Secure Socket Layer SSL

rufus

Presentation Transcript


    1. Secure Socket Layer (SSL)

    2. TCP/IP Protocol Stack

    3. Protocols
        - IP (Internet Protocol): has IP address (32 bits, network + host portions)
        - ICMP (Internet Control Message Protocol): control IP traffic
        - TCP (Transmission Control Protocol): implements virtual circuit for reliable connection-oriented comm.
        - UDP (User Datagram Protocol): implements connectionless comm.
        - HTTP: for WWW
        - LDAP: directory access
        - IMAP: access email over Internet
        - TELNET: for remote login
        - DNS: translates names into IP addresses
        - NFS: network file system, for sharing files among systems
        - PING: checks other machines

    4. Let us find out the routers when we shop on-line
        - When we connect from USC Upstate computers to http://www.amazon.com/ via IE or Netscape, our packets have a long trip to get there.

    7. Location of SSL

    8. SSL vs. IPSec and others

    9. X.509 public key certificate

    10. Flow of actions in SSL
        - Authenticate the server to the client.
        - Allow the client and server to select the cryptographic algorithms they both support.
        - Optionally authenticate the client to the server.
        - Use public-key encryption to generate shared secrets.
        - Establish an encrypted SSL connection.

    11. Capabilities of SSL
        - To establish an encrypted, not necessarily authenticated, communication channel between a client and a server.
        - To authenticate the server, and establish a secure channel (the case of RSA).
        - To authenticate the server, and establish a secure channel (general case, incl. RSA).
        - To authenticate the server AND the client, and establish an authenticated secure channel.

    12. Establish encrypted, but unauthenticated, channel

    13. 4 moves & 9 messages in SSL

    14. 1. ClientHello (C → S)
        - Version: identifies the highest version of the SSL protocol that the client can support
        - RandomNumber: 32-bit random number used to seed the cryptographic computation
        - Session ID: identifies a specific SSL session
        - CipherSuites: a list of cryptographic parameters/schemes that the client can support
        - CompressionMethods: identifies data compression methods that the client can support

    15. 2. ServerHello (C ← S)
        - Version: identifies the highest version of the SSL protocol to be used for this communication
        - RandomNumber: 32-bit random number used to seed the cryptographic computation
        - Session ID: identifies a specific SSL session
        - CipherSuites: the cryptographic parameters/schemes to be used
        - CompressionMethods: the data compression methods to be used
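
The five ClientHello fields from slide 14, encoded and decoded in Python as an added example that is not part of the original presentation. It assumes the SSL 3.0 wire layout, in which the random field occupies 32 bytes on the wire; the function names, the sample message and the three-entry cipher suite table are constructed for illustration.

```python
import struct

# Cipher suite code points from the SSL 3.0 specification (subset).
SUITE_NAMES = {
    0x0004: "SSL_RSA_WITH_RC4_128_MD5",
    0x0005: "SSL_RSA_WITH_RC4_128_SHA",
    0x000A: "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}

def build_client_hello(version, random, session_id, suites, compression):
    """Encode a ClientHello handshake message (no record-layer header)."""
    body = bytes(version) + random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += bytes([len(compression)]) + bytes(compression)
    return b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello

def parse_client_hello(msg):
    """Decode the five fields; raise ValueError on malformed input."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    body = msg[4:]
    if int.from_bytes(msg[1:4], "big") != len(body):
        raise ValueError("length field does not match body")
    pos = 0

    def take(n):
        # Every read is bounds-checked so a lying length byte cannot over-read.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past end of message")
        pos += n
        return body[pos - n:pos]

    version = tuple(take(2))
    random = take(32)
    session_id = take(take(1)[0])
    raw = take(int.from_bytes(take(2), "big"))
    if len(raw) % 2:
        raise ValueError("odd cipher suite list length")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    compression = list(take(take(1)[0]))
    return {"version": version, "random": random, "session_id": session_id,
            "cipher_suites": [SUITE_NAMES.get(s, hex(s)) for s in suites],
            "compression_methods": compression}

# Constructed sample: SSL 3.0 client, new session, three suites, no compression.
SAMPLE = build_client_hello((3, 0), bytes(range(32)), b"", [0x0004, 0x0005, 0x000A], [0])
```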

    16. 3. ServerKeyExchange (C ← S)
        - Contains the (public) key information
        - Exact format depends on the particular public key algorithm selected
        - Not encrypted!

    17. 4. ServerHelloDone (C ← S)
        - Contains no information, other than that it's done!

    18. 5. ClientKeyExchange (C → S)
        - Client tells the server key information for symmetric ciphers to be used
        - Encrypted using the server's public key!

    19. 6 & 8. ChangeCipherSpec (C → S & C ← S)
        - After message #5, a preliminary SSL negotiation is complete, and both parties are ready to use the security services negotiated
        - These 2 messages explicitly indicate that security services should now be invoked
        - In other words, to activate the options

    20. 7 & 9. Finished
        - To authenticate:
            - Key information
            - Contents of all previous SSL handshake messages exchanged between the 2 parties
            - A special value to indicate whether the sender is a client or a server
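
How the Finished value binds the three items on slide 20, as an added Python example that is not part of the original presentation. It follows the SSL 3.0 specification's nested MD5/SHA construction with the sender constants "CLNT" and "SRVR"; the master secret and the handshake message bytes are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib
import hmac

SENDER_CLIENT = b"CLNT"  # 0x434C4E54 in the SSL 3.0 specification
SENDER_SERVER = b"SRVR"  # 0x53525652

def _nested(hash_fn, pad_len, transcript, sender, master_secret):
    # hash(master_secret + pad2 + hash(messages + sender + master_secret + pad1))
    inner = hash_fn(transcript + sender + master_secret + b"\x36" * pad_len).digest()
    return hash_fn(master_secret + b"\x5c" * pad_len + inner).digest()

def finished_value(messages, sender, master_secret):
    """36-byte Finished payload: 16-byte MD5 part followed by 20-byte SHA part."""
    transcript = b"".join(messages)
    return (_nested(hashlib.md5, 48, transcript, sender, master_secret)
            + _nested(hashlib.sha1, 40, transcript, sender, master_secret))

def verify_finished(received, messages_seen, sender, master_secret):
    """Recompute over the messages this side saw; compare in constant time."""
    expected = finished_value(messages_seen, sender, master_secret)
    return hmac.compare_digest(received, expected)

# Constructed stand-ins for the key information and the handshake messages.
MASTER = bytes(range(48))
SENT = [b"ClientHello:suites=000a,0004", b"ServerHello:suite=000a",
        b"ServerKeyExchange", b"ServerHelloDone", b"ClientKeyExchange"]
# What the peer would have seen had one byte of the ClientHello changed in transit.
ALTERED = [b"ClientHello:suites=000a,0005"] + SENT[1:]

def demo():
    client_finished = finished_value(SENT, SENDER_CLIENT, MASTER)
    return {
        "intact": verify_finished(client_finished, SENT, SENDER_CLIENT, MASTER),
        "altered_transcript": verify_finished(client_finished, ALTERED, SENDER_CLIENT, MASTER),
        "wrong_sender": verify_finished(client_finished, SENT, SENDER_SERVER, MASTER),
        "wrong_key": verify_finished(client_finished, SENT, SENDER_CLIENT, bytes(48)),
    }
```

Only the first check in `demo()` succeeds: a change to any earlier message, a Finished value reflected back with the other side's role, or a different master secret each produce a mismatch.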

    21. Establish encrypted channel, with server being authenticated

    22. Certificate message from server
        - Contains a certificate chain beginning with the server's public key certificate and ending with the root certificate authority's certificate
        - The client browser usually has well-known CA certificates preloaded
        - The certificate contains the Internet domain name of the server, which must be verified by the client
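
The domain name check from slide 22, sketched in Python as an added example that is not part of the original presentation. It takes a certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns and assumes a simplified rule: only `subjectAltName` DNS entries are considered and a wildcard must be the whole leftmost label. Python's own `ssl` module performs this check itself when `check_hostname` is enabled; the sample certificate and host names are constructed.

```python
def san_dns_names(cert):
    """DNS names from the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, hostname):
    """Compare label by label, case-insensitively."""
    want = hostname.lower().rstrip(".").split(".")
    have = pattern.lower().rstrip(".").split(".")
    if len(want) != len(have) or "" in want:
        return False
    if have[0] == "*":
        # A wildcard stands for exactly one label and needs two fixed labels after it.
        return len(have) >= 3 and have[1:] == want[1:]
    # Any other use of "*" (partial label, inner label) is rejected outright.
    return "*" not in pattern and have == want

def server_identity_ok(cert, hostname):
    """True only if the name the client asked for is one the certificate lists."""
    return any(name_matches(p, hostname) for p in san_dns_names(cert))

# Constructed certificate contents, in getpeercert() form.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
}
```

The comparison is against the host name the user requested, not a name taken from the certificate or from the server's own messages; a valid chain for a different name fails this check.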

    23. Advantages
        - Separating encryption from authentication
        - Applicable to not only RSA but also other digital signature-only schemes such as DSS
        - Preferred to the previous technique, which did NOT separate encryption from authentication
        - (ServerKeyExchange is signed using the server's private key, for the client to verify using the server's matching public key!)

    24. Establish encrypted channel, with mutual authentication

    25. CertificateRequest (C ← S)
        - CertificateTypes: a list of certificate types acceptable to the server
        - DistinguishedNames: a list of distinguished names of certificate authorities acceptable to the server (X.500 names)
        - (The server MUST authenticate itself, i.e., must have Certificate from S to C)

    26. Certificate (C → S)
        - The client's public key is used for signature verification only, not for encryption
        - If the client does not have a certificate, it sends a NoCertificateAlert

    27. CertificateVerify (C → S)
        - The client signs:
            - Key information
            - Contents of all previous SSL handshake messages exchanged between them
        - The server verifies the identity of the client using its public key

    28. Cryptographic algorithms supported by SSL v3.0
        - Public key encryption/key-distribution: RSA, Diffie-Hellman
        - Digital signature: RSA, DSS
        - Symmetric ciphers: RC2, RC4, DES, 3DES, IDEA, FORTEZZA
        - 1-way hash: MD5, SHA

    29. Securing other applications using SSL

    30. Components of SSL

    31. References for SSL
        - SSL: http://home.netscape.com/eng/ssl3/
        - Open source for SSL developers: http://www.openssl.org/
