TLS Protocol Flashcards
Static vs ephemeral DH
Static DH: always uses the same private DH key
EDH: uses a new private DH key for every new connection -> forward secrecy
Same for ECDH and ECDHE
RSA authentication
- client checks validity of certificate (follow cert. chain to root of trust)
- use the public key extracted from the cert to authenticate the private-key-signed message
- encrypt the premaster secret with the public key -> only the server knowing the private key can decrypt it.
QUESTION: Replay attack knowing nonce
Cannot decrypt the message, but can replay it to trigger non-idempotent operations (like transferring money)
Explain the structure of the cipher suite TLS_DH_WITH_AES_256_CBC_SHA
DH: Key exchange
AES_256_CBC: encryption
SHA: MAC
Problematic ciphers: key exchange
DH, DH_anon, ECDH -> no forward secrecy, no auth
RSA -> no forward secrecy
Problematic ciphers: encryption
Block ciphers are ill-advised: CBC: padding oracle attack: POODLE
DES: not secure
Problematic MAC algorithms
SHA: not collision resistant
MD5: broken
Role of ClientFinished / ServerFinished
ClientFinished = PRF(ms, transcript): used to compare views of the protocol, prevents downgrade attacks
Role of nonce in ClientHello
Used to prevent replay attacks. An attacker that can guess the nonce can replay a handshake with the same nonce
Main Goals of TLS Handshake
- Protects negotiation of all cryptographic parameters (TLS version number, algorithms etc)
- Provides Authentication of server (usually) / client (rarely)
- Establishes keys used in record protocol -> master secret, and derive all other keys from that
Draw RSA vs DH based key establishment protocol
slides 03-tls 14/15
Authentication in DH
server certificate contains DH parameters -> authenticated
no forward secrecy because static
Draw TLS key derivation
03-tls 24
splitting up of key_block into components depends on cipher suite
Goal of record protocol
- data origin auth. and integrity (by MAC)
- confidentiality (by symmetric encryption)
- anti-replay using sequence numbers