SSL Trust Pitfalls - PowerPoint PPT Presentation

About This Presentation
Title:

SSL Trust Pitfalls

Description:

prof. ravi sandhu the certificate triangle server-side ssl (or 1-way) handshake with rsa client-side ssl (or 2-way) handshake with rsa single root ca model single ... – PowerPoint PPT presentation

Number of Views:69
Avg rating:3.0/5.0
Slides: 26
Provided by: RaviS8
Category:

less

Transcript and Presenter's Notes

Title: SSL Trust Pitfalls


1
SSL Trust Pitfalls
Prof. Ravi Sandhu
2
THE CERTIFICATE TRIANGLE
user
X.509 identity certificate
X.509 attribute certificate
attribute
public-key
SPKI certificate
3
SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA
Handshake Protocol
Record Protocol
4
CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA
Handshake Protocol
Record Protocol
5
SINGLE ROOT CA MODEL
Root CA
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
Root CA
User
6
SINGLE ROOT CAMULTIPLE RAs MODEL
Root CA
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
Root CA
7
MULTIPLE ROOT CAs MODEL
Root CA
Root CA
Root CA
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
Root CA
User
Root CA
User
Root CA
User
8
ROOT CA PLUS INTERMEDIATE CAs MODEL
Z
X
Y
Q
R
S
T
A
C
E
G
I
K
M
O
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
9
SECURE ELECTRONIC TRANSACTIONS (SET) CA HIERARCHY
Root
Brand
Brand
Brand
Geo-Political
Bank
Acquirer
Customer
Merchant
10
MULTIPLE ROOT CAs PLUS INTERMEDIATE CAs MODEL
X
S
T
Q
R
A
C
E
G
I
K
M
O
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
11
MULTIPLE ROOT CAs PLUS INTERMEDIATE CAs MODEL
X
S
T
Q
R
A
C
E
G
I
K
M
O
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
12
MULTIPLE ROOT CAs PLUS INTERMEDIATE CAs MODEL
X
S
T
Q
R
A
C
E
G
I
K
M
O
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
13
MULTIPLE ROOT CAs PLUS INTERMEDIATE CAs MODEL
  • Essentially the model on the web today
  • Deployed in server-side SSL mode
  • Client-side SSL mode yet to happen

14
SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA
Handshake Protocol
Record Protocol
15
SERVER-SIDE MASQUARADING
Bob Web browser
www.host.com Web server
Server-side SSL
Ultratrust Security Services
www.host.com
16
SERVER-SIDE MASQUARADING
Bob Web browser
www.host.com Web server
Ultratrust Security Services
Server-side SSL
Server-side SSL
Mallorys Web server
www.host.com
BIMM Corporation
www.host.com
17
SERVER-SIDE MASQUARADING
Bob Web browser
www.host.com Web server
Ultratrust Security Services
Server-side SSL
Server-side SSL
BIMM Corporation
Mallorys Web server
www.host.com
Ultratrust Security Services
www.host.com
18
CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA
Handshake Protocol
Record Protocol
19
MAN IN THE MIDDLEMASQUARADING PREVENTED
Client Side SSL end-to-end
Ultratrust Security Services
Bob Web browser
www.host.com Web server
Bob
Ultratrust Security Services
Client-side SSL
Client-side SSL
BIMM Corporation
BIMM Corporation
www.host.com
Mallorys Web server
Ultratrust Security Services
Ultratrust Security Services
www.host.com
Bob
20
ATTRIBUTE-BASED CLIENT SIDE MASQUARADING
Joe_at_anywhere Web browser
BIMM.com Web server
Client-side SSL
Ultratrust Security Services
Ultratrust Security Services
Joe_at_anywhere
BIMM.com
21
ATTRIBUTE-BASED CLIENT SIDE MASQUARADING
Alice_at_SRPC Web browser
BIMM.com Web server
Client-side SSL
SRPC
Ultratrust Security Services
Alice_at_SRPC
BIMM.com
22
ATTRIBUTE-BASED CLIENT SIDE MASQUARADING
Bob_at_PPC Web browser
BIMM.com Web server
Client-side SSL
PPC
Ultratrust Security Services
Bob_at_PPC
BIMM.com
23
ATTRIBUTE-BASED CLIENT SIDE MASQUARADING
Alice_at_SRPC Web browser
BIMM.com Web server
Client-side SSL
SRPC
Ultratrust Security Services
BIMM.com
PPC
Bob_at_PPC
24
PKI AND TRUST
  • Got to be very careful
  • Not a game for amateurs
  • Not many professionals as yet

25
REFERENCES
  • "An overview of PKI trust models" by Perlman, R.
    IEEE Network, Volume 13 Issue 6 , Nov.-Dec.
    1999 Page(s) 38-43
  • "The problem with multiple roots in Web
    browsers-certificate masquerading" by Hayes, J.M.
    Proceedings Seventh IEEE International Workshops
    on Enabling Technologies Infrastructure for
    Collaborative Enterprises, IEEE 1998. (WET ICE
    '98) 17-19 June 1998 Page(s) 306 -311.
  • "Restricting access with certificate attributes
    in multiple root environments - a recipe for
    certificate masquerading" by Hayes, J.M. Proc.
    15th Annual Computer Security Applications
    Conference, IEEE, 2001, Page(s) 386-390.
Write a Comment
User Comments (0)
About PowerShow.com