Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Information Security SSL & TLS Story of a protocol Itamar Gilad (infosec15 at modprobe dot net)

Published byHeather Wells Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to Information Security SSL & TLS Story of a protocol Itamar Gilad (infosec15 at modprobe dot net)"— Presentation transcript:

1 Introduction to Information Security SSL & TLS Story of a protocol Itamar Gilad (infosec15 at modprobe dot net)

2 Motivations for SSL/TLS Military & state secrets Medical & “regular” business confidential information Online banking & online shopping Secure access to online services (webmail, social networks and many different cloud services) Protecting against phishing attacks, traffic manipulation, cookie stealing and many other forms of attack Basic privacy – Who did I speak to, when, about what and why?

3 Definitions & History HTTPS = HTTP Secure (“HTTP over SSL”) SSL = Secure Socket Layer o 1.0 o 2.0 1995 o 3.0 1996 (comprehensive re-design!) o superseded by TLS, but v3 was often enabled and used until 2014 (!) TLS = Transport Layer Security o v1.0 (1999) o v1.1 (2006) o v1.2 (2008) – current stable version o v1.3 (2015?) – draft status Leading implementations – o S-Channel (Windows) o OpenSSL, LibreSSL (community fork), BoringSSL (fork by Google) o GnuTLS (Linux and others) o Mozilla NSS (Many), BouncyCastle (Java, C#, etc.), many more…

4 Early SSL History Leading design criteria: protection against a passive attacker Simplified session stages – o Alice & Bob exchange session keys using Diffie-Hellman / RSA o They also negotiate a symmetric cipher algorithm they both can use o Alice uses her session key to encrypt connection data, and sends her data to Bob o Bob does the same in the other direction o And they both lived happily ever after… o Or did they?

5 Eve is Passive-Aggressive Turns out that Eve can perform a MITM (Man-In-The-Middle) attack o Eve can pretend to be Bob as far as Alice is concerned o Eve can pretend to be Alice as far as Bob is concerned o Therefore – Eve can place herself in the middle of the connection in a transparent manner, and have access to the secret contents of the communication These attacks are not theoretical. They can be carried out – o By a rogue sys-admin / ISP / Internet exchange o By a malicious/compromised user on the local network The key issue is a lack of authentication

6 Solutions to the MITM Issue Have a pre-shared secret between both parties! But that’s really hard… Solution: Authenticate using a common third party both sides can trust And thus, the CA (Certificate Authority) model was born Basic concept – o Alice trusts the CA o Bob presents a certificate to Alice, signed by the CA o Alice and Bob use information from the certificate to set up an authenticated session o Eve can no longer MITM, because Alice will know and promptly terminate the session o (Often, only the server will be authenticated explicitly, but there is support for client authentication as well)

7 More CAs Root CA Intermidiate CA #1 Intermidiate CA #2 Certificate for example.com

8 Being a CA is hard Problem – o As a CA, you have to verify each certificate request and stake your reputation on it Solution – o More CAs were created More CAs o New, more thorough validation standards added (EV = Extended Validation) o CAs delegated further. Most OS and browsers will trust 10-100 root CAs out of the box, and 100-1000 CAs implicitly

9

10 Issues with the CA model Each and every CA your system trusts can be evil (or at least – incompetent) and compromise everything o CAs can be fooled into signing bad certificates o Some CAs were compromised (DigiNotar) o Some CAs are “evil”/forced into being evil (TurkSign, CNNIC) o Even worse – even when shown to be bad, some CAs were not removed (Comodo) because they were “too big to fail”. More infoMore info The root cause – o The CA model was designed when the Internet was a very small and innocent place o Designers of this system never imagined having to verify and issue 10M+ certificates

11 Fixing the CA model Certificate Pinning – o Storing a digest of the certificate inside the browser/application, and validation the otherwise trusted certificate yourself o Very effective in preventing tampering, but can cause other issues (e.g.: availability) Signing restrictions – o Defining authoritative bodies for different domain suffixes to limit the effect of rogue bodies (i.e.: CNNIC can only sign for *.cn) Certificate transparency – o Each CA publishes a list of all the certificates it has ever signed o Only Certificates on that list are trusted o Anyone can audit the published list, and any wrongdoings can result in removing trust from that CA o Can prevent “back-room” signing (but not fix everything)

12 Alternatives to the CA model DANE (DNS-based Authentication of Named Entities) – o Relying on DNSSEC to solve the trust issue, which in turn means DNS zone controllers also control TLS authentication Web-of-trust model o Shifting trust to a continuum rather than a binary value o Users define a level of trust per peer, which make a weighted graph o End-to-end trust level is a product of all trust levels on the arcs of the best path

13 Certificates Each domain (or HTTP origin) must have a certificate (X.509 ITU-T) Basic structure: o Version, Serial Number o Algorithm ID o Issuer o Validity - Not Before & Not After dates o Subject (target) o Subject Public Key Info Public Key Algorithm Subject Public Key o Certificate Signature Algorithm o Certificate Signature

14 Certificate Lifetime On some occasions, the certificate must be invalidated earlier than expected (e.g.: after a server holding the private key is known to be compromised) This is done using a protocol known as OCSP (Online Certificate Status Protocol) Basically, when creating a new TLS connection, the client must communicate with a “OCSP Responder” for that CA to verify that the certificate is still valid The OCSP response is signed by the CA and and verified by the client

15 Problems with OCSP If the attacker can already MITM the traffic, they can fail the OCSP checks (which usually fail-unsafe) OCSP overload – o OCSP is traffic heavy (an OCSP request should in theory be made before each HTTPS / TLS connection on the Internet...) o As an attacker, DDoSing the OCSP responders is very useful Performing an extra lookup to the OCSP responder means the responder can learn which hosts a client is communicating with Solution – o “OCSP Stapling” (TLS Certificate Status Request), which works by including a recently signed OCSP response in the TLS Handshake o Cannot be forged by the original certificate owner, because the OCSP response is signed by the CA, not the certificate holder

Download ppt "Introduction to Information Security SSL & TLS Story of a protocol Itamar Gilad (infosec15 at modprobe dot net)"

Similar presentations

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
The Dog’s Biggest Bite. Overview History Start Communication Protocol Weakness POODLE Issues.

The Dog’s Biggest Bite. Overview History Start Communication Protocol Weakness POODLE Issues.
CP3397 ECommerce.

CP3397 ECommerce.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Cryptography and Network Security

Cryptography and Network Security
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Security S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.

Security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
More Trick For Defeating SSL

More Trick For Defeating SSL
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.

Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Similar presentations

Ads by Google