SlideShare una empresa de Scribd logo

SECURE SOCKET LAYER ( WEB SECURITY )

Descargar como PPTX, PDF
M
Monodip Singha Roy

This slide is all about SSL and TSL with little descirption of WEB SECURITY

Tecnología
1 de 33
WEB SECURITY (SECURE SOCKET LAYER) MONODIP SINGHA ROY M.TECH Dr. B.C.ROY ENGINEERING COLLEGE 2
Contents  WEB SECURITY  WEB SECURITY TERMINOLOGY  SSL ( SECURE SOCKET LAYER )  SSL ARCHITECTURE  TLS ( TRANSPORT LAYER SECURITY )  PROS AND CONS OF SSL/TLS  SUMMARY 3
WEB SECURITY  Almost everything in today’s world relies on computer and internet. ◦ Communications (emails, phones) ◦ Transportation (car engine system, airplane navigation system) ◦ Medicine ( medical records, equipments) ◦ Shopping (online store, online payments) ◦ Entertainment (digital cables) 4
What is WEB SECURITY ?? Web security , also known as “cyber security “ involves protecting the information by protecting , preventing and responding to the attacks. 5
WEB SECURITY: TERMNOLOGY  HACKERS: People who strive to exploit weaknesses in software and computer for their own gain.  VIRUSES: Infects your computer before actually u can do something.  WORMS: Propagates without users intervention.  TROJAN: A software that claims to do something while in fact doing something in background. 6
WEB SECURITY: TERNINOLOGY  RANSOMWARE: ◦ A form of Trojan that has been since 1989, as known as ‘PC CYBORG’ Trojan. ◦ It affects the user computer by encrypting the user’s personal files. ◦ The victim then contacted and offered the decrypt key in exchange of cash. 7
WEB SECURITY: TERMINOLOGY  KEYLOGGERS: ◦ It is an software that monitor users activity such as key typed in keyboard. ◦ KeyLoggers can  Record keystrokes on keyboards.  Record mouse movement and clicks.  Record menus that are invoked.  Takes screenshot of the desktop at pre defined intervals. 8
Web Security  Web now widely used by business, government, individuals  but Internet & Web are vulnerable  have a variety of threats ◦ integrity ◦ confidentiality ◦ denial of service ◦ authentication  need added security mechanisms. 9
What is SSL?  SSL – Secure Socket Layer ƒit provides a secure transport connection between applications (e.g., a web server and a browser)  SSL was developed by Netscape  uses TCP to provide a reliable end-to-end service  SSL has two layers of protocols SSL v3.0 was specified in an Internet Draft (1996) ƒit evolved into RFC 246 and was renamed to TLS (Transport Layer Security)  TLS can be viewed as SSL v3.1 10
SSL Architecture 11
SSL Components SSL HANDSHAKE PROTOCOL SSL RECORD PROTOCOL SSL ALERT PROTOCOL SSL CHANGE CIPHER SPEC PROTOCOL • Negotiation of security algorithms and parameters. • Key exchange. • Server authentication and optionally client authentication. • Fragmentation. • Compression. • Encryption. • Message authentication and integrity protection. • Error message ( fatal alerts and warning ) • A single message that indicates the end of SSL handshake. 12
Sessions and Connections  An SSL session is a connection between client and server.  Sessions are stateful ; the session state includes security algorithm and parameters.  A session may include multiple secure connection between same server and client.  Connections of the same session share the session state.  Sessions are used to avoid expensive negotiation of new security parameters for each state. 13
Session States…  Session state ◦ Session identifier – arbitrary byte sequence chosen by the server to identify the session. ◦ Peer certificate – may be null. ◦ Compression method. ◦ Cipher Spec – bulk data encryption algorithm and MAC algorithm ( eg. DES, MD5 ). ◦ Master key – a 48 byte secret key is used in between client and server. ◦ Resumable – a flag indicating whether the session can be used to initiate new connections. 14
Connection States…  Connection State ◦ Server and client random – random byte sequence is chosen by the client and server for new connection. ◦ Server write MAC secret – secret key is used in MAC operations on data sent by the server. ◦ Client write MAC secret – secret key is used in MAC operations on data sent by the client. ◦ Server write key – secret encryption key for data, encrypted by the server. ◦ Client write key – secret encryption key for data, encrypted by the client. 15
