Understanding SSL


Understanding Secure Socket Layer (SSL)
Advisor: Prof. Tzonelih Hwang
Presenter: Prosanta Gope
1
Flash Back
2
Agenda
• SSL Basics
• Authentication in SSL
3
SSL Usage
• Authenticate the server to the client
• Allow the client and server to select cryptographic algorithms, or ciphers, that they both support, using CipherSuites in the Hello message
  E.g. SSL_RSA_WITH_RC4_128_MD5
• Optionally authenticate the client to the server
• Use public key encryption techniques to generate a shared secret
• Establish an encrypted SSL connection
4
Secure Socket Layer
SSL is a secure protocol which runs above TCP/IP and allows users to encrypt data and authenticate a server's/vendor's identity securely.
[Figure: protocol stack, top to bottom]
Application layer: HTTPS, FTPS, SMTPS
SECURE SOCKET LAYER
Transport layer: TCP/IP layer
5
SSL Stack
6
SSL Handshake
The SSL handshake verifies the server and allows the client and server to agree on an encryption set before any data is sent out.
7
SSL Handshake
8
Understanding the Concept of Public Key Certificate
9
Public Key Certificates
10
SSL Handshake
[Figure: Server (public key, private key); Client request; Client (public key)]
11
Precisely
12
SSL Handshake
[Figure: Server (private key, public key); Client (public key)]
Client → Server:
• SSL version number client supported (v2, v3)
• Ciphers supported client (DES, RC2, RC4)
• Client Random Number
Server → Client:
• SSL version number server picked (v2, v3)
• Ciphers server picked (DES, RC2, RC4)
• Server Random Number
• Certificate
13
Verify Certificate
[Figure: Server (private key, public key); Client request; Certificate; Valid Checking; Client (public key, certificate)]
Certificate is Good and Valid
Server/vendor has been verified and authenticated
Client has vendor’s public key and can now encrypt pre-master to send to server/vendor
14
Verify Server Certificate
15
Not-recognizable Certificate
16
SSL Session Key
[Figure: Server (private key, public key; PreMaster, session key); Client (public key; Pre-Master, session key)]
17
Secure Data on Network
[Figure: Server (private key, public key, session key); Client (session key); Data and session key shown on both sides and on the network between them]
18
SSL Handshake - details
Server Authentication
Client:
• Generate Challenge
• Verify server certificate
• Generates pre-master session key
• Encrypt: pre-master session key
• Decrypt and verify challenge phrase
Messages:
• Hello, Challenge
• Server Cert
• {pre-master session Key} Server's public key
• {Client's Challenge} sessionKey
Server:
• Return Server Certificate
• Decrypt pre-master session key
• Encrypt random challenge phrase
Client Authentication
Client:
• Decrypt challenge
• Calculate message digest on Challenge and Server certificate
• Done
Messages:
• (Challenge phrase) Server private key
• [Message Digest] Client private key
• Client Certificate
• (Session Identifier) sessionKey
Server:
• Generate new challenge
• Requests Client certificate
• Decrypt Message Digest
• Verify Client certificate and recompute message digest
SSL Handshake
Client Certificate (optional)
The client only sends a certificate upon receipt of a certificate request
– Sends after receiving server hello done
– If the client does not have a suitable certificate, it sends a no certificate alert
• Server will respond with a fatal handshake failure if a client certificate is necessary
21
Verify Client Certificate
22
SSL Architecture
23
Change Cipher Spec Protocol
• The change cipher spec protocol is used to change the encryption being used by the client and server. It is normally used as part of the handshake process to switch to symmetric key encryption.
• Sent before the Finished message
24
SSL Architecture
25
Alert Layer
• Explains the severity of the message and gives a description
– fatal
  • Immediate termination
  • Other connections in session may continue
  • Session ID invalidated to prevent the failed session from opening new sessions
• Alerts are compressed the same as other data
26
SSL Architecture
27
SSL Record Protocol Operation
28
Record Layer
• Compression and decompression
• A MAC is applied to each record using the MAC algorithm defined in the current cipher spec
• Encryption occurs after compression
• May need fragmentation
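An added example (not from the original slides) of the record-layer order listed above: fragment, compress, then MAC each record, with the receiver verifying before it decompresses. Assumptions: HMAC-SHA256 stands in for the cipher spec's MAC algorithm, zlib for the compression method, the function names and sample key are constructed, and the encryption step that follows the MAC is omitted because the Python standard library has no cipher.

```python
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14   # SSL/TLS limit on a plaintext fragment, in bytes
APPLICATION_DATA = 23    # record content type for application data
MAC_LEN = 32             # HMAC-SHA256 tag length (stand-in MAC, an assumption)


def record_mac(key, seq, ctype, body):
    # The MAC input covers the implicit 64-bit sequence number, the content
    # type and the length, so reordered, replayed or altered records fail.
    header = struct.pack(">QBH", seq, ctype, len(body))
    return hmac.new(key, header + body, hashlib.sha256).digest()


def protect(key, data, ctype=APPLICATION_DATA):
    """Sender: fragment -> compress -> append MAC (cipher step omitted)."""
    records = []
    for seq, off in enumerate(range(0, len(data), MAX_FRAGMENT)):
        body = zlib.compress(data[off:off + MAX_FRAGMENT])
        records.append(body + record_mac(key, seq, ctype, body))
    return records


def unprotect(key, records, ctype=APPLICATION_DATA):
    """Receiver: verify MAC -> decompress -> reassemble."""
    out = bytearray()
    for seq, rec in enumerate(records):
        body, tag = rec[:-MAC_LEN], rec[-MAC_LEN:]
        if not hmac.compare_digest(tag, record_mac(key, seq, ctype, body)):
            raise ValueError(f"bad record MAC at sequence {seq}")
        out += zlib.decompress(body)
    return bytes(out)


if __name__ == "__main__":
    key = b"constructed-demo-mac-key"               # constructed sample key
    message = b"GET /account HTTP/1.0\r\n" * 2000   # constructed sample payload
    recs = protect(key, message)
    print(len(recs), "records, round trip ok:", unprotect(key, recs) == message)
    try:
        unprotect(key, recs[::-1])                  # records delivered out of order
    except ValueError as exc:
        print("reordered ->", exc)
```

zlib is used here only to make the compress-then-MAC ordering visible. Record-layer compression was later shown to leak plaintext through ciphertext length (the CRIME attack), and TLS 1.3 removed it.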
29
Review the SSL Handshake
30
SSL Handshake
Client → Server:
• Client hello
• *Present Client Certificate
• Client Key Exchange
• *Certificate Verify
• Change Cipher Spec
• Client Finish
Server → Client:
• Server hello
• Present Server Certificate
• *Request Client Certificate
• Server Key Exchange
• Change Cipher Spec
• Server Finish
Application Data
31
For any Query
Please email me:
[email protected]
32
[Figure: Network Security Services: Privacy, Integrity, Authentication; other labels: "Old-time Cryptography", "Information Security", "Classical Cryptography"]
33
Thanks!
34