Scribd
Upload
7 views

wcs,ssl and tls

The document discusses web security considerations, highlighting the vulnerabilities of web servers and the importance of security protocols like SSL/TLS for secure communication. It explains the architecture and operation of SSL, including the handshake process and the differences between SSL and TLS. Additionally, it covers the use of HTTPS for secure web transactions and the functionality of Secure Shell (SSH) for encrypted data transfer.

Uploaded by

saikarthikreddypalagiri
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
7 views

wcs,ssl and tls

The document discusses web security considerations, highlighting the vulnerabilities of web servers and the importance of security protocols like SSL/TLS for secure communication. It explains the architecture and operation of SSL, including the handshake process and the differences between SSL and TLS. Additionally, it covers the use of HTTPS for secure web transactions and the functionality of Secure Shell (SSH) for encrypted data transfer.

Uploaded by

saikarthikreddypalagiri
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 36

WEB SECURITY

CONSIDERATIONS
The World Wide Web is fundamentally a
client/server application running over theInternet and
TCP/IP intranets.
•1. The Internet is two-way. Unlike traditional
publish in environments—even electronic publishing
systems involving teletext, voice response, or fax-
back—the Web is vulnerable to attacks on the Web
servers over the Internet.
2.The Web is increasingly serving as a highly visible
outlet for corporate and product information
3.Although Web browsers are very easy to use, Web
servers are relatively easy to configure and manage
4.A Web server can be exploited as a launching pad
into the corporation’s or agency’s entire computer
complex.
5.Casual and untrained (in security matters) users are
common clients for Web-based services
Secure Socket Layer (SSL)
• KEY POINTS
• Secure Socket Layer (SSL) provides security services
between TCP and applications that use TCP. The Internet
standard version is called Transport Layer Service (TLS).
• SSL/TLS provides confidentiality using symmetric
encryption and message integrity using a message
authentication code.
• SSL/TLS includes protocol mechanisms to enable two TCP
users to determine the security mechanisms and services
they will use.
• HTTPS (HTTP over SSL) refers to the combination of
HTTP and SSL to implement secure communication
between a Web browser and a Web server.
• Secure Shell (SSH) provides secure remote logon and other
secure client/server facilities.
SSL (Secure Socket Layer)
• SSL designed to make use of transport layer
security service
• originally developed by Netscape
• version 3 designed with public input
• subsequently became Internet standard known as
TLS (Transport Layer Security)
• uses TCP to provide a reliable end-to-end service
• SSL has two layers of protocols
SSL Architecture
SSL Architecture
• SSL connection
• A connection is a transport (in the OSI layering
model definition) that provides a suitable type of
service. For SSL, such connections are peer-to-peer
relationships. The connections are transient. Every
connection is associated with one session
• SSL session
• an association between client & server
• created by the Handshake Protocol
• define a set of cryptographic parameters
• may be shared by multiple SSL connections
A session state is defined
by the following
parameters.
• Session identifier: An arbitrary byte sequence chosen by the
server to identify an active or resumable session state.
• Peer certificate: An X509.v3 certificate of the peer. This
element of the state may be null.
• Compression method: The algorithm used to compress data
prior to encryption.
• Cipher spec: Specifies the bulk data encryption algorithm
(such as null, AES, etc.) and a hash algorithm (such as MD5
or SHA-1) used for MAC calculation. It also defines
cryptographic attributes such as the hash_size.
• Master secret: 48-byte secret shared between the
client and server. •

resumable: A flag indicating whether the session can


be used to initiate new connections
A connection state is
defined by the following
parameters
• Server and client random: Byte sequences that are chosen
by the server and client for each connection.
• Server write MAC secret: The secret key used in MAC
operations on data sent by the server.
• Client write MAC secret: The secret key used in MAC
operations on data sent by the client.
• Server write key: The secret encryption key for data
encrypted by the server and decrypted by the client.
• Client write key: The symmetric encryption key for data
encrypted by the client and decrypted by the server
• Initialization vectors: When a block cipher in CBC
mode is used,an initialization vector (IV) is
maintained for each key
• Sequence numbers: Each party maintains separate
sequence numbers for transmitted and received
messages for each connection
SSL Record Protocol
Services
confidentiality
• using symmetric encryption with a shared secret key
defined by Handshake Protocol
• AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza,
RC4-40, RC4-128
• message is compressed before encryption
message integrity
• using a MAC with shared secret key
• similar to HMAC but with different padding
SSL Record Protocol
Operation
SSL Change Cipher Spec
Protocol
one of 3 SSL specific protocols which use the SSL
Record protocol
•a single message
•causes pending state to become current
•hence updating the cipher suite in use
SSL Alert Protocol
conveys SSL-related alerts to peer entity
severity
• warning or fatal
specific alert
• fatal: unexpected message, bad record mac, decompression failure,
handshake failure, illegal parameter
• warning: close notify, no certificate, bad certificate, unsupported
certificate, certificate revoked, certificate expired, certificate
unknown
compressed & encrypted like all SSL data
SSL Handshake Protocol
 allows server & client to:
• authenticate each other
• to negotiate encryption & MAC algorithms
• to negotiate cryptographic keys to be used
 comprises a series of messages in phases
1.Establish Security Capabilities
2.Server Authentication and Key Exchange
3.Client Authentication and Key Exchange
4.Finish
SSL
Handshake
Protocol
Cryptographic
Computations
master secret creation
a one-time 48-byte value
generated using secure key exchange (RSA / Diffie-
Hellman) and then hashing info
generation of cryptographic parameters
client write MAC secret, a server write MAC secret, a
client write key, a server write key, a client write IV, and a
server write IV
 generated by hashing master secret
TRANSPORT LAYER SECURITY(TLS)
Transport layer
security(TLS)

