1

WEB SECURITY(SECURE SOCKET LAYER)

MONODIP SINGHA ROY M.TECH Dr. B.C.ROY ENGINEERING COLLEGE

2

ContentsWEB SECURITYWEB SECURITY TERMINOLOGYSSL ( SECURE SOCKET LAYER )SSL ARCHITECTURETLS ( TRANSPORT LAYER

SECURITY )PROS AND CONS OF SSL/TLSSUMMARY

3

WEB SECURITYAlmost everything in today’s

world relies on computer and internet. ◦Communications (emails, phones)◦Transportation (car engine system,

airplane navigation system)◦Medicine ( medical records,

equipments)◦Shopping (online store, online

payments)◦Entertainment (digital cables)

4

What is WEB SECURITY ??

Web security , also known as “cyber security “ involves protecting the information by protecting , preventing and responding to the attacks.

5

WEB SECURITY: TERMNOLOGYHACKERS: People who strive to

exploit weaknesses in software and computer for their own gain.

VIRUSES: Infects your computer before actually u can do something.

WORMS: Propagates without users intervention.

TROJAN: A software that claims to do something while in fact doing something in background.

6

WEB SECURITY: TERNINOLOGY

RANSOMWARE:◦A form of Trojan that has been since

1989, as known as ‘PC CYBORG’ Trojan.

◦It affects the user computer by encrypting the user’s personal files.

◦The victim then contacted and offered the decrypt key in exchange of cash.

7

WEB SECURITY: TERMINOLOGYKEYLOGGERS:

◦It is an software that monitor users activity such as key typed in keyboard.

◦KeyLoggers can Record keystrokes on keyboards. Record mouse movement and clicks. Record menus that are invoked. Takes screenshot of the desktop at pre

defined intervals.

8

Web SecurityWeb now widely used by

business, government, individualsbut Internet & Web are

vulnerablehave a variety of threats

◦integrity◦confidentiality◦denial of service◦authentication

need added security mechanisms.

9

What is SSL?SSL – Secure Socket Layer it provides a �

secure transport connection between applications (e.g., a web server and a browser)

SSL was developed by Netscapeuses TCP to provide a reliable end-to-end

serviceSSL has two layers of protocols SSL v3.0 was

specified in an Internet Draft (1996) it �evolved into RFC 246 and was renamed to TLS (Transport Layer Security)

TLS can be viewed as SSL v3.1

10

SSL Architecture

11

SSL Components

SSL HANDSHAKE PROTOCOL

SSL RECORD PROTOCOL

SSL ALERT PROTOCOL

SSL CHANGE CIPHER SPEC PROTOCOL

• Negotiation of security algorithms and parameters.• Key exchange.• Server authentication and optionally client authentication.

• Fragmentation.• Compression.• Encryption.• Message authentication and integrity protection.

• Error message ( fatal alerts and warning )

• A single message that indicates the end of SSL handshake.

12

Sessions and ConnectionsAn SSL session is a connection between

client and server. Sessions are stateful ; the session state

includes security algorithm and parameters. A session may include multiple secure

connection between same server and client. Connections of the same session share the

session state. Sessions are used to avoid expensive

negotiation of new security parameters for each state.

13

Session States… Session state

◦Session identifier – arbitrary byte sequence chosen by the server to identify the session.

◦Peer certificate – may be null.◦Compression method.◦Cipher Spec – bulk data encryption

algorithm and MAC algorithm ( eg. DES, MD5 ).

◦Master key – a 48 byte secret key is used in between client and server.

◦Resumable – a flag indicating whether the session can be used to initiate new connections.

14

Connection States…Connection State

◦Server and client random – random byte sequence is chosen by the client and server for new connection.

◦Server write MAC secret – secret key is used in MAC operations on data sent by the server.

◦Client write MAC secret – secret key is used in MAC operations on data sent by the client.

◦Server write key – secret encryption key for data, encrypted by the server.

