Crash course on SSL/TLS Ran Canetti December 2009 ( Based on slided by Jörg Schwenk)

Slides:

Advertisements

Similar presentations

ISA 662 SSL Prof. Ravi Sandhu. 2 © Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later.

Advertisements

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.5 Transport Layer Security.

Web security: SSL and TLS

CP3397 ECommerce.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

Cryptography and Network Security

Secure Socket Layer.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

Transport Layer Security (TLS) Bill Burr November 2, 2001.

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Web Security (SSL / TLS)

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 8, 2013.

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.

0 SSL3.0 / TLS1.0 Secure Communication over Insecure Line.

CS682- Session 10 Prof. Katz. Well-Known Attacks By far the most common security vulnerabilities Attacks that Script-Kiddies are capable of performing.

Chapter 8 Web Security.

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez SSL/TLS: An Introduction.

Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.

Transport-level and Web Security (SSL / TLS, SSH)

SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

Secure Socket Layer (SSL)

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Introduction to Secure Sockets Layer (SSL) Protocol Based on:

Cryptography and Network Security (CS435) Part Fourteen (Web Security)

Cryptography and Network Security (SSL)

December 2008Prof. Reuven Aviv, SSL1 Web Security with SSL Network Security Prof. Reuven Aviv King Mongkut’s University of Technology Faculty of information.

Tunneling and Securing TCP Services Nathan Green.

SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.

Cryptography and Network Security Chapter 16 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Network and Internet Security Prepared by Dr. Lamiaa Elshenawy

A Cross-Protocol Attack on the TLSProtocol Nikos Mavrogiannopoulos, Frederik Vercauteren, VesselinVelichkov, Bart Preneel. Presented by: Nitin Subramanian.

1 SSL/TLS. 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

Encryption protocols Monil Adhikari. What is SSL / TLS? Transport Layer Security protocol, ver 1.0 De facto standard for Internet security “The primary.

SSL(HandShake) Protocol By J.STEPHY GRAFF IIM.SC(C.S)

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

8-1 CSE 4707/5850 Network Security (2) SSL/TLS. 8-2 Think about Google or YouTube  Desired properties  Indeed the other side is Google or YouTube server.

@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.

Cryptography CSS 329 Lecture 13:SSL.

Page 1 of 17 M. Ufuk Caglayan, CmpE 476 Spring 2000, SSL and SET Notes, March 29, 2000 CmpE 476 Spring 2000 Notes on SSL and SET Dr. M. Ufuk Caglayan Department.

Network security Presentation AFZAAL AHMAD ABDUL RAZAQ AHMAD SHAKIR MUHAMMD ADNAN WEB SECURITY, THREADS & SSL.

Executive Director and Endowed Chair

CSCE 715: Network Systems Security

Visit for more Learning Resources

Originally by Yu Yang and Lilly Wang Modified by T. A. Yang

CSE 4095 Transport Layer Security TLS, Part II

CSE 4095 Transport Layer Security TLS

CSE 4095 TLS Attacks Continued

CS 465 TLS Last Updated: Oct 31, 2017.

Cryptography and Network Security

SSL (Secure Socket Layer)

Security at the Transport Layer: SSL and TLS

TLS and DLP Behind the green lock.

SSL Protocol Figures used in the presentation

The Secure Sockets Layer (SSL) Protocol

Transport Layer Security (TLS)

TLS Encryption and Decryption

Presentation transcript:

Crash course on SSL/TLS Ran Canetti December 2009 ( Based on slided by Jörg Schwenk)

SSL De facto Standard for client-server security IETF RFC: The TLS Protocol Version 1.0 (RFC 2246) All commodity browsers support SSL Open implementations (e.g. SSLRef, SSLPlus, SSLava, SSLeay, openSSL, modSSL)

SSL/TLS Framework HTTP(S) TCP Hand- shake Change Cipher Applica tion Alert Record Layer Key Exchange Data Enc/Auth

SSL/TLS Record Layer HTTP-Data Lengthhttp3.1 Lengthhttp3.1 Lengthhttp3.1Padd.MACP. Length Fragmentation Compression Encryption

SSL/TLS: Handshake bank. com bank. com

Protocol Specification

SSL/TLS: ciphersuites Key Exchange- Algorithm Certificate Type ServerKey- Exchange ClientKey- Exchange Description RSARSA Encryption NoEncrypted premaster secret Client encrypts premaster secret with server's public key RSAExport (>512 Bit) RSA SigningYes (ephemeral RSAKey 512 Bit) Encrypted premaster secret Client encrypts premaster secret with server's ephemeral public key DHE-DSSDSS SigningYes (g s mod p) g c mod pDiffie-Hellman key exchange, Server signs (g s mod p) with DSS- signature.

SSL/TLS: ciphersuites Key Exchange Algorithm. Certificate Typ ServerKey- Exchange ClientKey- Exchange Description DHE-RSARSA SigningYes (g s mod p) g c mod pDiffie-Hellman Key exchange, Server signs (g s mod p) with RSA signature DH-DSSsigned DH, using DSS signature No (g s mod p in server certificate) g c mod pDiffie-Hellman key exchange with server's static DH exponent DH-RSAsigned DH, using RSA signature No (g s mod p in server certificate) g c mod pDiffie-Hellman key exchange with server's static DH exponent

TLS Renegotiation The spec allows a party (either I or R) to initiate a change cipher procedure by sending a special message, authenticated under the current session key. As a result, a new key is negotiated from scratch. There is no binding between the old and new keys – these are two independent sessions. Still the two sessions appear for applications as the same stream. Consequently, it is possible to attack the protocol:

TLS Renegotiation attack Client Attacker Server

TLS Renegotiation attack Client Attacker Server There is much work currently done at the IETF on how to fix the protocol. This is a great example for the importance of modeling and proof in practical crypto.