
Using SSL – Secure Socket Layer


1 Using SSL – Secure Socket Layer
Chapter 4 – pp 2018/9/19

2 Basic Encryption (lab 4 using ABI software)
In order to protect a message (such as a Word document), the sender and receiver encrypt and decrypt it with an agreed method, such as the Data Encryption Standard (DES), at the application level. However, there is still a drawback: the hacker cannot read the Word document, but can still see the other messages, such as those exchanged to establish the protocols over the network.

3 Basic - With and without SSL
Without SSL, I can see the contents using Sniffer (lab 7). With SSL on, I cannot see the contents, as they have been encrypted.

4 Example – CityU home page: we can see the contents

5 CityU: when you log in, it changes to https

6 Overview
SSL at work: establishing an SSL connection, with encryption automatic between two machines over the network. Site certificates. Personal certificates, including VeriSign personal certificates. Browser SSL setting.

7 The rationale of using SSL
Network eavesdropping (monitoring) is a problem on the Internet. Packet sniffers, as demonstrated in laboratory seven, make it easy to tap the information. Using SSL can reduce the risk of being monitored, as the data is encrypted automatically. SSL (Secure Socket Layer) is a generic protocol in the transport layer and is automatic once it is “on”.

8 Establishing an SSL connection
To use SSL, simply access the URL and fill out a form. Please note that the URL starts with https, not the traditional http. You must have a valid certificate in your browser.

9 The screen of FedEx using SSL
You must have a certificate.

10 No certificate
If you do not have one, it will redirect you to another site using http.

11 How to get a certificate from VeriSign
Access

12 Fill in the form

13 Things to Watch
Site name mismatches; mixed pages; export and domestic grade cryptography; certificate revocation and expiration; CA and site certificates.

14 Site Name Mismatches
When a Web browser connects to an SSL server, it does some basic validation of the site’s certificate. It checks whether the name listed on the certificate matches the site’s URL. If the two do not match, the browser presents a warning.

15 Mixed Pages
It is possible for HTML pages to contain a mixture of encrypted and unencrypted information. The main page may have been fetched using SSL, but other elements might be fetched from different servers that do not use encryption.

16 Export and Domestic Grade Cryptography
Some browsers might use shorter key lengths such as 40 bits, which is insecure (SSL version 2: 40 bits; SSL version 3: 128 bits). A 40-bit key is sufficient to deter casual nosiness but insufficient to protect valuable secrets. Check your session key length: version 2, version 3.

17 Certificate Revocation and Expiration
Under certain circumstances, a site’s certificate may be revoked (declared invalid before its expiry date). If a remote server offers the browser a certificate that is past its expiration date, the browser will present a warning and might drop the connection.

18 CA and Site Certificates
Each browser that is shipped comes with the public keys of several certifying authorities (CAs) preinstalled. The public keys are installed in the form of self-signed digital certificates.
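The three browser-side checks described on slides 14, 17 and 18 (name matches URL, certificate not expired, issuer among the preinstalled CAs), as an added example that is not part of the lecture. The certificate, CA names and dates are constructed samples, and the CA check is a simplified stand-in: a real browser verifies the CA’s signature on the certificate rather than only looking up the issuer name.

```python
from datetime import datetime, timezone

# Constructed stand-in for the CA public keys a browser ships with (slide 18).
TRUSTED_CAS = {"VeriSign Root CA (sample)", "Hongkong Post Root CA (sample)"}

# Dates used by the sample checks: the lecture date, and one after the sample cert expires.
LECTURE_DATE = datetime(2018, 9, 19, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2019, 6, 1, tzinfo=timezone.utc)

def host_matches(cert_name: str, host: str) -> bool:
    """Site name check (slide 14): exact match, or one leftmost wildcard label."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        # "*.cityu.edu.hk" matches "www.cityu.edu.hk" but not "cityu.edu.hk"
        # or "a.b.cityu.edu.hk": the wildcard covers exactly one label.
        suffix = cert_name[2:]
        return host.endswith("." + suffix) and host.count(".") == cert_name.count(".")
    return False

def validate(cert: dict, host: str, now: datetime) -> list:
    """Return the warnings a browser would present for this site certificate."""
    warnings = []
    names = [cert.get("subject_cn", "")] + cert.get("subject_alt_names", [])
    if not any(host_matches(n, host) for n in names if n):
        warnings.append("site name mismatch")
    if now < cert["not_before"] or now > cert["not_after"]:
        warnings.append("certificate expired or not yet valid")
    if cert["issuer"] not in TRUSTED_CAS:  # simplified model of the CA signature check
        warnings.append("certificate not known by the client application")
    return warnings

# Constructed sample certificate, not a real one.
SAMPLE_CERT = {
    "subject_cn": "www.cityu.edu.hk",
    "subject_alt_names": ["*.cityu.edu.hk"],
    "issuer": "VeriSign Root CA (sample)",
    "not_before": datetime(2018, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2019, 1, 1, tzinfo=timezone.utc),
}
```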

19 CAs supported by Netscape
Communicator → Tools → Security Info → Signers

20 CA in IE Explorer

21 Certificates (also called digital IDs)
There are two types. Personal certificate: used when you send personal information over the Internet to a Web site that requires a certificate verifying your identity. Site certificate: specifies that a web site is genuine and secure.

22 Personal Certificates
Get one from the Hong Kong Post Office. In addition to site certificates, we can apply for a certificate to prove our own identity. Some browsers have incorporated the digital identity (digital ID means certificate) into the standard installation script. Personal certificates contain the name, address, and the public-key half of a public/private key pair.

23 VeriSign Personal Certificates
VeriSign offers two types of certificates: Class 1 and Class 2. Class 1: we need to complete a form on VeriSign’s Web site. The application is processed automatically without any attempt to validate the information. Class 2: we must provide detailed information such as a driver’s license and a social security number (applies to US citizens). The information will be sent using surface mail. (In Hong Kong, you need to show your HKID.)

24 How a CA works – from http://www.verisign
No need to memorise the legend in the CA diagram.

25 Step 1 – Send “client hello”
Firstly, the client application tries to connect to a secure page. The application first sends a random challenge string to the server, then chooses, on behalf of the user, which suite of encryption protocols to use. The client application must choose a session key exchange (server authentication) algorithm (such as DES), a private key encryption algorithm (such as RC2 or RC4), and a message integrity (hashing) algorithm (such as MD5) to use during the secure transaction.

26 Step 2 – Server hello
The server asserts its identity by returning its secure server certificate plus an acknowledgment that it can support the set of algorithms chosen by the client. It also generates a random connection identifier to be used throughout the communications phase.

27 Step 3 – Client master key
The client application verifies the server certificate by comparing the signature of the certification authority (CA) in the server’s certificate to the public key of the CA embedded in the client application. If the client does not have a CA key, or the client’s CA certificate does not match the server’s CA, the user receives a message warning that this server presents a certificate not known by the client application.

28 Step 4 – Accept certificate
Assuming the web site is configured to accept client certificates, the server now requests that the client present a valid client digital ID, and sends the client a new challenge phrase, encrypted using the server-write key.
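The four handshake steps above, as an added example that is not from the lecture: a Python model of the exchange in which the client sends a challenge and cipher suite, the server answers with its certificate and a connection id, the client sends a master key encrypted under the server’s public key, and the server returns a new challenge encrypted with the server-write key. The RSA key pair (tiny constructed primes), the certificate, and the MD5 key derivation in the style of SSL 2.0 are all simplified and far too small for real use; the certificate verification of step 3 is modelled separately in the earlier example.

```python
import hashlib
import secrets

# Toy RSA server key pair (constructed, tiny primes: for illustration only).
P, Q, E = 61, 53, 17
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SERVER_CERT = {"subject": "www.fedex.com (sample)", "public_key": (N, E)}

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (the private-key cipher named on slide 25); one call encrypts, a second decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def write_key(master: bytes, challenge: bytes, conn_id: bytes) -> bytes:
    """Server-write key derived SSL 2.0 style: MD5 over master key, challenge and connection id."""
    return hashlib.md5(master + b"0" + challenge + conn_id).digest()

def handshake() -> tuple:
    """Run the four steps; returns (server's new challenge, its ciphertext, what the client decrypted)."""
    # Step 1, client hello: random challenge plus the cipher suite the client chose.
    challenge, suite = secrets.token_bytes(16), ("RSA", "RC4-128", "MD5")
    # Step 2, server hello: certificate, acknowledgement of the suite, random connection id.
    cert, ack, conn_id = SERVER_CERT, suite, secrets.token_bytes(16)
    # Step 3, client master key: client makes a master key and sends it encrypted under
    # the server's public key (byte by byte, because the toy modulus is tiny).
    n, e = cert["public_key"]
    master = secrets.token_bytes(16)
    encrypted_master = [pow(b, e, n) for b in master]
    # Server recovers the master key with its private exponent; both sides derive the same key.
    server_master = bytes(pow(c, D, n) for c in encrypted_master)
    server_key = write_key(server_master, challenge, conn_id)
    client_key = write_key(master, challenge, conn_id)
    # Step 4: server sends a new challenge phrase encrypted with the server-write key.
    new_challenge = secrets.token_bytes(16)
    ciphertext = rc4(server_key, new_challenge)
    decrypted = rc4(client_key, ciphertext)  # client reads it with its matching client-read key
    return new_challenge, ciphertext, decrypted
```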

29 Example – using a PC at home – SSL version 3

30 Summary
SSL in Netscape and IE Explorer. Sequence for exchanging the certificate with VeriSign. Personal and site certificates.

31 Next Week
Web Security, Linux Security

