Encryption, SSL and Certificates BY JOSHUA COX AND RACHAEL MEAD


Page 1: Encryption, SSL and Certificates

Encryption, SSL and Certificates
By Joshua Cox and Rachael Mead

Page 2: Encryption, SSL and Certificates

Outline
• Cryptography
  • Encryption
• SSL
  • Overview
  • Keys
  • Statistics
• Certificates
  • Explanation of certificates
  • MITM attacks with keys
• Disadvantages

Page 3: Encryption, SSL and Certificates

Encryption
• A type of cryptography: the practice and study of techniques for secure communication in the presence of third parties.
• The process of encoding messages so that only authorized parties can read them.
• Uses encryption keys to encrypt and decrypt the message.
• Used in military communications in the past. Primarily used for protecting computer data nowadays.

Page 4: Encryption, SSL and Certificates

SSL: What is SSL?
• SSL stands for Secure Sockets Layer. It is a standard security technology for establishing an encrypted link between a server and a client.
• The first SSL certificate was created in 1994 by Netscape Communications.
• SSL certificate issuers are called Certificate Authorities, or CAs.
• SSL allows sensitive information such as credit card numbers and social security numbers to be transmitted securely.
• Having an SSL certificate is required by the Payment Card Industry (PCI).
• The main components of SSL certificates are keys: the public key and the private key.

Page 5: Encryption, SSL and Certificates

SSL: Keys
• Public key: encryption
• Private key: decryption
• Session key: temporary key shared by server and browser

Page 6: Encryption, SSL and Certificates

SSL
• Asymmetric encryption, or public-key cryptography, uses a separate key for encryption and decryption.
• Only the intended receiver can decrypt the message.
• Asymmetric keys are typically 1024 or 2048 bits.
• A 2048-bit key contains 617 digits of encryption code.
• 14 billion years to crack.
• Video

Asymmetric Encryption

Page 7: Encryption, SSL and Certificates

SSL
• Symmetric encryption uses a single key to both encrypt and decrypt data.
• Both the sender and the receiver need the same key to communicate.
• Symmetric key sizes are typically 128 or 256 bits. The larger the key size, the harder the key is to crack.

Symmetric Encryption

Page 8: Encryption, SSL and Certificates

SSL: Symmetric vs. Asymmetric
• Symmetric keys have a major disadvantage because the same key is used for symmetric encryption and decryption.
• Asymmetric encryption doesn't have this problem.
• As long as you keep your private key secret, no one can decrypt your messages.
• Only the person with the private key can decrypt a message, which makes asymmetric encryption stronger.

Page 9: Encryption, SSL and Certificates

SSL: SSL Handshake / Example
• The connection between browser and server is known as the "SSL Handshake".
• Class activity!

Page 10: Encryption, SSL and Certificates

SSL: Statistics
• 55.9% of websites do not use an SSL certificate
• 11.3% use self-signed certificates
• Out of the 32.8% who use SSL Certificate Authorities, 38.3% use Symantec
  • Symantec owns Verisign and Geotrust, among others
Sources: w3techs.com, sslshopper

Page 11: Encryption, SSL and Certificates

Certificates: Certificates and What They Do
• Electronic credentials
  • Think of a passport or an ID
• Help to prevent MITM attacks
• Help preserve data integrity

Page 12: Encryption, SSL and Certificates

Certificates: Man in the Middle Attacks
• Someone is intercepting and modifying communications.
• They make new public keys and can eavesdrop on messages.
• They are capable of impersonating official websites.

Suppose Alice is your grandmother and Bob is her banker. Then Mallory is intercepting their messages.

Page 13: Encryption, SSL and Certificates

Certificates: How to Solve MITM Attacks
• Certificates wrap the keys and other identifying information, and encrypt them.
• The certificate is signed by a trusted Certificate Authority.
• This is what allows you to host a secure website (https).
• Certificate Authorities range from $60 a year to $500 a year. Source: whichssl.com
• You can make your own certificate, but it is not trusted.
• Certificate example: tldp.org
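
The key swap from the Man in the Middle slide and the certificate check from this slide, as an added Python illustration that is not part of the original presentation. It uses textbook RSA on small fixed primes, which is not secure and stands in for real SSL only for teaching; the name bank.example, all key values and all function names are constructed for this example.

```python
# Added teaching sketch: textbook RSA on fixed primes, no padding. NOT secure.
import hashlib

E = 65537  # public exponent

def keypair(p, q):
    """Build (public, private) textbook-RSA keys from primes p and q."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(subject, pub, modulus):
    """Hash the name-to-key binding and reduce it below the signer's modulus."""
    data = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def issue_cert(subject, pub, signer_priv):
    """Signer binds a subject name to a public key by signing their hash."""
    n, d = signer_priv
    return {"subject": subject, "pub": pub, "sig": pow(digest(subject, pub, n), d, n)}

def verify_cert(cert, hostname, ca_pub):
    """Browser check: name matches and the trusted CA signed this exact key."""
    n, e = ca_pub
    expected = digest(cert["subject"], cert["pub"], n)
    return cert["subject"] == hostname and pow(cert["sig"], e, n) == expected

def wrap_session_key(cert, hostname, ca_pub, session_key):
    """Encrypt the session key to the server only if its certificate verifies."""
    if not verify_cert(cert, hostname, ca_pub):
        return None  # abort the handshake instead of talking to Mallory
    n, e = cert["pub"]
    return pow(session_key, e, n)

def unwrap_session_key(ciphertext, priv):
    """Server side: recover the session key with the private key."""
    n, d = priv
    return pow(ciphertext, d, n)

# Constructed keys (Mersenne primes, so the demo is deterministic).
CA_PUB, CA_PRIV = keypair(2**107 - 1, 2**127 - 1)    # trusted CA
BANK_PUB, BANK_PRIV = keypair(2**61 - 1, 2**89 - 1)  # Bob, the banker
MAL_PUB, MAL_PRIV = keypair(2**31 - 1, 2**521 - 1)   # Mallory
SESSION_KEY = 0x00112233445566778899AABBCCDDEEFF     # constructed value

BANK_CERT = issue_cert("bank.example", BANK_PUB, CA_PRIV)
SWAPPED = dict(BANK_CERT, pub=MAL_PUB)  # Mallory swaps in her own public key
SELF_SIGNED = issue_cert("bank.example", MAL_PUB, MAL_PRIV)  # "make your own"

if __name__ == "__main__":
    for name, cert in [("CA-signed", BANK_CERT), ("key swapped", SWAPPED),
                       ("self-signed", SELF_SIGNED)]:
        print(name, "->", verify_cert(cert, "bank.example", CA_PUB))
```

Only the CA-signed certificate verifies, so the session key is never encrypted to Mallory's substituted key.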

Page 14: Encryption, SSL and Certificates

Disadvantages of SSL and Certificates
• Certificate Authorities' security can be breached.
  • Diginotar: In July 2011 a man was able to make a near-perfect Google replica. Diginotar certificates are now banned from most browsers.
  • Trustwave, an international Certificate Authority, sold the trusted root certificates to an unknown client. There is reason to believe Trustwave is not the only CA to do this.
• Heartbleed bug: heartbleed.com
• There are patented interception taps: patent
• Governments and vendors use interception taps.