Client Server Computing - Security Protocols

SSL

SSL is the secure sockets layer. This sits above TCP, and it is intended that other protocols such as telnet, http, etc can be layered on top of this.

SSL includes a handshake stage which is responsible for authenticating the server (and optionally the client), determining the encryption and hashing algorithms to be used, and exchanging keys. The handshake may use public keys.

Following the handshake stage, data may be transferred. It is always encrypted, using private key encryption (for speed).

The next sections are an extracted version of the SSL 3.0 protocol from http://home.netscape.com/eng/ssl3/3-SPEC.HTM

State

The session state includes the following elements:

session identifier
An arbitrary byte sequence chosen by the server to identify an active or resumable session state
peer certificate
X509.v3 certificate of the peer. This element of the state may be null.
compression method
The algorithm used to compress data prior to encryption.
cipher spec
Specifies the bulk data encryption algorithm (such as null, DES, etc.) and a MAC algorithm (such as MD5 or SHA). It also defines cryptographic attributes such as the hash_size.
master secret
48-byte secret shared between the client and server.
is resumable
A flag indicating whether the session can be used to initiate new connections.

The connection state includes the following elements:

server and client random
Byte sequences that are chosen by the server and client for each connection.
server write MAC secret
The secret used in MAC operations on data written by the server.
client write MAC secret
The secret used in MAC operations on data written by the client.
server write key
The bulk cipher key for data encrypted by the server and decrypted by the client.
client write key
The bulk cipher key for data encrypted by the client and decrypted by the server.
initialization vectors
When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key. This field is first initialized by the SSL handshake protocol. Thereafter the final ciphertext block from each record is preserved for use with the following record.
sequence numbers
Each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero. Sequence numbers are of type uint64 and may not exceed 264-1.

7.5 Handshake protocol overview

The cryptographic parameters of the session state are produced by the SSL Handshake Protocol, which operates on top of the SSL Record Layer. When a SSL client and server first start communicating, they agree on a protocol version, select cryptographic algorithms, optionally authenticate each other, and use public-key encryption techniques to generate shared secrets. These processes are performed in the handshake protocol, which can be summarized as follows:

The client sends a client hello message to which the server must respond with a server hello message, or else a fatal error will occur and the connection will fail. The client hello and server hello are used to establish security enhancement capabilities between client and server. The client hello and server hello establish the following attributes: protocol version, session ID, cipher suite, and compression method. Additionally, two random values are generated and exchanged: ClientHello.random and ServerHello.random.

Following the hello messages, the server will send its certificate, if it is to be authenticated. Additionally, a server key exchange message may be sent, if it is required (e.g. if their server has no certificate, or if its certificate is for signing only). If the server is authenticated, it may request a certificate from the client, if that is appropriate to the cipher suite selected.

Now the server will send the server hello done message, indicating that the hello-message phase of the handshake is complete. The server will then wait for a client response.

If the server has sent a certificate request message, the client must send either the certificate message or a no certificate alert. The client key exchange message is now sent, and the content of that message will depend on the public key algorithm selected between the client hello and the server hello. If the client has sent a certificate with signing ability, a digitally-signed certificate verify message is sent to explicitly verify the certificate.

At this point, a change cipher spec message is sent by the client, and the client copies the pending Cipher Spec into the current Cipher Spec. The client then immediately sends the finished message under the new algorithms, keys, and secrets. In response, the server will send its own change cipher spec message, transfer the pending to the current Cipher Spec, and send its Finished message under the new Cipher Spec. At this point, the handshake is complete and the client and server may begin to exchange application layer data. (See flow chart below.)

The contents and significance of each message will be presented in detail in the following sections.

