SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a...

SSL

By: Anthony Harris & Adam Shkoler

What is SSL?

• SSL stands for Secure Sockets Layer• SSL is a cryptographic protocol which

provides secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, and other data transfers.

• SSL is a part of the application layer.

Who invented the SSL?

• SSL v.3.0 was created by Netscape in 1996.• Major corporations such as Visa and

Mastercard have endorsed SSL for commerce over the internet.

• SSL led to the development of TLS v.1.0

or Transport Layer Security.

• SSL technology relies on the concept of “public key cryptography” to accomplish its tasks. In normal encryption, two communicating parties each share a password or key, and this is used to both encrypt and decrypt messages.

• In public key cryptography, each party has two keys, a public key and a private key. Information encrypted with a person’s public key can only be decrypted with the private key and vice versa.

• Each user publicly tells the world what his public key is but keeps his private key for himself.

Weak points in SSL history

• Early implementations used 40-bit symmetric keys because of government cryptographic restrictions.

• This made SSL vulnerable to brute force attacks.• However, the government enforced this policy on

purpose, so law enforcement could monitor traffic while keeping less equipped civilians out.

• Modern implementations now use 128-bit cryptographic keys.

Incorrect Uses

• Some websites only secure the form submission page rather than the login page.

• Securing the login page but having non-secure media present. This leaves you open to man in the middle attacks.

• Commercial websites that have dropped the Ball• Bank of America• Washington Mutual• JPMorgan Chase & Co.• Paypal

How it works

1.A customer contacts your site and accesses a secured URL: a page secured by a Server ID (indicated by a URL that begins with "https:" instead of just "http:" or by a message from the browser).

• Obtaining an SSL Certificate

• XYZ Inc., intends to secure their customer checkout process, account management, and internal employee correspondence on their website, xyz.com.

• Step 1:   XYZ creates a Certificate Signing Request (CSR) and during this process, a private key is generated.

• Step 2:   XYZ goes to a trusted, third party Certificate Authority, such as XRamp. XRamp takes the certificate signing request and validates XYZ in a two step process. XRamp validates that XYZ has control of the domain xyz.com and that XYZ Inc. is an official organization listed in public government records.

Obtaining a certificate cont’d

• Step 3:   When the validation process is complete, XRamp gives XYZ a new public key (certificate) encrypted with XRamp’s private key.

• Step 4:   XYZ installs the certificate on their webserver/s.

Crypto-licious!!!

• How Customers Communicate with the Server using SSL • Step 1:   A customer makes a connection to xyz.com on an SSL port,

typically 443. This connection is denoted with https instead of http. • Step 2:   xyz.com sends back its public key to the customer. Once

customer receives it, his/her browser decides if it is alright to proceed. • the xyz.com public key must NOT be expired • the xyz.com public key must be for xyz.com only • client must have XRamp public key for XRamp installed in their

browser certificate store. 99.9% of all modern browsers (1998+) include the XRamp root certificate. The customer has XRamp trusted public key, then they can trust that they are really communicating with XYZ, Inc.

• Step 3:   If the customer decides to trust the certificate, then the customer will be sent to xyz.com his/her public key.

• Step 4:   xyz.com will next create a unique hash and encrypt it using both the customer’s public key and xyz.com’s private key, and send this back to the client.

• Step 5:   Customer’s browser will decrypt the hash. This process shows that the xyz.com sent the hash and only the customer is able to read it.

• Step 6:   Customer and website can now securely exchange information.

Handshake phases

SSL Messages

OFFER CIPHER SUITEMENU TO SERVER

SELECT A CIPHER SUITE

SEND CERTIFICATE ANDCHAIN TO CA ROOT

CLIENT SIDE SERVER SIDE

SEND PUBLIC KEY TOENCRYPT SYMM KEY

SERVER NEGOTIATIONFINISHED

SEND ENCRYPTEDSYMMETRIC KEY

ACTIVATEENCRYPTION

CLIENT PORTIONDONE

( SERVER CHECKS OPTIONS )

ACTIVATESERVERENCRYPTION

SERVER PORTIONDONE

( CLIENT CHECKS OPTIONS )

NOW THE PARTIES CAN USE SYMMETRIC ENCRYPTION

A scenario for SSL

• SSL can be thought of as a conversation on the phone.

• 1.) Who are you speaking with? How do you know you are talking to an authorized

person if you’ve never talked to them before?

• 2.) Is Someone Listening to Your Conversation? Wire tapping is common practice. Are you sure

someone isn’t listening in and gathering information about you? (e.g., bank account, phone number, how you secretly enjoy celine dion)

• Two very real security issues for Internet correspondence arise.

• 1.) Being sure you are connected to the right computers; are you really on your bank’s website or is it a phisher’s scam website?

• 2.) Keeping your data safe and out of malicious hands during transit on the Internet.

A world without SSL is illustrated below

References!!

• http://www.xramp.com/resources/how-ssl-works

• www.wikepidia.org• www.ibm.com