◦Client write key – secret encryption key for data, encrypted by the client.

15

How States changes??Operating state: current using

statePending state: state to be usedOperating state < Pending state:

at the transmission and reception of change cipher spec messageThe

sending part of the pending state is copied into the sending part of

operating state

The receiving

part of the pending state is

copied into the

receiving part of

operating stateParty

AParty

B

Change Cipher Spec

16

SSL session◦an association between client &

server◦created by the Handshake Protocol◦define a set of cryptographic

parameters◦may be shared by multiple SSL

connections

SSL connection◦a transient, peer-to-peer,

communications link◦associated with 1 SSL session

17

SSL Handshake ProtocolHandshake protocol is used to

exchange all the information required by both sides for the exchange of actual application data by the TRANSPORT LAYER SECURITY

18

SSL Record Protocolconfidentiality

◦using symmetric encryption with a shared secret key defined by Handshake Protocol

◦IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128

◦message is compressed before encryption

message integrity◦using a MAC with shared secret key◦similar to HMAC but with different

padding

19

SSL Change Cipher Spec Protocol

one of 3 SSL specific protocols which use the SSL Record protocol

a single messagecauses pending state to become

currenthence updating the cipher suite

in use.

20

SSL Alert Protocolconveys SSL-related alerts to peer

entityseverity

warning or fatalspecific alert

unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter

close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown

compressed & encrypted like all SSL data

21

What is TSL??Internet Engineering Task Force

standard RFC 2246 similar to SSLv3 with minor differences:◦In record format version number◦Uses HMAC for MAC◦Has optional alert code◦Some changes in supported ciphers◦Change in use of certificate

negotiation ◦Change in use of padding

22

Changes from SSLv3 to TLS…Fortezza removedAdditional alerts addedModification of hash calculationProtocol version 3.1 in client

hello, server hello

23

TLS : PrivacyEncrypt message so it cannot be

readUse conventional cryptography

with shared key◦DES , 3DES◦RC2, RC4◦IDEA

A (Message) $@#&!@ B(Message)

24

TLS: Key Exchange

Need secure method to exchange key

Use public key encryption for this

Choices are RSA & Diffie-Hellman

25

TLS: Integrity

Compute fixed length message authentication code (MAC)◦Includes hash of message◦Includes a shared secret key◦Includes sequence number◦Transmit MAC with message

26

TLS : AuthenticationVerify identities of participantsClient authentication is optionalCertificate is used to associate

identity with public key and other attributes

A B

CERTIFICATES

27

TLS: HTTP ApplicationHTTP is most common TLS

application https://Requires TLS-capable web serverRequires TLS-capable web

browser◦Netscape navigator◦Internet explorer◦Cryptozilla

28

Implementation of SSL/TLSSSL & TLS have widely been

implemented◦Open source software projects

( openSSL, NSS & GnuTLS)◦Microsoft windows : part of its secure

channel◦Browsers

Apple safari Internet explorer Mozilla firefox

29

Pros & Cons of SSL/TLSPros :

◦Customer will trust your website: many visitors are now savvy enough to recognize when a webpage is encrypted and protected by SSL.

◦Avoid dispute due to credit/debit card frauds: visitors uses their credit/debit cards information's on unprotected servers and faces identity theft.

30

Cons ….Cons :

◦Regular renewal : just like website domain and hosting plan, SSL certificates also expires after short period of time ; usually one to five years.

◦Complex installation : SSL is very difficult to install on websites for those who are unaware of website development.

31

Application of SSL/TLSOn top of the Transport layer

protocols◦Primarily with TCP◦Datagram transport layer security

(DTLS) for UDPEncapsulating the applications

protocols◦HTTP◦Securing WWW traffic◦FTP, SMTP, etc

32

SUMMARYSSL/TLS address the need for

security in internet communications◦Privacy – conventional encryption◦Integrity – message authentication

codes◦Authentication – X.509

SSL in use today with web browsers and servers.

33

Thank You