December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.

Slides:



Advertisements
Similar presentations
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.5 Transport Layer Security.
Advertisements

Web security: SSL and TLS
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS CIS 5357 Network Security.
Lecture 6: Web security: SSL
TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security
Secure Socket Layer.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Web Security (SSL / TLS)
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Cryptography and Network Security Chapter 17
0 SSL3.0 / TLS1.0 Secure Communication over Insecure Line.
Chapter 8 Web Security.
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.
Secure Socket Layer (SSL)
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Network Security Essentials Chapter 5
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Web Security : Secure Socket Layer Secure Electronic Transaction.
December 2008Prof. Reuven Aviv, SSL1 Web Security with SSL Network Security Prof. Reuven Aviv King Mongkut’s University of Technology Faculty of information.
SSL (TLS) Part 2 Generating the Premaster and Master Secrets + Encryption.
SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
1 SSL/TLS. 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Cryptography CSS 329 Lecture 13:SSL.
Page 1 of 17 M. Ufuk Caglayan, CmpE 476 Spring 2000, SSL and SET Notes, March 29, 2000 CmpE 476 Spring 2000 Notes on SSL and SET Dr. M. Ufuk Caglayan Department.
Henric Johnson1 Chapter 7 WEB Security Henric Johnson Blekinge Institute of Technology, Sweden
Network security Presentation AFZAAL AHMAD ABDUL RAZAQ AHMAD SHAKIR MUHAMMD ADNAN WEB SECURITY, THREADS & SSL.
IT443 – Network Security Administration Instructor: Bo Sheng
Cryptography and Network Security
Secure Sockets Layer (SSL)
CSCE 715: Network Systems Security
Originally by Yu Yang and Lilly Wang Modified by T. A. Yang
CSE 4095 Transport Layer Security TLS, Part II
Cryptography and Network Security
Cryptography and Network Security Chapter 16
Secure Web Application-SSL
Cryptography and Network Security
SSL (Secure Socket Layer)
Security at the Transport Layer: SSL and TLS
CSCE 815 Network Security Lecture 16
Cryptography and Network Security Chapter 16
Cryptography and Network Security
Presentation transcript:

December 2006Prof. Reuven Aviv, SSL1 Web Security with SSL Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College

December 2006Prof. Reuven Aviv, SSL2 Outline Introduction - Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) –SSL Architecture –SSL Record Protocol –Handshake Protocol –In Closing: What does the SSL Really Protect? Why the Web Service is special?

Introduction December 2006Prof. Reuven Aviv, SSL3

December 2006Prof. Reuven Aviv, SSL4 Introduction All businesses have Web sites Most public organizations have Web sites Many individuals have Web sites Business are enthusiastic about setting facilities on the Web for electronic commerce However: Internet and the Web Servers are vulnerable Demand for security increases What software options are available?

December 2006Prof. Reuven Aviv, SSL5 Web Security Options HTTP Client Server; Standard IPSec is applicable (later lecture) BUT – we need special security mechanism: The WEB is very visible. –It is the front end of business –Breaking into it makes bad business –What risks are (not) countered by SSL

December 2006Prof. Reuven Aviv, SSL6 Web Security risks & counter-measures Corrupt server or browser data – done by Trojans, ActiveX, Applets Corrupt data in transit and session hijacking –Cryptographic checksum, Encryption –web proxy Denial of Service: flooding server, DNS attacks –Network Mitigation procedures Impersonation of users, and programs –signatures

December 2006Prof. Reuven Aviv, SSL7 Approaches to network Security Advantages and Disadvantages?

December 2006Prof. Reuven Aviv, SSL8 Approaches to network Security IPSec – below TCP – transparent to applications (and users) –Only filtered packets incur overhead –General purpose client server security –Complex configuration (packet oriented)

December 2006Prof. Reuven Aviv, SSL9 Approaches to network Security SSL/TLS – above TCP –General purpose –but controllable by application –What does that mean? At the application layer: PGP, S/MIME –Specific, tailored to the application

Secure Socket Layer December 2006Prof. Reuven Aviv, SSL10

December 2006Prof. Reuven Aviv, SSL11 SSL (Secure Socket Layer) & TLS SSL: Netscape, later Microsoft –SSL 3.0 Submitted to IETF IETF  TLS: Transport Layer Security – essentially SSLv3.1 Free Implementations: SSLRef, OpenSSL SSL support included in Microsoft IIS & IE What technologies are used for Privacy, Inegrity, Authentication, Non- Repudiation?

