• Like

Secure Communication: Usability and Necessity of SSL/TLS

  • 524 views
Uploaded on

Network-related applications and devices often use secure communication. Although keeping network communications safe should be a top priority to all developers and engineers, it often gets left …

Network-related applications and devices often use secure communication. Although keeping network communications safe should be a top priority to all developers and engineers, it often gets left behind due to lack of understanding, insufficient funding, or looming deadlines.

Securing a project with SSL shouldn?t have to include a steep learning curve, deep pockets, or an unlimited time frame. By learning a few basics of how things work, where the technology is best used, and what features to look for when trying to choose the right SSL implementation, a developer or engineer can easily, simply, and quickly secure their project - putting both themselves and their employer?s minds at ease.

This presentation will introduce SSL - including why secure communication is important, introductory details about SSL, x509, and the underlying cryptography. It will give an overview of where SSL is used today - including Home Energy, Gaming, Databases, Sensors, VoIP, and more. A description of important items to look for when trying to choose an SSL implementation will give developers and engineers a solid foundation to begin securing their projects with SSL and will enable them to have more informed discussions with potential vendors.

Learn more at www.yassl.com.

More in: Technology , Education
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
524
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
10
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Secure Communication USABILITY AND NECESSITY OF SSL / TLSSlide 1 / 33 © Copyright 2012 yaSSL
  • 2. We’re going to talk about: 1.  Why is this important? 2.  What is SSL? 3.  Where is SSL being used? 4.  Features: What to look for in an SSL library?Slide 2 / 33 © Copyright 2012 yaSSL
  • 3. Why is This Important? •  Number  of  connected  devices  is  ever  increasing   •  Frequent  Road-­‐blocks:   –  Lack  of  understanding   –  Insufficient  funding   –  Tight  deadlines    Slide 3 / 33 © Copyright 2012 yaSSL
  • 4. Why is This Important? Ivan  Ris)c:  Internet  SSL  Survey  2010   hDp://www.ssllabs.com     Alexa  Top  1M   Use  SSL  –  12%     •  Alexa  Top  1M  Sites      120,000  Use  SSL  (12%)          Slide 4 / 33 © Copyright 2012 yaSSL
  • 5. What is SSL? X509, Encryption, handshakes, and more.Slide 5 / 33 © Copyright 2012 yaSSL
  • 6. What is SSL? •  Enables  secure  client  /  server  communicaSon,  providing:     Privacy                  +  Prevent  eavesdropping     Authen)ca)on              +  Prevent  impersonaSon     Integrity                +  Prevent  modificaSon      Slide 6 / 33 © Copyright 2012 yaSSL
  • 7. Where does SSL fit? •  Layered  between  Transport  and  Applica)on  layers   Protocols Secured by SSL/TLS SSL SSL Change SSL Alert LDAP, Handshake Cipher Spec HTTP Protocol etc. SMTP, Protocol Protocol HTTP etc. SSL Record Layer Application Layer TCP Transport Layer IP Internet Layer Network Access Network LayerSlide 7 / 33 © Copyright 2012 yaSSL
  • 8. SSL: Authentication •  Do  you  really  know  who  you’re  communicaSng  with?   ? ? Alice   Bob  Slide 8 / 33 © Copyright 2012 yaSSL
  • 9. SSL: Authentication •  Generate  a  key  pair  (private  and  public  key)   Private   Public   Public   Private   Alice   Bob  Slide 9 / 33 © Copyright 2012 yaSSL
  • 10. SSL: Authentication •  X.509  CerSficate  ==  Wrapper  around  public  key   X509 X509 Private   Cert Public   Public   Cert Private   Alice   Bob  Slide 10 / 33 © Copyright 2012 yaSSL
