Professional Documents
Culture Documents
Instructor:
Dr. Mohammad Wazid
SSL/TLS, Https
Web Security
Web now widely used by business,
government, individuals
but Internet & Web are vulnerable
have a variety of threats
integrity
confidentiality
denial of service
authentication
need added security mechanisms
Methods used for Web Traffic
Security
SSL (Secure Socket Layer)
transport layer security service
originally developed by Netscape
version 3 designed with public input
subsequently became Internet standard
known as TLS (Transport Layer Security)
uses TCP to provide a reliable end-to-end
service
SSL has two layers of protocols
SSL Architecture
SSL Architecture
SSL connection
a transient, peer-to-peer, communications link
associated with 1 SSL session
SSL session
an association between client & server
created by the Handshake Protocol
define a set of cryptographic parameters
may be shared by multiple SSL connections
SSL Record Protocol
Services
confidentiality
using symmetric encryption with a shared
secret key defined by Handshake Protocol
AES, IDEA, RC2-40, DES-40, DES, 3DES,
Fortezza, RC4-40, RC4-128
message is compressed before encryption
message integrity
using a MAC with shared secret key
SSL Record Protocol Operation
SSL Record Protocol Operation
It takes an application message to be
transmitted, fragments the data into
manageable blocks, optionally compresses
the data, computes and appends a MAC
(using a hash very similar to HMAC),
Encrypts (using one of the symmetric
algorithms listed on the previous slide),
SSL Record Protocol Operation
Adds a header (with details of the SSL
content type, major/minor version, and
compressed length), and transmits the
resulting unit in a TCP segment.
Received data are decrypted, verified,
decompressed, and reassembled and then
delivered to higher-layer applications.
SSL Handshake Protocol
It uses the SSL Record Protocol to
exchange a series of messages
between an SSL-enabled server and an
SSL-enabled client when they first
establish an SSL connection.
This exchange of messages is designed
to enable the following actions:
Authenticate the server to the client.
SSL Handshake Protocol
Allow the client and server to select
cryptographic algorithms, or ciphers,
they both support.
Optionally authenticate the client to the
server.
Use public key encryption to generate
shared secret keys.
Establish an encrypted SSL connection.
SSL
Handshake
Protocol
SSL Change Cipher Spec Protocol
Change cipher spec protocol is used to
change the encryption being used by the
client and server.
It is normally used as part of the
handshake process to switch to symmetric
key encryption.
The CCS protocol is a single message that
tells the peer that the sender wants to
change to a new set of keys, which are
then created from information exchanged
by the handshake protocol.
SSL Alert Protocol
It signals problems with an SSL session.
Alert messages convey the severity of the message and
a description of the alert.
Upon transmission or receipt of a fatal alert message,
both parties immediately close the connection.
The client and the server must communicate that the
connection is ending to avoid a truncation attack.
In a truncation attack, an attacker inserts into a
message a TCP code indicating the message has
finished, thus preventing the recipient picking up the
rest of the message.
SSL Alert Protocol
Either party may initiate the exchange of
closing messages.
Normal termination occurs when the
close_notify message is sent.
This message notifies the recipient that the
sender will not send any more messages on
this connection.
TLS (Transport Layer
Security)
IETF standard RFC 2246 similar to SSLv3
with minor differences
in record format version number
uses HMAC for MAC
a pseudo-random function expands secrets
• based on HMAC using SHA-1 or MD5
has additional alert codes
some changes in supported ciphers
changes in certificate types & negotiations
changes in crypto computations & padding
HTTPS
HTTPS (HTTP over SSL)
combination of HTTP & SSL/TLS to secure
communications between browser & server
• documented in RFC2818
• no fundamental change using either SSL or TLS
use https:// URL rather than http://
and port 443 rather than 80
encrypts
URL, document contents, form data, cookies,
HTTP headers
Fig. HTTPs vs HTTP
HTTP and HTTPs differences
HTTPS is HTTP with encryption.
The only difference between the two
protocols is that HTTPS uses TLS (SSL) to
encrypt normal HTTP requests and
responses.
As a result, HTTPS is far more secure than
HTTP.
A website that uses HTTP has http:// in its
URL, while a website that uses HTTPS has
https://.
HTTP and HTTPs differences
HTTP (Hypertext Transfer Protocol), is a
protocol which is used for transferring data
over a network.
Most information that is sent over the Internet,
including website content and API calls, uses
the HTTP protocol.
There are two main kinds of HTTP messages:
requests and responses.
HTTP and HTTPs differences
HTTP request and HTTP response
HTTP requests are generated by a user's
browser as the user interacts with web
properties.
For example, if a user clicks on a hyperlink, the
browser will send a series of "HTTP GET"
requests for the content that appears on that
page.
These HTTP requests all go to either an origin
server or a proxy caching server, and that server
will generate an HTTP response.
HTTP responses are answers to HTTP requests.
HTTP and HTTPs differences
A typical HTTP request
An HTTP request is just a series of lines of
text that follow the HTTP protocol. A GET
request might look like this:
GET /hello.txt HTTP/1.1
User-Agent: curl/7.63.0 libcurl/7.63.0
OpenSSL/1.1.l zlib/1.2.11
Host: www.example.com
Accept-Language: en
HTTP and HTTPs differences
This section of text, generated by the user's
browser, gets sent across the Internet.
Problem: In plaintext that anyone monitoring
the connection can read.
This is especially an issue when users
submit sensitive data via a website or a web
application.
This could be a password, a credit card
number, or any other data entered into a
form, and in HTTP all this data is sent in
plaintext for anyone to read.
HTTP and HTTPs differences
When a user submits a form, the browser
translates this into an HTTP POST request
instead of an HTTP GET request.
When an origin server receives an HTTP
request, it sends an HTTP response, which is
similar:
HTTP/1.1 200 OK
Date: Wed, 30 Jan 2019 12:14:39 GMT
Server: Apache
Last-Modified: Mon, 28 Jan 2019 11:17:01 GMT
Accept-Ranges: bytes
Content-Length: 12
Vary: Accept-Encoding
Content-Type: text/plain
Hello World!
HTTP and HTTPs differences
If a website uses HTTP instead of HTTPS, all
requests and responses can be read by anyone
who is monitoring the session.
Essentially, a malicious actor can just read the
text in the request or the response and know
exactly what information someone is asking for,
sending, or receiving.
HTTPS
The S in HTTPS stands for "secure."
HTTPS uses TLS (or SSL) to encrypt HTTP
requests and responses,
HTTP and HTTPs differences