the public key can be.
Major updates were introduced in the TLS 1.3 protocol. To take advantage of the security updates within the TLS 1.3 protocol, updates are required to your System SSL application.
TLS 1.3 includes the following updates:
Required Updates to Enable TLS 1.3If an existing z/OS System SSL application is being updated to support TLS 1.3, there are required updates. If the application supports parsing environment variables, they can be set to enable TLS 1.3. Otherwise, the application will need to be updated to call the System SSL gsk_attribute_set_**() routines.Enabling TLS 1.3 In Ssl Tls Who Generates The Session Key In ExcelTo enable TLS 1.3, set the new GSK_PROTOCOL_TLSV1_3 setting to ON.Cipher specifications TLS 1.3 introduced new ciphers that are only supported in TLS 1.3. Existing TLS 1.2 and prior ciphers are not supported in TLS 1.3. System SSL applications must programmatically enable support for 4-character ciphers by invoking gsk_attribute_set_enum() with GSK_V3_CIPHERS and GSK_V3_CIPHERS_CHAR4 values. Because the new TLS 1.3 ciphers were not added to the default cipher list, the GSK_V3_CIPHER_SPECS_EXPANDED setting must be updated to specify at least one of the new cipher specifications. The new cipher specifications are listed in Table 1. Table 1: New TLS 1.3 ciphers in System SSL ![]() In Ssl Tls Who Generates The Session Key ErrorKey sharesThe client and server sides each specify a key share group list with asymmetric groups. When the client attempts a TLS 1.3 handshake, it generates a public/private key pair for each supported group. The generated public values are put into the client’s initial handshake message. The server selects a group in common with the client’s groups and then generates its own public/private key pair for the selected group. The server takes its private value and the client’s public value to generate a shared secret, which is used to generate keys for encrypting and decrypting handshake messages. Likewise, the client generates the same shared secret with its private value associated with the server’s public value that is transmitted in the server’s initial handshake message. System SSL has two new settings, GSK_CLIENT_TLS_KEY_SHARES and GSK_SERVER_TLS_KEY_SHARES. They specify the key share groups that are supported within the client and server, respectively. The client or server-side settings are required when TLS 1.3 handshakes are attempted in that application. For the GSK_CLIENT_TLS_KEY_SHARES setting, keep the number of share key groups to a minimum. Public/private key pairs are generated for each key share group, which can be computationally expensive and might impact performance. For the GSK_SERVER_TLS_KEY_SHARES setting, you should list all desired supported key share groups to allow as many TLS 1.3 clients to successfully establish a secure connection. Table 2: Supported key share groups Supported certificate types In Ssl Tls Who Generates The Session KeysAs documented in the TLS 1.3 standard, System SSL only supports RSA key sizes 2048 bits and larger and ECC keys 256 bits and larger. RSA keys with a PKCS #1 v1.5 signature or with an RSASSA-PSS signature are supported. TLS 1.3 no longer supports DSA or DH certificates. If these certificates are used in your environment, new RSA or ECC certificates must be obtained and installed in the certificate repository. Optional Considerations for Certain ConfigurationsDepending on the current configuration of the application, the following might need to be considered when you migrate the System SSL application to TLS 1.3.Supported groups or elliptic curves A client application may specify the list of supported groups or elliptic curves with the GSK_CLIENT_ECURVE_LIST setting. When TLS 1.3 is enabled, the default GSK_CLIENT_ECURVE_LIST setting appends 0029 (x25519) to the end of the list. If the GSK_CLIENT_TLS_KEY_SHARES setting specifies 0030 (x448), you must manually update the GSK_CLIENT_ECURVE_LIST setting to include 0030 so that the key share is sent to the server. Any groups that are specified in the GSK_CLIENT_TLS_KEY_SHARES must be reflected in the GSK_CLIENT_ECURVE_LIST. Signature and hash algorithms The GSK_TLS_SIG_ALG_PAIRS setting indicates the list of supported hash and signature algorithms for use in digital signatures of X.509 certificates and TLS handshake messages. When an RSA end entity certificate is used, the TLS 1.3 handshake messages must be signed with an RSASSA-PSS signature algorithm. When enabled for TLS 1.3, the GSK_TLS_SIG_ALG_PAIRS default setting now includes the three new RSASSA-PSS signature and hash algorithms at the end of the list. If an application specified a GSK_TLS_SIG_ALG_PAIRS setting, it must be updated to include at least one of the RSASSA-PSS signature algorithms when an RSA certificate is used. Table 3: New RSASSA-PSS signature algorithms In z/OS 2.4, System SSL introduced the GSK_TLS_CERT_SIG_ALG_PAIRS optional setting. It lists the supported hash and signature algorithms that can be used in digital signatures of X.509 certificates. If the GSK_TLS_CERT_SIG_ALG_PAIRS setting is specified, it overrides the GSK_TLS_SIG_ALG_PAIRS setting when the X.509 certificate signature algorithm is checked. TLS 1.3 Session Key UpdatesTLS 1.3 no longer supports renegotiation to update session keys. Instead, it performs session key updates by exchanging a keyUpdate protocol message.The local application can update its