  • 11. SSL: X.509 Certificates X509 -----BEGIN CERTIFICATE-----! Cert MIIEmDCCA4CgAwIBAgIJAIdKdb6RZtg9MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD! VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwG! A1UEChMFeWFTU0wxFDASBgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cu! eWFzc2wuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0xMTEw! MjQxODIxNTVaFw0xNDA3MjAxODIxNTVaMIGOMQswCQYDVQQGEwJVUzEPMA0GA1UE! CBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFTU0wxFDAS! BgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJ! KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP! ADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Quml7xsNE! ntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvk! NPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+! v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOwzu8Zza7/! eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOw! Y7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOB9jCB8zAdBgNVHQ4EFgQU! M9hFZtdohxh+VA1wJ5HHJteFZcAwgcMGA1UdIwSBuzCBuIAUM9hFZtdohxh+VA1w! J5HHJteFZcChgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24x! ETAPBgNVBAcTCFBvcnRsYW5kMQ4wDAYDVQQKEwV5YVNTTDEUMBIGA1UECxMLUHJv! Z3JhbW1pbmcxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEW! DmluZm9AeWFzc2wuY29tggkAh0p1vpFm2D0wDAYDVR0TBAUwAwEB/zANBgkqhkiG! 9w0BAQUFAAOCAQEAHHxCgSmeIc/Q2MFUb8yuFAk4/2iYmpVTdhh75jB27CgNdafe! 4M2O1VUjakcrTo38fQaj2A+tXtYEyQAz+3cn07UDs3shdDELSq8tGrOTjszzXz2Q! P8zjVRmRe3gkLkoJuxhOYS2cxgqgNJGIcGs7SEe8eZSioE0yR1TCo9wu0lFMKTkR! /+IVXliXNvbpBgaGDo2dlQNysosZfOkUbqGIc2hYbXFewtXTE9Jf3uoDvuIAQOXO! /eaSMVfD67tmrMsvGvrgYqJH9JNDKktsXgov+efmSmOGsKwqoeu0W2fNMuS2EUua! cmYNokp2j/4ivIP927fVqe4FybFxfhsr4eOvwA==! -----END CERTIFICATE-----!Slide 11 / 33 © Copyright 2012 yaSSL
  • 12. SSL: X.509 Certificates Certificate:! X509 Data:! Cert Version: 3 (0x2)! Serial Number:! 87:4a:75:be:91:66:d8:3d! Signature Algorithm: sha1WithRSAEncryption! Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/ emailAddress=info@yassl.com! Validity! Not Before: Oct 24 18:21:55 2011 GMT! Not After : Jul 20 18:21:55 2014 GMT! Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/ emailAddress=info@yassl.com! Subject Public Key Info:! Public Key Algorithm: rsaEncryption! Public-Key: (2048 bit)! Modulus: 00:c3:03:d1:2b:fe:39:a4 …! ! ! Exponent: 65537 (0x10001)! X509v3 extensions:! X509v3 Subject Key Identifier: ! 33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0! X509v3 Authority Key Identifier: ! keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0! DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL/OU=Programming/CN=www.yassl.com/ emailAddress=info@yassl.com! serial:87:4A:75:BE:91:66:D8:3D! ! X509v3 Basic Constraints: ! CA:TRUE! Signature Algorithm: sha1WithRSAEncryption! … 1c:7c:42:81:29:9e:21:cf:d0:d8!Slide 12 / 33 © Copyright 2012 yaSSL
  • 13. SSL: Authentication •  Alice  and  Bob  exchange  CA-­‐signed  public  keys   X509 X509 Private   Cert CA Public   Public   Cert CA Private   Alice   Bob  Slide 13 / 33 © Copyright 2012 yaSSL
  • 14. SSL: Authentication •  How  do  you  get  a  CA-­‐signed  cert?   Buy   Create     VeriSign, DigiCert, Comodo, etc. Created yourself (self-sign) -  Costs $$$ -  Free! -  Trusted -  Trusted (if you control both sides)Slide 14 / 33 © Copyright 2012 yaSSL
  • 15. SSL: Encryption •  Uses  a  variety  of  encrypSon  algorithms  to  secure  data   Hashing  Func)ons   MD4, MD5, SHA … Block  and  Stream  Ciphers   DES, 3DES, AES, ARC4 … Public  Key  Op)ons   RSA, DSS … CIPHER  SUITE  Slide 15 / 33 © Copyright 2012 yaSSL
