SSL Trust Pitfalls
Prof. Ravi Sandhu
Slide 2 (© Ravi Sandhu): SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA
```text
Client                                   Server

ClientHello               -------->
                                         ServerHello
                                         Certificate
                          <--------      ServerHelloDone
ClientKeyExchange
[ChangeCipherSpec]
Finished                  -------->
                                         [ChangeCipherSpec]
                          <--------      Finished
Application Data          <------->      Application Data
```
(Figure labels: the messages from ClientHello through Finished are bracketed as the Handshake Protocol; Application Data is bracketed as the Record Protocol.)
Slide 3: CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA
```text
Client                                   Server

ClientHello               -------->
                                         ServerHello
                                         Certificate
                                         CertificateRequest
                          <--------      ServerHelloDone
Certificate
ClientKeyExchange
CertificateVerify
[ChangeCipherSpec]
Finished                  -------->
                                         [ChangeCipherSpec]
                          <--------      Finished
Application Data          <------->      Application Data
```
(Figure labels: the messages from ClientHello through Finished are bracketed as the Handshake Protocol; Application Data is bracketed as the Record Protocol. Compared with slide 2, the server adds CertificateRequest and the client adds Certificate and CertificateVerify.)
Slide 4: SINGLE ROOT CA MODEL
(Figure: one Root CA issues certificates directly to users a through p. Legend: Root CA, User.)
Slide 5: SINGLE ROOT CA, MULTIPLE RA’s MODEL
(Figure: one Root CA issues certificates to users a through p, with several RAs each registering a group of users. Legend: Root CA, User, RA.)
Slide 6: MULTIPLE ROOT CA’s MODEL
(Figure: several independent Root CAs, each issuing certificates to its own group of the users a through p. Legend: Root CA, User.)
Slide 7: ROOT CA PLUS INTERMEDIATE CA’s MODEL
(Figure: a tree with Root CA Z at the top, intermediate CAs X, Y, Q, A, R, S, T, C, E, G, I, K, M, O at the lower levels, and users a through p at the leaves.)
Slides 8–10: MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL
(Figure, built up over three slides: several Root CAs and intermediate CAs X, Q, A, R, S, T, C, E, G, I, K, M, O above users a through p; a user may chain to more than one root.)
Slide 11: MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL
Essentially the model on the web today
Deployed in server-side SSL mode
Client-side SSL mode yet to happen
Slide 12: SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA
(Repeats the handshake figure of slide 2.)
Slide 13: SERVER-SIDE MASQUERADING
(Figure: Bob’s web browser connects by server-side SSL to the www.host.com web server, which presents a certificate for www.host.com issued by Ultratrust Security Services.)
Slide 14: SERVER-SIDE MASQUERADING
(Figure: as slide 13, plus Mallory’s web server, which also offers server-side SSL and presents its own certificate for www.host.com, issued by BIMM Corporation.)
Slide 15: SERVER-SIDE MASQUERADING
(Figure: Bob’s web browser connects by server-side SSL to Mallory’s web server, which presents its BIMM Corporation certificate for www.host.com; Mallory’s server in turn connects by server-side SSL to the real www.host.com, which presents its Ultratrust Security Services certificate. Bob’s browser accepts either certificate for www.host.com.)
Slide 16: CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA
(Repeats the handshake figure of slide 3.)
Slide 17: MAN IN THE MIDDLE MASQUERADING PREVENTED
(Figure: the slide-15 setup with client-side SSL on both legs. Bob’s browser holds a client certificate for Bob issued by Ultratrust Security Services; www.host.com holds its certificate from Ultratrust Security Services and Mallory’s server its certificate for www.host.com from BIMM Corporation. Figure label: Client Side SSL end-to-end, i.e. Bob is authenticated directly to www.host.com and Mallory’s server cannot sit in the middle.)
Slide 18: ATTRIBUTE-BASED CLIENT SIDE MASQUERADING
(Figure: Joe@anywhere’s web browser connects by client-side SSL to the BIMM.com web server. BIMM.com’s certificate and Joe@anywhere’s certificate are both issued by Ultratrust Security Services.)
Slide 19: ATTRIBUTE-BASED CLIENT SIDE MASQUERADING
(Figure: Alice@SRPC’s web browser connects by client-side SSL to BIMM.com, whose certificate is issued by Ultratrust Security Services; Alice@SRPC’s certificate is issued by SRPC.)
Slide 20: ATTRIBUTE-BASED CLIENT SIDE MASQUERADING
(Figure: Bob@PPC’s web browser connects by client-side SSL to BIMM.com, whose certificate is issued by Ultratrust Security Services; Bob@PPC’s certificate is issued by PPC.)
Slide 21: ATTRIBUTE-BASED CLIENT SIDE MASQUERADING
(Figure: Alice@SRPC’s web browser connects by client-side SSL to BIMM.com, whose certificate is issued by Ultratrust Security Services, and presents a certificate naming Bob@PPC; the certificate carries both the SRPC and PPC labels, i.e. the PPC affiliation is vouched for by SRPC rather than by PPC.)
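An added example, not from the slides: a toy model of certificate path validation under the multiple-root-CAs-plus-intermediates model, covering both pitfalls above. It shows server-side masquerading (slides 13–15), where Mallory’s certificate for www.host.com from BIMM Corporation validates exactly as the real one from Ultratrust Security Services does because Bob’s browser trusts both roots, and attribute-based client-side masquerading (slides 18–21), where a certificate naming Bob@PPC validates although SRPC, not PPC, issued it. The `authorized_root` pin, the "Ultratrust Issuing CA" intermediate and the certificate store are my assumptions, and signature checks are assumed to pass.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Cert:
    subject: str   # name vouched for: a host (www.host.com) or a user (Bob@PPC)
    issuer: str    # subject name of the CA that signed this certificate
    is_ca: bool = False

def build_path(leaf: Cert, intermediates: Dict[str, Cert],
               trusted_roots: Set[str], max_depth: int = 8) -> Optional[List[Cert]]:
    """Follow issuer links upward until a trusted root is reached. Signatures are
    assumed to verify (toy model). Returns the chain below the root, or None."""
    path, cur = [leaf], leaf
    for _ in range(max_depth):
        if cur.issuer in trusted_roots:
            return path
        nxt = intermediates.get(cur.issuer)
        if nxt is None or not nxt.is_ca:   # unknown issuer, or a non-CA cert posing as a CA
            return None
        path.append(nxt)
        cur = nxt
    return None                            # chain too long: treat as untrusted

def accept(leaf: Cert, name: str, intermediates: Dict[str, Cert], trusted_roots: Set[str],
           authorized_root: Optional[str] = None) -> bool:
    """The check a relying party makes: the name matches and the chain ends at *any*
    trusted root. authorized_root is an added per-name expectation (who is entitled
    to vouch for this name); the slides show the model without it."""
    path = build_path(leaf, intermediates, trusted_roots)
    if leaf.subject != name or path is None:
        return False
    return authorized_root is None or path[-1].issuer == authorized_root
ULTRATRUST, BIMM, SRPC, PPC = ("Ultratrust Security Services", "BIMM Corporation", "SRPC", "PPC")
# Constructed certificate store: one intermediate under Ultratrust; all other CAs issue directly.
INTERMEDIATES = {"Ultratrust Issuing CA": Cert("Ultratrust Issuing CA", ULTRATRUST, is_ca=True)}
GENUINE_HOST = Cert("www.host.com", "Ultratrust Issuing CA")  # the real www.host.com (slide 13)
MALLORY_HOST = Cert("www.host.com", BIMM)                    # Mallory's cert for the same name (slide 14)
BOB_PPC      = Cert("Bob@PPC", PPC)                          # Bob's cert from his own organisation (slide 20)
BOB_VIA_SRPC = Cert("Bob@PPC", SRPC)                         # a PPC name vouched for by SRPC (slide 21)
BROWSER_ROOTS = {ULTRATRUST, BIMM}                           # Bob's browser trusts both roots
SERVER_ROOTS  = {ULTRATRUST, SRPC, PPC}                      # BIMM.com's server trusts all three

if __name__ == "__main__":
    print("real host accepted:      ", accept(GENUINE_HOST, "www.host.com", INTERMEDIATES, BROWSER_ROOTS))
    print("Mallory accepted:        ", accept(MALLORY_HOST, "www.host.com", INTERMEDIATES, BROWSER_ROOTS))
    print("Mallory, root pinned:    ", accept(MALLORY_HOST, "www.host.com", INTERMEDIATES, BROWSER_ROOTS, ULTRATRUST))
    print("Bob@PPC via SRPC:        ", accept(BOB_VIA_SRPC, "Bob@PPC", INTERMEDIATES, SERVER_ROOTS))
    print("Bob@PPC via SRPC, pinned:", accept(BOB_VIA_SRPC, "Bob@PPC", INTERMEDIATES, SERVER_ROOTS, PPC))
```

Without the pin, both masquerading certificates are accepted; with it, only the certificate from the root entitled to vouch for that name passes.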
Slide 22: PKI AND TRUST
Got to be very careful
Not a game for amateurs
Not many professionals as yet