tlstut

Information about tlstut

Published on June 19, 2007

Author: Arkwright26

Source: authorstream.com

Content

An Introduction to SSL/TLS and Certificates
Providing secure communication over the Internet. Frederick J. Hirsch, [email protected], CertCo.

CertCo Overview
Background: Established in 1996. Banker's Trust spinoff. Privately held. Mission: CertCo provides secure and cost-effective business solutions that enable trust institutions to build a worldwide trust infrastructure to support high-value, secure electronic commerce. Expertise: Cryptography, risk management, law, technology and banking. Location: Headquarters: New York City. Regional Offices: Cambridge (MA), Washington, DC, United Kingdom.

Outline
Problem: Creating applications which can communicate securely over the Internet. TLS: Transport Layer Security (SSL). Certificates. Related technology: S-HTTP, IPSec, SET, SASL. References.

Security Issues
Privacy: Anyone can see content. Integrity: Someone might alter content. Authentication: Not clear who you are talking with.

TLS: Transport Layer Security
Formerly known as SSL: Secure Sockets Layer. Addresses issues of privacy, integrity and authentication. What is it? How does it address the issues? How is it used?

What is TLS?
Protocol layer. Requires reliable transport layer (e.g. TCP). Supports any application protocols.

TLS: Privacy
Encrypt message so it cannot be read. Use conventional cryptography with shared key: DES, 3DES; RC2, RC4; IDEA.

TLS: Key Exchange
Need secure method to exchange secret key. Use public key encryption for this: 'key pair' is used, either one can encrypt and then the other can decrypt; slower than conventional cryptography; share one key, keep the other private. Choices are RSA or Diffie-Hellman.

TLS: Integrity
Compute fixed-length Message Authentication Code (MAC): Includes hash of message. Includes a shared secret. Include sequence number. Transmit MAC with message.

TLS: Integrity
Receiver creates new MAC; should match transmitted MAC. TLS allows MD5, SHA-1.

TLS: Authentication
Verify identities of participants. Client authentication is optional. Certificate is used to associate identity with public key and other attributes.

TLS: Overview
Establish a session: Agree on algorithms. Share secrets. Perform authentication. Transfer application data: Ensure privacy and integrity.

TLS: Architecture
TLS defines Record Protocol to transfer application and TLS information. A session is established using a Handshake Protocol.

TLS: Record Protocol

TLS: Handshake
Negotiate Cipher-Suite Algorithms: Symmetric cipher to use. Key exchange method. Message digest function. Establish and share master secret. Optionally authenticate server and/or client.

Handshake Phases
Hello messages. Certificate and Key Exchange messages. Change CipherSpec and Finished messages.

TLS: Hello
Client 'Hello' initiates session: Propose protocol version. Propose cipher suite. Server chooses protocol and suite. Client may request use of cached session: Server chooses whether to honor request.

TLS: Key Exchange
Server sends certificate containing public key (RSA) or Diffie-Hellman parameters. Client sends encrypted 'pre-master' secret to server using Client Key Exchange message. Master secret calculated: Use random values passed in Client and Server Hello messages.

Public Key Certificates
X.509 Certificate associates public key with identity. Certification Authority (CA) creates certificate: Adheres to policies and verifies identity. Signs certificate. User of Certificate must ensure it is valid.

Validating a Certificate
Must recognize accepted CA in certificate chain: One CA may issue certificate for another CA. Must verify that certificate has not been revoked: CA publishes Certificate Revocation List (CRL).

X.509: Certificate Content
Version. Serial Number. Signature Algorithm Identifier: Object Identifier (OID), e.g. id-dsa: {iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 1}. Issuer (CA) X.500 name. Validity Period (Start, End). Subject X.500 name. Subject Public Key: Algorithm, Value. Issuer Unique Id (Version 2, 3). Subject Unique Id (Version 2, 3). Extensions (version 3), optional. CA digital Signature.

Subject Names
X.500 Distinguished Name (DN). Associated with node in hierarchical directory (X.500). Each node has Relative Distinguished Name (RDN): Path for parent node. Unique set of attribute/value pairs for this node.

Example Subject Name
Country at Highest Level (e.g. US). Organization typically at next level (e.g. CertCo). Individual below (e.g. Common Name 'Elizabeth' with Id = 1). DN = { C=US; O=CertCo; CN=Elizabeth, ID=1}

Version 3 Certificates
Version 3 X.509 Certificates support alternative name formats as extensions: X.500 names; Internet domain names; e-mail addresses; URLs. Certificate may include more than one name.

Certificate Signature
RSA Signature: Create hash of certificate. Encrypt using CA's private key. Signature verification: Decrypt using CA's public key. Verify hash.

TLS: ServerKeyExchange
Client: ClientHello. Server: ServerHello, Certificate, ServerKeyExchange.

TLS: Certificate Request
Client: ClientHello. Server: ServerHello, Certificate, ServerKeyExchange, CertificateRequest.

TLS: Client Certificate
Client: ClientHello, ClientCertificate, ClientKeyExchange. Server: ServerHello, Certificate, ServerKeyExchange, CertificateRequest.

TLS: Change Cipher Spec, Finished
Client: [ChangeCipherSpec], Finished, Application Data. Server: [ChangeCipherSpec], Finished, Application Data.

TLS: Change Cipher Spec/Finished
Change Cipher Spec: Announce switch to negotiated algorithms and values. Finished: Send copy of handshake using new session. Permits validation of handshake.

TLS: Using a Session
Client: ClientHello (Session #), [ChangeCipherSpec], Finished, Application Data. Server: ServerHello (Session #), [ChangeCipherSpec], Finished, Application Data.

Changes from SSL 3.0 to TLS
Fortezza removed. Additional Alerts added. Modification to hash calculations. Protocol version 3.1 in ClientHello, ServerHello.

TLS: HTTP Application
HTTP most common TLS application: https://. Requires TLS-capable web server. Requires TLS-capable web browser: Netscape Navigator; Internet Explorer; Cryptozilla: Netscape Mozilla sources with SSLeay.

Web Servers
Apache-SSL. Apache mod_ssl. Stronghold. Roxen. iNetStore.

Other Applications
Telnet. FTP. LDAP. POP. SSLrsh. Commercial Proxies.

TLS: Implementation
Cryptographic Libraries: RSARef, BSAFE. TLS/SSL packages: SSLeay, SSLRef.

X.509 Certificate Issues
Certificate Administration is complex: Hierarchy of Certification Authorities. Mechanisms for requesting, issuing, revoking certificates. X.500 names are complicated. Description formats are cumbersome (ASN.1).

X.509 Alternative: SDSI
SDSI: Simple Distributed Security Infrastructure (Rivest, Lampson). Merging with IETF SPKI: Simple Public-Key Infrastructure in SDSI 2.0. Eliminate X.500 names, use DNS and text. Everyone is their own CA. Instead of ASN.1 use 'S-expressions' and simple syntax. Name and Authorization certificates.

TLS "Alternatives"
S-HTTP: secure HTTP protocol, shttp://. IPSec: secure IP. SET: Secure Electronic Transaction. Protocol and infrastructure for bank card payments. SASL: Simple Authentication and Security Layer (RFC 2222).

Summary
SSL/TLS addresses the need for security in Internet communications: Privacy - conventional encryption. Integrity - Message Authentication Codes. Authentication - X.509 certificates. SSL in use today with web browsers and servers.

References - 1
Engelschall, Ralph, mod_ssl, <http://www.engelschall.com/sw/mod_ssl>
Ford, Warwick, Baum, Michael S. Secure Electronic Commerce, Prentice Hall, 1997.
Hirsch, Frederick J. 'Introduction to SSL and Certificates Using SSLeay', World Wide Web Journal, Summer 1997, <http://www.fjhirsch.com/wwwj/>
Hudson, Tim J, Young, Eric A, 'SSLeay and SSLapps FAQ', <http://www.psy.uq.oz.au/~ftp/Crypto/>
Kaufman, Charlie, Perlman, Radia, Speciner, Mike. Network Security: PRIVATE Communication in a PUBLIC World, Prentice Hall, 1995.

References - 2
Rivest, Ron, SDSI, <http://theory.lcs.mit.edu/~cis/sdsi.html>
Stallings, William. Cryptography and Network Security: Principles and Practice, 2nd Edition, Prentice Hall, 1999.
Wagner, David, Schneier, Bruce. 'Analysis of the SSL 3.0 Protocol', <http://www.counterpane.com/ssl.html>
Internet Drafts and RFCs <http://www.ietf.org/>. Use the keyword search on TLS or SSL in the Internet Drafts section to find the TLS Protocol specification and other relevant documents.
PKCS standards: <http://www.rsa.com/rsalabs/pubs/PKCS/>

References - 3
Microsoft Security Documents <http://www.microsoft.com/workshop/security/contents.htm>
Netscape Security Documents <http://www.netscape.com/eng/security/>

Slide44
http://www.fjhirsch.com/~fhirsch/SSL/
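The "TLS: Integrity" slides say the MAC covers the message, a shared secret and a sequence number. As an added example (not part of the original slides), this sketch builds the record MAC the way the TLS 1.0 specification (RFC 2246) lays it out and shows a receiver rejecting both an altered and a replayed record; the secret, payloads and helper names are constructed for illustration, and encryption of the record is left out.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not taken from any real session.
MAC_SECRET = bytes(range(20))   # shared MAC secret agreed during the handshake
TLS_1_0 = (3, 1)                # "Protocol version 3.1" on the wire
APPLICATION_DATA = 23           # record content type

def record_mac(secret, seq_num, content_type, fragment, digest=hashlib.sha1):
    """HMAC over seq_num || type || version || length || fragment."""
    header = struct.pack("!QBBBH", seq_num, content_type, *TLS_1_0, len(fragment))
    return hmac.new(secret, header + fragment, digest).digest()

def protect(secret, seq_num, fragment):
    """Sender side: transmit the MAC with the message."""
    return fragment + record_mac(secret, seq_num, APPLICATION_DATA, fragment)

class Receiver:
    """Keeps its own counter; the sequence number is never sent on the wire."""

    def __init__(self, secret, digest=hashlib.sha1):
        self.secret, self.digest, self.seq = secret, digest, 0

    def accept(self, record):
        n = self.digest().digest_size
        if len(record) < n:
            return None
        fragment, sent_mac = record[:-n], record[-n:]
        expected = record_mac(self.secret, self.seq, APPLICATION_DATA,
                              fragment, self.digest)
        if not hmac.compare_digest(sent_mac, expected):
            return None         # a real TLS peer aborts with bad_record_mac
        self.seq += 1
        return fragment

def demo():
    rx = Receiver(MAC_SECRET)
    r0 = protect(MAC_SECRET, 0, b"PAY 10 TO ALICE")
    r1 = protect(MAC_SECRET, 1, b"PAY 20 TO BOB")
    tampered = b"PAY 99" + r0[6:]           # content altered, old MAC kept
    return {
        "tampered": rx.accept(tampered),    # None: hash no longer matches
        "first": rx.accept(r0),
        "replayed": rx.accept(r0),          # None: receiver now expects seq 1
        "second": rx.accept(r1),
    }
```

The receiver here keeps running after a failure only so the demo can show several cases; a TLS connection is closed on the first bad MAC.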