7.6 Handshake protocol

The SSL Handshake Protocol is one of the defined higher level clients of the SSL Record Protocol. This protocol is used to negotiate the secure attributes of a session. Handshake messages are supplied to the SSL Record Layer, where they are encapsulated within one or more SSLPlaintext structures, which are processed and transmitted as specified by the current active session state.

enum {
     hello_request(0), client_hello(1),
     server_hello(2), certificate(11),
     server_key_exchange (12), certificate_request(13),
     server_hello_done(14), certificate_verify(15),
     client_key_exchange(16), finished(20), (255) 
} HandshakeType;

struct {
     HandshakeType msg_type;         /* type of handshake message */
     uint24 length;  /* # bytes in handshake message body */
     select (HandshakeType) {
         case hello_request: HelloRequest;
         case client_hello: ClientHello;
         case server_hello: ServerHello;
         case certificate: Certificate;
         case server_key_exchange: ServerKeyExchange;
         case certificate_request: CertificateRequest;
         case server_hello_done: ServerHelloDone;
         case certificate_verify: CertificateVerify;
         case client_key_exchange: ClientKeyExchange; 
         case finished: Finished;
     } body;
} Handshake;

The handshake protocol messages are presented in the order they must be sent; sending handshake messages in an unexpected order results in a fatal error.

7.6.1 Hello messages

The hello phase messages are used to exchange security enhancement capabilities between the client and server. When a new session begins, the CipherSpec encryption, hash, and compression algorithms are initialized to null. The current CipherSpec is used for renegotiation messages.

7.6.1.2 Client hello

When a client first connects to a server it is required to send the client hello as its first message. The client can also send a client hello in response to a hello request or on its own initiative in order to renegotiate the security parameters in an existing connection.

The client hello message includes a random structure, which is used later in the protocol.

struct {
   uint32 gmt_unix_time;
   opaque random_bytes[28];
} Random;

gmt_unix_time
The current time and date in standard UNIX 32-bit format according to the sender's internal clock. Clocks are not required to be set correctly by the basic SSL Protocol; higher level or application protocols may define additional requirements.

random_bytes
28 bytes generated by a secure random number generator.

The CipherSuite list, passed from the client to the server in the client hello message, contains the combinations of cryptographic algorithms supported by the client in order of the client's preference (first choice first).

The client hello includes a list of compression algorithms supported by the client, ordered according to the client's preference. If the server supports none of those specified by the client, the session must fail.

The structure of the client hello is as follows.

struct {
        ProtocolVersion client_version;
        Random random;
        SessionID session_id;
        CipherSuite cipher_suites<2..216-1>; 
        CompressionMethod compression_methods<1..28-1>; 
} ClientHello;
After sending the client hello message, the client waits for a server hello message. Any other handshake message returned by the server except for a hello request is treated as a fatal error.

7.6.1.3 Server hello

The server processes the client hello message and responds with either a handshake_failure alert or server hello message.

struct {
        ProtocolVersion server_version;
        Random random; 
        SessionID session_id;
        CipherSuite cipher_suite;
        CompressionMethod compression_method;
} ServerHello;

7.6.2 Server certificate

If the server is to be authenticated (which is generally the case), the server sends its certificate immediately following the server hello message. The certificate type must be appropriate for the selected cipher suite's key exchange algorithm, and is generally an X.509.v3 certificate The same message type will be used for the client's response to a server certificate request message.

7.6.3 Server key exchange message

The server key exchange message is sent by the server if it has no certificate, has a certificate only used for signing (e.g., DSS [DSS] certificates, signing-only RSA [RSA] certificates), or fortezza/DMS key exchange is used. This message is not used if the server certificate contains Diffie-Hellman [DH1] parameters.

7.6.5 Server hello done

The server hello done message is sent by the server to indicate the end of the server hello and associated messages. After sending this message the server will wait for a client response.

struct { } ServerHelloDone;

Upon receipt of the server hello done message the client should verify that the server provided a valid certificate if required and check that the server hello parameters are acceptable.

7.6.6 Client certificate

This is the first message the client can send after receiving a server hello done message. This message is only sent if the server requests a certificate. If no suitable certificate is available, the client should send a no certificate alert instead. This error is only a warning, however the server may respond with a fatal handshake failure alert if client authentication is required.

Client certificates are sent using a Certificate structure.

7.6.7 Client key exchange message

The choice of messages depends on which public key algorithm(s) has (have) been selected.

7.6.9 Finished

A finished message is always sent immediately after a change cipher specs message to verify that the key exchange and authentication processes were successful. The finished message is the first protected with the just-negotiated algorithms, keys, and secrets. No acknowledgment of the finished message is required; parties may begin sending confidential data immediately after sending the finished message. Recipients of finished messages must verify that the contents are correct.

