BASICS OF
SSL
AGENDA
• SSL Evolution
• SSL Handshakes
• Man in the Middle: Proxy Tools, SSLStrip
• Recent Attacks on SSL
• Security guidelines while configuring SSL
SSL EVOLUTION
• SSL 1.0: Developed by Netscape. Never publicly released.
• SSL 2.0: Released by Netscape in 1995. Contained a lot of security flaws.
• SSL 3.0: Released by Netscape in 1996. Complete redesign of the protocol. Newer versions of SSL/TLS are based on SSL 3.0.
• TLS 1.0: RFC 2246, published by the IETF in 1999. Nearly the same as SSL 3.0.
• TLS 1.1: RFC 4346, published by the IETF in 2006. Added protection against CBC attacks (BEAST attack).
• TLS 1.2: RFC 5246, published by the IETF in 2008. Adds Elliptic Curve CipherSuites to TLS. Removed DES, RC2 and IDEA CipherSuites. SHA-256 hashing used.
SSL HANDSHAKES – CIPHERSUITES
• TLS_RSA_WITH_RC4_128_MD5
• TLS_RSA_WITH_RC4_128_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
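Added example (not part of the original slides): a small Python parser that splits the cipher suite names listed above into key exchange, authentication, cipher and digest, then flags the properties the deck later ties to attacks (RC4, CBC) and to forward secrecy. The finding codes and the comparison suite are choices made for this example.

```python
from typing import List, NamedTuple

# The six suites listed on the slide.
SLIDE_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
]
# Constructed comparison entry, NOT on the slide: ephemeral key exchange + AEAD.
COMPARISON_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

EPHEMERAL_KX = {"DHE", "ECDHE"}           # fresh key pair per handshake
KNOWN_AUTH = {"RSA", "DSS", "ECDSA", "anon"}

# Finding codes used by audit() and their meaning.
FINDINGS = {
    "NO_PFS": "static key exchange, no forward secrecy",
    "RC4": "RC4 stream cipher (see the RC4 attack)",
    "3DES": "3DES, a 64-bit block cipher",
    "CBC": "CBC mode (target of BEAST and Lucky 13)",
    "MD5": "MD5-based MAC",
}


class CipherSuite(NamedTuple):
    key_exchange: str
    authentication: str
    cipher: str
    digest: str  # MAC hash; for AEAD (GCM) suites this names the PRF hash


def parse_suite(name: str) -> CipherSuite:
    """Split TLS_<kx>[_<auth>]_WITH_<cipher>_<digest> (TLS 1.2 and earlier)."""
    if not name.startswith("TLS_") or name.count("_WITH_") != 1:
        raise ValueError(f"not a TLS 1.2-style suite name: {name!r}")
    left, right = name[len("TLS_"):].split("_WITH_")
    kx_auth = left.split("_")
    if len(kx_auth) == 1:
        # TLS_RSA_...: RSA both transports the key and authenticates the server.
        kx = auth = kx_auth[0]
    elif len(kx_auth) == 2:
        kx, auth = kx_auth
    else:
        raise ValueError(f"unsupported key exchange field: {left!r}")
    if auth not in KNOWN_AUTH:
        raise ValueError(f"unsupported authentication field: {auth!r}")
    cipher, _, digest = right.rpartition("_")
    if not cipher or not digest:
        raise ValueError(f"missing cipher or digest in: {right!r}")
    return CipherSuite(kx, auth, cipher, digest)


def audit(name: str) -> List[str]:
    """Return finding codes for one suite, in a fixed order."""
    suite = parse_suite(name)
    found = []
    if suite.key_exchange not in EPHEMERAL_KX:
        found.append("NO_PFS")
    if suite.cipher.startswith("RC4"):
        found.append("RC4")
    if suite.cipher.startswith("3DES"):
        found.append("3DES")
    if suite.cipher.endswith("_CBC"):
        found.append("CBC")
    if suite.digest == "MD5":
        found.append("MD5")
    return found


if __name__ == "__main__":
    for suite_name in SLIDE_SUITES + [COMPARISON_SUITE]:
        codes = audit(suite_name)
        print(suite_name)
        for code in codes:
            print("   -", FINDINGS[code])
        if not codes:
            print("   - no findings from these checks")
```

Every suite on the slide is flagged at least for the lack of forward secrecy, because RSA key transport and static DH reuse the server's long-term key for every session.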
SSL HANDSHAKES – RECORD LAYER HEADER
SSL RECORD LAYER
Figure from William Stallings' article on “SSL: Foundation for Web Security” (http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-1/ssl.html)
SSL HANDSHAKES
SSL HANDSHAKES IN WIRESHARK
SSL HANDSHAKES – CLIENT HELLO
SSL HANDSHAKES – CLIENT HELLO
SSL HANDSHAKES - SERVER HELLO
SSL HANDSHAKES – SERVER HELLO
SSL HANDSHAKES – CERTIFICATE, SERVER HELLO DONE
SSL HANDSHAKES – CERTIFICATE, SERVER HELLO DONE
SSL HANDSHAKES - CLIENT KEY EXCHANGE
SSL HANDSHAKES – CLIENT KEY EXCHANGE
SSL HANDSHAKES – KEY GENERATION
SSL HANDSHAKES – CHANGE CIPHER SPEC, FINISHED
SSL HANDSHAKES – CHANGE CIPHER SPEC, FINISHED
SSL APPLICATION DATA
SSL APPLICATION DATA
MAN IN THE MIDDLE – PROXY TOOL
MAN IN THE MIDDLE – PROXY TOOL
MAN IN THE MIDDLE - WEBSCARAB, ZAP, BURP, CHARLES
MAN IN THE MIDDLE – SSLSTRIP (BEFORE)
MAN IN THE MIDDLE – SSLSTRIP
MAN IN THE MIDDLE – SSLSTRIP (AFTER)
MAN IN THE MIDDLE – SSLSTRIP (AFTER)
MAN IN THE MIDDLE - SSLSTRIP
MAN IN THE MIDDLE – SOLUTION – HSTS (HTTP STRICT TRANSPORT SECURITY)
• Header could be set in the response as below:
response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubdomains");
=> Tells the browser that the domain and its subdomains should always be accessed over HTTPS for a period of 12 months (31536000 seconds)
• The browser caches this information, and always connects to the domain/subdomain on HTTPS
• The 12-month counter is reset every time the browser gets a page with this header from the domain.
• With this header set, the browser also throws an error if the SSL certificate is untrusted or erroneous, instead of showing a warning that the user can override. This adds to the security and prevents a hacker from intercepting the SSL requests and seeing the SSL packets in clear using proxy tools like WebScarab.
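Added example (not from the original slides): a minimal Python model of the browser-side HSTS cache described above, following the behaviour specified in RFC 6797. It shows the header being ignored over plain HTTP, the expiry restarting on every HTTPS response, and subdomain matching. The host example.com, the timestamps and the class and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Header value exactly as set on the slide.
SLIDE_HEADER = "max-age=31536000; includeSubdomains"


def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains), or None if invalid."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not (arg.isascii() and arg.isdigit()):
                return None                  # duplicate or non-numeric max-age
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """Known HSTS hosts: host -> (expires_at, include_subdomains)."""

    def __init__(self):
        self._hosts = {}

    def note_response(self, host, scheme, header_value, now):
        """Process a response header; `now` is a Unix timestamp in seconds."""
        if scheme != "https":
            return False                     # header over plain HTTP is ignored
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        max_age, include_sub = policy
        if max_age == 0:
            self._hosts.pop(host.lower(), None)   # max-age=0 removes the entry
        else:
            # Each HTTPS response restarts the countdown from `now`.
            self._hosts[host.lower()] = (now + max_age, include_sub)
        return True

    def must_use_https(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            # Exact match always counts; a parent counts only with includeSubDomains.
            if now < expires_at and (i == 0 or include_sub):
                return True
        return False

    def upgrade(self, url, now):
        """Rewrite http:// to https:// before the request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.must_use_https(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):     # explicit port 80 becomes default 443
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    t0 = 1_700_000_000                       # constructed timestamp
    cache = HstsCache()
    print(cache.upgrade("http://example.com/login", t0))      # unchanged: first visit
    cache.note_response("example.com", "https", SLIDE_HEADER, t0)
    print(cache.upgrade("http://shop.example.com/cart", t0 + 60))
```

The first call in the demo returns the URL unchanged: until the browser has seen the header once over HTTPS, the initial plain-HTTP request is still exposed to stripping.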
RECENT ATTACKS ON SSL
• BEAST ATTACK
• LUCKY 13 ATTACK
• CRIME ATTACK
• RC4 ATTACK
SECURITY GUIDELINES WHILE CONFIGURING SSL ON SERVERS
• Configure all three protocols: TLS 1.0, 1.1 & 1.2
• Choose a strong and secure CipherSuite
• Certificate to be signed by a trusted CA like Verisign.
• Don't configure wildcard certificates
• Ensure session cookies have the “secure=true” flag set, so that they are transmitted only over SSL.
• Ensure the HSTS header is set for the domain and subdomains.
• Run the server through https://www.ssllabs.com/ssltest/ and fix any issues identified.
SECURITY CONSIDERATION WHILE CONFIGURING SSL ON
SERVERS
SECURITY CONSIDERATION WHILE CONFIGURING SSL ON
SERVERS
THANK YOU
SACHIN (sachinraj.shetty@gmail.com)
SSL EVOLUTION
Figure from Wikipedia (http://en.wikipedia.org/wiki/Transport_Layer_Security)
BUILDING BLOCKS – SYMMETRIC KEY ENCRYPTION
Figure from MSDN site: (http://msdn.microsoft.com/en-us/library/ff647097.aspx)
BUILDING BLOCKS – SYMMETRIC KEY ENCRYPTION
• Same key used for encryption and decryption
• Algorithms are fast, but sharing the key is a challenge.
• Stream Cipher: RC4_128
• Block Ciphers: AES_128_CBC, AES_256_CBC, 3DES_EDE_CBC
BUILDING BLOCKS – SYMMETRIC KEY ENCRYPTION
Cipher Block Chaining (CBC) Mode
Figure from Wikipedia (http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29)
Public Key Encryption
BUILDING BLOCKS – PUBLIC KEY INFRASTRUCTURE (PKI)
Figure from MSDN site: (http://msdn.microsoft.com/en-us/library/ff647097.aspx)
BUILDING BLOCKS – PUBLIC KEY INFRASTRUCTURE (PKI)
Public Key Encryption
• 2 separate keys used: Public key and Private key
• Sender uses the Public key (of the receiver) for encrypting the message.
• Receiver uses his Private key for decrypting the message.
• X509 Certificates are the carrier of the public key, which is shared.
• Private key is kept secret and is never shared.
• Algorithms are slower compared to symmetric ones.
• Algorithms: RSA, Diffie–Hellman, Elliptic curve
Digital Signature
BUILDING BLOCKS – PUBLIC KEY INFRASTRUCTURE (PKI)
Figure from MSDN site: (http://msdn.microsoft.com/en-us/library/ff647097.aspx)
BUILDING BLOCKS – PUBLIC KEY INFRASTRUCTURE (PKI)
Digital Signature
• Sender generates a hash of the message and then encrypts the hash with his Private Key; the result is the Digital Signature.
• Signature is appended to the message and sent to the Receiver.
• Receiver reads the Signature and decrypts it with the Public Key (of the Sender) to obtain the hash.
• Receiver generates the hash of the message and compares it with the hash obtained by decrypting the Signature.
• Signature Algorithms: Sha1withRSA, MD5withRSA
X509 Certificate
BUILDING BLOCKS – PUBLIC KEY INFRASTRUCTURE (PKI)
X509 Certificate Entries
BUILDING BLOCKS – PUBLIC KEY INFRASTRUCTURE (PKI)
X509 Certificate Extensions
BUILDING BLOCKS – PUBLIC KEY INFRASTRUCTURE (PKI)
BUILDING BLOCKS – PUBLIC KEY INFRASTRUCTURE (PKI)
Obtaining CA Signed Certificate
Figure from MSDN site: (http://msdn.microsoft.com/en-us/library/ff647097.aspx)
Certificate Chaining
BUILDING BLOCKS – PUBLIC KEY INFRASTRUCTURE (PKI)
SSL HANDSHAKES – PRF (PSEUDO RANDOM FUNCTION)
SSL HANDSHAKES – PFS (PERFECT FORWARD SECRECY)
SSL HANDSHAKES – PFS – DIFFIE-HELLMAN KEY EXCHANGE
• Prime Numbers shared between Alice and Bob – p, g
• Secret number chosen by Alice – a
• Secret number chosen by Bob – b
• Shared Secret – s
Figure from Wikipedia (http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange)
SSL HANDSHAKES – 2 WAY SSL
SSL HANDSHAKES – SSL RESUMPTION
SSL HANDSHAKES – SSL RESUMPTION
SSL HANDSHAKES – SSL RENEGOTIATION
MAN IN THE MIDDLE – SSLSTRIP
• Developed by Moxie Marlinspike
• SSLStrip is capable of logging packets in clear from SSL-enabled sites, including login credentials passed to the site.
• Running SSLStrip (available in BackTrack):
-> sslstrip -l 10000
-> tail -f sslstrip.log
=> Configure the browser of any system to redirect the packets through BackTrack (port 10000). Alternatively you could try the arpspoof command to convince a host that our MAC address is the router's MAC address.
• Details at http://www.thoughtcrime.org/software/sslstrip/.
MAN IN THE MIDDLE - SSLSNIFF
• Developed by Moxie Marlinspike
• Originally written to demonstrate IE's vulnerability to the "basicConstraints" extension. Microsoft fixed this vulnerability.
• Currently can be used as a proxy tool to see SSL traffic in clear. The tool generates certs for the domain being accessed on the fly.
• SSLSniff is also used to demonstrate Null-Prefix attacks and OCSP attacks.
• Supports modes for hijacking auto-updates from Mozilla products, as well as for Firefox/Thunderbird addons.
• More Info: http://www.thoughtcrime.org/software/sslsniff
