ssl and certificates

Post on 15-Nov-2014


Topic: Implementation of SSL & TLS for Application servers

03/19/08 1

Introduction:

The Internet is a network for everyone: everyone and everything on it is open, which makes it highly insecure. Netscape Corporation therefore created the SSL protocol for secure transactions.


SSL (Secure Sockets Layer): a protocol for data encryption. It is an open, non-proprietary protocol; the current implementation is OpenSSL. It is used for:

a. data encryption
b. server authentication
c. data integrity
d. client authentication


* Enhancing and ensuring the security of transactional data
* Securing transactions on the Web using Apache-SSL
* Securing user access for remote access
* Securing e-mail services (IMAP, POP3)


TLS:

Transport Layer Security (TLS)

Provides security at the transport layer.

Non-proprietary version of SSL.

Allows two parties to exchange messages in a secure environment.


Position of TLS:


TLS requirements:

Protocols:
* entity authentication protocol
* message authentication protocol
* encryption/decryption protocol

Each party uses a predefined function to create the session keys.

A digest is calculated and appended to each message. The message and digest are then encrypted using the encryption/decryption protocol. Each party extracts the keys and parameters it needs for message authentication and encryption/decryption.
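The three steps above (session keys from a predefined function, digest appended to the message, message and digest encrypted) as an added Go example; it is not code from the slides. HMAC-SHA256 stands in for the digest and AES-128-CTR for the encryption, and the master secret, IV and key-derivation labels are constructed stand-ins for what a real handshake and the TLS key-expansion function would supply.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// digest is the message-authentication function (HMAC-SHA256).
func digest(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// deriveKeys: both parties run the same predefined function over the shared
// master secret. The labels are a constructed assumption, not the TLS PRF.
func deriveKeys(masterSecret []byte) (macKey, encKey []byte) {
	return digest(masterSecret, []byte("mac key")), digest(masterSecret, []byte("enc key"))[:16]
}

// keystream applies AES-128-CTR; encrypting and decrypting are the same operation.
func keystream(key, iv, in []byte) []byte {
	block, _ := aes.NewCipher(key) // deriveKeys always yields a 16-byte key, so no error
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// protect: the digest is appended to the message, then message+digest are
// encrypted; the 16-byte IV is sent in clear in front of the ciphertext.
func protect(macKey, encKey, iv, msg []byte) []byte {
	plain := append(append([]byte{}, msg...), digest(macKey, msg)...)
	return append(append([]byte{}, iv...), keystream(encKey, iv, plain)...)
}

// unprotect: decrypt, split off the digest, recompute it and compare in constant time.
func unprotect(macKey, encKey, record []byte) ([]byte, error) {
	if len(record) < aes.BlockSize+sha256.Size {
		return nil, errors.New("record too short")
	}
	plain := keystream(encKey, record[:aes.BlockSize], record[aes.BlockSize:])
	n := len(plain) - sha256.Size
	if !hmac.Equal(plain[n:], digest(macKey, plain[:n])) {
		return nil, errors.New("digest mismatch: record altered in transit")
	}
	return plain[:n], nil
}
```

A fresh IV must be used for every record; the constant one in the test below is only for illustration.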


Cryptography:

* In Greek means "secret writing."
* Refers to the science and art of transforming messages to make them secure and immune to attacks.

Types of Cryptography:

* Symmetric-Key Cryptography
* Asymmetric-Key Cryptography


Symmetric-key cryptography

Asymmetric Cryptography:

Uses two keys: a public key and a private key.

The keys are completely independent: a private key cannot be deduced from the public one.

A message encrypted with the public key can be read only by the holder of the private key.

The public key is open; the private key is secret.


Asymmetric-key encryption


Asymmetric Encryption/Decryption

Asymmetric cryptography can simulate the security properties of a handwritten signature. Two algorithms are involved:

1. one for signing, which involves the user's private key;
2. one for verifying signatures, which involves the user's public key.


TCP/IP Protocol Suite 14

Hash function


[Figures: "Sender site" and "Receiver site" of the signing process]

Contents of a Digital ID:

* Your public key
* Your name & e-mail address
* Expiration date of the public key
* Name of the company
* Serial number of the Digital ID


[Figure: Bob's private key and Bob's public key; Bob's co-workers Pat, Doug and Susan. Caption: Anyone can get Bob's public key, but Bob keeps his private key to himself.]

[Figure: the message "Hey Bob, how about lunch at Taco Bell. I hear they have free refills!" shown in clear, in encrypted form, and in clear again after decryption; labels: Susan, Bob.]

1. Bob prepares a message digest using a hash function.

2. Bob encrypts the digest with his private key: the digital signature is created.

3. The digital signature is appended to the original document and sent to Susan.

4. Susan separates the original document and the digital signature.

Note: a digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.
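The four steps and the note above as an added Go example that is not from the slides: RSA PKCS#1 v1.5 over a SHA-256 digest stands in for the unspecified signature scheme, and Bob's key pair and the message are generated and constructed inside demo().

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// signedDoc: the document in clear with the digital signature appended (no privacy).
type signedDoc struct {
	Document  []byte
	Signature []byte
}

// sign: Bob hashes the document (SHA-256) and encrypts the digest with his
// private key; RSA PKCS#1 v1.5 signing is the concrete scheme used here.
func sign(priv *rsa.PrivateKey, doc []byte) (signedDoc, error) {
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return signedDoc{}, err
	}
	return signedDoc{Document: doc, Signature: sig}, nil
}

// verify: Susan separates document and signature, recomputes the digest and
// checks it against the signature with Bob's public key. nil means genuine.
func verify(pub *rsa.PublicKey, sd signedDoc) error {
	digest := sha256.Sum256(sd.Document)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sd.Signature)
}

// demo runs the flow with a generated key pair and a constructed message; it
// reports whether the genuine document verifies and whether an altered copy does.
func demo() (genuineOK, alteredOK bool, err error) {
	bobKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	sd, err := sign(bobKey, []byte("Susan, lunch at noon? Bob")) // constructed message
	if err != nil {
		return false, false, err
	}
	genuineOK = verify(&bobKey.PublicKey, sd) == nil
	sd.Document[0] ^= 0x20 // one bit flipped in transit
	alteredOK = verify(&bobKey.PublicKey, sd) == nil
	return genuineOK, alteredOK, nil
}
```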

Important tools:

1. GnuPG: stands for GNU Privacy Guard. Used to:
   * encrypt data
   * create digital signatures
   * help with authentication using Secure Shell
   * provide a framework for public-key cryptography

2. OpenPGP: part of the GNU Privacy Guard (GnuPG); provides digital encryption and signing services using the OpenPGP standard.

X.509:

* Standard sponsored by the ITU.
* International standard for digital certificates.
* Used to authenticate digital signatures.

[Figure: X.509 fields]

Certificate:

A body of data placed in a message to serve as proof of the sender's authenticity. It consists of encrypted information that associates a public key with the true identity of an individual.

Includes the identification and electronic signature of the Certificate Authority (CA).

Includes a serial number and the period of time during which the certificate is valid.

Why do I need a digital certificate?

* Authentication
* Privacy
* Integrity
* Nonrepudiation


Certificate Signing Request (CSR): a request made to a CA by an organization to obtain a digital certificate.

The requesting party includes information that proves its identity and digitally signs the CSR with its private key.


Certificate Authority (CA):

A trusted organization that issues certificates for both servers and clients.

CAs create digital certificates that securely bind the names of users to their public keys.

Two types of CA:

* Commercial CA
* Self-certified private CA

Commercial CA: its job is to verify the authenticity of other companies' messages on the Internet. Examples: VeriSign, Thawte.


Self-certified CA:

A root-level commercial CA is itself self-certified.

A self-certified private CA is typically used in a LAN or WAN environment.


Public-key infrastructure (PKI):

Provides public-key encryption and digital signature services.

By managing keys and certificates, an organization establishes and maintains a trustworthy networking environment.


E-mail server security:

The biggest problem is unsolicited mail, or spam.

The Simple Mail Transfer Protocol (SMTP) is simple and insecure.

The biggest abuse of the e-mail service is the open mail relay.


Open mail relay:

• sends unwanted e-mails to people
• wastes resources
• creates legal problems for companies that leave their e-mail system open

Web-server security:

Web sites get hacked because holes in applications or scripts are exploited.

Protecting a Web site starts with understanding and identifying the security risks.


Conclusion

Secure digital transactions are an important part of electronic commerce in the future.

Privacy of transactions, and authentication of all parties, is important for achieving the required level of trust.

Encryption algorithms and key sizes must be robust enough to prevent observation by hostile entities.

Thank you
