Certificates and Web of Trust

  • 1,438 views
Uploaded on

IT Security and Privacy, PGP, Web of trust, MD5, Certificates

IT Security and Privacy, PGP, Web of trust, MD5, Certificates

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,438
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
3
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • The Secure Sockets Layer (SSL) is a security protocol used by Web browsers and Web servers to help users protect their data during transfer. An SSL Certificate contains a public and private key pair as well as verified identification information. When a browser (or client) points to a secured domain, the server shares the public key with the client to establish an encryption method and a unique session key. The client confirms that it recognizes and trusts the issuer of the SSL Certificate. This process is known as the "SSL handshake" and it can begin a secure session that protects message privacy and message integrity.

Transcript

  • 1. Certificates and Web of Trust Yousof Alsatom [email_address] Slide
  • 2. Agenda
    • SSL Certification
      • What is SSL & How it works
      • Certificates Authorities
      • Root Anchors
    • Problems with this hierarchical approach of trust management
    • Possible Alternatives to SSL,
      • PGP
        • Web of Trust
      • Perspective
      • Convergence
    Slide
  • 3. History and Definitions
    • http://www.youtube.com/watch?v=zPqtx1J6udc
    • SSL is an acronym for Secure Sockets Layer
    • Standard security technology developed by Netscape in 1994.
    • It creates an encrypted link between a web server and a web browser.
    • The SSL protocol is used by millions of e-Business providers to protect their customers ensuring their online transactions remain confidential.
    Slide Source
  • 4. What is SSL & How it works
    • SSL Certificate contains a public and private key pair as well as verified identification information.
      • When a browser (or client) points to a secured domain
      • The server shares the public key with the client to establish an encryption method and a unique session key.
      • The client confirms that it recognizes and trusts the issuer of the SSL Certificate.
      • This process is known as the "SSL handshake" and it can begin a secure session that protects message privacy and message integrity.
    Slide
  • 5. Certificate Authority (CA)
    • CA, issues and manages security credentials and public keys for message encryption
    Slide
  • 6. Root Anchors
    • CA’s market share declined year-over-year, February Netcraft Survey shows Symantec’s overall unit market share grew to 42.1 percent
    • Symantec has agreed to acquire VeriSign's Identity and Authentication business for an aggregate purchase price of $1.28 billion
    Slide
  • 7. Obtaining certificates
    • User generates private key
    • User creates a Certificate Signing Request (CSR) containing
      • user identity
      • domain name
      • public key
    • CA processes the CSR
      • validates user identity
      • validates domain ownership
      • signs and returns the certificate
    • User installs private key and certificate on a web server
    Slide
  • 8. Is SSL enough ? Slide
  • 9. SSL Attack
      • SSL can fail in many ways, but there are 3 principal attacks:
      • Passive MITM
        • Session hijacking
      • Active MITM
        • Rogue certificates
        • SSL bypass
        • User attacks (Who read warning anyway)
      • Third-party compromise
      • more : visit https://www.sllabs.com
    Slide
  • 10. SSL Threat Model (SSLLabs Amsterdam, 2011 ) Slide
  • 11. CA & MD5 hash function Slide Normal
  • 12. CA & MD5 hash function Slide Attack Then a website certificate (the red one in the diagram) bearing the genuine website's identity but another public key is created and signed by the rogue CA. A copy of the genuine website is built, put on another web server, and equipped with the rogue website certificate. A rogue CA certificate is constructed (the black one in the diagram). It bears exactly the same signature as the website certificate. Thus it appears as being issued by the CA, whereas in fact the CA has never even seen it. The user will not mention this because there is a problem in the MD5 hash function
  • 13. Man In The Middle (MITM) attacks
    • Gmail service in Iran, August 2011
    • The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).
    • Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate.
    Slide