How States changes??  Operating state: current using state  Pending state: state to be used  Operating state < Pending state: at the transmission and reception of change cipher spec message The sending part of the pending state is copied into the sending part of operating state The receiving part of the pending state is copied into the receiving part of operating stateParty A Party B Change Cipher Spec 16
 SSL session ◦ an association between client & server ◦ created by the Handshake Protocol ◦ define a set of cryptographic parameters ◦ may be shared by multiple SSL connections  SSL connection ◦ a transient, peer-to-peer, communications link ◦ associated with 1 SSL session 17
SSL Handshake Protocol  Handshake protocol is used to exchange all the information required by both sides for the exchange of actual application data by the TRANSPORT LAYER SECURITY 18
SSL Record Protocol  confidentiality ◦ using symmetric encryption with a shared secret key defined by Handshake Protocol ◦ IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 ◦ message is compressed before encryption  message integrity ◦ using a MAC with shared secret key ◦ similar to HMAC but with different padding 19
SSL Change Cipher Spec Protocol  one of 3 SSL specific protocols which use the SSL Record protocol  a single message  causes pending state to become current  hence updating the cipher suite in use. 20
SSL Alert Protocol  conveys SSL-related alerts to peer entity  severity  warning or fatal  specific alert  unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter  close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown  compressed & encrypted like all SSL data 21
What is TSL??  Internet Engineering Task Force standard RFC 2246 similar to SSLv3 with minor differences: ◦ In record format version number ◦ Uses HMAC for MAC ◦ Has optional alert code ◦ Some changes in supported ciphers ◦ Change in use of certificate negotiation ◦ Change in use of padding 22
Changes from SSLv3 to TLS…  Fortezza removed  Additional alerts added  Modification of hash calculation  Protocol version 3.1 in client hello, server hello 23
TLS : Privacy  Encrypt message so it cannot be read  Use conventional cryptography with shared key ◦ DES , 3DES ◦ RC2, RC4 ◦ IDEA A (Message) $@#&!@ B(Message) 24
TLS: Key Exchange  Need secure method to exchange key  Use public key encryption for this  Choices are RSA & Diffie-Hellman 25
TLS: Integrity  Compute fixed length message authentication code (MAC) ◦ Includes hash of message ◦ Includes a shared secret key ◦ Includes sequence number ◦ Transmit MAC with message 26
TLS : Authentication  Verify identities of participants  Client authentication is optional  Certificate is used to associate identity with public key and other attributes A B CERTIFICATES 27
TLS: HTTP Application  HTTP is most common TLS application https://  Requires TLS-capable web server  Requires TLS-capable web browser ◦ Netscape navigator ◦ Internet explorer ◦ Cryptozilla 28
Implementation of SSL/TLS  SSL & TLS have widely been implemented ◦ Open source software projects ( openSSL, NSS & GnuTLS) ◦ Microsoft windows : part of its secure channel ◦ Browsers  Apple safari  Internet explorer  Mozilla firefox 29
Pros & Cons of SSL/TLS  Pros : ◦ Customer will trust your website: many visitors are now savvy enough to recognize when a webpage is encrypted and protected by SSL. ◦ Avoid dispute due to credit/debit card frauds: visitors uses their credit/debit cards information's on unprotected servers and faces identity theft. 30
Cons ….  Cons : ◦ Regular renewal : just like website domain and hosting plan, SSL certificates also expires after short period of time ; usually one to five years. ◦ Complex installation : SSL is very difficult to install on websites for those who are unaware of website development. 31
Application of SSL/TLS  On top of the Transport layer protocols ◦ Primarily with TCP ◦ Datagram transport layer security (DTLS) for UDP  Encapsulating the applications protocols ◦ HTTP ◦ Securing WWW traffic ◦ FTP, SMTP, etc 32
SUMMARY  SSL/TLS address the need for security in internet communications ◦ Privacy – conventional encryption ◦ Integrity – message authentication codes ◦ Authentication – X.509  SSL in use today with web browsers and servers. 33
Thank You 34

Recomendados

Set Secure Electronic Transaction (SET)
Set Secure Electronic Transaction (SET)Set Secure Electronic Transaction (SET)
Set Secure Electronic Transaction (SET)
Suraj Dhalwar
 
Web Security and SSL - Secure Socket Layer
Web Security and SSL - Secure Socket LayerWeb Security and SSL - Secure Socket Layer
Web Security and SSL - Secure Socket Layer
Akhil Nadh PC
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
Naveen Kumar
 
SSL
SSLSSL
SSL
Badrul Alam bulon
 
Secure electronic transactions (SET)
Secure electronic transactions (SET)Secure electronic transactions (SET)
Secure electronic transactions (SET)
Omar Ghazi
 
Cryptographic algorithms
Cryptographic algorithmsCryptographic algorithms
Cryptographic algorithms
Anamika Singh
 
Presentation on IOT SECURITY
Presentation on IOT SECURITYPresentation on IOT SECURITY
Presentation on IOT SECURITY
The Avi Sharma
 
Wireless network ppt
Wireless network pptWireless network ppt
Wireless network ppt
Basil John
 

Recomendados

Set Secure Electronic Transaction (SET)
Set Secure Electronic Transaction (SET)Set Secure Electronic Transaction (SET)
Set Secure Electronic Transaction (SET)
Suraj Dhalwar
 
Web Security and SSL - Secure Socket Layer
Web Security and SSL - Secure Socket LayerWeb Security and SSL - Secure Socket Layer
Web Security and SSL - Secure Socket Layer
Akhil Nadh PC
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
Naveen Kumar
 
SSL
SSLSSL
SSL
Badrul Alam bulon
 
Secure electronic transactions (SET)
Secure electronic transactions (SET)Secure electronic transactions (SET)
Secure electronic transactions (SET)
Omar Ghazi
 
Cryptographic algorithms
Cryptographic algorithmsCryptographic algorithms
Cryptographic algorithms
Anamika Singh
 
Presentation on IOT SECURITY
Presentation on IOT SECURITYPresentation on IOT SECURITY
Presentation on IOT SECURITY
The Avi Sharma
 
Wireless network ppt
Wireless network pptWireless network ppt
Wireless network ppt
Basil John
 
Web Security
Web SecurityWeb Security
Web Security
Dr.Florence Dayana
 
Seminar Report on NFC
Seminar Report on NFCSeminar Report on NFC
Seminar Report on NFC
Touroxy
 
Ssl and tls
Ssl and tlsSsl and tls
Ssl and tls
Rana assad ali
 
Future of Wireless Technology
Future of Wireless TechnologyFuture of Wireless Technology
Future of Wireless Technology
Nisha Menon K
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
Pina Parmar
 
Wireless Application Protocol ppt
Wireless Application Protocol pptWireless Application Protocol ppt
Wireless Application Protocol ppt
go2project
 
Virtual keyboard seminar ppt
Virtual keyboard seminar pptVirtual keyboard seminar ppt
Virtual keyboard seminar ppt
Shruti Maheshwari
 
The 3-D Secure Protocol
The 3-D Secure ProtocolThe 3-D Secure Protocol
The 3-D Secure Protocol
Vlad Petre
 
A survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOTA survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOT
University of Ontario Institute of Technology (UOIT)
 
Digital certificates
Digital certificates Digital certificates
Digital certificates
Sheetal Verma
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction ppt
Subhash Gupta
 
Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)
Sandeep Gupta
 
Polyalphabetic Substitution Cipher
Polyalphabetic Substitution CipherPolyalphabetic Substitution Cipher
Polyalphabetic Substitution Cipher
SHUBHA CHATURVEDI
 
Generations of wireless technologies
Generations of wireless technologiesGenerations of wireless technologies
Generations of wireless technologies
saikiran harinarthini
 
Digital signature
Digital signatureDigital signature
Digital signature
Hossain Md Shakhawat
 
Secret key cryptography
Secret key cryptographySecret key cryptography
Secret key cryptography
Prabhat Goel
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
patisa
 
Kerberos
KerberosKerberos
Kerberos
Sutanu Paul
 
IOT gateways.pptx
IOT gateways.pptxIOT gateways.pptx
IOT gateways.pptx
Pratik Gohel
 
Internet Key Exchange Protocol
Internet Key Exchange ProtocolInternet Key Exchange Protocol
Internet Key Exchange Protocol
Prateek Singh Bapna
 
SSL
SSLSSL
SSL
theekuchi
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol Design
Nate Lawson
 

Más contenido relacionado

La actualidad más candente

Digital certificates
Digital certificates Digital certificates
Digital certificates
Sheetal Verma
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
patisa
 

La actualidad más candente (20)

Web Security
Web SecurityWeb Security
Web Security
 
Seminar Report on NFC
Seminar Report on NFCSeminar Report on NFC
Seminar Report on NFC
 
Ssl and tls
Ssl and tlsSsl and tls
Ssl and tls
 
Future of Wireless Technology
Future of Wireless TechnologyFuture of Wireless Technology
Future of Wireless Technology
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
Wireless Application Protocol ppt
Wireless Application Protocol pptWireless Application Protocol ppt
Wireless Application Protocol ppt
 
Virtual keyboard seminar ppt
Virtual keyboard seminar pptVirtual keyboard seminar ppt
Virtual keyboard seminar ppt
 
The 3-D Secure Protocol
The 3-D Secure ProtocolThe 3-D Secure Protocol
The 3-D Secure Protocol
 
A survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOTA survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOT
 
Digital certificates
Digital certificates Digital certificates
Digital certificates
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction ppt
 
Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)Ssl (Secure Socket Layer)
Ssl (Secure Socket Layer)
 
Polyalphabetic Substitution Cipher
Polyalphabetic Substitution CipherPolyalphabetic Substitution Cipher
Polyalphabetic Substitution Cipher
 
Generations of wireless technologies
Generations of wireless technologiesGenerations of wireless technologies
Generations of wireless technologies
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Secret key cryptography
Secret key cryptographySecret key cryptography
Secret key cryptography
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
 
Kerberos
KerberosKerberos
Kerberos
 
IOT gateways.pptx
IOT gateways.pptxIOT gateways.pptx
IOT gateways.pptx
 
Internet Key Exchange Protocol
Internet Key Exchange ProtocolInternet Key Exchange Protocol
Internet Key Exchange Protocol
 

Destacado

Introduction to SSL/TLS
Introduction to SSL/TLSIntroduction to SSL/TLS
Introduction to SSL/TLS
keithrozario
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
Chhatra Thapa
 

Destacado (20)

SSL
SSLSSL
SSL
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol Design
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
SSL
SSLSSL
SSL
 
web security
web securityweb security
web security
 
SSL TSL;& SET
SSL TSL;& SETSSL TSL;& SET
SSL TSL;& SET
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
 
PGP Presentation Powerpoint
PGP Presentation PowerpointPGP Presentation Powerpoint
PGP Presentation Powerpoint
 
Overview of SSL & TLS Client-Server Interactions
Overview of SSL & TLS Client-Server InteractionsOverview of SSL & TLS Client-Server Interactions
Overview of SSL & TLS Client-Server Interactions
 
ssl
sslssl
ssl
 
PGP presentation 2014
PGP presentation 2014PGP presentation 2014
PGP presentation 2014
 
PGP Basic Lecture 01
PGP Basic Lecture 01PGP Basic Lecture 01
PGP Basic Lecture 01
 
PGP - Pretty Good Privacy
PGP - Pretty Good PrivacyPGP - Pretty Good Privacy
PGP - Pretty Good Privacy
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Pgp
PgpPgp
Pgp
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 
Introduction to SSL/TLS
Introduction to SSL/TLSIntroduction to SSL/TLS
Introduction to SSL/TLS
 
Pretty good privacy
Pretty good privacyPretty good privacy
Pretty good privacy
 
Pgp
PgpPgp
Pgp
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 

Similar a SECURE SOCKET LAYER ( WEB SECURITY )

SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
Ahmed Elnaggar
 
Securing TCP connections using SSL
Securing TCP connections using SSLSecuring TCP connections using SSL
Securing TCP connections using SSL
Sagar Mali
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4
limsh
 
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdfSECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
NiharikaDubey17
 
BSET_Lecture_Crypto and SSL_Overview_FINAL
BSET_Lecture_Crypto and SSL_Overview_FINALBSET_Lecture_Crypto and SSL_Overview_FINAL
BSET_Lecture_Crypto and SSL_Overview_FINAL
Glenn Haley
 

Similar a SECURE SOCKET LAYER ( WEB SECURITY ) (20)

Network Security_Module_2.pdf
Network Security_Module_2.pdfNetwork Security_Module_2.pdf
Network Security_Module_2.pdf
 
Network Security Applications
Network Security ApplicationsNetwork Security Applications
Network Security Applications
 
Network Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarNetwork Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr Shivashankar
 
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.pptWEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
 
Unit 6
Unit 6Unit 6
Unit 6
 
Secure socket later
Secure socket laterSecure socket later
Secure socket later
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
 
Web security
Web securityWeb security
Web security
 
Securing TCP connections using SSL
Securing TCP connections using SSLSecuring TCP connections using SSL
Securing TCP connections using SSL
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4
 
SecureSocketLayer.ppt
SecureSocketLayer.pptSecureSocketLayer.ppt
SecureSocketLayer.ppt
 
Secure Socket Layer.pptx
Secure Socket Layer.pptxSecure Socket Layer.pptx
Secure Socket Layer.pptx
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets Layer
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
 
What is TLS/SSL?
What is TLS/SSL? What is TLS/SSL?
What is TLS/SSL?
 
Lecture #21: HTTPS , SSL & TLS
Lecture #21: HTTPS , SSL & TLSLecture #21: HTTPS , SSL & TLS
Lecture #21: HTTPS , SSL & TLS
 
Lecture #22 : Web Privacy & Security Breach
Lecture #22 : Web Privacy & Security BreachLecture #22 : Web Privacy & Security Breach
Lecture #22 : Web Privacy & Security Breach
 
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdfSECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
 
BSET_Lecture_Crypto and SSL_Overview_FINAL
BSET_Lecture_Crypto and SSL_Overview_FINALBSET_Lecture_Crypto and SSL_Overview_FINAL
BSET_Lecture_Crypto and SSL_Overview_FINAL
 
Sequere socket Layer
Sequere socket LayerSequere socket Layer
Sequere socket Layer
 

Más de Monodip Singha Roy

Complementary inverted reactive slot antenna embedded in single
Complementary inverted reactive slot antenna embedded in singleComplementary inverted reactive slot antenna embedded in single
Complementary inverted reactive slot antenna embedded in single
Monodip Singha Roy
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
Monodip Singha Roy
 

Más de Monodip Singha Roy (6)

Novel microstrip patch antenna for WLAN and Wi-MAX applications
Novel microstrip patch antenna for WLAN and Wi-MAX applicationsNovel microstrip patch antenna for WLAN and Wi-MAX applications
Novel microstrip patch antenna for WLAN and Wi-MAX applications
 
Complementary inverted reactive slot antenna embedded in single
Complementary inverted reactive slot antenna embedded in singleComplementary inverted reactive slot antenna embedded in single
Complementary inverted reactive slot antenna embedded in single
 
OPTICAL COMMUNICATION
OPTICAL COMMUNICATIONOPTICAL COMMUNICATION
OPTICAL COMMUNICATION
 
CHAOS ANALYSIS OF HRV
CHAOS ANALYSIS OF HRVCHAOS ANALYSIS OF HRV
CHAOS ANALYSIS OF HRV
 
MOBILE Ad-Hoc NETWORK (MANET)
MOBILE Ad-Hoc NETWORK (MANET)MOBILE Ad-Hoc NETWORK (MANET)
MOBILE Ad-Hoc NETWORK (MANET)
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

SECURE SOCKET LAYER ( WEB SECURITY )

