Presented By: Atish Baul Module: CSYM020, Internet Security Course: MSc Internet Computing.

Presentation transcript:

Presented By: Atish Baul Module: CSYM020, Internet Security Course: MSc Internet Computing

Contents (slide 2)
1. Introduction
2. SSL Architecture
3. Analysis of an SSL Session
4. Applications of SSL
5. Implementation of SSL
6. Winning Features
7. References

1. Introduction: What are SSL and TLS (slide 3)
• Secure Socket Layer (SSL) and its successor Transport Layer Security (TLS) are cryptographic protocols meant for secure data transmission across the internet.
• They prevent eavesdropping, tampering and message forgery within the transport framework.
• They provide endpoint authentication and communications privacy.
• Used for web browsing, instant messaging, etc. A multitude of uses, as we shall see later.
• Used for both
  – client-to-server communication
  – server-to-server communication

1. Introduction  Typically, only the server is authenticated, client remains un-authenticated.  Sometimes both parties are authenticated. This is called "Mutual Authentication“. Manner of Usage 4

1. Introduction  Developed by Netscape as SSL 1.0 in 1996 for use with HTTP only, to secure communications between browser and client.  SSL has been endorsed by leading financial institutions (e.g. Visa, Master Card, etc) for commerce over the internet.  Still being updated and maintained by Netscape as SSL 2.0 and SSL 3.0, with endorsement from IETF and leading commercial bodies.  SSL 3.0 was used as basis for TLS 1.0 in 1999, an IETF standard protocol.  Specifications for TLS 1.1 were released in April It is a minor upgrade to TLS 1.0  SSL continues to be used alongside TLS, due to widespread support and legacy implementation. History of SSL, TLS 5

1. Introduction  SSL and TLS - Twin brothers.  Both protocols are so similar we can refer to them as one name, e.g.. SSL/TLS only.  They are similar, but they are not interchangeable.  Important difference is that TLS 1.0 applies a Keyed-Hashing for Message Authentication Code (HMAC) algorithm, whereas SSL 3.0 applies the Message Authentication Code (MAC) algorithm for authenticating messages. Pair of Twins 6

1. Introduction  SSL 1.0 has been deprecated.  SSL 2.0 (Mainly Legacy support).  SSL 3.0 (Current, being replaced by TLS for new projects).  TLS 1.0 (Current).  TLS 1.1 (Newly Introduced, not widely supported). Prevalent Versions 7

2. SSL Architecture (slide 8)

2. Architecture: SSL/TLS Protocol Stack (slide 9)
Figure: ISO Open Systems Interconnect model
• SSL runs beneath application layers, e.g. HTTP, FTP, SMTP etc.
• SSL runs above transport protocols such as TCP.

2. Architecture (slide 10)
• SSL/TLS can be used with any application based over TCP. Its applications are endless!

3. Analysis of an SSL/TLS Session (slide 11)

3. Analysis of SSL/TLS Session: Three Basic Phases (slide 12)
1. Peer negotiation for algorithm support
  • The two communicating parties negotiate a suitable cryptographic algorithm which they both support.
  • The most secure algorithm supported by both parties is chosen.
2. Public key encryption based key exchange, and certificate based authentication.
  • E.g. RSA, Diffie-Hellman, DSA, etc.
3. Symmetric cipher-based traffic encryption.
  • E.g. RC2, RC4, DES, 3DES, etc.

3. Analysis of SSL/TLS Session: Lifecycle of an SSL/TLS Session (Server-only Authentication) (slide 13)

3. Analysis of SSL/TLS Session  An SSL session is basically an exchange of records of different types.  Each record may be compressed, encrypted and signed with a Message Authentication Code (MAC).  Each record has a content_type field that specifies which protocol is being used.  Some SSL protocols and their Content_type 20 : ChangeCipherSpec 21 : Alert 22 : Handshake Protocol. 22 : Record Layer Protocol. 23 : Application protocol. Simplistic Description 14

4. Applications of SSL/TLS (slide 15)

4. Applications of SSL/TLS  Securing HTTP connections, also referred to as HTTPS.  Identified by prefix to the URL (within the address bar).  Is also indicated by padlock symbol at the status bar of a browser.  Implemented by installing an SSL certificate at the server. Secure connection over - HTTPS 16

4. Applications of SSL/TLS  SSL is not just for the web, it is a suite of cryptographic protocols meant to be used in various ways.  Thus, HTTPS is different from just SSL.  Other ways SSL is commonly implemented in Client-Server mode: – File Transfer Protocol Secure (FTPS) – SSL over Database connections to SQL Server, Oracle, etc. – Secure .  Peer-to-peer or Server-to-Server (mutual authentication ) uses: – Secure Web services – Semantic Web – Virtual Private Network – Session Initiation Protocol (SIP) applications such as Internet Telephony using VoIP. 17 Secure connection over - HTTPS

4. Applications of SSL/TLS  Default Outlook express port configuration:  Outlook express configured to use SSL (With Gmail POP3/SMTP settings): Example – SSL over POP3/SMTP 18

4. Applications of SSL/TLS (slide 19)
• SSL also has a place within the proposed Semantic Web.
• The trust architecture is based around SSL/TLS.

