SSL and certificates
Transcript of SSL and certificates
Slide 1
Topic: Implementation of SSL & TLS for Application servers
03/19/08 1
Slide 2
Introduction:
The Internet is a network for everyone: everyone and everything on it is open, which makes it highly insecure. Netscape Corporation therefore created the SSL protocol for secure transactions.
Slide 3
SSL – Secure Sockets Layer: a protocol for data encryption. It is an open, non-proprietary protocol; the current implementation is OpenSSL. It is used for:
a. data encryption
b. server authentication
c. data integrity
d. client authentication
Slide 4
Enhances and ensures the security of transactional data:
Securing transactions on the Web using Apache-SSL.
Securing remote user access.
Securing e-mail services (IMAP, POP3).
Slide 5
TLS:
Transport Layer Security (TLS) provides security at the transport layer. It is the non-proprietary version of SSL and allows two parties to exchange messages in a secure environment.
Slide 6
Position of TLS: (figure only)
Slide 7
TLS requirements:
Protocols:
* entity authentication protocol
* message authentication protocol
* encryption/decryption protocol
Each party uses a predefined function to create the session keys. A digest is calculated and appended to each message, and the message and digest are encrypted using the encryption/decryption protocol. Each party extracts the necessary keys and parameters for message authentication and encryption/decryption.
Slide 8
Cryptography:
* In Greek means "secret writing."
* Refers to the science and art of transforming messages to make them secure and immune to attacks.
Types of Cryptography:
Symmetric-Key Cryptography
Asymmetric-Key Cryptography
Slide 9
Symmetric-key cryptography (figure only)
Slide 10
Asymmetric Cryptography:
Uses two keys: a public key and a private key.
The keys are completely independent: a private key cannot be deduced from a public one.
A message encrypted with the public key can be read only by the holder of the private key.
The public key is open; the private key is secret.
Slide 11
Asymmetric-key encryption (figure only)
Slide 12
Asymmetric Encryption/Decryption (figure only)
Slide 13
Asymmetric cryptography simulates the security properties of a handwritten signature. Two algorithms are involved:
1. one for signing, which uses the user's private key;
2. one for verifying signatures, which uses the user's public key.
Slide 14
TCP/IP Protocol Suite 14
Hash function (figure only)
Slide 15
Sender site (figure only)
Slide 16
Receiver site (figure only)
Slide 17
A Digital ID contains:
Your public key
Your name & e-mail address
Expiration date of the public key
Name of the company
Serial number of the Digital ID
Slide 18
(figure: Bob's private key and Bob's public key; Bob's co-workers Pat, Doug and Susan)
Anyone can get Bob's Public Key, but Bob keeps his Private Key to himself.
Slide 19
(figure: a message passed between Susan and Bob)
"Hey Bob, how about lunch at Taco Bell. I hear they have free refills!"
HNFmsEm6UnBejhhyCGKOKJUxhiygSBCEiC0QYIh/Hn3xgiK BcyLK1UcYiY lxx2lCFHDC/A
"Hey Bob, how about lunch at Taco Bell. I hear they have free refills!"
Slide 20
Bob prepares a message digest using a hash function.
Slide 21
Bob encrypts the digest with his private key.
Digital signature created.
Slide 22
The digital signature is appended to the original document and sent to Susan.
Slide 23
Susan separates the original document and the digital signature.
Slide 24
Note: A digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.
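The Bob-to-Susan flow of slides 20 to 24 done with the OpenSSL command line, as an added example that is not part of the original slides. It assumes the `openssl` CLI (1.1.1 or later) is on PATH; the key file names, the SIGNATURE marker line and the message text are constructed for the demo.

```shell
# Added example, not from the slides; assumes openssl 1.1.1+ on PATH.
set -eu
WORK=$(mktemp -d)

# Bob's key pair: the private key stays with Bob, the public key is handed out.
make_bob_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/bob.key" 2>/dev/null
    openssl pkey -in "$WORK/bob.key" -pubout -out "$WORK/bob.pub" 2>/dev/null
}

# Slides 20-22: hash the document, sign the digest with the private key, then
# append the base64 signature to the still-readable document (constructed text).
bob_sign() {
    printf '%s\n' "$1" > "$WORK/msg.txt"
    openssl dgst -sha256 -sign "$WORK/bob.key" -out "$WORK/msg.sig" "$WORK/msg.txt"
    { cat "$WORK/msg.txt"; echo '-----SIGNATURE-----'; openssl base64 -in "$WORK/msg.sig"; } \
        > "$WORK/sent.txt"
}

# Slide 23: Susan separates document and signature, recomputes the digest and
# checks it against the signature with Bob's public key (exit status 0 = valid).
susan_verify() {
    sed '/^-----SIGNATURE-----$/,$d' "$WORK/sent.txt" > "$WORK/recv.txt"
    sed '1,/^-----SIGNATURE-----$/d' "$WORK/sent.txt" | openssl base64 -d > "$WORK/recv.sig"
    openssl dgst -sha256 -verify "$WORK/bob.pub" -signature "$WORK/recv.sig" \
        "$WORK/recv.txt" >/dev/null 2>&1
}

# Slide 24: the signature proves origin and integrity, not privacy; anyone on
# the path can read the document.
message_is_readable() {
    grep -q 'free refills' "$WORK/sent.txt"
}

# Any change to the document after signing makes verification fail.
tampering_detected() {
    sed 's/free refills/free tacos/' "$WORK/sent.txt" > "$WORK/t.txt" && mv "$WORK/t.txt" "$WORK/sent.txt"
    if susan_verify; then return 1; else return 0; fi
}

demo() {
    make_bob_keys
    bob_sign 'Hey Bob, how about lunch at Taco Bell. I hear they have free refills!'
    susan_verify && message_is_readable && tampering_detected
}
demo
```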
Slide 25
Important tools:
1. GnuPG: stands for GNU Privacy Guard. Used to:
* encrypt data
* create digital signatures
* help with authentication using Secure Shell
* provide a framework for public-key cryptography.
Slide 26
2. OpenPGP: part of the GNU Privacy Guard (GnuPG). Provides digital encryption and signing services using the OpenPGP standard.
Slide 27
X.509:
Standard sponsored by the ITU.
International standard for digital certificates, used to authenticate digital signatures.
Slide 28
X.509 fields (figure only)
Slide 29
Certificate:
A body of data placed in a message to serve as proof of the sender's authenticity. It consists of encrypted information that associates a public key with the true identity of an individual.
Includes the identification and electronic signature of the Certificate Authority (CA).
Includes a serial number and the period of time for which the certificate is valid.
Slide 30
Why do I need a digital certificate?
Authentication, Privacy, Integrity, Nonrepudiation.
Slide 31
Certificate Signing Request: a request made to a CA by an organization to obtain a digital certificate.
The requesting party includes information that proves its identity and digitally signs the CSR with its private key.
Slide 32
Certificate Authority:
A trusted organization that issues certificates for both servers and clients.
Creates digital certificates that securely bind the names of users to their public keys.
Two types of CA:
* Commercial CA
* Self-certified private CA
Slide 33
Commercial CA:
Job: to verify the authenticity of other companies' messages on the Internet. Examples: VeriSign, Thawte.
Slide 34
Self-certified CA:
A root-level commercial CA is itself self-certified.
Typically used in a LAN or WAN environment.
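Slides 31, 32 and 34 in practice, as an added example that is not part of the original slides: a self-certified private CA issues a server certificate from a CSR, a client checks the chain against that root, and the certificate fields slide 29 lists are printed, all with the OpenSSL command line. It assumes `openssl` 1.1.1 or later on PATH; the organization, host name, subject names and file names are invented.

```shell
# Added example, not from the slides; assumes openssl 1.1.1+ on PATH.
set -eu
WORK=$(mktemp -d)
# Minimal req config: -subj supplies the name; v3_ca marks the root as an issuer.
printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/req.cnf"

# Slide 34: the root CA signs its own certificate ("self-certified").
make_root_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -sha256 -days 3650 -subj '/O=Example Corp/CN=Example Private Root CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Slide 31: the requester's CSR carries its identity and public key and is
# signed with its own private key; the CA checks that signature before issuing.
make_server_csr() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj '/O=Example Corp/CN=www.example.test' \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl req -in "$WORK/server.csr" -verify -noout >/dev/null 2>&1
}

# Slide 29: the CA adds its signature, a serial number and a validity period.
# A subjectAltName is added because clients match the host name against it.
issue_server_cert() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -sha256 -days 365 -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/server.ext" \
        -out "$WORK/server.crt" 2>/dev/null
}

# Client side: trust only the private root; exit status 0 means the chain and
# the host name both check out.
chain_verifies() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# The certificate fields the slides list: serial, validity, subject, issuer.
cert_fields() {
    openssl x509 -in "$WORK/server.crt" -noout -serial -dates -subject -issuer
}

demo() {
    make_root_ca && make_server_csr && issue_server_cert || return 1
    chain_verifies www.example.test || return 1
    chain_verifies www.other.test && return 1   # wrong host name must be rejected
    cert_fields
}
demo
```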
Slide 35
Public-key infrastructure (PKI):
Provides public-key encryption and digital signature services.
By managing keys and certificates, an organization establishes and maintains a trustworthy networking environment.
Slide 36
E-mail server security:
The biggest problem is unsolicited mail, or spam.
The Simple Mail Transfer Protocol (SMTP) is simple and insecure.
The biggest abuse of the e-mail service is the open mail relay.
Slide 37
Open mail relay:
• used to send unwanted e-mails to people
• wastes resources
• creates legal problems for companies that leave their e-mail system open.
Slide 38
Web-server security:
Web sites get hacked because holes in applications or scripts are exploited.
Protecting a Web site begins with understanding and identifying the security risks.
Slide 39
Conclusion:
Secure digital transactions will be an important part of electronic commerce in the future.
Privacy of transactions, and authentication of all parties, is important for achieving the level of trust.
Encryption algorithms and key sizes must be robust enough to prevent observation by hostile entities.
Slide 40
Thank you