Encryption, SSL and Certificates By Joshua Cox and Rachael Mead
Outline
• Cryptography
  • Encryption
• SSL
  • Overview
  • Keys
  • Statistics
• Certificates
  • Explanation of certificates
  • MITM attacks with keys
  • Disadvantages
Encryption
• A type of cryptography
• Cryptography: the practice and study of techniques for secure communication in the presence of third parties
• Encryption: the process of encoding messages so that only authorized parties can read them
• Uses encryption keys to encrypt and decrypt the message
• Used in military communications in the past; nowadays primarily used for protecting computer data
SSL: What is SSL?
• SSL stands for Secure Sockets Layer. It is a standard security technology for establishing an encrypted link between a server and a client
• The first SSL certificate was created in 1994 by Netscape Communications
• SSL certificate issuers are called Certificate Authorities, or CAs
• SSL allows sensitive information such as credit card numbers and social security numbers to be transmitted securely
• The Payment Card Industry (PCI) requires merchants to have an SSL certificate
• The main components of an SSL certificate are its keys: the public key and the private key
SSL Keys
• Public key: encryption
• Private key: decryption
• Session key: temporary key shared by the server and the browser
SSL Asymmetric Encryption
• Asymmetric encryption, or public-key cryptography, uses separate keys for encryption and decryption
• Only the intended receiver can decrypt the message
• Asymmetric keys are typically 1024 or 2048 bits
• A 2048-bit key is a number 617 decimal digits long; estimated at 14 billion years to crack
SSL Symmetric Encryption
• Symmetric encryption uses a single key to both encrypt and decrypt data
• Both the sender and the receiver need the same key to communicate
• Symmetric key sizes are typically 128 or 256 bits; the larger the key size, the harder the key is to crack
SSL Symmetric vs. Asymmetric
Symmetric keys have a major disadvantage: because the same key is used for both encryption and decryption, it has to be shared with the other party first, and anyone who obtains it can decrypt. Asymmetric encryption doesn't have this problem. As long as you keep your private key secret, no one else can decrypt your messages; only the holder of the private key can decrypt, which makes asymmetric encryption the stronger of the two.
SSL Handshake / Example
• The negotiation that sets up the connection between the browser and the server is known as the "SSL handshake"
• Class activity!
SSL Statistics
• 55.9% of websites do not use an SSL certificate
• 11.3% use self-signed certificates
• 32.8% use a certificate from a Certificate Authority; of these, 38.3% use Symantec
  • Symantec owns VeriSign and GeoTrust, among others
Sources: w3techs.com, sslshopper
Certificates: What They Do
• Electronic credentials
• Think of a passport or an ID
• Help to prevent MITM attacks
• Help preserve data integrity
Certificates: Man-in-the-Middle Attacks
Suppose Alice is your grandmother and Bob is her banker, and Mallory is intercepting their messages.
• Someone is intercepting and modifying communications
• Mallory can generate her own public keys and eavesdrop on messages
• Capable of impersonating official websites
Certificates: How to Solve MITM Attacks
• Certificates wrap the keys and other identifying information, and encrypt them
• The certificate is signed by a trusted Certificate Authority
• This is what allows you to host a secure website (https)
• Certificate Authorities charge from $60 a year to $500 a year (source: whichssl.com)
• You can make your own certificate, but it is not trusted
• Certificate example: tldp.org
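As an added worked example (not part of the original slides), the following Python models the handshake from the SSL Handshake slide together with the certificate check from the two man-in-the-middle slides. It is a constructed toy: textbook RSA on tiny primes stands in for 2048-bit RSA, an HMAC-SHA256 counter-mode stream cipher stands in for the symmetric cipher, and the certificate format, the hostname bank.example and the message are invented. The public key encrypts and the private key decrypts, exactly as on the Keys slide; the session key is the temporary symmetric key; and the CA signature is what stops Mallory from swapping in her own public key.

```python
"""Toy model of the SSL handshake and certificate check (illustration only).

Constructed example: tiny textbook RSA keys and an HMAC-SHA256 counter-mode
stream cipher stand in for real 2048-bit RSA and AES. Nothing here is secure;
the point is to make the roles of the public, private and session keys visible.
"""
import hashlib
import hmac
import secrets


def make_keypair(p, q, e=17):
    """Textbook RSA on two tiny primes (assumed coprime to e). Returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (needs Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, blocks):
    """Apply a key to a list of small integers: encrypt/verify with the public
    key, decrypt/sign with the private key. Each block must be < n."""
    exp, n = key
    return [pow(b, exp, n) for b in blocks]


def sym_xor(session_key, nonce, data):
    """Symmetric stream cipher: XOR data with HMAC-SHA256(key, nonce || counter).
    The same call encrypts and decrypts, which is the symmetric property."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(session_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def fingerprint(subject, public_key):
    """Hash of what the certificate vouches for: the site name and its public key."""
    e, n = public_key
    return list(hashlib.sha256(f"{subject}|{e}|{n}".encode()).digest())


def issue_certificate(ca_private, subject, public_key):
    """The CA signs the fingerprint with its private key."""
    return {"subject": subject, "public_key": public_key,
            "signature": rsa_apply(ca_private, fingerprint(subject, public_key))}


def verify_certificate(ca_public, cert):
    """Browser recovers the fingerprint with the CA's public key and compares."""
    recovered = rsa_apply(ca_public, cert["signature"])
    return recovered == fingerprint(cert["subject"], cert["public_key"])


def browser_hello(ca_public, cert, message):
    """Browser side of the handshake: check the certificate, then wrap a fresh
    session key with the server's public key and encrypt the message with it.
    Returns None if the certificate does not verify."""
    if not verify_certificate(ca_public, cert):
        return None
    session_key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(8)
    return {"wrapped_key": rsa_apply(cert["public_key"], session_key),
            "nonce": nonce,
            "ciphertext": sym_xor(session_key, nonce, message)}


def server_receive(server_private, hello):
    """Server side: only the private key can unwrap the session key."""
    session_key = bytes(rsa_apply(server_private, hello["wrapped_key"]))
    return sym_xor(session_key, hello["nonce"], hello["ciphertext"])


def demo(message=b"transfer $100 to account 42"):
    ca_public, ca_private = make_keypair(61, 53)      # the trusted CA
    srv_public, srv_private = make_keypair(67, 71)    # Bob's bank server
    cert = issue_certificate(ca_private, "bank.example", srv_public)

    # Honest path: Alice's browser trusts the CA, so the handshake succeeds.
    hello = browser_hello(ca_public, cert, message)
    received = server_receive(srv_private, hello)

    # Mallory swaps her own public key into the certificate. She cannot
    # re-sign it without the CA's private key, so the browser refuses.
    mal_public, _mal_private = make_keypair(73, 79)
    forged = dict(cert, public_key=mal_public)
    forged_accepted = browser_hello(ca_public, forged, message) is not None
    return {"received": received, "forged_accepted": forged_accepted}


if __name__ == "__main__":
    print(demo())
```

Two caveats worth knowing beyond the toy: modern TLS (1.3) no longer encrypts the session key with the server's RSA key but derives it with an ephemeral Diffie-Hellman exchange, which is what gives forward secrecy; and a real browser checks more than the CA signature, including that the certificate's name matches the hostname, that it is within its validity period and that it has not been revoked.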
Disadvantages of SSL and Certificates
• Certificate Authorities' security can be breached
  • DigiNotar: in July 2011 an attacker was able to make a near-perfect Google replica. DigiNotar certificates are now banned from most browsers
  • Trustwave, an international Certificate Authority, sold trusted root certificates to an unknown client. There is reason to believe Trustwave is not the only CA to do this
• Heartbleed bug
  • heartbleed.com
• There are patented interception taps
  • Governments and vendors use interception taps