Encryption, SSL and Certificates BY JOSHUA COX AND RACHAEL MEAD.


1 Encryption, SSL and Certificates BY JOSHUA COX AND RACHAEL MEAD

2 Outline
• Cryptography
  ◦ Encryption
• SSL
  ◦ Overview
  ◦ Keys
  ◦ Statistics
• Certificates
  ◦ Explanation of certificates
  ◦ MITM attacks with keys
  ◦ Disadvantages

3 Encryption
• Type of Cryptography
  ◦ The practice and study of techniques for secure communication in the presence of third parties.
• The process of encoding messages so that only authorized parties can read them.
• Use of encryption keys to encrypt and decrypt the message.
• Used in military communications in the past. Primarily used for protecting computer data nowadays.

4 SSL
What is SSL?
• SSL stands for Secure Sockets Layer, and it is a standard security technology for establishing an encrypted link between a server and a client.
• The first SSL Certificate was created in 1994 by Netscape Communications.
• SSL Certificate issuers are called Certificate Authorities, or CAs.
• SSL allows sensitive information such as credit card numbers and social security numbers to be transmitted securely.
• The Payment Card Industry (PCI) requires an SSL Certificate.
• The main components of SSL Certificates are keys: the public key and the private key.

5 SSL Keys
• Public Key – Encryption
• Private Key – Decryption
• Session Key – Temporary key shared by server and browser

6 SSL
• Asymmetric encryption, or public-key cryptography, uses a separate key for encryption and decryption.
• Only the intended receiver can decrypt the message.
• Asymmetric keys are typically 1024 or 2048 bits.
• 2048 bit contains 617 digits of encryption code. 14 billion years to crack.
• Video
Figure: Asymmetric Encryption

7 SSL
• Symmetric encryption uses a single key to both encrypt and decrypt data.
• Both the sender and the receiver need the same key to communicate.
• Symmetric key sizes are typically 128 or 256 bits; the larger the key size, the harder the key is to crack.
Figure: Symmetric Encryption

8 SSL
Symmetric vs. Asymmetric
• Symmetric keys have a major disadvantage because the same key is used for symmetric encryption and decryption.
• Asymmetric encryption doesn’t have this problem.
• As long as you keep your private key secret, no one can decrypt your messages.
• Only the person with the private key can decrypt it, which makes asymmetric stronger.

9 SSL
SSL Handshake / Example
• The connection between browser and server is known as the “SSL Handshake”.
• Class activity!

10 SSL Statistics
• 55.9% of websites do not use an SSL Certificate
• 11.3% use self-signed certificates
• Out of the 32.8% who use SSL Certificate Authorities:
  ◦ 38.3% use Symantec
    ◦ Owns Verisign and Geotrust, among others
Sources: w3techs.com, sslshopper

11 Certificates
Certificates and What They Do?
• Electronic credentials
  ◦ Think of a passport or an ID
• Help to prevent MITM attacks
• Help preserve data integrity

12 Certificates
Man in the Middle Attacks
• Someone is intercepting and modifying communications.
• Can make new public keys and eavesdrop on messages.
• Capable of impersonating official websites.
Suppose Alice is your grandmother and Bob is her banker. Then Mallory is intercepting their messages.

13 Certificates
How to Solve MITM Attacks
• Certificates wrap the keys and other identifying information, and encrypt them.
• The certificate is signed by a trusted Certificate Authority.
• This is what allows you to host a secure website (https).
• Certificate Authorities range from $60 a year to $500 a year.
  ◦ Source: whichssl.com
• You can make your own certificate, but it is not trusted.
• Certificate example: tldp.org
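
The Alice, Bob and Mallory scenario from slides 12 and 13, as an added example that is not part of the original presentation: a CA signature over the name and public key lets Alice reject a swapped key or a self-signed certificate before she sends the session key. It assumes textbook RSA on fixed small primes with no padding (illustration only, not secure); the function names and `bank.example` are hypothetical.

```python
import hashlib

# Textbook RSA on fixed small primes: illustration only (no padding, not secure).
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public key, private key)

def digest(name, pub, n):
    data = f"{name}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_certificate(signer_priv, name, pub):
    """Bind a name to a public key by signing their hash with the signer's private key."""
    n, d = signer_priv
    return {"name": name, "pub": pub, "sig": pow(digest(name, pub, n), d, n)}

def verify_certificate(ca_pub, cert, expected_name):
    """Client check: the name matches and the signature verifies under the trusted CA key."""
    n, e = ca_pub
    return (cert["name"] == expected_name
            and pow(cert["sig"], e, n) == digest(cert["name"], cert["pub"], n))

def send_session_key(ca_pub, cert, expected_name, session_key):
    """Alice encrypts the session key only to a key whose certificate verified."""
    if not verify_certificate(ca_pub, cert, expected_name):
        return None  # refuse: this key is not vouched for by the CA
    n, e = cert["pub"]
    return pow(session_key, e, n)

def decrypt(priv, ciphertext):
    n, d = priv
    return pow(ciphertext, d, n)

# Constructed keys (products of Mersenne primes) and a constructed session key.
CA_PUB, CA_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
SESSION_KEY = int.from_bytes(b"constructed-key!", "big")

bob_cert = issue_certificate(CA_PRIV, "bank.example", BOB_PUB)
# What Mallory can present: Bob's certificate with her key swapped in, or a self-signed one.
swapped_cert = dict(bob_cert, pub=MALLORY_PUB)
self_signed_cert = issue_certificate(MALLORY_PRIV, "bank.example", MALLORY_PUB)

if __name__ == "__main__":
    for label, cert in [("CA-signed", bob_cert), ("key swapped", swapped_cert),
                        ("self-signed", self_signed_cert)]:
        print(label, verify_certificate(CA_PUB, cert, "bank.example"))
```

Only the CA-signed certificate verifies, so the session key is encrypted only to Bob's real public key and only Bob's private key recovers it.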

14 Disadvantages of SSL and Certificates
• Certificate Authorities' security can be breached.
  ◦ Diginotar. In July 2011 a man was able to make a near-perfect Google replica. Diginotar certificates are now banned from most browsers.
  ◦ Trustwave, an international Certificate Authority, sold the trusted root certificates to an unknown client. There is reason to believe Trustwave is not the only CA to do this.
• HeartBleed Bug
  ◦ heartbleed.com
• There are patented interception taps: patent
  ◦ Governments and vendors use interception taps.

