WEB SECURITY SSL - PowerPoint PPT Presentation

1 / 23
About This Presentation
Title:

WEB SECURITY SSL

Description:

Virtually all businesses, most governments agencies, and many individuals now ... Impersonation. Data Forgery. Authentication. Killing of user threads ... – PowerPoint PPT presentation

Number of Views:79
Avg rating:3.0/5.0
Slides: 24
Provided by: abirl
Category:

less

Transcript and Presenter's Notes

Title: WEB SECURITY SSL


1
WEB SECURITYSSL
  • Presented by
  • Samia Gad Omar
  • March 2005

2
Contents
  • Handshake Protocol
  • SSL Record Protocol
  • Change C-Spec Protocol
  • HTTPS
  • SSL 3.0 Analysis
  • Conclusion
  • References
  • Introduction
  • Network Security Services
  • Web Security Threats
  • Web Security
  • What is SSL?
  • SSL Services
  • SSL Architecture

3
Introduction
  • Virtually all businesses, most governments
    agencies, and many individuals now have Web
    sites, the number of sites expanding rapidly. As
    a result, businesses are setting up facilities on
    the web for electronic commerce. This explosive
    growth of the Internet and the World Wide Web has
    brought with it a need to securely protect
    sensitive communications sent over this open
    network.

4
Network Security Services
  • Authentication the assurance that the
    communicating entity is the one that is claims to
    be.
  • Data Confidentiality the protection of data from
    unauthorized disclosure.
  • Data Integrity the assurance that data received
    are exactly as sent by an authorized entity.
  • Non Repudiation provides protection against
    denial by one of the entities involved in the
    communication.
  • Access Control the prevention of unauthorized
    use of a resource.

5
Web Security
  • Web Security can be divided into three main
    parts
  • Naming objects and resources securely.
  • (Secure DNS, Self-certifying names,)
  • Secure authenticated connection.
  • (SSL Secure Sockets Layer)
  • Mobile Code Security.
  • (Most of the pages now a days contain
    executable code, including Java applets, ActiveX
    controls, and Java scripts.)

6
Web Security Threats
7
What is SSL?
  • In 1995 Netscape Communication Corp, introduced a
    security package called SSL (Secure Socket Layer)
    to meet the demands for secure connections.
  • SSL is a protocol that transmits your
    communications over the internet in an encrypted
    form. SSL ensure that the information is sent
    unchanged, only to the server you communicate
    with.
  • Online shopping sites frequently use SSL
    technology to safeguard your information and
    financial transactions.
  • In 1996 Netscape Communication Corp, turned SSL
    over to IETF for standardization, the result was
    TLS (Transport Layer Security).

8
SSL Services
  • SSL builds a secure connection between two
    sockets, including
  • Parameter negotiation between client and server.
  • Mutual authentication of client and server
  • Secret communication
  • Data integrity protection.

9
SSL Architecture
  • SSL is a new layer interposed between the
    application layer and the transport layer.
  • SSL is divided into two layers
  • 1- Upper layer a key exchange protocol which
    initializes and synchronizes cryptographic state
    at the two endpoints.
  • 2- Lower layer compression and encryption of
    sensitive application data.
  • SSL supports a variety of different algorithms
    and options.

10
Handshake Protocol
  • It is the most complex part of SSL. It consists
    of a series of message exchanged by client and
    server.
  • Phase 1 Establish security capabilities,
    including protocol version, session ID, cipher
    suite, compression method, and initial random
    number.
  • Phase 2 Server may send certificate key
    exchange, and request certificate.
  • Phase 3 Client sends certificate, key exchange,
    certificate verification.
  • Phase 4 Change cipher suite and finish handshake
    protocol.

11
SSL Record Protocol
  • The protocol takes an application message to be
    transmitted, fragments the data into manageable
    blocks, optionally compresses the data, applies
    MAC, encrypts, adds a header, and transmits the
    resulting unit in a TCP segment. Received data
    are decrypted, verified, decompressed, and
    reassembled and then delivered to higher level
    user.

12
HTTPS
Change Cipher Spec Protocol
  • This protocol consists of a single message, the
    purpose of it is to cause the pending state to be
    copied in to the current state, which updates the
    cipher suite to be used on this connection.
  • HTTP is called Secure HTTP (or HTTPS) when it is
    used over SSL.

13
Alert Protocol
  • This protocol convey SSL-related alerts to the
    peer entity.
  • Alert message are compresses and encrypted.
  • First byte convey the severity of the message,
    warning or Fatal.
  • Second byte contains the code of the alert
    (failure, illegal parameter, unknown
    certificate,).

14
The network is weaker than the weakest point in
the network
15
SSL Analysis
  • SSL 3.0 aims to provide Internet client/server
    applications with a practical, widely applicable
    connection-oriented communications security
    mechanism. A number of minor flaws in the
    protocol and several new attacks on SSL are
    presented.

16
The Key Exchange Layer Analysis
  • The most important attacks are of the type man-in
    the middle attacks
  • Dropping the change cipher spec message.
  • Key-exchange algorithm rollback.
  • Version rollback attacks.

17
The Key Exchange Layer Analysis
  • Dropping the change cipher spec message

18
The Key Exchange Layer Analysis
  • Key-exchange algorithm rollback.

19
The Key Exchange Layer Analysis
  • Version rollback attacks

20
The Record Layer Analysis
  • Confidentiality Eavesdropping.
  • Confidentiality Traffic analysis
  • Confidentiality Active attacks
  • Cut-and-Paste attack, Short-block attack.
  • Message Authentication HMAC.
  • Replay Attacks
  • The Horton principle
  • Authenticate what was meant, not what was said

21
Conclusion
  • The protection of application data by the SSL
    record layer is quite good.
  • The SSL handshake protocol has several
    vulnerabilities and worrisome features. Most of
    the weaknesses (active attacks) described
    previously arise from a small oversight and can
    be corrected without overhauling the basic
    structure of the protocol, of course , they are
    still worth fixing.
  • In general SSL 3.0 provides excellent security
    against passive attacks.

22
References
  • A. S. Tanenbaum, Computer Networks, 4thedition,
    2002, Prentice Hall, Ch 8.
  • W. Stallings, Cryptography and Network Security
    Principles and Practice, 3rdedition, 2003,
    Pearson Education, CH 17.
  • Analysis of the SSL 3.0 potocol, David Wagner
    Bruce Schneier.

23
Thank You
Write a Comment
User Comments (0)
About PowerShow.com