  • 1. WEB SECURITY (SECURE SOCKET LAYER) MONODIP SINGHA ROY M.TECH Dr. B.C.ROY ENGINEERING COLLEGE 2
  • 2. Contents  WEB SECURITY  WEB SECURITY TERMINOLOGY  SSL ( SECURE SOCKET LAYER )  SSL ARCHITECTURE  TLS ( TRANSPORT LAYER SECURITY )  PROS AND CONS OF SSL/TLS  SUMMARY 3
  • 3. WEB SECURITY  Almost everything in today’s world relies on computer and internet. ◦ Communications (emails, phones) ◦ Transportation (car engine system, airplane navigation system) ◦ Medicine ( medical records, equipments) ◦ Shopping (online store, online payments) ◦ Entertainment (digital cables) 4
  • 4. What is WEB SECURITY ?? Web security , also known as “cyber security “ involves protecting the information by protecting , preventing and responding to the attacks. 5
  • 5. WEB SECURITY: TERMNOLOGY  HACKERS: People who strive to exploit weaknesses in software and computer for their own gain.  VIRUSES: Infects your computer before actually u can do something.  WORMS: Propagates without users intervention.  TROJAN: A software that claims to do something while in fact doing something in background. 6
  • 6. WEB SECURITY: TERNINOLOGY  RANSOMWARE: ◦ A form of Trojan that has been since 1989, as known as ‘PC CYBORG’ Trojan. ◦ It affects the user computer by encrypting the user’s personal files. ◦ The victim then contacted and offered the decrypt key in exchange of cash. 7
  • 7. WEB SECURITY: TERMINOLOGY  KEYLOGGERS: ◦ It is an software that monitor users activity such as key typed in keyboard. ◦ KeyLoggers can  Record keystrokes on keyboards.  Record mouse movement and clicks.  Record menus that are invoked.  Takes screenshot of the desktop at pre defined intervals. 8
  • 8. Web Security  Web now widely used by business, government, individuals  but Internet & Web are vulnerable  have a variety of threats ◦ integrity ◦ confidentiality ◦ denial of service ◦ authentication  need added security mechanisms. 9
  • 9. What is SSL?  SSL – Secure Socket Layer ƒit provides a secure transport connection between applications (e.g., a web server and a browser)  SSL was developed by Netscape  uses TCP to provide a reliable end-to-end service  SSL has two layers of protocols SSL v3.0 was specified in an Internet Draft (1996) ƒit evolved into RFC 246 and was renamed to TLS (Transport Layer Security)  TLS can be viewed as SSL v3.1 10
  • 11. SSL Components SSL HANDSHAKE PROTOCOL SSL RECORD PROTOCOL SSL ALERT PROTOCOL SSL CHANGE CIPHER SPEC PROTOCOL • Negotiation of security algorithms and parameters. • Key exchange. • Server authentication and optionally client authentication. • Fragmentation. • Compression. • Encryption. • Message authentication and integrity protection. • Error message ( fatal alerts and warning ) • A single message that indicates the end of SSL handshake. 12
  • 12. Sessions and Connections  An SSL session is a connection between client and server.  Sessions are stateful ; the session state includes security algorithm and parameters.  A session may include multiple secure connection between same server and client.  Connections of the same session share the session state.  Sessions are used to avoid expensive negotiation of new security parameters for each state. 13
  • 13. Session States…  Session state ◦ Session identifier – arbitrary byte sequence chosen by the server to identify the session. ◦ Peer certificate – may be null. ◦ Compression method. ◦ Cipher Spec – bulk data encryption algorithm and MAC algorithm ( eg. DES, MD5 ). ◦ Master key – a 48 byte secret key is used in between client and server. ◦ Resumable – a flag indicating whether the session can be used to initiate new connections. 14
  • 14. Connection States…  Connection State ◦ Server and client random – random byte sequence is chosen by the client and server for new connection. ◦ Server write MAC secret – secret key is used in MAC operations on data sent by the server. ◦ Client write MAC secret – secret key is used in MAC operations on data sent by the client. ◦ Server write key – secret encryption key for data, encrypted by the server. ◦ Client write key – secret encryption key for data, encrypted by the client. 15
