SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

Outline
Server-side certificates
The SSL protocol
–Algorithm selection
–Certificate exchange
–Key generation
SSL data transmission
–Encryption and information integrity
Initiating secure sessions

Web Security Problems
Encryption of sensitive data sent between client and server
Authentication of server
–How does the client know who it is dealing with?
Information integrity
–How do we know a third party has not altered data en route?
[Figure: Alice thinks she is at Bob's web site, but Darth is spoofing it and changes the address information so the item is shipped to Darth]

Certificates
Web sites that deal in ecommerce must have certificates for authentication
–Installed at server
–Transmitted to client for authentication
–Validated by browser using the CA's public key (the browser checks the CA's signature on the certificate)
[Figure: client browser requests a secure session; the web server (web container: JSP, ASP) returns its certificate, which was signed by the CA]

Certificates
CA public keys (root certificates) are shipped with the browser's trust store
–Certificates of intermediate CAs are obtained through the public key infrastructure as needed, normally from the chain the server sends
–A certificate whose chain does not end at a trusted root is rejected, or the user is warned

Secure Socket Layer Protocol
Latest upgrade: Transport Layer Security (TLS), the IETF standard that succeeded SSL
Same structure as SSL, with a stronger key derivation function and a standard HMAC
SSL 2.0 and 3.0 are deprecated (RFC 6176, RFC 7568); the phases below describe the SSL 3.0 / TLS 1.2 full handshake, which TLS 1.3 (RFC 8446) reorganizes

SSL Protocol: Phase 1 Phase 1: Information exchange Problem: Large number of encryption algorithms in use –How do client and server agree on which to use? –How does client tell server which ones it supports?

SSL Protocol: Phase 1
Client passes its supported algorithms to the server in the ClientHello message, sent before any HTTP request on the connection
–Public key (key exchange and signature) algorithms
–Symmetric (private key) encryption algorithms
–Hash (MAC) algorithms; SSL/TLS bundles these three as named cipher suites, listed in the client's order of preference
–Compression methods
–Also a 32-byte random value (the "client random") used later for key generation
Server replies with the ServerHello naming the cipher suite and compression method that will be used
–Also passes its own random value (the "server random")
–The server should pick by its own preference order rather than the client's, and must abort (handshake failure) if nothing acceptable was offered
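The Phase 1 exchange above, as an added example that is not part of the original slides: the client encodes a TLS 1.2 ClientHello (record header, handshake header, version, random, session ID, cipher suites, compression methods; extensions are left out), the server parses it and selects a suite by its own preference list. The client random and the offered suites are constructed sample values; the cipher-suite code points are the registered ones from RFC 5246 and RFC 5289.

```python
import struct

# Cipher-suite code points from RFC 5246 and RFC 5289 (IANA registry values).
SUITE_NAMES = {
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
TLS12 = 0x0303


def build_client_hello(client_random, suites, compression=(0,), session_id=b""):
    """Encode a TLS 1.2 ClientHello (no extensions) inside one handshake record."""
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    body = struct.pack("!H", TLS12) + client_random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compression)]) + bytes(compression)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: content type, record-layer version (3.1 is common here), length.
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Decode the Phase 1 fields the server needs: version, random, suites, compression."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    client_random = body[2:34]
    sid_len = body[34]
    session_id = body[35:35 + sid_len]
    pos = 35 + sid_len
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
    pos += n
    compression = list(body[pos + 1:pos + 1 + body[pos]])
    return {"version": version, "client_random": client_random, "session_id": session_id,
            "cipher_suites": suites, "compression": compression}


def choose_suite(offered, server_preference):
    """Server-side selection: first suite in the server's own order that the client offered."""
    for s in server_preference:
        if s in offered:
            return s
    return None  # nothing acceptable: the server must abort with handshake_failure


# Constructed sample: a client that offers a NULL-encryption suite first, and a
# server whose preference list leaves that suite out.
CLIENT_RANDOM = bytes(range(32))          # a real client uses 4 bytes of time + 28 CSPRNG bytes
CLIENT_OFFER = [0x0002, 0x002F, 0xC02F]
SERVER_PREFERENCE = [0xC02F, 0x0033, 0x002F, 0x0035]


def negotiate(client_offer=CLIENT_OFFER, server_preference=SERVER_PREFERENCE):
    """Run Phase 1 end to end: client builds the hello, server parses it and picks a suite."""
    record = build_client_hello(CLIENT_RANDOM, client_offer)
    hello = parse_client_hello(record)
    return hello, choose_suite(hello["cipher_suites"], server_preference)


if __name__ == "__main__":
    hello, chosen = negotiate()
    print("client offered:", [SUITE_NAMES.get(s, hex(s)) for s in hello["cipher_suites"]])
    print("server chose:  ", SUITE_NAMES.get(chosen, chosen))
    print("NULL-only offer ->", negotiate([0x0002])[1])
```

Selecting by the server's list, not the client's, is what keeps a client that lists a weak suite first from getting it when the server also supports something better; a client that offers only unacceptable suites gets no suite at all rather than a silent downgrade.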

SSL Protocol: Phase 2
Phase 2: Server Authentication and Key Exchange
Server passes its certificate to the client
–Client uses the issuer's (CA's) public key to verify the signature on the certificate
–Client retrieves the server's public key from the certificate
–Server may pass a chain of certificates (server certificate, then intermediates) leading to a root the client already trusts
–Client must also check that the certificate's name matches the host it meant to reach and that the certificate is neither expired nor revoked

SSL Protocol: Phase 2
If the certificate does not carry a key the client can use for key exchange, a separate ServerKeyExchange message is needed
–Certificate contains an RSA public key and RSA key transport is negotiated: no separate key is passed; the client will encrypt the pre-master secret to that key
–Diffie-Hellman key exchange negotiated: the server passes its DH parameters (prime, generator, public value) in ServerKeyExchange; with an ephemeral DH suite these are signed with the certificate's key, while anonymous DH (no certificate at all) leaves the server unauthenticated and open to a man-in-the-middle

SSL Protocol: Phase 2
Server can also request a client certificate (CertificateRequest message) to authenticate the client
–Online banking
–Remote access to a company database

SSL Protocol: Phase 3
Phase 3: Client Authentication and Key Exchange
Client sends its certificate if the server requested one, followed by a CertificateVerify message: a signature over the handshake messages so far, proving it holds the matching private key
Client sends its key exchange message (ClientKeyExchange): the pre-master secret encrypted to the server's RSA key, or its own Diffie-Hellman public value

SSL Key Generation
Client generates a 48-byte "pre-master secret" (the slides call it the pre-master key)
–With RSA key exchange, sends it to the server encrypted with the server's public key; with Diffie-Hellman, both sides compute it from the exchanged values instead
Client and server use it to generate the 48-byte master secret, from which the cipher keys are derived
–Also use the client and server random numbers exchanged in phase 1, so the keys differ for every handshake even if a pre-master secret were ever reused

SSL Key Generation
Key material (the key block) derived from the master secret and both random numbers is split into:
–Keys for encryption and authentication (MAC), one of each per direction (client write, server write)
–IVs for cipher block chaining

Phase 4: Final Handshake
Client and server each send ChangeCipherSpec, then switch to the negotiated algorithms and keys
Sender's "finished" message carries a value computed from the master secret and a hash of every handshake message so far; it is the first message protected by the new keys (it is a keyed hash, not a signature)
Receiver decrypts and verifies the message to confirm that both sides hold the same keys and that nothing in the handshake was altered in transit (a tampered cipher-suite list, for example, changes the hash)
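The key generation of the three preceding slides and the Finished check of this one, as an added example that is not part of the original slides. It implements the TLS 1.2 derivation from RFC 5246 (PRF built on HMAC-SHA256, master secret, key block split into the six write parameters, 12-byte Finished verify_data) with the standard library only. The pre-master secret, both randoms and the handshake transcript are constructed sample values; the transcript is a placeholder byte string standing in for the concatenated handshake messages.

```python
import hashlib
import hmac


def p_hash(secret, seed, length):
    """P_SHA256 from RFC 5246 section 5: HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length)


def derive_master_secret(pre_master, client_random, server_random):
    """48-byte master secret (RFC 5246 section 8.1)."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_key_block(master, client_random, server_random, mac_len, key_len, iv_len):
    """Split the key block into the six write parameters (RFC 5246 section 6.3).
    The seed order is server_random || client_random here, the reverse of the master secret."""
    layout = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    material = prf(master, b"key expansion", server_random + client_random, sum(n for _, n in layout))
    keys, pos = {}, 0
    for name, n in layout:
        keys[name] = material[pos:pos + n]
        pos += n
    return keys


def finished_verify_data(master, handshake_transcript, is_client):
    """12-byte verify_data carried in the Finished message (RFC 5246 section 7.4.9)."""
    label = b"client finished" if is_client else b"server finished"
    return prf(master, label, hashlib.sha256(handshake_transcript).digest(), 12)


# Constructed sample values; a real client draws the 46 random bytes from a CSPRNG.
PRE_MASTER = b"\x03\x03" + bytes(range(46))      # RSA key exchange: client_version || 46 random bytes
CLIENT_RANDOM = bytes([0x11] * 32)
SERVER_RANDOM = bytes([0x22] * 32)
TRANSCRIPT = b"ClientHello...ServerHello...Certificate...ClientKeyExchange"  # placeholder for the handshake messages


def full_derivation(pre_master=PRE_MASTER, client_random=CLIENT_RANDOM,
                    server_random=SERVER_RANDOM, transcript=TRANSCRIPT):
    """Phases 3 and 4 on the client: master secret, AES-128-CBC-SHA key block, client Finished."""
    master = derive_master_secret(pre_master, client_random, server_random)
    keys = derive_key_block(master, client_random, server_random, mac_len=20, key_len=16, iv_len=16)
    verify = finished_verify_data(master, transcript, is_client=True)
    return master, keys, verify


def server_checks_finished(verify_data, transcript_seen, pre_master=PRE_MASTER,
                           client_random=CLIENT_RANDOM, server_random=SERVER_RANDOM):
    """Server recomputes the client's verify_data from its own view of the transcript."""
    master = derive_master_secret(pre_master, client_random, server_random)
    expected = finished_verify_data(master, transcript_seen, is_client=True)
    return hmac.compare_digest(verify_data, expected)


if __name__ == "__main__":
    master, keys, verify = full_derivation()
    print("master secret:", master.hex())
    for name, k in keys.items():
        print(f"{name:22s} {k.hex()}")
    print("client Finished verify_data:", verify.hex())
    print("server accepts:", server_checks_finished(verify, TRANSCRIPT))
    print("server accepts altered transcript:",
          server_checks_finished(verify, TRANSCRIPT.replace(b"Certificate", b"Certifikate")))
```

Because both randoms enter the derivation, two handshakes with the same pre-master secret still produce different key blocks, and because the Finished value covers the whole transcript, a man-in-the-middle who edits the ClientHello's cipher-suite list makes the two sides' verify_data disagree.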

SSL Data Transmission
Message broken into fragments of at most 2^14 bytes
Fragment compressed, if a compression method was negotiated (in practice compression is left off because it leaks plaintext, as the CRIME attack showed, and TLS 1.3 removes it)
Compressed fragment hashed with the authentication (MAC) key, together with a per-connection sequence number and the header fields, to get the MAC (message integrity and replay protection)
Compressed fragment + MAC encrypted with the cipher key
Record protocol header with type/version/length information + encrypted block sent

SSL Data Transmission
SSL 3.0 MAC algorithm is a modified HMAC
–Two-stage hash with the secret MAC key inserted at each stage
–Values similar to ipad and opad also inserted (concatenated with the key rather than XORed into it)
TLS replaces this with standard HMAC (RFC 2104) keyed with the MAC write key
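The record-layer steps of the two preceding slides, as an added example that is not part of the original slides: fragment, optionally compress, compute the TLS 1.2 record MAC (RFC 5246 section 6.2.3.1: HMAC over the implicit 64-bit sequence number, type, version, length and fragment), prepend the header, and on the receiving side verify under the receiver's own sequence number so that a replayed or reordered record fails. Two assumptions: the cipher is the NULL cipher of TLS_RSA_WITH_NULL_SHA, so the "encrypt" step leaves the fragment + MAC in the clear (the standard library has no AES; a real suite encrypts the body with the write key at the marked spot), and DEFLATE compression is shown as a stateless per-record zlib call, a simplification of RFC 3749. The MAC key and the two HTTP messages are constructed sample data.

```python
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14     # RFC 5246 section 6.2.1: plaintext fragment limit
VERSION = b"\x03\x03"      # TLS 1.2 record version
APPLICATION_DATA = 0x17
MAC_LEN = 20               # HMAC-SHA1, as in the *_SHA cipher suites


def record_mac(mac_key, seq_num, content_type, fragment):
    """HMAC(MAC_write_key, seq_num || type || version || length || fragment).
    The 64-bit sequence number is never transmitted; each side counts records itself."""
    header = struct.pack("!Q", seq_num) + bytes([content_type]) + VERSION + struct.pack("!H", len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


class RecordSender:
    def __init__(self, mac_key, compress=False):
        self.mac_key, self.compress, self.seq_num = mac_key, compress, 0

    def send(self, data, content_type=APPLICATION_DATA):
        """Fragment -> compress -> MAC -> (encrypt) -> header; one record per fragment."""
        records = []
        for i in range(0, len(data), MAX_FRAGMENT):
            fragment = data[i:i + MAX_FRAGMENT]
            if self.compress:                       # DEFLATE method, stateless per record here
                fragment = zlib.compress(fragment)
            mac = record_mac(self.mac_key, self.seq_num, content_type, fragment)
            body = fragment + mac                   # NULL cipher: a real suite encrypts body here
            records.append(bytes([content_type]) + VERSION + struct.pack("!H", len(body)) + body)
            self.seq_num += 1
        return records


class RecordReceiver:
    def __init__(self, mac_key, compress=False):
        self.mac_key, self.compress, self.seq_num = mac_key, compress, 0

    def receive(self, record):
        """Check the MAC under the receiver's own sequence number, then decompress."""
        content_type = record[0]
        length = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + length]                 # a real suite decrypts body first
        fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        expected = record_mac(self.mac_key, self.seq_num, content_type, fragment)
        if not hmac.compare_digest(mac, expected):  # altered, replayed or reordered record
            raise ValueError("bad_record_mac")
        self.seq_num += 1
        return zlib.decompress(fragment) if self.compress else fragment


# Constructed sample traffic; the MAC key would come from the handshake's key block.
MAC_KEY = bytes(range(20))
MESSAGES = [b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\ncard=4111...",
            b"POST /address HTTP/1.1\r\nHost: shop.example\r\n\r\nship_to=Alice"]


def run_session(tamper=False):
    """Send both messages, then replay the first; return what was accepted and whether the replay failed."""
    sender, receiver = RecordSender(MAC_KEY), RecordReceiver(MAC_KEY)
    wire = [rec for m in MESSAGES for rec in sender.send(m)]
    if tamper:                                      # flip one byte of the first fragment in transit
        wire[0] = wire[0][:5] + bytes([wire[0][5] ^ 0x01]) + wire[0][6:]
    accepted = [receiver.receive(rec) for rec in wire]
    replay_rejected = False
    try:
        receiver.receive(wire[0])                   # attacker resends record 0; receiver expects seq 2
    except ValueError:
        replay_rejected = True
    return accepted, replay_rejected


if __name__ == "__main__":
    accepted, replay_rejected = run_session()
    print("accepted:", accepted)
    print("replay rejected:", replay_rejected)
```

Including the sequence number in the MAC input is what turns a per-record integrity check into protection against replay and reordering: the same bytes resent later verify against a different expected sequence number and are discarded as bad_record_mac.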

Sessions and SSL
Connection: a single transport link (one TCP connection) between client and server
Session: an association created by the handshake, defining the cipher suite and master secret, that can be shared by several connections
–Example: ecommerce payment session: credit card, address, etc.
Can reuse the same master secret for all connections in the session: a resumed connection presents the session ID, skips the certificate exchange and public key operations, and derives fresh cipher keys from the master secret and new random numbers
–Much more efficient than rerunning the full SSL handshake on each connection

Https Protocol
When started, the browser requests a secure session from the server
–Uses a separate port: 443 by default, instead of 80 for plain http
Invokes the SSL protocol before any HTTP request is sent; the HTTP messages then travel as SSL application data

Https Protocol
Https protocol is more expensive than http (the public key operations of the handshake), which is why older practice used it only when necessary
–Once done with the secure transactions, sites would go back to the non-secure channel (return to the non-secure port)
–Caveat: doing so exposes the session cookie that the secure part of the session set, so an attacker on the path can hijack the session; current practice keeps the whole site on https and relies on session resumption to keep the cost down