December 2006Prof. Reuven Aviv, SSL12 SSL Services Privacy – via user defined encryption algorithms Integrity – user specified hash functions Authentication – using X public key certificates, also Passwords, or none Non Repudiation – using signed messages

December 2006Prof. Reuven Aviv, SSL13 SSL/TLS Features I Separation of duties: encryption, authentication and data integrity use different keys (secrets) What are the benefits? decreasing risks & different key lengths Flexibility: authenticated connections with/without encryption Note: algorithm & keys determined by server, limited by both

December 2006Prof. Reuven Aviv, SSL14 SSL/TLS Features II Efficiency – use (slow) public key once to create “master secret”. “connection Secrets” on the fly Mutual Certificate based authentication Protect against MIM & Replay how? validating identities, sequencing messages and nonces

December 2006Prof. Reuven Aviv, SSL15 SSL Protocol Architecture SSL Record Protocol: transmission of blocks of data (records) between applications (e.g. HTTP) What are the purpose of the SSL Handshake & Alert protocols?

December 2006Prof. Reuven Aviv, SSL16 SSL Record Protocol Provides Services -- to whom?: Encryption Decryption of the payloads (TCP/HTTP, …) –conventional encryption algorithms (DES, AES,…) Message integrity – using MAC Via hash function secrets as agreed by a Handshake Protocol

December 2006Prof. Reuven Aviv, SSL17 SSL Record Protocol Operation What’s in the header?

December 2006Prof. Reuven Aviv, SSL18 Record Construction Compress Fragment Add Hash (MD5/SHA-1) of Fragment + Secret, Seq Num, Compression parameters Encrypt by (IDEA, DES, 3DES, RC4,…) Add a record header: –Payload Type (e.g. HTTP, Handshake, …) –Major/Minor version of SSL –Compressed Length of fragment why names of algorithms not in header?

December 2006Prof. Reuven Aviv, SSL19 SSL Record Format What is to be agreed by client/server during handshake?

December 2006Prof. Reuven Aviv, SSL20 What is to be agreed: Cipher Suit Key Exchange algorithm ID: Name of method to be used to create SSL Pre-Master Secret –One of four (e.g. D.H.), discussed below Cipher-Spec: Specifications of algorithms and parameters that will be used by the SSL Record Protocol to encrypt/authenticate

December 2006Prof. Reuven Aviv, SSL21 What’s in Cipher-Spec? Encryption Algorithms – RC4, AES, 3DES, … Cipher Type: Stream or Block IV size, Hash size in Bytes: 0, 16 (MD5), 20 (SHA-1),.. MAC Algorithm: HMAC-MD5 / HMAC-SHA-1 Key Materials: Sequence of Bytes –data used in creating Secrets

December 2006Prof. Reuven Aviv, SSL22 SSL: 6 Secrets two keys for encryption ; Two values of Initial Values (for encryption); Two secrets for MAC Procedure for derivation of secrets: Pre_Master_Secret (48 Bytes PMS): one time value Pre_master_secret  Master Secret  Secrets Several methods for deriving Pre_Master_Secret (PMS) Who calculates PMS / Master / Secrets?

December 2006Prof. Reuven Aviv, SSL23 What is to be agreed: PMS derivation method [1] RSA Method: Client creates PMS (random) send PMS to server encrypted by Server’s RSA public key –Client needs Server’s Public Key Certificate

December 2006Prof. Reuven Aviv, SSL24 PMS derivation methods [2] Anonymous Diffie Hellman Method q,  agreed by two sides Public keys (Y) are exchanged PMS (calculated by each party) = Y X (modq) No exchange of Certificates [3] Fixed Diffie Hellman Method Server is authenticated by a D.H. certificate (with D.H. public key). Rest is Anonymous D.H. Disadvantage relative to RSA method?

