SSL(TLS),
a Brief Introduction
SIRUI LI

2006011324
Outline
• Concepts
  • What is SSL/TLS?
  • Security Provided by SSL/TLS
  • Cipher Suite
• How it works
  • Handshaking procedure
  • Record protocol
• Application

What is SSL/TLS?
• Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet.
• TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end.
                                                 —Wikipedia

Where does SSL/TLS work?
Layer         Protocols
Application   FTP, HTTP, IMAP, IRC, POP3, SMTP, SSH, DNS, Telnet, SSL/TLS*, etc.
Transport     TCP, UDP, DCCP, SCTP, IL, RUDP, RSVP
Internet      IP (v4, v6), ICMP, IGMP, ICMPv6
Link          ARP, RARP, OSPF, IS-IS, NDP

*Note: Protocols don’t have to fit in this reference model in order to be accepted as a standard. From the application protocol point of view, SSL/TLS belongs to a lower layer, although the TCP/IP model is too coarse to show it.

A Bit of History
• Secure Sockets Layer (SSL)
  • Developed by Netscape Corporation
  • Versions 1, 2, and 3 (released in 1996)
• Transport Layer Security (TLS)
  • Successor of SSL
  • IETF standards track protocol, based on SSL 3.0
  • Last updated in RFC 5246 (2008)

What Security is Provided?
• By providing:
  • Endpoint Authentication
    • Unilateral or Bilateral
  • Communication Confidentiality
• For preventing:
  • Eavesdropping
  • Tampering
  • Message Forgery

How Security is Provided?
Threat            Countermeasure                        Cryptographic primitive
Eavesdropping     Encryption                            Symmetric-key cryptography
Tampering         Message digest                        Cryptographic hash
Message forgery   Authentication & digital signature    Public-key cryptography

How Security is Provided?
• A simplified case (Unilateral Authentication)
[Diagram. Labels: Key Exchange; Symmetric key (on both sides); M, E, ||, C, D, H; MAC; H, E, D, Compare; Public key; Private key; Asymmetric Key-Gen]

Cipher Suite
• A suite of algorithms is needed for SSL/TLS connections
  • Bulk encryption algorithm
    • Message stream encryption algorithm
  • Message authentication code (MAC) algorithm
    • Cryptographic hash function
    • Asymmetric key algorithms
  • Key exchange algorithm
  • Pseudorandom function (PRF)

Cipher Suite (cont.)
• Common Cipher Suite algorithms:
  • Bulk encryption algorithm
    • RC4, Triple DES, AES, IDEA, DES, Camellia
  • Message authentication code (MAC) algorithm
    • Authentication by RSA, DSA, ECDSA
    • Hashing by MD5, SHA
  • Key exchange algorithm
    • RSA, Diffie-Hellman, ECDH, SRP, PSK
  • Pseudorandom function (PRF)

Enhanced Security Measures
• The server certificate is digitally signed by a certificate authority (CA)
  • The client accepts the server certificate if the CA is trusted
• Sequence numbers are used for preventing replay attacks
• Finishing the handshake sends a hash of all exchanged handshake messages
• etc.

SSL/TLS
HOW IT WORKS

Handshaking
• The client (Alice) and server (Bob) must agree on various parameters to establish the connection
  • Alice requests a secure connection and presents a list of CipherSuites
  • Bob picks the strongest supported CipherSuite
  • Bob sends back his digital certificate
    • Including the certificate authority and his public key
  • Alice sends a random number to Bob securely by encrypting it with the server’s public key
  • Alice and Bob generate key material from the random number
  • Secure connection established

Simple Handshaking Case
• Message: ClientHello (Alice to Bob), carrying the list of CipherSuites
• Alice (client), before handshake: list of supported CipherSuites; list of trusted CAs; public keys of trusted CAs
• Bob (server), before handshake: list of supported CipherSuites; CA's digital signature; server private key; server public key
• Bob, during handshake: list of Alice’s CipherSuites
• Alice requests a secure connection and presents a list of CipherSuites.

Simple Handshaking Case
• Message: ServerHello (Bob to Alice), carrying the chosen CipherSuite
• Alice, during handshake: selected CipherSuite
• Bob, during handshake: selected CipherSuite
• Bob picks the strongest supported CipherSuite.
• Alice saves the selected CipherSuite.

Simple Handshaking Case
• Messages: Certificate (Bob to Alice), carrying Bob’s digital certificate; ServerHelloDone
• Alice, during handshake: selected CipherSuite; server public key
• Bob, during handshake: selected CipherSuite
• Bob sends back his digital certificate, which is signed by the CA and carries Bob’s public key.
• Alice tries to confirm Bob’s digital certificate by the CA’s signature. Alice may contact the CA if needed.

Simple Handshaking Case
• Message: ClientKeyExchange (Alice to Bob), carrying the encrypted random number (RN)
• Alice, during handshake: selected CipherSuite; server public key; random number (RN)
• Bob, during handshake: selected CipherSuite; random number (RN)
• If Bob’s certificate is accepted, Alice generates a random number and sends it encrypted with the server’s public key.
• Bob decrypts the message using his private key and saves RN.

Simple Handshaking Case
• Alice, during handshake: selected CipherSuite; connection keys
• Bob, during handshake: selected CipherSuite; connection keys
• Alice and Bob generate their key material from RN (depending on the selected CipherSuite).

Simple Handshaking Case
• Messages: ChangeCipherSpec; Finished (authenticated and encrypted message, with MAC)
• Alice, during handshake: selected CipherSuite; connection keys
• Bob, during handshake: selected CipherSuite; connection keys
• Alice sends ChangeCipherSpec and an authenticated and encrypted Finished message.
• Bob decrypts and verifies the message using his connection keys.

Simple Handshaking Case
• Messages: ChangeCipherSpec; Finished (authenticated and encrypted message, with MAC)
• Alice, during handshake: selected CipherSuite; connection keys
• Bob, during handshake: selected CipherSuite; connection keys
• If Alice’s message is verified, Bob sends ChangeCipherSpec and another Finished message.
• Alice decrypts and verifies the message using her connection keys. The secure connection is established.

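An added example (not from the original slides): how the connection keys and the Finished check from the steps above are computed in TLS 1.2 (RFC 5246) for an RSA key exchange. It goes one step beyond the simplified slides: besides Alice's encrypted random number (the pre-master secret), TLS also mixes in the random values carried in ClientHello and ServerHello. All byte strings are constructed sample values, and the helper names are this example's own.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret derived from the value Alice sent in ClientKeyExchange."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def connection_keys(master: bytes, client_random: bytes, server_random: bytes,
                    mac_len: int = 20, key_len: int = 16, iv_len: int = 0) -> dict:
    """Split the key block in the order fixed by RFC 5246 section 6.3.

    Defaults match AES-128-CBC with HMAC-SHA1 under TLS 1.2, where the IV is
    sent explicitly in each record, so no IV bytes are taken from the block.
    """
    layout = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    # Note the seed order: server random first for key expansion.
    block = prf(master, b"key expansion", server_random + client_random,
                sum(size for _, size in layout))
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def finished_verify_data(master: bytes, label: bytes, handshake_messages: bytes) -> bytes:
    """12-byte verify_data: a keyed hash over every handshake message so far."""
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return prf(master, label, transcript_hash, 12)


def check_finished(master: bytes, label: bytes, handshake_messages: bytes,
                   received: bytes) -> bool:
    """Constant-time comparison of the peer's Finished value with our own."""
    expected = finished_verify_data(master, label, handshake_messages)
    return hmac.compare_digest(expected, received)


# Constructed sample values, not captured traffic.
PRE_MASTER = b"\x03\x03" + bytes(range(46))   # client version + 46 bytes
CLIENT_RANDOM = bytes([0xC1]) * 32
SERVER_RANDOM = bytes([0x5E]) * 32
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"


def demo():
    """Both sides derive the same keys; an altered transcript fails Finished."""
    alice_master = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    bob_master = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    alice_keys = connection_keys(alice_master, CLIENT_RANDOM, SERVER_RANDOM)
    bob_keys = connection_keys(bob_master, CLIENT_RANDOM, SERVER_RANDOM)

    finished = finished_verify_data(alice_master, b"client finished", TRANSCRIPT)
    accepted = check_finished(bob_master, b"client finished", TRANSCRIPT, finished)

    # Bob saw a handshake that differs by one byte from what Alice sent.
    altered = TRANSCRIPT.replace(b"ClientHello", b"ClientHellO")
    rejected = not check_finished(bob_master, b"client finished", altered, finished)
    return alice_keys == bob_keys, accepted, rejected


if __name__ == "__main__":
    print(demo())
```

Because the Finished value covers the whole transcript, a change to any earlier handshake message, such as the offered CipherSuite list, makes the check fail before application data flows.
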
Bilateral-authenticated Handshake
General format of TLS records
Offset            Byte +0         Byte +1      Byte +2         Byte +3
Byte 0            Content type
Bytes 1..4        Version                      Length
                  (Major)         (Minor)      (bits 15..8)    (bits 7..0)
Bytes 5..(m-1)    Protocol message(s)
Bytes m..(p-1)    MAC (optional)
Bytes p..(q-1)    Padding (block ciphers only)
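
An added example (not from the original slides): a parser for the record layout in the table above, splitting a byte stream into records and validating each 5-byte header. The content-type and version code points are those of SSL 3.0 through TLS 1.2, the length bound is the RFC 5246 limit for protected records, and the sample stream is constructed.

```python
import struct
from dataclasses import dataclass

CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}
VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}
HEADER_LEN = 5
MAX_FRAGMENT = 2 ** 14 + 2048   # upper bound for an encrypted record body


class RecordError(ValueError):
    """Raised when a record header is not valid SSL/TLS."""


@dataclass
class Record:
    content_type: str
    version: str
    fragment: bytes   # protocol message(s); once encryption is on, this also
                      # holds the MAC and padding, which only the keys reveal


def parse_records(stream: bytes):
    """Return (complete records, leftover bytes of an incomplete record)."""
    records, offset = [], 0
    while len(stream) - offset >= HEADER_LEN:
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise RecordError(f"unknown content type {ctype} at offset {offset}")
        if (major, minor) not in VERSIONS:
            raise RecordError(f"unknown version {major}.{minor} at offset {offset}")
        if length > MAX_FRAGMENT:
            raise RecordError(f"length {length} exceeds record limit")
        body_start = offset + HEADER_LEN
        if len(stream) - body_start < length:
            break                       # body not fully received yet
        records.append(Record(CONTENT_TYPES[ctype], VERSIONS[(major, minor)],
                              stream[body_start:body_start + length]))
        offset = body_start + length
    return records, stream[offset:]


# Constructed sample stream: a handshake record, an alert record, and the
# first bytes of an application_data record whose body has not arrived.
SAMPLE = (
    b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"   # handshake, TLS 1.0, 4 bytes
    + b"\x15\x03\x03\x00\x02" + b"\x02\x28"         # alert, TLS 1.2, 2 bytes
    + b"\x17\x03\x03\x00\x10" + b"abc"              # truncated: 3 of 16 bytes
)

if __name__ == "__main__":
    parsed, leftover = parse_records(SAMPLE)
    for record in parsed:
        print(record.content_type, record.version, record.fragment.hex())
    print("buffered for next read:", leftover.hex())
```
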
SSL/TLS
APPLICATIONS

Application of SSL/TLS
• On top of the Transport Layer protocols
  • Primarily with TCP
  • Datagram Transport Layer Security (DTLS) for UDP
• Encapsulating the application protocols
  • HTTP (HTTPS) for securing WWW traffic
  • FTP (FTPS), SMTP, NNTP, etc.

Implementations of SSL/TLS
• SSL and TLS have been widely implemented
  • Open source software projects
    • OpenSSL, NSS, or GnuTLS
  • Microsoft Windows
    • Part of its Secure Channel
  • Browsers
    • Apple Safari
    • Mozilla Firefox (2+)
    • Internet Explorer, etc.

Thanks!
JAN 2010

UiPath Community: Communication Mining from Zero to Hero
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

SSL intro

  • 2. Outline
      • Concepts
          • What is SSL/TLS?
          • Security Provided by SSL/TLS
          • Cipher Suite
      • How does it work?
          • Handshaking procedure
          • Record protocol
      • Application
  • 3. What is SSL/TLS?
      • Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet.
      • TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end.
      —Wikipedia
  • 4. Where does SSL/TLS work?
      • Application: FTP, HTTP, IMAP, IRC, POP3, SMTP, SSH, DNS, Telnet, SSL/TLS*, etc.
      • Transport: TCP, UDP, DCCP, SCTP, IL, RUDP, RSVP
      • Internet: IP (v4, v6), ICMP, IGMP, ICMPv6
      • Link: ARP, RARP, OSPF, IS-IS, NDP
      *Note: Protocols don’t have to fit in this reference model in order to be accepted as a standard. From the application protocol point of view, SSL/TLS belongs to a lower layer, although the TCP/IP model is too coarse to show it.
  • 5. A Bit of History
      • Secure Sockets Layer (SSL)
          • Developed by Netscape Corporation
          • Versions 1, 2, and 3 (released in 1996)
      • Transport Layer Security (TLS)
          • Successor of SSL
          • IETF standards track protocol, based on SSL 3.0
          • Last updated in RFC 5246 (2008)
  • 6. What Security is Provided?
      • By providing:
          • Endpoint Authentication (Unilateral or Bilateral)
          • Communication Confidentiality
      • For preventing:
          • Eavesdropping
          • Tampering
          • Message Forgery
  • 7. How Security is Provided?
      • Eavesdropping: Encryption (Symmetric-key Cryptography)
      • Tampering: Message Digest (Cryptographic Hash)
      • Message Forgery: Authentication & Digital signature (Public-key Cryptography)
  • 8. How Security is Provided?
      • A simplified case (Unilateral Authentication)
      • [Diagram. Labels: Key Exchange, Symmetric key (both sides), M, H, MAC, ||, E, C, D, Compare, Public key, Private key, Asymmetric Key-Gen]
  • 9. Cipher Suite
      • A suite of algorithms is needed for SSL/TLS connections
          • Bulk encryption algorithm
          • Message stream encryption algorithm
          • Message authentication code (MAC) algorithm
          • Cryptographic hash function
          • Asymmetric key algorithms
          • Key exchange algorithm
          • Pseudorandom function (PRF)
  • 10. Cipher Suite (cont.)
      • Common Cipher Suite algorithms:
          • Bulk encryption algorithm
              • RC4, Triple DES, AES, IDEA, DES, Camellia
          • Message authentication code (MAC) algorithm
              • Authentication by RSA, DSA, ECDSA
              • Hashing by MD5, SHA
          • Key exchange algorithm
              • RSA, Diffie-Hellman, ECDH, SRP, PSK
          • Pseudorandom function (PRF)
  • 11. Enhanced Security Measures
      • The server certificate is digitally signed by a certificate authority (CA)
          • The client accepts the server certificate if the CA is trusted
      • Sequence numbers are used for preventing replay attacks
      • The Finished message that ends the handshake carries a hash of all exchanged handshake messages
      • etc.
  • 13. Handshaking
      • The client (Alice) and server (Bob) must agree on various parameters to establish the connection
          • Alice requests a secure connection and presents a list of CipherSuites
          • Bob picks the strongest supported CipherSuite
          • Bob sends back his digital certificate
              • Including the certificate authority and his public key
          • Alice sends a random number to Bob securely by encrypting it with the server’s public key
          • Alice and Bob generate key material from the random number
          • Secure connection established
  • 14. Simple Handshaking Case
      • Before the handshake (shown unchanged on slides 14 to 20):
          • Alice (client): list of supported CipherSuites, list of trusted CAs, public keys of trusted CAs
          • Bob (server): list of supported CipherSuites, CA's digital signature, server private key, server public key
      • Message: ClientHello (list of CipherSuites)
      • During the handshake, Bob holds: list of Alice’s CipherSuites
      • Alice requests a secure connection and presents a list of CipherSuites.
  • 15. Simple Handshaking Case
      • Message: ServerHello (chosen CipherSuite)
      • During the handshake, Alice and Bob each hold: selected CipherSuite
      • Bob picks the strongest supported CipherSuite.
      • Alice saves the selected CipherSuite.
  • 16. Simple Handshaking Case
      • Messages: Certificate (Bob’s digital certificate), ServerHelloDone
      • During the handshake, Alice holds: selected CipherSuite, server public key. Bob holds: selected CipherSuite
      • Bob sends back his digital certificate, which is signed by the CA and carries Bob’s public key.
      • Alice tries to confirm Bob’s digital certificate by the CA’s signature. Alice may contact the CA if needed.
  • 17. Simple Handshaking Case
      • Message: ClientKeyExchange (encrypted random number, RN)
      • During the handshake, Alice holds: selected CipherSuite, server public key, random number (RN). Bob holds: selected CipherSuite, random number (RN)
      • If Bob’s certificate is accepted, Alice generates a random number and sends it encrypted with the server’s public key.
      • Bob decrypts the message using his private key and saves RN.
  • 18. Simple Handshaking Case
      • During the handshake, Alice and Bob each hold: selected CipherSuite, connection keys
      • Alice and Bob generate their key material from RN (depending on the selected CipherSuite).
  • 19. Simple Handshaking Case
      • Messages: ChangeCipherSpec, Finished (authenticated and encrypted message, with MAC)
      • During the handshake, Alice and Bob each hold: selected CipherSuite, connection keys
      • Alice sends ChangeCipherSpec and an authenticated and encrypted Finished message.
      • Bob decrypts and verifies the message using his connection keys.
  • 20. Simple Handshaking Case
      • Messages: ChangeCipherSpec, Finished (authenticated and encrypted message, with MAC)
      • During the handshake, Alice and Bob each hold: selected CipherSuite, connection keys
      • If Alice’s message is verified, Bob sends ChangeCipherSpec and another Finished message.
      • Alice decrypts and verifies the message using her connection keys. The secure connection is established.
  • 22. General format of TLS records
      • Byte 0: Content type
      • Bytes 1..4: Version (Major), Version (Minor), Length (bits 15..8), Length (bits 7..0)
      • Bytes 5..(m-1): Protocol message(s)
      • Bytes m..(p-1): MAC (optional)
      • Bytes p..(q-1): Padding (block ciphers only)
  • 24. Application of SSL/TLS
      • On top of the Transport Layer protocols
          • Primarily with TCP
          • Datagram Transport Layer Security (DTLS) for UDP
      • Encapsulating the application protocols
          • HTTP (HTTPS) for securing WWW traffic
          • FTP (FTPS), SMTP, NNTP, etc.
  • 25. Implementations of SSL/TLS
      • SSL and TLS have been widely implemented
          • Open source software projects
              • OpenSSL, NSS, or GnuTLS
          • Microsoft Windows
              • Part of its Secure Channel
          • Browsers
              • Apple Safari
              • Mozilla Firefox (2+)
              • Internet Explorer, etc.
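The record layout on slide 22, as an added example that is not part of the original slides: a Python reader that splits a captured byte stream into TLS records using the 5-byte header. The content-type numbers and the length limit come from RFC 5246 rather than from the deck, and the sample bytes are constructed placeholders.

```python
import struct

# Content types from RFC 5246, section 6.2.1 (not listed on the slide).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HEADER_LEN = 5                   # type (1) + version (2) + length (2)
MAX_FRAGMENT = 2**14 + 2048      # TLS 1.2 upper bound for a protected record


class RecordError(ValueError):
    """Raised when a header cannot belong to a well-formed TLS record."""


def parse_records(stream: bytes):
    """Return (records, leftover) for a buffer of concatenated records.

    Each record is (type_name, (major, minor), fragment). Once a cipher is
    active the fragment holds the encrypted message, MAC and padding together.
    leftover is a trailing partial record to keep until more bytes arrive.
    """
    records, offset = [], 0
    while len(stream) - offset >= HEADER_LEN:
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise RecordError(f"unknown content type {ctype} at offset {offset}")
        if major != 3:
            raise RecordError(f"unexpected major version {major}")
        if length > MAX_FRAGMENT:
            raise RecordError(f"record length {length} exceeds limit")
        end = offset + HEADER_LEN + length
        if end > len(stream):
            break                # header complete, body still in flight
        records.append((CONTENT_TYPES[ctype], (major, minor),
                        stream[offset + HEADER_LEN:end]))
        offset = end
    return records, stream[offset:]


# Constructed sample: fragment bytes are placeholders, not real messages.
SAMPLE = (
    bytes([22, 3, 1, 0, 4]) + b"\x01\x00\x00\x00"   # handshake, 4-byte body
    + bytes([20, 3, 3, 0, 1]) + b"\x01"             # change_cipher_spec
    + bytes([23, 3, 3, 0, 32]) + b"\xaa" * 10       # truncated application data
)

if __name__ == "__main__":
    recs, rest = parse_records(SAMPLE)
    for name, version, body in recs:
        print(name, version, body.hex())
    print("buffered:", len(rest), "bytes")
```

Rejecting unknown content types and oversized lengths before buffering keeps a malformed or hostile peer from making the reader allocate or wait on data that can never form a valid record.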
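Slides 11, 13 and 18 to 20 describe deriving connection keys from RN and closing the handshake with a Finished message over all exchanged messages; the added Python example below (not from the original slides) carries that through with the TLS 1.2 PRF from RFC 5246. It goes beyond the simplified slides in that RFC 5246 also mixes the client and server random values from the hello messages into the derivation; the key sizes assume an AES-128-CBC / HMAC-SHA1 suite, and all inputs are constructed.

```python
import hashlib
import hmac


def prf(secret: bytes, label: bytes, seed: bytes, n: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed                                    # A(0) = seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]


def master_secret(rn: bytes, c_rand: bytes, s_rand: bytes) -> bytes:
    return prf(rn, b"master secret", c_rand + s_rand, 48)


def connection_keys(master: bytes, c_rand: bytes, s_rand: bytes) -> dict:
    """Key block split for an assumed AES-128-CBC / HMAC-SHA1 suite."""
    kb = prf(master, b"key expansion", s_rand + c_rand, 72)
    return {"client_mac": kb[:20], "server_mac": kb[20:40],
            "client_key": kb[40:56], "server_key": kb[56:72]}


def finished(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """12-byte verify_data over the hash of all handshake messages so far."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def demo() -> dict:
    # Constructed inputs: fixed nonces and placeholder handshake bytes.
    c_rand, s_rand, rn = b"\x11" * 32, b"\x22" * 32, b"\x33" * 48
    sent = b"ClientHello[AES128-SHA,RC4-MD5]"   # what Alice sent
    seen = b"ClientHello[RC4-MD5]"              # list altered in transit
    rest = b"|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"
    alice = master_secret(rn, c_rand, s_rand)
    bob = master_secret(rn, c_rand, s_rand)     # Bob decrypted the same RN
    tag = finished(alice, b"client finished", sent + rest)
    return {
        "same_keys": connection_keys(alice, c_rand, s_rand)
        == connection_keys(bob, c_rand, s_rand),
        "clean_ok": hmac.compare_digest(
            tag, finished(bob, b"client finished", sent + rest)),
        "tampered_ok": hmac.compare_digest(
            tag, finished(bob, b"client finished", seen + rest)),
    }


if __name__ == "__main__":
    print(demo())
```

The `tampered_ok` result is false because Bob's transcript differs from Alice's, which is how the Finished check exposes a CipherSuite list that was altered before the keys existed.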