PROVING WHO YOU ARE TLS & THE PKI

Size: px
Start display at page:

Download "PROVING WHO YOU ARE TLS & THE PKI"

Transcription

1 PROVING WHO YOU ARE TLS & THE PKI CMSC 414 MAR

2 RECALL OUR PROBLEM WITH DIFFIE-HELLMAN The two communicating parties thought, but did not confirm, that they were talking to one another. Therefore, they were vulnerable to MITM attacks. Certificates allow us to verify with whom we are communicating. We will solve this by incorporating public key cryptography

3 Back to authentication How can we know it was really who posted PK?

4 Back to authentication Generate public/private key pair (PK,SK); publicize PK How can we know it was really who posted PK?

5 Back to authentication Generate public/private key pair (PK,SK); publicize PK How can we know it was really who posted PK? E(KAT, msg to:bob) E(KBT, msg from:alice) KAT KBT Alice Bob KAT KBT

6 Back to authentication Generate public/private key pair (PK,SK); publicize PK How can we know it was really who posted PK? E(KAT, msg to:bob) E(KBT, msg from:alice) KAT KBT Alice Bob KAT KBT Can we achieve authentication without Trent in the middle of every message?

7 Authentication with public keys Trent (PKT, SKT) 1. Trent s public key is widely disseminated (pre-installed in browsers/operating systems) Alice Bob

8 Authentication with public keys Trent (PKT, SKT) 1. Trent s public key is widely disseminated (pre-installed in browsers/operating systems) Alice PKT Bob PKT

9 Authentication with public keys Trent (PKT, SKT) 1. Trent s public key is widely disseminated (pre-installed in browsers/operating systems) Alice PKT (PKA, SKA) 2. Alice generates a public/private key pair and asks Trent to bind her PKA to her identity Bob PKT

10 Authentication with public keys Trent Alice (PKT, SKT) Trent vets Alice PKT (PKA, SKA) 1. Trent s public key is widely disseminated (pre-installed in browsers/operating systems) 2. Alice generates a public/private key pair and asks Trent to bind her PKA to her identity Bob PKT

11 Authentication with public keys Trent (PKT, SKT) 1. Trent s public key is widely disseminated (pre-installed in browsers/operating systems) Alice Trent vets Alice PKT (PKA, SKA) 2. Alice generates a public/private key pair and asks Trent to bind her PKA to her identity Bob PKT 3. Trent signs a message (with SKT): The owner of the secret key corresponding to PKA is Alice

12 Authentication with public keys Trent (PKT, SKT) 1. Trent s public key is widely disseminated (pre-installed in browsers/operating systems) Alice Trent vets Alice PKT (PKA, SKA) 2. Alice generates a public/private key pair and asks Trent to bind her PKA to her identity Bob PKT 3. Trent signs a message (with SKT): The owner of the secret key corresponding to PKA is Alice This message + sig = Certificate

13 Authentication with public keys Trent (PKT, SKT) 1. Trent s public key is widely disseminated (pre-installed in browsers/operating systems) Alice Bob Trent vets Alice PKT (PKA, SKA) Alice = PKA PKT 2. Alice generates a public/private key pair and asks Trent to bind her PKA to her identity 3. Trent signs a message (with SKT): The owner of the secret key corresponding to PKA is Alice This message + sig = Certificate

14 Authentication with public keys Trent (PKT, SKT) 4. Alice makes her certificate publicly available (or Bob simply asks for it) Alice PKT (PKA, SKA) Alice = PKA Bob PKT

15 Authentication with public keys Trent (PKT, SKT) 4. Alice makes her certificate publicly available (or Bob simply asks for it) Alice PKT (PKA, SKA) Alice = PKA Bob PKT Alice = PKA

16 Authentication with public keys Trent (PKT, SKT) 4. Alice makes her certificate publicly available (or Bob simply asks for it) Alice PKT (PKA, SKA) Alice = PKA 5. Bob verifies the certificate using PKT Bob PKT Alice = PKA

17 Authentication with public keys Trent (PKT, SKT) 4. Alice makes her certificate publicly available (or Bob simply asks for it) Alice PKT (PKA, SKA) Alice = PKA 5. Bob verifies the certificate using PKT If Bob trusts Trent, then Bob trusts that he properly vetted Alice, and thus that her public key is PKA Bob PKT Alice = PKA

18 Authentication with public keys Trent (PKT, SKT) 4. Alice makes her certificate publicly available (or Bob simply asks for it) Alice Bob PKT (PKA, SKA) Alice = PKA PKT Alice = PKA 5. Bob verifies the certificate using PKT If Bob trusts Trent, then Bob trusts that he properly vetted Alice, and thus that her public key is PKA 6. Bob (via hybrid encryption) sends a message to Alice using her public key PKA

19 Authentication with public keys Trent (PKT, SKT) Properties Trent vets Alice Alice PKT (PKA, SKA) Alice = PKA Bob PKT Alice = PKA

20 Authentication with public keys Trent (PKT, SKT) Properties Alice Trent vets Alice PKT (PKA, SKA) Alice = PKA Trent need be online only when giving out certificates, not any time users want to communicate with one another Bob PKT Alice = PKA

21 Authentication with public keys Trent (PKT, SKT) Properties Alice Bob Trent vets Alice PKT (PKA, SKA) Alice = PKA PKT Alice = PKA Trent need be online only when giving out certificates, not any time users want to communicate with one another Alice and Bob can communicate in an authenticated manner without having to go through Trent

22 Authentication with public keys Trent Alice (PKT, SKT) Trent vets Alice PKT (PKA, SKA) Alice = PKA Trust assumptions from our symmetric key protocol: 1. Do not read messages 2. Do not alter messages 3. Do not forge messages 4. Do not go offline Bob PKT Alice = PKA

