Upload File

ssl/tls

12
SSL/TLS

Upload: sirish-kumar

Post on 19-Jun-2015

156 views

Category:

Technology


0 download

Report

Tags:

TRANSCRIPT

Page 1: SSL/TLS

SSL/TLS

Page 2: SSL/TLS

Agenda

• History• Lifecycle of a web request• HTTP Request Handshake• Encryption• What is SSL/TLS• Certificate Authorities• TLS Resumption• How it works• Vulnerabilities

Page 3: SSL/TLS

History

• The SSL protocol was originally developed at Netscape.• To enable ecommerce transaction security on the web, which

required • Encryption to protect customer's personal data • Authentication • Integrity guarantees to ensure a safe transaction.

• Evolved from SSL 1.0,2.0,3.0 in to TLS• When SSL protocol is standardized by IETF, it was renamed to

Transport Layer Security(TLS). TLS 1.0 is an upgrade to SSL 3.0

Page 4: SSL/TLS
Page 5: SSL/TLS

HTTP Request Handshake• SYN - (Synchronize) Initiates a connection• FIN - (Final) Cleanly terminates a connection• ACK – Acknowledges received data

Problems : • Clear text• Unsecured

• No encryption• No certificates required

Page 6: SSL/TLS
Page 7: SSL/TLS

Message Authentication Code

Page 8: SSL/TLS

What is SSL

• Intermediate layer between transport and security• It provides following services• Encryption• Authentication• Integrity

Page 9: SSL/TLS

Certificate Authorities

• A certificate authority (CA) is a trusted third party that is trusted by both the subject(owner) of the certificate and the party relying upon the certificate.

• The browser specifies which CAs to trust (root CAs), and the burden is then on the CAs toverify each site they sign, and to audit and verify that these certificates are not misusedor compromised. If the security of any site with the CA’s certificate is breached, then itis also the responsibility of that CA to revoke the compromised certificate.

Page 10: SSL/TLS

How it works

Before the client and the server can begin exchanging application data over TLS, the encrypted tunnel must be negotiated, the client and server must agree on

• The version of the TLS protocol• Choose Cipher suite• Verify certificate if necessary

Page 11: SSL/TLS

TLS Session Resumption• TLS provides an ability to resume or

share the same negotiated secret key data between multiple connections.

• This is achieved by using session identifier created in earlier TLS handshake.

• Client sends the session identifier to server in ClientHello message. If server recognizes the client session Id, previous cipher suite and MAC can be reused.

• Stateless Resumption : Session tickets can be generated by the server with all session information and can be sent to client during TLS handshake.

Page 12: SSL/TLS

Vulnerabilities

• Man in the middle attack(MITM)• DNS Hijacking• CA Private Key is compromised


The OpenSSL 1.1 Audit · 2017. 9. 6. · GCM AUTH ECDSA RSA . Real-world Apache/Nginx TLS PROTOCOL SSL v1 SSL v2 SSL v3 TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish

SSL & TLS Essentials -

SSL/TLS and MITM attacks - Uppsala University · 2009. 12. 14. · SSL/TLS – Background SSL/TLS – Secure Socket Layer/Transport Layer Security (rfc 2246) Originally developed

TLS SSL DUsec mehaoua - helios.mi.parisdescartes.frhelios.mi.parisdescartes.fr/~mea/cours/DU/TLS_SSL_DUsec.pdf · TLS SSL Transport Layer Security Protocols • Connectionless and

SSL and TLS Essentials

Buyer’s Guide SSL/TLS Buyer’s Guide - 101domain · 2. YOUR SSL/TLS PROVIDER MATTERS. The certificate authority that issues your SSL/ TLS certificate is just as important as the

SSL/TLS Communication in OpenEdge

Certificados Digitales SSL y TLS

Unit 9 ssl and tls

Transport Level Securityict.siit.tu.ac.th/...Transport-Level-Security.pdf · Transport Security Web Security TLS/SSL HTTPS SSH SSL and TLS I Secure Sockets Layer (SSL) originated

Network Security: TLS/SSL

“El Cifrado Web (SSL TLS)”

SSL/TLS (ch 19)

SSL/TLS CONT. Lecture 11a

SSL/TLS FOR MORTALS - RainFocus · SSL/TLS FOR MORTALS ... at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ... Using SSL/TLS correctly is oen hard to achie ve

SSL TLS Primer-TIBCOmmunity

DB2 for z/OS: Configuring TLS/SSL for Secure Client/Server ... · SSL and TLS protocols (SSL V2, SSL V3, TLS V1.0, TLS V1.1, and TLS V1.2 as of this writing) including a robust set

TLS/SSL Protocol Design

Web security: SSL and TLS. 2 What are SSL and TLS? SSL – Secure Socket Layer TLS – Transport Layer Security both provide a secure transport connection

Cenni su SSL/TLS Heartbleed

SSl/TLS Analysis

SSL/TLS Communication - Progress.com

TLS/SSL Internet Security Talk

AN3967 Application note - STMicroelectronics · Note: The “SSL/TLS” protocols is referred to as “SSL” throughout this document. 3.3 SSL / TLS sub-protocols The SSL protocol

Real-world cryptography – SSL/TLS

Understanding SSL TLS

Best Practices and Applications of TLS/SSLhosteddocs.ittoolbox.com/symantecvsbestpracticesand... · 2013-11-13 · Best Practices and Applications of TLS/SSL 4 TLS vs. SSL TLS is

TLS and SSL v3 vulnerabilities

CONIKS (KEY TRANSPARENCY)cs261/fa18/slides/keytransp.pdf · SSL/TLS HTTP + SSL/TLS Certificate Authority SSL/TLS Certificate: (foo.com, PK f) Attack: Hackers ... PGP Key Servers Email

All About SSL/TLS

F5 TLS & SSL Practices

SSL & TLS Architecture short

T-110 4206 Lecture Slides for Ssl Tls.4200 Tls-ssl (5)

Ssl and tls

SSL / TLS Case Study