TLS/SSL PROTOCOL

BY:KRUTHI BHARADWAJKEERTHANA R

TLS PROTOCOL

•The Transport Layer Security (TLS) protocol was released in January 1999

•Allows client/server applications to communicate without eavesdropping, tampering or Message forgery

DEFINITION:

WHY DO WE NEED TLS PROTOCOL? Protecting sensitive or private data is serious business. Specially, in cases like credit card transactions. Hence, to encrypt the data being exchanged, we use TLS protocol.

GOALS OF TLS:•To securely encrypt data being exchanged•To guarantee the identity of one or both parties•To prevent data tampering•To prevent replay attacks

• A common misconception is is that encryption is the core goal and the others are non-essential.• Encryption of the data being transmitted requires that the other party to be capable of decrypting the data. This is possible because the client and the server will agree on an encryption key for a secure connection.• A Man-In-The-Middle (MitM) Attack might be possible.•This would allow the attacker to decrypt all data sent by the client.

SOLUTION:•Ability to verify the identity of the server that the client is communicating with.•Without that verification check, we have no way of telling the difference.

TRANSPORT LAYER VULNERABILITY:EXAMPLE:

•Data that goes through SSL protocols is encrypted with a key that will not reveal its secrets unless it detects the secure server •This interaction is called a "handshake”

CONVENTIONAL CRYPTOGRAPHY

•Symmetric cryptography•Requires the sender and receiver to share a key• As long as this key is kept secret, nobody other than the sender or recipient can read the message.

PUBLIC KEY CRYPTOGRAPHY

•Asymmetric cryptography, solves the key exchange problem by an algorithm which uses two keys• If one key is used to encrypt a message then the other must be used to decrypt it

WORKING PRINCIPLE:

SERVERCLIENT

CLIENT

CLIENT SERVER

SERVER

VERIFICATION CERTIFICATE SENT BY THE SERVER TO THE CLIENT:

ADVANTAGES:

• TLS is probably the most used security on the internet.• Do not need any Operating system support.• When messages are exchanged over the Internet, they are checked while transmitting from one computer to another. Hence, reliable.• TLS protocol stops a third party access unless, authenticated by authorized users• TLS is in use by most web browsers

APPLICATIONS OF TLS:

• LDAP (Lightweight Directory Access Protocol): software protocol for enabling anyone to locate organizations, individuals (public Internet or on a corporate intranet)

• SASL (Simple Authentication and Security Layer): framework for authentication and data security in Internet protocols

• BEEP (Blocks Extensible Exchange Protocol): authentication for connection and message-oriented peer-to-peer (P2P) protocols • SMTP (Simple Mail Transfer Protocol):• IMAP (Internet Message Access Protocol):• POP3 (Post Office Protocol 3):(Most recent version. E-mail is received and held for you by your Internet server)

is a TCP/IP protocol used in sending and receiving e-mail

The Secure Sockets Layer (SSL) Protocol

Overview

• What is SSL?• How does SSL work?• How to implement SSL?• Summary

What is SSL?

• A protocol developed by Netscape. • It is a whole new layer of protocol which

operates above the Internet TCP protocol and below high-level application protocols.

What Can SSL Do?

• SSL uses TCP/IP on behalf of the higher-level protocols.

• Allows an SSL-enabled server to authenticate itself to an SSL-enabled client;

• Allows the client to authenticate itself to the server;

• Allows both machines to establish an encrypted connection.

•SSL server authentication.•SSL client authentication. (optional)•An encrypted SSL connection or Confidentiality. This protects against electronic eavesdropper.•Integrity. This protects against hackers.•SSL includes two sub-protocols: the SSL Record Protocol and the SSL Handshake Protocol.•Record Protocol -- defines the format used to transmit data.•Handshake Protocol -- using the Record protocol to exchange messages b/t an SSL-enable server and an SSL-enable client.

Two Useful Terms

1.A certificate.• A certificate has the following content:

1. The certificate issuer’s name 2. The entity for whom the certificate is being issued . 3. The public key of the subject 4. Some time stamps

2. A digital signature -- A message digest derived from the original one, has following important properties:1. The digest is difficult to reverse2. It is hard to find a different message that computed to the same digest value.

SSL Architecture

SSL Working

• A client and a server create a secure connection

• The SSL protocol uses RSA public key cryptography for Internet Security.

• Public key encryption uses a pair of asymmetric keys for encryption and decryption.

Each pair of keys consists of a public key and a private key. The public key is made public by distributing it widely; the private key is always kept secret.Data encrypted with the public key can be decrypted only with the private key, and vice versa.

Advantages of SSL:

• Encrypts information• Authentication-improves customers trust• Guards against phishing attacks• Better search engine rankings

Summary

• SSL -- the Record Protocol and the Handshake Protocol.

• How to create a secure connection b/w a client and a server.

Thank you!