December 2006Prof. Reuven Aviv, SSL25 PMS derivation methods [4] Ephemeral Diffie Hellman Method: Most secure way - both parties are authenticated D.H. public keys are exchanged by messages signed by senders’ private keys (RSA) PMS is created by both parties Signing keys (RSA or DSS) keys are presented via Certificates, themselves signed by CAs

December 2006Prof. Reuven Aviv, SSL26 Handshake Protocol: full scenario

December 2006Prof. Reuven Aviv, SSL27 1. Hello Phase

December 2006Prof. Reuven Aviv, SSL28 Hello messages: Establishing Security Capabilities Client sends ClientHello (1) –ProtocolVersion (3.1 for TLS 1.0) –timestamp + random_num1 What are the purpose of these? Session ID What is the purpose of this? Lists of Cipher-Suites & Compression methods supported by client

December 2006Prof. Reuven Aviv, SSL29 Hello messages: Establishing Security Capabilities Server sends ServerHello (2) Protocol Version, Timestamp, random num2 –Session ID: new value (or, if updating, old) –Selected Cipher-Suite, compression method Is the PMS Derivation method determined at this stage?

December 2006Prof. Reuven Aviv, SSL30 2. Server Authentication & Key exchange Certificate (3): one (or more) X.509 certificate Certificate present public key, that will be used for encrypting secrets and/or signing Server client These are optional. Who determines if these Messages are sent?

December 2006Prof. Reuven Aviv, SSL31 Server Key_exchange_Message (4) Sent from the Server to provide its public key Not needed in RSA [1] or fixed D.H [3] methods – public key of Server was sent by Certificate (3) What is the content of this message? The Diffie Hellman public key (Y) Message required in the Anonymous D.H. [2] –Message not signed Why not?

December 2006Prof. Reuven Aviv, SSL32 Server Key_exchange_Message (4) Message required in the Ephemeral D.H [4] –Message signed by what? by RSA or DSS private key What is the signature? encrypted hash of D.H. parameters and the rand. in the Hello messages why? K RSA {hash(Cl.Hello.rand|| Ser.Hello.rand || D.H. parameters)}

December 2006Prof. Reuven Aviv, SSL33 End of Phase 2: Server In all methods except Anonymous D.H. [2] Server sends Ceritificate_Request (5) requesting Client to authenticate itself by Certificate(s) –List of types, usages & names of acceptable certificates & CAs Server sends ServerDone (6) message What will the client do?

December 2006Prof. Reuven Aviv, SSL34 End of Phase 2: Client Client Checks the acceptability of parameters in ServerHello (selected Cipher Suite & PMS method) Client checks receipt of the required certificates Client checks the validity of certificates

December 2006Prof. Reuven Aviv, SSL35 Phase 3: Client Authentication & Key Exchange What’s in Client_key_Exchange (8)? CertificateVerify (9): a signed hash of previous messages. What is the purpose of this? Client Server

December 2006Prof. Reuven Aviv, SSL36 ClientKeyExchange (8) Required. PMS calculated after this message Content depends on method of key generation: RSA [1]: Client generates a 48-byte PMS, encrypts with the certified Server’s public key Ephemeral [4] or Anonymous D.H. [2]: Client sends its public D.H. key (Y) Fixed D.H. (3): null, because Client’s public D.H. sent in previous message, Certificate (7) –In all D.H. methods [2], [3], [4] both Client and Server now calculate PMS

December 2006Prof. Reuven Aviv, SSL37 Certificate_Verify (9) Sent by Client – if previously sent a Certificate with signing capabilities –i.e. Not Certificates with D.H. parameters Purpose: proving that the client in the negotiation and the owner of the certificate are the same entities What could be in this message?

December 2006Prof. Reuven Aviv, SSL38 Certificate_Verify (cont’d) Hash of collected shared knowledge –K Client {hash(Master_Secret || pad2 || hash (handshake_messages||Master_Secret||pad1))} Signed by Client Private key cannot be done by one who stole the Client certificate why?

December 2006Prof. Reuven Aviv, SSL39 4. Finish phase ChangeCipherSpec: –Let’s start using agreed Cipher-Suite Finished: hash of master secret, & other info –Using the agreed upon Cipher Suit

December 2006Prof. Reuven Aviv, SSL40 In closing: What does SSL really protect? It protects data in transit, mitigates attacks like MIM, Replay, and in general makes other attacks difficult to perform It does not solve the hard problems of E- Commerce: –DOS Attacks –Application Layer Attacks on the client and servers. A notable risk of the later is stealing credit cards

December 2006Prof. Reuven Aviv, SSL41 In closing: What does SSL really protect? These are “solved” by: – Multi-layer Enterprise security system (last lecture) –Policies of Credit cards companies (Canceling cards and returning charges

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.