  • 15. How States changes??  Operating state: current using state  Pending state: state to be used  Operating state < Pending state: at the transmission and reception of change cipher spec message The sending part of the pending state is copied into the sending part of operating state The receiving part of the pending state is copied into the receiving part of operating stateParty A Party B Change Cipher Spec 16
  • 16.  SSL session ◦ an association between client & server ◦ created by the Handshake Protocol ◦ define a set of cryptographic parameters ◦ may be shared by multiple SSL connections  SSL connection ◦ a transient, peer-to-peer, communications link ◦ associated with 1 SSL session 17
  • 17. SSL Handshake Protocol  Handshake protocol is used to exchange all the information required by both sides for the exchange of actual application data by the TRANSPORT LAYER SECURITY 18
  • 18. SSL Record Protocol  confidentiality ◦ using symmetric encryption with a shared secret key defined by Handshake Protocol ◦ IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 ◦ message is compressed before encryption  message integrity ◦ using a MAC with shared secret key ◦ similar to HMAC but with different padding 19
  • 19. SSL Change Cipher Spec Protocol  one of 3 SSL specific protocols which use the SSL Record protocol  a single message  causes pending state to become current  hence updating the cipher suite in use. 20
  • 20. SSL Alert Protocol  conveys SSL-related alerts to peer entity  severity  warning or fatal  specific alert  unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter  close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown  compressed & encrypted like all SSL data 21
  • 21. What is TSL??  Internet Engineering Task Force standard RFC 2246 similar to SSLv3 with minor differences: ◦ In record format version number ◦ Uses HMAC for MAC ◦ Has optional alert code ◦ Some changes in supported ciphers ◦ Change in use of certificate negotiation ◦ Change in use of padding 22
  • 22. Changes from SSLv3 to TLS…  Fortezza removed  Additional alerts added  Modification of hash calculation  Protocol version 3.1 in client hello, server hello 23
  • 23. TLS : Privacy  Encrypt message so it cannot be read  Use conventional cryptography with shared key ◦ DES , 3DES ◦ RC2, RC4 ◦ IDEA A (Message) $@#&!@ B(Message) 24
  • 24. TLS: Key Exchange  Need secure method to exchange key  Use public key encryption for this  Choices are RSA & Diffie-Hellman 25
  • 25. TLS: Integrity  Compute fixed length message authentication code (MAC) ◦ Includes hash of message ◦ Includes a shared secret key ◦ Includes sequence number ◦ Transmit MAC with message 26
  • 26. TLS : Authentication  Verify identities of participants  Client authentication is optional  Certificate is used to associate identity with public key and other attributes A B CERTIFICATES 27
  • 27. TLS: HTTP Application  HTTP is most common TLS application https://  Requires TLS-capable web server  Requires TLS-capable web browser ◦ Netscape navigator ◦ Internet explorer ◦ Cryptozilla 28
  • 28. Implementation of SSL/TLS  SSL & TLS have widely been implemented ◦ Open source software projects ( openSSL, NSS & GnuTLS) ◦ Microsoft windows : part of its secure channel ◦ Browsers  Apple safari  Internet explorer  Mozilla firefox 29
  • 29. Pros & Cons of SSL/TLS  Pros : ◦ Customer will trust your website: many visitors are now savvy enough to recognize when a webpage is encrypted and protected by SSL. ◦ Avoid dispute due to credit/debit card frauds: visitors uses their credit/debit cards information's on unprotected servers and faces identity theft. 30
  • 30. Cons ….  Cons : ◦ Regular renewal : just like website domain and hosting plan, SSL certificates also expires after short period of time ; usually one to five years. ◦ Complex installation : SSL is very difficult to install on websites for those who are unaware of website development. 31
  • 31. Application of SSL/TLS  On top of the Transport layer protocols ◦ Primarily with TCP ◦ Datagram transport layer security (DTLS) for UDP  Encapsulating the applications protocols ◦ HTTP ◦ Securing WWW traffic ◦ FTP, SMTP, etc 32
  • 32. SUMMARY  SSL/TLS address the need for security in internet communications ◦ Privacy – conventional encryption ◦ Integrity – message authentication codes ◦ Authentication – X.509  SSL in use today with web browsers and servers. 33