5. Implementation of SSL (slide 20)

5. Implementation  On the server, a Certificate Signing Request (CSR) is generated. This creates two cryptographic keys: – Public Key : used to encrypt message to the server. This is sent to the Certificate Authority (CA) and gets downloaded by browser clients. It is then used to encrypt message to server. – Private Key : Stored on server, used to decrypt secure messages encrypted using the public key.  This CSR is then submitted to a relevant CA, along with relevant legal organisational details – E.g. Thawte, Verisign, GoDaddy.  CA verifies that details provided by organisation are correct, and issues a certificate file.  This file is copied and installed on the server, and it is ready to accept secure connections. SSL certificate on Server 21

5. Implementation  SSL mechanisms need to be enabled within the web server. – E.g. Apache, Internet Information Server.  Apache web server has ‘modules’ that implement SSL: – OpenSSL – ModSSL – Apache-SSL Enabling SSL within Web Server 22

5. Implementation  A typical browser come pre-installed with a list of Certificate Authorities SSL on client (Browser) 23 Mozilla Firefox

5. Implementation  Browsers support a variety of SSL/TLS versions: Support for SSL/TLS versions 24 Mozilla Firefox

5. Implementation  Browser can download and display (when asked) complete certificate details of the server: Certificate Details 25 Mozilla Firefox displaying Gmail’s SSL Certificate

5. Implementation  The browser will connect to relevant CA and verify a number of details, and perform separate checks. It will usually issue warnings explaining the severity of discrepancies, if any: Security Checks by Client 26 Mozilla Firefox detects inconsistencies with Gmail.com’s SSL certificate.

6. Winning Features of SSL/TLS (slide 27)

6. Winning Features  Integrity – No one tampers with the contents during transport. E.g. Man-in-the-middle attacks.  Privacy – Prevent eavesdropping by encrypting messages.  Authentication – Verify remote party’s identity. – YOU ARE who you say YOU ARE.  Non-repudiation – Digital signature prove that a message was actually sent by a party. Prime Features 28

6. Winning Features  Asymmetric Public-Private key structure alleviates need for special setup for each session.  Depends on Public Key Infrastructure (PKI) implemented via Certificate Authorities (CA).  Conventions followed by manufacturers to pre-set software and appliances with globally agreed data. No setup per session or machine! 29

6. Winning Features  Uses X.509 certificate  OpenPGP certificates have been proposed for inclusion. Certificates 30

6. Winning Features  Previously limited to 40-bit symmetric keys by US govt restrictions  Now, 56-bit, 128-bit, 256-bit keys are commercially available, very easily.  2048-bit and 4096-bit keys are also supported by some products.  SSL/TLS itself does not restrict key size, but products and technologies on place have their own restrictions. Large key sizes 31

6. Winning Features  Cryptographic Algorithms can be rendered obsolete.  Extensible and upgradeable structure ensures latest and strongest cryptographic algorithms are used always.  Current supports includes – RSA, Diffie-Hellman, DSA (for Public Key cryptography). – RC2, RC4, IDEA, DES, 3DES (for Symmetric Ciphers). – MD2, MD4, MD5, SHA (One Way hash functions).  …. And more will come. Future-Proofing 32

7. References (slide 33)
• Thawte (2006). Securing your Online Data Transfer with SSL - A guide to understanding SSL Certificates [online]. Available from: [Accessed 2 April 2007].
• IETF (2006). RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1.
• Bussler, C. et al. (2002). A conceptual architecture for Semantic Web Enabled Services. Special section on semantic web and data management, pp. 24–29.
• Thawte (2006). Enrolment guide for thawte SSL Web Server Certificates and SGC Supercerts [online]. Available from: [Accessed April 2, 2007].
• Wikipedia (2007a). Transport Layer Security [online]. Available from: [Accessed April 02, 2007].
• Wikipedia (2007b). Semantic Web [online]. Available from: [Accessed Jan 2, 2007].
• Minai, A. (2007). Internet Security, MSc Internet Computing, CSYM020. University of Northampton.

Thank you! (slide 34)