-
-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an Understanding TLS chapter #4
base: master
Are you sure you want to change the base?
Conversation
Force or IETF, is an organisation that publishes many of the standards relevant | ||
to SSL/TLS. The standards are published in the form of documents known as RFCs. | ||
The most significant of these from our perspective are RFC6101 (SSL3.0), | ||
RFC2246 (TLS1.0), RFC4346 (TLS1.1) and RFC5246 (TLS1.2)} and was renamed to TLS |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems TLS1.3 could be added here.
And for a starter, he/she might feel confused about why SSL3.0 RFC number is greater than all TLS RFC numbers, would it be better if a footnote is added here to explain the RFC6101 is a 'historical record'?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, I added it as RFCXXXX. It'll need to be filled in when its published.
This text is actually already in a footnote...so a footnote to a footnote seems to be going a bit far? ;-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ahh, didn't notice it's in footnote...
Identity is established through the use of a \emph{digital certificate}. The | ||
digital certificate provides public data about a server for which it is issued. | ||
For example, the certificate will contain the hostname(s) for which it is | ||
valid. In order to obtain a certificate a server operator must first create a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since the CA is going to be talked about in following paragraph, I guess this sentence could be adjust a little. Because nowadays it's common for server operators get their [private key + certificate] together from the CA via some cloud computing platforms, with one-button-click...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So readers might be confused about: why I don't need to prepare a pair of pub/priv keys and I can still get them from a certificate seller? :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because nowadays it's common for server operators get their [private key + certificate] together from the CA via some cloud computing platforms, with one-button-click...
I did not know that. Interesting. I added this sentence a little further down:
"Some cloud computing platforms provide the capability to generate a private key
and a CA issued certificate in a single operation as part of the cloud service."
Does that cover it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I think this is fine.
Both the digital certificate, and the associated private key are installed on | ||
the SSL/TLS server. When a client accesses the server, the server will send | ||
its certificate back to the client. In order for authentication to be | ||
successful the client must verify two things: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems there should be the 3rd thing to verify: the identity the server declaims is matched with the certificate, specifically the CN field?
E.g., Alice wants to connect to aaa.com, and Eve hijacks the traffic to bbb.com which domain is owned by Eve so she can have the valid bbb.com certificates and corresponding private key, if Alice doesn't check the CN of the certificate she gets, tragedy happens....
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. I added that.
As mentioned above it is also possible for the server to authenticate the | ||
client as part of the SSL/TLS protocol. If this capability is used then it works | ||
in a very similar way to that described above. The primary difference is that | ||
the client will also have to create a private/public key pair and obtain a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess this could also need to consider the scenario without key generation by users. Same as above discussion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmmm...maybe...but this seems less likely to be automated by a cloud provider? If someone is planning on setting up a client auth infrastructure then they're going to need to have a really good understanding on what is really happening.
length input data and output a fixed length ``hash'' value that exhibits | ||
certain security properties (including that it is not possible to derive the | ||
input data from the hash output). Alternatively, integrity could be provided by | ||
a \emph{mode} of the underlying encryption cipher. Modes are a complex topic, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should mode be notified in the 'Encryption' section above? 'Modes' sounds more like to use defined due to symmetric ciphers....
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right - but in the context of SSL/TLS, we're only really interested in whether the mode provides integrity or not. So in my mind it seems to sit better here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, that's also rational.
I made some updates to take account of TLSv1.3 in a few places. Also various updates for @InfoHunter's comments. |
Makefile
Outdated
@@ -11,7 +11,8 @@ EXE= | |||
|
|||
BOOKELEMS= openssl-book.tex | |||
|
|||
all: openssl-book.pdf | |||
all: openssl-book.pdf \ | |||
tls/understand-tls/understand-tls.tex |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm? Shouldn't it rather be added in BOOKELEMS
above? And foundations/about/about.tex
should as well, yeah?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, yeah. You're right - good catch. Fixed.