write key by calling gsk_secure_socket_misc() with a GSK_RESET_CIPHER value. A keyUpdate protocol message is then sent to notify the peer to update its read key. If the peer decides to update its write key, it responds with its own keyUpdate message, which then updates the local application’s read key. With TLS 1.3, you can update the local application’s write key (peer’s read key) by calling gsk_secure_socket_misc() with a GSK_RESET_WRITE_CIPHER value. TLS 1.3 Session ResumptionIn previous protocols, the client and server sides each maintained a session ID cache. When a client attempted to reestablish a previous connection, its cache was queried to obtain the session ID to put into the initial handshake message. When the server received the session ID, it queried its own cache to determine whether it existed and whether the connection parameters were the same. If they were the same, the server retrieved the previous connection state from its cache and indicated its acceptance by putting the same session ID in its initial handshake message that was sent to the client.In TLS 1.3, the server no longer maintains session state in a cache. After a successful TLS 1.3 handshake, the server optionally sends a session ticket, which contains an encrypted data block of the TLS 1.3 session information, to the client. The client stores any received session tickets in its cache. When the client attempts to reestablish a previous TLS 1.3 connection, it queries the cache to obtain a valid session ticket and attaches it to the client’s initial handshake message, which the server attempts to decrypt. If the session ticket is successfully decrypted and is still valid, the server resumes the previously established connection and indicates a successfully resumed session in its initial handshake message. If the session ticket cannot be decrypted or is no longer valid, a full TLS 1.3 handshake is attempted underneath the covers. There are new session ticket settings for the client:
Take Advantage of TLS 1.3 UpdatesTo accompany the TLS 1.3 updates done in System SSL, Application Transparent—TLS (AT-TLS) was updated to support TLS 1.3 in its policy definitions.Major updates were introduced in the TLS 1.3 protocol. To take advantage of the security updates within the TLS 1.3 protocol, updates are required to your System SSL application. For more information about the AT-TLS updates, see “z/OS Communications Server: IP Configuration Guide.” See “z/OS Cryptographic Services System SSL Programming” for more information about System SSL.
SSL stands for Secure Sockets Layer and was originally created by Netscape. SSLv2 and SSLv3 are the 2 versions of this protocol (SSLv1 was never publicly released). After SSLv3, SSL was renamed to TLS.
TLS stands for Transport Layer Security and started with TLSv1.0 which is an upgraded version of SSLv3.
Those protocols are standardized and described by RFCs.
OpenSSL provides an implementation for those protocols and is often used as the reference implementation for any new feature.
The goal of SSL was to provide secure communication using classical TCP sockets with very few changes in API usage of sockets to be able to leverage security on existing TCP socket code.
SSL/TLS is used in every browser worldwide to provide https ( http secure ) functionality.
The latest standard version is TLSv1.2 http://tools.ietf.org/html/rfc5246, while the upcoming TLS v1.3 is still in the draft stage.
Connection-less support is provided via DTLS.
Those protocols are configurable and can use various ciphers depending on their version.
Security[edit]
Besides implementation problems leading to security issues, there is security inherent to the protocol itself.
It is recommended to run TLSv1.0, 1.1 or 1.2 and fully disable SSLv2 and SSLv3 that have protocol weaknesses.
For the very same reason it is recommended to control protocol downgrade.
POODLE : SSLv3 harmful[edit]versions tricks[edit]SCSV[edit]
Signaling cipher suite value (SCSV), i.e., it does not actually correspond to a suite of cryptosystems.Its presence is used to signal some facts or contextual information allowing it to not break existing implementations that just ignore this unsupported cipher suite.
SCSV was created with TLS_EMPTY_RENEGOTIATION_INFO_SCSV in rfc5746 draft. http://tools.ietf.org/html/rfc5746#section-3.3Usage of a cipher suite value is explained by the fact that some SSLv3 and TLSv1.0 implementations fail to ignore extensions that they do not support, so using a cipher suite allows the bypass of these implementation problems.
openssl : SSL3_CK_SCSV
openssl : SSL3_CK_FALLBACK_SCSV
Handshake[edit]
A connection always starts with a handshake between a client and a server. This handshake is intended to provide a secret key to both client and server that will be used to cipher the flow.
In fact a master secret is obtained from the handshake from which the secret key is derived. In OpenSSL this master_secret is kept within the SSL Session SSL_SESSION.
The initial handshake can provide server authentication, client authentication or no authentication at all.
Default usage in HTTPS is to verify server authenticity with trusted Certificate Authorities known by the browser.
A quick presentation for a classical TLS handshake ( RSA, without Session tickets and without client authentication ) under CC BY license http://blog.artisanlogiciel.net/public/tech/classical_handshake.odp feel free to improve it.
