Handshake Protocol In TLS And SSL Communication

The goal of this project is to simulate the key agreement from TLS/SSL handshake in C++. the key agreement should be done with RSA and DHE
please note that all the documents mentioned below are provided in a zip file attached to this email:

makesfiles and CryptoPP library

source code for TCP layer (src/tcp) and part of SSL (src/ssl)

logger class: contains functions to sniff the traffic. When SslServer and SslClient starts, they will create a new instance of Logger. What TCP sent and receive will be contained inside the log files created by the loggers. 

TLS server

Brabson,2011 found out that handshake is an authentication program between these two protocols which acknowledges the communication between them. In this communication there are sockets for both the client and the server, a server is made from the available two choices, either TLS or SSL but in this project TLS is the server while SSL is the client and the communication uses RSA and DHE. Using RSA and DHE the communication is very secure between the client and the server. RSA is an encryption algorithm which does not necessarily need to exchange secret keys separately. It is used for both public key encryption and digital signatures. The security of RSA encryption is almost guaranteed thus making it very popular.

TLS server.

Creating the TLS server, Oppliger,2016, writes that  firstly an open ssl is needed, so the ssl is created as the first step in the making of the server, this is done by initializing the int_openssl () function then load the strings that are used for error messages. After creation of the server, an SSL_CTX also called the SSL context is then created. This is achieved by use of the SSLv23_server method and the context configured therein. To do this configuration a function SSL_CTX_set_ecdh_auto tells the openssl() to handle the elliptic curves. This is followed by specification of the certificates and the private keys.

From creating the openssl and the whole procedure there comes normal socket programming which now handles the actual communication. SSL structure is created to hold the information which pertains the connection. Using the SSL_set_fd to communicate to the openssl() the kind of file descriptor to be used.

Steps for establishing the connection.

1. The client sends a " hello" message to the server, alongside the random value for the client and reinforced cipher suites.
2. The server replies by sending a " hello too" to the client, alongside the random value for the server.
3. The server sends its certificate to the client for substantiation and requests a certificate from the client though not very necessary
4. If the server had requested for a certificate from the client, the client sends it to the server.
5. The client then generates a random Pre-Master Secret and then encrypts it with the public key emanatingfrom the server's certificate, then sends the encrypted Pre-Master Secret to the server.
6. The server accepts the Pre-Master Secret. The server and client each of them generates the Master Secret and session keybasing on the Pre-Master Secret.
7. The client sends "Alter cipher specification" notice to server to designate that the client will now or sooner flinch using the new session keyfor hashing and even encrypting messages. Client also sends "Client is done" message. For acknowledgement, now when all these steps are executed successfully, a TLS/SSL handshake is said to have occurred.
8. Server accepts "Changes cipher specifications" and switches its handshake layer security state to symmetrical encryptionby use of the session keys. Server relays "Server complete" notification to the client.
9. Client and server can therein exchange application data over the secured communication channel that has been established. All messages and notifications sent from client to server and from server to client are encrypted by use of session key thus very safe even in the communication channel. Basically it is an end to end encrypted kind of channel between the server side and the client side. Below is a conceptualized overview of the handshake concept.

SSL client.

The TLS/SSL protocol provides for a possibility of a secure communication over the internet, the two have got two layers over which they communicate, record protocol and handshake over TCP/IP. Retrieved from https://www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt.

Other files are assistant files in c++ which makes serve-client communication possible but important in the completion of the program.

Authentication.

In TLS/SSL communication the server has to prove its authenticity as well as the client for the communication be successful, this uses the private/public key pairs. The server and the client exchange random numbers and a unique number known as the Pre-master secret. The numbers are pooled with extra data authorizing client and server to create the shared secret, termed the Master Secret. The Master Secret is used by client and server to produce the write MAC secret; the session key used in hashing, and the write key, the session used for encryption.

Steps for establishing the connection

Code.

Below are the codes for the TLS/SSL handshake:

Server:

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <pthread.h>

#include <string>

#include <fstream>

#include <iostream>

#include "ssl_server.h"

using namespace std;

#define NUM_THREADS 2

void* handle_client(void* args) {

  SSL* ssl_cxn = (SSL*)args;

  if ( ssl_cxn != NULL ) {

    string recv_msg;

    int code = ssl_cxn->recv(&recv_msg);

    printf("s: received '%s'%dn", recv_msg.c_str(), code);

  }

  pthread_exit(NULL);

}

int main() {

  SslServer *s = new SslServer();

  if ( s->start() != 0 ) {

    cout << "s: couldn't start server" << endl;

    return 1;

  }

  // cout << "a" << endl;

  string hostname = s->get_hostname();

  int port = s->get_port();

  cout << "s: started on " << hostname << " " << port << endl;

  ofstream addrfile;

  addrfile.open("address.txt");

  addrfile << hostname << endl << port << endl;

  addrfile.close();

