Short Presentation (2 Hrs) on SSL and TLS Protocol and its reference standard. Good for intermediate participant or technical who want to understand secure protocol an
Key management: Introduction, How public key distribution done, Diffie Hellman Key Exchange Algorithm, Digital Certificate. Key Management using Digital certificate is done etc. Wireshark screenshot showing digital certificate.
It is an IETF standardization initiative whose goal is to come out with an Internet standard Version of SSL. The presentation discusses all. Happy Learning. :)
Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).
While computer systems today have some of the best security systems ever, they are more vulnerable than ever before.
This vulnerability stems from the world-wide access to computer systems via the Internet.
Computer and network security comes in many forms, including encryption algorithms, access to facilities, digital signatures, and using fingerprints and face scans as passwords.
Pretty Good Privacy,PGP Confidentiality and Authentication,Secure/Multipurpose Internet Mail Extension (S/MIME),Secure/Multipurpose Internet Mail Extension (S/MIME),Enhanced Security Services,E-mail Threats
This presentation will explain all about why and how email security should be implemented.
> Intro to Email Security
> CIA for Email Security
> Steps to secure mail
> PGP ( All 5 Services)
> S/MIME (With its functions)
It is a presentation on Email Security made to present in one of our PPT lectures during my second year of B.Tech.
Hello People.. Welcome to GURUKULA!!!
Have you ever thought that how the protocols that are required for the effective delivery of the messages from one place to another place take place in a real time internet..... This video explains about the concept called PROTOCOL LAYERING, where you can learn the way how the protocols are layered in such a way..
Simple examples are also used to make the concepts clean and clear.
This video will help you to learn:
What is protocol layering in networks, OSI Model in Computer Networks, Layers of OSI Model, OSI Model, OSI Internet Module, OSI Layers and their Functions, Examples of OSI Models, 7 layers of OSI Models, Principles of Protocol Layering, Why layering the Protocols,
Thanks for Watching, Keep Supporting and Keep Sharing...
Meeting the business and technical challenges of today's organizations requires an architectural approach. The Cisco Borderless Network Architecture is the technical architecture that allows organizations to connect anyone, anywhere, anytime, and on any device - securely, reliably, and seamlessly. It is built on an infrastructure of scalable and resilient hardware and software. Components of the architecture come together to build network systems that span your organization from network access to the cloud. Intelligent network, endpoint, and user services provide the flexibility, speed, and scale to support new devices, applications, and deployment models.
The impact of the consumerization of IT and mobility cannot be understated. The impact that these two key business elements have on the evolution of Enterprise Architecture and for Service Provider's ability to offer services to Enterprises, Governments, and Consumers will be addressed in this webinar. We will talk about the importance of the shift and movement of the secure network edge leads to a very close examination of the changing threat vectors and vulnerabilities impacting your businesses today. We will also detail service delivery and consumption on the three 'service horizons,' (Mobile Endpoint and CPE, Virtualized Network Edge/Data Center Edge, and the Cloud).
SSL & TLS Architecture short
1. SSL & TLS Architecture
By Avirot M. Liangsiri
Senior Technical Specialist
Professional Computer Co., Ltd.
2. Web Security Essential
• Web now widely used by business, government, individuals for multiple application
• But Internet & Web are vulnerable
• Have a variety of threats
– integrity
– confidentiality
– denial of service
– authentication
• Need added security mechanisms
3. Security Architecture
• ITU-T Recommendation X.805 Security architecture for systems providing end-to-end communications had been developed by ITU-T SG 17 (ITU-T Lead Study Group on Telecommunication Security) and was published in October 2003.
• The group has developed a set of the well-recognized Recommendations on security. Among them are X.800 Series of Recommendations on security and X.509 v3 - Public-key and Attribute Certificate Frameworks.
4. ITU-T X.800 Threat Model (simplified)
1 - Destruction (an attack on availability):
– Destruction of information and/or network resources
2 - Corruption (an attack on integrity):
– Unauthorized tampering with an asset
3 - Removal (an attack on availability):
– Theft, removal or loss of information and/or other resources
4 - Disclosure (an attack on confidentiality):
– Unauthorized access to an asset
5 - Interruption (an attack on availability):
– Interruption of services. Network becomes unavailable or unusable
5. ITU-T X.800 Eight Security Dimensions Address the Breadth of Network Vulnerabilities
• Access Control
– Limit & control access to network elements, services & applications
– Examples: password, ACL, firewall
• Authentication
– Provide Proof of Identity
– Examples: shared secret, PKI, digital signature, digital certificate
• Non-repudiation
– Prevent ability to deny that an activity on the network occurred
– Examples: system logs, digital signatures
• Data Confidentiality
– Ensure confidentiality of data
– Example: encryption
• Communication Security
– Ensure information only flows from source to destination
– Examples: VPN, MPLS, L2TP
• Data Integrity
– Ensure data is received as sent or retrieved as stored
– Examples: MD5, digital signature, anti-virus software
• Availability
– Ensure network elements, services and application available to legitimate users
– Examples: IDS/IPS, network redundancy, BC/DR
• Privacy
– Ensure identification and network use is kept private
– Examples: NAT, encryption
Eight Security Dimensions applied to each Security Perspective (layer and
6. ITU-T X.800 Three Security Layers
[Diagram: Infrastructure Security, Services Security and Applications Security layers; VULNERABILITIES, THREATS (Destruction, Corruption, Removal, Disclosure, Interruption) and ATTACKS; "Vulnerabilities Can Exist In Each Layer"]
1 - Infrastructure Security Layer:
• Fundamental building blocks of networks services and applications
• Examples:
– Individual routers, switches, servers
– Point-to-point WAN links
– Ethernet links
2 - Services Security Layer:
• Services Provided to End-Users
• Examples:
– Frame Relay, ATM, IP
– Cellular, Wi-Fi,
– VoIP, QoS, IM, Location services
– Toll free call services
3 - Applications Security Layer:
• Network-based applications accessed by end-users
• Examples:
– Web browsing
– Directory assistance
– Email
– E-commerce
• Each Security Layer has unique vulnerabilities, threats
• Infrastructure security enables services security enables applications security
8. SSL (Secure Socket Layer)
• transport layer security service
• originally developed by Netscape
• version 3 designed with public input
• subsequently became Internet standard known as TLS (Transport Layer Security)
• uses TCP to provide a reliable end-to-end service
• SSL has two layers of protocols
9. Where SSL Fits
HTTP SMTP POP3 HTTPS SSMTP SPOP3
80 25 110 443 465 995
Secure Sockets Layer
Transport
Network
Link
10. Uses Public Key Scheme
• Each client-server pair uses
• 2 public keys
• one for client (browser)
• created when browser is installed on client machine
• one for server (http server)
• created when server is installed on server hardware
• 2 private keys
• one for client browser
• one for server (http server)
12. SSL Architecture
• SSL session
• an association between client & server
• created by the Handshake Protocol
• define a set of cryptographic parameters
• may be shared by multiple SSL connections (by using same session symmetric key)
• SSL connection
• a transient, peer-to-peer, communications link
• associated with 1 SSL session
13. SSL Record Protocol
• confidentiality
• using symmetric encryption with a shared secret key defined by Handshake Protocol
• IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
• message is compressed before encryption
• message integrity
• using a MAC (Message Authentication Code) created using a shared secret key and a short message
14. SSL Alert Protocol
• conveys SSL-related alerts to peer entity
• severity
• warning or fatal
• specific alert
• unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
• close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
• compressed & encrypted like all SSL data
15. SSL Handshake Protocol
• allows server & client to:
• authenticate each other
• to negotiate encryption & MAC algorithms
• to negotiate cryptographic keys to be used
• comprises a series of messages in phases
• Establish Security Capabilities
• Server Authentication and Key Exchange
• Client Authentication and Key Exchange
• Finish
17. Changes from SSL 3.0 to TLS
• Fortezza removed
• Additional Alerts added
• Modification to hash calculations
• Protocol version 3.1 in ClientHello, ServerHello
18. TLS (Transport Layer Security)
• IETF standard RFC 2246 similar to SSLv3
• with minor differences
• in record format version number
• uses HMAC for MAC
• a pseudo-random function expands secrets
• has additional alert codes
• some changes in supported ciphers
• changes in certificate negotiations
• changes in use of padding
19. TLS: Key Exchange
• Need secure method to exchange secret key
• Use public key encryption for this
• “key pair” is used - either one can encrypt and then the other can decrypt
• slower than conventional cryptography
• share one key, keep the other private
• Choices are RSA or Diffie-Hellman
20. TLS: Integrity
• Compute fixed-length Message Authentication Code (MAC)
• Includes hash of message
• Includes a shared secret
• Include sequence number
• Transmit MAC with message
21. TLS: Integrity
• Receiver creates new MAC
• should match transmitted MAC
• TLS allows MD5, SHA-1
[Diagram: A sends Message and MAC; B receives Message’, computes MAC’ and checks MAC’ =? MAC]
22. TLS: Authentication
• Verify identities of participants
• Client authentication is optional
• Certificate is used to associate identity with public key and other attributes
[Diagram: A and B each present a Certificate]
23. TLS: Overview
• Establish a session
• Agree on algorithms
• Share secrets
• Perform authentication
• Transfer application data
• Ensure privacy and integrity
24. TLS: Architecture
• TLS defines Record Protocol to transfer application and TLS information
• A session is established using a Handshake Protocol
[Diagram: Handshake Protocol, Change Cipher Spec and Alert Protocol sit on top of the TLS Record Protocol]
26. TLS: Handshake
• Negotiate Cipher-Suite Algorithms
• Symmetric cipher to use
• Key exchange method
• Message digest function
• Establish and share master secret
• Optionally authenticate server and/or client
27. Handshake Phases
• Hello messages
• Certificate and Key Exchange messages
• Change CipherSpec and Finished messages
28. TLS: Hello
• Client “Hello” - initiates session
• Propose protocol version
• Propose cipher suite
• Server chooses protocol and suite
• Client may request use of cached session
• Server chooses whether to honor request
29. TLS: Key Exchange
• Server sends certificate containing public key (RSA) or Diffie-Hellman parameters
• Client sends encrypted “pre-master” secret to server using Client Key Exchange message
• Master secret calculated
• Use random values passed in Client and Server Hello messages
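How the master secret is calculated from the pre-master secret and the two Hello randoms, as an added example that is not part of the original slides. It implements the TLS 1.0 pseudo-random function of RFC 2246 (the "pseudo-random function expands secrets" item on slide 18); the input byte strings are constructed sample values.

```python
import hashlib
import hmac

def p_hash(hash_name, secret, seed, length):
    # P_hash: A(0) = seed, A(i) = HMAC(secret, A(i-1));
    # output is HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def prf(secret, label, seed, length):
    # Split the secret in two halves (sharing one byte if its length is odd),
    # expand one with MD5 and the other with SHA-1, then XOR the two streams.
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha_stream))

def master_secret(pre_master, client_random, server_random):
    # Always 48 bytes, whatever the key exchange method produced.
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master, client_random, server_random, length):
    # Note the seed order is reversed here: server random first.
    return prf(master, b"key expansion", server_random + client_random, length)

# Constructed sample inputs (not captured from a real handshake).
PRE = b"\x03\x01" + bytes(range(46))   # client version + 46 bytes, 48 in total
CR = bytes([0xC1]) * 32                # ClientHello.random
SR = bytes([0x5E]) * 32                # ServerHello.random

if __name__ == "__main__":
    ms = master_secret(PRE, CR, SR)
    print("master secret:", ms.hex())
    print("key block    :", key_block(ms, CR, SR, 104).hex())
```

Because both Hello randoms feed the derivation, a different random on either side yields different key material even when the same pre-master or master secret is reused.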
30. Public Key Certificates
• X.509 Certificate associates public key with identity
• Certification Authority (CA) creates certificate
• Adheres to policies and verifies identity
• Signs certificate
• User of Certificate must ensure it is valid
31. Validating a Certificate
• Must recognize accepted CA in certificate chain
• One CA may issue certificate for another CA
• Must verify that certificate has not been revoked
• CA publishes Certificate Revocation List (CRL)
32. X.509: Certificate Content
• Version
• Serial Number
• Signature Algorithm Identifier: Object Identifier (OID), e.g. id-dsa: {iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 1}
• Issuer (CA) X.500 name
• Validity Period (Start,End)
• Subject X.500 name
• Subject Public Key (Algorithm, Value)
• Issuer Unique Id (Version 2, 3)
• Subject Unique Id (Version 2, 3)
• Extensions (version 3), optional
• CA digital Signature
33. Subject Names
• X.500 Distinguished Name (DN)
• Associated with node in hierarchical directory (X.500)
• Each node has Relative Distinguished Name (RDN)
• Path for parent node
• Unique set of attribute/value pairs for this node
34. Example Subject Name
• Country at Highest Level (e.g. US)
• Organization typically at next level (e.g. CertCo)
• Individual below (e.g. Common Name “Elizabeth” with Id = 1)
DN = { C=US; O=CertCo; CN=Elizabeth, ID=1 }
35. Version 3 Certificates
• Version 3 X.509 Certificates support alternative name formats as extensions
• X.500 names
• Internet domain names
• e-mail addresses
• URLs
• Certificate may include more than one name
36. Certificate Signature
• RSA Signature
• Create hash of certificate
• Encrypt using CA’s private key
• Signature verification
• Decrypt using CA’s public key
• Verify hash
40. TLS: Change Cipher Spec, Finished
Client → Server: [ChangeCipherSpec], Finished
Server → Client: [ChangeCipherSpec], Finished
Client ↔ Server: Application Data
41. TLS: Change Cipher Spec/Finished
• Change Cipher Spec
• Announce switch to negotiated algorithms and values
• Finished
• Send copy of handshake using new session
• Permits validation of handshake
42. TLS: Using a Session
Client → Server: ClientHello (Session #)
Server → Client: ServerHello (Session #)
Server → Client: [ChangeCipherSpec], Finished
Client → Server: [ChangeCipherSpec], Finished
Client ↔ Server: Application Data
43. TLS: HTTP Application
• HTTP most common TLS application
• https://
• Requires TLS-capable web server
• Requires TLS-capable web browser
• Netscape Navigator
• Internet Explorer
• Cryptozilla
• Netscape Mozilla sources with SSLeay
44. X.509 Certificate Issues
• Certificate Administration is complex
• Hierarchy of Certification Authorities
• Mechanisms for requesting, issuing, revoking certificates
• X.500 names are complicated
• Description formats are cumbersome (ASN.1)
45. X.509 Alternative: SDSI
• SDSI: Simple Distributed Security Infrastructure (Rivest, Lampson)
• Merging with IETF SPKI: Simple Public-Key Infrastructure in SDSI 2.0
• Eliminate X.500 names - use DNS and text
• Everyone is their own CA
• Instead of ASN.1 use “S-expressions” and simple syntax
• Name and Authorization certificates
46. TLS “Alternatives”
• S-HTTP: secure HTTP protocol, shttp://
• IPSec: secure IP
• SET: Secure Electronic Transaction
• Protocol and infrastructure for bank card payments
• SASL: Simple Authentication and Security Layer (RFC 2222)
47. Summary
• SSL/TLS addresses the need for security in Internet communications
• Privacy - conventional encryption
• Integrity - Message Authentication Codes
• Authentication - X.509 certificates
• SSL in use today with web browsers and servers
• Equivalent to TLS
Editor's Notes
ITU-T X.800 Threat Model: Confidential Issue, Availability Issue, Integrity Issue.
SSL is probably the most widely used Web security mechanism. It's implemented at the Transport layer; cf. IPSec at the Network layer, or various Application-layer mechanisms, e.g. S/MIME & SET (later).
Stallings Fig 17-2.
SSL Record Protocol defines these two services for SSL connections.
Stallings Fig 17-6.
Hash includes Finished and CertificateVerify messages. Following client cert types removed: rsa_ephemeral_dh, dss_ephemeral_dh, fortezza_dms. SSL 2 -> SSL 3.0 major changes.
Secret is used so that someone cannot replace both message and MAC, putting a new matching MAC in place of the original
Operational and pending states
Currently no compression defined, but could be. Client boundaries are not preserved. 2^14 bytes or less in protocol unit. MAC: md5, sha-1, none. Encryption: des, 3des, des40, rc2, rc4, idea, none.
Encryption: des/3des/des40, rc2, rc4, idea, none. MAC: md5, sha1, none. Key exchange: rsa, dh.
Server “Hello Request”: ask client to restart. Hello includes some random data for creating the master secret.
Client generates 48-byte secret random #, encrypts using server’s public key, sends to server. If Diffie-Hellman: p, g.
PKCS standards from RSA for RSA certificates: PKCS #10 cert requests; PKCS #9 cert attributes; PKCS #7 cert chain format. application/x-pkcs7-mime used to load CA chain into browser.
Possible to have more than one DN for an entry
DSS digital signature standard also
Certificate specifies public key; must be appropriate for key exchange algorithm. Required for non-anonymous key exchange. Includes certificate chain: certs which verify previous ones in the chain. PKCS#7 is not used since defined in sets rather than sequences.
Certificate request is optional. Specifies list of acceptable certificate authorities. Specifies types of certificates requested (e.g. RSA, dh).
See next slide
Change Cipher Spec not part of handshake
Server can refuse to use session by not including session # in server hello. Keys for session are calculated fresh using shared master secret and new random numbers from Hello messages.
Mention different kinds of certificates: identity, encryption, etc.
S-HTTP: inter-operates with http; signature, authentication, encryption; public key key exchange, & externally arranged. Secure * Secure-HTTP/1.4: Request URI. Secure-HTTP/1.4 200 OK: response. Header lines convey information, e.g. Certificate-Info: has cert, Encryption-Identity: x500 name.
IPSec: RFC 1825-1829; required for IPv6, optional for IPv4; transport mode - protect contents of IP packet; tunnel mode - protect entire IP packet; encryption, MAC.
SASL: means to add authentication to connection-based protocol; variety of mechanisms: Kerberos V4, GSSAPI, “External”; allows separation of authorization identity from client identity in credentials; permits authenticated state in protocol.