SlideShare uma empresa Scribd logo

What is TLS/SSL?

Transferir como DOCX, PDF
Shehzad Imran
Shehzad Imran

This Document will help You to understand the TLS/SSL on Tnransport Layer

TecnologiaEducação
1 de 24
Outline:  Web Security  Executive Summary  Introduction to SSL/TLS  What is TLS/SSL?  Digital Certificates  Authentication and Verification  Services of SSL  The Four Upper Layer Protocols  Record Protocol  Change Cipher Spec Protocol  Alert Protocol  Handshake Protocol  Secure Socket Layer (SSL)  Where, What and How about SSL  Architecture  Transport Layer Security (TLS)  TLS Overview  Public Key Certificates  Implementation & Applications of SSL/TLS  Summary  References
Security:  Web is now widely used by businesses, government firms and individuals.  But Internet & Web space are vulnerable.  Have a variety of threats related to  Integrity: Someone might alter content  Confidentiality: Anyone can see content  Denial of service:  Authentication: Not clear who you are talking with  need added security mechanisms Executive Summary: Transport Layer Security or TLS,widelyknownalsoasSecureSocketsLayerorSSL,isthemostpopularapplicationofpublickeycryp tographyintheworld.ItismostfamousforsecuringWebbrowsersessions,butithaswidespreadapplicati ontoothertasks TLS/SSL canbeusedtoprovide strong authentication of bothparties inacommunicationsession,strongencryptionofdatain transitbetweenthem,andverificationofthe integrityofthatdataintransitTLS/SSLcanbe used tosecureabroadrangeofcriticalbusinessfunctionssuchasWebbrowsing,server-toservercommunications,emailclient-to-servercommunications,softwareupdating,databaseaccess, virtualprivatenetworkingandothersHowever,whenused improperly,TLScangivetheillusionofsecuritywherethecommunicationshave beencompromisedItisimportanttokeepcertificatesuptodateandcheckrigorouslyforerrorcond itionsInmany,butnotallapplicationsofTLS,theintegrityoftheprocessisenhancedbyusingacertificatei
ssuedbyan outside trusted CertificateAuthority(CA)ThispaperwillexplorehowTLSworks,bestpracticesforitsuse,andthevariou sapplicationsinwhichitcansecurebusinesscomputing. Introduction:  Secure Sockets Layer (SSL)  Developed by Netscape Corporation  Versions 1, 2, and 3 (released in 1996)  Transport Layer Security (TLS)  Successor of SSL  IETF standards track protocol, based on SSL 3.0  Last updated in RFC 5246 (2008)  Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet.  TLS and SSL encrypt the segments of network connections at the Transport Layer endto-end. Asthescience ofbusinesscomputing,andofcomputingsecurityinparticular, thetrendhasbeentofind securityweaknesseseverywhere wherecomplexityandfunctionalitygrow,sodotheopportunities forabuseofsystemsbymaliciousactors. hasadvanced, The solutions to these problems are varied and must be explored individually, but one technology shows up often: TLS or Transport Layer Security, often known by the name of the predecessor technology, SSL or Secure Sockets Layer TLSisbestknownasthetechnologywhichsecuresWebbrowsersessionsforbankingandothersensitivet asks,butitcanbeusedformuchmore. Clientservercommunicationwithavarietyofservertypes,inadditiontoWebservers,benefitsfromuseofTLS. Server-to-servercommunicationsalsoneedtobesecuredandcanbethroughTLS. ClientsupdatingapplicationsandothersoftwareontheirPCsshouldonlydosothroughasecureconnectio n,whichiswhysuchupdateapplicationsusuallyuseTLSor SSL. ThispaperwillexploretheseandotherapplicationsofTLSthatcansecuretheenterprisein themyriadplacesinwhichitcanbeattacked.
TLSprovides3basicbenefits:  Itprovidesauthenticationofthecommunicatingparties,eitherone-wayorin both directions  Itencryptsthecommunicationsession“onthewire”  Itensurestheintegrityofthedatatransferred What is TLS/SSL? TLS/SSLisatunnelingprotocolthatworksatthetransportlayer. Itprovidesencryption,authenticationandintegrityverificationofdata,anddoessobymeansofdigitalcer tificates. Digital Certificates Adigitalcertificateisanelectronicdocumentwhichconfirmstheidentityofanentity– whichcouldbeauser,aserver,acompany,aprogramonaclient,justaboutanything– andassociatesthatentitywithapublickey. Thedigitalcertificateistheentity’sidentificationtothepublickeyinfrastructure. EachpartytoaTLSsecuredcommunicationcanevaluatethecontentsofthecertificate. ThemostexaminedfieldistheCommonNameEachthencomparesittowhattheyexpect. Itisalsowisetochecktheissuerofthecertificate. Istheissueratrustedparty?FormoreontheseissuersseeTrustedCertificateAuthorities, Userscangeneratetheirowndigitalcertificates,calledself-signedcertificates,withfreetools. Butsuchcertificatesareinherentlyuntrustworthyandtherealvalueofcertificates comeswhentheyareissuedbyatrustedCA. UserscancreateandruntheirownCAontheirnetworkandsometimesthismakessense,butinmanycasesit isnecessarytouseanoutsidetrusted CA whichoutsidepartiescanalsotrustSymantec™isthelargestCA. Authentication and Verification
Publickeycryptographyallowstwopartiestoauthenticateeachother. Eachpartyhastwo keys,whicharelargenumericvalues. Amessageexchangedbetweentheparties isrunthroughahashingalgorithm. Ahashfunctiontakesablockofdataandcreatesavaluefromit,knownasahashordigestMakeevena small changeinthedataandthehashchangessignificantly. Atthesametimethereisnowaytorecreatethedatafromthehash. Thesendingpartytothecommunicationsusestheirprivatekeytoencryptthehashvalue. Thisencryptedvalueiscalledadigitalsignature. Themessageandsignaturearesenttotherecipientparty. Therecipientpartyusesthesender’spublickeytodecryptthesignature. Theygenerateahashofthemessageusingthesamealgorithmasthesenderandcomparethevalues. Ifthevaluesarethesamethentwothingsarecertain:thedatahasnotbeentamperedwithandthesenderiswh otheypurporttobe. Thisisbecausetheprivatekeycorrespondingtothepublickeyinthecertificatewasusedtosignthedata,an dtheprivatekeyshouldonlybe accessiblebythesendernamedinthecertificate. NeitherauthenticationnorintegrityverificationaremandatoryinTLSYoucanuseitsimplysothatthebits on thewireareencrypted. Butauthenticationis acorefeature,importanttomostcustomers. Services of SSL: SSL Provides several services on data received from the application layer.  Fragmentation: First SSL divides the data into blocks of 2^14 bytes or less.  Compression: Each fragment of data is compressed using one of the lossless compression methodnegotiated between the client and server. This service is optional.  Message Integrity: To preserve the integrity of data, SSL uses a keyed Hash function to create a MAC.  Confidentiality: To provide confidentiality, the original data and the MAC are encrypted using symmetric key cryptography  Framing:
A header is added to the encrypted payload. The payload is then passed to a reliable transport protocol. The Four Upper Layer Protocols  Application Encryption Protocol  Encrypt/Decrypt application data  Change Cipher Spec Protocol  Alert to a change in communication variables  Alert Protocol  Messages important to SSL connections  Handshaking Protocol  Establish communication variables SSL Record Protocol Services provided are:  Confidentiality  using symmetric encryption with a shared secret key defined by Handshake Protocol  IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128  message is compressed before encryption  Message integrity  using a MAC (Message Authentication Code) created using a shared secret key and a short message
SSL Change Cipher Spec Protocol:  one of 3 SSL specific protocols which use the SSL Record protocol  a single message  Purpose of message  Cause copy of pending state to current state.  Updates cipher suite to be used on the current connection. SSL Alert Protocol:  conveys SSL-related alerts to peer entity  Consists of two bytes  1st byte : warning or fatal  2nd byte: code for specific alerts  specific alert types  unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter  close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown  compressed & encrypted like all SSL data SSL Handshake Protocol:  The most complex part of SSL.
 allows server & client to:  authenticate each other  to negotiate encryption & MAC algorithms  to negotiate cryptographic keys to be used  comprises a series of messages in phases  Establish Security Capabilities  Server Authentication and Key Exchange  Client Authentication and Key Exchange  Finish  The client(Alice) and server(Bob) must agree on various parameters to establish the connection  Alice request a secure connections and presents a list of Cipher Suites  Bob picks the strongest supported Cipher Suite  Bob sends back his digital certificate o Including the certificate authority and his public key  By encrypting using the server’s public key, Alice send a random number to Bob securely  Alice and Bob generate key material from the random number  Secure connection established
`
SSL Handshake Protocol:  This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record.
TLS (Transport Layer Security) SSL Key Exchange (Simplified) 1. SSL client connects to an SSL server 2. Server then sends its own certificate that contains its public key 3. Client then creates a random key (premaster key) and uses server's public key to encrypt it
4. Client then sends encrypted premaster key to the server 5. Server then decrypts it (only the server that has the matching private key can decrypt it) and uses decrypted premaster key to create secret session key 6. Now both client and server uses secret session key for further communication Secure Socket Layer (SSL): Where SSL fits? SSL runs over TCP:  Confidentiality (Privacy)  Data integrity (Tamper-proofing)  Server authentication (Proving a server is what it claims it is) – Used in typical B2C transaction  Optional client authentication – Would be required in B2B (or Web services environment in which program talks to program) What security is provided?
 By providing:  Endpoint Authentication  Unilateral or Bilateral  Communication Confidentiality  For preventing:  Eavesdropping  Tampering  Message Forgery Eavesdropping Tampering Message Forgery • Encryption • Symmetric-key Cryptography • Message Digest • Cryptographic Hash • Authentication & Digital signature • Public-key Cryptography SSL Architecture: TLS (Transport Layer Security)  TLS uses stronger encryption algorithms and has the ability to work on different ports. Additionally, TLS version 1.0 does not interoperate with SSL version 3.0.  IETF standard RFC 2246 similar to SSLv3
 with minor differences  In record format version number  Uses HMAC for MAC  A pseudo-random function expands secrets  Has additional alert codes  Some changes in supported ciphers  Changes in certificate negotiations  Changes in use of padding Changes from SSL 3.0 to TLS: TLSisthesuccessortechnologytoSSL, whichwasdevelopedbyNetscapein1994. ThefirstpublicreleasewasSSLversion,andwasquicklyfollowedbyversion. TheTLSspecificationwasreleasedin1999inRFC2246,andisonlyaminormodificationofSSL3. Changeshavecomeatamuchslowerpacesincethen,withTLS1.1and1.2largelyconcernedwithsecurity improvements. TLSisstillwidelycalledSSL,especiallyinproductnames,evenifthetermisstrictlyinaccurate. TLSversionsaredesignedtointeractwith androllbacktoearlierprotocolssuchasSSL3. Infact,intheprotocolhandshake,TLS1.0,1.1 and1.2 usetheversionnumbers3.1,3.2and3.3 Oneofthemaindifferencesyou’llseebetweenSSLandTLSversionsarethecryptographicfeatures,inclu dingtheciphers,hashalgorithmsandkeyexchangemechanismstheysupport. Astimeandversionsadvance,supportforweakerfeaturesisdroppedfromtheprotocolandstrongeronesa dded.  Fortezza removed  Additional Alerts added  Modification to hash calculations  Protocol version 3.1 in ClientHello, ServerHello What is TLS?  Protocol layer  Requires reliable transport layer (e.g. TCP)  Supports any application protocols
TLS: Privacy:  Encrypt message so it cannot be read  Use conventional cryptography with shared key  DES, 3DES  RC2, RC4  IDEA TLS: Key Exchange:  Need secure method to exchange secret key  Use public key encryption for this  “key pair” is used - either one can encrypt and then the other can decrypt  slower than conventional cryptography  share one key, keep the other private  Choices are RSA or Diffie-Hellman TLS: Integrity:  Compute fixed-length Message Authentication Code (MAC)  Includes hash of message  Includes a shared secret  Include sequence number  Transmit MAC with message  Receiver creates new MAC  should match transmitted MAC  TLS allows MD5, SHA-1 TLS: Authentication:  Verify identities of participants  Client authentication is optional  Certificate is used to associate identity with public key and other attributes TLS: Architecture:
 TLS defines Record Protocol to transfer application and TLS information  A session is established using a Handshake Protocol TLS: Record Protocol: TLS: Handshake:  Negotiate Cipher-Suite Algorithms  Symmetric cipher to use  Key exchange method  Message digest function  Establish and share master secret  Optionally authenticate server and/or client Handshake Phases:  Hello messages  Certificate and Key Exchange messages  Change Cipher Spec and Finished messages Implementation of SSL/TLS:  SSL and TLS have been widely implemented  Open source software projects ○ OpenSSL, NSS, or GnuTLS  Microsoft Windows
○ Part of its Secure Channel  Browsers ○ Google Chrome ○ Internet Explorer, etc. Client Side: <? Php//-------------------------------------Message Encryption Start .......................// $plan_text=$_POST['text']; $befor_cipher=$plan_text; $strlen=strlen($plan_text)."<br />"; $abc=array("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s", "t","u","v","w","x","y","z"); $count=0; $replace=array(); for($count=0; $count<$strlen; $count++) { foreach($abc as $key=>$value) { if($plan_text[$count]==$value)
{ $replace[$count]=$abc[25-$key]; } } } $cipher_text=implode($replace); //.................................................... Message Encrption End .......................... // //........................................ Codding For Connection Start ....................// $host = "192.168.1.9"; $port = 25003; //set_time_limit(0); echo "<h1>Message Sent</h1><br />"; echo "Plan Text : ".$befor_cipher; echo "<br />Cipher Text : ".$cipher_text; // create socket $socket = socket_create(AF_INET, SOCK_STREAM, 0) or die("Could not create socketn"); // connect to server $result = socket_connect($socket, $host, $port) or die("Could not connect to servern"); // send string to server socket_write($socket, $cipher_text, strlen($cipher_text)) or die("Could not send data to servern"); // close socket socket_close($socket); // ...........................................Codding for connection End.............................// ?> Server Side:
<?php //.............................................Codding Start.........................// for SERVER Connection // set some variables $host = "192.168.1.9"; $port = 25003; // don't timeout! set_time_limit(0); // create socket $socket = socket_create(AF_INET, SOCK_STREAM, 0) or die("Could not create socketn"); // bind socket to port $result = socket_bind($socket, $host, $port) or die("Could not bind to socketn"); // start listening for connections $result = socket_listen($socket, 10) or die("Could not set up socket listenern"); // accept incoming connections // spawn another socket to handle communication $spawn = socket_accept($socket) connectionn"); or die("Could not accept incoming // read client input $cipher_text = socket_read($spawn, 1024) or die("Could not read cipher_textn"); echo "<h1>Message Received</h1><br />"; echo "Cipher text :".$cipher_text."<br />"; // close sockets socket_close($spawn); socket_close($socket); //.............................................Codding End.........................// for SERVER //.................................................Decription Start.........................// Connection
$strlen=strlen($cipher_text)."<br />"; $abc=array("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s", "t","u","v","w","x","y","z"); $count=0; $replace=array(); for($count=0; $count<$strlen; $count++) { foreach($abc as $key=>$value) { if($cipher_text[$count]==$value) {$replace[$count]=$abc[25-$key];} } } $plan_text=implode($replace); echo "Plan Text : ".$plan_text; //...............................................Decription Enc.........................// ?> Socket Programming in PHP Introduction Sockets are used for inter process communication. Inter process communication is generally based on client-server model. In this case, client-server is the applications that interact with each other. Interaction between client and server requires a connection. Socket programming is responsible for establishing that connection between applications to interact. By the end of this tip, we will learn how to create a simple client-server in PHP. We will also learn how client application sends message to server and receives it from the same. Using the Code Aim: Develop a client to send a string message to server and server to return reverse of the same message to client.
PHP SERVER Step 1: Set variables such as "host" and "port" $host = "127.0.0.1"; $port = 5353; // No Timeout set_time_limit(0); Port number can be any positive integer between 1024 -65535. Step 2: Create Socket $socket = socket_create(AF_INET, SOCK_STREAM, 0) or die("Could not create socketn"); Step 3: Bind the socket to port and host Here the created socket resource is bound to IP address and port number. $result = socket_bind($socket, $host, $port) or die("Could not bind to socketn"); Step 4: Start listening to the socket After getting bound with IP and port server waits for the client to connect. Till then it keeps on waiting. $result = socket_listen($socket, 3) or die("Could not set up socket listenern"); Step 5: Accept incoming connection This function accepts incoming connection request on the created socket. After accepting the connection from client socket, this function returns another socket resource that is actually responsible for communication with the corresponding client socket. Here “$spawn” is that socket resource which is responsible for communication with client socket. $spawn = socket_accept($socket) or die("Could not accept incoming connectionn"); So far, we have prepared our server socket but the script doesn't actually do anything. Keeping to our aforesaid aim, we will read message from client socket and then send back reverse of the received message to the client socket again. Step 6: Read the message from the Client socket $input = socket_read($spawn, 1024) or die("Could not read inputn");
Step 7: Reverse the message $output = strrev($input) . "n"; Step 8: Send message to the client socket socket_write($spawn, $output, strlen ($output)) or die("Could not write outputn"); Close the socket socket_close($spawn); socket_close($socket); This completes with the server. Now we will learn to create PHP client. PHP CLIENT The first two steps are the same as in the server. Step 1: Set variables such as "host" and "port" $host = "127.0.0.1"; $port = 5353; // No Timeout set_time_limit(0); Note: Here the port and host should be same as defined in server. Step 2: Create Socket $socket = socket_create(AF_INET, SOCK_STREAM, 0) or die("Could not create socketn"); Step 3: Connect to the server $result = socket_connect($socket, $host, $port) or die("Could not connect toservern"); Here unlike server, client socket is not bound with port and host. Instead it connects to server socket, waiting to accept the connection from client socket. Connection of client socket to server socket is established in this step. Step 4: Write to server socket socket_write($socket, $message, strlen($message)) or die("Could not send data to servern"); In this step, client socket data is sent to the server socket.
Step 5: Read the response from the server $result = socket_read ($socket, 1024) or die("Could not read server responsen"); echo "Reply From Server :".$result; Step 6: Close the socket socket_close($socket); Application of SSL/TLS:  On top of the Transport Layer protocols  Primarily with TCP  Datagram Transport Layer Security(DTLS) for UDP  Encapsulating the application protocols  HTTP (HTTPS)  for securing WWW traffic  FTP (FTPS) SMTP, NNTP, etc. References:  William Stallings, 5th Edition, “Transport-Level Security”, Chapter 16, Pages : 509-543  www.cse.buffalo.edu/DBGROUP/nachi/ecopres/fengmei  http://www.slideshare.net/leethree/ssl-intro