Cipher Suites[edit]
What TLS 1.2 rfc says :
So basically server has the decision choice and does not provide a list of its own ciphersuites but just the selected one
What are best ciphersuites to choose ?
An interesting hint here: http://zombe.es/post/4078724716/openssl-cipher-selection
Not much more than what is told for 'How cipher suites are negotiated?'
So it is implementation dependent. In openssl there are two modes:
Manual:SSL_CTX_set_cipher_list(3) where string cipher parameter is described in Manual:ciphers(1)
Session Resumption[edit]
Since the handshake uses public key cryptography heavily and this is CPU intensive compared to symmetric ( secret key ) cryptography, the protocol provides ways to reuse existing credentials to reissue new secret keys for new connections ( new TCP connections ) or to renew existing connections.
Browsers use this heavily when connecting to https sites since they open multiple connections to the same site at a time. The first connection does the handshake while all the others use a quick handshake (can be named resumed, abbreviated or restart handshake) allowing saving for both client and server CPU.
RFC 2246, section 7, p. 23
This explains difference the between an OpenSSL SSL Connection ( SSL ) and an SSL Session ( SSL_SESSION ) , each SSL Connection runs on its TCP connection and can share the same SSL Session with other SSL connections.
( to obtain session from connection use function : SSL_SESSION *SSL_get_session(const SSL *ssl) )
Renegotiation[edit]
On a Ssl connection a renegotiation can occur to request for new cipher suites or key materials.
To renegotiate :
a Client will send a ClientHello over its existing SSL connection
a Server will send a HelloRequest and expects Client to renegotiate with a ClientHello in very short time.
Server renegotiation ( without resumption ):
To use both renegotiation and resumption use : SSL_renegotiate_abbreviated(con) which won't request to recreate a new session ( since 1.0.1 ).
It created a vulnerability that was addressed by TLS extension to notify server whenever a connection is renegotiating and allows to verify it is legit.
This is RFC5746 'Transport Layer Security (TLS) Renegotiation Indication Extension' http://tools.ietf.org/html/rfc5746 to perform Secure Renegotiation
TLS Extensions[edit]Server Name Indication[edit]
SNI Extension from RFC 3546, Transport Layer Security (TLS) Extensions.
Allows a client to specify at the very beginning of the handshake what server name it wants to connect to.
This is very useful for a web server that serves multiple domains but doesn't have a wildcard certificate or a certificate containing a full list of supported domains.
In this case the server can learn from the client what Certificate the client expects to receive.
See how a C program can use Libssl API and provide SNI information with SSL_set_tlsext_host_name See example in SSL/TLS_Client
Server Authentication[edit]Server Certificate[edit]
This is Public Key Certified by a Certificate with Trust from the client. Trust from the client can be done automatically with Certificate Authority trust.
It is crucial that clients check the Server Certificate against the expected hostname Hostname_validation
No Authentication Aka Anonymous[edit]
Even if it look like is a strange idea, it is possible to select cipher suite that does not provide any server authentication but still provide confidentiality.
Selecting string cipher aNULLManual:ciphers(1) allows to select such cipher suite. Remark this is not same a eNULL that provides no confidentiality at all.
Anonymous Diffie_Hellman exchange (DH) and Anonymous Elliptic Curves Diffie Hellman Exchange (ECDH) methods provide this anonymous authentication.
Client Authentication[edit]
Client authentication is optional. In many cases the client does not authenticate at the ssl layer, but rather with the usage of protocols above ssl, for example with HTTP authentication methods.
Client Certificates[edit]
Server can send a Certificate Request with digest algorithms and a list CA Distinguished names which will be used by the client to select the Client Certificate it will send.
Client send its Client Certificate first then all intermediate Certificates, if any, up to the CA ( optionally excluded ).
The Client sends a Certificate Verify that is signed by the private key counterpart of its Client public key included in the Certificate with digest algorithm over whole handshake messages so far ( excluding this one of course ).
This proves that this client owns the private key that applies to this specific handshake and hence authenticates the client for this session.
Alternate Authentication Methods[edit]Public Key Certificate[edit]
This is the most commonly used method. With X509 Certificates and Certficate Authorities.
It applies To Server Certificate or to Client Certificate authentication.
Depending on CipherSuite, for Server Public Key can be used to derive pre-master-key.
Pre-Shared Keys[edit]
TLS PSK Pre Shared Key
Kerberos[edit]Password[edit]
TLS SRP : Secure Remote Password. Allows authentication with a password over TLS.
Supported by OpenSSL with version 1.0.1.
RFC5054
TLS SRP is negotiated with various ciphersuites, currently all use SHA to compute SRP.
With SRP trust is based on the fact that both parties should know the password ( or Password Verifier ) to complete the SRP Verify Handshake.
It is possible to use RSA or DSS additionaly to prove Server identity with Certificates.
In Ssl Tls Who Generates The Session Key Studio
Retrieved from 'https://wiki.openssl.org/index.php?title=SSL_and_TLS_Protocols&oldid=2606'
Comments are closed.
|
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |