Secure socket layer (SlideShare slide deck by Emprovise, 26 slides)
The primary goal of SSL is to provide privacy and data integrity between two communicating applications over the network.
The SSL or TLS protocol is layered on top of a reliable transport layer protocol such as TCP.
TLS is defined in RFC 2246, 4346 and 5246 (TLS 1.0, 1.1 and 1.2 respectively).
SSL is application-protocol independent, so higher level protocols can layer on top of it.
SSL/TLS does not specify how the higher level protocols add security with TLS.
SSL 1.0: developed by Netscape in early 1994; never released publicly.
SSL 2.0: published by Netscape in early 1995; contained a number of security flaws.
SSL 3.0: designed to cover the previous flaws; released in 1996.
TLS 1.0: Internet standard based on SSL 3.0, January 1999; not interoperable with SSL 3.0 (an implementation can back down to SSL 3.0).
Goals of the TLS protocol:
Cryptographic security: provides a secure connection.
Interoperability: enables applications to use TLS independently of their implementation.
Extensibility: provides a framework to incorporate new encryption methods.
Relative efficiency: incorporates an optional session caching scheme to reduce the number of connections that need to be established.
TLS allows peers to agree upon security parameters, authenticate themselves and report errors to each other.
TLS takes messages to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, and transmits the result.
Received data is decrypted, verified, decompressed and reassembled, then delivered to higher level clients.
TLS Record Protocol: provides a secure connection with two properties, a private connection and a reliable connection; encapsulates various higher level protocols such as the TLS Handshake Protocol.
TLS Handshake Protocol: allows server and client to authenticate each other and to negotiate keys and cryptographic algorithms before any data is transmitted by the application protocol.
Connection is private: symmetric encryption such as DES or RC4 is used; keys are generated uniquely for each connection, based on a secret negotiated by the TLS Handshake Protocol; the Record Protocol can also be used without encryption.
Connection is reliable: message transport includes a message integrity check using a keyed MAC (Message Authentication Code); a secure hash function (e.g. SHA, MD5) is used for the MAC computations; the Record Protocol can also operate without a MAC.
The peer's identity can be authenticated using asymmetric (public key) cryptography, e.g. RSA or DSS; this authentication is optional, but required for at least one peer.
The negotiation of the shared secret is secure: the negotiated secret is unavailable to eavesdroppers.
The negotiation is reliable: no attacker can modify the negotiation communication without being detected by the parties.
Most of the operations in the TLS record and handshake layers require a keyed MAC: a secure digest of the data that is protected by a secret.
TLS uses HMAC in the handshake with the hash algorithms MD5 and SHA-1.
The data expansion function is defined as
P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
                       HMAC_hash(secret, A(2) + seed) +
                       HMAC_hash(secret, A(3) + seed) + ...
where + denotes concatenation, A(0) = seed and A(i) = HMAC_hash(secret, A(i-1)).
P_hash is iterated as many times as necessary to produce the required quantity of data.
This construction is required to expand secrets into blocks of data for the purposes of key generation or validation.
The PRF takes as input a secret, a seed and an identifying label, and produces an output of arbitrary length.
The PRF is secured by using at least two hash algorithms: TLS's PRF is created by splitting the secret into two halves (S1 and S2) and using one half to generate data with MD5 and the other half to generate data with SHA-1, then exclusive-or'ing the outputs of these two expansion functions together:
PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)
The Record Layer receives uninterpreted data from higher layers and fragments the information blocks into TLSPlaintext records carrying the data in chunks.
Records are compressed using the compression algorithm defined in the current session state.
The encryption and MAC functions translate a compressed record into a TLSCiphertext record; stream ciphers convert compressed fragments into ciphertext fragment structures.
The MAC is computed before encryption.
[Figure: record-layer pipeline. The application data stream (Message) is split into Record Protocol units (Frag1, Frag2, Frag3), each is compressed into a Compressed unit (Com1, Com2, Com3), a MAC is attached, each unit is encrypted (Encrypt1, Encrypt2, Encrypt3), and the Encrypted units are carried in TCP packets.]
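An added Python example (not code from the slides) of the record-layer pipeline described above: application data is fragmented into records of at most 2^14 bytes, a keyed MAC covering the 64-bit sequence number, content type, version and length is computed before the encryption step (omitted here, i.e. a null cipher and null compression), and the reader verifies every record in order, so a modified, replayed or reordered record is rejected with bad_record_mac and an oversized record with record_overflow. The MAC input layout and the length bounds follow RFC 2246; the key and sample data are constructed.

```python
import hashlib
import hmac
import struct

MAX_PLAINTEXT = 2 ** 14           # TLSPlaintext.fragment limit
MAX_CIPHERTEXT = 2 ** 14 + 2048   # anything larger triggers record_overflow
APPLICATION_DATA = 23             # ContentType.application_data
TLS_1_0 = (3, 1)                  # ProtocolVersion {major, minor}


def record_mac(mac_secret, seq_num, content_type, version, fragment, hash_name="sha1"):
    """TLS 1.0 record MAC (RFC 2246 section 6.2.3.1):
    HMAC_hash(MAC_write_secret, seq_num + type + version + length + fragment).
    The 64-bit sequence number ties each record to its position in the stream."""
    header = struct.pack("!QBBBH", seq_num, content_type, version[0], version[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, getattr(hashlib, hash_name)).digest()


def fragment_data(data, max_len=MAX_PLAINTEXT):
    """Split uninterpreted higher-layer data into TLSPlaintext-sized chunks."""
    return [data[i:i + max_len] for i in range(0, len(data), max_len)]


class RecordWriter:
    """Write side: fragment, (null) compress, MAC, then serialise each record.
    A real connection would encrypt fragment + MAC before writing; that step is omitted."""

    def __init__(self, mac_secret):
        self.mac_secret = mac_secret
        self.seq_num = 0  # write sequence number; reset to 0 when a new write state becomes current

    def send(self, data, content_type=APPLICATION_DATA):
        records = b""
        for frag in fragment_data(data):
            mac = record_mac(self.mac_secret, self.seq_num, content_type, TLS_1_0, frag)
            body = frag + mac  # MAC appended to the fragment before the (omitted) encryption
            records += struct.pack("!BBBH", content_type, *TLS_1_0, len(body)) + body
            self.seq_num += 1
        return records


class RecordReader:
    """Read side: parse headers, enforce the length bound, verify the MAC with the
    expected sequence number, and reassemble the fragments in order."""

    def __init__(self, mac_secret, mac_len=20):
        self.mac_secret = mac_secret
        self.mac_len = mac_len      # 20 bytes for SHA-1
        self.seq_num = 0            # read sequence number

    def receive(self, stream):
        """Return the reassembled data, or raise ValueError named after the alert TLS would send."""
        out, pos = b"", 0
        while pos < len(stream):
            if len(stream) - pos < 5:
                raise ValueError("decode_error")
            content_type, major, minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
            if length > MAX_CIPHERTEXT:
                raise ValueError("record_overflow")
            body = stream[pos + 5:pos + 5 + length]
            if len(body) != length:
                raise ValueError("decode_error")
            frag, mac = body[:-self.mac_len], body[-self.mac_len:]
            expected = record_mac(self.mac_secret, self.seq_num, content_type, (major, minor), frag)
            if not hmac.compare_digest(mac, expected):
                raise ValueError("bad_record_mac")  # modified, replayed or reordered record
            out += frag
            self.seq_num += 1
            pos += 5 + length
        return out


if __name__ == "__main__":
    key = b"\x11" * 20  # constructed MAC secret; in TLS it comes from the key block
    writer, reader = RecordWriter(key), RecordReader(key)
    stream = writer.send(b"A" * (2 ** 14 + 10))  # spans two records
    print("records verified, bytes delivered:", len(reader.receive(stream)))
```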
The Record Protocol requires an algorithm to generate keys, IVs and MAC secrets from the security parameters provided by the Handshake Protocol.
The master secret is hashed into a sequence of secure bytes, which are assigned to the MAC secrets, keys and non-export IVs required by the current connection state.
When generating keys and MAC secrets, the master secret is used as an entropy source, and the random values provide unencrypted salt material and IVs for exportable ciphers.
The TLS Record Protocol operates using connection states.
A connection state specifies the compression, bulk encryption and MAC algorithms with their parameters, the MAC secret, the bulk encryption keys and the IVs for the connection, in both the read and write directions.
There are four connection states: the current read and write states and the pending read and write states. Records are always processed in the current read and write states.
The TLS Handshake Protocol sets the security parameters for the pending states and selectively makes a pending state the current state.
The handshaking layer consists of a suite of three sub-protocols: the Handshake Protocol, the Alert Protocol and the Change Cipher Spec Protocol.
They are used to allow peers to agree upon security parameters for the record layer, authenticate themselves, instantiate the negotiated security parameters, and report errors to each other.
The Handshake Protocol is responsible for negotiating a session; many connections can be instantiated using the same session through the resumption feature of TLS.
Change Cipher Spec Protocol: used to signal transitions in ciphering strategies; such transition signals can be sent by both the client and the server.
On receipt of the signal, the receiver instructs the Record Layer to immediately copy the read pending state into the read current state.
After sending the signal, the sender instructs the Record Layer to make the write pending state the write active state.
Alert Protocol: supported by the TLS Record Layer; used to convey alert messages carrying the severity of the message and a description of the alert. Like other records, alert messages are compressed and encrypted.
Closing alerts: client and server must share knowledge that the connection is ending, to avoid a truncation attack; either party may initiate the close by sending a close_notify alert.
Error alerts: on detecting an error, the detecting party informs the other party about the error using an error alert.
Alert                     Level           Description
bad_record_mac            Fatal           incorrect MAC
decryption_failed         Fatal           ciphertext could not be decrypted in a valid way
record_overflow           Fatal           record length more than 2^14+2048 bytes
decompression_failure     Fatal           improper input to the decompression function
handshake_failure         Fatal           unable to negotiate acceptable security parameters
bad_certificate /         Fatal/Warning   certificate corrupt / of unsupported type
unsupported_certificate
illegal_parameter         Fatal           a field in the handshake was out of range
access_denied             Fatal           sender decided not to proceed with negotiation
decode_error              Fatal           message could not be decoded (incorrect length)
decrypt_error             Fatal/Warning   handshake cryptographic operation failed
export_restriction        Fatal           negotiation not in compliance with export restrictions
insufficient_security     Fatal           server requires more secure ciphers than the client offers
internal_error            Fatal           internal error unrelated to peer or protocol
no_renegotiation          Warning         renegotiation is not possible
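An added Python example, not part of the slides, of how a receiver interprets the alerts above: it decodes the two-byte level/description message, marks the session as non-resumable after a fatal alert, and treats a transport close that was not preceded by close_notify as a truncation rather than a clean end of the connection. The description codes are the RFC 2246 values; the session id used in the demo is a constructed placeholder.

```python
import struct

WARNING, FATAL = 1, 2  # AlertLevel

# AlertDescription codes from RFC 2246 section 7.2.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 60: "export_restriction", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}


def parse_alert(body):
    """An Alert message is exactly two bytes: AlertLevel then AlertDescription."""
    if len(body) != 2:
        raise ValueError("decode_error")
    level, desc = struct.unpack("!BB", body)
    if level not in (WARNING, FATAL):
        raise ValueError("illegal_parameter")
    return level, ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc)


class AlertTracker:
    """Tracks what the peer's alerts mean for this connection and for its session."""

    def __init__(self, session_id):
        self.session_id = session_id
        self.resumable = True    # a fatal alert invalidates the session id for resumption
        self.peer_closed = False  # set only by close_notify
        self.closed = False

    def on_alert(self, body):
        level, desc = parse_alert(body)
        if desc == "close_notify":
            self.peer_closed = True   # orderly close: no more data will follow
            self.closed = True
        elif level == FATAL:
            self.closed = True        # connection terminates immediately
            self.resumable = False    # no new connection may resume this session
        # warnings other than close_notify leave the connection open
        return level, desc

    def on_transport_eof(self):
        """Called when TCP closes. Without a prior close_notify the data stream may have
        been cut short by a third party, so it must not be treated as a complete message."""
        self.closed = True
        if not self.peer_closed:
            raise ConnectionError("truncated: transport closed without close_notify")
        return True


if __name__ == "__main__":
    tracker = AlertTracker(session_id=b"constructed-session-id")
    print(tracker.on_alert(b"\x01\x00"))  # (1, 'close_notify')
    print(tracker.on_transport_eof())     # True: clean close
```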
Handshake Protocol: operates on top of the TLS Record Layer and produces the cryptographic parameters of the session state.
Handshake messages are supplied to the TLS Record Layer, where they are processed and transmitted according to the current active session state.
A HelloRequest message can be sent at any time and is not bound by the ordering rules, but it should be ignored by the client when it is in the middle of a handshake.
Handshake messages are intended to have transmission precedence over application data.
Steps of the handshake:
Exchange hello messages to agree on algorithms, exchange random values, and check for session resumption.
Exchange the necessary cryptographic parameters to allow the client and server to agree on a premaster secret.
Exchange certificates and cryptographic information to allow the client and server to authenticate themselves.
Generate a master secret from the premaster secret and the exchanged random values.
Provide the security parameters to the record layer.
Allow the client and server to verify that their peer has calculated the same security parameters and that the handshake occurred without tampering by an attacker.
[Figure: full handshake between SSL client and SSL server]

ClientHello carries: Session ID, Random Data, Cipher Suite List, Compression Algo List, Version List.
ServerHello carries: Selected Cipher Suite, Selected Comp Algo, Selected Version; the server then sends its X509 Certificate and Cryptographic Info.
The client later supplies its own X509 Certificate (if requested) and the Premaster secret.

SSL Client                                        SSL Server
  ClientHello                        -------->
  ("Algorithms I support, my random number")
                                     <--------   ServerHello ("Use these algorithms,
                                                 my random number, my digital certificate")
                                     <--------   Certificate
                                     <--------   ServerKeyExchange
                                     <--------   CertificateRequest
                                     <--------   ServerHelloDone
  Verify certificate and extract
  server's public key; encrypt the
  pre-master secret with the
  server's public key
  Certificate                        -------->
  ClientKeyExchange                  -------->   Decrypt pre-master secret with
                                                 server's private key
  CertificateVerify                  -------->
  Compute secret key                             Compute secret key
  [ChangeCipherSpec]                 -------->
  Finished (checksum of handshake    -------->   Compare checksum on server side
  messages using secret key)
                                     <--------   [ChangeCipherSpec]
  Compare checksum on client side    <--------   Finished (checksum of handshake
                                                 messages using secret key)
  Application Data                   <------->   Application Data

[Figure: abbreviated handshake when resuming an existing session]

SSL Client                                        SSL Server
  ClientHello                        -------->
                                     <--------   ServerHello
                                     <--------   [ChangeCipherSpec]
                                     <--------   Finished
  [ChangeCipherSpec]                 -------->
  Finished                           -------->
  Application Data                   <------->   Application Data
OpenSSL: open-source implementation of the SSL and TLS protocols and of basic cryptographic functions.
Provides a generic TLS/SSL server and client implementation.
Used to create, sign, verify and check certificates.
Create a self-signed certificate using either of the following commands:
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mykey.pem -out mycert.pem
openssl req -new -x509 -extensions v3_ca -keyout mykey.pem -out mycert.pem -days 365 -config ./openssl.cnf
Verify the certificate created:
openssl verify mycert.pem
Display the X509 certificate:
openssl x509 -in mycert.pem -text -noout
Check a Certificate Signing Request (CSR):
openssl req -text -noout -verify -in CSR.csr
Check a private key:
openssl rsa -in privateKey.key -check
Launch a secure server using the specified certificate:
openssl s_server -accept 4433 -cert mycert.pem -key mykey.pem -www -state -debug
Launch a secure client using SSL/TLS to connect:
openssl s_client -connect localhost:4433
Secure socket layer

More Related Content

What's hot

Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer SecurityHuda Seyam
 
Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Vishal Kumar
 
Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)Sandeep Gupta
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets LayerNascenia IT
 
secure socket layer
secure socket layersecure socket layer
secure socket layerAmar Shah
 
How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?Microsoft
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006Nate Lawson
 
TLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkTLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkNisheed KM
 
TLS - Transport Layer Security
TLS - Transport Layer SecurityTLS - Transport Layer Security
TLS - Transport Layer SecurityByronKimani
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYMonodip Singha Roy
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesJaroslavChmurny
 

What's hot (20)

Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 
ssl
sslssl
ssl
 
Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2
 
Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets Layer
 
secure socket layer
secure socket layersecure socket layer
secure socket layer
 
How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
 
TLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkTLS/SSL Internet Security Talk
TLS/SSL Internet Security Talk
 
Ip Sec Rev1
Ip Sec Rev1Ip Sec Rev1
Ip Sec Rev1
 
SSL intro
SSL introSSL intro
SSL intro
 
Ssl and tls
Ssl and tlsSsl and tls
Ssl and tls
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
Transport Layer Security
Transport Layer Security Transport Layer Security
Transport Layer Security
 
TLS - Transport Layer Security
TLS - Transport Layer SecurityTLS - Transport Layer Security
TLS - Transport Layer Security
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
 

Similar to Secure socket layer (20)

Transport layer security.ppt
Transport layer security.pptTransport layer security.ppt
Transport layer security.ppt
 
What is TLS/SSL?
What is TLS/SSL? What is TLS/SSL?
What is TLS/SSL?
 
Sequere socket Layer
Sequere socket LayerSequere socket Layer
Sequere socket Layer
 
Unit 6
Unit 6Unit 6
Unit 6
 
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.pptWEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
 
VULNERABILITIES OF THE SSL/TLS PROTOCOL
VULNERABILITIES OF THE SSL/TLS PROTOCOLVULNERABILITIES OF THE SSL/TLS PROTOCOL
VULNERABILITIES OF THE SSL/TLS PROTOCOL
 
Vulnerabilities of the SSL/TLS Protocol
Vulnerabilities of the SSL/TLS ProtocolVulnerabilities of the SSL/TLS Protocol
Vulnerabilities of the SSL/TLS Protocol
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4
 
Web Security
Web SecurityWeb Security
Web Security
 
Internet security protocol
Internet security protocolInternet security protocol
Internet security protocol
 
Web Security
Web SecurityWeb Security
Web Security
 
Web Security
Web SecurityWeb Security
Web Security
 
Network Security- Secure Socket Layer
Network Security- Secure Socket LayerNetwork Security- Secure Socket Layer
Network Security- Secure Socket Layer
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
 
Module 2.pdf
Module 2.pdfModule 2.pdf
Module 2.pdf
 
Module 2.Cryptography and Cryptanalysis
Module 2.Cryptography and CryptanalysisModule 2.Cryptography and Cryptanalysis
Module 2.Cryptography and Cryptanalysis
 
Transportsec
TransportsecTransportsec
Transportsec
 
SSL
SSLSSL
SSL
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 

More from Emprovise

Highlights of AWS ReInvent 2023 (Announcements and Best Practices)
Highlights of AWS ReInvent 2023 (Announcements and Best Practices)Highlights of AWS ReInvent 2023 (Announcements and Best Practices)
Highlights of AWS ReInvent 2023 (Announcements and Best Practices)Emprovise
 
Leadership and Success Lessons for Life/Business
Leadership and Success Lessons for Life/BusinessLeadership and Success Lessons for Life/Business
Leadership and Success Lessons for Life/BusinessEmprovise
 
Effective java
Effective javaEffective java
Effective javaEmprovise
 
EJB3 Advance Features
EJB3 Advance FeaturesEJB3 Advance Features
EJB3 Advance FeaturesEmprovise
 
Enterprise Java Beans 3 - Business Logic
Enterprise Java Beans 3 - Business LogicEnterprise Java Beans 3 - Business Logic
Enterprise Java Beans 3 - Business LogicEmprovise
 
RESTful WebServices
RESTful WebServicesRESTful WebServices
RESTful WebServicesEmprovise
 
J2EE Patterns
J2EE PatternsJ2EE Patterns
J2EE PatternsEmprovise
 
Spring Web Services
Spring Web ServicesSpring Web Services
Spring Web ServicesEmprovise
 
Spring Web Webflow
Spring Web WebflowSpring Web Webflow
Spring Web WebflowEmprovise
 
Spring Web Views
Spring Web ViewsSpring Web Views
Spring Web ViewsEmprovise
 
Enterprise Spring
Enterprise SpringEnterprise Spring
Enterprise SpringEmprovise
 
Spring Basics
Spring BasicsSpring Basics
Spring BasicsEmprovise
 
Apache Struts 2 Advance
Apache Struts 2 AdvanceApache Struts 2 Advance
Apache Struts 2 AdvanceEmprovise
 
Apache Struts 2 Framework
Apache Struts 2 FrameworkApache Struts 2 Framework
Apache Struts 2 FrameworkEmprovise
 
Java Servlets
Java ServletsJava Servlets
Java ServletsEmprovise
 
Java Advance Concepts
Java Advance ConceptsJava Advance Concepts
Java Advance ConceptsEmprovise
 

More from Emprovise (20)

Highlights of AWS ReInvent 2023 (Announcements and Best Practices)
Highlights of AWS ReInvent 2023 (Announcements and Best Practices)Highlights of AWS ReInvent 2023 (Announcements and Best Practices)
Highlights of AWS ReInvent 2023 (Announcements and Best Practices)
 
Leadership and Success Lessons for Life/Business
Leadership and Success Lessons for Life/BusinessLeadership and Success Lessons for Life/Business
Leadership and Success Lessons for Life/Business
 
Effective java
Effective javaEffective java
Effective java
 
EJB3 Advance Features
EJB3 Advance FeaturesEJB3 Advance Features
EJB3 Advance Features
 
Enterprise Java Beans 3 - Business Logic
Enterprise Java Beans 3 - Business LogicEnterprise Java Beans 3 - Business Logic
Enterprise Java Beans 3 - Business Logic
 
EJB3 Basics
EJB3 BasicsEJB3 Basics
EJB3 Basics
 
RESTful WebServices
RESTful WebServicesRESTful WebServices
RESTful WebServices
 
J2EE Patterns
J2EE PatternsJ2EE Patterns
J2EE Patterns
 
Spring JMS
Spring JMSSpring JMS
Spring JMS
 
JMS
JMSJMS
JMS
 
Spring Web Services
Spring Web ServicesSpring Web Services
Spring Web Services
 
Spring Web Webflow
Spring Web WebflowSpring Web Webflow
Spring Web Webflow
 
Spring Web Views
Spring Web ViewsSpring Web Views
Spring Web Views
 
Spring MVC
Spring MVCSpring MVC
Spring MVC
 
Enterprise Spring
Enterprise SpringEnterprise Spring
Enterprise Spring
 
Spring Basics
Spring BasicsSpring Basics
Spring Basics
 
Apache Struts 2 Advance
Apache Struts 2 AdvanceApache Struts 2 Advance
Apache Struts 2 Advance
 
Apache Struts 2 Framework
Apache Struts 2 FrameworkApache Struts 2 Framework
Apache Struts 2 Framework
 
Java Servlets
Java ServletsJava Servlets
Java Servlets
 
Java Advance Concepts
Java Advance ConceptsJava Advance Concepts
Java Advance Concepts
 

Recently uploaded

Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfYashikaSharma391629
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 

Recently uploaded (20)

Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 

Secure socket layer

  • 1.
  • 2. The primary goal of SSL is to provide privacy and data integrity between two communicating applications over the network The SSL or TLS protocol is layered on top of reliable transport layer protocols such as TCP TLS is defined in RFC 2246, 4346, 5246 SSL is application protocol independent such that higher level protocols can layer on top of it SSL/TLS does not specify how the higher level protocols add security with TLS
  • 3. SSL 1.0 Developed by Netscape in early 1994 Never released publicly SSL 2.0 Published by Netscape in early 1995 Contained number of security flaws SSL 3.0 Designed to cover previous flaws, released 1996 TLS 1.0 Internet standard based on SSL 3.0, January 1999 Not interoperable with SSL 3.0 (can back down to SSL)
  • 4. Cryptographic security: provides secure connection Interoperability: enables applications to utilize TLS, independent of their implementation Extensibility: provides a framework to incorporate new encryption methods Relative Efficiency: incorporate an optional session caching scheme to reduce the number of connections that need to be established
  • 5. TLS allow peers to agree upon security parameters, authenticate themselves and report errors to each other. TLS takes messages to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, and transmits the result. Received data is decrypted, verified, decompressed, and reassembled, then delivered to higher level clients.
  • 6. TLS Record Protocol provides secure connection using properties such as private and reliable connection encapsulates various high level protocols such as TLS Handshake Protocol TLS Handshake Protocol allows Server-Client to authenticate each other and negotiate keys and cryptographic algorithms before data is transmitted by application protocol
  • 7. Connection is Private symmetric encryption such as DES or RC4 is used keys generated uniquely for each connection based on secret negotiated by TLS Handshake Protocol can be used without encryption Connection is reliable Message transport includes a message integrity check using a keyed MAC (Message Auth Code) Secure hash function (e.g. SHA, MD5, etc) used for MAC computations can operate without a MAC
  • 8. Peer's identity can be authenticated using asymmetric, or public key cryptography e.g. RSA, DSS (optional but required for at least a single peer) negotiation of a shared secret is secure and unavailable to eavesdroppers negotiation is reliable with no modification in its communication without being detected
  • 9. Most operations in the TLS record and handshake layers require a keyed MAC
    a secure digest of data, protected by a secret
    TLS uses HMAC to carry out the handshake, with the hash algorithms MD5 and SHA-1
    Data expansion function, defined as
    P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) + HMAC_hash(secret, A(2) + seed) + HMAC_hash(secret, A(3) + seed) + ...
    iterated to produce the required quantity of data
  • 10. A construction required to expand secrets into blocks of data for the purposes of key generation or validation
    takes as input a secret, a seed, and an identifying label, and produces an output of arbitrary length
    the PRF is secured by using at least two hash algorithms
    TLS's PRF is created by splitting the secret into two halves and using one half to generate data with MD5 and the other half to generate data with SHA-1, then exclusive-or'ing the outputs of these two expansion functions together
    PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)
  • 11. Receives uninterpreted data from higher layers and fragments the information blocks into TLSPlaintext records carrying the data in chunks
    records are compressed using the compression algorithm defined in the current session state
    the encryption and MAC functions translate a compressed record into a TLSCiphertext
    stream ciphers convert compressed fragments into ciphertext fragment structures
    the MAC is computed before encryption
  • 12. [Diagram: record layer processing of a message]
    Application data stream -> Record Protocol units (Frag1, Frag2, Frag3) -> Compressed units (Com1, Com2, Com3) -> MAC -> Encrypted units (Encrypt1, Encrypt2, Encrypt3) -> TCP packet
  • 13. The Record Protocol requires an algorithm to generate keys, IVs, and MAC secrets from the security parameters provided by the handshake protocol
    the master secret is hashed into a sequence of secure bytes, which are assigned to the MAC secrets, keys, and non-export IVs required by the current connection state
    when generating keys and MAC secrets, the master secret is used as an entropy source, and random values provide unencrypted salt material and IVs for exportable ciphers
  • 14. The TLS Record Protocol operates using connection states
    a connection state specifies the compression, bulk encryption and MAC algorithms with their parameters, the MAC secret, the bulk encryption keys and the IVs for the connection, in both the read and write directions
    there are 4 connection states (current read and write states, and pending read and write states)
    records are processed in the current read and write states
    the TLS Handshake Protocol can set the security parameters for the pending states and can selectively change a pending state into the current state
  • 15. Consists of a suite of three sub-protocols: the Handshake Protocol, the Alert Protocol and the Change Cipher Spec Protocol
    used to allow peers to agree upon security parameters for the record layer, authenticate themselves, instantiate the negotiated security parameters, and report errors to each other
    responsible for negotiating a session
    many connections can be instantiated using the same session through the resumption feature of TLS
  • 16. Used to signal transitions in ciphering strategies
    such transition signals can be sent by both the client and the server
    on receipt of the signal, the receiver instructs the Record Layer to immediately copy the read pending state into the read current state
    after sending the signal, the sender instructs the Record Layer to make the write pending state the write active state
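The record layer, its four connection states and the Change Cipher Spec transition described in slides 11, 14 and 16 can be modelled in a few dozen lines. The following is an added example written for this page, not code from the slides or from any TLS library. It assumes a NULL-cipher, HMAC-SHA1 connection state (encryption omitted so the MAC step stays visible), constructed MAC secrets in place of handshake-derived ones, and the TLS 1.0 MAC input from RFC 2246 section 6.2.3.1: sequence number, content type, version, length and fragment. A record whose MAC does not verify raises bad_record_mac, the alert TLS defines for that case; because the sequence number is implicit, the same check also rejects a replayed record.

```python
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Record-layer content types and the TLS 1.0 version field (RFC 2246, section 6.2.1).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
TLS_1_0 = (3, 1)
MAC_LEN = 20          # HMAC-SHA1 output size
MAX_FRAGMENT = 2 ** 14

# Constructed per-direction MAC secrets standing in for handshake-derived key material.
CLIENT_WRITE_MAC_SECRET = b"constructed-client-write-mac"
SERVER_WRITE_MAC_SECRET = b"constructed-server-write-mac"


class AlertError(Exception):
    """Raised where a real implementation would send the named fatal alert."""


@dataclass
class ConnectionState:
    """One direction (read or write) of a connection: the negotiated MAC secret and the
    64-bit sequence number every MAC covers. mac_secret=None is the initial NULL state."""
    mac_secret: Optional[bytes] = None
    seq_num: int = 0


def record_mac(mac_secret: bytes, seq_num: int, ctype: int, fragment: bytes) -> bytes:
    """HMAC-SHA1 over seq_num || type || version || length || fragment (RFC 2246, 6.2.3.1).
    The sequence number is never transmitted, so a replayed or reordered record fails."""
    header = struct.pack("!QBBBH", seq_num, ctype, TLS_1_0[0], TLS_1_0[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, "sha1").digest()


class RecordLayer:
    """The four connection states of one endpoint: current and pending, read and write."""

    def __init__(self) -> None:
        self.current_read = ConnectionState()
        self.current_write = ConnectionState()
        self.pending_read: Optional[ConnectionState] = None
        self.pending_write: Optional[ConnectionState] = None

    def set_pending(self, read_mac_secret: bytes, write_mac_secret: bytes) -> None:
        """The handshake layer fills the pending states; records in flight are unaffected."""
        self.pending_read = ConnectionState(read_mac_secret)
        self.pending_write = ConnectionState(write_mac_secret)

    def send_change_cipher_spec(self) -> bytes:
        """The CCS record goes out under the old write state; then pending write becomes current."""
        rec = self.protect(CHANGE_CIPHER_SPEC, b"\x01")
        self.current_write, self.pending_write = self.pending_write, None
        return rec

    def receive_change_cipher_spec(self, rec: bytes) -> None:
        """On receipt, the pending read state is copied into the current read state."""
        ctype, body = self.unprotect(rec)
        if ctype != CHANGE_CIPHER_SPEC or body != b"\x01":
            raise AlertError("unexpected_message")
        self.current_read, self.pending_read = self.pending_read, None

    def protect(self, ctype: int, fragment: bytes) -> bytes:
        """Header || fragment || MAC. The MAC is computed before encryption (omitted here)."""
        if len(fragment) > MAX_FRAGMENT:
            raise AlertError("record_overflow")
        st = self.current_write
        mac = b"" if st.mac_secret is None else record_mac(st.mac_secret, st.seq_num, ctype, fragment)
        st.seq_num += 1
        body = fragment + mac
        return struct.pack("!BBBH", ctype, TLS_1_0[0], TLS_1_0[1], len(body)) + body

    def unprotect(self, rec: bytes) -> Tuple[int, bytes]:
        """Parse and verify a record in the current read state; bad_record_mac on any mismatch."""
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", rec[:5])
        body = rec[5:5 + length]
        if (vmaj, vmin) != TLS_1_0 or len(body) != length:
            raise AlertError("decode_error")
        st = self.current_read
        if st.mac_secret is None:
            fragment = body
        else:
            fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
            if not hmac.compare_digest(mac, record_mac(st.mac_secret, st.seq_num, ctype, fragment)):
                raise AlertError("bad_record_mac")
        st.seq_num += 1
        return ctype, fragment


def alert_for(layer: RecordLayer, rec: bytes) -> Optional[str]:
    """Name of the alert a record provokes on this endpoint, or None when it verifies."""
    try:
        layer.unprotect(rec)
        return None
    except AlertError as e:
        return str(e)


def run_exchange() -> dict:
    """Constructed client->server walk-through across the Change Cipher Spec transition."""
    client, server = RecordLayer(), RecordLayer()
    client.set_pending(read_mac_secret=SERVER_WRITE_MAC_SECRET, write_mac_secret=CLIENT_WRITE_MAC_SECRET)
    server.set_pending(read_mac_secret=CLIENT_WRITE_MAC_SECRET, write_mac_secret=SERVER_WRITE_MAC_SECRET)
    hello = b"ClientHello (constructed)"
    hs = client.protect(HANDSHAKE, hello)             # initial NULL state: no MAC appended
    server.unprotect(hs)
    server.receive_change_cipher_spec(client.send_change_cipher_spec())
    rec = client.protect(APPLICATION_DATA, b"GET / HTTP/1.0\r\n")
    _, delivered = server.unprotect(rec)
    rec2 = client.protect(APPLICATION_DATA, b"amount=10")
    tampered = rec2[:5] + bytes([rec2[5] ^ 0x01]) + rec2[6:]   # flip one bit of the fragment
    tampered_alert = alert_for(server, tampered)
    _, genuine = server.unprotect(rec2)                          # untouched record still verifies
    replay_alert = alert_for(server, rec)                        # same bytes again: seq_num moved on
    return {"no_mac_before_ccs": len(hs) == 5 + len(hello), "record_len": len(rec),
            "delivered": delivered, "tampered_alert": tampered_alert,
            "genuine_after_tamper": genuine, "replay_alert": replay_alert}
```

Running `run_exchange()` shows the handshake record leaving with no MAC, the application record growing by the 20-byte MAC once the client's pending write state is current, and both a one-bit modification and a replay of an already-accepted record being rejected with bad_record_mac while the genuine next record is still accepted.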
  • 17. Supported by the TLS Record Layer
    used to convey alert messages with the severity of the message and a description of the alert
    alert messages are encrypted and compressed
    Closing alerts
    client and server must share knowledge that the connection is ending, to avoid truncation attacks
    either party may initiate the close by sending a close_notify alert
    Error alerts
    on error detection, the detecting party informs the other party about the error using an error alert
  • 18. Alerts
    Alert                   Level     Description
    bad_record_mac          Fatal     incorrect MAC
    decryption_failed       Fatal     ciphertext decrypted in an invalid way
    record_overflow         Fatal     record length more than 2^14+2048 bytes
    decompression_failure   Fatal     improper input to decompression function
    handshake_failure       Fatal     unable to negotiate acceptable security params
    bad/unsupported_certi   Fatal/W   certificate of corrupt/unsupported type
    illegal_parameter       Fatal     field in handshake was out of range
    access_denied           Fatal     sender decided not to proceed with negotiation
    decode_error            Fatal     message could not be decoded (incorrect length)
    decrypt_error           Fatal/W   handshake cryptographic operation failed
    export_restriction      Fatal     negotiation not compliant with export restrictions
    insufficient_security   Fatal     server requires more secure ciphers
    internal_error          Fatal     internal error unrelated to peer or protocol
    no_renegotiation        Warn      renegotiation is not possible
  • 19. Operates on top of the TLS Record Layer
    produces the cryptographic parameters of the session state
    handshake messages are supplied to the TLS Record Layer, where they are processed and transmitted according to the current active session state
    the Hello Request message can be sent at any time and is not bound by ordering rules, but it should be ignored by the client when it is in the middle of a handshake
    handshake messages are intended to have transmission precedence over application data
  • 20. Exchange hello messages to agree on algorithms, exchange random values, and check for session resumption
    Exchange cryptographic parameters to allow client and server to agree on a premaster secret
    Exchange certificates and cryptographic info to allow client and server to authenticate themselves
    Generate a master secret from the premaster secret and the exchanged random values
    Provide security parameters to the record layer
    Allow the client and server to verify that their peer has calculated the same security parameters and that the handshake occurred without tampering by an attacker
  • 21. [Diagram: full handshake between SSL Client and SSL Server]
    Client holds: Session ID, Random Data, Cipher Suite List, Compression Algo List, Version List, CL X509 Certificate, Premaster secret
    Server holds: Selected Cipher Suite, Selected Comp Algo, Selected Version, S X509 Certificate, Cryptographic Info
    Client -> Server: ClientHello
    Server -> Client: ServerHello, Certificate, ServerKeyExchange, CertificateRequest, ServerHelloDone
    Client -> Server: Certificate, ClientKeyExchange, CertificateVerify, [ChangeCipherSpec], Finished
    Server -> Client: [ChangeCipherSpec], Finished
    Client <-> Server: Application Data
  • 22. [Diagram: handshake steps, Client column and Server column]
    Client: Algorithms I support, my random number
    Server: Use these algorithms, my random number, my digital certificate
    Client: Verify certificate and extract server's public key; encrypt pre-master secret with server's public key
    Server: Decrypt pre-master secret with server's private key
    Client and Server: Compute secret key
    Client: Send checksum of handshake messages using secret key
    Server: Compare checksum on server side
    Server: Send checksum of handshake messages using secret key
    Client: Compare checksum on the client side
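The key-derivation chain that slides 9, 10, 13, 20 and 22 describe in words, carried through in code: the P_hash expansion, the split-secret MD5/SHA-1 PRF, the master secret from the premaster secret and both randoms, the key block cut into per-direction MAC secrets, keys and IVs, and the Finished "checksum of handshake messages" that each side recomputes. This is an added example written for this page, not code from the slides or from any TLS library; it follows the TLS 1.0 definitions in RFC 2246 section 5 and sections 6.3 and 7.4.9. The premaster secret, the randoms, the handshake transcript and the key sizes (20-byte MAC secrets, 24-byte keys and 8-byte IVs, as for a SHA-1/3DES-CBC suite) are constructed for the walk-through.

```python
import hashlib
import hmac
from math import ceil
from typing import Dict, Tuple

# Constructed inputs standing in for a real handshake (not real key material).
PRE_MASTER_SECRET = bytes([3, 1]) + bytes(46)   # RSA premaster layout: version || 46 bytes
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """Data expansion function of RFC 2246 section 5:
    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1)),
    P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) + HMAC_hash(secret, A(2) + seed) + ...
    iterated until `length` bytes are available, then truncated."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def split_secret(secret: bytes) -> Tuple[bytes, bytes]:
    """S1 = first ceil(L/2) bytes, S2 = last ceil(L/2) bytes; with odd L the middle byte is in both."""
    half = ceil(len(secret) / 2)
    return secret[:half], secret[len(secret) - half:]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", client_random + server_random)[0..47]"""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> Dict[str, bytes]:
    """key_block = PRF(master_secret, "key expansion", server_random + client_random), cut into
    six per-direction values in RFC order. The randoms are swapped relative to master_secret."""
    layout = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    block = prf(master, b"key expansion", server_random + client_random, sum(n for _, n in layout))
    keys, pos = {}, 0
    for name, n in layout:
        keys[name] = block[pos:pos + n]
        pos += n
    return keys


def finished_verify_data(master: bytes, handshake_messages: bytes, is_client: bool) -> bytes:
    """verify_data = PRF(master_secret, finished_label, MD5(messages) + SHA-1(messages))[0..11]"""
    label = b"client finished" if is_client else b"server finished"
    digests = hashlib.md5(handshake_messages).digest() + hashlib.sha1(handshake_messages).digest()
    return prf(master, label, digests, 12)


def derive_session() -> dict:
    """Master secret, key block, then the Finished check over a constructed transcript."""
    ms = master_secret(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    keys = key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, mac_len=20, key_len=24, iv_len=8)
    transcript = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"  # constructed
    client_fin = finished_verify_data(ms, transcript, is_client=True)
    # The server recomputes over the messages it saw; a transcript altered in transit will not match.
    server_view = finished_verify_data(ms, transcript, is_client=True)
    altered_view = finished_verify_data(ms, transcript.replace(b"ServerHello|", b"ServerHello'|"), is_client=True)
    return {"master_secret": ms, "keys": keys, "client_finished": client_fin,
            "finished_ok": hmac.compare_digest(client_fin, server_view),
            "tamper_detected": not hmac.compare_digest(client_fin, altered_view)}
```

Two details the slides gloss over are visible here: the master secret and the key block feed the two randoms to the PRF in opposite orders, and the client and server Finished labels differ, so neither side can reflect the other's verify_data back as its own.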
  • 23. [Diagram: abbreviated handshake (session resumption) between SSL Client and SSL Server]
    Client -> Server: ClientHello
    Server -> Client: ServerHello, [ChangeCipherSpec], Finished
    Client -> Server: [ChangeCipherSpec], Finished
    Client <-> Server: Application Data
  • 24. Open-source implementation of the SSL and TLS protocols and basic cryptographic functions
    Provides a generic TLS/SSL server and client implementation
    Used to create, sign, verify and check certificates
    Create a self-signed certificate using the following commands:
    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mykey.pem -out mycert.pem
    openssl req -new -x509 -extensions v3_ca -keyout mykey.pem -out mycert.pem -days 365 -config ./openssl.cnf
    Verify the certificate created:
    openssl verify mycert.pem
    Display the X509 certificate:
    openssl x509 -in mycert.pem -text -noout
  • 25. Check a Certificate Signing Request (CSR):
    openssl req -text -noout -verify -in CSR.csr
    Check a private key:
    openssl rsa -in privateKey.key -check
    Launch a secure server using the specified certificate:
    openssl s_server -accept 4433 -cert mycert.pem -key mykey.pem -www -state -debug
    Launch a secure client using SSL/TLS to connect:
    openssl s_client -connect localhost:4433

Editor's Notes

  1. The Session ID is transmitted without encryption or immediate MAC protection; the content of the handshake is protected by the Finished messages at the end
    When the server receives an incorrectly formatted RSA block, it generates a random 48-byte value and proceeds using it as the premaster secret
    Fatal error if a Finished message is not preceded by a Change Cipher Spec message
    Change Cipher Spec messages, alerts and any other record types are not handshake messages