Software Engineering 4C03 Research Project. An Overview of Secure Transmission on the World Wide Web. Sean MacDonald 0043306

Similar documents
Web Security Considerations

The Secure Sockets Layer (SSL)

Communication Systems SSL

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Overview. SSL Cryptography Overview CHAPTER 1

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

SSL A discussion of the Secure Socket Layer

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Lecture 7: Transport Level Security SSL/TLS. Course Admin

CSC Network Security

CSC 474 Information Systems Security

TLS/SSL in distributed systems. Eugen Babinciuc

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Secure Sockets Layer

Network Security Part II: Standards

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Secure Socket Layer. Security Threat Classifications

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Transport Layer Security Protocols

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

Communication Security for Applications

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Chapter 17. Transport-Level Security

SSL Secure Socket Layer

SECURE SOCKETS LAYER (SSL)

Security Protocols and Infrastructures. h_da, Winter Term 2011/2012

Lab 7. Answer. Figure 1

TLS-RSA-PSK. Channel Binding using Transport Layer Security with Pre Shared Keys

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Some solutions commonly used in order to guarantee a certain level of safety and security are:

SSL Secure Socket Layer

Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

Three attacks in SSL protocol and their solutions

Information Security

Web Security: Encryption & Authentication

Authenticity of Public Keys

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

Protocol Rollback and Network Security

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Binding Security Tokens to TLS Channels. A. Langley, Google Inc. D. Balfanz, Google Inc. A. Popov, Microsoft Corp.

Chapter 7 Transport-Level Security

Chapter 10. Network Security

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

SSL/TLS: The Ugly Truth

Properties of Secure Network Communication

Low-Level TLS Hacking

Lecture 4: Transport Layer Security (secure Socket Layer)

As enterprises conduct more and more

CRYPTOGRAPHY IN NETWORK SECURITY

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Network Security Essentials Chapter 5

Transport Level Security

Cornerstones of Security

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Learning Network Security with SSL The OpenSSL Way

Securing Ship-to-Shore Data Flow

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

SSL: Secure Socket Layer

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

TLS and SRTP for Skype Connect. Technical Datasheet

Understanding Digital Certificates and Secure Sockets Layer (SSL)

SECURE SOCKET LAYER PROTOCOL SIMULATION IN JAVA. A Research Project NAGENDRA KARRI

Network Fundamentals Carnegie Mellon University

Programming with cryptography

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Virtual Private Networks

Savitribai Phule Pune University

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

Secure network protocols: how SSL/TLS, SSH, SFTP and FTPS work

Network Security - Secure upper layer protocols - Background. Security. Question from last lecture: What s a birthday attack? Dr.

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

March PGP White Paper. Transport Layer Security (TLS) & Encryption: Complementary Security Tools

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Ky Vu DeVry University, Atlanta Georgia College of Arts & Science

Network Security Protocols

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Cipher Suite Rollback: A Misuse Pattern for the SSL/TLS Client/Server Authentication Handshake Protocol

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

ISA 562 Information System Security

Interested in learning more about security? SSL/TLS: What's Under the Hood. Copyright SANS Institute Author Retains Full Rights

AC76/AT76 CRYPTOGRAPHY & NETWORK SECURITY DEC 2014

Security vulnerabilities in the Internet and possible solutions

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

ELECTRONIC COMMERCE OBJECTIVE QUESTIONS

Security Policy Revision Date: 23 April 2009

SECURE SOCKETS LAYER (SSL) SECURE SOCKETS LAYER (SSL) SSL ARCHITECTURE SSL/TLS DIFFERENCES SSL ARCHITECTURE. INFS 766 Internet Security Protocols

A Study of the Performance of SSL on PDAs

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

The Beautiful Features of SSL And Why You Want to Use Them?

Secure E-Commerce: Understanding the Public Key Cryptography Jigsaw Puzzle

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

NEWFOUNDLAND AND LABRADOR ELECTRONIC TAX SERVICE (NLETS)

Introduction to Cryptography

Transcription:

Software Engineering 4C03 Research Project An Overview of Secure Transmission on the World Wide Web Sean MacDonald 0043306 Tuesday April 5, 2005