23 Authentication with public keys Trent Alice Bob (PKT, SKT) Trent vets Alice PKT (PKA, SKA) Alice = PKA PKT Alice = PKA Trust assumptions from our symmetric key protocol: 1. Do not read messages 2. Do not alter messages 3. Do not forge messages 4. Do not go offline Trust assumptions in this public key protocol: 1. Correctly vet users (Some more in practice )

24 TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication - Confidentiality by applying block & stream ciphers - Integrity with MACs - Authenticity with certificates Predecessor: SSL (secure sockets layer) - TLS was proposed as an upgrade - All versions of SSL are considered insecure (recently, the POODLE padding oracle attack) Host A TCP/IP TLS or SSL Host B TCP/IP: Host A and B can send packets to one another TLS/SSL: operate over TCP/IP to ensure security/authenticity

25 TLS/SSL protocol (high level) Browser (initiates connection) Server (authenticates itself) Compute K based on nonces & PreMaster Client hello Version, crypto options, nonce Server hello + server cert (PKs) Version, crypto options, nonce, Signed certificate containing the server s public key PKs Server key exchange (when using DH) Client key exchange PreMaster secret encrypted with server s PKs ~~~~~~~Switch to negotiated cipher~~~~~~~ Data transmission Compute K based on nonces & PreMaster

26 (Credit: CloudFlare) Only the server with the private key should be able to decrypt

27 (Credit: CloudFlare) Only the server with the private key should be able to sign

28 AUTHENTICATED DIFFIE-HELLMAN Both of these serve as a challenge/response protocol: The client is challenging the server to prove that it knows the secret key corresponding to the public key in the certificate The server is providing a zero-knowledge proof : The server proves that it knows the secret key without having to reveal the secret key itself The key property that makes this work: The only person who knows the secret key is the entity in the certificate

29 Certificate revocation 3. Trent signs a message (with SKT): The owner of the secret key corresponding to PKA is Alice This message + sig = Certificate Put another way: The only person who knows SKA is Alice What happens if Alice s key gets compromised? (Stolen, accidentally revealed, )

30 Certificate revocation Trent (PKT, SKT) Please revoke my certificate (ID #3912 ) Alice

31 Certificate revocation Trent Please revoke my certificate (ID #3912 ) (PKT, SKT) Trent signs a message (with SKT): Certificate ID #3912 is no longer valid, as of April 5, Alice

32 Certificate revocation Trent Please revoke my certificate (ID #3912 ) Alice (PKT, SKT) Trent signs a message (with SKT): Certificate ID #3912 is no longer valid, as of April 5, This message + sig = revocation

33 Certificate revocation Trent Please revoke my certificate (ID #3912 ) Alice (PKT, SKT) Trent signs a message (with SKT): Certificate ID #3912 is no longer valid, as of April 5, This message + sig = revocation Bob obtains revocation information Bob

34 Obtaining revocation data Certificate Revocation Lists (CRLs) A (often large) signed list of revocations Trent Certificate ID #3912 is no longer valid, as of April 5,

35 Obtaining revocation data Certificate Revocation Lists (CRLs) A (often large) signed list of revocations Trent Certificate ID #3912 is no longer valid, as of April 5, Browsers and OSes occasionally download CRLs Bob

36 Obtaining revocation data Certificate Revocation Lists (CRLs) A (often large) signed list of revocations Trent Certificate ID #3912 is no longer valid, as of April 5, Browsers and OSes occasionally download CRLs Bob Disincentive: CRLs can be large, so it takes time & bandwidth

37 Obtaining revocation data Certificate Revocation Lists (CRLs) A (often large) signed list of revocations Trent Certificate ID #3912 is no longer valid, as of April 5, Browsers and OSes occasionally download CRLs Bob Disincentive: CRLs can be large, so it takes time & bandwidth Result: delayed days/weeks/forever

38 Obtaining revocation data Online Certificate Status Protocol (OCSP) Browsers and OSes perform OCSP checks on-demand (when verifying the certificate) Bob Trent

39 Obtaining revocation data Online Certificate Status Protocol (OCSP) Browsers and OSes perform OCSP checks on-demand (when verifying the certificate) Bob Is certificate ID #3912 still valid? Trent

40 Obtaining revocation data Online Certificate Status Protocol (OCSP) Browsers and OSes perform OCSP checks on-demand (when verifying the certificate) Bob Is certificate ID #3912 still valid? Trent Certificate ID #3912 is still longer valid, as of April 5, SKT

41 Obtaining revocation data Online Certificate Status Protocol (OCSP) Browsers and OSes perform OCSP checks on-demand (when verifying the certificate) Bob Is certificate ID #3912 still valid? Trent Certificate ID #3912 is still longer valid, as of April 5, SKT Disincentive: Still delays the initial validation of the certificate (can increase webpage load time)

42 Obtaining revocation data OCSP Stapling Websites issue OCSP requests, include responses in initial handshake Alice Is certificate ID #3912 still valid? Trent Certificate ID #3912 is still longer valid, as of April 5, SKT Alice forwards this to Bob along with the certificate when they first start to communicate

43 Certificate revocation responsibilities Alice s responsibility: Request revocations Trent s responsibility: Make revocations publicly available Bob s responsibility: Check for revocations

44 Certificates in the wild The lock icon indicates that the browser was able to authenticate the other end, i.e., validate its certificate

45 Certificate chain Subject (who owns the public key) Common name: the URL of the subject Issuer (who verified the identity and signed this certificate)

46 Verifying certificates Browser Certificate I m because says so

47 Verifying certificates Browser Certificate I m because says so Certificate I m because says so

48 Verifying certificates Browser Certificate I m because I say so! Certificate I m because says so Certificate I m because says so

49 Verifying certificates Browser Certificate I m because I say so! Certificate I m because says so Certificate I m because says so

50 Verifying certificates Browser Certificate I m because I say so! Certificate Root key store Every device has one Must not contain malicious certificates I m because says so Certificate I m because says so

51 Verifying certificates Browser Certificate I m because I say so! Certificate I m because says so Certificate I m because says so

52 Verifying certificates Browser Certificate I m because I say so! Certificate I m because says so Certificate I m because says so

53 Verifying certificates Certificate I m because I say so! Browser Certificate I m because says so Certificate I m because says so

54 Verifying certificates Certificate I m because I say so! Browser Certificate I m because says so Certificate I m because says so

55 Verifying certificates Certificate I m because I say so! Certificate I m because says so Browser Certificate I m because says so

56 Verifying certificates Certificate I m because I say so! Certificate I m because says so Browser Certificate I m because says so

57 Serial number: Uniquely identifies this cert with respect to the issuer (look for this in CRLs) Signature algorithm: How the issuer will sign parts of the cert Not valid before/after: When to start and stop believing this cert (start & expiration dates) The public key: And the issuer s signature of the public key

58 Subject Alternate Names: Other URLs for which this cert should be considered valid. (wellsfargo.com is not the same as Can include wildcards, e.g., *.google.com

59 Subject Alternate Names: The spirit is that it represents different domain names of the same entity (google.com, google.co.uk, youtube.com, ) The letter of the rule doesn t say that they need to be the same company or really have anything in common

60 Subject Alternate Names: The spirit is that it represents different domain names of the same entity (google.com, google.co.uk, youtube.com, ) The letter of the rule doesn t say that they need to be the same company or really have anything in common

61 Subject Alternate Names: Other URLs for which this cert should be considered valid. (wellsfargo.com is not the same as Can include wildcards, e.g., *.google.com CRL & OCSP: Where to go to check if this certificate has been revoked Non-cryptographic checksums

62 Certificate types Certificates can be classified in two broad ways What the certificate can be used for Signing (root and intermediate certs) Encrypting (leaf certs) The type of vetting process used DV (Domain validation) Prove administrative access to the domain, e.g., by uploading a file OV (Organization validation) Prove ownership of the organization that owns the domain EV (Extended validation) More extensive validation ($$)

63 Certificate types Why are these different?

64 Certificate types Why are these different? This is an EV (extended validation) certificate; browsers show the full name for these kinds of certs

65 Proper reaction to Heartbleed 1. Patch the software 2. Reissue a new key (get a new one and load it onto your servers) 3. Revoke the old key

66 Proper reaction to Heartbleed 1. Patch the software 2. Reissue a new key (get a new one and load it onto your servers) 3. Revoke the old key Order matters! If we reissued and then patched, then our new key would be compromised, too. If we revoked first, we d be offline.

67 Heartbleed OpenSSL

68 Heartbleed hi 2 OpenSSL

69 Heartbleed hi 2 hi OpenSSL

70 Heartbleed OpenSSL

71 Heartbleed hi 22 OpenSSL

72 Heartbleed hi 22 hi +20B from memory OpenSSL < 2 16

73 Heartbleed hi 22 hi +20B from memory OpenSSL < 2 16 Potentially reveals user data and private keys Heartbleed exploits were undetectable

74 Why study Heartbleed? Discovered Akamai patched Publicly announced 03/21 04/02 04/07

75 Why study Heartbleed? Discovered Akamai patched Publicly announced 03/21 04/02 04/07 Every vulnerable website should have: 1 Patched 2 Revoked 3 Reissued

76 Why study Heartbleed? Discovered Akamai patched Publicly announced 03/21 04/02 04/07 Every vulnerable website should have: 1 Patched 2 Revoked 3 Reissued Heartbleed is a natural experiment: How quickly and thoroughly do administrators act?

77 Dataset Rapid7 data 22M certs (~1/wk for 6mos)

78 Dataset Rapid7 data 22M certs (~1/wk for 6mos) filter 2.8M certs Alexa Top-1M CAs 9k certs

79 Dataset 2.8M certs Alexa Top-1M Rapid7 data filter validate Leaf Set 22M certs (~1/wk for 6mos) CAs 9k certs 628k certs 165k domains

80 Dataset 2.8M certs Alexa Top-1M Rapid7 data filter validate Leaf Set 22M certs (~1/wk for 6mos) CAs 9k certs 628k certs 165k domains Download CRLs Detect vulnerability Identify Heartbleed-induced reissues & revocations

81 Dataset 2.8M certs Alexa Top-1M Rapid7 data filter validate Leaf Set 22M certs (~1/wk for 6mos) CAs 9k certs 628k certs 165k domains Download CRLs Detect vulnerability Identify Heartbleed-induced reissues & revocations

82 Prevalence and patch rates Fraction of Domains Vulnerable to Heartbleed Was ever vulnerable Still vulnerable Still after vulnerable 3 weeks e+06 Alexa Site Rank (bins of 1000)

83 Prevalence and patch rates Fraction of Domains Vulnerable to Heartbleed Was ever vulnerable Still vulnerable Still after vulnerable 3 weeks e+06 Alexa Site Rank (bins of 1000)

84 Prevalence and patch rates Fraction of Domains Vulnerable to Heartbleed Was ever vulnerable Still vulnerable Still after vulnerable 3 weeks e+06 Alexa Site Rank (bins of 1000) Patching rates are mostly positive Only ~7% had not patched within 3 weeks

85 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Not revoked Not reissued /07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date

86 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Ideal Not revoked Not reissued /07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date

87 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Ideal Not revoked Not reissued /07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date

88 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Ideal 3 wks Not revoked Not reissued /07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date

89 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Ideal 3 wks Not revoked Not reissued /07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date Similar pattern to patches: Exponential drop-off, then levels out After 3 weeks: 13% Revoked

90 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued /07 04/11 04/15 04/19 04/23 04/27 Date