  • 14. State of Art for protection, (SSLLabs Amsterdam, 2011 )
    • Use an extended validation (EV) certificate (difficult to forge)
    • Configure your SSL server properly:
      • Good key size and coverage of desired domain names
      • Good protocols and 128-bit forward-secrecy cipher suites
      • Patches and workarounds applied
    • Redirect all port 80 traffic to port 443
    • Use HTTP Strict Transport Security
    • Forces all traffic over SSL, even with HTTP links
    • Can include subdomains to address cookie issues
    Slide
  • 15. What is the alternatives? Slide
  • 16. First solution Slide
  • 17. Before we start
    • Why I Wrote PGP
      • "Whatever you do will be insignificant, but it is very important that you do it.”
    • Mahatma Gandhi.
    Slide Phil Zimmermann
  • 18. Pretty Good Privacy
    • Pretty Good Privacy (PGP)
    • Data encryption and decryption computer program
    • Provides cryptographic privacy and authentication for Data communication.
    • PGP is often used for
      • Signing
      • Encrypting and decrypting texts, E-mails, files directories and whole disk partitions to increase the security of e-mail communications.
    Slide
  • 19. How PGP works - Encryption
    • PGP creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type.
    Slide
  • 20. How PGP works - Decryption
    • Decryption works in the reverse.
    • The recipient's copy of PGP uses his or her private key to recover the temporary session key
    Slide
  • 21. Web of Trust
    • The user decide whom trust and whom not.
    • It is thus a cumulative trust model
    • hen any user signs another's key, he or she becomes an introducer of that key. As this process goes on, it establishes a web of trust.
    Slide Primary Key infrastructure Vs. Web of Trust, Walking the Web of Trust, Germano Caronni, Sun Microsystems Laboratories, IEEE 2000
  • 22. Other alternatives
    • Convergence
      • “ is something we would add in Chrome.” Moxie Marlinspike
      • Convergence allows you to choose who you want to trust, rather than having someone else's decision forced on you. You can revise your trust decisions at any time, so that you're not locked in to trusting anyone for longer than you want.
    Slide
  • 23. Other alternatives, Perspectives
    • Computer Science Department at Carnegie Mellon University
      • Funded by
        • The National Science Foundation (NSF)
        • Carnegie Mellon CyLab
      • Perspectives keeps a record of the keys used by a service over time, then the client can see there is a change in the certificates
      • One use of Perspectives is to provide an additional layer of protection to detect attacks even when the browser trusts the CA that signed the certificate.
    Slide Wendlandt David G. Andersen Adrian Perrig, Carnegie Mellon University MD5 and Perspectives, 01.01.2009
  • 24. Conclusion
    • Centralized trust model
      • Public key infrastructure (PKI) which is relay on CA
    • Decentralized trust model (better)
      • PGP
        • WOT
    • One hand doesn’t clap
    • Install WOT and Perspective in your browser
    Slide
  • 25. References
    • Ivan Ristic, Michael Small. A Study of What Really Breaks SSL, HITB Amsterdam 2011
    • Browser Interfaces and Extended Validation SSL Certificates: An Empirical Study, ISBN: 978-1-60558-784-4, 2009
    • Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing, Dan Wendlandt David G. Andersen Adrian Perrig, Carnegie Mellon University
    • MD5 and Perspectives, 01.01.2009
    • Walking the Web of Trust, Germano Caronni, Sun Microsystems Laboratories, IEEE 2000
    • http://www.techthefuture.com/technology/certificate-authority-system-insecure-firefox-add-on-offers-alternative/
    • http://www.verisign.com/ssl/index.html?tid=gnps
    • http://info.ssl.com/article.aspx?id=10241
    • http://en.wikipedia.org/wiki/Secure_Sockets_Layer
    • http://en.wikipedia.org/wiki/Certificate_authority
    • https://ssl.trustwave.com/support/support-how-ssl-works.php
    • http://en.wikipedia.org/wiki/Pretty_Good_Privacy
    • http://www.pgpi.org/doc/pgpintro/
    • http://www.whichssl.com/what_is_ssl.html
    • http://www.symantec.com/about/news/release/article.jsp?prid=20110301_02
    • http://perspectives-project.org/faq /
    • http://searchsecurity.techtarget.com/definition/certificate-authority
    • Very interesting video, Speaker: MOXIE MARLINSPIKE, 2011 : http://www.youtube.com/watch?feature=player_embedded&v=Z7Wl2FW2TcA# !
    Slide
  • 26. Demo
    • WOT
    • Perspective
    • Convegerence
    Slide