Embed Size (px)
Citation preview
2My Presentation
Main Contents:
• Introduction
• Key Scheme
• History and Development
• Why use SSL?
• SSL Certificate
• SSL Architecture
• SSL Protocols
• SSL Record Protocol
• SSL Handshake Protocol
Introduction:
• SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser.
• SSL is transport layer protocol.
• SSL resides beneath of Application layer and above the network layer.
Application Layer
Transport Layer
Network Layer
3
Key Scheme:
SSL uses a cryptographic system that uses two keys to encrypt data
•Each client-server pair uses
• 2 public keys
• one for client (browser)
• created when browser is installed on client machine
• one for server (http server)
• created when server is installed on server hardware
• 2 private keys
• one for client browser
• one for client browser
4
5My Presentation
History and Development:
Invention
• The Netscape company created the SSL protocol in 1994.
Versions
• SSL 1.0
• Internal Netscape design, early 1994.
• Lost in the mists of time and was never publically released.
• SSL 2.0
• Published by Netscape, November 1994.
• 40 bit key uses for encryption and it was badly broken.
• SSL 3.0
• Designed by Netscape and Paul Kocher, November 1996.
• It relies on MAC’s that are encrypted at 128 bits.
6My Presentation
History and Development:
• TLS 1.0
• The Internet Engineering Task Force (IETF) began work to develop a standard protocol that provided the same functionality [as SSL]. They used SSL 3.0 as the basis for that work, which became the TLS protocol in
• IETF develop TLS 1.0 in January 1999 was defined in RFC 2246.
• TLS 1.1 was defined in RFC 2346 in April 2006.
• TLS 1.2 was defined in RFC 5246 in August 2008.
Why use SSL?
• The primary reason why SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can understand it.
• A proper SSL certificate also provides authentication.
• SSL providers will also give you a trust seal that instills more trust in your customers.
• SSL protects from phishing
7
SSL Certificate:
• An SSL certificate is a digital certificate using SSL technology perform Two specific functions.
• Authentication
• SSL certificate has information about the authenticity of certain details regarding the identity of a person.
• Data Encryption
• SSL certificate also enables encryption which means that the sensitive information exchanged via the website cannot be intercepted and read by anyone other than the intended recipient.
8
Valid SSL Certificate:
9
SSL Architecture:
• The SSL is a method for providing security for web based applications.
• SSL is not a single protocol but rather two layers of protocols
as shown in figure
10
SSL Protocols:
• In particular the HTTP, which provides the transfer service for web client/server interaction, can operate on top SSL.
• Three Higher layer protocols are defined as part of SSL:
• The Change Cipher Spec Protocol
• The Alert Protocol
• Handshake Protocol
11
12
My Presentation
SSL Change Cipher Spec Protocol:
• The change cipher spec Protocol is one of 3 SSL specific protocols which use the SSL Record protocol.
• This protocol consists of a single message , which consists of a single byte with value 1.
• The purpose of message is to
• Cause copy of pending state to current state.
• Updates cipher suite to be used on the current connection .
SSL Alert Protocol:
• Used to conveys SSL-related alerts to peer entity(error messages fatal alerts and warnings).
• Alert protocol consists of two bytes
• 1st byte : warning or fatal.
• 2nd byte: code for specific alerts.
• Specific alert types
• unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter.
• close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown.
• Compressed & encrypted like all SSL data.
13
14
My Presentation
Fatal Alerts:
First , we list those alerts that are always fatal (definitions from the SSL specification)• Unexpected message: An inappropriate message was received. • Bad_record _mac: An incorrect MAC was received.• Decompression failure: The decompression function received improper Input . • Handshake failure: Sender was unable to negotiate an acceptable set of security parameters given the options available. • Illegal parameter: A field in a hand shake message was out of range or inconsistent with other field.
15
My Presentation
Warnings:
• No certificate: May be sent in the response to a certificate request if no appropriate certificate is available.
• Bad certificate: A received certificate was corrupt (e.g., contained a signature that did not verify).
• Unsupported certificate: The type of the received certificate is not supported .
• Certificate revoked: A certificate has been revoked by its signer.
• Certificate expired: A certificate has expired.
SSL Record Protocol
• The Record Protocol takes an application message to be transmitted, fragments the data into blocks, compresses the data (optionally), applies a MAC, encrypts, adds a header and transmits the resulting unit.
Steps:
• Fragmentation: The record layer fragments information blocks into SSL Plaintext records of 214 bytes or less.
• Compression: All records are compressed using the compression algorithm. The compression algorithm translates an SSL Plaintext structure into an SSL Compressed structure.
• Compute a MAC – All records are protected using the encryption and MAC algorithms defined in the current Cipher Spec. A shared secret key is used.
16
17
18
• Stand for message authentication code.• A MAC function is an authentication scheme deriver by applying a
secret key to a message in some form. This does not mean the symmetric key is used to encrypt the massage.
• MAC is responsible for the verification of integrity of the message include in the transmitted record . It is the result of a hash function that follows a specific hash algorithm , foe example MD5 or SHA-1 .
MAC is determined as a hash function.
MAC
Header:
• Content Type (8 bits):
• The higher layer protocol used to process the enclosed fragment.
• Major Version (8bits):
• Indicates major version of SSL in use. For SSL v 3, the value is 3.
• Major Version (8bits):
• Indicates minor version in use. For SSL v 3, the value is 0.
• Compressed Length (16bits):
• The length in bytes of the plaintext fragment (or compressed fragment if compression is used)
The maximum value is 214+2048.
19
SSL Handshake Protocol
• allows server & client to:
• authenticate each other
• to negotiate encryption & MAC algorithms
• to negotiate cryptographic keys to be used
• comprises a series of messages in phases
• Establish Security Capabilities
• Server Authentication and Key Exchange
• Client Authentication and Key Exchange
• Finish
20
21
Handshake Protocol
• This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record.
• The client sends a client hello message to which the server must respond with a server hello message.
• The client hello and server hello are used to establish security enhancement capabilities between client and server. The client hello and server hello establish the following attributes: protocol version, session ID, cipher suite, and compression method.
• After the hello messages, the server will send its certificate. A server key exchange message may be sent. If the server is authenticated, it may request a certificate from the client, if that is appropriate to the cipher suite selected.
22
• Now the server will send the server hello done message, indicating that the hello-message phase of the handshake is complete. The server will then wait for a client response.
• If the server has sent a certificate request message, the client must send the certificate message. The client key exchange message is sent, and the content of that message will depend on the public key algorithm selected between the client hello and the server hello. If the client has sent a certificate with a digitally-signed certificate, then a verify message is sent to explicitly verify the certificate.
23
• Null or standard stream cipher - Stream ciphers convert SSL Compressed fragment structures to and from stream SSL Cipher text
• CBC block cipher - For block ciphers (such as DES), the encryption and MAC functions convert SSL Compressed fragment structures to and from block SSL Cipher text fragment structures.
• Record header
24
The End
25
![[MS-SSTP]: Secure Socket Tunneling Protocol (SSTP)](https://img.pdfslide.us/doc/110x75/61a4fc0b5fc6f545ec57f4f6/ms-sstp-secure-socket-tunneling-protocol-sstp.jpg)
