secure socket layer
DESCRIPTION
TRANSCRIPT
Department of Computer Science G.C. University Lahore
2
SSL/Secure Sockets Layer
Department of Computer Science G.C. University Lahore
3
Presented To:
Network
Security
Mrs. Asma
Department of Computer Science G.C. University Lahore
4
Atif Naveed BSCS-04-B-020
Kinnan Nawaz BSCS-05-B-011
Qaiser Abbas BSCS-06-B-086
Group Members
Department of Computer Science G.C. University Lahore
5
Contents
• “Overview” of Secure Socket Layer (SSL) • Introduction to ”SSL” Secure Socket Layer• How SSL ”Works”?• “Benefits and Limitation” of SSL• “Advance Concepts” of SSL• Related Protocols• Introduction to TLS Transport Layer Security• “Importance” of TLS• “Benefits” of TLS• Summary
Department of Computer Science G.C. University Lahore
6
Overview of Secure Socket Layer (SSL)
Department of Computer Science G.C. University Lahore
7
Secure connection is an encrypted exchange of information
Information cannot be tampered while being sent, but it's possible to crack the
encryption.
Golden Lock icon in Status bar. (if IE)
Certificate used to encrypt connection also contains information about identity of website
owner or organization
What is a secure connection?
Department of Computer Science G.C. University Lahore
8
Validation SSL & Security Status Bar
Department of Computer Science G.C. University Lahore
9
Extended Validation (EV) SSL Certificates
Department of Computer Science G.C. University Lahore
10
• Certificate is out of date, invalid, or has an error, phishing. Red
• Certification authority that issued it cannot be verified. Yellow
• The certificate has normal validation, no personal information. White
• The certificate uses extended validation.Green
Why different colors in the Status bar?
Department of Computer Science G.C. University Lahore
11
Why different colors in the Status bar?
Department of Computer Science G.C. University Lahore
12
Why different colors in the Status bar?
Department of Computer Science G.C. University Lahore
13
Why different colors in the Status bar?
Department of Computer Science G.C. University Lahore
14
What about other browsers?
Opera
Safari
Department of Computer Science G.C. University Lahore
15
What about other browsers?
Firefox
Department of Computer Science G.C. University Lahore
16
Introduction to SSL Secure Socket Layer
Department of Computer Science G.C. University Lahore 17
Introduction to SSL Secure Socket Layer
SSL is the most widely known Protocol.
SSL offers privacy and good reliability for Client-Server communication.
SSL negotiates the Cryptography algorithms and keys between two sides of a communication.
SSL establishes an Encrypted tunnel through which other protocols (like HTTP) can be transported.
SSL can also Authenticate both sides of communication through the use of Certificates (Optionally).
Department of Computer Science G.C. University Lahore 18
Sub-Protocols of SSL
Department of Computer Science G.C. University Lahore
19
How SSL Works
Department of Computer Science G.C. University Lahore
20
How SSL works
Department of Computer Science G.C. University Lahore 21
SSL Handshake
• (3)• Verify server
certificate. • Check
Cryptographic Parameter
• (6)• Verify Client
Certificate• (if required)
(1) Client Hello
Cryptographic information
(2) Server Hello
Cipher Suite Server certificateClient certificate request (Optional)
(4) Client Key exchange
Send secret key information (encrypted with sever public Key)(5) Send Client Certificate
(8) Server Finished
(encrypted with shared secret Key)
(9) Exchange Messages
(7) Client Finished
Department of Computer Science G.C. University Lahore
22
Microsoft Internet Explorer, Firefox, Opera
Netscape Navigator and on most operating systems and Web servers
Microsoft Windows operating system
UNIX
Novell
Apache (version 1.3 and later)
Netscape Enterprise Server
Sun Solaris
It is often integrated in news readers
Variety of other applications
Web browsers & Operating Systems
Department of Computer Science G.C. University Lahore
23
Benefits of TLS/SSL
Strong authentication
Message privacy, and integrity
TLS/SSL can help to secure transmitted data using encryption.
TLS/SSL also authenticates servers.
Authenticates clients to prove identities of parties engage (Optionally).
It also provides data integrity through an integrity check value.
In addition to protecting against data disclosure.
Department of Computer Science G.C. University Lahore
24
TLS/SSL security protocol protect against masquerade attacks
Man-in-the-middle or bucket brigade attacks
Rollback attacks
Replay attacks.
Interoperability
Algorithm flexibility
Ease of deployment
Ease of use
Benefits of TLS/SSL
Department of Computer Science G.C. University Lahore
25
TLS/SSL provides options forAuthentication mechanisms
Encryption algorithms
Hashing algorithms that are used during the secure session
Benefits of TLS/SSL
Department of Computer Science G.C. University Lahore
26
Limitations of TLS/SSL
Increased Processor Load
• This is the most significant limitation to implementing TLS/SSL.
