4.1 SCS10NetSec2
: SSL/TLS
SSL - Secure Sockets Layer
Netscape 1990-
SSLv2 (
!!!), SSLv3
TLS - Transport Layer Security
IETF- SSL
TLS 1.0 - SSLv3 RFC 2246 (1999)
TLS 1.1 - TLS 1.0 + RFC 4346 (2006)
TLS 1.2 - TLS 1.1 + RFC 5246 (2008)
DTLS (Datagram TLS) TLS UDP
: SSL/TLS
:
Internet
Internet
- TCP (
HTTP)
PKI
(
, RC4)
(-) JKBob ?
JKCA
Verify
cert
(PK,JK)
JKCA
JK
CA
JK
I am Bob
Cert PKCA :
check
proof
JK
Cert ( , )
PKCA
:
:
Common Name :
,
ugd.edu.mk,
CAs
SSL/TLS
HTTP HTTPS
web
proxy
web
server
-
:
CONNECT domain-name
client-hello
:
IP .
TLS 1.1 (RFC 4366)
client_hello_extension: server_name=cnn.com
FF2 IE7 (vista)
443 HTTPS
client-hello
server-cert ???
web
server
certCNN
certFOX
HTTPS
-?
-
ISP HTTPS
-
( )
TLS
1.
2.
3.
:
(cipher suite)
Handshake Protocol
Record Protocol
Handshake .
TLS
Handshake
Protocol
Change Cipher
Spec Protocol
Alert
Protocol
Record Protocol
TCP
HTTP
.
TLS cipher suites
TLS TCP .
TLS
.
.
200+ cipher suites
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_NULL_WITH_NULL_NULL
20
21
22
23
(Major version, 8 )
. SSLv3 3.
(Minor version, 8 ) -
SSLv3 0.
(Compressed length,
16 ) .
TLS Record
Protocol Handshake Protocol
TLS,
MAC
,
Handshake Protocol
.
Handshake Protocol
,
-
/ Record Protocol
SSL/TLS
Lock :
SSL
page origin
lock ?
HTTPS
:
HTTPS CA
HTTPS ( , )
Common Name URL
Lock UI:
CA
wildcard ( *.ugd.edu.mk )
:
www.bankofthevvest.com
HTTPS-EV HTTPS
HTTPS :
HTTP:
HTTP
URL
Google
HTTP
<form method="post"
action="https://onlineservices.wachovia.com/..."
HTTPS :
:
http://login.site.com
Redirect: https://login.site.com
HTTPS Lock
1. HTTP HTTPS
2.
3. :
HTTP HTTPS
4. HTTPS ?
: ,
TLS
BEAST (2011), CRIME (2012), Lucky 13, RC4 (2013),
Renegotiation Attack (2009), Triple Handshake Attack (2014)
(
):
Why Eve and Mallory Love Android (2012)
The most dangerous code in the world (2012)
Apple goto fail (2013)
OpenSSL CCS (2014)
Frankencerts (2014)
Heartbleed (2014)
IP: IPSec
IPSec
IPSec
a -
TCP :
IPSec : IPSEC IP
http://www.tcpipguide.com/free/t_IPSecModesTransportandTunnel.htm
IPSec : IPSEC + IP
IPSec
AH
ESP
ESP +
replay
Authentication Header (AH)
replay (
)
MAC;
Encapsulated Security Payload (ESP)
IPSec
- SA
IPsec
SA :
SA , SA
IPsec .
SA
SA
IPSec
- SA)
Internet Key Exchange (IKE IKEv2) Kerberized
Internet Negotiation of Keys (KINK) SA
IPsec.
Oakley
SKEME ISAKMP (Internet Security Association and
Key Management Protocol) .
Diffie-Hellman
.
X.509
IKE IPSEC
m1
A, (g^a mod p)
m2
sign_A(m1, m2)
: A B g^(ab) mod p
: SSH
Secure Shell, TCP 22
( , FTP)
SSH
(rcp)
ftp (sftp)
(rsync)
(sshfs)
SSH