Recomendados

Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
Pina Parmar
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
Naveen Kumar
 
Secret key cryptography
Secret key cryptographySecret key cryptography
Secret key cryptography
Prabhat Goel
 
Ssl and tls
Ssl and tlsSsl and tls
Ssl and tls
Rana assad ali
 
Cryptography
CryptographyCryptography
Cryptography
Darshini Parikh
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
Arun Shukla
 
SSL
SSLSSL
SSL
theekuchi
 
Transport layer security (tls)
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)
Kalpesh Kalekar
 

Recomendados

Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
Pina Parmar
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
Naveen Kumar
 
Secret key cryptography
Secret key cryptographySecret key cryptography
Secret key cryptography
Prabhat Goel
 
Ssl and tls
Ssl and tlsSsl and tls
Ssl and tls
Rana assad ali
 
Cryptography
CryptographyCryptography
Cryptography
Darshini Parikh
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
Arun Shukla
 
SSL
SSLSSL
SSL
theekuchi
 
Transport layer security (tls)
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)
Kalpesh Kalekar
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
Samip jain
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
Asad Ali
 
Email security
Email securityEmail security
Email security
Mohammed Hilal
 
Pgp
PgpPgp
Pgp
Reham Maher El-Safarini
 
Block Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption StandardBlock Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption Standard
Dr.Florence Dayana
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
Abdullaziz Tagawy
 
Cryptography
CryptographyCryptography
Cryptography
EmaSushan
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
Huda Seyam
 
cryptography
cryptographycryptography
cryptography
Abhijeet Singh
 
SSL
SSLSSL
SSL
Badrul Alam bulon
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
Santosh Khadsare
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
Ghanshyam Patel
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
Damien Magoni
 
Ssl https
Ssl httpsSsl https
Ssl https
Andrada Boldis
 
Transport layer security (tls)
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)
Kalpesh Kalekar
 
TLS - Transport Layer Security
TLS - Transport Layer SecurityTLS - Transport Layer Security
TLS - Transport Layer Security
ByronKimani
 
IOS security
IOS securityIOS security
IOS security
bakhti rahman
 
Transport Layer Security
Transport Layer Security Transport Layer Security
Transport Layer Security
Ibrahiem Mohammed
 
Ip security
Ip security Ip security
Ip security
Dr.K.Sreenivas Rao
 
Chapter- I introduction
Chapter- I introductionChapter- I introduction
Chapter- I introduction
Dr.Florence Dayana
 
Introduction to SSL/TLS
Introduction to SSL/TLSIntroduction to SSL/TLS
Introduction to SSL/TLS
keithrozario
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
pavansmiles
 

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
Email security
Email securityEmail security
Email security
 
Pgp
PgpPgp
Pgp
 
Block Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption StandardBlock Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption Standard
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
 
Cryptography
CryptographyCryptography
Cryptography
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 
cryptography
cryptographycryptography
cryptography
 
SSL
SSLSSL
SSL
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Ssl https
Ssl httpsSsl https
Ssl https
 
Transport layer security (tls)
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)
 
TLS - Transport Layer Security
TLS - Transport Layer SecurityTLS - Transport Layer Security
TLS - Transport Layer Security
 
IOS security
IOS securityIOS security
IOS security
 
Transport Layer Security
Transport Layer Security Transport Layer Security
Transport Layer Security
 