Application messages

Following the handshake, application level messages may be exchanged. There is also the possibility of changing encryption methods mid-stream. So SSL defines the data exchange message format.

The record layer fragments information blocks into SSLPlaintext records of 214 bytes or less. Client message boundaries are not preserved in the record layer (i.e., multiple client messages of the same ContentType may be coalesced into a single SSLPlaintext record).

struct {
        uint8 major, minor;
} ProtocolVersion;
enum {
        change_cipher_spec(20), alert(21),
        handshake(22), application_data(23), (255)
} ContentType;
struct {
        ContentType type;
        ProtocolVersion version;
        uint16 length;
        opaque fragment[SSLPlaintext.length];
} SSLPlaintext;

SSLRef

Netscape have a reference implementation of the SSL v3.0 protocol, known as SSLRef. This may not be exported outside the US.

SSLRef changes the implementation of the standard socket library, replacing it with one that talks on port 443. The client and server implementations transfer the "old" information on this port, and then send it on to the "real" ports (I guess).

SSLRef controls security behaviour by adding behaviour to setsockopt() and getsockopt(). Extra flags and structures use new security values.

SSLRef is used to build the SSL support in Netscape browser and HTTP server. The international versions of these are crippled because of US export restrictions.

SSLeay

SSLeay is a free implementation of SSL v2.0 which is available outside of the US from ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/ SSLeay has been added to NCSA browsers and servers, and version of telnet and ftp using SSLeay are available.

Electronic payment systems

EFT systems can be divided into the broad categories of

Issues in electronic commerce

First Virtual

Users establish an account with First Virtual. In return for a fee and a credit card number, users are issued with a cardholder identifier i.e. a cardnumber. The credit card information never appears on the network, and is sent by e.g. snail mail. The cardnumber may be used in the clear on the network.

When a user makes a purchase, they tell the merchant the cost, their cardnumber. The merchant forwards this information to FV. FV will then query the user as to whether or not they authorise this purchase, with a reply of Yes, No or Fraud. If the replay is Yes, then FV tells the merchant who will then forward the goods. FV will bill the credit card of the purchaser at some later date.

The principal advantages are security to the purchaser. Their credit card is never on the network, not even encrypted. They cannot be charged for goods they never ordered because they have to approve each purchase with FV. Their email address is not publically linked to the cardnumber, so there is little chance of forgery.

The protocol used is defined in the Green Commerce Model, an IETF draft. It is a low-bandwidth model, assuming that most of the information will be sent around by email, although the possibility of a dedicated service is allowed.

Transactions

The possible transcations are

Money format

Money is described by a combination of a numeric value to indicate the quantity of money, and a currency descriptor that names the currency in which the money is denominated. The grammar for currency descriptors is a coded three character alphabetic code abbreviation as defined by ISO 4217, followed by a human-readable string giving the name of the currency.

The quantity of money to be paid is represented as a floating point number, rounded as necessary for the relevant currency.

Syntactic elements

Account identifiers consist of from 1 to 30 alphanumeric characters, and may contain spaces and punctuation characters which are not significant for comparison purposes. Further, account identifiers are case-insensitive for comparison purposes.

An account identifier is used by a green commerce server to determine names and email addresses, which are not public information.

The following is simplified from the full syntax.

BUYER
The value specifies the account identifier for the paying party.
SELLER
The value specifies the account identifier for the party to be paid.
TRANSFER-ID
The value is a unique identifier, enclosed in angle brackets, specified by the initiator of a transfer, in a TRANSFER-REQUEST, and passed on in subsequent TRANSFER-QUERY and TRANSFER-RESULT transactions. It is limited to 78 characters, but otherwise uses the syntax of Internet mail Message-ID values.
SERVER-ID
The value is a unique identifier, with the same syntax as TRANSFER-ID, generated by the Green Commerce server, that may be used to correlate the different transactions (notably TRANSFER-QUERY, TRANSFER-RESPONSE, TRANSFER-RESULT, TRANSFER- NOTIFICATION, PAYIN-CHARGEBACK-NOTIFICATION, PAYOUT-CHARGEBACK- NOTIFICATION, REFUND-REQUEST, REFUND-QUERY, REFUND-RESULT, REFUND-NOTIFICATION, and REFUND-FAILURE-NOTIFICATION) involved in a funds transfer.

