Advanced Client Server Authentication in TLS Adam Hess Jared

Advanced Client/Server Authentication in TLS Adam Hess, Jared Jacobson, Hyrum Mills, Ryan Wamsley, Kent E. Seamons, Bryan Smith Internet Security Research Lab Brigham Young University http: //isrl. cs. byu. edu seamons@cs. byu. edu Network and Distributed System Security Symposium February 7 -8, 2002 San Diego, CA 1

Overview ¨ Motivation ¨ Trust negotiation protocol vs. strategy ¨ TLS client/server authentication ¨ Trust negotiation in TLS (TNT) protocol ¨ Future work ¨ Conclusions 2

Motivation: Trust Establishment ¨ Trust establishment between strangers in open system. – The client and server are not in the same security domain. – Identity is irrelevant to the access control decision. ¨ Access control is often based on attributes of the client or server other than identity. – Examples: citizenship, clearance, job classification, group memberships, licenses, client’s role within an organization, etc. 3

Digital Credentials ¨ A credential is the vehicle for carrying attribute information reliably. ¨ A credential contains attributes of the credential owner asserted by the issuer (attribute authority). ¨ Credentials may contain sensitive information and should be treated as protected resources. 4

Access Control Policies ¨ The disclosure of a sensitive credential is governed by an access control policy that specifies credentials that must be received from another party prior to disclosing the sensitive credential to that party. ¨ Policies themselves may be disclosed so that the participants can discover the requirements for establishing trust. ¨ Policies may be sensitive. – Support for sensitive policies using a policy graph (Seamons et al. , NDSS 2001). 5

Trust Negotiation ¨ The iterative exchange of digital credentials between two negotiation participants in order to gradually establish trust. – Begin by exchanging less sensitive credentials. – Build trust gradually in order to exchange more sensitive credentials. 6

Trust Negotiation Example Here’s my reseller I license. Iis to be request mya Here have credit card. But prove exemptcard credit from you are member of sales tax. number. Better Business Bureau first. Landscape Designer Show me your Here license reseller is my You are Better along with your qualified to be credit card Business exempt from number or your Bureau sales tax. CPN member Certificate. card. Champaign Prairie Nursery 7

Negotiation Protocol vs. Strategy ¨ Protocol – defines the ordering of messages and the type of information messages contain. ¨ Strategy – controls the exact contents of messages. – Which credentials to disclose and when to disclose them – Which credentials to request and when to request them – When to terminate a negotiation ¨ Goal: a single trust negotiation protocol capable of supporting multiple, interoperable negotiation strategies (Yu et al. , CCS 2001). – Negotiation strategy family - all strategies within a negotiation strategy family can interoperate. 8

Trust. Builder Trust Negotiation Architecture Trust. Builder Negotiation Strategy Negotiation Strategy Trust. Builder Protocol HTTPS TNT 9

Trust Negotiation Protocol Requirements ¨ Exchange credentials and policies ¨ Confidential communication to safeguard contents from an eavesdropper ¨ Verify credential contents ¨ Prove ownership of private keys 10

Trust Negotiation in TLS (TNT) ¨ TLS-based protocol for trust negotiation ¨ Result from an analysis of the SSL/TLS handshake protocol for its suitability as a protocol for trust negotiation. – TLS provides an option for client/server authentication using certificates – Goal: extend TLS client/server authentication to support trust negotiation 11

TLS Handshake Protocol using RSA Key Exchange Client Server Client. Hello Server. Hello Certificate. Request Server. Hello. Done Certificate Client. Key. Exchange Certificate. Verify Change. Cipher. Spec Finished 12

TLS Handshake Protocol Hello messages: Client Server Clien t. Hell o ello erver. H S 13

TLS Handshake Protocol Server certificate: Client Server C fic erti ifi Cert ate Req cate uest e o. Don Hell ver Ser 14

TLS Handshake Protocol Client certificate: Client Server Certif icate Client K ey. Exch ange Certif icate. V e rify 15

TLS Handshake Protocol Conclusion: Client Server Change Cipher Spec Finish ed Cipher Change Spec ed Finish 16

Limitations in TLS Authentication ¨ TLS client/server authentication has limitations for use in establishing trust between strangers. – Certificates are exchanged in plain text, allowing an eavesdropper access to sensitive certificates. – The client and server each disclose a single certificate chain to each other. – The server specifies a list of distinguished names of certifying authorities that the server trusts. In contrast, the client has no such opportunity. 17

Limitations in TLS Authentication – The server discloses its certificates before the client discloses a certificate. – The client always receives a certificate from the server before it must disclose a certificate. However, server certificate ownership is not established when the client certificate is disclosed. – There is no facility for requesting additional certificates from the client or server during the handshake. 18