91 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued 1 Ideal /07 04/11 04/15 04/19 04/23 04/27 Date

92 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Ideal Not revoked /07 04/11 04/15 04/19 04/23 04/27 Date

93 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Ideal Not revoked /07 04/11 04/15 04/19 04/23 04/27 Date Similar pattern to patches: Exponential drop-off, then levels out

94 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Ideal Not revoked /07 04/11 04/15 04/19 04/23 04/27 Date Similar pattern to patches: Exponential drop-off, then levels out After 3 weeks: 13% Revoked

95 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Not revoked /07 04/11 04/15 04/19 04/23 04/27 Date Similar pattern to patches: Exponential drop-off, then levels out After 3 weeks: 13% Revoked

96 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Not revoked /07 04/11 04/15 04/19 04/23 04/27 Date Similar pattern to patches: Exponential drop-off, then levels out After 3 weeks: 13% Revoked

97 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued /07 04/11 04/15 04/19 04/23 04/27 Date

98 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued 1 Ideal /07 04/11 04/15 04/19 04/23 04/27 Date

99 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Ideal Not revoked Not reissued /07 04/11 04/15 04/19 04/23 04/27 Date

100 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Ideal Not revoked Not reissued /07 04/11 04/15 04/19 04/23 04/27 Date Similar pattern to patches: Exponential drop-off, then levels out

101 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Ideal Not revoked Not reissued /07 04/11 04/15 04/19 04/23 04/27 Date Similar pattern to patches: Exponential drop-off, then levels out After 3 weeks: 13% Revoked 27% Reissued

102 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Optimistic Not revoked Not reissued /07 04/11 04/15 04/19 04/23 04/27 Date Similar pattern to patches: Exponential drop-off, then levels out After 3 weeks: 13% Revoked 27% Reissued

103 How quickly were certs revoked? Number of Domains/Day /01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date

104 How quickly were certs revoked? Number of Domains/Day /01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date Reaction ramps up quickly

105 How quickly were certs revoked? Number of Domains/Day /01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date Reaction ramps up quickly

106 How quickly were certs revoked? Number of Domains/Day Weekends /01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date Reaction ramps up quickly Security takes the weekends off

107 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued wks Not revoked Not reissued /07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date

108 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued wks Not revoked Not reissued /07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date

109 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued wks Not revoked Not reissued /07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date Similar pattern to patches: Exponential drop-off, then levels out After 3 weeks: 13% Revoked 27% Reissued

110 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Ideal Not revoked Not reissued /07 04/11 04/15 04/19 04/23 04/27 Date

111 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Ideal Not revoked Not reissued /07 04/11 04/15 04/19 04/23 04/27 Date

112 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Ideal Not revoked Not reissued /07 04/11 04/15 04/19 04/23 04/27 Date Similar pattern to patches: Exponential drop-off, then levels out After 3 weeks: 13% Revoked 27% Reissued

113 Certificate update rates Frac. of Vulnerable Certs not Revoked/Reissued Optimistic Not revoked Not reissued /07 04/11 04/15 04/19 04/23 04/27 Date Similar pattern to patches: Exponential drop-off, then levels out After 3 weeks: 13% Revoked 27% Reissued

114 Reissue New key? Fraction of New Certificates Reissued with the Same Key All reissues 0 Heartbleed-induced reissues 11/ / / / / / /2014 Date of Birth

115 Reissue New key? Fraction of New Certificates Reissued with the Same Key All reissues 0 Heartbleed-induced reissues 11/ / / / / / /2014 Date of Birth

116 Reissue New key? Fraction of New Certificates Reissued with the Same Key All reissues 0 Heartbleed-induced reissues 11/ / / / / / /2014 Date of Birth Reissuing the same key is common practice 4.1% Heartbleed-induced

117 The ugly truth of revocations 93% Patched 13% Revoked 27% Reissued Security is supposed to be a fundamental design goal, but Administrators trade off security for ease of maintenance/cost Certificate authorities trade off security for profit

118 Can we wait for expiration? CDF Years of Remaining Validity

119 Can we wait for expiration? 1 Vulnerable but not revoked 0.8 CDF Years of Remaining Validity

120 Can we wait for expiration? 1 Vulnerable but not revoked CDF ~40% of vulnerable certs will not expire for over 1 year Years of Remaining Validity

121 Can we wait for expiration? 1 Vulnerable but not revoked CDF ~40% of vulnerable certs will not expire for over 1 year Years of Remaining Validity We may be dealing with Heartbleed for years

122 Testing browser behavior Revocation protocols Browsers should support all major protocols CRLs, OCSP, OCSP stapling Availability of revocation info Browsers should reject certs they cannot check E.g., because the OCSP server is down Chain lengths Browsers should reject a cert if any on the chain fail Leaf, intermediate(s), root

123 Testing browser behavior Revocation protocols Browsers should support all major protocols CRLs, OCSP, OCSP stapling Availability of revocation info Browsers should reject certs they cannot check E.g., because the OCSP server is down Chain lengths Browsers should reject a cert if any on the chain fail Leaf, intermediate(s), root Root Intermediate Intermediate Leaf

124 Testing browser behavior Revocation protocols Browsers should support all major protocols CRLs, OCSP, OCSP stapling Availability of revocation info Browsers should reject certs they cannot check E.g., because the OCSP server is down Chain lengths Browsers should reject a cert if any on the chain fail Leaf, intermediate(s), root Root signs Intermediate Intermediate Leaf

125 Testing browser behavior Revocation protocols Browsers should support all major protocols CRLs, OCSP, OCSP stapling Availability of revocation info Browsers should reject certs they cannot check E.g., because the OCSP server is down Chain lengths Browsers should reject a cert if any on the chain fail Leaf, intermediate(s), root Root signs Intermediate Intermediate Leaf

126 Testing browser behavior Revocation protocols Browsers should support all major protocols CRLs, OCSP, OCSP stapling Availability of revocation info Browsers should reject certs they cannot check E.g., because the OCSP server is down Chain lengths Browsers should reject a cert if any on the chain fail Leaf, intermediate(s), root Root signs Intermediate Intermediate Leaf

127 Results across all browsers Passes test Fails test ev Passes for EV certs i Ignores OCSP Staple a Pops up alert to user l/w Passes on Linux/Win.

