Page 1: Secure Socket Layer
Page 2: Secure Socket Layer

Department of Computer Science G.C. University Lahore

SSL/Secure Sockets Layer

Page 3: Secure Socket Layer

Presented To:

Network Security

Mrs. Asma

Page 4: Secure Socket Layer

Group Members

Atif Naveed BSCS-04-B-020

Kinnan Nawaz BSCS-05-B-011

Qaiser Abbas BSCS-06-B-086

Page 5: Secure Socket Layer

Contents

• “Overview” of Secure Socket Layer (SSL)
• Introduction to “SSL” Secure Socket Layer
• How SSL “Works”?
• “Benefits and Limitations” of SSL
• “Advanced Concepts” of SSL
• Related Protocols
• Introduction to TLS Transport Layer Security
• “Importance” of TLS
• “Benefits” of TLS
• Summary

Page 6: Secure Socket Layer

Overview of Secure Socket Layer (SSL)

Page 7: Secure Socket Layer

What is a secure connection?

• A secure connection is an encrypted exchange of information.
• Information cannot be tampered with while being sent, but it's possible to crack the encryption.
• A golden lock icon appears in the status bar (in IE).
• The certificate used to encrypt the connection also contains information about the identity of the website owner or organization.

Page 8: Secure Socket Layer

Validation SSL & Security Status Bar

Page 9: Secure Socket Layer

Extended Validation (EV) SSL Certificates

Page 10: Secure Socket Layer

Why different colors in the Status bar?

• Red: Certificate is out of date, invalid, or has an error; phishing.
• Yellow: Certification authority that issued it cannot be verified.
• White: The certificate has normal validation, no personal information.
• Green: The certificate uses extended validation.

Page 14: Secure Socket Layer

What about other browsers?

Opera

Safari

Page 15: Secure Socket Layer

What about other browsers?

Firefox

Page 16: Secure Socket Layer

Introduction to SSL Secure Socket Layer

Page 17: Secure Socket Layer

Introduction to SSL Secure Socket Layer

SSL is the most widely known protocol.

SSL offers privacy and good reliability for client-server communication.

SSL negotiates the cryptographic algorithms and keys between the two sides of a communication.

SSL establishes an encrypted tunnel through which other protocols (like HTTP) can be transported.

SSL can also, optionally, authenticate both sides of the communication through the use of certificates.

Page 18: Secure Socket Layer

Sub-Protocols of SSL

Page 19: Secure Socket Layer

How SSL Works

Page 20: Secure Socket Layer

How SSL works

Page 21: Secure Socket Layer

SSL Handshake

(1) Client Hello: cryptographic information

(2) Server Hello: cipher suite, server certificate, client certificate request (optional)

(3) Client: verify server certificate; check cryptographic parameters

(4) Client Key Exchange: send secret key information (encrypted with server public key)

(5) Send client certificate

(6) Server: verify client certificate (if required)

(7) Client Finished

(8) Server Finished (encrypted with shared secret key)

(9) Exchange messages
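The "cryptographic information" carried in the Client Hello of step (1) can be read straight off the wire. The parser below is an added example, not part of the original slides; the sample record is constructed, and the cipher-suite table is a small subset of the IANA registry chosen for this sample.

```python
import struct

# Small subset of IANA cipher-suite IDs, enough for the constructed sample below.
SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
WEAK_MARKERS = ("EXPORT", "RC4", "MD5")


def build_sample_client_hello():
    """Constructed ClientHello (not captured traffic): TLS 1.0, four suites."""
    suites = struct.pack("!4H", 0x0035, 0x002F, 0x000A, 0x0003)
    body = (bytes([3, 1]) + bytes(32)            # client_version, random
            + b"\x00"                            # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                       # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes([3, 1]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (offered version, [cipher suite names]) from one handshake record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    if rec_len != len(record) - 5 or hs_len != rec_len - 4 or hs_len < 35:
        raise ValueError("length fields do not match the data")
    body = record[9:]
    version = VERSIONS.get((body[0], body[1]), "unknown")
    pos = 2 + 32                                  # skip version and random
    pos += 1 + body[pos]                          # skip session_id
    n = int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites length in bytes
    pos += 2
    if n == 0 or n % 2 or pos + n > len(body):
        raise ValueError("bad cipher_suites length")
    ids = struct.unpack("!%dH" % (n // 2), body[pos:pos + n])
    return version, [SUITES.get(i, "0x%04X" % i) for i in ids]


def weak_suites(names):
    """Offered suites a server should refuse rather than negotiate."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


if __name__ == "__main__":
    version, offered = parse_client_hello(build_sample_client_hello())
    print(version, offered, weak_suites(offered))
```

The server's choice in step (2) is limited to this list, which is why a server-side allow-list of suites matters more than the order the client sends them in.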

Page 22: Secure Socket Layer

Web browsers & Operating Systems

SSL is supported in Microsoft Internet Explorer, Firefox, Opera, Netscape Navigator and on most operating systems and Web servers:

• Microsoft Windows operating system
• UNIX
• Novell
• Apache (version 1.3 and later)
• Netscape Enterprise Server
• Sun Solaris

It is often integrated in news readers

Variety of other applications

Page 23: Secure Socket Layer

Benefits of TLS/SSL

• Strong authentication
• Message privacy and integrity
• TLS/SSL can help to secure transmitted data using encryption.
• TLS/SSL also authenticates servers.
• It optionally authenticates clients to prove the identities of the parties engaged.
• It also provides data integrity through an integrity check value.

Page 24: Secure Socket Layer

Benefits of TLS/SSL

In addition to protecting against data disclosure, the TLS/SSL security protocol protects against:

• Masquerade attacks
• Man-in-the-middle or bucket brigade attacks
• Rollback attacks
• Replay attacks

• Interoperability
• Algorithm flexibility
• Ease of deployment
• Ease of use

Page 25: Secure Socket Layer

Benefits of TLS/SSL

TLS/SSL provides options for:

• Authentication mechanisms
• Encryption algorithms
• Hashing algorithms that are used during the secure session

Page 26: Secure Socket Layer

Limitations of TLS/SSL

Increased Processor Load

• This is the most significant limitation to implementing TLS/SSL.

• Cryptography, specifically public key operations, is CPU-intensive. As a result, performance varies when you are using SSL. Unfortunately, there is no way to know how much performance you will lose.

• The performance varies, depending on how often connections are established and how long they last.

• TLS uses the greatest resources while it is setting up connections.

Administrative Overhead

• A TLS/SSL environment is complex and requires maintenance; the system administrator must configure the system and manage certificates.

Page 27: Secure Socket Layer

Advanced Concepts of SSL

Page 28: Secure Socket Layer

Common TLS/SSL Scenarios

Many people think of TLS and SSL as protocols that are used with Web browsers to browse the Internet more securely.

However, they are also general purpose protocols that can be used whenever authentication and data protection are necessary.

For example, you can use TLS/SSL for:

• SSL-secured transactions with an e-commerce Web site
• Authenticated client access to an SSL-secured Web site
• Remote access
• SQL access
• E-mail

Page 29: Secure Socket Layer

Common TLS/SSL Scenarios

SSL-secured transactions with an e-commerce Web site

• This situation is a typical use of SSL between a browser and a Web server.
• An example is an e-commerce shopping site where clients need to provide their credit card numbers.
• The protocol first confirms that the certificate of the Web site is valid, and then sends the client’s credit card information as cipher text.
• For this type of transaction, where the server’s certificate comes from a trusted source, authentication only occurs for the server.
• TLS/SSL must be enabled for the Web page, such as an order form, where the data transactions occur.

Page 30: Secure Socket Layer

Common TLS/SSL Scenarios

Authenticated client access to an SSL-secured Web site

• Both the client and server need certificates from a mutually-trusted certification authority (CA).
• With Schannel, client certificates can be mapped on a one-to-one or many-to-one basis to their Windows Server 2003 user or computer accounts, and they can be managed by Active Directory Users and Computers.
• Users can then be authenticated to a Web site without needing to supply a password.
• Many-to-one mapping has several uses. For example, if you want to give several users access to confidential material, you can create a group, map the users’ certificates to the group, and give the group the necessary permissions to the material.
• In one-to-one mapping, the server has a copy of the client’s certificate; whenever the client logs in, the server verifies that they are identical. This one-to-one mapping is typically used for private material, such as a banking Web site where only one individual has the right to view a personal account.

Page 31: Secure Socket Layer

Common TLS/SSL Scenarios

Remote access

• In this situation, telecommuting is a common use for Schannel. You can use this technology to provide authentication and data protection when users remotely log in to Windows-based systems or networks.
• Users can more securely access their e-mail or enterprise applications from home or while traveling, reducing the risk of exposure of the information to anyone on the Internet.

SQL access

• With Microsoft SQL Server, you can require authentication of the client when connecting to the server running SQL Server.
• Either the client or server can be configured to require encryption of the data that is transferred between them. Very sensitive information, such as financial or medical databases, can be protected to prevent unauthorized access and disclosure of information about the network.

Page 32: Secure Socket Layer

Common TLS/SSL Scenarios

E-mail

• When using Exchange servers, you can use Schannel to help protect data as it moves from server to server on the intranet or Internet.
• Full end-to-end security might require the use of Secure/Multipurpose Internet Mail Extensions (S/MIME); however, helping to protect data in a server-to-server exchange allows companies to use the Internet to securely transfer e-mail among divisions within the same company, subsidiaries, and partners. This can be done regardless of whether S/MIME is used.

Page 33: Secure Socket Layer

Technologies Related to Schannel

• In the Windows Server 2003 operating system, the Schannel Security Support Provider (SSP) authentication protocol suite contains TLS. The following diagram shows where Schannel fits among these and other technologies in Windows Server 2003. Client applications or server applications use Secur32.dll by way of SSPI calls to communicate with the Local Security Authority Subsystem (LSASS).

Page 34: Secure Socket Layer

Technologies Related to Schannel

Page 35: Secure Socket Layer

Security Subsystem Components used in TLS/SSL Authentication

Component: Description

• Schannel.dll: The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) authentication protocol. This protocol provides authentication over an encrypted channel instead of a less-secure clear channel.
• Lsasrv.dll: The LSA Server service, which both enforces security policies and acts as the security package manager for the LSA.
• Netlogon.dll: TLS-relevant services that the Net Logon service performs: Net Logon passes the user’s certificate information through an SSL-secured channel to the domain controller to map the user certificate to a user account.
• Secur32.dll: The multiple authentication provider that implements SSPI.
• Ntdsa.dll: The directory service module, which supports the Windows Server 2003 and Windows 2000 replication protocol and LDAP, and manages partitions of data.

Page 36: Secure Socket Layer

Related Protocols

Page 37: Secure Socket Layer

SSL, PCT, TLS and WTLS

SSL v2.0 (1994)

PCT v1.0 (1995)

SSL v3.0 (1996)

TLS v1.0/ SSL v3.1 (1999)

WTLS

Page 38: Secure Socket Layer

SSL v2.0

Released by Netscape Communications in 1994.

The main goal of this protocol was to provide security for transactions over the World Wide Web.

Unfortunately, very quickly a number of security weaknesses were found in this initial version of the SSL protocol, thus making it less reliable for commercial use:

• weak MAC construction
• possibility of forcing parties to use weaker encryption
• no protection for handshakes
• possibility of an attacker performing truncation attacks

Page 39: Secure Socket Layer

PCT v1.0

Developed in 1995 by Microsoft. Privacy Communication Technology (PCT) v1.0 addressed some weaknesses of SSL v2.0 and was intended to replace SSL.

However, this protocol has never gained as much popularity as SSL v3.0.

Page 40: Secure Socket Layer

SSL v3.0

Released in 1996 by Netscape Communications. SSL v3.0 solved most of the SSL v2.0 problems and incorporated many of the features of PCT.

It quickly became the most popular protocol for securing communication over the WWW.

Page 41: Secure Socket Layer

TLS v1.0

Published by IETF in 1999.

This protocol is based on SSL v3.0 and PCT and harmonizes both Netscape's and Microsoft's approaches.

It is important to note that although TLS is based on SSL, it is not 100% backward compatible with its predecessor.

The IETF made some security improvements, such as using HMAC instead of MAC, using a different calculation of the master secret and key material, adding additional alert codes, dropping support for Fortezza cipher suites, and so on.

The end result of these improvements is that these protocols don't fully interoperate. Fortunately, TLS also has a mode to fall back to SSL v3.0.
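The HMAC mentioned above is the "integrity check value" of the record layer, and it is also what defeats tampering and replay. The sketch below is an added example, not part of the original slides: it computes the TLS 1.0 record MAC as defined in RFC 2246 section 6.2.3.1 with HMAC-SHA1, leaves encryption out, and uses a constructed secret and constructed record contents.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23          # TLS record content type
TLS_1_0 = (3, 1)               # protocol version bytes on the wire


def record_mac(mac_secret, seq_num, content_type, fragment, version=TLS_1_0):
    """HMAC-SHA1 over seq_num || type || version || length || fragment."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, hashlib.sha1).digest()


class Receiver:
    """Receiving side of the record layer: checks each MAC with an implicit counter."""

    def __init__(self, mac_secret):
        self.mac_secret = mac_secret
        self.seq_num = 0       # never sent on the wire; both sides count records

    def accept(self, content_type, fragment, mac):
        expected = record_mac(self.mac_secret, self.seq_num, content_type, fragment)
        if not hmac.compare_digest(expected, mac):
            return False       # a real TLS peer sends a fatal bad_record_mac alert
        self.seq_num += 1
        return True


def demo():
    """Run four records through a receiver; a real peer would stop at the first failure."""
    secret = b"constructed-mac-write-secret"   # sample value, not a real key
    r0 = (APPLICATION_DATA, b"PAY 10 TO ALICE")
    r1 = (APPLICATION_DATA, b"PAY 99 TO BOB")
    mac0 = record_mac(secret, 0, *r0)
    mac1 = record_mac(secret, 1, *r1)
    rx = Receiver(secret)
    return {
        "in_order_0": rx.accept(*r0, mac0),
        "tampered": rx.accept(APPLICATION_DATA, b"PAY 99 TO EVE", mac1),
        "replayed_0": rx.accept(*r0, mac0),    # old record, counter is now 1
        "in_order_1": rx.accept(*r1, mac1),
    }


if __name__ == "__main__":
    print(demo())
```

Because the sequence number is covered by the MAC but never transmitted, a record that is replayed or reordered fails verification even though its bytes are unchanged.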

Page 42: Secure Socket Layer

WTLS

"Mobile and wireless" version of the TLS protocol that uses the UDP protocol as a carrier.

It is designed and optimized for the lower bandwidth and smaller processing capabilities of WAP-enabled mobile devices.

WTLS was introduced with the WAP 1.1 protocol, and was released by the WAP Forum.

However, after the introduction of the WAP 2.0 protocol, WTLS has been replaced by a profiled version of the TLS protocol, which is much more secure, mainly because there is no need for decryption and re-encryption of the traffic at the WAP gateway.

Page 43: Secure Socket Layer

Introduction to TLS Transport Layer Security

Page 44: Secure Socket Layer

Introduction to TLS Transport Layer Security

TLS, an acronym for Transport Layer Security, is a feature of mail servers designed to secure the transmission of electronic mail from one server to another using encryption technology.

TLS can reduce the risk of eavesdropping, tampering, and message forgery in mail communications.

TLS is a security protocol from the Internet Engineering Task Force (IETF) that is based on the Secure Sockets Layer (SSL) 3.0 protocol developed by Netscape.

Page 45: Secure Socket Layer

TLS Protocol Layers

The TLS protocol is made up of two layers:

• The TLS record protocol is designed to protect confidentiality by using symmetric data encryption.
• The TLS handshake protocol allows authentication between the server and client and the negotiation of an encryption algorithm and cryptographic keys before the application protocol transmits or receives any data.

Page 46: Secure Socket Layer

Is TLS something new?

TLS is the successor to Secure Sockets Layer (SSL).

SSL and TLS are frameworks that include cryptographic protocols which are intended to provide secure communications on the Internet.

Page 47: Secure Socket Layer

How TLS works

When TLS is enabled on the mail servers of both the sender and the receiver of the e-mail, information exchanged between the servers is encrypted in a format that encodes plain text into non-readable form. Mail servers use Simple Mail Transfer Protocol (SMTP) to send and receive messages.

Enable TLS communications for SMTP traffic:

• The sending party checks whether TLS services are offered
• The server sends its TLS certificate to the client
• The TLS session starts, and the SMTP message is transmitted
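The three SMTP steps above, written against the interface of Python's `smtplib.SMTP`, as an added example that is not part of the original slides. The require-TLS policy (refuse to send when STARTTLS is not offered), the `TLSNotOffered` exception and the `FakeSMTP` stand-in are assumptions made so the flow can be run without a network.

```python
import ssl


class TLSNotOffered(Exception):
    """Raised instead of silently falling back to clear-text SMTP."""


def send_over_tls(smtp, sender, recipient, message, context=None):
    """Follow the three steps on an smtplib.SMTP-like connection object."""
    smtp.ehlo()
    # Step 1: the sending party checks whether TLS is offered.
    if not smtp.has_extn("starttls"):
        raise TLSNotOffered("server did not advertise STARTTLS; message not sent")
    # Step 2: the server presents its certificate; the default context verifies
    # the chain and the host name, and starttls() raises if that fails.
    smtp.starttls(context=context or ssl.create_default_context())
    # Extensions announced before TLS were unprotected, so ask again.
    smtp.ehlo()
    # Step 3: the message travels inside the TLS session.
    return smtp.sendmail(sender, [recipient], message)


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the flow runs offline."""

    def __init__(self, extensions):
        self.extensions, self.calls, self.tls = set(extensions), [], False

    def ehlo(self):
        self.calls.append("ehlo")

    def has_extn(self, name):
        return name.lower() in self.extensions

    def starttls(self, context=None):
        self.calls.append("starttls")
        self.tls = True

    def sendmail(self, sender, recipients, message):
        self.calls.append("sendmail tls=%s" % self.tls)
        return {}


def demo():
    ok = FakeSMTP({"starttls", "8bitmime"})
    send_over_tls(ok, "a@example.org", "b@example.net", "Subject: hi\r\n\r\nbody")
    stripped = FakeSMTP({"8bitmime"})      # STARTTLS missing from the EHLO reply
    try:
        send_over_tls(stripped, "a@example.org", "b@example.net", "x")
    except TLSNotOffered:
        pass
    return ok.calls, stripped.calls
```

With a real server, pass `smtplib.SMTP(host, 25)` as `smtp`; the second case shows that a reply without STARTTLS stops delivery before any message data is sent.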

Page 48: Secure Socket Layer

Importance of TLS

Sending unencrypted messages increases the risk that messages can be intercepted or altered.

TLS security technology automatically encrypts e-mail messages between servers, thereby reducing the risk of eavesdropping, interception, and alteration.

Page 49: Secure Socket Layer

Benefits of TLS

Protection

Every e-mail sent and received is encrypted

E-mail encryption is transparent

TLS is globally accepted

Industry Standard

E-mail can be easily inspected for viruses

Reduced cost

No overhead for end-users.

Rapid deployment

Page 50: Secure Socket Layer

Summary

• “Overview” of Secure Socket Layer (SSL)
• Introduction to “SSL” Secure Socket Layer
• How SSL “Works”?
• “Benefits and Limitations” of SSL
• “Advanced Concepts” of SSL
• Related Protocols
• Introduction to TLS Transport Layer Security
• “Importance” of TLS
• “Benefits” of TLS

Page 52: Secure Socket Layer

THANKS FOR BEARING WITH US…