Ip security
Ip security Ip security
Ip security
 
Chapter- I introduction
Chapter- I introductionChapter- I introduction
Chapter- I introduction
 

Destaque

Introduction to SSL/TLS
Introduction to SSL/TLSIntroduction to SSL/TLS
Introduction to SSL/TLS
keithrozario
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
Ahmed Elnaggar
 

Destaque (9)

Introduction to SSL/TLS
Introduction to SSL/TLSIntroduction to SSL/TLS
Introduction to SSL/TLS
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)
 
SSL, FFL, SFL Abbreviations
SSL, FFL, SFL AbbreviationsSSL, FFL, SFL Abbreviations
SSL, FFL, SFL Abbreviations
 
SSL & TLS Architecture short
SSL & TLS Architecture shortSSL & TLS Architecture short
SSL & TLS Architecture short
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets Layer
 
Plan symbols
Plan symbolsPlan symbols
Plan symbols
 

Semelhante a What is TLS/SSL?

Transport layer security.ppt
Transport layer security.pptTransport layer security.ppt
Transport layer security.ppt
ImXaib
 
Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)
Mumbai Academisc
 
VULNERABILITIES OF THE SSL/TLS PROTOCOL
VULNERABILITIES OF THE SSL/TLS PROTOCOLVULNERABILITIES OF THE SSL/TLS PROTOCOL
VULNERABILITIES OF THE SSL/TLS PROTOCOL
cscpconf
 
Vulnerabilities of the SSL/TLS Protocol
Vulnerabilities of the SSL/TLS ProtocolVulnerabilities of the SSL/TLS Protocol
Vulnerabilities of the SSL/TLS Protocol
csandit
 
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit DetectionComparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
CSCJournals
 

Semelhante a What is TLS/SSL? (20)

Details about the SSL Certificate
Details about the SSL CertificateDetails about the SSL Certificate
Details about the SSL Certificate
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
 
ssl
sslssl
ssl
 
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.pptWEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
 
Sequere socket Layer
Sequere socket LayerSequere socket Layer
Sequere socket Layer
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsTLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured Communications
 
Unit 6
Unit 6Unit 6
Unit 6
 
Web Security
Web SecurityWeb Security
Web Security
 
Transport layer security.ppt
Transport layer security.pptTransport layer security.ppt
Transport layer security.ppt
 
Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)
 
VULNERABILITIES OF THE SSL/TLS PROTOCOL
VULNERABILITIES OF THE SSL/TLS PROTOCOLVULNERABILITIES OF THE SSL/TLS PROTOCOL
VULNERABILITIES OF THE SSL/TLS PROTOCOL
 
Vulnerabilities of the SSL/TLS Protocol
Vulnerabilities of the SSL/TLS ProtocolVulnerabilities of the SSL/TLS Protocol
Vulnerabilities of the SSL/TLS Protocol
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
secure socket layer
secure socket layersecure socket layer
secure socket layer
 
ssl
sslssl
ssl
 
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit DetectionComparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
 
Differences to Know Between SSL & TLS certificate .pdf
Differences to Know Between SSL & TLS certificate .pdfDifferences to Know Between SSL & TLS certificate .pdf
Differences to Know Between SSL & TLS certificate .pdf
 
ch17.ppt
ch17.pptch17.ppt
ch17.ppt
 
Ssl
SslSsl
Ssl
 
SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Último (20)

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 

What is TLS/SSL?

