SSL - PowerPoint PPT Presentation

Provided by: Harr258
Learn more at: http://www.cs.fsu.edu
Slides: 19

Transcript and Presenter's Notes


1
SSL
  • By Anthony Harris and Adam Shkoler

2
What is SSL?
  • SSL stands for Secure Sockets Layer
  • SSL is a cryptographic protocol which provides
    secure communications on the Internet for such
    things as web browsing, e-mail, Internet faxing,
    and other data transfers.
  • SSL sits on top of TCP and underneath the
    application protocol (HTTP, SMTP, and so on): the
    application hands it plaintext and it provides an
    encrypted, authenticated byte stream.

3
Who invented SSL?
  • SSL v.3.0 was created by Netscape in 1996.
  • Major corporations such as Visa and Mastercard
    have endorsed SSL for commerce over the internet.
  • SSL led to the development of TLS v.1.0, or
    Transport Layer Security, its standardized
    successor.

4
  • SSL technology relies on the concept of public
    key cryptography to accomplish its tasks. In
    symmetric encryption, two communicating parties
    share one password or key, and this is used to
    both encrypt and decrypt messages.
  • In public key cryptography, each party has two
    keys, a public key and a private key. Information
    encrypted with a person's public key can only be
    decrypted with the matching private key, and
    anything produced with the private key (a
    signature) can be checked by anyone holding the
    public key.
  • Each user publicly tells the world what his
    public key is but keeps his private key to
    himself.

5
Weak points in SSL history
  • Early implementations used 40-bit symmetric keys
    because of US government export restrictions on
    cryptography.
  • This made SSL vulnerable to brute force attacks:
    all 2^40 possible keys can be tried exhaustively.
  • The government enforced this policy on purpose,
    so law enforcement could monitor traffic while
    keeping less equipped civilians out.
  • Modern implementations use 128-bit or longer
    symmetric keys, which are beyond brute force.

6
Incorrect Uses
  • Some websites serve the login page over plain
    HTTP and only secure the form submission page
    (the page the credentials are POSTed to). The form
    itself was delivered unprotected, so an attacker
    on the path can rewrite where it submits to.
  • Securing the login page but loading non-secure
    media (scripts, stylesheets, images) over plain
    HTTP. This mixed content leaves you open to man
    in the middle attacks.
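Both mistakes above can be caught by inspecting the login page's markup before it ships. The auditor below is an added example written for this page, not code from the presentation: it walks the HTML with Python's standard-library parser, resolves each form action and sub-resource URL against the page URL, and reports an HTTPS form served from an HTTP page, a form that posts over HTTP, and HTTP sub-resources on an HTTPS page. The page URLs and the sample markup are constructed for the demo, and the split into active content (scripts, stylesheets, frames) and passive content (images, media) follows the convention browsers use.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Sub-resources that run or restyle the page (active) versus ones that are
# only displayed (passive). Browsers treat active mixed content as the
# serious case; stylesheets are handled separately below because <link>
# carries many other rel types.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}


class LoginPageAuditor(HTMLParser):
    """Walks one HTML document and records the two mistakes from slide 6."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_https = urlsplit(page_url).scheme == "https"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "form":
            # Resolve relative actions against the page URL, then look at the scheme.
            action = urljoin(self.page_url, a.get("action", ""))
            if urlsplit(action).scheme == "http":
                self.findings.append(("form-posts-over-http", action))
            elif not self.page_https:
                # HTTPS submission from a page served over HTTP: the form itself
                # was not protected, so a man in the middle can rewrite its
                # action before the user ever types a password.
                self.findings.append(("https-form-on-http-page", action))
            return
        if tag == "link" and "stylesheet" in a.get("rel", "").lower():
            pairs = {("link", "href")}      # stylesheets count as active content
        else:
            pairs = ACTIVE | PASSIVE
        for t, attr in pairs:
            if tag == t and attr in a:
                url = urljoin(self.page_url, a[attr])
                if self.page_https and urlsplit(url).scheme == "http":
                    kind = ("passive-mixed-content" if (t, attr) in PASSIVE
                            else "active-mixed-content")
                    self.findings.append((kind, url))


def audit(page_url, html):
    """Return a list of (finding, url) pairs for one page, in document order."""
    auditor = LoginPageAuditor(page_url)
    auditor.feed(html)
    return auditor.findings


# Constructed sample pages, not real bank markup.
LOGIN_OVER_HTTP = """
<form action="https://bank.example/auth" method="post">
  <input name="user"><input name="pass" type="password"><button>Log in</button>
</form>"""

LOGIN_OVER_HTTPS = """
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example/jquery.js"></script>
<script src="/js/app.js"></script>
<img src="http://bank.example/logo.png">
<form action="/auth" method="post"><input name="pass" type="password"></form>"""

if __name__ == "__main__":
    for url, page in [("http://bank.example/login", LOGIN_OVER_HTTP),
                      ("https://bank.example/login", LOGIN_OVER_HTTPS)]:
        print(url)
        for kind, target in audit(url, page):
            print("  ", kind, target)
```

The first sample is the case the slide describes: the padlock would appear on the submission page, but the form the user filled in was delivered in the clear and could have been rewritten in transit. The second sample shows why a secured login page is not enough on its own: a script pulled over HTTP runs with full access to the password field.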

7
  • Commercial websites that have dropped the ball
  • Bank of America
  • Washington Mutual
  • JPMorgan Chase & Co.
  • Paypal

8
How it works
  • A customer contacts your site and accesses a
    secured URL, a page secured by a Server ID
    (indicated by a URL that begins with "https"
    instead of just "http", or by a message from the
    browser).

9
  • Obtaining an SSL Certificate
  • XYZ Inc. intends to secure their customer
    checkout process, account management, and
    internal employee correspondence on their
    website, xyz.com.
  • Step 1   XYZ generates a key pair. The private
    key never leaves XYZ's server; the public key,
    together with XYZ's name and domain, goes into a
    Certificate Signing Request (CSR).
  • Step 2   XYZ sends the CSR to a trusted, third
    party Certificate Authority, such as XRamp. XRamp
    takes the certificate signing request and
    validates XYZ in a two step process. XRamp
    validates that XYZ has control of the domain
    xyz.com and that XYZ Inc. is an official
    organization listed in public government records.

10
Obtaining a certificate contd
  • Step 3   When the validation process is
    complete, XRamp issues XYZ a certificate: XYZ's
    public key and identity, signed with XRamp's
    private key. The certificate is signed, not
    encrypted, so anyone holding XRamp's public key
    can check that XRamp vouched for it.
  • Step 4   XYZ installs the certificate, together
    with its private key, on their webserver/s.

11
Crypto-licious!!!
  • How Customers Communicate with the Server using
    SSL
  • Step 1   A customer makes a connection to
    xyz.com on an SSL port, typically 443. This
    connection is denoted with https instead of http.
  • Step 2   xyz.com sends back its certificate,
    which carries its public key and XRamp's
    signature. Once the customer receives it, his/her
    browser decides whether it is alright to proceed:
  • the xyz.com certificate must NOT be expired
  • the xyz.com certificate must be for xyz.com only
    (the name in the certificate must match the host
    the browser connected to)
  • the client must have XRamp's root certificate
    (XRamp's public key) installed in its browser
    certificate store, so it can check XRamp's
    signature on the certificate. 99.9% of all modern
    browsers (1998) include the XRamp root
    certificate. If the customer has XRamp's trusted
    public key, then they can trust that they are
    really communicating with XYZ, Inc.

12
  • Step 3   If the customer's browser decides to
    trust the certificate, it generates a random
    secret (the premaster secret), encrypts it with
    xyz.com's public key, and sends the result to
    xyz.com.
  • Step 4   xyz.com decrypts the secret with its
    private key. Only the holder of that private key
    can do this, so a server that merely copied the
    certificate cannot read it.
  • Step 5   Both sides derive the same symmetric
    session keys from the secret and each sends a
    hash of the handshake so far (the Finished
    message) protected with those keys. This shows
    that the customer is talking to the real xyz.com
    and that nobody else knows the keys.
  • Step 6   Customer and website can now securely
    exchange information.

13
Handshake phases
14
SSL Messages
  CLIENT SIDE                              SERVER SIDE
  Offer cipher suite menu to server  ->
                                     <-    Select a cipher suite
                                     <-    Send certificate and chain to CA root
                                     <-    Send public key to encrypt symmetric key
                                     <-    Server negotiation finished
  Send encrypted symmetric key       ->
  Activate encryption                ->
  Client portion done                ->    (server checks options)
  (client checks options)            <-    Activate server encryption
                                     <-    Server portion done
  Now the parties can use symmetric encryption
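The pieces of slides 4, 9-12 and 14 fit together in one runnable model. The program below is an added example written for this page, not code from the presentation, from XRamp or from any SSL library: it uses textbook RSA over fixed, well-known Mersenne primes (no padding, toy key sizes), a JSON-encoded stand-in for an X.509 certificate, and HMAC-SHA256 as the key derivation; the "XRamp" CA, the "xyz.com" server and the timestamps are constructed for the demo. It shows a CA signing a certificate, the browser's checks (trusted issuer, valid signature, not expired, name matches), the client encrypting a premaster secret to the server's public key, and both sides deriving the same session key.

```python
import hashlib
import hmac
import json
import os

# Toy RSA from fixed, well-known Mersenne primes so the example runs without a
# prime generator. Real keys use freshly generated random primes of 1024+ bits
# each plus a padding scheme (OAEP for encryption, PSS for signatures);
# textbook RSA as below is for illustration only.
def rsa_keygen(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent: e * d == 1 mod phi(n)
    return (e, n), (d, n)              # (public key, private key)

def rsa_apply(x, key):
    """Raise x to the key's exponent mod n. Applying the public key and then
    the private key (or the other way round) returns x: the "vice versa" of
    slide 4. Public key = encrypt / verify, private key = decrypt / sign."""
    k, n = key
    if not 0 <= x < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(x, k, n)

def digest_int(data):
    """SHA-256 of data, truncated to 128 bits so it fits under the toy moduli."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def encode_tbs(tbs):
    """Canonical bytes of the to-be-signed part of a certificate."""
    return json.dumps(tbs, sort_keys=True).encode()

# CA side (slides 9-10): a certificate is the subject's public key and
# identity fields, signed (not encrypted) with the CA's private key.
def issue_certificate(ca_priv, issuer, subject, subject_pub, not_after):
    tbs = {"issuer": issuer, "subject": subject,
           "pub": list(subject_pub), "not_after": not_after}
    return {"tbs": tbs, "sig": rsa_apply(digest_int(encode_tbs(tbs)), ca_priv)}

# Browser side (slide 11): every check must pass before the certificate is
# trusted; each failure names its reason so the caller can abort loudly.
def verify_certificate(cert, hostname, trusted_roots, now):
    tbs = cert["tbs"]
    root_pub = trusted_roots.get(tbs["issuer"])
    if root_pub is None:
        return False, "issuer not in trust store"
    if rsa_apply(cert["sig"], root_pub) != digest_int(encode_tbs(tbs)):
        return False, "bad signature"
    if now > tbs["not_after"]:
        return False, "expired"
    if tbs["subject"] != hostname:
        return False, "name mismatch"
    return True, "ok"

# Key exchange (slides 12 and 14): the client picks a random premaster secret,
# encrypts it with the server's public key, and both sides derive the same
# symmetric session key from it plus the two handshake nonces.
def derive_session_key(premaster, client_random, server_random):
    return hmac.new(premaster.to_bytes(16, "big"),
                    client_random + server_random, hashlib.sha256).digest()

def handshake(server_cert, server_priv, hostname, trusted_roots, now):
    client_random, server_random = os.urandom(32), os.urandom(32)  # the hellos
    ok, reason = verify_certificate(server_cert, hostname, trusted_roots, now)
    if not ok:
        raise ValueError("handshake aborted: " + reason)
    premaster = int.from_bytes(os.urandom(16), "big")       # 128-bit client secret
    server_pub = tuple(server_cert["tbs"]["pub"])
    encrypted_premaster = rsa_apply(premaster, server_pub)  # what goes on the wire
    # Server side: only the matching private key recovers the premaster secret,
    # so an impostor who merely copied xyz.com's certificate gets no key.
    recovered = rsa_apply(encrypted_premaster, server_priv)
    return {
        "client_key": derive_session_key(premaster, client_random, server_random),
        "server_key": derive_session_key(recovered, client_random, server_random),
    }

# Constructed demo identities: "XRamp" as the CA and "xyz.com" as the server.
CA_PUB, CA_PRIV = rsa_keygen((1 << 89) - 1, (1 << 61) - 1)
SRV_PUB, SRV_PRIV = rsa_keygen((1 << 107) - 1, (1 << 127) - 1)
TRUST_STORE = {"XRamp": CA_PUB}                  # what the browser ships with
NOT_AFTER, NOW = 1_800_000_000, 1_700_000_000    # constructed Unix timestamps
XYZ_CERT = issue_certificate(CA_PRIV, "XRamp", "xyz.com", SRV_PUB, NOT_AFTER)

if __name__ == "__main__":
    keys = handshake(XYZ_CERT, SRV_PRIV, "xyz.com", TRUST_STORE, NOW)
    print("session keys match:", keys["client_key"] == keys["server_key"])
    # The failure modes of slide 11, plus a certificate with a tampered subject:
    print(verify_certificate(XYZ_CERT, "evil.example", TRUST_STORE, NOW))
    print(verify_certificate(XYZ_CERT, "xyz.com", TRUST_STORE, NOT_AFTER + 1))
    print(verify_certificate(XYZ_CERT, "xyz.com", {}, NOW))
    forged = {"tbs": dict(XYZ_CERT["tbs"], subject="evil.example"),
              "sig": XYZ_CERT["sig"]}
    print(verify_certificate(forged, "evil.example", TRUST_STORE, NOW))
```

Run it directly to see the happy path followed by four rejected certificates. The name check is the one most often skipped in home-grown clients; without it, any valid certificate for any site would be accepted for xyz.com, which is exactly the phishing case of slide 16.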
15
A scenario for SSL
  • SSL can be thought of as a conversation on the
    phone.
  • 1.) Who are you speaking with? How do you know
    you are talking to an authorized person if you've
    never talked to them before?
  • 2.) Is someone listening to your conversation?
    Wire tapping is common practice. Are you sure
    someone isn't listening in and gathering
    information about you? (e.g., bank account, phone
    number, how you secretly enjoy Celine Dion)

16
  • Two very real security issues for Internet
    correspondence arise.
  • 1.) Being sure you are connected to the right
    computer: are you really on your bank's website,
    or is it a phisher's scam website?
  • 2.) Keeping your data safe and out of malicious
    hands during transit on the Internet.

17
A world without SSL is illustrated below
18
References!!
  • http://www.xramp.com/resources/how-ssl-works
  • http://www.wikipedia.org
  • http://www.ibm.com