128 Results across all browsers Chrome Generally, only checks for EV certs ~3% of all certs Allows if revocation info unavailable Supports OCSP stapling Passes test Fails test ev Passes for EV certs i Ignores OCSP Staple a Pops up alert to user l/w Passes on Linux/Win.

129 Results across all browsers Firefox Never checks CRLs Only checks intermediates for EV certs Allows if revocation info unavailable Supports OCSP stapling Passes test Fails test ev Passes for EV certs i Ignores OCSP Staple a Pops up alert to user l/w Passes on Linux/Win.

130 Results across all browsers Safari Checks CRLs and OCSP Allows if revocation info unavailable Except for first intermediate, for CRLs Does not support OCSP stapling Passes test Fails test ev Passes for EV certs i Ignores OCSP Staple a Pops up alert to user l/w Passes on Linux/Win.

131 Results across all browsers Internet Explorer Checks CRLs and OCSP Often rejects if revocation info unavailable Pops up alert for leaf in IE 10+ Supports OCSP stapling Passes test Fails test ev Passes for EV certs i Ignores OCSP Staple a Pops up alert to user l/w Passes on Linux/Win.

132 Results across all browsers Mobile Browsers Uniformly never check Android browsers request Staple and promptly ignore it Passes test Fails test ev Passes for EV certs i Ignores OCSP Staple a Pops up alert to user l/w Passes on Linux/Win.

133 PKI CONCLUSION The PKI is how we know with whom we are communicating online The PKI s job is to bind human-understandable identities (domain names) to cryptographic keys (public keys) The central mechanism for this is certificates: digital signatures from trusted entities that tie domain names and public keys together TLS along with Diffie-Hellman leverages public key crypto to arrive at ephemeral session keys (symmetric keys) There is significant mismanagement in today s PKI: Websites don t revoke or get new certs ( reissue ) when they should Browsers don t check for revocations when they should Websites share their private keys with their hosting providers Improving the web s PKI is an active area of research (securepki.org)

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea Cryptography SSL/TLS Network Security Workshop 3-5 October 2017 Port Moresby, Papua New Guinea 1 History Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent

More information

Cryptographic Protocols 1

Cryptographic Protocols 1 Cryptographic Protocols 1 Luke Anderson luke@lukeanderson.com.au 5 th May 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Problem with Diffie-Hellman 2.1 Session Hijacking 2.2 Encrypted Key Exchange

More information

But where'd that extra "s" come from, and what does it mean?

But where'd that extra s come from, and what does it mean? SSL/TLS While browsing Internet, some URLs start with "http://" while others start with "https://"? Perhaps the extra "s" when browsing websites that require giving over sensitive information, like paying

More information

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from Lecture 15 PKI & Authenticated Key Exchange COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Today We will see how signatures are used to create public-key infrastructures

More information

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSL/TLS & 3D Secure CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSLv2 Brief History of SSL/TLS Released in 1995 with Netscape 1.1 Key generation algorithm

More information

Crypto meets Web Security: Certificates and SSL/TLS

Crypto meets Web Security: Certificates and SSL/TLS CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

More information

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment. CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How

More information

Diffie-Hellman. Part 1 Cryptography 136

Diffie-Hellman. Part 1 Cryptography 136 Diffie-Hellman Part 1 Cryptography 136 Diffie-Hellman Invented by Williamson (GCHQ) and, independently, by D and H (Stanford) A key exchange algorithm o Used to establish a shared symmetric key Not for

More information

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Brad Karp UCL Computer Science CS GZ03 / M030 20 th November 2017 What Problems Do SSL/TLS Solve? Two parties, client and server, not previously

More information

Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem

Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem Frank Cangialosi, Taejoong Chung, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson How do we know with whom

More information

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

ICS 180 May 4th, Guest Lecturer: Einar Mykletun ICS 180 May 4th, 2004 Guest Lecturer: Einar Mykletun 1 Symmetric Key Crypto 2 Symmetric Key Two users who wish to communicate share a secret key Properties High encryption speed Limited applications: encryption

More information

Information Security CS 526

Information Security CS 526 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric

More information

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney. Overview of SSL/TLS Luke Anderson luke@lukeanderson.com.au 12 th May 2017 University Of Sydney Overview 1. Introduction 1.1 Raw HTTP 1.2 Introducing SSL/TLS 2. Certificates 3. Attacks Introduction Raw

More information

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology Cryptography & Key Exchange Protocols Faculty of Computer Science & Engineering HCMC University of Technology Outline 1 Cryptography-related concepts 2 3 4 5 6 7 Key channel for symmetric cryptosystems

More information

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Security Achieved by

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through

More information

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018 Distributed Systems 25. Authentication Paul Krzyzanowski Rutgers University Fall 2018 2018 Paul Krzyzanowski 1 Authentication For a user (or process): Establish & verify identity Then decide whether to

More information

Securing Internet Communication: TLS

Securing Internet Communication: TLS Securing Internet Communication: TLS CS 161: Computer Security Prof. David Wagner March 11, 2016 Today s Lecture Applying crypto technology in practice Two simple abstractions cover 80% of the use cases

More information

CS Computer Networks 1: Authentication

CS Computer Networks 1: Authentication CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores

More information

Proving who you are. Passwords and TLS

Proving who you are. Passwords and TLS Proving who you are Passwords and TLS Basic, fundamental problem Client ( user ) How do you prove to someone that you are who you claim to be? Any system with access control must solve this Users and servers