  • 16. SSL: Encryption •  A  common  CIPHER  SUITE  is  negoSated   Protocol_keyexchange_WITH_bulkencrypSon_mode_messageauth   SSL_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHASlide 16 / 33 © Copyright 2012 yaSSL
  • 17. SSL: Handshake Client Server 1 Client Hello Cryptographic Info (SSL version, supported ciphers, etc.) 2 3 Server Hello Cipher Suite Verify server cert, Server Certificate check crypto Server Key Exchange (public key) parameters ( Client Certificate Request ) Server Hello Done 4 Client Key Exchange 5 ( Certificate Verify ) Verify client cert ( Client Certificate ) (if required) 6 Change Cipher Spec Client Finished 7 Change Cipher Spec Server Finished 8 Exchange Messages (Encrypted)Slide 17 / 33 © Copyright 2012 yaSSL
  • 18. Where is SSL used? Everywhere!Slide 18 / 39 © Copyright 2012 yaSSL
  • 19. SSL: Where is it used? •  Energy  Monitoring   •  Gaming   •  Databases   •  Sensors   •  VoIP   •  M2M  communicaSon   •  And  much  more...    Slide 19 / 33 © Copyright 2012 yaSSL
  • 20. What to look for? When shopping for an SSL stack.Slide 20 / 33 © Copyright 2012 yaSSL
  • 21. 1: Protocols •  Support  for  current  protocols?   1995   SSL  2.0   Notes:   1996   SSL  3.0         •  SSL  2.0  is  insecure   1999   TLS  1.0   •  SSL  =  “Secure  Sockets  Layer”   2006   TLS  1.1   DTLS  1.0   •  TLS  =  “Transport  Layer  Security”   2008   TLS  1.2   •  DTLS  =  “Datagram  TLS”       2012   DTLS  1.2  Slide 21 / 33 © Copyright 2012 yaSSL
  • 22. 2: Ciphers •  Support  for  needed  cipher  suites?   Public  Key   Block  /  Stream   Hash   RSA,  DSS,  DH,   DES,  3DES,   MD2,  MD4,   NTRU   AES,  ARC4,   MD5,   …   RABBIT,   SHA-­‐128,   HC-­‐128   SHA-­‐256,   …   RIPEMD   …   Ex:   TLS_RSA_WITH_AES_128_CBC_SHASlide 22 / 33 © Copyright 2012 yaSSL
  • 23. 3: Memory Usage •  ROM  /  RAM  usage   1400   160   150   1,200   1200   140   120   1000   100   800   ROM  (kB)   RAM  (kB)   80   600   60   400   40   200   20   30   3   0   0  Slide 23 / 33 © Copyright 2012 yaSSL
  • 24. 4: Simple to Use •  Learning  curve?   •  Myth:  EncrypSon  is  too  hard  to  use.  Slide 24 / 33 © Copyright 2012 yaSSL
  • 25. 5: Portability •  OS  support  out-­‐of-­‐the-­‐box?   •  Customizable?  Slide 25 / 33 © Copyright 2012 yaSSL
  • 26. 6: Hardware Acceleration •  Support  for  hardware  acceleraSon?   •  Assembly  code  opSmizaSons  Slide 26 / 33 © Copyright 2012 yaSSL
  • 27. 7: License •  Flexible  license  model?   •  Does  it  meet  your  license  needs?   GPLv2  /  Commercial   Commercial   MIT   GPL   Proprietary   BSD   LGPL  Slide 27 / 33 © Copyright 2012 yaSSL
  • 28. 8: Maturity •  Track  record?   •  Code  origin?   •  AcSvely  developed?  Slide 28 / 33 © Copyright 2012 yaSSL
  • 29. 9: Compatibility •  Is  interoperability  tesSng  being  conducted?   •  What  browsers  is  the  library  acSvely  tested  against?  Slide 29 / 33 © Copyright 2012 yaSSL
  • 30. 10: Crypto Access •  Direct  access  to  crypto?     Many  reasons:   -­‐  Direct  encrypSon   -­‐  Code  Signing   -­‐  Verifying  hashes,  etc.  Slide 30 / 33 © Copyright 2012 yaSSL
  • 31. 11: Support •  What  happens  if:     –  Something  goes  wrong   –  You  can’t  get  it  to  work  on  your  system   –  New  vulnerability  comes  out   –  You  need  a  new  cipher/feature   •  Is  there  support  available  to  help  you  out?  Slide 31 / 33 © Copyright 2012 yaSSL
  • 32. SSL: Shopping List 1.  Protocols   2.  Ciphers   3.  Memory  Usage   4.  Simple  to  Use   5.  Portability   6.  Hardware  AcceleraSon   7.  License   8.  Maturity   9.  CompaSbility   10.  Crypto  Access   11.  Support  Slide 32 / 33 © Copyright 2012 yaSSL
  • 33. Thanks! www.yassl.com chris@yassl.com info@yassl.comSlide 33 / 33 © Copyright 2012 yaSSL