SSL/TLS

Rebecca Meritz / @rmeritz

What is SSL/TLS?

Tool for making the internet more secure
Internet is insecure by default
TLS + HTTP = HTTPS

Clarifications

SSL vs. TLS
Not just the web

Cryptographic Protcol

Cryptography

Practice and study of techniques for secure communication in the presence of third parties

www.cse.iitd.ac.in

What is secure communication?

Confidentiality (Keeping secrets)
Authenticity (Verifying identities)
Integrity (Ensuring safe transport)

Protocol

A system of rules that explain the correct conduct and procedures to be followed in a situation

simcoemuskokahealth.org

TLS Protocol

Handshake
Data Exchange
Shutdown

How does the TLS protocol provide cryptographic security?

TLS Protocol

Handshake
Data Exchange
Shutdown

Problem 1: Confidentiality

citizenmag.com

Solution 1: Symmetric Encryption

Private Key Cryptography

Bulletproof SSL and TLS (Ivan Ristić)

Subsitution Cipher

wikimedia.org

Problem 2: Confidentiality

How do the client and the server get the same keys?

Solution 2: Asymmetric Encryption

Public Key Cryptography

Bulletproof SSL and TLS (Ivan Ristić)

Problem 3: Confidentiality / Authenticity

Where are the public keys?

How do I know I have the correct public key?

Solution 3: Public Key Infrastructure (PKI)

wikimedia.org

Problem 4: Confidentiality

But asymmetric encryption is slow and expensive.

Solution 4: Handshake

Handshake
Data Exchange
Shutdown

rhsecurity.wordpress.com

Problem 5: Integrity

Tampering

labelswest.com

Solution 5: Hashing Function (Hash)

Converts input into a fixed length
Another message doesn't have the same hash
Fingerprint
Infeasible to find original message
Keyed Hash Message Authentication Code (HMAC)

blog.varonis.com

Problem 6: Integrity

Dropping or Replay

Solution 6: Sequence Code

Bulletproof SSL and TLS (Ivan Ristić)

Problem 7: Integrity

Truncation (dropping the last message)

Solution 7: Shutdown

Handshake
Data Exchange
Shutdown

TLS Protcol

Handshake:
- Asymmetric Encryption (Confidentiality)
- Public Key Infrastructure (Confidentiality / Authentication)
Data Exchange:
- Symmetric Encryption (Confidentiality)
- Hashing (Integrity)
- Sequence codes (Integrity)
Shutdown (Integrity)

SSL/TLS

What is SSL/TLS?

Clarifications

Cryptographic Protcol

Cryptography

What is secure communication?

Protocol

TLS Protocol

How does the TLS protocol provide cryptographic security?

TLS Protocol

Problem 1: Confidentiality

Solution 1: Symmetric Encryption

Private Key Cryptography

Subsitution Cipher

Problem 2: Confidentiality

How do the client and the server get the same keys?

Solution 2: Asymmetric Encryption

Public Key Cryptography

Problem 3: Confidentiality / Authenticity

Where are the public keys?

How do I know I have the correct public key?

Solution 3: Public Key Infrastructure (PKI)

Problem 4: Confidentiality

But asymmetric encryption is slow and expensive.

Solution 4: Handshake

Problem 5: Integrity

Tampering

Solution 5: Hashing Function (Hash)

Problem 6: Integrity

Dropping or Replay

Solution 6: Sequence Code

Problem 7: Integrity

Truncation (dropping the last message)

Solution 7: Shutdown

TLS Protcol

What can I do?

For internet users

SSL Client Test

For developers or sysadmins

SSL Server Test

@rmeritz

http://rebecca.meritz.com/ggm15

https://meritz.rocks