More information

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure Professor Henry Carter Fall 2018 Recap Digital signatures provide message authenticity and integrity in the public-key setting As well as public

More information

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic. 15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS

More information

UNIT - IV Cryptographic Hash Function 31.1

UNIT - IV Cryptographic Hash Function 31.1 UNIT - IV Cryptographic Hash Function 31.1 31-11 SECURITY SERVICES Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service

More information

CS November 2018

CS November 2018 Authentication Distributed Systems 25. Authentication For a user (or process): Establish & verify identity Then decide whether to allow access to resources (= authorization) Paul Krzyzanowski Rutgers University

More information

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1 Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions

More information

E-commerce security: SSL/TLS, SET and others. 4.1

E-commerce security: SSL/TLS, SET and others. 4.1 E-commerce security: SSL/TLS, SET and others. 4.1 1 Electronic payment systems Purpose: facilitate the safe and secure transfer of monetary value electronically between multiple parties Participating parties:

More information

Encryption. INST 346, Section 0201 April 3, 2018

Encryption. INST 346, Section 0201 April 3, 2018 Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:

More information

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Data Security and Privacy. Topic 14: Authentication and Key Establishment Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt

More information

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

Introduction to SSL. Copyright 2005 by Sericon Technology Inc. Introduction to SSL The cornerstone of e-commerce is a Web site s ability to prevent eavesdropping on data transmitted to and from its site. Without this, consumers would justifiably be afraid to enter

More information

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Authentication Professor Trent Jaeger 1 Kerberos History: from UNIX to Networks (late 80s) Solves: password eavesdropping Also mutual authentication

More information

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Authentication Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 Kerberos History: from UNIX to Networks (late

More information

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS

More information

Cryptography (Overview)

Cryptography (Overview) Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography

More information

Digital Certificates Demystified

Digital Certificates Demystified Digital Certificates Demystified Ross Cooper, CISSP IBM Corporation RACF/PKI Development Poughkeepsie, NY Email: rdc@us.ibm.com August 9 th, 2012 Session 11622 Agenda Cryptography What are Digital Certificates

More information

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 3 Due: Monday, 11/28/2016 at 11:55pm PT Solution: Will be posted

More information

Legacy of Heartbleed: MITM and Revoked Certificates. Alexey Busygin NeoBIT

Legacy of Heartbleed: MITM and Revoked Certificates. Alexey Busygin NeoBIT Legacy of Heartbleed: MITM and Revoked Certificates Alexey Busygin busygin@neobit.ru NeoBIT Notable Private Key Leaks 2010 DigiCert Sdn Bhd. issued certificates with 512-bit keys 2012 Trustwave issued

More information

When HTTPS Meets CDN

When HTTPS Meets CDN When HTTPS Meets CDN A Case of Authentication in Delegated Service Jinjin Liang 1, Jian Jiang 1, Haixin Duan 1, Kang Li 2, Tao Wan 3, Jianping Wu 1 1 Tsinghua University 2 University of Georgia 3 Huawei

More information

CIS 5373 Systems Security

CIS 5373 Systems Security CIS 5373 Systems Security Topic 4.3: Network Security SSL/TLS Endadul Hoque Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) Analysis of the HTTPS Certificate

More information

Key Management and Distribution

Key Management and Distribution Key Management and Distribution Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

More information

Datasäkerhetsmetoder föreläsning 7

Datasäkerhetsmetoder föreläsning 7 Datasäkerhetsmetoder föreläsning 7 Nyckelhantering Jan-Åke Larsson Cryptography A security tool, not a general solution Cryptography usually converts a communication security problem into a key management

More information

Public-Key Infrastructure NETS E2008

Public-Key Infrastructure NETS E2008 Public-Key Infrastructure NETS E2008 Many slides from Vitaly Shmatikov, UT Austin slide 1 Authenticity of Public Keys? private key Alice Bob public key Problem: How does Alice know that the public key

More information

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7. Lecture 13 Public Key Distribution (certification) 1 PK-based Needham-Schroeder TTP 1. A, B 4. B, A 2. {PKb, B}SKT B}SKs 5. {PK a, A} SKT SKs A 3. [N a, A] PKb 6. [N a, N b ] PKa B 7. [N b ] PKb Here,

More information

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 3 Due: Monday, 11/28/2016 at 11:55pm PT Solution: Will be posted

More information

Lecture Notes 14 : Public-Key Infrastructure

Lecture Notes 14 : Public-Key Infrastructure 6.857 Computer and Network Security October 24, 2002 Lecture Notes 14 : Public-Key Infrastructure Lecturer: Ron Rivest Scribe: Armour/Johann-Berkel/Owsley/Quealy [These notes come from Fall 2001. These

More information

SSL Report: bourdiol.xyz ( )

SSL Report: bourdiol.xyz ( ) Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > bourdiol.xyz > 217.70.180.152 SSL Report: bourdiol.xyz (217.70.180.152) Assessed on: Sun Apr 19 12:22:55 PDT 2015 HIDDEN

More information

T Cryptography and Data Security

T Cryptography and Data Security T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use

More information

Kurose & Ross, Chapters (5 th ed.)

