
SSL and HTTPS for Web Communication

CSCI 5857: Encoding and Encryption


Web Security Problems

Major concerns:

  • Encryption of sensitive data sent between client and server

  • Authentication of server

    • How does client know who they are dealing with?

  • Information integrity

    • How do we know third party has not altered data en route?

[Figure: Alice thinks she is at Bob’s web site, but Darth is spoofing it.]

[Figure: address information sent to Bob’s web site is changed so the item is shipped to Darth.]


Certificates

  • Web sites that deal in ecommerce must have certificates for authentication

    • Installed at server

    • Transmitted to client for authentication

    • Validated using CA’s public key

[Figure: the browser on the client machine sends a request for a secure session to the web container (JSP, ASP) on the server machine; a certificate signed by the CA is returned.]


Certificates

  • Public keys stored in browser

    • Can request from other CAs via public key infrastructure as needed


Secure Socket Layer Protocol

  • Secure Socket Layer protocol for web communication

    • Latest upgrade: Transport Layer Security (TLS)

    • Same structure as SSL, somewhat more secure


SSL Protocol: Phase 1

Phase 1: Information exchange

  • Problem: Large number of encryption algorithms in use

    • How do client and server agree on which to use?

    • How does client tell server which ones it supports?


SSL Protocol: Phase 1

  • Client passes preferred algorithms to server via https request

    • Public key encryption algorithms

    • Private key encryption algorithms

    • Hash algorithms

    • Compression algorithms

    • Also random number for key generation

  • Server replies with algorithms that will be used

    • Also passes own random number


SSL Protocol: Phase 2

Phase 2: Server Identification and Key Exchange

  • Server passes their certificates to client

    • Client uses issuer public key to verify identity

    • Client retrieves server public key from certificate

    • Server may pass many certificates for authentication


SSL Protocol: Phase 2

  • If no certificate containing a public key, separate public key must be passed

[Figure: certificate contains RSA public key, so no separate key passed.]

[Figure: no certificate, so Diffie-Hellman key exchange parameters passed.]


SSL Protocol: Phase 2

  • Server can also request appropriate client certificates to authenticate client

    • Online banking

    • Remote access to company database


SSL Protocol: Phase 3

Phase 3: Client Identification and Key Exchange

  • Client sends certificate or public key if requested by server


SSL Key Generation

  • Client generates “pre-master key”

  • Sends it to server encrypted with server public key

  • Client and server use it to generate the master key, which is used to create cipher keys

    • Also use client, server random numbers exchanged in phase 1


SSL Key Generation

  • Key material used to generate:

    • Keys for encryption and authentication (MAC)

    • IVs for cipher block chaining
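
The key generation steps above, worked through as an added example (not part of the original slides). It assumes the SSL 3.0 construction from RFC 6101; the function names and the sample pre-master key and random numbers are constructed for illustration.

```python
import hashlib

def ssl3_expand(secret: bytes, seed: bytes, n_bytes: int) -> bytes:
    """SSL 3.0 expansion (RFC 6101): concatenate
    MD5(secret + SHA1(label + secret + seed)) for labels 'A', 'BB', 'CCC', ..."""
    out = b""
    i = 0
    while len(out) < n_bytes:
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:n_bytes]

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master key from the pre-master key and both phase 1 randoms."""
    return ssl3_expand(pre_master, client_random + server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """Expand the master key and cut it into MAC keys, cipher keys and IVs.
    The randoms are concatenated server-first here, client-first above."""
    sizes = [("client_mac", mac_len), ("server_mac", mac_len),
             ("client_key", key_len), ("server_key", key_len),
             ("client_iv", iv_len), ("server_iv", iv_len)]
    material = ssl3_expand(master, server_random + client_random,
                           sum(n for _, n in sizes))
    keys, pos = {}, 0
    for name, n in sizes:
        keys[name] = material[pos:pos + n]
        pos += n
    return keys

# Constructed sample values (not from a real session).
PRE_MASTER = b"\x03\x00" + bytes(range(46))   # 48 bytes
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    # Sizes for a suite with a SHA-1 MAC (20), 3DES key (24) and CBC IV (8).
    for name, value in key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, 20, 24, 8).items():
        print(f"{name:11s} {value.hex()}")
```

Both sides run the same derivation, so only the pre-master key ever crosses the network, and each direction gets its own MAC key, cipher key and IV.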


Phase 4: Final Handshake

Client and server verify protocols and keys

  • Sender signs/encrypts “finished” message

  • Receiver decrypts/verifies message to confirm keys


SSL Data Transmission

  • Message broken into blocks

  • Block compressed

  • Compressed block hashed with authentication key to get MAC (message integrity)

  • Compressed block + MAC encrypted with cipher key

  • Encrypted block + record protocol header with version/length information sent


SSL Data Transmission

  • MAC algorithm is modified HMAC

    • Two stage hash with secret MAC key inserted at each stage

    • Values similar to IPAD and OPAD also inserted
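
The two-stage MAC described above, as an added example (not part of the original slides). It assumes the SSL 3.0 record MAC from RFC 6101; the function names, MAC key and record contents are constructed, with the tampered record modelled on the Darth address-change scenario from the start of the deck.

```python
import hashlib
import hmac
import struct

PAD_LEN = {"md5": 48, "sha1": 40}   # pad lengths per hash in RFC 6101

def ssl3_mac(mac_key: bytes, seq_num: int, content_type: int,
             fragment: bytes, hash_name: str = "sha1") -> bytes:
    """Two-stage hash: the MAC key and a fixed pad are inserted at each stage."""
    pad1 = b"\x36" * PAD_LEN[hash_name]   # plays the role of HMAC's ipad
    pad2 = b"\x5c" * PAD_LEN[hash_name]   # plays the role of HMAC's opad
    # 64-bit sequence number, 1-byte record type, 2-byte fragment length.
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, mac_key + pad1 + header + fragment).digest()
    return hashlib.new(hash_name, mac_key + pad2 + inner).digest()

def verify_record(mac_key: bytes, seq_num: int, content_type: int,
                  fragment: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    expected = ssl3_mac(mac_key, seq_num, content_type, fragment, hash_name)
    return hmac.compare_digest(expected, tag)

def standard_hmac(mac_key: bytes, seq_num: int, content_type: int,
                  fragment: bytes, hash_name: str = "sha1") -> bytes:
    """Standard HMAC over the same fields, for comparison only."""
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    return hmac.new(mac_key, header + fragment, hash_name).digest()

# Constructed sample values (not from a real session).
MAC_KEY = bytes(range(20))
APPLICATION_DATA = 23                      # record type for application data
ORIGINAL = b"ship_to=Alice, 1 Main St"     # stands in for the compressed block
TAMPERED = b"ship_to=Darth, 9 Dark Rd"     # same length, altered en route

if __name__ == "__main__":
    tag = ssl3_mac(MAC_KEY, 0, APPLICATION_DATA, ORIGINAL)
    print("original :", verify_record(MAC_KEY, 0, APPLICATION_DATA, ORIGINAL, tag))
    print("tampered :", verify_record(MAC_KEY, 0, APPLICATION_DATA, TAMPERED, tag))
    print("replayed :", verify_record(MAC_KEY, 1, APPLICATION_DATA, ORIGINAL, tag))
```

Because the sequence number is hashed with the data, a record replayed or reordered within a connection fails verification even when its contents are untouched.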


Sessions and SSL

  • Connection: single transmission between client and server

  • Session: set of connections for some purpose

    • Example: Ecommerce payment session: Credit card, Address, etc.

    • Often involves same https sessions

  • Can reuse same keys for all connections in session

    • Much more efficient than restarting SSL protocol each connection

    • Can still require restarting the protocol for each connection when maximum security is needed


HTTPS Protocol

  • When started, requests secure session from server

    • Uses separate port in some servers

  • Invokes SSL protocol


HTTPS Protocol

  • HTTPS protocol is expensive

    • Should not do unless necessary

  • Once done with secure transactions, should go back to using non-secure channel

    • Return to non-secure port

