ppt on web security by monodip singha roy
TRANSCRIPT
1
WEB SECURITY(SECURE SOCKET LAYER)
MONODIP SINGHA ROY M.TECH Dr. B.C.ROY ENGINEERING COLLEGE
2
ContentsWEB SECURITYWEB SECURITY TERMINOLOGYSSL ( SECURE SOCKET LAYER )SSL ARCHITECTURETLS ( TRANSPORT LAYER
SECURITY )PROS AND CONS OF SSL/TLSSUMMARY
3
WEB SECURITYAlmost everything in today’s
world relies on computer and internet. ◦Communications (emails, phones)◦Transportation (car engine system,
airplane navigation system)◦Medicine ( medical records,
equipments)◦Shopping (online store, online
payments)◦Entertainment (digital cables)
4
What is WEB SECURITY ??
Web security , also known as “cyber security “ involves protecting the information by protecting , preventing and responding to the attacks.
5
WEB SECURITY: TERMNOLOGYHACKERS: People who strive to
exploit weaknesses in software and computer for their own gain.
VIRUSES: Infects your computer before actually u can do something.
WORMS: Propagates without users intervention.
TROJAN: A software that claims to do something while in fact doing something in background.
6
WEB SECURITY: TERNINOLOGY
RANSOMWARE:◦A form of Trojan that has been since
1989, as known as ‘PC CYBORG’ Trojan.
◦It affects the user computer by encrypting the user’s personal files.
◦The victim then contacted and offered the decrypt key in exchange of cash.
7
WEB SECURITY: TERMINOLOGYKEYLOGGERS:
◦It is an software that monitor users activity such as key typed in keyboard.
◦KeyLoggers can Record keystrokes on keyboards. Record mouse movement and clicks. Record menus that are invoked. Takes screenshot of the desktop at pre
defined intervals.
8
Web SecurityWeb now widely used by
business, government, individualsbut Internet & Web are
vulnerablehave a variety of threats
◦integrity◦confidentiality◦denial of service◦authentication
need added security mechanisms.
9
What is SSL?SSL – Secure Socket Layer it provides a �
secure transport connection between applications (e.g., a web server and a browser)
SSL was developed by Netscapeuses TCP to provide a reliable end-to-end
serviceSSL has two layers of protocols SSL v3.0 was
specified in an Internet Draft (1996) it �evolved into RFC 246 and was renamed to TLS (Transport Layer Security)
TLS can be viewed as SSL v3.1
10
SSL Architecture
11
SSL Components
SSL HANDSHAKE PROTOCOL
SSL RECORD PROTOCOL
SSL ALERT PROTOCOL
SSL CHANGE CIPHER SPEC PROTOCOL
• Negotiation of security algorithms and parameters.• Key exchange.• Server authentication and optionally client authentication.
• Fragmentation.• Compression.• Encryption.• Message authentication and integrity protection.
• Error message ( fatal alerts and warning )
• A single message that indicates the end of SSL handshake.
12
Sessions and ConnectionsAn SSL session is a connection between
client and server. Sessions are stateful ; the session state
includes security algorithm and parameters. A session may include multiple secure
connection between same server and client. Connections of the same session share the
session state. Sessions are used to avoid expensive
negotiation of new security parameters for each state.
13
Session States… Session state
◦Session identifier – arbitrary byte sequence chosen by the server to identify the session.
◦Peer certificate – may be null.◦Compression method.◦Cipher Spec – bulk data encryption
algorithm and MAC algorithm ( eg. DES, MD5 ).
◦Master key – a 48 byte secret key is used in between client and server.
◦Resumable – a flag indicating whether the session can be used to initiate new connections.
14
Connection States…Connection State
◦Server and client random – random byte sequence is chosen by the client and server for new connection.
◦Server write MAC secret – secret key is used in MAC operations on data sent by the server.
◦Client write MAC secret – secret key is used in MAC operations on data sent by the client.
◦Server write key – secret encryption key for data, encrypted by the server.