Kurose & Ross, Chapters (5 th ed.) Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and

More information

Lecture 2 Applied Cryptography (Part 2)

Lecture 2 Applied Cryptography (Part 2) Lecture 2 Applied Cryptography (Part 2) Patrick P. C. Lee Tsinghua Summer Course 2010 2-1 Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-2

More information

Chapter 9: Key Management

Chapter 9: Key Management Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange

More information

Key Management and Distribution

Key Management and Distribution 2 and Distribution : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015 css441y15s2l10, Steve/Courses/2015/s2/css441/lectures/key-management-and-distribution.tex,

More information

SSL Report: printware.co.uk ( )

SSL Report: printware.co.uk ( ) 1 of 5 26/06/2015 14:27 Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > printware.co.uk SSL Report: printware.co.uk (194.143.166.5) Assessed on: Fri, 26 Jun 2015 12:53:08

More information

L13. Reviews. Rocky K. C. Chang, April 10, 2015

L13. Reviews. Rocky K. C. Chang, April 10, 2015 L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing

More information

Lecture 15 Public Key Distribution (certification)

Lecture 15 Public Key Distribution (certification) 0 < i < 2 n = N X i,y i random secret keys index i = random (secret) value Merkle s Puzzles (1974) Puzzle P i = {index i,x i,s} Y i S fixed string, e.g., " Alice to Bob" { P 0 < i < 2 i n } Pick random

More information

Computer Security Course. Public Key Crypto. Slides credit: Dan Boneh

Computer Security Course. Public Key Crypto. Slides credit: Dan Boneh Computer Security Course. Dawn Song Public Key Crypto Slides credit: Dan Boneh Administra>ve Issues Security is a fast- changing field We cover a broad spectrum of areas in computer security Hence, there

More information

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS Last Updated: Oct 31, 2017 Understand the TLS handshake Understand client/server authentication in TLS RSA key exchange DHE key exchange Explain certificate ownership proofs in detail What cryptographic

More information

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD ERIK JONSSON SCHOOL OF ENGINEERING & COMPUTER SCIENCE Cyber Security Research and Education Institute CS 6324: Information Security Dr. Junia Valente Department of Computer Science The University of Texas

More information

HTTPS is Fast and Hassle-free with Cloudflare

HTTPS is Fast and Hassle-free with Cloudflare HTTPS is Fast and Hassle-free with Cloudflare 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com In the past, organizations had to choose between performance and security when encrypting their

More information

Configuring SSL CHAPTER

Configuring SSL CHAPTER 7 CHAPTER This chapter describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section

More information

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005 Lecture 30 Security April 11, 2005 Cryptography K A ciphertext Figure 7.3 goes here K B symmetric-key crypto: sender, receiver keys identical public-key crypto: encrypt key public, decrypt key secret Symmetric

More information

Configuring SSL. SSL Overview CHAPTER

Configuring SSL. SSL Overview CHAPTER 7 CHAPTER This topic describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section are:

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 11: Public Key Infrastructure Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Public key infrastructure Certificates Trust

More information

SSL/TLS. How to send your credit card number securely over the internet

SSL/TLS. How to send your credit card number securely over the internet SSL/TLS How to send your credit card number securely over the internet The security provided by SSL SSL is implemented at level 4 The transport control layer In practice, SSL uses TCP sockets The underlying

More information

Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14 Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 14 Key Management and Distribution No Singhalese, whether man or woman, would venture

More information

Key Agreement Schemes

Key Agreement Schemes Key Agreement Schemes CSG 252 Lecture 9 November 25, 2008 Riccardo Pucella Key Establishment Problem PK cryptosystems have advantages over SK cryptosystems PKCs do not need a secure channel to establish

More information

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

TLS. RFC2246: The TLS Protocol. (c) A. Mariën - TLS RFC2246: The TLS Protocol What does it achieve? Confidentiality and integrity of the communication Server authentication Eventually: client authentication What is does not do Protect the server Protect

More information

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight

More information

CSC 482/582: Computer Security. Security Protocols

CSC 482/582: Computer Security. Security Protocols Security Protocols Topics 1. Basic Concepts of Cryptography 2. Security Protocols 3. Authentication Protocols 4. Key Exchange Protocols 5. Kerberos 6. Public Key Infrastructure Encryption and Decryption

More information

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols Cryptographic Protocols Topics 1. Dramatis Personae and Notation 2. Session and Interchange Keys 3. Key Exchange 4. Key Generation 5. Cryptographic Key Infrastructure 6. Storing and Revoking Keys 7. Digital

More information

Server-based Certificate Validation Protocol

Server-based Certificate Validation Protocol Server-based Certificate Validation Protocol Digital Certificate and PKI a public-key certificate is a digital certificate that binds a system entity's identity to a public key value, and possibly to additional

More information

Certificates, Certification Authorities and Public-Key Infrastructures

Certificates, Certification Authorities and Public-Key Infrastructures (Digital) Certificates Certificates, Certification Authorities and Public-Key Infrastructures We need to be sure that the public key used to encrypt a message indeed belongs to the destination of the message

More information

Spring 2010: CS419 Computer Security

Spring 2010: CS419 Computer Security Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics

More information

SSL/TLS Server Test of

SSL/TLS Server Test of SSL/TLS Server Test of www.rotenburger-gruene.de Test SSL/TLS implementation of any service on any port for compliance with PCI DSS requirements, HIPAA guidance and NIST guidelines. WWW.ROTENBURGER-GRUENE.DE

More information

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign

More information

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

ח'/סיון/תשע א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms Public Key Cryptography Kurose & Ross, Chapters 8.28.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) AddisonWesley, April 2009. Copyright 19962010,

More information

CS 494/594 Computer and Network Security

CS 494/594 Computer and Network Security CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Real-Time Communication Security Network layers

More information

Chapter 6: Digital Certificates Introduction Authentication Methods PKI Digital Certificate Passing

Chapter 6: Digital Certificates Introduction Authentication Methods PKI Digital Certificate Passing Chapter 6: Digital Certificates Introduction Methods PKI Digital Certificate Passing Prof Bill Buchanan OBE http://asecuritysite.com/crypto06 http://asecuritysite.com/encryption Identity on the Internet

More information

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography Chapter 7: Network security 15-441 Computer Networking Network Security: Cryptography, Authentication, Integrity Foundations: what is security? cryptography authentication message integrity key distribution

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 24 April 16, 2012 CPSC 467b, Lecture 24 1/33 Kerberos Secure Shell (SSH) Transport Layer Security (TLS) Digital Rights Management

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 8: Protocols for public-key management Ion Petre Department of IT, Åbo Akademi University 1 Key management two problems

More information

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS COSC 301 Network Management Lecture 15: SSL/TLS and HTTPS Zhiyi Huang Computer Science, University of Otago COSC301 Lecture 15: SSL/TLS and HTTPS 1 Today s Focus WWW WWW How to secure web applications?