Introduction Software Engineering 4C03 Research Project An Overview of Secure Transmission on the World Wide Web Sean MacDonald 0043306 Submitted on Tuesday April 5, 2005 Last Revised on Monday April 4, 2005 The question of Internet security is one that is becoming increasingly prevalent in the world of computing today. The number of online transactions taking place each day is increasing at an astronomical rate, and people, whether they are doing their banking, making online purchases or simply checking their email, take comfort in the fact that the information they are transmitting over the Internet is protected. If a system of protection was not in effect, individuals and corporations would most certainly incur monetary loss as well as compromise confidential information. How can you protect your information? The use of encryption is a primary means of protecting information that is transferred on the Internet. Encryption defined, is the process of obscuring information to make it unreadable without special knowledge. In this case, it is desired that the data being transferred be readable by the source and destination computer systems that the data is being transferred between, but not to any external observers. The special knowledge that must be known to read the message being transferred, comes in the form of a key. This key is used with a special function, and when applied to the encrypted message, decrypts it. There are two types of data encryption that are commonly used today. The first method, symmetric cryptography, uses the same key for both the encryption and decryption of a message. Both the client and server systems must know each other, and have agreed upon the key that is going to be used in advance. This method requires minimal CPU cycles in utilizing the key, but an inherent weakness in the system is introduced due to the fact that the key must be distributed in advance, outside of the actual cryptography system. The second method, asymmetric cryptography, uses one key for encrypting data, and a second key for decrypting data. The use of this method is advantageous as even if the key used for encryption is discovered by an external source, the key used for decryption must still be discovered if a message is to be compromised. This method does have its disadvantages however, as its performance is up to 1000 times more CPU intensive than symmetric cryptography, and therefore, inherently slower. Each of the cryptography systems described above has its own merits, but the user should not have to manually go through the process of utilizing either of them. This brings us to the Secure Sockets Layer Protocol, or SSL, which makes use of both cryptography system to transfer data securely over the Internet.

What is the Secure Sockets Layer Protocol? The Secure Sockets Layer Protocol, or SSL, was a system developed by Netscape Communications to provide security for Internet data traffic. The three primary objectives for this system are: 1. Authenticating client and server systems to each other. 2. Securing data privacy, such that a message can be sent between client and server systems and only be readable by the intended recipient. 3. Ensuring data integrity, such that data cannot be tampered with while it is being transmitted. The SSL protocol was designed such that it could be integrated with the TCP/IP protocol suite. The communications tasks of this protocol suite are divided into five independent layers, with these layers being the Application Layer, the Transport Layer, the Internet Layer, the Network Interface Layer and the Physical Layer. The SSL Protocol is integrated between the Transport Layer and the Application Layer which allows virtually any application to make use of it. Through making use of the TCP/IP protocol suite, SSL provides a reliable and secure end-to-end service. Simply stated, the SSL protocol uses asymmetric cryptography, which is inherently slow, to encrypt a generated symmetric key, which is then distributed to both the client and server systems. This symmetric key is then decrypted and used for encrypting all other data that is sent along the connection between the client and server systems. How this is done specifically, will be explained in the following section. How does the Secure Sockets Layer Protocol work? The SSL protocol can be thought of as not a single protocol, but as a set of protocols that can be divided into low level and high level layers. The low level layer contains only the Record Protocol. which is used to provide basic security services to the protocols in the high level layer. The high level layer contains three protocols, the Handshake Protocol, the Change CipherSpec Protocol and the Alert Protocol, all of which are used in the management of SSL data transmissions. The use of both layers of protocols is required to create and maintain a connection between the client and server systems. Each of these protocols will be explained in the following section. When it is initially desired that a secure connection be made, the Handshake Protocol is used to initiate a session between the client and server systems, where a session is defined as a logical peer-to-peer connection between two nodes.when this takes place, the client system sends the server system a client_hello message which contains the following information: Version Random Data Session ID The version of SSL that is supported by the client system. Random data used to protect the key exchange between the client and server systems. A unique identifier for the data transmission session.