Transactions relating to Movement of Funds

1. TRANSFER-REQUEST -- Initiates a fund transfer between two account holders. To be RECEIVED by a Green Commerce server.

2. TRANSFER-QUERY -- Query the paying party to verify a fund transfer requested by a TRANSFER-REQUEST transaction. To be SENT by a Green Commerce server.

3. TRANSFER-RESPONSE -- The paying party's response to a TRANSFER-QUERY transaction. To be RECEIVED by a Green Commerce server.

4. TRANSFER-RESULT -- The acknowledgment to the party receiving payment informing that party of the buyer's response. To be SENT by a Green Commerce server.

5. TRANSFER-NOTIFICATION -- The notification to the party receiving payment that an actual charge has been authorized by the underlying payment engine. To be SENT by a Green Commerce server if requested in the TRANSFER-REQUEST.

6. PAYIN-NOTIFICATION -- The notification to the paying party that an actual charge has been posted to the underlying payment engine. To be SENT by a Green Commerce server.

7. PAYOUT-NOTIFICATION -- The notification to an account holder that a credit has been posted to the underlying payment engine. To be SENT by a Green Commerce server.

8. PAYIN-CHARGEBACK-NOTIFICATION -- A report to the paying party in a previous transfer, indicating that a chargeback has been received from the underlying payment engine, and detailing its consequences. To be SENT by a Green Commerce server.

9. PAYOUT-CHARGEBACK-NOTIFICATION -- A report to the party receiving payment in a previous transfer, indicating that a chargeback has been received from the underlying payment engine, and detailing its consequences. To be SENT by a Green Commerce server.

10. PAYIN-FAILURE-NOTIFICATION -- A report to the paying party in a funds transfer, indicating that the underlying payment engine has declined to issue payment. To be SENT by a Green Commerce Server.

11. COLLECTION-FAILURE-NOTIFICATION -- A report to the party receiving payment in a funds transfer, indicating that the underlying payment engine has declined to issue payment. To be SENT by a Green Commerce Server.

Transfer-request

A fund transfer between two accounts is initiated by a TRANSFER- REQUEST transaction, delivered (either via email or SGCP) as a MIME entity with a content-type of "application/green-commerce; transaction=transfer-request".

The following are among the required attributes for TRANSFER-REQUEST transactions:

For example, the following MIME entity describes a request to transfer $19.99 from the account of "Joe Internaut" to the account of "CrazyRDIM", the account-id for "Crazy Rupert's Discount Information Mart". Note that no special attention is given to human readability in this transaction, since TRANSFER-REQUEST transactions are not directed to human beings, but only to the Green Commerce server. Content-type: application/green-commerce; transaction=transfer-request BUYER: wham-Joe is a cool dude SELLER: CrazyRDIM AMOUNT: 19.99 CURRENCY: USD US Dollars TRANSFER-ID: <CRDIM424242@somewhere.com> SECURITY-REQUIREMENTS: None DESCRIPTION: Purchase of slightly-used stock quotes We gave you lots of useful stock quotes and tips that may have helped you in your investments, and it isn't our fault if a grand jury is interested in you!

Transfer-query

When a Green Commerce server receives a TRANSFER-REQUEST transaction, the buyer must be asked to confirm that the charge is legitimate. This is accomplished by generating an email message to the buyer with a content-type of "application/green- commerce; transaction=transfer-query". The following are among the required attributes for TRANSFER-QUERY transactions: For example, the following MIME entity describes the payment query corresponding to the fund transfer initiated by the previous example. Note that special attention is given to human readability for users without specialized Green Commerce software. Reply-to: response@card.com Subject: <ABCDEFG1234567@card.com> -- Please Confirm Content-type: multipart/alternative; boundary=fv42 --fv42 Transaction: Purchase of slightly used stock quotes Cost: US $19.99 SELLER-NAME: Crazy Rupert's Discount Information Mart Crazy Rupert's Discount Information Mart has requested that you (Joe Internaut) should be charged $19.99 for "Purchase of slightly used stock quotes". Please respond to this message by using the reply command of your mail system, making sure to preserve the special code in the Subject field. The body of your reply message needs to contain only one word: "Yes" will authorize this fund transfer, "No" will disallow this fund transfer according to the terms of your agreement as our customer, and "Fraud" will report that you did not initiate this transaction and therefore suspect that someone is abusing your account. (Claiming fraud will freeze all use of your account until further notice.) Please ignore anything that appears below this line. --fv42 Content-type: application/green-commerce; transaction=transfer-query SERVER-ID: <ABCDEFG1234567@card.com> BUYER-NAME: Joe Internaut SELLER-NAME: Crazy Rupert's Discount Information Mart AMOUNT: 19.99 CURRENCY: USD US Dollars DESCRIPTION: Purchase of slightly-used stock quotes This message was provided by the transaction's originator: We gave you lots of useful stock quotes and tips that may have helped you in your investments, and it isn't our fault if a grand jury is interested in you! --fv42--

