tls/ssl - wiki.apnictraining.nettls/ssl 1 25-29 june 2018 pacnog 22, honiara, solomon islands...
TRANSCRIPT
![Page 1: TLS/SSL - wiki.apnictraining.netTLS/SSL 1 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: History • Secure Sockets Layer was developed by Netscape in 1994 as a](https://reader034.vdocument.in/reader034/viewer/2022051923/601140e911ca271c4e031758/html5/thumbnails/1.jpg)
6/19/18
1
Issue Date:
Revision:
TLS/SSL
1
25-29 June 2018PacNOG 22, Honiara, Solomon IslandsSupported by:
History
• Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent and secure transactions.
• In 1997 an Open Source version of Netscape’s patented version was created, which is now OpenSSL.
• In 1999 the existing protocol was extended by a version now known as Transport Layer Security (TLS).
• By convention, the term "SSL" is used even when technically the TLS protocol is being used.
2This document is uncontrolled when printed. Before use, check the APNIC electronic master document to verify that this is the current version.
![Page 2: TLS/SSL - wiki.apnictraining.netTLS/SSL 1 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: History • Secure Sockets Layer was developed by Netscape in 1994 as a](https://reader034.vdocument.in/reader034/viewer/2022051923/601140e911ca271c4e031758/html5/thumbnails/2.jpg)
6/19/18
2
Location of SSL Protocol & TCP Ports
3
TLS/SSL: What it does
• Confidentiality– Encryption
• Integrity– Keyed hash (HMAC): TLS (authentication!)– Hash (MAC): SSL
• Authentication– Certificates
4
![Page 3: TLS/SSL - wiki.apnictraining.netTLS/SSL 1 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: History • Secure Sockets Layer was developed by Netscape in 1994 as a](https://reader034.vdocument.in/reader034/viewer/2022051923/601140e911ca271c4e031758/html5/thumbnails/3.jpg)
6/19/18
3
SSL/TLS Operations
• Client connects to the server– To access a resource
• Public Key cryptography is used during handshake to authenticate parties and exchange session key.– PKI (X.509 Certificates)
• Symmetric Key cryptography to encrypt and hash data.– M aster secret (shared secret) generated
– Separate Encryption and H ashing keys from the m aster secret
5
How SSL/TLS Works – Part 1
6
![Page 4: TLS/SSL - wiki.apnictraining.netTLS/SSL 1 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: History • Secure Sockets Layer was developed by Netscape in 1994 as a](https://reader034.vdocument.in/reader034/viewer/2022051923/601140e911ca271c4e031758/html5/thumbnails/4.jpg)
6/19/18
4
PKI – public key infra
• Digital (X.509) certificates– associa tes a public key w ith an ind iv idual or organization– public key of the subject!
7
PKI – Chain of Trust
• Root CA– Self-s igned– Issue and sign IC A’s
certifica te
• Intermediate CA– Issue and sign EE
certifica te
• End Entity
8This document is uncontrolled when printed. Before use, check the APNIC electronic master document to verify that this is the current version.
![Page 5: TLS/SSL - wiki.apnictraining.netTLS/SSL 1 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: History • Secure Sockets Layer was developed by Netscape in 1994 as a](https://reader034.vdocument.in/reader034/viewer/2022051923/601140e911ca271c4e031758/html5/thumbnails/5.jpg)
6/19/18
5
PKI - Example
• Client (browser) sends https request to google.com– brow sers have trusted C A certificates stored
• Web server sends back google.com’scertificate– S igned by G oogle IC A , p lus
– G oogle IC A’s certificate s igned by root C A(G eoTrust)
• Verify the certificates up the chain of trust– O nce successfu lly verified, use the public
key
9This document is uncontrolled when printed. Before use, check the APNIC electronic master document to verify that this is the current version.