Extend TLS Authentication to Support Trust Negotiation ¨ Extend the TLS handshake protocol to function as a trust negotiation protocol. ¨ TNT leverages existing and proposed features of the TLS handshake protocol. – Client hello and server hello extensions – TLS rehandshake – Session resumption 19

TLS Hello Message Extensions ¨ Currently, there is a proposal to the IETF to extend the hello messages such that a TLS client and server can communicate new capabilities to each other. ¨ TNT makes use of these extensions to indicate support for trust negotiation and to specify the trust negotiation strategy family to be used during the negotiation. – The client submits a list of possible negotiation strategy families, and the server responds with a single selection. 20

TLS Rehandshake ¨ In the context of an encrypted TLS session, either the client or the server may initiate a rehandshake. – The server desires further certificates from the client for purposes of authentication or authorization. – Cipher suite upgrading – Replenishment of keying material ¨ Trust negotiations involving sensitive credentials and policies must be conducted over a secure channel in order to remain confidential. The initial TLS handshake is not confidential. ¨ TNT is designed to occur in the context of a TLS rehandshake. 21

TLS Session Resumption ¨ Session resumption is an optimization that allows a client and server to resume a session without repeating expensive cryptographic operations. – The server maintains a cache of SSL session IDs and the master secret used to generate keying material. ¨ In TNT, once a trust negotiation succeeds during a rehandshake, the client and server conclude using the session resumption optimization, thus avoiding the need to establish a new master secret. – This same approach should be adopted in the TLS standard for any TLS rehandshake. 22

TNT Protocol Client Server Hello. Negotiation. Request Client. Hello Server. Hello Certificate * Overview: * Certificate. Verify Policy Server. Turn. Done + Certificate. Verify Policy Client. Turn. Done * * Negotiation. Done Change. Cipher. Spec Finished 23

TNT Protocol Hello messages: Client Server quest e iation. R lo. Negot Hel Client H ello e Server. H 24

TNT Protocol Server certificate: Client Server ate fic Certi * erify V icate ertif C y Polic * e rn. Don r. Tu Serve 25

TNT Protocol Client certificate: Client Server Certif icate Certi ficat e. Veri f y * Polic y Client Turn. Do ne * 26

TNT Protocol Negotiation: Client Server icate f Certi * y Verif icate f Certi y Polic * + one Turn. D erver S Certif icate Certi ficat e Verif y * Polic y Client Turn. Do ne * 27

TNT Protocol Conclusion: Client Server n. Done iatio Negot c er. Spe e. Ciph Chang hed Finis Chang e. Ciph e r. Spec Finis h ed 28

TNT Protocol Client Server Hello. Negotiation. Request Client. Hello Server. Hello Overview: Certificate * * Certificate. Verify Policy Server. Turn. Done + Certificate. Verify Policy Client. Turn. Done * * Negotiation. Done Change. Cipher. Spec Finished 29

Overcoming TLS Limitations ¨ TNT overcomes the limitations in TLS client/server authentication for use in establishing trust between strangers. – TNT is conducted within the scope of an encrypted TLS rehandshake. – The client and server can exchange multiple certificate chains during each round of a negotiation. – The TNT protocol allows either the client or server to disclose certificates first. 30

Overcoming TLS Limitations – The client and server have equal opportunity to disclose policies to one another to specify their trust requirements. – The client and server both send certificate verify messages to one another after disclosing a certificate to establish certificate ownership. – Client and server may request multiple certificates from each other. 31

TNT Implementation ¨ A prototype of TNT has been developed for the Trust. Builder architecture. – TNT implementation is an extension to the Java Pure. TLS toolkit developed by Eric Rescorla (see http: //www. rftm. com/). – Policy language and compliance checker is built using the IBM Trust Establishment system developed at the IBM Haifa Research Lab (RSA Security Conference 2001). 32

TNT Implementation Architecture Pure. TLS Client a RMI d Trust. Builder b, c Pure. TLS Server TNT d IBM Trust Establishment Module a d, e Key ( a ) Remote Certificates / Policies ( b ) Remote Certificates / Local Policies ( c ) Local Certificates / Remote Policies ( d ) Unlocked Local Certificates/ Policies ( e ) Authorization Decision Trust. Builder b, c d, e IBM Trust Establishment Module Certificates Policies Services 33

Conclusions ¨ TNT Trust Negotiation Protocol – TNT protocol extends the TLS handshake protocol to – – support trust negotiation, overcoming limitations in the current TLS handshake for establishing trust between strangers Support for confidential trust negotiation, credential verification, and verification of credential ownership Straightforward to implement by extending existing TLS implementations Provides robust experimental testbed for trust negotiation strategies Potential technology transfer path for trust negotiation 34

Future Work ¨ Interoperable trust negotiation strategies ¨ Trust Negotiation Protocol – HTTPS-based protocol using web servlet architecture – TLS handshake – IPsec authentication ¨ Client-initiated trust establishment ¨ Out-of-band trust negotiation architecture 35

36