Transfer-response

In order for a fund transfer to be effected, the paying party must respond to the TRANSFER-QUERY transaction with a TRANSFER- RESPONSE transaction directed back to a Green Commerce server. Such a transaction should have a content-type of "application/green-commerce; transaction=transfer-response", deliverable either as email or via SGCP. The following are among the required attributes for TRANSFER-RESPONSE transactions: For example, the following MIME entity describes a positive response to Joe Internaut's information purchase in the earlier example: Content-type: application/green-commerce; transaction=transfer-response SERVER-ID: <ABCDEFG1234567@card.com> AUTHORIZATION: Yes

Transfer-result

When a Green Commerce server has received a TRANSFER-RESPONSE transaction, the party named in that transaction as the seller will be informed of the buyer's response. This is accomplished by generating an email message to the seller with a content-type of "application/green-commerce; transaction=transfer-result". The following are among the required attributes for TRANSFER-RESULT transactions: For example, the following MIME entity informs Crazy Rupert that Joe Internaut has authorized the fund transfer. Note that special attention is given to human readability for users without specialized Green Commerce software. Content-type: multipart/alternative; boundary=fv43 Subject: <ABCDEFG1234567@card.com> -- Purchase confirmed --fv43 Transaction: Purchase of slightly used stock quotes Cost: US $19.99 BUYER-NAME: Joe Internaut Joe Internaut has authorized the transfer of $19.99 to your First Virtual account. For Terms and Conditions of this account, please send email to fineprint@fv.com. Please ignore anything that appears below this line. --fv43 Content-type: application/green-commerce; transaction=transfer-result TRANSFER-ID: <CRDIM424242@somewhere.com> SERVER-ID: <ABCDEFG1234567@card.com> AUTHORIZATION-RESULT: Yes BUYER-NAME: Joe Internaut SELLER-NAME: Crazy Rupert's Discount Information Mart AMOUNT: 19.99 CURRENCY: USD US Dollars DESCRIPTION: Purchase of slightly-used stock quotes --fv43--

Privacy Encryption

The Simple Green Commerce Protocol in general, and application/green-commerce data structures in particular, have been designed to be completely orthogonal to, and independent of, encryption technology. In general, it is not necessary to encrypt application/green-commerce data. However, it is sometimes desirable to do so for purposes of privacy protection.

As of 1996 only one such encryption format is supported: PGP (Pretty Good Privacy). Anyone submitting a message to a Green Commerce server may do so using this format, encrypting with one of the privacy keys returned by a KEY-REQUEST transaction.

An example of such an encrypted message follows below:

