SSL. Secure Sockets Layer. - a short summary - By Christoph Gutmann and Khôi Tran

Transcription

1 SSL Secure Sockets Layer - a short summary - By Christoph Gutmann and Khôi Tran Page 1 / 7

2 Table of contents 1. Brief historic outline of SSL 2. Why did SSL come to life? 3. How does SSL work? 4. Where does SSL act? 5. SSL today where is it applied? 6. Questions 7. Answers 1. Brief historic outline of SSL In the early 90 s, many of you might remember that the masses were stunned as Netscape announced in public that they were giving away their Web-Browser free of charge. This was of course part of a bigger scheme. Many people started to use the Netscape-Browser. That browser had, additional to the standard HTML support, many more proprietary functions. One of those was SSL. That s right. To say it bluntly, non-secure servers were mobbed. While the press made all the users believe that credit card thieves were hanging behind every router, all the internet shop owners had to buy the quite expensive Netscape servers. That did not please quite a bunch of people. So there have been engagements to counter that Netscape lock-in. SHTTP (open-source) and STT (by Microsoft) just to mention a few names. That mix-up of available technologies did not only confuse consumers, but merchants and developers as well. In those times of chaos and confusion, Netscape realized that their monopolizing strategy was a bad idea and then signed over the specs of SSL to an industrial consortium (IETF - Internet Engineering Task Force). They also wouldn t get an export privilege from the American government, if they kept it proprietary. It was then known as TLS (Transport Layer Security) and was soon supported by all available major HTML-Browsers. TLS 1.0 was based on SSL 3.0 (developed by Netscape until 1996). 2. Why did SSL come to life? As mentioned in the historic outline, most of the internet users are paranoid or if they aren t, they will be made paranoid (ever seen that nasty popup about non-secure connections that comes up every time you send information?). It is indeed true that there could be evil people hiding everywhere using packet sniffers to get a hold onto your most personal information like name, address, credit card numbers, usernames, passwords, favorite food and even your cinema of choice! Therefore, as privacy is a human necessity, a way of secure communication through the widely open Internet was more than an urge need. The business also called for secure communication, as credit card frauds and problems with anonymity were growing each day. So where s a need, there ll be a deed. SSL came to life. Page 2 / 7

3 3. How does SSL work? SSL uses RSA public key cryptography. The characters RSA stand for the first letter of last names of the creators of RSA cryptography which are Ronald Rivest, Adi Shamir, and Leonard Adleman. Public key cryptography consists of a pair of keys. Each entity using that cryptography has a set of two keys a public key and a private key. The public key is accessible for every user, contrary to the private key, which is always kept secret. Data that has been encrypted with the public key can only be decrypted with the private key. On the other hand, data that has been encrypted with the private key can also be decrypted with the public key. This asymmetry makes public key cryptography very versatile and useful. Example 1: Using RSA public key cryptography for authentication Lets say Ann wants to talk to Bob. She has Bob s public key. She sends Bob a message and tells him to encrypt that message using his private key and send the encrypted data back. She then uses Bob s public key to decrypt the message, and if it matches with her old message, she ll know that it is the right Bob she s talking to. The flow diagram looks as follows: Ann Bob Bob s public key random_message encrypted (random_message) encrypt using Bob s private key decrypt using Bob s public key Compare random_message with decrypted(encrypted(random_message)) Page 3 / 7

4 Note that in this example, Ann needs to ensure that she received Bob s public key from the one Bob she wants to talk to. If she received the public key from an impostor, all the work was meaningless. To solve this problem, the standards community has invented something called certificate. A certificate is a closed piece of information, containing the subject, the public key of the subject and some time stamps. The certificate is usually only being issued once and it is also being encrypted using the subject s private key. That way, everyone can read the certificate, but they cannot modify it. As long as the certificate is being issued to the right person, all is well. So the new flow diagram using certificates is as follows: Ann Bob Bob s Certificate See whether Bob s public key and the key from the Certificate match random_message encrypted (random_message) encrypt using Bob s private key decrypt using Bob s public key Compare random_message with decrypted(encrypted(random_message)) Now that Ann knows that Bob is really the real Bob, she can send him data that ONLY he can decrypt. That is done by encrypting the data using Bob s public key. Even if some spy is listening to their conversation, he cannot decrypt the data meant for Bob by any means, because no one but Bob has Bob s private key. All he could do is damage the message Ann is sending to Bob. Page 4 / 7