• Cryptography, specifically public key operations, is CPU-intensive. As a result, performance varies when you are using SSL. Unfortunately, there is no way to know how much performance you will lose.
• The performance varies, depending on how often connections are established and how long they last.
• TLS uses the greatest resources while it is setting up connections.
Administrative Overhead
• A TLS/SSL environment is complex and requires maintenance; the system administrator must configure the system and manage certificates.
Department of Computer Science G.C. University Lahore
27
Advance Concepts of SSL
Department of Computer Science G.C. University Lahore
28
• SSL-secured transactions with an e-commerce Web site• Authenticated client access to an SSL-secured Web site• Remote access• SQL access• E-mail
Common TLS/SSL Scenarios
Many people think of TLS and SSL as protocols that are used with Web browsers to browse the Internet more securely.
However, they are also general purpose protocols that can be used whenever authentication and data protection are necessary.
For example, you can use TLS/SSL for:
Department of Computer Science G.C. University Lahore
29
• This situation is a typical use of SSL between a browser and a Web server. • An example is an e-commerce shopping site where clients need to provide
their credit card numbers. • The protocol first confirms that the certificate of the Web site is valid, and
then sends the client’s credit card information as cipher text. • For this type of transaction, where the server’s certificate comes from a
trusted source, authentication only occurs for the server. • TLS/SSL must be enabled for the Web page, such as an order form, where
the data transactions occur.
Common TLS/SSL Scenarios
SSL-secured transactions with an e-commerce Web site
Department of Computer Science G.C. University Lahore
30
Common TLS/SSL Scenarios
• Both the client and server need certificates from a mutually-trusted certification authority (CA).
• With Schannel, client certificates can be mapped on a one-to-one or many-to-one basis to their Windows Server 2003 user or computer accounts, and they can be managed by Active Directory Users and Computers.
• Users can then be authenticated to a Web site without needing to supply a password.• Many-to-one mapping has several uses. For example, if you want to give several users
access to confidential material, you can create a group, map the users’ certificates to the group, and give the group the necessary permissions to the material.
• In one-to-one mapping, the server has a copy of the client’s certificate; whenever the client logs in; the server verifies that they are identical. This one-to-one mapping is typically used for private material, such as a banking Web site where only one individual has the right to view a personal account.
Authenticated client access to an SSL-secured Web site
Department of Computer Science G.C. University Lahore
31
• In this situation, telecommuting is a common use for Schannel. You can use this technology to provide authentication and data protection when users remotely log in to Windows-based systems or networks.
• Users can more securely access their e-mail or enterprise applications from home or while traveling, reducing the risk of exposure of the information to anyone on the Internet.
Common TLS/SSL Scenarios
Remote access
• With Microsoft SQL Server, you can require authentication of the client when connecting to the server running SQL Server.
• Either the client or server can be configured to require encryption of the data that is transferred between them. Very sensitive information, such as financial or medical databases, can be protected to prevent unauthorized access and disclosure of information about the network.
SQL access
Department of Computer Science G.C. University Lahore
32
• When using Exchange servers, you can use Schannel to help protect data as it moves from server to server on the intranet or Internet.
• Full end-to-end security might require the use of Secure/Multipurpose Internet Mail Extensions (S/MIME);
• however, helping to protect data in a server-to-server exchange allows companies to use the Internet to securely transfer e-mail among divisions within the same company, subsidiaries, and partners. This can be done regardless of whether S/MIME is used.
Common TLS/SSL Scenarios
Department of Computer Science G.C. University Lahore
33
• In the Windows Server 2003 operating system, the Schannel Security Support Provider SSP authentication protocol suite contains TLS. The following diagram shows where Schannel fits among these and other technologies in Windows Server 2003. Client applications or server applications use Secur32.dll by way of SSPI calls to communicate with the Local Security Authority Subsystem (LSASS).
Technologies Related to Schannel
Department of Computer Science G.C. University Lahore
34
Technologies Related to Schannel
Department of Computer Science G.C. University Lahore
35
Component Description
Schannel.dll The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) authentication protocol. This protocol provides authentication over an encrypted channel instead of a less-secure clear channel.
Lsasrv.dll The LSA Server service, which both enforces security policies and acts as the security package manager for the LSA.
Netlogon.dll TLS-relevant services that the Net Logon service performs: Net Logon passes the user’s certificate information through an SSL-secured channel
to the domain controller to map the user certificate to a user account.
Secur32.dll The multiple authentication provider that implements SSPI.
Ntdsa.dll The directory service module, which supports the Windows Server 2003 and Windows 2000 replication protocol and LDAP, and manages partitions of data.
Security Subsystem Components used in TLS/SSL Authentication
Department of Computer Science G.C. University Lahore
36
Related Protocols
Department of Computer Science G.C. University Lahore
37
SSL, PCT, TLS and WTLS
SSL v2.0 (1994)
PCT v1.0 (1995)
SSL v3.0 (1996)
TLS v1.0/ SSL v3.1 (1999)
WTLS
Department of Computer Science G.C. University Lahore
38
Released by Netscape Communications in 1994.