  • 1. Outline:  Web Security  Executive Summary  Introduction to SSL/TLS  What is TLS/SSL?  Digital Certificates  Authentication and Verification  Services of SSL  The Four Upper Layer Protocols  Record Protocol  Change Cipher Spec Protocol  Alert Protocol  Handshake Protocol  Secure Socket Layer (SSL)  Where, What and How about SSL  Architecture  Transport Layer Security (TLS)  TLS Overview  Public Key Certificates  Implementation & Applications of SSL/TLS  Summary  References
  • 2. Security:  Web is now widely used by businesses, government firms and individuals.  But Internet & Web space are vulnerable.  Have a variety of threats related to  Integrity: Someone might alter content  Confidentiality: Anyone can see content  Denial of service:  Authentication: Not clear who you are talking with  need added security mechanisms Executive Summary: Transport Layer Security or TLS,widelyknownalsoasSecureSocketsLayerorSSL,isthemostpopularapplicationofpublickeycryp tographyintheworld.ItismostfamousforsecuringWebbrowsersessions,butithaswidespreadapplicati ontoothertasks TLS/SSL canbeusedtoprovide strong authentication of bothparties inacommunicationsession,strongencryptionofdatain transitbetweenthem,andverificationofthe integrityofthatdataintransitTLS/SSLcanbe used tosecureabroadrangeofcriticalbusinessfunctionssuchasWebbrowsing,server-toservercommunications,emailclient-to-servercommunications,softwareupdating,databaseaccess, virtualprivatenetworkingandothersHowever,whenused improperly,TLScangivetheillusionofsecuritywherethecommunicationshave beencompromisedItisimportanttokeepcertificatesuptodateandcheckrigorouslyforerrorcond itionsInmany,butnotallapplicationsofTLS,theintegrityoftheprocessisenhancedbyusingacertificatei
  • 3. ssuedbyan outside trusted CertificateAuthority(CA)ThispaperwillexplorehowTLSworks,bestpracticesforitsuse,andthevariou sapplicationsinwhichitcansecurebusinesscomputing. Introduction:  Secure Sockets Layer (SSL)  Developed by Netscape Corporation  Versions 1, 2, and 3 (released in 1996)  Transport Layer Security (TLS)  Successor of SSL  IETF standards track protocol, based on SSL 3.0  Last updated in RFC 5246 (2008)  Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet.  TLS and SSL encrypt the segments of network connections at the Transport Layer endto-end. Asthescience ofbusinesscomputing,andofcomputingsecurityinparticular, thetrendhasbeentofind securityweaknesseseverywhere wherecomplexityandfunctionalitygrow,sodotheopportunities forabuseofsystemsbymaliciousactors. hasadvanced, The solutions to these problems are varied and must be explored individually, but one technology shows up often: TLS or Transport Layer Security, often known by the name of the predecessor technology, SSL or Secure Sockets Layer TLSisbestknownasthetechnologywhichsecuresWebbrowsersessionsforbankingandothersensitivet asks,butitcanbeusedformuchmore. Clientservercommunicationwithavarietyofservertypes,inadditiontoWebservers,benefitsfromuseofTLS. Server-to-servercommunicationsalsoneedtobesecuredandcanbethroughTLS. ClientsupdatingapplicationsandothersoftwareontheirPCsshouldonlydosothroughasecureconnectio n,whichiswhysuchupdateapplicationsusuallyuseTLSor SSL. ThispaperwillexploretheseandotherapplicationsofTLSthatcansecuretheenterprisein themyriadplacesinwhichitcanbeattacked.
  • 4. TLSprovides3basicbenefits:  Itprovidesauthenticationofthecommunicatingparties,eitherone-wayorin both directions  Itencryptsthecommunicationsession“onthewire”  Itensurestheintegrityofthedatatransferred What is TLS/SSL? TLS/SSLisatunnelingprotocolthatworksatthetransportlayer. Itprovidesencryption,authenticationandintegrityverificationofdata,anddoessobymeansofdigitalcer tificates. Digital Certificates Adigitalcertificateisanelectronicdocumentwhichconfirmstheidentityofanentity– whichcouldbeauser,aserver,acompany,aprogramonaclient,justaboutanything– andassociatesthatentitywithapublickey. Thedigitalcertificateistheentity’sidentificationtothepublickeyinfrastructure. EachpartytoaTLSsecuredcommunicationcanevaluatethecontentsofthecertificate. ThemostexaminedfieldistheCommonNameEachthencomparesittowhattheyexpect. Itisalsowisetochecktheissuerofthecertificate. Istheissueratrustedparty?FormoreontheseissuersseeTrustedCertificateAuthorities, Userscangeneratetheirowndigitalcertificates,calledself-signedcertificates,withfreetools. Butsuchcertificatesareinherentlyuntrustworthyandtherealvalueofcertificates comeswhentheyareissuedbyatrustedCA. UserscancreateandruntheirownCAontheirnetworkandsometimesthismakessense,butinmanycasesit isnecessarytouseanoutsidetrusted CA whichoutsidepartiescanalsotrustSymantec™isthelargestCA. Authentication and Verification
  • 5. Publickeycryptographyallowstwopartiestoauthenticateeachother. Eachpartyhastwo keys,whicharelargenumericvalues. Amessageexchangedbetweentheparties isrunthroughahashingalgorithm. Ahashfunctiontakesablockofdataandcreatesavaluefromit,knownasahashordigestMakeevena small changeinthedataandthehashchangessignificantly. Atthesametimethereisnowaytorecreatethedatafromthehash. Thesendingpartytothecommunicationsusestheirprivatekeytoencryptthehashvalue. Thisencryptedvalueiscalledadigitalsignature. Themessageandsignaturearesenttotherecipientparty. Therecipientpartyusesthesender’spublickeytodecryptthesignature. Theygenerateahashofthemessageusingthesamealgorithmasthesenderandcomparethevalues. Ifthevaluesarethesamethentwothingsarecertain:thedatahasnotbeentamperedwithandthesenderiswh otheypurporttobe. Thisisbecausetheprivatekeycorrespondingtothepublickeyinthecertificatewasusedtosignthedata,an dtheprivatekeyshouldonlybe accessiblebythesendernamedinthecertificate. NeitherauthenticationnorintegrityverificationaremandatoryinTLSYoucanuseitsimplysothatthebits on thewireareencrypted. Butauthenticationis acorefeature,importanttomostcustomers. Services of SSL: SSL Provides several services on data received from the application layer.  Fragmentation: First SSL divides the data into blocks of 2^14 bytes or less.  Compression: Each fragment of data is compressed using one of the lossless compression methodnegotiated between the client and server. This service is optional.  Message Integrity: To preserve the integrity of data, SSL uses a keyed Hash function to create a MAC.  Confidentiality: To provide confidentiality, the original data and the MAC are encrypted using symmetric key cryptography  Framing:
  • 6. A header is added to the encrypted payload. The payload is then passed to a reliable transport protocol. The Four Upper Layer Protocols  Application Encryption Protocol  Encrypt/Decrypt application data  Change Cipher Spec Protocol  Alert to a change in communication variables  Alert Protocol  Messages important to SSL connections  Handshaking Protocol  Establish communication variables SSL Record Protocol Services provided are:  Confidentiality  using symmetric encryption with a shared secret key defined by Handshake Protocol  IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128  message is compressed before encryption  Message integrity  using a MAC (Message Authentication Code) created using a shared secret key and a short message
