Secure Socket Layer - PowerPoint PPT Presentation

1 / 13
About This Presentation
Title:

Secure Socket Layer

Description:

How does this impact web apps. No changes should be necessary, just include the https URL ... login page is https, then a man-in-the-middle cant read and spoof ... – PowerPoint PPT presentation

Number of Views:70
Avg rating:3.0/5.0
Slides: 14
Provided by: markc195
Category:
Tags: layer | secure | socket

less

Transcript and Presenter's Notes

Title: Secure Socket Layer


1
Secure Socket Layer
  • SSL and TLS

2
SSL Protocol
  • Peer negotiation for algorithm support
  • Public key encryption -based key exchange and
    certificate-based authentication
  • Symmetric cipher -based traffic encryption

3
TLS,SSL,HTTPS
Transport Layer Security, Secure Socket Layer
4
SSL
  • Each browser is configured with a root CA
  • https connects to a different port (443 instead
    of 80)
  • When a session is initiated, server and client
    agree on security capabilities. (most clients
    are 40 bit encryption, but 128 bit encryption is
    available on many strong servers
  • The server is authenticated by the certificate
    authority
  • Using the server public key from the CA, the
    client sends a DES key to the server
  • The DES key is used to encrypt the session

5
How it Works
  • The client sends and receives several handshake
    structures
  • It sends a ClientHello message specifying the
    list of cipher suites, compression methods and
    the highest protocol version it supports. It also
    sends random bytes which will be used later
  • Then it receives a ServerHello, in which the
    server chooses the connection parameters from the
    choices offered by the client earlier.
  • When the connection parameters are known, the
    client and server exchange certificates
    (depending on the selected public key cipher).
    These certificates are currently X.509, but there
    is also a draft specifying the use of OpenPGP
    based certificates.
  • The server can request a certificate from the
    client, so that the connection can be mutually
    authenticated.
  • The client and server negotiate a common secret
    called the "master secret", possibly using the
    result of a Diffie-Hellman exchange, or simply
    encrypting a secret with a public key that is
    decrypted with the peer's private key. All other
    key data is derived from this "master secret"
    (and the client- and server-generated random
    values), which is passed through a carefully
    designed "pseudorandom function".

6
Certificates
CA
Certified Entity
Register with CA, send client Public Key
Albert Levi
Albert Levi
CA-Publickey and Certificate with RSA(client
Public Key,CA-privatekey)
Certificate
Verifier Decrypt senders public key using
CA-publickey
Albert Levi
7
Hierarchical PKI Example
RSA(UserPubK,CAPriK) RSA(CAPubK.UCAPriK) RSA(UCAPu
bK,RootCAPriK)
8
How does this impact web apps
  • No changes should be necessary, just include the
    https URL
  • You will have to set up your server to perform
    the handshake, but it probably already has the
    capabilities
  • Performance will suffer, the initial handshake is
    expensive
  • Web servers must have a certificate for each IP
    address they serve

9
Common Mistakes
  • Put the login form on an unencrypted http page,
    but send the data to a https cgi script
  • A man in the middle can spoof the page, then
    replace the https URL with a server he controls
  • The user will have no UI clues that would allow
    him to know that the submit button goes to a
    secure site
  • If the login page is https, then a
    man-in-the-middle cant read and spoof the form as
    easily

10
Common Mistakes
  • Mixing secure and insecure data
  • The users learn to ignore the this form contains
    secure and insecure data very quickly
  • The user has no way of knowing which parts are
    being sent securely

11
Another Encryption ExamplePrivacy Enhanced Mail
(PEM)
12
PEM message integrity and authentication
mE(MD5(m),privatesender)
13
PEM Certificates
Write a Comment
User Comments (0)
About PowerShow.com