  // cout << "b" << endl;

  pthread_t threads[NUM_THREADS];

  for( int i = 0 ; i < NUM_THREADS ; i += 1 ) {

    SSL* client = s->accept();

    if ( client == NULL ) {

      cerr << "Error: couldn't accept" << endl;

      exit(1);

    }

    cout << "s: accepted " << i+1 << " client(s)" << endl;

    int retcode;

    retcode = pthread_create(&threads[i], NULL, handle_client, (void *)client);

    if ( retcode != 0 ) {

      perror("Error: can't create thread.n");

      exit(1);

    }

  }

  // cout << "c" << endl;

  void* status;

  for( int i = 0 ; i < NUM_THREADS ; i += 1 ) {

    int retcode;

    retcode = pthread_join(threads[i], &status);

    if (retcode){

      cerr << "Error:unable to join," << retcode << endl;

      exit(1);

    }

    // cout << "Main: completed thread id :" << i ;

    // cout << "  exiting with status :" << status << endl;

  }

  cout << "s: broadcasting " << endl;

  if ( s->broadcast("Server says "HELLO ALL"") < 0 ) {

    cerr << "Error: couldn't broadcast" << endl;

    exit(1);

  }

  cout << "s: shutting down " << endl;

  if ( s->shutdown() != 0 ) {

    cerr << "Error: couldn't shut down" << endl;

    exit(1);

  }

  cout << "s: free-ing " << endl;

  sleep(2);

  delete s;

  cout << "s: exiting " << endl;

  return 0;

}

Server side:

#include "ssl_server.h"

#include <stdlib.h>

#include <string.h>

#include <iostream>

#include <sstream>

#include "dh.h"

#include "integer.h"

#include "osrng.h"

#include "crypto_adaptor.h"

#include "tcp.h"

#include "logger.h"

#include "utils.h"

using namespace std;

SslServer::SslServer() {

  string datetime;

  if ( get_datetime(&datetime, "%Y%m%d-%H%M%S") != 0 ) {

    exit(1);

  }

  this->logger_ = new Logger(("ssl_server_"+datetime+".log"));

  this->tcp_->set_logger(this->logger_);

  get_datetime(&datetime, "%Y/%m/%d %H:%M:%S");

  this->logger_->log("Server Log at " + datetime);

  this->closed_ = false;

  // init dhe

  generate_pqg(this->dh_p_, this->dh_q_, this->dh_g_);

  // init rsa

  generate_rsa_keys(this->private_key_, this->public_key_);

}

SslServer::~SslServer() {

  if ( !this->closed_ ) {

    this->shutdown();

  }

  delete this->logger_;

}

int SslServer::start(int num_clients) {

  if ( this->closed_ ) {

    return -1;

  }

  return this->tcp_->socket_listen(num_clients);

}

SSL* SslServer::accept() {

  if ( this->closed_ ) {

    return NULL;

  }

  TCP* cxn = this->tcp_->socket_accept();

  if ( cxn == NULL ) {

    cerr << "error when accepting" << endl;

    return NULL;

  }

  cxn->set_logger(this->logger_);

  SSL* new_ssl_cxn = new SSL(cxn);

  this->clients_.push_back(new_ssl_cxn);

  // IMPLEMENT HANDSHAKE HERE

  return NULL;

}

int SslServer::shutdown() {

  if ( this->closed_ ) {

    return -1;

  }

  // pop all clients

  while ( !this->clients_.empty() ) {

    SSL* cxn = this->clients_.back();

    this->clients_.pop_back();

    if ( cxn != NULL ) {

      delete cxn;

    }

  }

  return 0;

}

vector<SSL*> SslServer::get_clients() const {

  return vector<SSL*>(this->clients_);

}

int SslServer::broadcast(const string &msg) {

  if ( this->closed_ ) {

    return -1;

  }

  int num_sent = 0;

  // this->logger_->log("broadcast:");

  // this->logger_->log_raw(msg);

  for ( vector<SSL*>::iterator it = this->clients_.begin() ;

        it != this->clients_.end() ; ++it ) {

    ssize_t send_len;

    send_len = (*it)->send(msg);

    if ( send_len == (unsigned int)msg.length() ) {

      num_sent += 1;

    }

  }

  return num_sent;

}

To execute the program, a c++ terminal running software must be installed in this case minGW is used but Cygwin can as well be used. Also the path for minGW or Cygwin has to be specified well during the installation of c++ development software, netbeans or code blocks, this is important and otherwise the program will not be executed and if executes it will be with errors not to the desired requirements.

In the event of fatal errors in the compiler such as sys.h not found or the directory does not exist,

Just make that header file if it is netbeans, click on the left-most + sign at the top.

In the event or error: fatal error: no input files found, ensure all the project files are in one directory or add the files in the execute command path(for windows).

References:

Brabson, R. F. (2011). U.S. Patent No. 8,086,846. Washington, DC: U.S. Patent and Trademark Office.

Oppliger, R. (2016). SSL and TLS: Theory and Practice. Artech House.