SSL. Secure Sockets Layer. - a short summary - By Christoph Gutmann and Khôi Tran




Table of contents
1. Brief historic outline of SSL
2. Why did SSL come to life?
3. How does SSL work?
4. Where does SSL act?
5. SSL today - where is it applied?
6. Questions
7. Answers

1. Brief historic outline of SSL

In the early 90s, many of you might remember that the masses were stunned as Netscape announced in public that they were giving away their web browser free of charge. This was of course part of a bigger scheme. Many people started to use the Netscape browser. That browser had, in addition to the standard HTML support, many more proprietary functions. One of those was SSL. That's right. To say it bluntly, non-secure servers were mobbed. While the press made all the users believe that credit card thieves were hanging behind every router, all the internet shop owners had to buy the quite expensive Netscape servers. That did not please quite a bunch of people. So there were efforts to counter that Netscape lock-in: SHTTP (open source) and STT (by Microsoft), just to mention a few names. That mix-up of available technologies did not only confuse consumers, but merchants and developers as well. In those times of chaos and confusion, Netscape realized that their monopolizing strategy was a bad idea and then signed over the specs of SSL to an industrial consortium (IETF - Internet Engineering Task Force). They also wouldn't get an export privilege from the American government if they kept it proprietary. It was then known as TLS (Transport Layer Security) and was soon supported by all available major HTML browsers. TLS 1.0 was based on SSL 3.0 (developed by Netscape until 1996).

2. Why did SSL come to life?

As mentioned in the historic outline, most internet users are paranoid, or if they aren't, they will be made paranoid (ever seen that nasty popup about non-secure connections that comes up every time you send information?). It is indeed true that there could be evil people hiding everywhere, using packet sniffers to get hold of your most personal information like name, address, credit card numbers, usernames, passwords, favorite food and even your cinema of choice! Therefore, as privacy is a human necessity, a way of secure communication through the widely open Internet was more than an urgent need. Business also called for secure communication, as credit card fraud and problems with anonymity were growing each day. So where there's a need, there'll be a deed. SSL came to life.

3. How does SSL work?

SSL uses RSA public key cryptography. The letters RSA are the initials of the last names of the creators of RSA cryptography: Ronald Rivest, Adi Shamir and Leonard Adleman. Public key cryptography is built on a pair of keys. Each entity using it has a set of two keys, a public key and a private key. The public key is accessible to every user, contrary to the private key, which is always kept secret. Data that has been encrypted with the public key can only be decrypted with the private key. On the other hand, data that has been encrypted with the private key can also be decrypted with the public key. This asymmetry makes public key cryptography very versatile and useful.

Example 1: Using RSA public key cryptography for authentication

Let's say Ann wants to talk to Bob. She has Bob's public key. She sends Bob a message and tells him to encrypt that message using his private key and send the encrypted data back. She then uses Bob's public key to decrypt the message, and if it matches her old message, she'll know that it is the right Bob she's talking to. The flow diagram looks as follows:

    Ann                                              Bob
    <--- Bob's public key ---------------------------
    ---- random_message ---------------------------->
                                                     encrypt using Bob's private key
    <--- encrypted(random_message) ------------------
    decrypt using Bob's public key
    Compare random_message with decrypted(encrypted(random_message))

Note that in this example, Ann needs to ensure that she received Bob's public key from the one Bob she wants to talk to. If she received the public key from an impostor, all the work was meaningless. To solve this problem, the standards community has invented something called a certificate. A certificate is a closed piece of information, containing the subject, the public key of the subject and some time stamps. The certificate is usually only issued once, and it is also encrypted using the subject's private key. That way, everyone can read the certificate, but they cannot modify it. As long as the certificate is issued to the right person, all is well. So the new flow diagram using certificates is as follows:

    Ann                                              Bob
    <--- Bob's certificate --------------------------
    See whether Bob's public key and the key from the certificate match
    ---- random_message ---------------------------->
                                                     encrypt using Bob's private key
    <--- encrypted(random_message) ------------------
    decrypt using Bob's public key
    Compare random_message with decrypted(encrypted(random_message))

Now that Ann knows that Bob is really the real Bob, she can send him data that ONLY he can decrypt. That is done by encrypting the data using Bob's public key. Even if some spy is listening to their conversation, he cannot decrypt the data meant for Bob by any means, because no one but Bob has Bob's private key. All he could do is damage the message Ann is sending to Bob.
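The two flow diagrams above (Example 1 and the certificate variant), carried through in code as an added example that is not part of the original summary. It uses textbook RSA on Python's built-in integers with two constructed, deliberately small prime pairs (one for Bob, one for an impostor), a certificate sealed with the subject's own private key exactly as the summary describes it (not an X.509 certificate issued by a CA), and function names chosen here for illustration.

```python
# Added example (not from the original summary): Ann authenticating Bob by
# challenge/response, the certificate-vs-presented-key check, and the final
# "only Bob can read it" step, all with textbook RSA. The primes are
# constructed demo values, far too small for real use; they only make the
# mechanism visible.
import hashlib
import json
import secrets


def make_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)) for two distinct primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def private_transform(priv, m):
    """'Encrypt with the private key', as the summary puts it (a signature)."""
    d, n = priv
    return pow(m, d, n)


def public_transform(pub, c):
    """'Decrypt with the public key': undo the private transform."""
    e, n = pub
    return pow(c, e, n)


def new_challenge(pub):
    """Ann picks a fresh random message below the modulus; never reused."""
    return secrets.randbelow(pub[1])


def answer_challenge(priv, random_message):
    """Bob's side of Example 1."""
    return private_transform(priv, random_message)


def check_answer(pub, random_message, encrypted):
    """Ann's side: decrypt with Bob's public key and compare with what she sent."""
    return public_transform(pub, encrypted) == random_message


def encrypt_for(pub, m):
    """Data that ONLY the holder of the matching private key can decrypt."""
    return public_transform(pub, m)


def decrypt_own(priv, c):
    return private_transform(priv, c)


def digest_mod_n(payload, n):
    """Hash the certificate body so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def issue_certificate(subject, pub, priv, not_before, not_after):
    """Subject, public key and time stamps, sealed with the subject's private
    key: anyone can read it, nobody can change it without breaking the seal."""
    body = {"subject": subject, "e": pub[0], "n": pub[1],
            "not_before": not_before, "not_after": not_after}
    payload = json.dumps(body, sort_keys=True).encode()
    seal = private_transform(priv, digest_mod_n(payload, pub[1]))
    return {"body": body, "seal": seal}


def certificate_matches_key(cert, presented_pub):
    """Ann's check: the key in the certificate must equal the key the peer
    presents, and the seal must verify under that key."""
    body = cert["body"]
    cert_pub = (body["e"], body["n"])
    if cert_pub != presented_pub:
        return False
    payload = json.dumps(body, sort_keys=True).encode()
    return public_transform(cert_pub, cert["seal"]) == digest_mod_n(payload, cert_pub[1])


def authenticate(cert, presented_pub, peer_priv):
    """Whole flow: certificate check first, then challenge/response."""
    if not certificate_matches_key(cert, presented_pub):
        return False
    m = new_challenge(presented_pub)
    return check_answer(presented_pub, m, answer_challenge(peer_priv, m))


if __name__ == "__main__":
    bob_pub, bob_priv = make_keypair(1000000007, 998244353)     # constructed demo primes
    imp_pub, imp_priv = make_keypair(1000000009, 1000000021)    # the impostor's own pair
    bob_cert = issue_certificate("Bob", bob_pub, bob_priv, "2005-01-01", "2006-01-01")
    print("real Bob:", authenticate(bob_cert, bob_pub, bob_priv))
    print("impostor presenting his own key:", authenticate(bob_cert, imp_pub, imp_priv))
    print("impostor presenting Bob's key without Bob's private key:",
          authenticate(bob_cert, bob_pub, imp_priv))
    print("Ann -> Bob secret recovered:", decrypt_own(bob_priv, encrypt_for(bob_pub, 4242)))
```

Running the script shows the impostor failing in both ways the summary warns about: with his own key pair the certificate check already fails, and with Bob's public key but without Bob's private key the challenge/response fails. Altering any field of the certificate body (say, the subject) breaks the seal, which is the "readable but not modifiable" property the text describes.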

In order to counter possible data garbling by third parties, SSL generates a temporary key between the two communicants (in this case between Ann and Bob). That temporary key is called message authentication code (MAC). The MAC is exchanged between the two by encrypting the MAC using the public keys (so only the other member can decrypt the MAC). Since the MAC is shared between the two, it cannot be changed by an attacker. And as for a spy guessing the MAC, the odds are about 1 in 18 446 744 073 709 551 616 if a 128-bit MAC is used (i.e. by using something like Message Digest 5 (MD5), made by RSA, as the MAC computation algorithm).

4. Where does SSL act?

SSL can be seen as an additional layer located between the application layer and the transport layer. It takes the bits and bytes from the application layer and encrypts them into incomprehensible garbage for the transport layer, and vice versa decrypts incoming data from the transport layer into comprehensible data in order for the application to understand.

    Application Layer (HTTP)
    Secure Sockets Layer (SSL)
    Transport Layer (TCP)
    Switching Layer (IP)
    Link Layer (PPP)
    Physical (ex. Modem)

5. SSL today - where is it applied?

Whenever real-time private and secure communication or the authentication between two entities is wished for (for some people it is always), SSL can be used. Just a few examples:

Secure bank transactions: What is everyone's most guarded secret? It's the bank account balance with all its transactions! It is also pretty important that no one but yourself (SSL authentication) can make payments and transactions.

E-shopping: If e-shopping wasn't secure, you could always find out what your best friend is going to give you as a present at your next birthday! Wouldn't that ruin the surprise?

SFTP: Anyone ever played the latest beta of Half-Life 2 yet?

SSH (ex. PuTTY): Well, I just entered my root password 5 minutes ago, but I didn't remember doing a chmod 777 /etc/shadow. Wait a minute! Why is my home directory empty? WTF changed my lilo.conf? Why is "You have been hacked!" blinking on my screen?

W-LAN, VPN, Bluetooth
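What the shared MAC key actually buys Ann and Bob, shown as an added example that is not part of the original summary: every record carries a tag computed from a key only the two of them hold, and the receiver recomputes it and drops anything that was altered or moved in the stream. The example uses HMAC-SHA256 from the Python standard library rather than the MD5 the summary mentions, covers the sequence number as well as the payload (which goes a step beyond the text, since it also catches reordering), and the key, records and helper names are constructed for illustration.

```python
# Added example (not from the original summary): integrity protection with a
# shared MAC key. The 16-byte key matches the 128-bit size the summary
# assumes; the records and the two tampering helpers are constructed demo data.
import hashlib
import hmac
import secrets
import struct


def new_mac_key():
    """The temporary, per-session key shared by the two communicants."""
    return secrets.token_bytes(16)


def tag_record(key, seq, data):
    """Tag over sequence number + payload, so a record cannot be changed or
    moved to another position in the stream without the tag breaking."""
    return hmac.new(key, struct.pack(">Q", seq) + data, hashlib.sha256).digest()


def send(key, seq, data):
    """Sender side: the record as it goes on the wire."""
    return seq, data, tag_record(key, seq, data)


def receive(key, expected_seq, record):
    """Receiver side: the payload, or None if the record is rejected.
    compare_digest avoids leaking where the tags differ through timing."""
    seq, data, tag = record
    if seq != expected_seq:
        return None
    if not hmac.compare_digest(tag, tag_record(key, seq, data)):
        return None
    return data


def exchange(key, payloads, meddle=None):
    """Push a stream of payloads through the check; `meddle` optionally
    rewrites the records in flight. Returns the payloads that were accepted."""
    records = [send(key, i, p) for i, p in enumerate(payloads)]
    if meddle:
        records = meddle(records)
    accepted = []
    for i, rec in enumerate(records):
        data = receive(key, i, rec)
        if data is None:
            break                 # a bad MAC ends the session, nothing after it is trusted
        accepted.append(data)
    return accepted


def flip_byte(records):
    """A spy damaging one byte of the second payload (constructed tampering)."""
    seq, data, tag = records[1]
    data = bytes([data[0] ^ 0x01]) + data[1:]
    return [records[0], (seq, data, tag)] + records[2:]


def swap_first_two(records):
    """Reordering the stream without touching a single byte of any record."""
    return [records[1], records[0]] + records[2:]


if __name__ == "__main__":
    key = new_mac_key()
    msgs = [b"transfer 10 EUR", b"to account 1234", b"confirm"]   # constructed payloads
    print("untouched:", exchange(key, msgs))
    print("one byte flipped:", exchange(key, msgs, flip_byte))
    print("records swapped:", exchange(key, msgs, swap_first_two))
```

The spy in the text "could do no more than damage the message"; with the tag in place even that is detected, because he cannot produce a valid tag for the damaged bytes without the shared key. Guessing a tag means guessing all of its bits at once, which is where the odds the summary quotes come from.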

6. Questions

Content:
1. Why is it a good idea to compare the public key from the user and the public key from the certificate?
2. How long (in bits) is a key made of nowadays?
3. Who invented SSL?
4. Why did SSL become open source?
5. Why is RSA necessary to use SSL?

Mathematical:
1. Suppose you found a suitcase with a lock with three numbers on it, each of which can vary between 0 and 9. How long would it take to find out the key number using a brute force method in the worst case? Let's say that you can test a number combination in 3 seconds.
2. In that suitcase, you find a credit card and it happens to be the one of Bill Gates. Next to you, there is a credit card hacking tool that can try out combinations every second. Tempted by the thought, you calculate the needed time to crack the credit card. What's the result? Unlucky you, Bill Gates has only chosen a six number PIN.
3. After finding out the credit card's code, your face saddens as you notice that the credit card has been blocked before you took advantage of it. But as if it was heaven's call, you find a loose PS/2 connector at the banking machine. Luckily you have your foldable keyboard with you (gadgets are cool). With your lightning fingers, you can type in 3 000 000 16-byte codes per second (man, you're good!). Also, your best friend told you that the banking machine's root password has been made using a random 128-bit code. How many years after your retirement would it take in addition to find out the banking machine's root password?

7. Answers

Content:
1. Because it provides additional authentication security, as the certificate was issued way longer ago than the present public key. So if they don't match, you know that the certificate owner and the current user you communicate with aren't the same.
2. 128 bits or 16 bytes
3. Netscape, see chapter 1
4. American government, chaos in secure communication technology
5. RSA provides the encryption basics in order to apply SSL.

Mathematical:
1. 1 000 key possibilities = 10-bit key (2^10 > 1000) = 3072 s = 51.2 min
2. 1 000 000 key possibilities = 20-bit key = 1 048 576 s = 12 days 3 hours 16 min
3. 2^128 key possibilities = 128-bit key = 2^128 / (3 * 10^6) s = 3 596 761 023 602 004 729 656 843 years - 65 retirement age = some time after your burial.
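The worst-case brute force arithmetic behind the three mathematical answers, as an added example that is not part of the original summary. It generalises the answers to any key space and any attack rate, rounds key spaces up to a power of two the way the answers do (1 000 combinations to 2^10, 1 000 000 to 2^20), counts 365-day years as the third answer does, and uses exact integer division for the 128-bit case so the result is not blurred by floating point. The function names are chosen here for illustration.

```python
# Added example (not from the original summary): worst-case brute force time
# for a key space of 2**bits, plus the unit conversions used in the answers.
import math

SECONDS_PER_MINUTE = 60
SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY     # the answers use 365-day years


def bits_for(keyspace):
    """Smallest bit length whose key space covers `keyspace` combinations."""
    return math.ceil(math.log2(keyspace))


def worst_case_seconds(bits, seconds_per_try=None, tries_per_second=None):
    """Seconds to exhaust all 2**bits keys, given either the cost of one try
    or the number of tries per second."""
    if seconds_per_try is None:
        seconds_per_try = 1 / tries_per_second
    return (2 ** bits) * seconds_per_try


def split_duration(seconds):
    """Break a duration into (days, hours, minutes, seconds)."""
    seconds = int(seconds)
    days, seconds = divmod(seconds, SECONDS_PER_DAY)
    hours, seconds = divmod(seconds, SECONDS_PER_HOUR)
    minutes, seconds = divmod(seconds, SECONDS_PER_MINUTE)
    return days, hours, minutes, seconds


def suitcase():
    """Question 1: three digits (rounded up to a 10-bit key), 3 s per try."""
    return worst_case_seconds(bits_for(1000), seconds_per_try=3)


def credit_card():
    """Question 2: six digits (rounded up to a 20-bit key), one try per second."""
    return worst_case_seconds(bits_for(1_000_000), tries_per_second=1)


def banking_machine_years(tries_per_second=3_000_000):
    """Question 3: a random 128-bit code at 3 000 000 tries per second,
    in whole 365-day years (exact integer arithmetic)."""
    return (2 ** 128 // tries_per_second) // SECONDS_PER_YEAR


def years_after_retirement(retirement_age=65):
    """The 'in addition to your retirement' part of the third question."""
    return banking_machine_years() - retirement_age


if __name__ == "__main__":
    d, h, m, s = split_duration(suitcase())
    print(f"suitcase: {suitcase():.0f} s = {h} h {m} min {s} s")
    d, h, m, s = split_duration(credit_card())
    print(f"credit card: {credit_card():.0f} s = {d} days {h} h {m} min {s} s")
    print(f"banking machine: {banking_machine_years()} years")
    print(f"after retirement: {years_after_retirement()} years")
```

The point the three questions build up to is visible in the numbers: each extra bit doubles the worst case, so going from 20 bits to 128 bits multiplies the time by 2^108, and no plausible increase in typing speed closes that gap.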