◦Client write key – secret encryption key for data, encrypted by the client.
15
How States changes??Operating state: current using
statePending state: state to be usedOperating state < Pending state:
at the transmission and reception of change cipher spec messageThe
sending part of the pending state is copied into the sending part of
operating state
The receiving
part of the pending state is
copied into the
receiving part of
operating stateParty
AParty
B
Change Cipher Spec
16
SSL session◦an association between client &
server◦created by the Handshake Protocol◦define a set of cryptographic
parameters◦may be shared by multiple SSL
connections
SSL connection◦a transient, peer-to-peer,
communications link◦associated with 1 SSL session
17
SSL Handshake ProtocolHandshake protocol is used to
exchange all the information required by both sides for the exchange of actual application data by the TRANSPORT LAYER SECURITY
18
SSL Record Protocolconfidentiality
◦using symmetric encryption with a shared secret key defined by Handshake Protocol
◦IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
◦message is compressed before encryption
message integrity◦using a MAC with shared secret key◦similar to HMAC but with different
padding
19
SSL Change Cipher Spec Protocol
one of 3 SSL specific protocols which use the SSL Record protocol
a single messagecauses pending state to become
currenthence updating the cipher suite
in use.
20
SSL Alert Protocolconveys SSL-related alerts to peer
entityseverity
warning or fatalspecific alert
unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
compressed & encrypted like all SSL data
21
What is TSL??Internet Engineering Task Force
standard RFC 2246 similar to SSLv3 with minor differences:◦In record format version number◦Uses HMAC for MAC◦Has optional alert code◦Some changes in supported ciphers◦Change in use of certificate
negotiation ◦Change in use of padding
22
Changes from SSLv3 to TLS…Fortezza removedAdditional alerts addedModification of hash calculationProtocol version 3.1 in client
hello, server hello
23
TLS : PrivacyEncrypt message so it cannot be
readUse conventional cryptography
with shared key◦DES , 3DES◦RC2, RC4◦IDEA
A (Message) $@#&!@ B(Message)
24
TLS: Key Exchange
Need secure method to exchange key
Use public key encryption for this
Choices are RSA & Diffie-Hellman
25
TLS: Integrity
Compute fixed length message authentication code (MAC)◦Includes hash of message◦Includes a shared secret key◦Includes sequence number◦Transmit MAC with message
26
TLS : AuthenticationVerify identities of participantsClient authentication is optionalCertificate is used to associate
identity with public key and other attributes
A B
CERTIFICATES
27
TLS: HTTP ApplicationHTTP is most common TLS
application https://Requires TLS-capable web serverRequires TLS-capable web
browser◦Netscape navigator◦Internet explorer◦Cryptozilla
28
Implementation of SSL/TLSSSL & TLS have widely been
implemented◦Open source software projects
( openSSL, NSS & GnuTLS)◦Microsoft windows : part of its secure
channel◦Browsers
Apple safari Internet explorer Mozilla firefox
29
Pros & Cons of SSL/TLSPros :
◦Customer will trust your website: many visitors are now savvy enough to recognize when a webpage is encrypted and protected by SSL.
◦Avoid dispute due to credit/debit card frauds: visitors uses their credit/debit cards information's on unprotected servers and faces identity theft.
30
Cons ….Cons :
◦Regular renewal : just like website domain and hosting plan, SSL certificates also expires after short period of time ; usually one to five years.
◦Complex installation : SSL is very difficult to install on websites for those who are unaware of website development.
31
Application of SSL/TLSOn top of the Transport layer
protocols◦Primarily with TCP◦Datagram transport layer security
(DTLS) for UDPEncapsulating the applications
protocols◦HTTP◦Securing WWW traffic◦FTP, SMTP, etc
32
SUMMARYSSL/TLS address the need for
security in internet communications◦Privacy – conventional encryption◦Integrity – message authentication
codes◦Authentication – X.509
SSL in use today with web browsers and servers.
33
Thank You