Web Security: Encryption & Authentication



Similar documents
SSL/TLS: The Ugly Truth

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

What is an SSL Certificate?

Apache Security with SSL Using Linux

Apache, SSL and Digital Signatures Using FreeBSD

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

Properties of Secure Network Communication

Apache Security with SSL Using Ubuntu

Chapter 17. Transport-Level Security

Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173

As enterprises conduct more and more

Three attacks in SSL protocol and their solutions

SSL Overview for Resellers

Overview. SSL Cryptography Overview CHAPTER 1

Instructions on TLS/SSL Certificates on Yealink Phones

Building Customer Confidence through SSL Certificates and SuperCerts

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Understanding Digital Certificates & Secure Sockets Layer A Fundamental Requirement for Internet Transactions

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

2014 IBM Corporation

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

You re FREE Guide SSL. (Secure Sockets Layer) webvisions

TLS/SSL in distributed systems. Eugen Babinciuc

White Paper. Enhancing Website Security with Algorithm Agility

Understanding Digital Certificates & Secure Sockets Layer (SSL): A Fundamental Requirement for Internet Transactions

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

mod_ssl Cryptographic Techniques

SSL A discussion of the Secure Socket Layer

understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

Understanding Digital Certificates and Wireless Transport Layer Security (WTLS)

Securing your Online Data Transfer with SSL

Savitribai Phule Pune University

How To Understand And Understand The Security Of A Key Infrastructure


Introduction to Cryptography

Transport Layer Security Protocols

Websense Content Gateway HTTPS Configuration

Understanding SSL Certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

Implementing Secure Sockets Layer on iseries

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Network Security Essentials Chapter 5

[SMO-SFO-ICO-PE-046-GU-

Secure Socket Layer (SSL) Machines included: Contents 1: Basic Overview

Software Engineering 4C03 Research Project. An Overview of Secure Transmission on the World Wide Web. Sean MacDonald

Tel: Tel: +44 (0) Comodo Group.

How To Encrypt Data With Encryption

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

Generating and Installing SSL Certificates on the Cisco ISA500

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Secure E-Commerce: Understanding the Public Key Cryptography Jigsaw Puzzle

An Overview of the Secure Sockets Layer (SSL)

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Communication Systems SSL

Grid Computing - X.509

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

OFTP 2 Secure Data Exchange Via the Internet

Cornerstones of Security

Secure Client Applications

How To Secure Your Online Business

The Secure Sockets Layer (SSL)

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Chapter 7 Transport-Level Security

Implementing Secure Sockets Layer (SSL) on i

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt

GT 6.0 GSI C Security: Key Concepts

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Chapter 9 Key Management 9.1 Distribution of Public Keys Public Announcement of Public Keys Publicly Available Directory

Network Security Protocols

SBClient SSL. Ehab AbuShmais

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Lukasz Pater CMMS Administrator and Developer

How to configure SSL proxying in Zorp 3 F5

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc.

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Enabling SSL and Client Certificates on the SAP J2EE Engine

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol

Secure Socket Layer (TLS) Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

TELNET CLIENT 5.0 SSL/TLS SUPPORT

Security Goals Services

QualitySSL by BitEngines Nellikevaenget Vallensbaek Denmark. WWW:

Angel Dichev RIG, SAP Labs

Quickstream Connectivity Options

Security Protocols/Standards

Lecture 9 - Network Security TDTS (ht1)

TLS and SRTP for Skype Connect. Technical Datasheet

National Certification Authority Framework in Sri Lanka

Lecture 7: Transport Level Security SSL/TLS. Course Admin

SSL BEST PRACTICES OVERVIEW

Data Encryption WHITE PAPER ON. Prepared by Mohammed Samiuddin.

AD RMS Microsoft Federation Gateway Support Installation and Configuration Guide... 3 About this guide... 3

ERserver. iseries. Securing applications with SSL

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

ISM/ISC Middleware Module

E-commerce Shopping Carts Digital Cert. Merchants

SSL Guide. (Secure Socket Layer)

Vulnerabilità dei protocolli SSL/TLS

Transcription:

Web Security: Encryption & Authentication Arnon Rungsawang fenganr@ku.ac.th Massive Information & Knowledge Engineering Department of Computer Engineering Faculty of Engineering Kasetsart University, Bangkok, Thailand.

Outline What are SSL/TLS? Symmetric vs. Asymmetric ciphers Shortcomings of both ciphers Cipher strength Digital certificates Certificate content Secure transaction 2

SSL & TLS SSL (Secure Sockets Layer), developed by the Netscape Communications, and TLS (Transport Layer Security), the open-standard replacement for SSL, are two protocols that add encryption and authentication onto the TCP/IP stack. Two main SSL/TLS features: Ciphers: enable the encryption of data between two parties, i.e. a client and a server. Digital certificates: provide the authentication of the two parties. 3

Ciphers Two types of ciphers Symmetric (secret-key ciphers) Use a single key for both encrypting and decrypting data. The encrypted data is secure only if the key can be securely distributed to both parties. Asymmetric (public-key ciphers) Public key is used to encrypt data. Private key is used to decrypt data. Only the private key can decrypt the data that has been encrypted by its public key pair. Data encoded with the public key is secure as long as the private key stays secure. You can freely distribute your public key without security risk as long as you keep your private key secure. 4

Ciphers Shortcomings of both ciphers Symmetric encoded data can be secure only so long as the key used is secured. Asymmetric encoded data require a longer processing time. SSL/TLS use both types of ciphers: Use asymmetric cipher to securely exchange the symmetric key. Use symmetric cipher during data transfer. 5

Ciphers Cipher strength Cipher size or strength plays an important role is secure transaction. 40-bit or 56-bit cipher size in common web browser is considered weak since it can be cracked in approximately one week using current computer processing power. 6

Ciphers Cipher strength (2) 128-bit strength ciphers are not unbreakable, but involve a larger time and resource commitment that reduces the usefulness of the data being sought. We can crack a weak ciphered credit card data and go shopping within a week. We must take time and employ much resource (albeit money) to crack a strong ciphered credit card data and perhaps, if success, can go shopping within 6 month! 7

Digital certificates Allow authentication of the parties engaged in a secure transaction. Two types of certificates: Server certificates Client certificates Both types of certificates are in the X.509 format, and issued by Certificate Authorities (albeit CAs, such as VeriSign, Thawte, Entrust) that act as a trusted third party. CAs verifies the identity of the two parties. Server certificates are required in and SSL/TLS transaction, client certificates are in general not needed. 8

Digital certificates Certificate content A serial number Name of the CA Period the certificate is valid for Information of the party in question, such as name, street address and/or email address Subject s public key A signature from the issuing CA 9

Secure transaction using SSL/TLS The client requests a secure transaction (by accessing a URL with https) and lets the server know what ciphers and key sizes it can handle. The server sends the requested server certificate, which contains the server s public key in a package that has been encrypted by a CA. It also sends a list of ciphers and key sizes in order of priority. The client: Generate a new symmetric session key based on the priority list sent by the server. Compare the CA that issued the certificate to its list of trusted CAs, verify that the certificate has not expired, and check that the certificate is used by the server that is listed in the certificate. 10

Secure transaction using SSL/TLS (2) The client encrypts a copy of the new session key with the public key sent by the server. The client then sends the new encrypted key to the server. The server decrypts the new session key with its own private key. At this point, both the client and server have the same secured session key which can now be used to encrypt and decrypt the rest of the transferred data. If the server wishes to verify the client it will now ask for the client certificate. 11

Any questions? 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information