Network and System Security (TCS619)

B. Tech CSE VI Semester

Instructor:
Dr. Mohammad Wazid

Associate Professor, Department of

CSE
Graphic Era (Deemed to be University), Dehradun, India
Email: wazidkec2005@gmail.com
Homepage: https://sites.google.com/site/mwazidiiith/home
 Transport-Level Security

SSL/TLS, Https
 Web Security
 Web now widely used by business,
government, individuals
 but Internet & Web are vulnerable
 have a variety of threats
 integrity
 confidentiality
 denial of service
 authentication
 need added security mechanisms
Methods used for Web Traffic
Security
 SSL (Secure Socket Layer)
 transport layer security service
 originally developed by Netscape
 version 3 designed with public input
 subsequently became Internet standard
known as TLS (Transport Layer Security)
 uses TCP to provide a reliable end-to-end
service
 SSL has two layers of protocols
SSL Architecture
 SSL Architecture
 SSL connection
 a transient, peer-to-peer, communications link
 associated with 1 SSL session
 SSL session
 an association between client & server
 created by the Handshake Protocol
 define a set of cryptographic parameters
 may be shared by multiple SSL connections
 SSL Record Protocol
Services
 confidentiality
 using symmetric encryption with a shared
secret key defined by Handshake Protocol
 AES, IDEA, RC2-40, DES-40, DES, 3DES,
Fortezza, RC4-40, RC4-128
 message is compressed before encryption
 message integrity
 using a MAC with shared secret key
SSL Record Protocol Operation
 SSL Record Protocol Operation
 It takes an application message to be
transmitted, fragments the data into
manageable blocks, optionally compresses
the data, computes and appends a MAC
(using a hash very similar to HMAC),
 Encrypts (using one of the symmetric
algorithms listed on the previous slide),
 SSL Record Protocol Operation
 Adds a header (with details of the SSL
content type, major/minor version, and
compressed length), and transmits the
resulting unit in a TCP segment.
 Received data are decrypted, verified,
decompressed, and reassembled and then
delivered to higher-layer applications.
 SSL Handshake Protocol
 It uses the SSL Record Protocol to
exchange a series of messages
between an SSL-enabled server and an
SSL-enabled client when they first
establish an SSL connection.
 This exchange of messages is designed
to enable the following actions:
 Authenticate the server to the client.
 SSL Handshake Protocol
 Allow the client and server to select
cryptographic algorithms, or ciphers,
they both support.
 Optionally authenticate the client to the
server.
 Use public key encryption to generate
shared secret keys.
 Establish an encrypted SSL connection.
 SSL
Handshake
Protocol
 SSL Change Cipher Spec Protocol
 Change cipher spec protocol is used to
change the encryption being used by the
client and server.
 It is normally used as part of the
handshake process to switch to symmetric
key encryption.
 The CCS protocol is a single message that
tells the peer that the sender wants to
change to a new set of keys, which are
then created from information exchanged
by the handshake protocol.
 SSL Alert Protocol
 It signals problems with an SSL session.
 Alert messages convey the severity of the message and
a description of the alert.
 Upon transmission or receipt of a fatal alert message,
both parties immediately close the connection.
 The client and the server must communicate that the
connection is ending to avoid a truncation attack.
 In a truncation attack, an attacker inserts into a
message a TCP code indicating the message has
finished, thus preventing the recipient picking up the
rest of the message.
 SSL Alert Protocol
 Either party may initiate the exchange of
closing messages.
 Normal termination occurs when the
close_notify message is sent.
 This message notifies the recipient that the
sender will not send any more messages on
this connection.
 TLS (Transport Layer
Security)
 IETF standard RFC 2246 similar to SSLv3
 with minor differences
 in record format version number
 uses HMAC for MAC
 a pseudo-random function expands secrets
• based on HMAC using SHA-1 or MD5
 has additional alert codes
 some changes in supported ciphers
 changes in certificate types & negotiations
 changes in crypto computations & padding
 HTTPS
 HTTPS (HTTP over SSL)
 combination of HTTP & SSL/TLS to secure
communications between browser & server
• documented in RFC2818
• no fundamental change using either SSL or TLS
 use https:// URL rather than http://
 and port 443 rather than 80
 encrypts
 URL, document contents, form data, cookies,
HTTP headers
Fig. HTTPs vs HTTP
 HTTP and HTTPs differences
 HTTPS is HTTP with encryption.
 The only difference between the two
protocols is that HTTPS uses TLS (SSL) to
encrypt normal HTTP requests and
responses.
 As a result, HTTPS is far more secure than
HTTP.
 A website that uses HTTP has http:// in its
URL, while a website that uses HTTPS has
https://.
 HTTP and HTTPs differences
 HTTP (Hypertext Transfer Protocol), is a
protocol which is used for transferring data
over a network.
 Most information that is sent over the Internet,
including website content and API calls, uses
the HTTP protocol.
 There are two main kinds of HTTP messages:
requests and responses.
 HTTP and HTTPs differences
HTTP request and HTTP response
 HTTP requests are generated by a user's
browser as the user interacts with web
properties.
 For example, if a user clicks on a hyperlink, the
browser will send a series of "HTTP GET"
requests for the content that appears on that
page.
 These HTTP requests all go to either an origin
server or a proxy caching server, and that server
will generate an HTTP response.
 HTTP responses are answers to HTTP requests.
 HTTP and HTTPs differences
A typical HTTP request
 An HTTP request is just a series of lines of
text that follow the HTTP protocol. A GET
request might look like this:
GET /hello.txt HTTP/1.1
User-Agent: curl/7.63.0 libcurl/7.63.0
OpenSSL/1.1.l zlib/1.2.11
Host: www.example.com
Accept-Language: en
 HTTP and HTTPs differences
 This section of text, generated by the user's
browser, gets sent across the Internet.
 Problem: In plaintext that anyone monitoring
the connection can read.
 This is especially an issue when users
submit sensitive data via a website or a web
application.
 This could be a password, a credit card
number, or any other data entered into a
form, and in HTTP all this data is sent in
plaintext for anyone to read.
 HTTP and HTTPs differences
 When a user submits a form, the browser
translates this into an HTTP POST request
instead of an HTTP GET request.
 When an origin server receives an HTTP
request, it sends an HTTP response, which is
similar:
HTTP/1.1 200 OK
Date: Wed, 30 Jan 2019 12:14:39 GMT
Server: Apache
Last-Modified: Mon, 28 Jan 2019 11:17:01 GMT
Accept-Ranges: bytes
Content-Length: 12
Vary: Accept-Encoding
Content-Type: text/plain
Hello World!
 HTTP and HTTPs differences
 If a website uses HTTP instead of HTTPS, all
requests and responses can be read by anyone
who is monitoring the session.
 Essentially, a malicious actor can just read the
text in the request or the response and know
exactly what information someone is asking for,
sending, or receiving.
HTTPS
 The S in HTTPS stands for "secure."
 HTTPS uses TLS (or SSL) to encrypt HTTP
requests and responses,
 HTTP and HTTPs differences