How SSL/TLS Works – Part 2
10
![Page 6: TLS/SSL - wiki.apnictraining.netTLS/SSL 1 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: History • Secure Sockets Layer was developed by Netscape in 1994 as a](https://reader034.vdocument.in/reader034/viewer/2022051923/601140e911ca271c4e031758/html5/thumbnails/6.jpg)
6/19/18
6
Symmetric Encryption
• Once the server’s public key is verified up the chain of trust– The client generates a pre-m aster secret
• C-random & S-random– Sends to the server encrypted w ith server ’s public key
• Both client and server generates the Master Secret– U ses the pre-m aster secret, C -random , and S -random w ith the
agreed key exchange cipher (eg: D H )
• Separate Encryption and Hashing keys generated from the Master secret– A ll fu ture com m unication hashed and encrypted using the sym m etric
keys
11
SSL Protocol Building Blocks
SSL is a Combination of a Primary Record Protocolwith Four ‘Client’ Protocols
SSLChange Cipher
Spec Protocol
SSL Alert
Protocol
SSLHandshake
Protocol
ApplicationData
Protocol
SSL Record Protocol
12
![Page 7: TLS/SSL - wiki.apnictraining.netTLS/SSL 1 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: History • Secure Sockets Layer was developed by Netscape in 1994 as a](https://reader034.vdocument.in/reader034/viewer/2022051923/601140e911ca271c4e031758/html5/thumbnails/7.jpg)
6/19/18
7
SSL Protocol Building Block Functions
SSLAlert
Protocol
Ind icates error or the end of a session
SSLChange Cipher
Spec Protocol
Used to Signal Transition to New Cipherand Keys Generally Towards the End of a
Handshake Negotiation
SSLRecord
Protocol
Ind icates which encryption andintegrity protection is applied
to the data
SSL Handshake
Protocol
Negotiates crypto algorithm s and keys
13
Trusted vs Non Trusted Certificate
14
![Page 8: TLS/SSL - wiki.apnictraining.netTLS/SSL 1 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: History • Secure Sockets Layer was developed by Netscape in 1994 as a](https://reader034.vdocument.in/reader034/viewer/2022051923/601140e911ca271c4e031758/html5/thumbnails/8.jpg)
6/19/18
8
Certificate Authority
15
Chinese CA WoSign faces revocation after issuing fake certificates of Github, Microsoft and Alibaba
https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion
16
![Page 9: TLS/SSL - wiki.apnictraining.netTLS/SSL 1 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: History • Secure Sockets Layer was developed by Netscape in 1994 as a](https://reader034.vdocument.in/reader034/viewer/2022051923/601140e911ca271c4e031758/html5/thumbnails/9.jpg)
6/19/18
9
Introducing Let’sEncrypt
https://letsencrypt.org/
17
Introducing Let’sEncrypt
18
• Which browsers and operating systems support Let’s Encrypt– https://com m unity.le tsencrypt.org/t/w hich-brow sers-and-operating-
system s-support-le ts-encrypt/4394
• Check your browser– https://w ik i.apnictra in ing.net
![Page 10: TLS/SSL - wiki.apnictraining.netTLS/SSL 1 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: History • Secure Sockets Layer was developed by Netscape in 1994 as a](https://reader034.vdocument.in/reader034/viewer/2022051923/601140e911ca271c4e031758/html5/thumbnails/10.jpg)
6/19/18
10
When were different SSL versions created?• SSL 3.0 in 1996
• TLS 1.0 in 1990
• TLS 1.1 in 2006
• TLS 1.2 in 2008
19This document is uncontrolled when printed. Before use, check the APNIC electronic master document to verify that this is the current version.
SSLLabs – Handson
• Do People Configure TLS/SSL (HTTPS) Correctly?
• 1. Go to https://www.ssllabs.com/ssltest/
• 2. Insert URL
• 3. What grade did you get and why?
• 4. How do we fix it?
20
![Page 11: TLS/SSL - wiki.apnictraining.netTLS/SSL 1 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: History • Secure Sockets Layer was developed by Netscape in 1994 as a](https://reader034.vdocument.in/reader034/viewer/2022051923/601140e911ca271c4e031758/html5/thumbnails/11.jpg)
6/19/18
11
Recommended References
• 1. Better Crypto– https://w w w.bettercrypto.org
• 2. Bulletproof SSL & TLS– https://w w w.fe istyduck.com /books/bu lle tproof-ssl-and-tls/
21
LAB
22