  • 7. SSL Change Cipher Spec Protocol:  one of 3 SSL specific protocols which use the SSL Record protocol  a single message  Purpose of message  Cause copy of pending state to current state.  Updates cipher suite to be used on the current connection. SSL Alert Protocol:  conveys SSL-related alerts to peer entity  Consists of two bytes  1st byte : warning or fatal  2nd byte: code for specific alerts  specific alert types  unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter  close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown  compressed & encrypted like all SSL data SSL Handshake Protocol:  The most complex part of SSL.
  • 8.  allows server & client to:  authenticate each other  to negotiate encryption & MAC algorithms  to negotiate cryptographic keys to be used  comprises a series of messages in phases  Establish Security Capabilities  Server Authentication and Key Exchange  Client Authentication and Key Exchange  Finish  The client(Alice) and server(Bob) must agree on various parameters to establish the connection  Alice request a secure connections and presents a list of Cipher Suites  Bob picks the strongest supported Cipher Suite  Bob sends back his digital certificate o Including the certificate authority and his public key  By encrypting using the server’s public key, Alice send a random number to Bob securely  Alice and Bob generate key material from the random number  Secure connection established
  • 9. `
  • 10.
  • 11. SSL Handshake Protocol:  This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record.
  • 12. TLS (Transport Layer Security) SSL Key Exchange (Simplified) 1. SSL client connects to an SSL server 2. Server then sends its own certificate that contains its public key 3. Client then creates a random key (premaster key) and uses server's public key to encrypt it
  • 13. 4. Client then sends encrypted premaster key to the server 5. Server then decrypts it (only the server that has the matching private key can decrypt it) and uses decrypted premaster key to create secret session key 6. Now both client and server uses secret session key for further communication Secure Socket Layer (SSL): Where SSL fits? SSL runs over TCP:  Confidentiality (Privacy)  Data integrity (Tamper-proofing)  Server authentication (Proving a server is what it claims it is) – Used in typical B2C transaction  Optional client authentication – Would be required in B2B (or Web services environment in which program talks to program) What security is provided?
  • 14.  By providing:  Endpoint Authentication  Unilateral or Bilateral  Communication Confidentiality  For preventing:  Eavesdropping  Tampering  Message Forgery Eavesdropping Tampering Message Forgery • Encryption • Symmetric-key Cryptography • Message Digest • Cryptographic Hash • Authentication & Digital signature • Public-key Cryptography SSL Architecture: TLS (Transport Layer Security)  TLS uses stronger encryption algorithms and has the ability to work on different ports. Additionally, TLS version 1.0 does not interoperate with SSL version 3.0.  IETF standard RFC 2246 similar to SSLv3
  • 15.  with minor differences  In record format version number  Uses HMAC for MAC  A pseudo-random function expands secrets  Has additional alert codes  Some changes in supported ciphers  Changes in certificate negotiations  Changes in use of padding Changes from SSL 3.0 to TLS: TLSisthesuccessortechnologytoSSL, whichwasdevelopedbyNetscapein1994. ThefirstpublicreleasewasSSLversion,andwasquicklyfollowedbyversion. TheTLSspecificationwasreleasedin1999inRFC2246,andisonlyaminormodificationofSSL3. Changeshavecomeatamuchslowerpacesincethen,withTLS1.1and1.2largelyconcernedwithsecurity improvements. TLSisstillwidelycalledSSL,especiallyinproductnames,evenifthetermisstrictlyinaccurate. TLSversionsaredesignedtointeractwith androllbacktoearlierprotocolssuchasSSL3. Infact,intheprotocolhandshake,TLS1.0,1.1 and1.2 usetheversionnumbers3.1,3.2and3.3 Oneofthemaindifferencesyou’llseebetweenSSLandTLSversionsarethecryptographicfeatures,inclu dingtheciphers,hashalgorithmsandkeyexchangemechanismstheysupport. Astimeandversionsadvance,supportforweakerfeaturesisdroppedfromtheprotocolandstrongeronesa dded.  Fortezza removed  Additional Alerts added  Modification to hash calculations  Protocol version 3.1 in ClientHello, ServerHello What is TLS?  Protocol layer  Requires reliable transport layer (e.g. TCP)  Supports any application protocols
  • 16. TLS: Privacy:  Encrypt message so it cannot be read  Use conventional cryptography with shared key  DES, 3DES  RC2, RC4  IDEA TLS: Key Exchange:  Need secure method to exchange secret key  Use public key encryption for this  “key pair” is used - either one can encrypt and then the other can decrypt  slower than conventional cryptography  share one key, keep the other private  Choices are RSA or Diffie-Hellman TLS: Integrity:  Compute fixed-length Message Authentication Code (MAC)  Includes hash of message  Includes a shared secret  Include sequence number  Transmit MAC with message  Receiver creates new MAC  should match transmitted MAC  TLS allows MD5, SHA-1 TLS: Authentication:  Verify identities of participants  Client authentication is optional  Certificate is used to associate identity with public key and other attributes TLS: Architecture:
  • 17.  TLS defines Record Protocol to transfer application and TLS information  A session is established using a Handshake Protocol TLS: Record Protocol: TLS: Handshake:  Negotiate Cipher-Suite Algorithms  Symmetric cipher to use  Key exchange method  Message digest function  Establish and share master secret  Optionally authenticate server and/or client Handshake Phases:  Hello messages  Certificate and Key Exchange messages  Change Cipher Spec and Finished messages Implementation of SSL/TLS:  SSL and TLS have been widely implemented  Open source software projects ○ OpenSSL, NSS, or GnuTLS  Microsoft Windows
  • 18. ○ Part of its Secure Channel  Browsers ○ Google Chrome ○ Internet Explorer, etc. Client Side: <? Php//-------------------------------------Message Encryption Start .......................// $plan_text=$_POST['text']; $befor_cipher=$plan_text; $strlen=strlen($plan_text)."<br />"; $abc=array("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s", "t","u","v","w","x","y","z"); $count=0; $replace=array(); for($count=0; $count<$strlen; $count++) { foreach($abc as $key=>$value) { if($plan_text[$count]==$value)