I added some new content on sessions and key updates. Taking this out of WIP. Please review! |
to perform a \emph{renegotiation}. This is a new handshake on an already | ||
existing connection. The new handshake can be full, or it could be abbreviated | ||
using previously saved session information (such as from the original | ||
handshake). A renegotiation handshake is not allowed in TLS 1.3. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure if it's necessary to mention a bit here that the renegotiation
is not secure and thus in TLS 1.3 it's obsolete by the new mechanism.
And also, this paragraph, it sounds like the renegotiation is only the alternative for key update, but it seems renegotiation has other usages like force-a-client-authentication...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added some more text at the end to cover this.
Mention previous security issues with reneg, and also its use to force client authentication.
Ping @openssl/committers for review. |
to SSL/TLS. The standards are published in the form of documents known as RFCs. | ||
The most significant of these from our perspective are RFC6101 (SSL3.0), | ||
RFC2246 (TLS1.0), RFC4346 (TLS1.1), RFC5246 (TLS1.2) and RFCXXX (TLS1.3)} and | ||
was renamed to TLS (Transport Layer Security). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what year?
is shown in figure \ref{fig:typical-hand}. | ||
|
||
\begin{figure}[t] | ||
\fbox{\includegraphics[width=0.9\textwidth]{tls/understand-tls/typicalhand.pdf}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Think this graphic needs a indicator for time. Like an arrow on the right side which points downwards?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This depicts an initial connection of TLS, not an entire session right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a time indicator.
This depicts an initial connection of TLS, not an entire session right?
Correct (this whole section describes the initial handshake, as explained in the text)
is shown in figure \ref{fig:typical-hand}. | ||
|
||
\begin{figure}[t] | ||
\fbox{\includegraphics[width=0.9\textwidth]{tls/understand-tls/typicalhand.pdf}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This depicts an initial connection of TLS, not an entire session right?
|
||
A typical ClientHello contains: | ||
\begin{itemize} | ||
\item The highest protocol version supported by the client or, for TLS 1.3, a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be helpful if these bullet points were numbered. Then the graphic could be labeled and described better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Disagree. This bullet point list describes just the initial ClientHello. As such they all apply to the very first arrow on the diagram - so I don't think it would be helpful to add additional labels to the diagram.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, gotcha
using previously saved session information (such as from the original | ||
handshake). | ||
|
||
There have been historic security issues with renegotiation, and for that |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Worth linking to an example of the research/data for one of these?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a footnote with a reference
Also, makes a few other tweaks based on feedback received.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just some typo
application data is sent until the connection has been established and | ||
cryptographic parameters have been agreed. A MAC of the entire set of handshake | ||
messages is calculated and verified at the last step of the handshake process. | ||
In this way, even though inidividual records do not have integrity protection, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
inidividual
|
||
The initial exchange of messages during which cryptographic parameters are | ||
exchanged is known as the \emph{handshake}. While making the initial connection | ||
no crypotgraphic parameters will have yet been agreed. Therefore there is no |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
crypotgraphic
Having obtained a private/public key pair a server operator must obtain their | ||
certificate from a \emph{Certificate Authority} (CA)\footnote{CAs can be | ||
privately run and purely internal to an organisation; or they could be public. | ||
Which type is most appropriate will depend on what the certificte will be used |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
certificte
A group of algorithms combined in this way is known as a \emph{ciphersuite}. | ||
There are many different ciphersuites that are available\footnote{At the time | ||
of writing OpenSSL 1.1.0 supports 168 different ciphersuites}. Each | ||
ciphersuite identifies a set of algorithms that it will use to satsify the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
satsify
between both ends of the communication and must be \emph{private} to prevent an | ||
eavesdropper from being able to decrypt messages. Key exchange algorithms solve | ||
the problem of how two parties will agree on a key without enabling an | ||
eavedropper to work out what it is. Examples of algorithms that are used for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/eavedropper/eavesdropper
information: | ||
\begin{itemize} | ||
\item The ciphersuite name such as \lstinline!ECDHE-ECDSA-AES256-CCM8!. | ||
\item The earliest protcol version that the ciphersuite is available from. Note |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
protcol
In this way, even though inidividual records do not have integrity protection, | ||
the handshake as a whole does. | ||
|
||
Handshake messages are transmitted between the client and server in rec-ords. A |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rec-ords ?
Stills needs some content on sessions and resumption