TLS is an IETF standardization initiative whose goal


is to produce an Internet standard version of SSL.
•Transport Layer Security, or TLS, is a widely adopted
security protocol designed to facilitate privacy and data
security for communications over the Internet.
•A primary use case of TLS is encrypting the communication
between web applications and servers, such as web browsers
loading a website.
•TLS can also be used to encrypt other communications such
as email, messaging, and voice over IP (VoIP). In this article
we will focus on the role of TLS in web application security.
Version Number
The TLS Record Format is the same as that of the SSL Record
Format(Figure), and the fields in the header have the same
meanings.
•The one difference is in version values. For the current
version of TLS, the major version is 3 and the minor version is
3.

Fig :SSL/TLS RECORD FORMAT


Message Authentication Code

•There are two differences between the SSLv3 and


TLS MAC schemes: the actual algorithm and the
scope of the MAC calculation. TLS makes use of the
HMAC algorithm defined in RFC 2104
• HMAC is defined as
• Pseudorandom Function

• TLS makes use of a pseudorandom function


referred to as PRF to expand secrets into blocks of
data for purposes of key generation or validation.

• The objective is to make use of a relatively small


shared secret value but to generate longer blocks of

data in a way that is secure from the kinds of attacks


made on hash functions and MACs.The PRF is
based on the data expansion function
Differences between SSL
and TLS
• The main differences between Secure Socket Layer
and Transport Layer Security is that. In SSL (Secure
Socket Layer), Message digest is used to create
master secret and It provides the basic security
services which
are Authentication and confidentiality.
• while In TLS (Transport Layer Security), Pseudo-
random function is used to create master secret.
Summary TLS
(Transport Layer
Security)
• IETF standard RFC 2246 similar to SSLv3
• with minor differences
• in record format version number
• uses HMAC for MAC
• a pseudo-random function expands secrets
• based on HMAC using SHA-1 or MD5
• has additional alert codes
• some changes in supported ciphers
• changes in certificate types & negotiations
• changes in crypto computations & padding
HTTPS
HTTPS (HTTP over SSL)
combination of HTTP & SSL/TLS to secure communications
between browser & server
• documented in RFC2818
• no fundamental change using either SSL or TLS
use https:// URL rather than http://
and port 443 rather than 80
encrypts
URL, document contents, form data, cookies, HTTP
headers
HTTPS Use
• connection initiation
• TLS handshake then HTTP request(s)
• connection closure
• have “Connection: close” in HTTP record
• TLS level exchange close_notify alerts
• can then close TCP connection
• must handle TCP close before alert exchange sent or
completed
Secure Shell
• SSH(Secure Shell) is access credential that is used in the SSH
Protocol. In other words, it is a cryptographic network
protocol that is used for transferring encrypted data over
network. It allows you to connect to a server, or multiple
servers, without having you to remember or enter your
password for each system that is to login remotely from one
system into another.
It always comes in key pair:

• Public key – Everyone can see it, no need to protect it. (for
encryption function)
• Private key – Stays in computer, must be protected. (for
decryption function)
Key pairs can be of the following types:

•User Key – If public key and private key remain with the user.
•Host Key – If public key and private key are on a remote system.
•Session key – Used when large amount of data is to be transmitted.
How SSH Works ?
Public keys from the local computers (system) are passed to the server which is to
be accessed.
Server then identifies if the public key is registered.
If so, the server then creates a new secret key and encrypts it with the public key
which was send to it via local computer.This encrypted code is send to the local
computer.
Summary
• have considered:
• need for web security
• SSL/TLS transport layer security protocols
• HTTPS
• secure shell (SSH)

You might also like