The main goal of this protocol was to provide security for transactions over the World Wide Web.
Unfortunately, very quickly a number of security weaknesses were found in this initial version of the SSL protocol, thus making it less reliable for commercial use:
weak MAC construction
possibility of forcing parties to use weaker encryption
no protection for handshakes
possibility of an attacker performing truncation attacks
SSL v2.0
Department of Computer Science G.C. University Lahore
39
Developed in 1995 by Microsoft. Privacy Communication Technology (PCT) v1.0 addressed some weaknesses of SSL v2.0
and was aimed to replace SSL.
However, this protocol has never gained as much popularity as SSL v3.0.
PCT v1.0
Department of Computer Science G.C. University Lahore
40
Released in 1996 by Netscape Communications. SSL v3.0
solved most of the SSL v2.0 problems,
and incorporated many of the features of PCT.
Pretty quickly become the most popular protocol for securing communication over WWW
SSL v3.0
Department of Computer Science G.C. University Lahore
41
Published by IETF in 1999.
This protocol is based on SSL v3.0 and PCT and harmonizes both Netscape's and Microsoft's approaches.
It is important to note that although TLS is based on SSL,
it is not a 100% backward compatible with its predecessor.
IETF did some security improvements, such as using HMAC instead of MAC, using a different calculation of the master secret and key material, adding additional alert codes, no support for Fortezza cipher suites, and so on.
The end result of these improvements is that these protocols don't fully interoperate. Fortunately enough, TLS has also got a mode to fall back to SSL v3.0.
TLS v1.0
Department of Computer Science G.C. University Lahore
42
"Mobile and wireless" version of the TLS protocol that uses the UDP protocol as a carrier.
It is designed and optimized for the lower bandwidth and smaller processing capabilities of WAP-enabled mobile devices.
WTLS was introduced with the WAP 1.1 protocol, and was released by the WAP Forum.
However, after the introduction of the WAP 2.0 protocol, WTLS has been replaced by a profiled version of the TLS protocol,
which is much more secure -- mainly because there is no need for decryption and re-encryption of the traffic at the WAP gateway.
WTLS
Department of Computer Science G.C. University Lahore
43
Introduction to TLS Transport Layer Security
Department of Computer Science G.C. University Lahore
44
An acronym for Transport Layer Security, is a feature of mail servers designed to secure the transmission of electronic mail from one server to another using encryption technology.
TLS can reduce the risk of eavesdropping
Tampering
Message forgery mail communications.
TLS is a security protocol from the Internet Engineering Task Force (IETF) that is based on the Secure Sockets Layer (SSL) 3.0 protocol developed by Netscape.
Introduction to TLS Transport Layer Security
The TLS protocol is made up of two layers
The TLS record protocol is designed to protect confidentiality by using symmetric data encryption.
The TLS handshake protocol allows authentication between the server and client
The negotiation of an encryption algorithm and cryptographic keys before the application protocol transmits or receives any data.
TLS Protocols Layers
Department of Computer Science G.C. University Lahore 45
TLS is the successor to Secure Sockets Layer (SSL).
SSL and TLS are frameworks that include cryptographic protocols
which are intended to provide secure communications on the Internet.
Is TLS something new?
Department of Computer Science G.C. University Lahore 46
When TLS is enabled on the mail servers of both the sender and the receiver of the e-mail, Information exchanged between the servers is encrypted in a format that encodes plain text into non-readable form. Mail servers use Simple Mail Transfer Protocol (SMTP) to send and receive messages.
Enable TLS communications for SMTP traffic
The sending party checks whether TLS services are offered
The server sends its TLS certificate to the client
The TLS session starts, and the SMTP message is transmitted
How TLS works
Department of Computer Science G.C. University Lahore 47
Sending unencrypted messages increases the risk that messages can be intercepted or altered.
TLS security technology automatically encrypts e-mail messages between servers thereby reducing the risk of eavesdropping, interception, and alteration.
Importance of TLS
Department of Computer Science G.C. University Lahore 48
Protection
Every e-mail sent and received is encrypted
E-mail encryption is transparent
TLS is globally accepted
Industry Standard
E-mail can be easily inspected for viruses
Reduced cost
No overhead for end-users.
Rapid deployment
Benefits of TLS
Department of Computer Science G.C. University Lahore 49
Department of Computer Science G.C. University Lahore
50
• “Overview” of Secure Socket Layer (SSL) • Introduction to ”SSL” Secure Socket Layer• How SSL ”Works”?• “Benefits and Limitation” of SSL• “Advance Concepts” of SSL• Related Protocols• Introduction to TLS Transport Layer Security• “Importance” of TLS• “Benefits” of TLS
Summary
Department of Computer Science G.C. University Lahore
51
Department of Computer Science G.C. University Lahore
52
THANKS TO BEAR WITH
US…