From: joe@mythical.fv.com To: sgcs@test.card.com Mime-Version: 1.0 Subject: Encrypted transfer Content-Type: multipart/encrypted; boundary=424242; protocol="application/pgp-encrypted" --424242 Content-Type: application/pgp-encrypted Version: 1 --424242 Content-Type: application/octet-stream -----BEGIN PGP MESSAGE----- Version: 2.6.1 hIwD930Vix6TwIEBA/0a6+H26jFuG2T7ZIGE/OQblWHVKx6nC63yrGwkewqehmVS Cg9yuTaqDj8oNN9nrK+Q/I9TR5iRg4v0pFAq9FHbVSY7cTPZg4CD4o5AX8KMrOVV 7r7YkmjAJ7iQlBps3GS0eArtD/gPBF8GxvDi8IuSQ0rgWbOIC1yh4/6AID4QL6YA AAD2AkKVG/PLIatMTfeG9xU23GEcSKfvySfMXp22X2LiMD0ya+asQU9FyAXVRizN W8zYUqEAzJ1ICBOEr8PjdYzV8onrhSxgb8H6smM6IlwJhIvkkJ+bqMGyCnznKMhe bPTbCQcRuWMbLrJ674F/UDPHtLshQMQv81FxO6MXDdWe4b9SJxA4qBgfraRYKKNa T8X8kc6Rhk7PUDxR3W33PgR789PHx0MbPbhfcmCLSH/CD9HkWv3cS/c+81xsjId+ qW9NswwCbI56SYBV9L6pipEDLtHbe/3qH0F12HfPGH1foTPAjyEFGcmX2Fmnu5sE FLbUNPkMeG/h =NamY -----END PGP MESSAGE-----

Digicash

Digicash is electronic cash that is purchased from a bank and stored on your computer. When a purchase is made, cash is transferred from the bank to your computer

To make a purchase, you send cash to the merchant, who forwards it on to the bank for validation (checking that it hasn't been spent twice)

The cash normally goes back to the bank, but can be sent to the merchant via a round-trip

The ecash flow is

Format

When you buy ecash from the bank, you send the bank a set of random numbers that you chose. The bank then digitally signs them and returns them. The signature is the stamp of validity. By a couple of obscure tricks, the person buying the ecash is able to change the number sent but preserve the signature, so that the money becomes anonymous.

Anyone can check the signature to ensure that the money really came from the bank. To avoid forgery, the bank can check that the money has not been spent twice.

Messages to the mint

The format of an unencrypted message is rec hdr_stuff = { int version_code time timestamp int reserved } rec userhdr = { int userID time timestamp int bankID } rec {OPENACC1, WITHDRAW3, ...}

The format of an encrypted message is

bank_enr = { int keyno rec rsaenc = { RSA encrypted key } rec encrypt = { int algo int size data enc_data } }

Requests

Payment request (shop to customer) PAYREQ = [ int currency int amount time timestamp int shop_bankID string shop_accID string descr string conn_host /* optional */ int conn_port /* optional */ ] Payment (customer to shop) PAYMENT = [ payment_hdr pcoins ; list of coins ] payment_hdr = [ int bankID int protocol int amount int currency int ncoins ; number of coins in payment time timestamp int expires int shop_bankID string shop_accID data payer_hash ; = f(payer_code) data descr_hash ; = f(descr) ----- data before this is used in "payment hash" ----- int flags string descr ; payment description string comment ; optional comment (currently not used) data payer_code ; random code generated by payer int seqno ; used for storing in DB time rcv_time ; only used for received payments int payment_version ] The descr field is only sent from customer to shop, the payer_code is only sent in payment cancellations, from client to mint. The comment field is never sent, this can be used for private annotations. pcoins = [ onl_coin onl_coin ... ] onl_coin = [ int keyversion ; low 5 bits are denomination MPI n ; coin number MPI sig ; encrypted coin signature ] The "payment hash" is the SHA digest of first part of the payment header (the part before the line). Before sending a coin to the shop, the signature is xored with the "payment hash" and encrypted with the mints public key. The "payment hash" is not sent from payer to shop, or shop to mint. The shop checks if the descr_hash matches the description, and only sends the hashed part of the payment header to the mint. The mint can only decrypt and accept a coin if the payment header is received unmodified.

References

SSL v3.0 specification - http://home.netscape.com/eng/ssl3/3-SPEC.HTM. This is also an IETF RFC.

SSLeay - ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/

R. Kalakota and A. B. Whinston Frontiers of Electronic Commerce Addison-Wesley, 1996

G. Wrightson and A. Furche Computer Money: A Systematic Overview of Electronic Payment Systems Springer-Verlag, 1996

N. Borenstein and M. Rose The Green Commerce Model IETF RFC

The digicash protocol http://www.digicash.com/ecash/protocol.html

The IETF RFC's may be obtained from http://ds.internic.net/ds/dspg1intdoc.html


This page is maintained by Jan Newmarch http://jan.newmarch.name