 So in the example above, instead of the

text, an attacker would see a bunch of
seemingly random characters.
 Instead of:
 GET /hello.txt HTTP/1.1
 User-Agent: curl/7.63.0 libcurl/7.63.0 OpenSSL/1.1.l zlib/1.2.11
 Host: www.example.com
 Accept-Language: en

 The attacker sees something like:

 t8Fw6T8UV81pQfyhDkhebbz7+oiwldr1j2gHBB3L3RFTRsQCpaSnSBZ78Vme+DpDVJPvZ
dZUZHpzbbcqmSW1+3xXGsERHg9YDmpYk0VVDiRvw1H5miNieJeJ/FNUjgH0BmVRWII6
+T4MnDwmCMZUI/orxP3HGwYCSIvyzS3MpmmSe4iaWKCOHQ==
 HTTP and HTTPs differences
 In HTTPS, how does TLS/SSL encrypt HTTP
requests and responses.
 TLS uses a technology called public key
encryption: there are two keys, a public key
and a private key, and the public key is shared
with client devices via the server's SSL
certificate.
 When a client opens a connection with a
server, the two devices use the public and
private key to agree on new keys, called
session keys, to encrypt further
communications between them.
 HTTP and HTTPs differences
 All HTTP requests and responses are then encrypted
with these session keys, so that anyone who
intercepts communications can only see a random
string of characters, not the plaintext.
How does HTTPS help authenticate web servers?
 In HTTP, there is no verification of identity-it's based
on a principle of trust.
 The architects of HTTP did not have priorities for
security. But on the modern Internet, authentication is
essential.
 Just like an ID card confirms a person's identity, a
private key confirms server identity.
 How does HTTPS help authenticate
web servers?
 When a client opens a channel with an origin
server (e.g. when a user navigates to a website),
possession of the private key that matches with the
public key in a website's SSL certificate proves
that the server is actually the legitimate host of the
website.
 This prevents or helps block a number of attacks
for example, man-in-the-middle attacks, DNS
hijacking, BGP hijacking.
 References
 HTTPs information available at:
https://www.cloudflare.com/learning/ssl/why-
is-http-not-secure/
 Cryptography and Network Security:
Principles and Practice text book by William
Stallings