SSL
Serguei Mokhov, SOEN321, Fall 2004

Contents: Background, SET, SSL (origins, protocol)
Online Financial Transactions
Do you buy stuff online? Do you bank online? What are the threats? Using credit cards over the net seems dangerous.
–Need to avoid sniffers
–Domain name spoofing, to pass the transactions through an impostor
Big problem:
–Merchants storing your credit cards in their web-linked database, for the convenience of the shoppers. Convenience may be costly.

SET, Secure Electronic Transactions protocol
A joint effort of IBM, Microsoft, Visa, and MasterCard. Failed. Actually, it never took off enough to fail. Why?
–Too complex (>700 pages of spec)
–Quality suffered.
Meanwhile…

SSL
Meanwhile Netscape had been developing a simpler protocol for online transactions. They called it Secure Socket Layer. Which layer of the ISO model does SSL sit on?

ISO Stack
Recall the 7-layer OSI model from the networks course:
Application
Presentation
Session
Transport (SSL sits on top of Transport)
Network
Link
Physical

Transport Layer
Between an app and networking. Refers to TCP and UDP. Transport layer security sits on top of the Transport Layer:
–Does not alter TCP/UDP headers
–Security is maintained when apps perform socket calls, which are replaced by their secure versions, i.e. read(socketd) -> secure_read(socketd)

Transport Layer (2)
SSL
–Secure Socket Layer, SSL, was introduced by Netscape, then standardized and became TLS, Transport Layer Security (RFC).
–Typical example: web browsers, and other client-server architectures (RDBMS, for example).
–Provides encryption and authentication.
–Services can easily be configured on top of SSL, without requiring much knowledge of it.

Transport Layer (3)
Advantages?
–It is easier to just upgrade your browser to get SSL than, say, to reinstall the OS or replace an insecure version of the IP stack.
Disadvantages?
–If there are no standard socket routines that map to the secure versions, the apps have to be altered or provide two code paths, with and without SSL.

SSL Idea
Create a secure "pipe" between a browser and a server. Encrypted, possibly compressed (OpenSSL), with MACs, etc. Adequate for credit cards and online transactions. Recall the problem: merchants often store the card info in their databases, so if an attacker breaks in there, SSL won't help (SET could have prevented this, but it didn't make it). As a result, some companies started to issue one-time credit "cards", linked to your main credit account.

SSL Protocol - Server
Server (e.g. a web site) owners have to go through these steps to support SSL:
–Generate the server's private/public key pair using RSA
–Get a certificate for the public key from a root authority (to sign the key; usually costs money). A certificate contains the identity and the public key of the merchant, signed, in a specific format for the SSL protocol.
–Install SSL support on the server side (if it is the Apache web server, for example, then mod_ssl has to be enabled and configured in httpd.conf to use the certificate you obtained).

SSL Protocol - Client
Most typically a browser. For web sites, use HTTPS and port 443 by default.
–A browser typically contains a collection (50-100) of root authorities' public keys to verify the signature on the web server's certificate. So, it is practically transparent to the browser user when visiting secure sites.

The SSL Protocol
1) C -> S : {SSL ClientHello}
–ClientHello contains the SSL parameters: the crypto algorithms and their parameters supported by the client (called a cipher suite), the compression algorithm, and the SSL version.
–The server matches the ClientHello against its own collection of cipher suites and compression algorithms and picks the most secure combination (SSL version 2 had a bug that picked the least secure one).
2) S -> C : {ChosenSuite, sessionID}
–The SessionID serves to avoid key regeneration on every transaction.
–Recall, there is NO permanent session/link maintained on the web via HTTP/HTTPS, only request-response.
3) S -> C : {cert}
–C verifies the cert and, if that succeeds, extracts the public key from it.
–C generates session key material (symmetric, random) based on the ChosenSuite.
–The session key material is used to generate the encryption and MAC keys for securing the packet payload when communicating with the server.
4) C -> S : {SessionKeyMaterial}K+S (encrypted with S's public key)
–S decrypts the SessionKeyMaterial and derives the encryption and MAC keys.
5) S -> C, C -> S : {MAC of the dialog so far}
–Both parties confirm they have the correct keys.
6) Use the encryption keys and MACs to send application data.
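The six steps above run as a small Python model, added here as an example (it is not code from the slides or from any SSL implementation). The cipher-suite names and the HMAC-based key expansion are constructed, and the RSA encryption of the key material to the server's certified public key in step 4 is not simulated. The model also shows why step 5 matters: the MAC over the dialog fails when the ClientHello the server saw differs from the one the client sent, and prefer_strongest=False reproduces the SSL version 2 weakest-suite behaviour the slide mentions.

```python
import hashlib
import hmac
import json
import os

# Constructed cipher-suite table: label -> strength rank (higher is stronger).
# The labels are illustrative only, not real SSL/TLS suite identifiers.
SUITES = {"RSA_EXPORT_RC4_40_MD5": 1, "RSA_RC4_128_SHA": 2, "RSA_3DES_EDE_CBC_SHA": 3}

def pick_suite(client_offer, server_supported, prefer_strongest=True):
    """Steps 1-2: the server matches the ClientHello offer against its own suites.
    prefer_strongest=False models the SSL version 2 bug the slides describe."""
    common = [s for s in client_offer if s in server_supported]
    if not common:
        raise ValueError("no common cipher suite")
    return max(common, key=SUITES.get) if prefer_strongest else min(common, key=SUITES.get)

def derive_keys(key_material, chosen_suite, session_id):
    """Steps 3-4: expand the client's random key material into separate
    encryption and MAC keys (HMAC-SHA256 expansion, constructed for this model)."""
    ctx = f"{chosen_suite}|{session_id}".encode()
    enc_key = hmac.new(key_material, b"enc" + ctx, hashlib.sha256).digest()
    mac_key = hmac.new(key_material, b"mac" + ctx, hashlib.sha256).digest()
    return enc_key, mac_key

def finished_mac(mac_key, transcript):
    """Step 5: MAC over the whole dialog so far, as one side saw it."""
    return hmac.new(mac_key, b"\n".join(transcript), hashlib.sha256).digest()

def handshake(client_offer, server_supported, tamper=None, prefer_strongest=True):
    """Run steps 1-5 and return (chosen suite, whether both Finished MACs agree).
    `tamper` optionally rewrites the ClientHello bytes the server receives,
    modelling an on-path modification of the offered suites."""
    client_hello = json.dumps({"suites": client_offer, "version": "3.0"}).encode()
    seen_by_server = tamper(client_hello) if tamper else client_hello
    offer_at_server = json.loads(seen_by_server)["suites"]
    chosen = pick_suite(offer_at_server, server_supported, prefer_strongest)
    session_id = os.urandom(8).hex()
    server_hello = json.dumps({"suite": chosen, "session": session_id}).encode()
    # Step 4: the client's random key material. Its RSA encryption to the server's
    # certified public key is outside this model, so it is handed over directly.
    key_material = os.urandom(32)
    _, client_mac_key = derive_keys(key_material, chosen, session_id)
    _, server_mac_key = derive_keys(key_material, chosen, session_id)
    # Step 5: each side MACs the dialog it actually saw; a mismatch means the
    # handshake messages were altered in transit or the keys differ.
    c_mac = finished_mac(client_mac_key, [client_hello, server_hello])
    s_mac = finished_mac(server_mac_key, [seen_by_server, server_hello])
    return chosen, hmac.compare_digest(c_mac, s_mac)
```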

Security Conclusions
SSL is generally good. SSL is only as good as the underlying crypto protocols used. Browsers are half-friendly: they tell you that an SSL mode is on (lock image), but don't immediately tell you with which server… Is the server serving the certificate actually the entity named in the certificate?? Browsers usually issue a warning, but who reads them? DNS attacks (cache poisoning) are effective against SSL. Do not neglect the social aspect: the user is responsible for verifying the identity of the server. Client caches. Performance (even with server certificates only there are two public key operations, a high load on busy websites; what if we authenticate the clients as well?). SSL is not a magical solution for the web, but it is good enough.