5 In order to counter possible data garbling by third parties, SSL generates a temporary key between the two communicants (in this case between Ann and Bob). That temporary key is called message authentication code (MAC). The MAC is exchanged between the two by encrypting the MAC using the public keys (so only the other member can decrypt the MAC). Since the MAC is shared between the two, they cannot be changed by an attacker. And as for a spy to guess the MAC the odds are about 1 in if a 128-bit MAC is used (i.e. by using something like Message Digest 5 (MD5) made by the RSA a MAC computation algorithm). 4. Where does SSL act? The SSL can be seen as an additional layer located between the application layer and the transport layer. It takes the bits and bytes from the Application Layer and encrypts them into incomprehensible garbage in the Transport Layer and vice-versa decrypts incoming data from the transport layer into comprehensible data in order for the application to understand. Application Layer (HTTP) Secure Sockets Layer (SSL) Transport Layer (TCP) Switching Layer (IP) Link layer (PPP) Physical (ex. Modem) 5. SSL today where is it applied? Whenever a real-time private and secure communication or the authentication between two entities is wished for (for some people it is always), SSL can be used. Just a few examples: Secure bank transactions What is everyone s most guarded secret? It s the bank account balance with all its transactions! It is also pretty important that no one but yourself (SSL authentication) else can make payments and transactions. E-shopping If E-shopping wasn t secure, you could always find out what your best friend is going to give you as a present at your next birthday! Wouldn t that ruin the surprise? SFTP Anyone ever played the latest beta of Half Life 2 yet? SSH (ex. Putty) Well I just entered my root password 5 minutes ago, but I didn t remember doing a chmod 777 /etc/shadow. Wait a minute! Why is my home directory empty? WTF changed my lilo.conf? Why is You have been hacked! blinking on my screen? W-LAN, VPN, Bluetooth Page 5 / 7

6 6. Questions Content: 1. Why is it a good idea to compare the public key from the user and the public key from the certificate? 2. How long (in bits) is a key made of nowadays? 3. Who invented SSL? 4. Why became SSL open source? 5. Why is RSA necessary to use SSL? Mathematical: 1. Suppose you found a suitcase with a lock with three numbers on it which can vary between 0 and 9. How long would it take to find out the key number using a brute force method in the worst case? Let s say that you can test a number combination in 3 seconds. 2. In that suitcase, you find a credit card and it happens to be the one of bill gates next to you, there is a credit card hacking tool that can try out combinations every second. Tempted by the thought, you calculate the needed time to crack the credit card. What s the result? Unlucky you, Bill Gates has only chosen a six number pin. 3. After finding out the credit card s code, your face saddens as you notice that the credit card has been blocked before you took advantage of it. But as if it was heaven s call you find a loose PS/2 connector at the banking machine. Luckily you have your foldable keyboard with you (gadgets are cool). With your lightning fingers, you can type in byte codes per second (man you re good!). Also, your best friend told you that the banking machine s root password has been made using a random 128-bit code. How many years after your retirement would it take in addition to find out the banking machine s root password? Page 6 / 7

7 7. Answers Content: 1. Because it provides additional authentication security as the certificate has been issued way longer ago than the present public key. So if they don t match, you know that the certificate owner and the current user you communicate aren t the same bits or 16-bytes 3. Netscape, see chapter 1 4. American government, chaos in secure communication technology 5. RSA provides the encryption basics in order to apply SSL. Mathematical: key possibilities = 10 bit key (2^10 > 1000) = 3072 s = 51.2 min key possibilities = 20 bit key = s = 12 days 3 hours 16 min 3. 2^128 key possibilities = 128-bit key = 2^128 / 3 * 10^6 = years 65 retirement age = some time after your burial. Page 7 / 7