CS 090.3 – E-commerce Technologies – Lecture 07 HTTPS
Security Primer
All concepts related to security are discussed at a high level. For actual implementation, consult RFC 2818: HTTP Over TLS.
Problems with HTTP
[Diagram: End User, Web Server]
Steal Data
[Diagram: End User, Web Server]
Redirect / Spoof Websites
Using "HTTP", any middle-man between you and the website can serve you ANY content they want:
- Your home router (possibly compromised)
- Your ISP
- Your local government
Upside-down-ternet: www.ex-parrot.com/pete/upside-down-ternet.html
Impersonate Website
[Diagram: End User, Web Server]
Impersonate Users
[Diagram: End User, Web Server]
Solution: HTTPS
HTTP over SSL (before 1999) / HTTP over Transport Layer Security (after 1999)
HTTPS = HTTP + TLS
TLS (Transport Layer Security): the name was changed from SSL to avoid any legal issues with Netscape, so that the protocol could be open and free.
HTTPS Overview
- Certificate validation
- Public key encryption of a symmetric key (slow)
- Symmetric key encryption of messages (fast)
Key Exchange Algorithm
Key Exchange Algorithm
The above video explains a key exchange algorithm called Diffie–Hellman key exchange (D-H). HTTPS uses another key exchange algorithm called Rivest-Shamir-Adleman (RSA), mainly because RSA is more widely supported.
- D-H uses the discrete logarithm problem in its encryption.
- RSA uses the integer factorization problem in its encryption.
Public Key Encryption
- Public key: used ONLY to encrypt
- Private key: used ONLY to decrypt
Symmetric Key Encryption
One key for both encryption and decryption. Symmetric key encryption is used when you have already established keys beforehand. It is orders of magnitude faster than public key encryption.
Limited in scope.
To get the best of both technologies, HTTPS uses public key encryption to agree on a symmetric key. The symmetric key is then used to encrypt all further communications.
Encryption (Two types)
Public Key (Lock + Key)
- Anyone with the public key (lock) can ONLY encrypt messages.
- Anyone with the private key (key) can ONLY decrypt messages.
- You share your public key so anyone can send you secrets.
- Examples: D-H, RSA
Symmetric (Key)
- Anyone with the key can encrypt and decrypt messages.
- They can also duplicate the key.
- Examples: AES, 3DES
Man In the Middle Attacks
Problem: The person in the middle is not just listening in on our communications like Eve; they can actively participate.
Not just an insecure channel: it is a hostile channel.
[Diagram: End User, google.com. Message: "Hi, I am google.com. Let's exchange keys."]
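Added example (not part of the original lecture): a toy Diffie–Hellman exchange showing why a key exchange without certificates fails on a hostile channel. The parameters P and G, the function names and the middle-man "Mallory" are assumptions made for this illustration.

```python
import hashlib
import secrets

# Constructed toy parameters: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private exponent x, public value G^x mod P)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def shared_key(my_private, their_public):
    """Derive a symmetric key from the D-H shared secret."""
    secret = pow(their_public, my_private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def honest_exchange():
    """Nobody tampers: both sides derive the same symmetric key."""
    u_priv, u_pub = keypair()          # end user
    s_priv, s_pub = keypair()          # server
    return shared_key(u_priv, s_pub), shared_key(s_priv, u_pub)

def intercepted_exchange():
    """Mallory replaces each public value in transit with her own."""
    u_priv, u_pub = keypair()          # end user
    s_priv, s_pub = keypair()          # server
    m_priv, m_pub = keypair()          # middle-man
    # Each endpoint receives m_pub and has no way to tell whose value it is.
    user_key = shared_key(u_priv, m_pub)
    server_key = shared_key(s_priv, m_pub)
    # Mallory holds one key per side and can decrypt, read and re-encrypt.
    mallory_user = shared_key(m_priv, u_pub)
    mallory_server = shared_key(m_priv, s_pub)
    return user_key, server_key, mallory_user, mallory_server

if __name__ == "__main__":
    a, b = honest_exchange()
    print("honest keys match:", a == b)
    u, s, mu, ms = intercepted_exchange()
    print("endpoints share a key:", u == s)
    print("middle-man holds both keys:", u == mu and s == ms)
```

The exchange itself carries no identity, which is the gap the certificate slides that follow are closing: the public value has to be vouched for by someone the end user already trusts.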
Certificate Authority (CA)
On your computer is a set of certificates that were installed at the same time as the OS. These are called Root Certificates; your operating system trusts these providers.
Digital Certificate/Signature
Certificates and Signatures work as reversed lock+key encryption.
- Signatures are private (encrypt).
- Certificates are public (decrypt).
Anyone can read the contents of a certificate, but only a person with the private key can write a message. Signatures prevent impersonation.
Certificate Authority can be trusted
[Diagram: End User, verisign.com. Messages: "verisign.com using TLS please"; "Hi, I am verisign. Here's my public key so you can send me encrypted messages. –versign.com"]
Image Credits:
Certificate - Sarah Abraham https://thenounproject.com/term/certificate/100644/ CC 3.0 License: http://creativecommons.org/licenses/by/3.0/us/
Key – MisterMatt~commonswiki https://commons.wikimedia.org/wiki/File:Key-crypto-sideways.png CC BY-SA 3.0: https://creativecommons.org/licenses/by-sa/3.0/deed.en
Signatures Prevent Impersonation
[Diagram: End User, verisign.com. Messages: "verisign.com using TLS please"; "Hi, I am verisign. Here's my public key so you can send me encrypted messages. –versign.com"]
CAs can vouch for other servers
[Diagram: End User, google.com, [CA]. Messages: "google.com using TLS please"; "Hi, I am google.com. Here's my public key so you can send me encrypted messages. It is signed by [CA]. –google.com"]
How did the public key get signed?
To validate ownership of google.com:
1. Put this message "2336" on google.com/2403.
2. Send a copy of your signed public key, and
3. Sign this message "7e50cs0".
[Diagram labels: "Can you vouch for me?", google.com, [CA], "Checks google.com/2403", "7e50cs0"]
Servers can vouch recursively
[Diagram: End User, ?????.com, [CA]. Messages: "?????.com using TLS please"; "Hi, I am ?????.com. Here's my public key. It is signed by [CA3]. [CA2] has signed for [CA3]. [CA] has signed for [CA2]. I've also included certificates from [CA3] and [CA2]."]
Signed Public Keys are TLS Certificates
A TLS Certificate and a signed public key contain the same information.
[Diagram labels: CA signature, server, CA's public key, expiration, public key for website, certificate authority]
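Added example (not part of the original lecture): how an end user can check the recursive vouching and the certificate fields described on the two slides above. It uses a toy certificate format and textbook RSA with no padding; the field names, the names "Root CA", "CA2" and "example.test", and all keys are constructed for illustration, with one intermediate CA instead of two.

```python
import hashlib
from datetime import date

E = 65537  # public exponent used by every toy key below

def make_key(p, q):
    """Textbook RSA from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(cert, n):
    """Hash every field except the signature, reduced mod n (toy scheme, no padding)."""
    body = "|".join(str(cert[f]) for f in ("subject", "public_key", "expires", "issuer"))
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def issue(subject, subject_n, expires, issuer, issuer_n, issuer_d):
    """The issuer signs the subject's public key with its private exponent."""
    cert = {"subject": subject, "public_key": subject_n,
            "expires": expires, "issuer": issuer}
    cert["signature"] = pow(digest(cert, issuer_n), issuer_d, issuer_n)
    return cert

def validate_chain(chain, trusted_roots, hostname, today):
    """chain[0] is the website; each later certificate vouches for the one before."""
    if chain[0]["subject"] != hostname:
        return "hostname mismatch"
    for i, cert in enumerate(chain):
        if cert["expires"] < today:
            return f"expired: {cert['subject']}"
        if i + 1 < len(chain):   # issuer's key comes from the next certificate
            issuer, issuer_n = chain[i + 1]["subject"], chain[i + 1]["public_key"]
        else:                    # end of chain: issuer must be a root we already hold
            issuer, issuer_n = cert["issuer"], trusted_roots.get(cert["issuer"])
        if issuer_n is None or cert["issuer"] != issuer:
            return f"untrusted issuer: {cert['issuer']}"
        if pow(cert["signature"], E, issuer_n) != digest(cert, issuer_n):
            return f"bad signature on {cert['subject']}"
    return "ok"

# Constructed sample data: Mersenne-prime keys, far too small for real use.
ROOT_N, ROOT_D = make_key(2**89 - 1, 2**107 - 1)
CA2_N, CA2_D = make_key(2**61 - 1, 2**127 - 1)
SITE_N = (2**521 - 1) * (2**607 - 1)
TRUSTED = {"Root CA": ROOT_N}
CHAIN = [issue("example.test", SITE_N, date(2030, 1, 1), "CA2", CA2_N, CA2_D),
         issue("CA2", CA2_N, date(2030, 1, 1), "Root CA", ROOT_N, ROOT_D)]

if __name__ == "__main__":
    print(validate_chain(CHAIN, TRUSTED, "example.test", date(2025, 1, 1)))
```

Only the root's public key is held in advance, matching the Root Certificates installed with the OS; every other key is accepted only because a signature chains back to it.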
Revisit the first example
[Diagram: End User, verisign.com. Message: "verisign.com using TLS please"]
Extended Validation Certificate
Most websites that implement SSL look like this.
Some websites may pay extra money annually to Certificate Authorities to get Extended Validation. This involves having the CA verify annually that your legal entity exists.
You get a cool upgrade on the address bar, though.
TLS Resources
- SSL Diagram: https://github.com/ychaouche/SSL-diagram
- The First Few Milliseconds of an HTTPS Connection: http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
- TLS 1.2 RFC: https://tools.ietf.org/html/rfc5246
- HTTPS RFC: https://tools.ietf.org/html/rfc2818
Let's Encrypt
Let's Encrypt is a certificate authority, launched in 2016, that provides free certificates for TLS.
Extra Notes
SSH (Secure Shell) does not use TLS; it uses its own technology under the hood.