  • 19. { $replace[$count]=$abc[25-$key]; } } } $cipher_text=implode($replace); //.................................................... Message Encrption End .......................... // //........................................ Codding For Connection Start ....................// $host = "192.168.1.9"; $port = 25003; //set_time_limit(0); echo "<h1>Message Sent</h1><br />"; echo "Plan Text : ".$befor_cipher; echo "<br />Cipher Text : ".$cipher_text; // create socket $socket = socket_create(AF_INET, SOCK_STREAM, 0) or die("Could not create socketn"); // connect to server $result = socket_connect($socket, $host, $port) or die("Could not connect to servern"); // send string to server socket_write($socket, $cipher_text, strlen($cipher_text)) or die("Could not send data to servern"); // close socket socket_close($socket); // ...........................................Codding for connection End.............................// ?> Server Side:
  • 20. <?php //.............................................Codding Start.........................// for SERVER Connection // set some variables $host = "192.168.1.9"; $port = 25003; // don't timeout! set_time_limit(0); // create socket $socket = socket_create(AF_INET, SOCK_STREAM, 0) or die("Could not create socketn"); // bind socket to port $result = socket_bind($socket, $host, $port) or die("Could not bind to socketn"); // start listening for connections $result = socket_listen($socket, 10) or die("Could not set up socket listenern"); // accept incoming connections // spawn another socket to handle communication $spawn = socket_accept($socket) connectionn"); or die("Could not accept incoming // read client input $cipher_text = socket_read($spawn, 1024) or die("Could not read cipher_textn"); echo "<h1>Message Received</h1><br />"; echo "Cipher text :".$cipher_text."<br />"; // close sockets socket_close($spawn); socket_close($socket); //.............................................Codding End.........................// for SERVER //.................................................Decription Start.........................// Connection
  • 21. $strlen=strlen($cipher_text)."<br />"; $abc=array("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s", "t","u","v","w","x","y","z"); $count=0; $replace=array(); for($count=0; $count<$strlen; $count++) { foreach($abc as $key=>$value) { if($cipher_text[$count]==$value) {$replace[$count]=$abc[25-$key];} } } $plan_text=implode($replace); echo "Plan Text : ".$plan_text; //...............................................Decription Enc.........................// ?> Socket Programming in PHP Introduction Sockets are used for inter process communication. Inter process communication is generally based on client-server model. In this case, client-server is the applications that interact with each other. Interaction between client and server requires a connection. Socket programming is responsible for establishing that connection between applications to interact. By the end of this tip, we will learn how to create a simple client-server in PHP. We will also learn how client application sends message to server and receives it from the same. Using the Code Aim: Develop a client to send a string message to server and server to return reverse of the same message to client.
  • 22. PHP SERVER Step 1: Set variables such as "host" and "port" $host = "127.0.0.1"; $port = 5353; // No Timeout set_time_limit(0); Port number can be any positive integer between 1024 -65535. Step 2: Create Socket $socket = socket_create(AF_INET, SOCK_STREAM, 0) or die("Could not create socketn"); Step 3: Bind the socket to port and host Here the created socket resource is bound to IP address and port number. $result = socket_bind($socket, $host, $port) or die("Could not bind to socketn"); Step 4: Start listening to the socket After getting bound with IP and port server waits for the client to connect. Till then it keeps on waiting. $result = socket_listen($socket, 3) or die("Could not set up socket listenern"); Step 5: Accept incoming connection This function accepts incoming connection request on the created socket. After accepting the connection from client socket, this function returns another socket resource that is actually responsible for communication with the corresponding client socket. Here “$spawn” is that socket resource which is responsible for communication with client socket. $spawn = socket_accept($socket) or die("Could not accept incoming connectionn"); So far, we have prepared our server socket but the script doesn't actually do anything. Keeping to our aforesaid aim, we will read message from client socket and then send back reverse of the received message to the client socket again. Step 6: Read the message from the Client socket $input = socket_read($spawn, 1024) or die("Could not read inputn");
  • 23. Step 7: Reverse the message $output = strrev($input) . "n"; Step 8: Send message to the client socket socket_write($spawn, $output, strlen ($output)) or die("Could not write outputn"); Close the socket socket_close($spawn); socket_close($socket); This completes with the server. Now we will learn to create PHP client. PHP CLIENT The first two steps are the same as in the server. Step 1: Set variables such as "host" and "port" $host = "127.0.0.1"; $port = 5353; // No Timeout set_time_limit(0); Note: Here the port and host should be same as defined in server. Step 2: Create Socket $socket = socket_create(AF_INET, SOCK_STREAM, 0) or die("Could not create socketn"); Step 3: Connect to the server $result = socket_connect($socket, $host, $port) or die("Could not connect toservern"); Here unlike server, client socket is not bound with port and host. Instead it connects to server socket, waiting to accept the connection from client socket. Connection of client socket to server socket is established in this step. Step 4: Write to server socket socket_write($socket, $message, strlen($message)) or die("Could not send data to servern"); In this step, client socket data is sent to the server socket.
  • 24. Step 5: Read the response from the server $result = socket_read ($socket, 1024) or die("Could not read server responsen"); echo "Reply From Server :".$result; Step 6: Close the socket socket_close($socket); Application of SSL/TLS:  On top of the Transport Layer protocols  Primarily with TCP  Datagram Transport Layer Security(DTLS) for UDP  Encapsulating the application protocols  HTTP (HTTPS)  for securing WWW traffic  FTP (FTPS) SMTP, NNTP, etc. References:  William Stallings, 5th Edition, “Transport-Level Security”, Chapter 16, Pages : 509-543  www.cse.buffalo.edu/DBGROUP/nachi/ecopres/fengmei  http://www.slideshare.net/leethree/ssl-intro