#MoreCrypto
A small step to make it harder to listen to IP based activity.
V1.8 TLS - oej@edvina.net - slideshare.net/oej
Ⓒ Olle E. Johansson, Stockholm, Sweden 2014.
This work is licensed under
2014-02-09
The problem
We have built an information network that is too easy to monitor. We simply trusted everyone too much in a naive way. Sadly, we can’t do that any more.
The Internet mirrors society
When the Internet was small, there was a select group of people using it. They felt it was a safe place.
As the Internet grew and reflected more of society, we forgot to harden it. It’s time now.
#MoreCrypto
The engineers are working
The IETF is the organisation that defined most of the standards we use today to communicate.
The IETF recently decided to focus a lot of energy on adding more confidentiality and security in general to the technology we use every day.
#MoreCrypto
What’s the problem?
Changing the Internet is too hard.
We are not using the security tools we have in the way they are meant to be used today. In some cases, like e-mail and IP telephony, most of us do not use any security tools at all.
#MoreCrypto
How do we change?
The users must require change. Otherwise, very few things happen. It is up to you and me.
#MoreCrypto
What needs to be done?
More crypto. Easy to use authentication. Enhanced privacy. Stronger confidentiality. …and much more.
A lot of changes need to be made in how we build services, operate them and use them.
#MoreCrypto
TLS is an important tool
TLS: Transport Layer Security
TLS provides confidentiality, identity and integrity to Internet communication.
TLS is used in HTTPS:// web pages, but can also be used from applications on a computer as well as a cell phone.
TLS is based on SSL, which was a provider-specific technology. TLS is maintained by the IETF and is still being improved.
The second part covers this!
#MoreCrypto
Start simple.
In short: use connection encryption wherever possible. Use HTTPS and serve information over HTTPS.
#MoreCrypto
Why?
More crypto on the Internet raises the cost of listening in to our information flows, our conversations. It does not solve all the issues; we have a lot of work ahead of us.
Using more TLS is not very complicated and it can be used in most applications today.
#MoreCrypto
Starting points.
Enable HTTPS for Facebook, Google and other services when you can.
Use EFF HTTPS Everywhere in your web browser.
If you are a sysadmin, enable TLS and follow new advice on choice of algorithms.
#MoreCrypto
What does TLS give you?
(Diagram: Browser - confidential path - Server)
Other people in the same network (or IT management) can see where you go (server address), but not what you do.
Example: Hotel staff can’t see what you write or read on Facebook.
#MoreCrypto
What about VPN tunnelling?
(Diagram: Computer - confidential path - VPN server - Web server / Mail server)
VPN = Virtual private network
Other people in the same network (or IT management) can see that you are using a VPN, but not what you do.
On the other side of the VPN server your connections become visible again - unless you are using TLS.
Example: Hotel staff can’t see which web sites you are connecting to.
#MoreCrypto
The work continues
Mobile apps, Web, IP Telephony, E-mail, Cloud Services, Internet of things, The Digital home, Chat, Video Services
Require #MoreCrypto!
NEW! OPPORTUNISTIC SECURITY
Secure network traffic, regardless of what the user says. Do whatever you can to make it harder to listen in.
Introduction to TLS 
Transport Layer Security 
#MoreCrypto
Security basics. 
#MoreCrypto 
Identity 
Confidentiality 
Authorization 
Integrity 
Non-repudiation
Encryption
SYMMETRIC: Using the same key for encryption and decryption. Simple for the CPU, supports streaming data.
ASYMMETRIC: Using different keys for encryption and decryption. More computations, easier for data blocks.
#MoreCrypto
Using a private and a public key
• TLS uses a keypair to set up a secure connection
• Asymmetric encryption
• The server sends the public key at connection
• The client challenges the server
• The server responds to the challenge using the server private key
• Now the client knows that the server has the private key that matches the public key
TLS Usage
• TLS is used for
  • authentication of servers and clients
  • initiating encryption of a session
  • digital signatures on messages to ensure integrity and provide authentication
Authentication: Who are you? Prove it!
Encryption: Providing confidentiality
Integrity: Making sure that the receiver gets what the sender sent
Adding a certificate to the mix
• A certificate is nothing more complicated than a passport or an ID card
• It contains the public key and some administrative data
• And is signed (electronically) by someone you might trust ... or not.
• This is part of the complex structure called PKI, which you might want or just disregard
• A PKI is not needed to get encryption for the signalling path!
• You can however use a PKI to only set up connections that you trust
The X.509v3 certificate
• An X.509 certificate is the standardised way to bind a public key to an identity
• The certificate is issued by a Certification Authority (CA)
• The most important component of the PKI?
• An X.509 certificate is an electronic document with a specific layout
• Standard: documented in the IETF PKIX RFCs
Fields: Version, Serial number, Issuer identity, Validity period, User identity, Public key, Extension fields
X509.v3 contents
• Version number
• Certificate serial number (used for validation)
• Identity of the issuer
• Validity period
• Identity of the public key owner
• Public key
• Extension fields
• A digital signature, created by the issuer
(Screenshot: Internet Explorer Certificate Manager)
Example: SIP certificates
• SubjectAltName contains a list of identities that are valid for this certificate
• RFC 5922 outlines a SIP event package to distribute and manage certificates
• This is based on the Authentication Service in SIP identity (RFC 4474)
• The domain cert is used to sign the NOTIFY payload
TLS is more than the world wide web!
x.509 cert for SIP 
Certificate: 
Data: 
Version: 3 (0x2) 
Serial Number: 
01:08:00:79:00:15:00:43 
Signature Algorithm: sha1WithRSAEncryption 
Issuer: C=US, ST=California, L=San Jose, O=sipit, OU=Sipit Test Certificate Authority 
Validity 
Not Before: Sep 16 17:17:00 2009 GMT 
Not After : Sep 15 17:17:00 2012 GMT 
Subject: C=US, ST=California, L=San Jose, O=sipit, CN=tls6.test.sipit.net 
Subject Public Key Info: 
Public Key Algorithm: rsaEncryption 
RSA Public Key: (2048 bit) 
Modulus (2048 bit): 
00:a7:96:65:6e:b6:ba:3a:48:a1:bd:a3:ae:21:dc: 
a8:92:97:3c:43:ea:24:e6:9f:93:2f:61:7e:d3:2d: 
30:1e:21:42:b9:d6:59:87:f1:b1:f8:c8:39:8e:43: 
64:9a:31:2c:18:3d:cd:d8:03:64:bb:14:38:44:05: 
20:30:d8:e1:db:a7:4d:c3:47:a2:49:73:d1:10:ed: 
2f:cf:74:26:57:91:64:af:b0:f2:5d:3f:88:9f:df: 
65:6c:ba:65:3f:66:99:52:6b:20:d2:0e:e3:65:18: 
b1:8e:3d:ca:f2:4a:45:c5:4d:85:ef:82:54:f8:54: 
54:db:96:90:9b:c5:1b:2a:1e:60:3c:43:71:55:60: 
30:93:8f:fd:d8:d9:3d:a1:32:e3:56:4b:e2:73:b6: 
cc:18:93:8a:d8:8b:68:81:c7:fd:cd:d5:dc:4c:a2: 
86:61:9f:ad:d0:b1:d3:3c:4c:6c:07:54:b2:43:b4: 
a7:0a:0a:f2:e3:6d:12:43:16:70:63:c9:e9:1a:78: 
66:9d:ee:30:94:7b:ab:f2:e9:67:4a:66:6d:8c:ed: 
a8:a4:98:51:77:0b:a7:60:55:73:85:87:4a:57:6b: 
24:fe:27:00:02:79:70:da:5a:45:ad:aa:3d:d5:40: 
5b:5c:85:63:93:56:af:c7:e8:e3:b6:1a:25:b6:a2: 
2d:37 
Exponent: 65537 (0x10001) 
X509v3 extensions: 
X509v3 Subject Alternative Name: 
DNS:test.sipit.net, DNS:tls6.test.sipit.net, URI:sip:tls6.test.sipit.net 
X509v3 Basic Constraints: 
CA:FALSE 
X509v3 Subject Key Identifier: 
27:F7:A9:96:F5:B2:8F:0B:5E:A9:C7:F5:0F:AC:3D:AB:3D:8D:F0:30 
Signature Algorithm: sha1WithRSAEncryption 
1a:fe:1f:af:86:99:82:e5:14:97:8d:64:9a:d1:5c:ea:6c:96: 
f5:c6:0c:7d:20:5f:4e:70:05:24:3a:de:b5:b9:cf:66:8d:4c: 
74:d5:6a:a9:52:74:17:bc:b4:79:a0:58:32:78:a9:70:7c:6a: 
15:ac:07:29:77:13:06:55:53:3f:0b:4c:3d:da:55:6e:ad:74: 
56:01:55:c8:4c:19:8d:06:0b:f3:4c:04:d5:9a:6f:44:ad:7a: 
fd:3b:aa:e8:4b:84:6e:f1:c4:34:f4:a0:6a:f6:81:ae:74:b4: 
46:6e:b9:2f:a6:59:f1:02:e9:58:7c:a1:8d:08:31:2b:39:ee: 
eb:7e 
Subject: C=US, ST=California, L=San Jose, O=sipit, CN=tls6.test.sipit.net 
X509v3 Subject Alternative Name: 
DNS:test.sipit.net, DNS:tls6.test.sipit.net, URI:sip:tls6.test.sipit.net 
Notice the URI in the certificate!
Process for a server
1. Generate keys
2. Pack public key in CSR
3. Send CSR to CA
4. CA validation process
5. CA issues certificate
6. Install cert in server with private key
Client connection
1. Open TCP connection
2. Server sends certificate
3. Client challenges server
4. Server answers challenge
5. Client validates certificate
6. Server can issue cert request
7. Client and server produce session key
8. Symmetric encryption starts
Issues
Certificate can validate correctly with the CA store, but still be the wrong certificate.
Certificate private key can be copied and the certificate revoked.
DNS was spoofed, so we reached the wrong service.
Something new and even more scary than Heartbleed.
Protocol specifics
• Given a protocol request - how do we match the request address to a certificate?
• SIP URI, e-mail address, HTTPS URI
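The matching question on this slide is answered per protocol: RFC 6125 for DNS names in HTTPS and RFC 5922 for SIP domains. The following is an added example, not part of the original slides: a stand-alone Python function that takes one of the three identifier kinds named above together with the subjectAltName list of the tls6.test.sipit.net certificate shown later in the deck, and decides whether that certificate is valid for the identifier. The SAN values are copied from the slide; the function names, the wildcard rule and the omission of any Subject CN fallback are choices made for this example.

```python
"""Match a request identifier against a certificate's subjectAltName list.

Added example. SAN entries are given in the "TYPE:value" form that
openssl x509 -text prints, exactly as on the slide.
"""
from urllib.parse import urlsplit

# subjectAltName entries of the tls6.test.sipit.net certificate on the slides.
SLIDE_SAN = [
    "DNS:test.sipit.net",
    "DNS:tls6.test.sipit.net",
    "URI:sip:tls6.test.sipit.net",
]


def parse_san(entries):
    """Group 'TYPE:value' entries by type, lower-casing the values."""
    san = {}
    for entry in entries:
        kind, _, value = entry.partition(":")
        san.setdefault(kind.strip().upper(), []).append(value.strip().lower())
    return san


def dns_match(reference, presented):
    """Compare a hostname with one dNSName entry (RFC 6125 section 6.4.3):
    exact match, or a wildcard that replaces the whole leftmost label only
    and leaves at least two labels to its right."""
    ref = reference.rstrip(".").lower().split(".")
    pres = presented.rstrip(".").lower().split(".")
    if ref == pres:
        return True
    if pres[0] != "*" or len(pres) < 3 or len(ref) != len(pres):
        return False
    return ref[1:] == pres[1:]


def sip_domain(uri):
    """Host part of a SIP/SIPS URI: drop scheme, user info, port and params."""
    rest = uri.split(":", 1)[1]
    host = rest.split("@")[-1].split(";")[0]
    return host.split(":")[0].lower()


def identifier_matches(identifier, san_entries):
    """Decide whether a certificate with these SAN entries is valid for the
    identifier the client actually asked for. Only entries of the matching
    type are consulted; the Subject CN is deliberately not a fallback once
    a subjectAltName extension is present.

      https://host[:port]/...  -> DNS entries
      sip:host / sips:host     -> URI entries of the form sip:domain
                                  (RFC 5922 section 7.1), or DNS entries
      user@host (e-mail)       -> email (rfc822Name) entries
    """
    san = parse_san(san_entries)
    ident = identifier.strip()
    lowered = ident.lower()
    if lowered.startswith("https://"):
        host = urlsplit(ident).hostname or ""
        return any(dns_match(host, d) for d in san.get("DNS", []))
    if lowered.startswith(("sip:", "sips:")):
        host = sip_domain(ident)
        sip_sans = [u.split(":", 1)[1] for u in san.get("URI", [])
                    if u.startswith("sip:")]
        return host in sip_sans or any(dns_match(host, d)
                                       for d in san.get("DNS", []))
    if "@" in ident:
        return lowered in san.get("EMAIL", [])
    return False
```

With the slide's certificate, `identifier_matches("sip:tls6.test.sipit.net", SLIDE_SAN)` succeeds through the URI entry, an HTTPS request to tls6.test.sipit.net succeeds through the DNS entry, and an e-mail identifier fails because the certificate carries no rfc822Name at all.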
TLS and SSL
SSL v1.0 - 2.0: Created by Netscape Communications. Deemed insecure.
SSL v3.0: Last version. No support for extensions and not for modern crypto algorithms. Deemed insecure.
TLS 1.x: Open standard defined by the IETF. Keeps being updated.
It’s time to try to stop using SSL.
#MoreCrypto
Man in the middle
(Diagram: Client - MITM - Server)
• How do we prevent and discover TLS proxies?
• Quite commonly used
Certificate Fingerprinting
Certificates have a fingerprint, a checksum of the cert and key.
Embed last, current and next certificate fingerprint in the code.
Verify that you are talking with the expected server.
TLS verification may work with a bad server cert too.
(Diagram: Client - Server; Client - MITM - Server)
#MoreCrypto
Trust on first use
Save certificate fingerprint on first connection.
If another certificate shows up, warn the user.
Don’t block, the first connection could be bad.
Certificates get updated, so save expiry time and accept new.
(Diagram: Client - Server; Client - MITM - Server)
#MoreCrypto
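The fingerprinting slide and the trust-on-first-use slide rest on the same ingredient, a fingerprint of the certificate the server actually presented, so one added example (not from the original slides) covers both: a pin set holding the last, current and next certificate, and a small TOFU store that warns on a changed certificate but accepts a new one once the saved one has expired. The certificate byte strings are constructed placeholders standing in for DER-encoded certificates as returned by `getpeercert(binary_form=True)`; `TofuStore`, `pin_check` and `rollover_scenario` are names chosen here.

```python
"""Certificate pinning and trust on first use (TOFU), added example.

Works on the DER bytes of the server certificate, which a client obtains
from ssl.SSLSocket.getpeercert(binary_form=True) after the handshake.
The byte strings below are constructed placeholders, not real X.509
certificates, so the logic can be exercised offline.
"""
import hashlib
import time

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
CERT_LAST = b"-- constructed DER: previous server certificate --"
CERT_CURRENT = b"-- constructed DER: current server certificate --"
CERT_NEXT = b"-- constructed DER: next server certificate --"
CERT_MITM = b"-- constructed DER: certificate presented by a TLS proxy --"


def fingerprint(cert_der):
    """SHA-256 fingerprint of the certificate bytes, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def build_pins(*certs):
    """Pin set to embed in the client: last, current and next certificate,
    so a routine certificate rollover does not lock clients out."""
    return frozenset(fingerprint(c) for c in certs)


def pin_check(cert_der, pins):
    """True only if the presented certificate is one the client expects.

    Runs in addition to chain validation: a certificate that chains to a
    trusted CA (or that a lax client would accept anyway) but is not the
    operator's own is still rejected here.
    """
    return fingerprint(cert_der) in pins


class TofuStore:
    """Trust on first use: remember the fingerprint seen on the first
    connection to a host and flag any later change. It warns rather than
    blocks, because the first connection itself may have been intercepted."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, for deterministic tests
        self._seen = {}          # host -> (fingerprint, not_after timestamp)

    def check(self, host, cert_der, not_after):
        """Return 'first-use', 'match', 'renewed' or 'changed'.

        not_after is the presented certificate's expiry as a Unix timestamp.
        """
        fp = fingerprint(cert_der)
        known = self._seen.get(host)
        if known is None:
            self._seen[host] = (fp, not_after)
            return "first-use"
        known_fp, known_not_after = known
        if fp == known_fp:
            return "match"
        if self._now() >= known_not_after:
            # The saved certificate has expired, so a new one is expected.
            self._seen[host] = (fp, not_after)
            return "renewed"
        # Different certificate while the saved one is still valid: warn
        # the user and keep the saved fingerprint rather than overwrite it.
        return "changed"


def rollover_scenario():
    """Walk through first use, a proxy interposing, and a legitimate renewal
    against a fake clock; returns the list of verdicts in order."""
    clock = [1000.0]
    store = TofuStore(now=lambda: clock[0])
    verdicts = [
        store.check("example.net", CERT_CURRENT, 2000.0),  # first-use
        store.check("example.net", CERT_CURRENT, 2000.0),  # match
        store.check("example.net", CERT_MITM, 3000.0),     # changed
    ]
    clock[0] = 2500.0  # saved certificate expired at 2000.0
    verdicts.append(store.check("example.net", CERT_NEXT, 3000.0))  # renewed
    verdicts.append(store.check("example.net", CERT_NEXT, 3000.0))  # match
    return verdicts
```

The two mechanisms answer different questions. `pin_check` is for software that knows in advance which server it talks to (a mobile app, a SIP phone's provisioning client) and can ship the fingerprints. `TofuStore` is for the general case where nothing is known up front; its "changed" verdict is the point where a user warning belongs, and the expiry check keeps a normal certificate renewal from looking like an attack.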
DANE - using DNSsec
Save cert in DNS, signed by DNSsec.
(Diagram: Client - DNS query - DNS; Client - TLS connection - Server; Client - MITM - Server)
If another certificate shows up, do not continue. Disconnect.
Certificates that have expired or been revoked have no NS records.
#MoreCrypto
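DANE publishes the certificate association as a TLSA record (RFC 6698), and the client compares what the server presented against what DNSSEC-signed DNS says. The following is an added example, not from the original slides: it produces the TLSA record text an operator would publish and checks a presented certificate against a list of such records, disconnecting (returning False) on anything that does not match, as the slide says. The certificate bytes are constructed placeholders, and the records are built inline so the check runs offline; a real client would fetch them from `_<port>._tcp.<host>` through a validating resolver. Only selector 0 (the full certificate) is implemented here, because selector 1 (SubjectPublicKeyInfo) would need a DER parser.

```python
"""Check a presented certificate against DANE TLSA records, added example.

Record fields follow RFC 6698: certificate usage, selector, matching type,
certificate association data. Only usage 3 (DANE-EE) with selector 0
(full certificate) is handled; other usages need the CA chain as well.
"""
import hashlib

DANE_EE = 3          # usage 3: the end-entity certificate itself is pinned
SELECTOR_FULL = 0    # selector 0: match against the whole certificate
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
SERVER_CERT = b"-- constructed DER: certificate of the SIP/web server --"
OTHER_CERT = b"-- constructed DER: certificate from a man in the middle --"


def tlsa_rdata(cert_der, usage=DANE_EE, selector=SELECTOR_FULL,
               matching=MATCH_SHA256):
    """TLSA rdata to publish for a certificate, in presentation format:
    'usage selector matching-type hex-data'."""
    if selector != SELECTOR_FULL:
        raise ValueError("only selector 0 (full certificate) is supported here")
    if matching == MATCH_EXACT:
        data = cert_der.hex()
    elif matching == MATCH_SHA256:
        data = hashlib.sha256(cert_der).hexdigest()
    elif matching == MATCH_SHA512:
        data = hashlib.sha512(cert_der).hexdigest()
    else:
        raise ValueError("unknown matching type %r" % matching)
    return "%d %d %d %s" % (usage, selector, matching, data)


def parse_tlsa(record):
    """Split presentation-format TLSA rdata into its four fields; the hex
    data may contain spaces, as zone files often print it."""
    usage, selector, matching, data = record.split(None, 3)
    return int(usage), int(selector), int(matching), data.replace(" ", "").lower()


def dane_accepts(cert_der, records):
    """True if the presented certificate matches any DANE-EE TLSA record.

    No records, no match, or only malformed/unsupported records all mean
    the client must not continue the connection.
    """
    for record in records:
        try:
            usage, selector, matching, data = parse_tlsa(record)
            if usage != DANE_EE or selector != SELECTOR_FULL:
                continue
            expected = tlsa_rdata(cert_der, usage, selector, matching)
        except ValueError:
            continue  # malformed or unsupported record: ignore it
        if expected.split()[3] == data:
            return True
    return False


# What the zone operator would publish at _5061._tcp.<host> for SERVER_CERT.
PUBLISHED_TLSA = [tlsa_rdata(SERVER_CERT)]
```

The asymmetry with trust on first use is deliberate: TOFU only has the previous connection to compare against and therefore warns, while DANE has an authoritative statement from the domain owner and can refuse outright.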
User specifics
• Which CAs do we trust?
• How do we check the validity of a certificate, even if we trust the CA?
• Do we have time for validation?
New solutions
• Anchoring the certificate in DNS
• Validating the certificate in DNS
  (DNSsec)
• No certificate - bare keys
• Opportunistic Security with TLS
Advice:
• Use encrypted communication by default
• Authenticated sessions are better than non-authenticated
• If you really need confidentiality, check ciphers and checksum algorithms
#MoreCrypto
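The three pieces of advice map directly onto client-side TLS configuration. The following is an added example, not from the slides, using only Python's standard-library ssl module: a hardened client context (peer authenticated, hostname checked, TLS 1.2 or newer, restricted cipher list) beside the lax configuration the advice warns against, plus an audit function that tells them apart. The cipher string and the WEAK_MARKERS list are choices made for this example, not a list taken from the deck; the function names are this example's own.

```python
"""Encrypted by default, authenticated, and with checked ciphers:
the advice slide as an ssl.SSLContext, added example.
"""
import ssl

# Forward-secret AEAD suites only; the '!' entries exclude unauthenticated,
# null, MD5, RC4 and 3DES suites regardless of the library default.
CIPHERS = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"

# Substrings that mark a cipher suite name as unacceptable in an audit.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def client_context(cafile=None):
    """Build an SSLContext for outgoing connections.

    PROTOCOL_TLS_CLIENT already verifies the chain and the hostname; this
    additionally refuses anything below TLS 1.2 and restricts the cipher
    list. A server whose certificate does not chain to `cafile` (or the
    system store) is rejected instead of silently getting an
    unauthenticated session.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.set_ciphers(CIPHERS)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def lax_context():
    """The 'it connects, so it must be fine' configuration: the session is
    encrypted, but the peer is never authenticated, so a TLS proxy in the
    path is accepted without any warning."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False     # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """Audit a context: authentication on, hostname checked, TLS >= 1.2,
    and no weak suite left in the enabled cipher list."""
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        return False
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        return False
    names = [c["name"] for c in ctx.get_ciphers()]
    return bool(names) and not any(
        marker in name for name in names for marker in WEAK_MARKERS)


def enabled_cipher_names(ctx):
    """Names of the suites the context will offer, for review in a log."""
    return [c["name"] for c in ctx.get_ciphers()]
```

`context_is_hardened` is the kind of check worth running in a test suite for any client that builds its own context, so that a later "temporary" switch to `CERT_NONE` to get past a broken certificate does not ship.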
Heartbleed
• Programming error in OpenSSL
• OpenSSL is used in too many places
• Opened up for leakage of private keys and a lot of other in-memory data.
Security is a process
• There will be other issues with TLS libraries, protocols and implementations
• Having these is better than having no security, integrity, privacy or confidentiality
To-do list
1. SECURITY: Always build secure platforms. Encrypt all communication.
2. IPv6: Integrate IPv6 in every single project.
3. DNSsec: Sign your DNS data. DNS is the foundation for all of Internet.
#MoreCrypto
The way forward: 
#MoreCrypto
More information 
http://www.internetsociety.org/deploy360/tls/ 
https://bettercrypto.org 
http://tools.ietf.org/html/rfc7258 - Internet is under attack. 
#MoreCrypto
Join us!
• IETF perpass mailing list, UTA working group and more.
• Hashtag #MoreCrypto
• http://internetsociety.org
#MoreCrypto
Feedback?
• Feedback and suggestions for improvements to this presentation are more than welcome! Send to oej@edvina.net!
• Feel free to use this presentation yourself - notice the Creative Commons license on this presentation!
• Please tell me if you use it! It’s always fun to know.
Olle E. Johansson
Author: oej@edvina.net - slideshare.net/oej
Ⓒ Olle E. Johansson, Stockholm, Sweden 2014.
This work is licensed under

DBX First Quarter 2024 Investor PresentationDropbox
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 

Último (20)

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 

#Morecrypto 1.8 - with introduction to TLS

  • 1. #MoreCrypto A small step to make it harder to listen to IP based activity. V1.8 TLS - oej@edvina.net - slideshare.net/oej Ⓒ Olle E. Johansson, Stockholm, Sweden 2014. This work is licensed under 2014-02-09
  • 2. The problem We have built an information network that is too easy to monitor. We simply trusted everyone too much in a naive way. Sadly, we can’t do that any more.
  • 3. The Internet mirrors society When the Internet was small, there was a select group of people using it. They felt it was a safe place. #MoreCrypto
  • 4. As the Internet grew and reflects more of society, we forgot to harden it. It’s time now. #MoreCrypto
  • 5. The engineers are working The IETF is the organisation that defined most of the standards we use today to communicate. The IETF recently decided to focus a lot of energy on adding more confidentiality and security in general to the technology we use every day. #MoreCrypto
  • 7. Changing the Internet is too hard. We are not using the security tools we have in the way they are meant to be used today. In some cases, like e-mail and IP telephony, most of us do not use any security tools at all. #MoreCrypto
  • 8. How do we change? The users must require change. Otherwise, very few things happen. It is up to you and me. #MoreCrypto
  • 9. What needs to be done? More crypto, easy to use authentication, enhanced privacy, stronger confidentiality …and much more. A lot of changes need to be made in how we build services, operate them and use them. #MoreCrypto
  • 10. TLS is an important tool TLS: Transport Layer Security. TLS provides confidentiality, identity and integrity to Internet communication. TLS is used in HTTPS:// web pages, but can also be used from applications on a computer as well as a cell phone. TLS is based on SSL, which was a provider-specific technology. TLS is maintained by the IETF and is still being improved. The second part covers this! #MoreCrypto
  • 11. Start simple. Use connection encryption wherever possible. Use HTTPS and serve information over HTTPS. In short: #MoreCrypto
  • 12. Why? More crypto on the Internet raises the cost of listening in to our information flows, our conversations. It does not solve all the issues; we have a lot of work ahead of us. Using more TLS is not very complicated, and TLS can be used in most applications today. #MoreCrypto
  • 13. Starting points. Enable HTTPS for Facebook, Google and other services when you can. Use EFF HTTPS ANYWHERE in your web browser. If you are a sysadmin, enable TLS and follow new advice on choice of algorithms. #MoreCrypto
  • 14. What does TLS give you? (Diagram: browser, confidential path, server.) Other people in the same network (or IT management) can see where you go (server address), but not what you do. Example: Hotel staff can’t see what you write or read on Facebook. #MoreCrypto
  • 15. What about VPN tunnelling? VPN = Virtual private network. (Diagram: computer, confidential path, VPN server, and beyond it a web server and a mail server.) Other people in the same network (or IT management) can see that you are using a VPN, but not what you do. On the other side of the VPN server your connections become visible again - unless you are using TLS. Example: Hotel staff can’t see which web sites you are connecting to. #MoreCrypto
  • 16. The work continues: mobile apps, web, IP telephony, e-mail, cloud services, Internet of things, the digital home, chat, video services. Require #MoreCrypto!
  • 17. NEW! OPPORTUNISTIC SECURITY Secure network traffic, regardless of what the user says. Do whatever you can to make it harder to listen in.
  • 18. Introduction to TLS Transport Layer Security #MoreCrypto
  • 19. Security basics: identity, confidentiality, authorization, integrity, non-repudiation. #MoreCrypto
  • 20. TLS is an important tool TLS: Transport Layer Security. TLS provides confidentiality, identity and integrity to Internet communication. TLS is used in HTTPS:// web pages, but can also be used from applications on a computer as well as a cell phone. TLS is based on SSL, which was a provider-specific technology. TLS is maintained by the IETF and is still being improved. #MoreCrypto
  • 21. Encryption SYMMETRIC: using the same key for encryption and decryption; simple for the CPU, supports streaming data. ASYMMETRIC: using different keys for encryption and decryption; more computations, easier for data blocks. #MoreCrypto
  • 22. Using a private and a public key • TLS uses a keypair to set up a secure connection • Asymmetric encryption • The server sends the public key at connection • The client challenges the server • The server responds to the challenge using the server's private key • Now the client knows that the server has the private key that matches the public key
  • 23. TLS Usage • TLS is used for • authentication of servers and clients • initiating encryption of a session • digital signatures on messages to ensure integrity and provide authentication. Authentication: Who are you? Prove it! Encryption: providing confidentiality. Integrity: making sure that the receiver gets what the sender sent.
  • 24. Adding a certificate to the mix • A certificate is nothing more complicated than a passport or an ID card • It contains the public key and some administrative data • And is signed (electronically) by someone you might trust ... or not. • This is part of the complex structure called PKI, which you might want or just disregard • A PKI is not needed to get encryption for the signalling path! • You can however use a PKI to only set up connections that you trust
  • 25. The X.509v3 certificate • An X.509 certificate is the standardised way to bind a public key to an identity • The certificate is issued by a Certification Authority (CA) • The most important component of the PKI? • An X.509 certificate is an electronic document with a specific layout! • Standard: documented in the IETF PKIX RFCs. (Fields: version, serial number, issuer identity, validity period, user identity, public key, extension fields.)
  • 26. X.509v3 contents • Version number • Certificate serial number (used for validation) • Identity of the issuer • Validity period • Identity of the public key owner • Public key • Extension fields • A digital signature, created by the issuer. (Screenshot: Internet Explorer Certificate Manager.)
  • 27. Example: SIP certificates • SubjectAltName contains a list of identities that are valid for this certificate • RFC 5922 outlines a SIP event package to distribute and manage certificates • This is based on the Authentication Service in SIP identity (RFC 4474) • The domain cert is used to sign the NOTIFY payload TLS is more than the world wide web!
  • 28. x.509 cert for SIP
        Certificate:
            Data:
                Version: 3 (0x2)
                Serial Number: 01:08:00:79:00:15:00:43
                Signature Algorithm: sha1WithRSAEncryption
                Issuer: C=US, ST=California, L=San Jose, O=sipit, OU=Sipit Test Certificate Authority
                Validity
                    Not Before: Sep 16 17:17:00 2009 GMT
                    Not After : Sep 15 17:17:00 2012 GMT
                Subject: C=US, ST=California, L=San Jose, O=sipit, CN=tls6.test.sipit.net
                Subject Public Key Info:
                    Public Key Algorithm: rsaEncryption
                    RSA Public Key: (2048 bit)
                        Modulus (2048 bit):
                            00:a7:96:65:6e:b6:ba:3a:48:a1:bd:a3:ae:21:dc:
                            a8:92:97:3c:43:ea:24:e6:9f:93:2f:61:7e:d3:2d:
                            30:1e:21:42:b9:d6:59:87:f1:b1:f8:c8:39:8e:43:
                            64:9a:31:2c:18:3d:cd:d8:03:64:bb:14:38:44:05:
                            20:30:d8:e1:db:a7:4d:c3:47:a2:49:73:d1:10:ed:
                            2f:cf:74:26:57:91:64:af:b0:f2:5d:3f:88:9f:df:
                            65:6c:ba:65:3f:66:99:52:6b:20:d2:0e:e3:65:18:
                            b1:8e:3d:ca:f2:4a:45:c5:4d:85:ef:82:54:f8:54:
                            54:db:96:90:9b:c5:1b:2a:1e:60:3c:43:71:55:60:
                            30:93:8f:fd:d8:d9:3d:a1:32:e3:56:4b:e2:73:b6:
                            cc:18:93:8a:d8:8b:68:81:c7:fd:cd:d5:dc:4c:a2:
                            86:61:9f:ad:d0:b1:d3:3c:4c:6c:07:54:b2:43:b4:
                            a7:0a:0a:f2:e3:6d:12:43:16:70:63:c9:e9:1a:78:
                            66:9d:ee:30:94:7b:ab:f2:e9:67:4a:66:6d:8c:ed:
                            a8:a4:98:51:77:0b:a7:60:55:73:85:87:4a:57:6b:
                            24:fe:27:00:02:79:70:da:5a:45:ad:aa:3d:d5:40:
                            5b:5c:85:63:93:56:af:c7:e8:e3:b6:1a:25:b6:a2:
                            2d:37
                        Exponent: 65537 (0x10001)
                X509v3 extensions:
                    X509v3 Subject Alternative Name:
                        DNS:test.sipit.net, DNS:tls6.test.sipit.net, URI:sip:tls6.test.sipit.net
                    X509v3 Basic Constraints:
                        CA:FALSE
                    X509v3 Subject Key Identifier:
                        27:F7:A9:96:F5:B2:8F:0B:5E:A9:C7:F5:0F:AC:3D:AB:3D:8D:F0:30
            Signature Algorithm: sha1WithRSAEncryption
                1a:fe:1f:af:86:99:82:e5:14:97:8d:64:9a:d1:5c:ea:6c:96:
                f5:c6:0c:7d:20:5f:4e:70:05:24:3a:de:b5:b9:cf:66:8d:4c:
                74:d5:6a:a9:52:74:17:bc:b4:79:a0:58:32:78:a9:70:7c:6a:
                15:ac:07:29:77:13:06:55:53:3f:0b:4c:3d:da:55:6e:ad:74:
                56:01:55:c8:4c:19:8d:06:0b:f3:4c:04:d5:9a:6f:44:ad:7a:
                fd:3b:aa:e8:4b:84:6e:f1:c4:34:f4:a0:6a:f6:81:ae:74:b4:
                46:6e:b9:2f:a6:59:f1:02:e9:58:7c:a1:8d:08:31:2b:39:ee:
                eb:7e
Subject: C=US, ST=California, L=San Jose, O=sipit, CN=tls6.test.sipit.net X509v3 Subject Alternative Name: DNS:test.sipit.net, DNS:tls6.test.sipit.net, URI:sip:tls6.test.sipit.net Notice the URI in the certificate!
  • 29. Process for a server: generate keys; pack the public key in a CSR; send the CSR to the CA; CA validation process; CA issues the certificate; install the cert in the server together with the private key.
  • 30. Client connection: open TCP connection; server sends certificate; client challenges server; server answers challenge; client validates certificate; server can issue a cert request (client certificate); client and server produce a session key; symmetric encryption starts.
  • 31. Issues A certificate can validate correctly against the CA store, but still be the wrong certificate. The certificate's private key can be copied and the certificate revoked. DNS was spoofed, so we reached the wrong service. Something new and even scarier than Heartbleed.
  • 32. Protocol specifics • Given a protocol request - how do we match the request address to a certificate? • SIP URI, e-mail address, HTTPS URI
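How a client can match a request address to a certificate for the three cases named on slide 32, as an added Python example that is not part of the presentation. The SubjectAltName list is constructed from the SIP certificate shown on slide 28. The HTTPS rule (match the host name against DNS entries, wildcard only as a whole left-most label) and the SIP rule (match the URI's domain as a URI entry, or as a DNS entry) follow common practice; the fallback from an e-mail address to its domain's DNS entry is this example's assumption, and all function names are the example's own.

```python
"""Match a request address (HTTPS URI, SIP URI, e-mail address) against the
identities listed in a certificate's SubjectAltName (SAN)."""
from typing import List, Sequence, Tuple

SanEntry = Tuple[str, str]  # (kind, value): ("DNS", host), ("URI", "sip:host"), ("email", addr)

# Constructed SAN list, taken from the certificate on slide 28.
SAMPLE_SAN: List[SanEntry] = [
    ("DNS", "test.sipit.net"),
    ("DNS", "tls6.test.sipit.net"),
    ("URI", "sip:tls6.test.sipit.net"),
]


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID comparison. A wildcard is accepted only as the
    complete left-most label, never across a dot, and never for a pattern with
    fewer than three labels (a conservative RFC 6125 reading)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def reference_identities(request: str) -> List[SanEntry]:
    """Translate a request address into the SAN entries that would satisfy it,
    in order of preference. The e-mail fallback to the domain is an assumption
    of this example, not a standard rule."""
    req = request.strip()
    lower = req.lower()
    if lower.startswith("https://"):
        host = req[len("https://"):].split("/", 1)[0].rsplit("@", 1)[-1]
        if host.startswith("["):
            raise ValueError("IP literals are not matched against DNS names here")
        return [("DNS", host.split(":", 1)[0])]
    if lower.startswith("sip:") or lower.startswith("sips:"):
        # sip:user@domain:port;params -> domain
        hostport = req.split(":", 1)[1].split(";", 1)[0].rsplit("@", 1)[-1]
        domain = hostport.split(":", 1)[0]
        return [("URI", "sip:" + domain), ("DNS", domain)]
    if "@" in req and "/" not in req:
        return [("email", req), ("DNS", req.rsplit("@", 1)[1])]
    raise ValueError("unsupported request address: " + request)


def san_entry_matches(wanted: SanEntry, entry: SanEntry) -> bool:
    kind, value = wanted
    ekind, evalue = entry
    if kind != ekind:
        return False
    if kind == "DNS":
        return dns_name_matches(evalue, value)
    if kind == "URI":
        return evalue.lower() == value.lower()  # scheme and host are case-insensitive
    if kind == "email":
        elocal, edom = evalue.rsplit("@", 1)
        wlocal, wdom = value.rsplit("@", 1)
        return elocal == wlocal and edom.lower() == wdom.lower()  # local part is case-sensitive
    return False


def certificate_matches_request(request: str, san: Sequence[SanEntry]) -> bool:
    """True when some SAN entry satisfies one of the request's reference identities."""
    return any(san_entry_matches(w, e) for w in reference_identities(request) for e in san)


if __name__ == "__main__":
    for r in ("https://tls6.test.sipit.net/", "sip:alice@tls6.test.sipit.net;transport=tls",
              "https://evil.sipit.net/"):
        print(r, "->", certificate_matches_request(r, SAMPLE_SAN))
```

The point of the split into `reference_identities` and `san_entry_matches` is that the protocol decides what to look for (a DNS name for HTTPS, a URI or domain for SIP) and the certificate only answers whether it contains that identity; a client that compares the CN field alone, or matches a wildcard across dots, accepts certificates it should not.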
  • 33. TLS and SSL SSL v1.0 - 2.0: created by Netscape Communications. Deemed insecure. SSL v3.0: last version. No support for extensions, nor for modern crypto algorithms. Deemed insecure. TLS 1.x: open standard defined by the IETF. Keeps being updated. It’s time to try to stop using SSL. #MoreCrypto
  • 34. Man in the middle (Diagram: client, MITM, server.) • How do we prevent and discover TLS proxies? • Quite commonly used
  • 35. Certificate Fingerprinting Certificates have a fingerprint, a checksum of the cert and key. Embed the last, current and next certificate fingerprint in the code. Verify that you are talking with the expected server. TLS verification may work with a bad server cert too. (Diagram: client, server; client, MITM, server.) #MoreCrypto
  • 36. Trust on first use Save the certificate fingerprint on the first connection. If another certificate shows up, warn the user. Don’t block: the first connection could have been bad. Certificates get updated, so save the expiry time and accept a new certificate after expiry. (Diagram: client, server; client, MITM, server.) #MoreCrypto
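The two techniques on slides 35 and 36, fingerprint pinning and trust on first use, as one added Python example that is not part of the presentation. Both are built on the same fingerprint helper (SHA-256 over the DER-encoded certificate, which is how real certificate fingerprints are computed). The "certificates" are constructed byte strings standing in for DER; the names `pin_check`, `TofuStore` and the outcome labels are the example's own.

```python
"""Certificate pinning (slide 35) and trust on first use (slide 36), both
keyed on the SHA-256 fingerprint of the DER-encoded certificate."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, FrozenSet


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint as lower-case hex; with a real certificate, hash its DER bytes."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for the server's previous, current and next certificate,
# and for the certificate a TLS proxy in the middle would present.
CERT_LAST = b"constructed-der:server-cert:2013"
CERT_CURRENT = b"constructed-der:server-cert:2014"
CERT_NEXT = b"constructed-der:server-cert:2015"
CERT_PROXY = b"constructed-der:mitm-proxy-cert"

# Slide 35: pin the last, current and next fingerprint in the code, so that a
# planned rotation does not lock clients out while a proxy cert is still refused.
PINNED_FINGERPRINTS: FrozenSet[str] = frozenset(
    fingerprint(c) for c in (CERT_LAST, CERT_CURRENT, CERT_NEXT)
)


def pin_check(cert_der: bytes, pins: FrozenSet[str] = PINNED_FINGERPRINTS) -> bool:
    """Run after normal chain validation: a certificate that validates against
    the CA store but is not pinned is still refused."""
    return fingerprint(cert_der) in pins


@dataclass
class SeenCert:
    fp: str
    not_after: float  # expiry of the stored certificate, seconds since the epoch


@dataclass
class TofuStore:
    """Slide 36: remember the fingerprint seen on the first connection to a host."""
    known: Dict[str, SeenCert] = field(default_factory=dict)

    def check(self, host: str, cert_der: bytes, not_after: float, now: float) -> str:
        """Classify the certificate presented by host.
        'first-use': nothing stored yet, fingerprint saved.
        'ok':        same fingerprint as before.
        'rotated':   the stored certificate has expired, new fingerprint saved.
        'warn':      a different certificate while the stored one is still valid.
        The store never blocks: the slide notes that the first connection could
        itself have been bad, so the caller decides how to act on 'warn'."""
        fp = fingerprint(cert_der)
        seen = self.known.get(host)
        if seen is None:
            self.known[host] = SeenCert(fp, not_after)
            return "first-use"
        if seen.fp == fp:
            return "ok"
        if now >= seen.not_after:
            self.known[host] = SeenCert(fp, not_after)
            return "rotated"
        return "warn"


if __name__ == "__main__":
    print("pinned current:", pin_check(CERT_CURRENT), "pinned proxy:", pin_check(CERT_PROXY))
    store = TofuStore()
    for cert, now in ((CERT_CURRENT, 1000), (CERT_CURRENT, 1100), (CERT_PROXY, 1200), (CERT_NEXT, 2500)):
        print(now, store.check("tls6.test.sipit.net", cert, not_after=now + 1000, now=now))
```

Pinning and TOFU answer different questions: the pin set is fixed at build time and rejects anything else, while the TOFU store only notices change. Neither replaces chain validation; the slide's point is that chain validation alone may pass a certificate that is valid but not the one you expected.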
  • 37. DANE - using DNSsec Save the cert in DNS, signed by DNSsec. If another certificate shows up, do not continue. Disconnect. Certificates that expired or were revoked have no DNS records. (Diagram: client sends a DNS query, then opens the TLS connection to the server; client, MITM, server.) #MoreCrypto
  • 38. User specifics • Which CAs do we trust? • How do we check validity of certificate, even if we trust the CA? • Do we have time for validation?
  • 39. New solutions • Anchoring the certificate in DNS (DNSsec) • Validating the certificate in DNS • No certificate - bare keys • Opportunistic Security with TLS
  • 40. Advice: • Use encrypted communication by default • Authenticated sessions are better than non-authenticated • If you really need confidentiality, check ciphers and checksum algorithms #MoreCrypto
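The advice on slides 33 and 40 (stop using SSL; prefer authenticated sessions; check ciphers and checksum algorithms) applied to a client-side `ssl.SSLContext`, as an added Python example that is not part of the presentation. The cipher policy string and the helper names are the example's choices; it uses only the standard `ssl` module and runs offline.

```python
"""Hardened client TLS settings with Python's ssl module: no SSL or old TLS,
certificate validation and hostname check on, AEAD ciphers with forward
secrecy only for TLS 1.2."""
import ssl
from typing import Dict, List, Optional

# TLS 1.2 cipher policy (example's choice). TLS 1.3 suites are configured
# separately by OpenSSL and are all AEAD, so this string does not touch them.
CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4"


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context for outgoing connections. cafile=None uses the platform CA store."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Slide 33: no SSLv2, SSLv3, TLS 1.0 or TLS 1.1. TLS 1.2 is the floor.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Slide 40: authenticated sessions. Validate the chain and match the hostname.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Slide 40: check ciphers and checksum algorithms. AEAD suites carry their own
    # integrity check, so no MD5/SHA-1 HMAC remains in the list.
    ctx.set_ciphers(CIPHER_POLICY)
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled TLS 1.2 ciphers that are not AEAD or offer no forward
    secrecy (no ephemeral (EC)DH, recognisable by 'DHE' in the OpenSSL name).
    An empty list means the policy holds."""
    weak = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        if not c["aead"] or "DHE" not in c["name"]:
            weak.append(c["name"])
    return weak


def policy_report(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summary a reviewer can read before the context is used."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "tls12_ciphers": [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"],
        "weak_ciphers": weak_ciphers(ctx),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(policy_report(hardened_client_context()), indent=2))
```

For comparison, a context built with `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` and then `ctx.set_ciphers("ALL")` would report many non-AEAD and static-RSA suites in `weak_ciphers`; the point of running `policy_report` is to confirm what the library actually negotiates rather than trusting the defaults of whichever OpenSSL build is installed.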
  • 41. Heartbleed • Programming error in OpenSSL • OpenSSL is used in too many places • Opened up for leaking the private key and a lot of other in-memory data.
  • 42. Security is a process • There will be other issues with TLS libraries, protocols and implementations • Having these is better than having no security, integrity, privacy or confidentiality
  • 43. To-do list 1. SECURITY: Always build secure platforms. Encrypt all communication. 2. IPv6: Integrate IPv6 in every single project. 3. DNSsec: Sign your DNS data. DNS is the foundation for all of the Internet. #MoreCrypto
  • 44. The way forward: #MoreCrypto
  • 45. More information http://www.internetsociety.org/deploy360/tls/ https://bettercrypto.org http://tools.ietf.org/html/rfc7258 - Internet is under attack. #MoreCrypto
  • 46. Join us! • IETF peerpass mailing list, UTA working group and more. • Hashtag #MoreCrypto • http://internetsociety.org
  • 47. #MoreCrypto Feedback? • Feedback and suggestions for improvements to this presentation are more than welcome! Send to oej@edvina.net! • Feel free to use this presentation yourself - notice the Creative Commons license on this presentation! • Please tell me if you use it! It’s always fun to know. Author: Olle E. Johansson, oej@edvina.net - slideshare.net/oej Ⓒ Olle E. Johansson, Stockholm, Sweden 2014. This work is licensed under