More information

Configuring SSL. SSL Overview CHAPTER

Configuring SSL. SSL Overview CHAPTER CHAPTER 8 Date: 4/23/09 This topic describes the steps required to configure your ACE (both the ACE module and the ACE appliance) as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination.

More information

SSL Report: ( )

SSL Report:   ( ) Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > www.workbench.nationaldataservice.org SSL Report: www.workbench.nationaldataservice.org (141.142.210.100) Assessed on:

More information

SSL Report: cartridgeworld.co.uk ( )

SSL Report: cartridgeworld.co.uk ( ) 1 of 5 26/06/2015 14:21 Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > cartridgeworld.co.uk SSL Report: cartridgeworld.co.uk (95.138.147.104) Assessed on: Fri, 26 Jun

More information

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.

More information

Most Common Security Threats (cont.)

Most Common Security Threats (cont.) Most Common Security Threats (cont.) Denial of service (DoS) attack Distributed denial of service (DDoS) attack Insider attacks. Any examples? Poorly designed software What is a zero-day vulnerability?

More information

Chapter 4: Securing TCP connections

Chapter 4: Securing TCP connections Managing and Securing Computer Networks Guy Leduc Chapter 5: Securing TCP connections Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley, March 2012. (section

More information

Displaying SSL Configuration Information and Statistics

Displaying SSL Configuration Information and Statistics CHAPTER 7 Displaying SSL Configuration Information and Statistics This chapter describes the show commands available for displaying CSS SSL configuration information and statistics and an explanation of

More information

Transport Level Security

Transport Level Security 2 Transport Level Security : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l12, Steve/Courses/2013/s2/css322/lectures/transport.tex,

More information

Chapter 8 Web Security

Chapter 8 Web Security Chapter 8 Web Security Web security includes three parts: security of server, security of client, and network traffic security between a browser and a server. Security of server and security of client

More information

Progressively Securing RIOT-OS!

Progressively Securing RIOT-OS! + Progressively Securing RIOT-OS! USABILITY AND NECESSITY OF SSL / TLS Slide 1 / 33 We re going to talk about: 1. Why is security important? 2. What is SSL? 3. Where is SSL being used? 4. Features: What

More information

Fall 2010/Lecture 32 1

Fall 2010/Lecture 32 1 CS 426 (Fall 2010) Key Distribution & Agreement Fall 2010/Lecture 32 1 Outline Key agreement without t using public keys Distribution of public keys, with public key certificates Diffie-Hellman Protocol

More information

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any

More information

Introduction to Cryptography. Ramki Thurimella

Introduction to Cryptography. Ramki Thurimella Introduction to Cryptography Ramki Thurimella Encryption & Decryption 2 Generic Setting 3 Kerckhoff s Principle Security of the encryption scheme must depend only on The secret key NOT on the secrecy of

More information

SSL / TLS. Crypto in the Ugly Real World. Malvin Gattinger

SSL / TLS. Crypto in the Ugly Real World. Malvin Gattinger SSL / TLS Crypto in the Ugly Real World Malvin Gattinger 2016-03-17 SSL/TLS Figure 1: The General Picture SSL or TLS Goal: Authentication and Encryption Secure Sockets Layer SSL 1 (never released), 2 (1995-2011)

More information

CS /29/17. Paul Krzyzanowski 1. Fall 2016: Question 2. Distributed Systems. Fall 2016: Question 2 (cont.) Fall 2016: Question 3

CS /29/17. Paul Krzyzanowski 1. Fall 2016: Question 2. Distributed Systems. Fall 2016: Question 2 (cont.) Fall 2016: Question 3 Fall 2016: Question 2 You have access to a file of class enrollment lists. Each line contains {course_number, student_id}. Distributed Systems 2017 Pre-exam 3 review Selected questions from past exams

More information

ECE 646 Lecture 3. Key management

ECE 646 Lecture 3. Key management ECE 646 Lecture 3 Key management Required Reading Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E Chapter 14 Key Management and Distribution Using the same key for multiple

More information

CS Certificates, part 2. Prof. Clarkson Spring 2017

CS Certificates, part 2. Prof. Clarkson Spring 2017 CS 5430 Certificates, part 2 Prof. Clarkson Spring 2017 Review: Certificates Digital certificate is a signature binding together: identity of principal public key of that principal (might be encryption

More information

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010 Network Security: TLS/SSL Tuomas Aura T-110.5240 Network security Aalto University, Nov-Dec 2010 Outline 1. Diffie-Hellman 2. Key exchange using public-key encryption 3. Goals of authenticated key exchange

More information

SSL/TLS Server Test of grupoconsultorefe.com

SSL/TLS Server Test of grupoconsultorefe.com SSL/TLS Server Test of grupoconsultorefe.com Test SSL/TLS implementation of any service on any port for compliance with PCI DSS requirements, HIPAA guidance and NIST guidelines. GRUPOCONSULTOREFE.COM FINAL

More information

SSL/TLS FOR MORTALS.

SSL/TLS FOR MORTALS. SSL/TLS FOR MORTALS maartenm@infosupport.com @mthmulders Exception in thread "main" javax.net.ssl.sslhandshakeexception: sun.security.validator.validatorexception: PKIX path building failed: sun at sun.security.ssl.alerts.getsslexception(alerts.java:192)

More information