Wednesday, September 26, 2007

The Online Merchant of Venice

The Story
A play in which our hero, Antonio, uses the Internet to securely purchase airline tickets. But all is not what it seems on the Internet… for shady characters await to entrap poor Antonio.

Cliff Note: Internet based SSL is explained using a weak story and several bad Shakespeare references.

The Players
Antonio - The tragic hero of the story longs to visit his lover in Italy
Aye Eee - A clueless, befuddled web browser used by Antonio
|Bits Dotcom - (pronounced Orbitz.com) A travel broker offering deep discounts
Shylock.ru - A scheming character with a shady past, seeking profit by any means

Act I – Antonio Buys a Ticket

Antonio: Oh how I long to visit Italy, but tickets are so expensive. Maybe I can buy a ticket online with the help of my friend Aye Eee. [Speaking to Aye Eee] Aye Eee, create a secure SSL connection to |Bits

Aye Eee: [Speaking to |Bits] Client Hello. SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_256_MD5

|Bits: Server Hello. SSL_RSA_WITH_RC4_128_MD5 acceptable. Session ID = 123456.

Cliff Note: The first step of SSL communication is for the client and server to negotiate the CipherSuite to use. The client begins with a Client Hello message and a list of acceptable CipherSuites. The server responds with a Server Hello and either the CipherSuite to use or a fatal alert.

|Bits: [Speaking to Aye Eee] Here is my digital certificate... My public key is 998877.

Aye Eee: Now I will generate a random value and encrypt it with |Bits's public key... [works hard, possibly grunts]... Perfect! My encrypted result is "!@#$%^". I will send this result to |Bits in my "Client Key Exchange Message", and then I too will use the random value to create the session's master secret.

Cliff Note: The delivery of these lines, especially the pronunciation of "!@#$%^", has been a career-defining moment for many actors.

|Bits: Now that I possess the encrypted random value, I will decrypt it using my private key and calculate the session's master secret. Now both I, the server, and Aye Eee, the browser, possess the master secret.

Aye Eee: [Speaking to |Bits] Change cipher specification... from this point on all messages are secured using the negotiated parameters

|Bits: [Speaking to Aye Eee] Change cipher specification... from this point on all messages are secured using the negotiated parameters

Aye Eee: Using the master secret and SSL_RSA_WITH_RC4_128_MD5 encryption, I will now send the "Finished message"

|Bits: Using the master secret and SSL_RSA_WITH_RC4_128_MD5 encryption, I too will now send the "Finished message"

Cliff Note: The two Finished messages are the first messages passed by each party that are fully encrypted using the negotiated security parameters. From this point forward, all application data exchanged is encrypted, and any new connections to the site are also encrypted.

Aye Eee: [Speaking to Antonio] Here is your requested page, securely encrypted as you can see by the lock in the bottom right. Be careful now, and only give out personal information when you see the little lock.

Antonio: Wonderful. I am now safe to buy my tickets.

Cliff Note: An overview of the SSL Handshake is provided below:


Act II – Antonio Checks his Reservations

Antonio: I’m so excited for my trip that I just have to log on to |Bits and check my reservations. Aye Eee, take me securely to the site.

Aye Eee: [Speaking to |Bits] Client Hello. SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_256_MD5

Shylock.ru: [Masquerading as |Bits] Ah ha, disguised as |Bits, I will be able to extract 3000 ducats from innocent Antonio. [Speaking to Aye Eee] Alert - Warning. Unacceptable cipher spec. Try SSL_NULL_WITH_NULL_NULL

Cliff Note: This unencrypted CipherSpec should only be used during the SSL handshake, but some browsers will erroneously allow an SSL connection to be created with it. An Alert can be either a warning or an error, and is one of the four categories of SSL messages: Handshake, Alert, ChangeCipherSpec, and Application data.

Aye Eee: Client Hello. SSL_NULL_WITH_NULL_NULL

Shylock.ru: Hello. SSL_NULL_WITH_NULL_NULL acceptable. Here is your session ID.

Cliff Note: Notice how this degenerate CipherSpec does not require a digital certificate to be verified before sending the session ID.

Aye Eee: I’ll still generate my random value, but the CipherSpec says there is no need to encrypt it. I guess I’ll just send it to the server in plaintext and then use my random value to calculate the session's master secret.

Shylock.ru: Poor Aye Eee is almost snared in my trap. I’ll take the unencrypted random value and generate the session's master secret…

Aye Eee: [Speaking to |Bits] Change cipher specification...

Shylock.ru: [Speaking to Aye Eee] Change cipher specification...

Cliff Note: The Change Cipher specification message tells the players to use the negotiated security parameters for all communication going forward. However, the negotiated parameters now include sending application data in plaintext!

Aye Eee: [Speaking to |Bits] Finished message

Shylock.ru: [Speaking to Aye Eee] Finished message

Cliff Note: At this point, Aye Eee will display a “secure lock” in the browser. Shylock.ru can now impersonate |Bits because the lack of a digital certificate in the CipherSpec means that there is no name mismatch warning. If the browser didn’t support the NULL CipherSpec, then the illegitimate website could not impersonate the real site.

Aye Eee: Antonio, here is your requested page, securely encrypted as you can see by the lock in the bottom right. For some reason |Bits needs you to type in your credit card.

Shylock.ru: Poor Antonio doesn’t realize that all that glistens is not gold. If he just sends his credit card then I can extract my pound of flesh…

Antonio: Credit card number… sure, it is a secure site after all!

[Curtain closes as credit agencies rush in...]
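
Cliff Note (added example, not part of the original post): the Act II downgrade next to the client-side checks that stop it, as a toy Python model of the negotiation rather than a real SSL stack. The server stand-ins, message dictionaries and function names are constructed for illustration; the suite names and the public key value are the ones used in the play.

```python
# Toy model of the play's negotiation (added example, not a real SSL stack).
OFFERED = ["SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_256_MD5"]  # Aye Eee's list
NULL_SUITE = "SSL_NULL_WITH_NULL_NULL"

def parse_suite(name):
    """Split SSL_<key exchange>_WITH_<cipher>_<mac> into its parts."""
    key_exchange, rest = name[len("SSL_"):].split("_WITH_")
    cipher, mac = rest.rsplit("_", 1)
    return {"key_exchange": key_exchange, "cipher": cipher, "mac": mac}

def bits(offer):
    """Constructed stand-in for the legitimate server of Act I."""
    return {"type": "server_hello", "suite": offer[0], "certificate": "public key 998877"}

def shylock(offer):
    """Constructed stand-in for the impostor of Act II."""
    if offer != [NULL_SUITE]:
        return {"type": "alert", "suggest": NULL_SUITE}
    return {"type": "server_hello", "suite": NULL_SUITE, "certificate": None}

def naive_client(server):
    """Aye Eee: re-offers whatever the alert suggests and trusts the outcome."""
    reply = server(OFFERED)
    if reply["type"] == "alert":
        reply = server([reply["suggest"]])
    return (True, reply["suite"])  # the lock is shown whatever was negotiated

def strict_client(server):
    """Hardened client: its own offer list is the only source of acceptable suites."""
    reply = server(OFFERED)
    if reply["type"] != "server_hello":
        return (False, "alert received; not retrying with a server-suggested suite")
    if reply["suite"] not in OFFERED:
        return (False, "server chose a suite that was never offered")
    if "NULL" in parse_suite(reply["suite"]).values():
        return (False, "suite has a NULL component")
    if not reply["certificate"]:  # presence only; a real client verifies chain and name
        return (False, "no certificate to verify")
    return (True, reply["suite"])

if __name__ == "__main__":
    for client in (naive_client, strict_client):
        for server in (bits, shylock):
            print(client.__name__, "vs", server.__name__, "->", client(server))
```

The strict client still completes the Act I handshake with |Bits, but shows no lock for Shylock.ru.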
