SSL Trust Pitfalls
This slide deck walks through the SSL handshake, contrasting the server-side (1-way) and client-side (2-way) handshakes with RSA. It surveys root CA models (a single root CA, a single root CA with multiple RAs, multiple root CAs, and root CAs with intermediate CAs) and uses them to illustrate trust pitfalls: server-side masquerading, man-in-the-middle attacks, and attribute-based client-side masquerading. Stressing that careful deployment is needed in both SSL modes, the deck is a resource for professionals securing web communications.
Presentation Transcript
SSL Trust Pitfalls (Prof. Ravi Sandhu)

SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA
[Diagram: Handshake Protocol; Record Protocol]

CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA
[Diagram: Handshake Protocol; Record Protocol]

SINGLE ROOT CA MODEL
[Diagram: one Root CA certifying users a through p; Root CA -> User]

SINGLE ROOT CA, MULTIPLE RAs MODEL
[Diagram: one Root CA certifying users a through p, with registration through several RAs; User -> RA -> Root CA]

MULTIPLE ROOT CAs MODEL
[Diagram: several Root CAs, each certifying its own subset of users a through p; Root CA -> User under each root]

ROOT CA PLUS INTERMEDIATE CAs MODEL
[Diagram: hierarchy labels Z; X, Y; Q, R, S, T; A, C, E, G, I, K, M, O; users a through p]

MULTIPLE ROOT CAs PLUS INTERMEDIATE CAs MODEL (three build slides)
[Diagram: hierarchy labels X; S, T, Q, R; A, C, E, G, I, K, M, O; users a through p]

MULTIPLE ROOT CAs PLUS INTERMEDIATE CAs MODEL
• Essentially the model on the web today
• Deployed in server-side SSL mode
• Client-side SSL mode yet to happen

SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA (repeated)
[Diagram: Handshake Protocol; Record Protocol]

SERVER-SIDE MASQUERADING (three build slides)
[Diagram 1 labels: Bob, Web browser; www.host.com, Web server; Server-side SSL; www.host.com certificate from Ultratrust Security Services]
[Diagram 2 labels: Bob, Web browser; www.host.com, Web server; Ultratrust Security Services; Server-side SSL (two sessions); Mallory's Web server; www.host.com certificate from BIMM Corporation]
[Diagram 3 labels: Bob, Web browser; www.host.com, Web server; Ultratrust Security Services; Server-side SSL (two sessions); BIMM Corporation; Mallory's Web server; www.host.com; Ultratrust Security Services; www.host.com]

CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA (repeated)
[Diagram: Handshake Protocol; Record Protocol]

MAN IN THE MIDDLE MASQUERADING PREVENTED
[Diagram labels: Client-side SSL end-to-end; Bob, Web browser; www.host.com, Web server; Bob and www.host.com certificates from Ultratrust Security Services; Client-side SSL (two sessions); Mallory's Web server; BIMM Corporation; www.host.com; Ultratrust Security Services; Bob]

ATTRIBUTE-BASED CLIENT SIDE MASQUERADING (four build slides)
[Diagram 1 labels: Joe@anywhere, Web browser; BIMM.com, Web server; Client-side SSL; Joe@anywhere and BIMM.com certificates from Ultratrust Security Services]
[Diagram 2 labels: Alice@SRPC, Web browser; BIMM.com, Web server; Client-side SSL; Alice@SRPC certificate from SRPC; BIMM.com certificate from Ultratrust Security Services]
[Diagram 3 labels: Bob@PPC, Web browser; BIMM.com, Web server; Client-side SSL; Bob@PPC certificate from PPC; BIMM.com certificate from Ultratrust Security Services]
[Diagram 4 labels: Alice@SRPC, Web browser; BIMM.com, Web server; Client-side SSL; SRPC; Ultratrust Security Services; PPC; BIMM.com; Bob@PPC]
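The two masquerading scenarios above share one root cause: a relying party that trusts several CAs accepts a name from whichever trusted CA happens to assert it. The following is an added example, not part of the deck and not code from the author; it models the slides' parties (Bob, www.host.com, Mallory's server, Ultratrust Security Services, BIMM Corporation, SRPC, PPC, Alice@SRPC, Bob@PPC) as constructed data and shows a relying-party check that first reproduces both pitfalls and then rejects them. The certificate model, the build_chain and validate functions, the suffix-based name-constraint rule and the issuer pin are assumptions of this example; cryptographic signature verification is assumed to have already succeeded, since the pitfalls lie in the trust policy rather than in the signatures.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model (assumption of this example): who the
    certificate names and which CA signed it. Signature verification is
    assumed done; the relying-party trust policy is what is modelled."""
    subject: str          # DNS name ("www.host.com") or attribute ("Alice@SRPC")
    issuer: str           # name of the signing CA
    is_ca: bool = False   # True for intermediate CA certificates


def build_chain(leaf: Cert, pool: List[Cert], roots: Set[str]) -> Optional[List[Cert]]:
    """Follow issuer links from the leaf through intermediate CA certs in
    `pool` until a trusted root name is reached. Returns the path, leaf
    first, or None when no trusted root is reachable."""
    chain, seen, current = [leaf], {leaf.subject}, leaf
    while current.issuer not in roots:
        parent = next((c for c in pool if c.is_ca and c.subject == current.issuer
                       and c.subject not in seen), None)
        if parent is None:
            return None
        chain.append(parent)
        seen.add(parent.subject)
        current = parent
    return chain


def validate(leaf: Cert, pool: List[Cert], roots: Set[str],
             constraints: Optional[Dict[str, List[str]]] = None,
             pins: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Relying-party trust decision.

    constraints: CA name -> subject-name suffixes that CA may certify
                 (a CA absent from the dict is unconstrained: the pitfall).
    pins:        subject name -> the root the relying party expects for it.
    """
    constraints, pins = constraints or {}, pins or {}
    chain = build_chain(leaf, pool, roots)
    if chain is None:
        return False, "no path to a trusted root"
    root = chain[-1].issuer

    # Every CA on the path (intermediates and the root) must be allowed to
    # vouch for this subject: the idea behind X.509 name constraints.
    for ca in [c.subject for c in chain[1:]] + [root]:
        allowed = constraints.get(ca)
        if allowed is not None and not any(leaf.subject.endswith(s) for s in allowed):
            return False, f"{ca} is not permitted to certify {leaf.subject}"

    # Pinning: a name the relying party already knows must come from the
    # root it remembers, not from any other root that is also in the store.
    if leaf.subject in pins and pins[leaf.subject] != root:
        return False, f"{leaf.subject}: expected root {pins[leaf.subject]}, got {root}"

    return True, " -> ".join(c.subject for c in chain) + f" -> {root}"


def server_side_masquerading() -> Dict[str, bool]:
    """Constructed scenario from the slides: Bob's browser trusts two roots,
    and Mallory holds a www.host.com certificate from the second root."""
    roots = {"Ultratrust Security Services", "BIMM Corporation"}
    genuine = Cert("www.host.com", "Ultratrust Security Services")
    mallory = Cert("www.host.com", "BIMM Corporation")
    pins = {"www.host.com": "Ultratrust Security Services"}
    return {
        "genuine": validate(genuine, [], roots)[0],
        "mallory_unpinned": validate(mallory, [], roots)[0],   # accepted: the pitfall
        "mallory_pinned": validate(mallory, [], roots, pins=pins)[0],
    }


def client_side_masquerading() -> Dict[str, bool]:
    """Constructed scenario from the slides: BIMM.com trusts Ultratrust, under
    which SRPC and PPC are intermediates. A certificate that asserts an SRPC
    attribute but is signed by PPC is mis-issued."""
    roots = {"Ultratrust Security Services"}
    pool = [Cert("SRPC", "Ultratrust Security Services", is_ca=True),
            Cert("PPC", "Ultratrust Security Services", is_ca=True)]
    alice = Cert("Alice@SRPC", "SRPC")
    bob = Cert("Bob@PPC", "PPC")
    misissued = Cert("Alice@SRPC", "PPC")
    constraints = {"SRPC": ["@SRPC"], "PPC": ["@PPC"]}
    return {
        "alice": validate(alice, pool, roots, constraints)[0],
        "bob": validate(bob, pool, roots, constraints)[0],
        "misissued_unconstrained": validate(misissued, pool, roots)[0],   # accepted: the pitfall
        "misissued_constrained": validate(misissued, pool, roots, constraints)[0],
    }


if __name__ == "__main__":
    print(server_side_masquerading())
    print(client_side_masquerading())
```

Run as a script, it prints both result dictionaries. The unconstrained and unpinned entries come back True, which is exactly the pitfall the slides draw: the relying party cannot tell Mallory's www.host.com from the genuine one, or a PPC-signed Alice@SRPC from an SRPC-signed one, because both chains end at a trusted root. Binding each CA to the namespace it is authoritative for, and remembering which root a known name came from, turns those two cases into rejections without affecting the legitimate ones.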
PKI AND TRUST
• Got to be very careful
• Not a game for amateurs
• Not many professionals as yet