Cipher Suite A list of encryption algorithms and key exchange methods supported by the client system. In response to the client_hello message, the server issues a similar server_hello message which contains the following information: Version Random Data Session ID Cipher Suite The version of SSL that is supported by the server system. Random data used to protect the key exchange between the client and server systems. The random data generated by the server system is in no way related to the random data generated by the client system. The unique identifier for the data transmission session as sent by the client system. A list of encryption algorithms and key exchange methods that will be used throughout the data transmission. This list is created by the server based on the corresponding list that it has received from the client. After the server completes the sending of the server_hello message, it sends its digital certificate to the client system for authentication. The purpose of the digital certificate is to attest to the identity of an individual or other entity and allow verification that an individual or entity is in fact who it claims to be. SSL specifically makes use of X.509 certificates for identify verification, which should be issued by a trusted third party organization to verify that the certificate is from a reputable individual or entity. An X.509 contains information such as the issuer of the certificate, the start and end validity dates of the certificate and the public key of the owner of the certificate, as well as the algorithm used to generate the public key. Additionally, the public key of the owner is encrypted using the private key of the trusted third party organization. Following the transmission of this certificate, the server_hello message will be complete. When the client computer system receives the server_hello message, it first examines the digital certificate that it has received. It decrypts the encrypted public key it has received, using the public key of the trusted third party. If the client system is able to successfully verify the identity of the system, it will will then send a 384 bit premaster key to the server system, which when functionally combined with the Random Data generated by both the client and server systems, forms the symmetric encryption key that will be used for all further data encryption and decryption. After the symmetric key has been transmitted, the host and client systems each make use of the ChangeCipher Spec Protocol, which consists of a single message that carries the value of 1. This message allows the pending connection to be formally established. After the host and client systems have received this message from the other, the subsequent application data transmission takes place.

As with any computer system, errors are bound to happen. The Alert Protocol is therefore present and is used by both the client and server to indicate that errors have taken place. Each message used by the Alert Protocol is of length 2 bytes, where the first byte contains a value corresponding to either warning or fatal, depending on the severity of the error that has occurred. If a warning value is sent, the receiving party will determine the specific error that has taken place from the second byte of the message, and attempt to recover from it. If a fatal value is sent, the SSL connection will be terminated immediately. The overall functioning of the SSL protocol is illustrated in the following diagram. 1 client_hello 2 server_hello server_certificate server_key_exchange server_hello_done 3 certificate_verification client_key_exchange change_cipher_spec finished 4 change_cipher_spec finished 5 application_data Figure 1 - Making an SSL Connection The SSL Record Protocol, although mentioned above, was not explicitly discussed due to the length requirements of this paper. More information can be obtained in the listed references with respect to this topic. Will the use of the Secure Sockets Layer Protocol ensure data security? As in life, there are very few things that can be stated with absolute certainty. The SSL protocol is indeed not excluded from this, and the use of it will definitely not ensure data security. A determining factor in the overall security of an SSL implementation, is the length of the key that is used for encryption and decryption. A key with a shorter length is inherently more insecure than a key with a longer length. This was in fact the reason why the first version of SSL that was developed was never released, as it could only support 40 bit keys which are relatively easy to discover through the use of brute force methodologies. Modern implementations of SSL support keys with lengths of 128 and 256 bits,

which although extremely difficult to crack using brute force methodologies, it is not impossible. With a little determination and several months of time, it would be possible to accomplish this. The time requirement of this however, is much of a deterrent and the likelihood of anyone trying to complete this feat for an average individual is incredibly low. The advent of new technologies such as Quantum Computing will make the aforementioned brute methodologies trivial, and as such, the SSL protocol will have to be redesigned when Quantum computer systems become easily accessible. Conclusions With the use of online transaction systems increasing astronomically in the world of computing today, it is important to have a means of ensuring that information being transmitted is secure. The use of encryption techniques and systems such as SSL which utilize encryption techniques, provide a means for transferring data in a method which for the average person, is secure enough to be used with little concern. The current SSL implementation is more than appropriate for providing the required level of data protection, but as other technologies progress, it will most certainly need to undergo a major revision to prevent it from becoming obsolete. References [1] Encryption - definition of Encryption in Encyclopedia. Last accessed on April 4, 2005. <http://encyclopedia.laborlawtalk.com/encryption> [2] Secure Socket Layer. Last Accessed on April 4, 2005. <http://www.windowsecurity.com/pages/article_p.asp?id=440> [3] SSL: Foundation for Web Security - Volume 1, Issue 1, June 1998-The Internet Protocol Journal - Cisco Systems. Last accessed on April 4, 2005. <http://www.cisco.com/en/us/about/ac123/ac147/archived_issues/ipj_1-1/ssl.html> [4] SSL: Introduction to Secure Sockets Layer [Web Site Security and SSL Solution] - Cisco Systems. Last accessed on April 4, 2005. <http://www.cisco.com/en/us/netsol/ns340/ns394/ns50/ns140/networking_solutions_w hite_paper09186a0080136858.shtml> [5] Software Engineering 4C03 Course Notes. Spring 2005.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information