
Encryption, SSL, & Certificates



Presentation Transcript


  1. Encryption, SSL, & Certificates
     Maggie Wettergreen & Scott Crooks

  2. Agenda
     • Encryption
       • What is it?
       • Why is it necessary?
       • How does it work?
     • Public Key Certificates
       • Definition
       • Usage
       • Strengths & Weaknesses
     • SSL/TLS (Secure Sockets Layer/Transport Layer Security)
       • Protocols
       • Encryption
       • Handshake

  3. Encryption
     Process of encoding messages (or information) so that eavesdroppers or hackers cannot read them, but authorized parties can.
     Used to protect sensitive data transferred between parties on the internet, such as e-commerce transactions.

  4. Symmetric Key Encryption
     Encryption requiring a previously agreed-upon cipher key, held by both parties, which both encrypts and decrypts the plaintext.

  5. Public Key Encryption
     Process using a publicly known key to encrypt plaintext and a secret private key to decrypt the ciphertext. Also known as asymmetric cryptography.

  6. Public Key Certificates
     Document that binds a public key to an identity.

  7. Public Key Infrastructure (PKI)
     Collection of hardware, software, people, policies, procedures, etc. required to create, manage, distribute, use, store, and revoke digital certificates.

  8. Certificate Authority (CA)
     • Issues a certificate that verifies the ownership of a public key by the named party.
     • Certificates are usually purchased.
     • PKI cannot be considered “provable security” unless a trusted third-party CA is used.
     • Trust in the CA is extended to those the CA vouches for.

  10. Vendor Classes
     • Certificate vendors may define classes which require different levels of verification before certificates can be issued.
     • Example:
       • Class 1 for individuals, intended for email.
       • Class 2 for organizations — proof of identity is required.
       • Class 3 for servers and software signing — independent verification and checking of identity and authority done by the issuing certificate authority.
     • Classes depend on the vendor.
     • Requirements are tailored to your security need.

  11. Extended Validation
     • Extensive Verification
     • Issuing Criteria
     • Criticism
       • Availability to small businesses
       • Effectiveness against phishing

  12. Weaknesses
     • Presenting a different certificate
     • Built-in trusted Root Certificates
     • Users (and applications) are free to extend the Root list

  13. SSL/TLS
     • Secure Sockets Layer/Transport Layer Security
     • Cryptographic protocol to provide security
       • Authentication via asymmetric encryption
       • Confidentiality through symmetric encryption
     • TCP/IP & OSI implementation
       • Session Layer
         • Handshake
         • Asymmetric encryption
       • Presentation Layer
         • Data encrypted using shared-key encryption

  14. Purpose
     • Prevent eavesdropping and tampering
       • Man-in-the-middle attacks
       • Cross-site attacks
       • Spoofing
     • Client must request SSL/TLS use
       • Connect to a specific port
       • Protocol-specific message
     • Web applications
       • E-commerce
       • Asset management

  15. Handshake Process
     • Client Hello
     • Server Hello
     • Certificate
     • Server Hello Done
     • Client Key Exchange
     • Client sends Change Cipher Spec
     • Server sends Change Cipher Spec
     • Handshake Complete
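The certificate checks from slides 6 to 12 and the Certificate / Client Key Exchange steps of slide 15, as an added example that is not part of the presentation: a toy CA issues a certificate, the client accepts it only if a root it trusts signed it and it names the host the client meant to reach, and the premaster secret then travels encrypted to the certified key so both sides derive the same session key. The primes, the hostname shop.example and the rogue CA are constructed values; real TLS uses far larger keys, proper padding and a full record layer.

```python
# Toy model of the slides' PKI and handshake: a CA signs a certificate that binds
# a key to a hostname, the client verifies it against its trusted roots, then
# sends the premaster secret encrypted to that key. Textbook RSA with tiny
# constructed primes and a hash reduced mod n: illustration, not real crypto.
import hashlib, secrets

def rsa_keypair(p, q):  # ((n, e), (n, d)); 65537 is prime and divides no phi below
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, 65537), (n, pow(65537, -1, phi))

def digest_mod_n(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    return pow(digest_mod_n(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest_mod_n(data, pub[0])

def to_be_signed(subject, pub):  # the fields a certificate binds together
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_certificate(ca_priv, subject, subject_pub):  # CA vouches for the key
    return {"subject": subject, "pub": subject_pub,
            "sig": sign(ca_priv, to_be_signed(subject, subject_pub))}

def certificate_trusted(cert, trusted_roots, hostname):
    """Client's Certificate step: vouched for by a root we trust, and naming
    the server we meant to reach (a valid cert for another name fails)."""
    tbs = to_be_signed(cert["subject"], cert["pub"])
    vouched = any(verify(root, tbs, cert["sig"]) for root in trusted_roots)
    return vouched and cert["subject"] == hostname

def session_key(premaster):  # both sides derive the symmetric data key from it
    return hashlib.sha256(premaster.to_bytes(4, "big")).hexdigest()

def client_key_exchange(cert, trusted_roots, hostname):
    """Returns (ciphertext for the server, client session key) or raises."""
    if not certificate_trusted(cert, trusted_roots, hostname):
        raise ValueError("certificate rejected")
    n, e = cert["pub"]
    premaster = secrets.randbelow(n - 1) + 1  # 1 <= premaster < n
    return pow(premaster, e, n), session_key(premaster)

def server_finish(server_priv, ciphertext):  # server recovers the same key
    n, d = server_priv
    return session_key(pow(ciphertext, d, n))

ROOT_PUB, ROOT_PRIV = rsa_keypair(1009, 1013)      # trusted root CA (constructed)
SERVER_PUB, SERVER_PRIV = rsa_keypair(1019, 1021)  # the server's key pair
ROGUE_PUB, ROGUE_PRIV = rsa_keypair(1031, 1033)    # a CA the client does not trust
GOOD_CERT = issue_certificate(ROOT_PRIV, "shop.example", SERVER_PUB)
```

A certificate for shop.example signed by ROGUE_PRIV is rejected with the root list [ROOT_PUB] but accepted once ROGUE_PUB is appended to it, which is the "extend the Root list" weakness from slide 12 in miniature.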

  16. Security Risks
     • BEAST Attack
     • CRIME Attack
     • Padding Attacks
     • RC4 Attacks
     • Many security flaws have been addressed in newer versions of TLS
     • But…

  17. Browser support of TLS Versions
