Upload
nisajames
View
217
Download
0
Embed Size (px)
Citation preview
8/2/2019 Server Authentication
1/11
Server Authentication During
SSL Handshake
8/2/2019 Server Authentication
2/11
SSL or TLS?
SSL is the Secure Socket Layer. This is the security system
behind the protocol HTTPS (Hypertext Transfer Protocol
Secure) which was developed by Netscape Communications.
Strictly speaking, SSL no longer exists. After SSL version 3, it
was replaced by the Transport Layer Security (TLS) protocol.However, "SSL" became a generic name for the encryption
system of HTTPS. So, many people refer to SSL when they
really mean TLS.
8/2/2019 Server Authentication
3/11
Function
SSL/TLS is a security system that combines authentication and
encryption. In regular communication over a network, a client
contacts a server with a request. The server replies with a
response. Under SSL, only the client needed to present
authentication. With TLS, both the client and server mustprove their identity. The identification procedure includes an
encryption key, which is used to protect all transmissions once
the connection has been established.
8/2/2019 Server Authentication
4/11
Certificates
The SSL system relies on the user holding a valid certificate.The certificate validates the client or the server by showingtheir address, a validity period and a digital signature.Certificates are issued by Certificate Authorities. When aclient first contacts the server, it presents its certificate. The
server sends its certificate details to the client and checks theclients certificate with the issuing authority. The CertificateAuthority confirms the details of the certificate. If there is adiscrepancy between the details on the certificate sent by theclient and the details held by the certificate authority, the
HTTPS session cannot be established. Similarly, the certificatemust be current. While the server checks the client'scertificate, the client follows the same process to check theserver's certificate.
8/2/2019 Server Authentication
5/11
CAs
Worldwide, the certificate authority business is fragmented, with nationalor regional providers dominating their home market. This is because manyuses of digital certificates, such as for legally binding digital signatures, arelinked to local law, regulations, and accreditation schemes for certificateauthorities.
However, the market for SSL certificates, a kind of certificate used for
website security, is largely held by a small number of multinationalcompanies. This market has significant barriers to entry since newproviders must undergo annual security audits (such as WebTrustforCertification Authorities) to be included in the list ofweb browser trustedauthorities. More than 50 root certificates are trusted in the most popularweb browser versions. A 2009 market share report from Net Craft as of
January of that year determined that VeriSign and its acquisitions (whichinclude Thawte and Geotrust) have a 47.5% share of the certificationservices provider market, followed by GoDaddy (23.4%), and Comodo(15.44%).
http://en.wikipedia.org/wiki/Transport_Layer_Securityhttp://en.wikipedia.org/wiki/Barriers_to_entryhttp://en.wikipedia.org/wiki/Barriers_to_entryhttp://www.webtrust.org/http://en.wikipedia.org/wiki/Web_browserhttp://en.wikipedia.org/wiki/Web_browserhttp://en.wikipedia.org/wiki/Web_browserhttp://en.wikipedia.org/wiki/Web_browserhttp://news.netcraft.com/ssl-sample-report/CMatch/certshttp://en.wikipedia.org/wiki/VeriSignhttp://news.netcraft.com/ssl-sample-report/CMatch/certshttp://en.wikipedia.org/wiki/Thawtehttp://en.wikipedia.org/wiki/Geotrusthttp://en.wikipedia.org/wiki/VeriSignhttp://en.wikipedia.org/wiki/Thawtehttp://en.wikipedia.org/wiki/Geotrusthttp://en.wikipedia.org/wiki/GoDaddyhttp://en.wikipedia.org/wiki/Comodohttp://en.wikipedia.org/wiki/GoDaddyhttp://en.wikipedia.org/wiki/Comodohttp://en.wikipedia.org/wiki/Comodohttp://en.wikipedia.org/wiki/GoDaddyhttp://en.wikipedia.org/wiki/Geotrusthttp://en.wikipedia.org/wiki/Thawtehttp://en.wikipedia.org/wiki/VeriSignhttp://news.netcraft.com/ssl-sample-report/CMatch/certshttp://en.wikipedia.org/wiki/Web_browserhttp://www.webtrust.org/http://en.wikipedia.org/wiki/Barriers_to_entryhttp://en.wikipedia.org/wiki/Transport_Layer_Security8/2/2019 Server Authentication
6/11
Enabling SSL
The concept of "SSL Enabled" expresses whether the address
the client or server is using has a valid certificate. Certification
doesn't authenticate the user. This level of security is handled
by other methods, like usernames and passwords. The SSL
Certificate-checking process is usually embedded in thebrowser of clients or in the server software of the server. The
user can enable SSL by looking through the network settings
of his browser. The server software also has an "Enable SSL"
option which the Systems Administrator should activate.
Check if SSL is enabled in your browser!!!
8/2/2019 Server Authentication
7/11
Server SSL
For domestic users, the certification process is handled by the
user's browser. For a server, the process is a little more
complicated. The server should have a certificate database
and needs to obtain a certificate from a trusted Certificate
Authority. After the certificate has been downloaded into thedatabase, it
8/2/2019 Server Authentication
8/11
Server Authentication During SSL
Handshake
SSL-enabled client software always requires serverauthentication, or cryptographic validation by a client ofthe servers identity. The server sends the client acertificate to authenticate itself. The client uses the
certificate to authenticate the identity the certificateclaims to represent.
To authenticate the binding between a public key and theserver identified by the certificate that contains the
public key, an SSL-enabled client must receive a yesanswer to the four questions shown in the followingfigure.
8/2/2019 Server Authentication
9/11
8/2/2019 Server Authentication
10/11
Public-key cryptography can be used to encrypt data communicated between two parties.This can typically happen when a user logs on to any site that implements the HTTP Secureprotocol. In this example let us suppose that the user logs on to his bank's homepagewww.bank.example to do online banking. When the user opens www.bank.examplehomepage, he receives a public key along with all the data that his web-browser displays.
When the user enters some information to the bank's page and submits the page (sends theinformation back to the bank) then the data the user has entered to the page will beencrypted by his web browser using the public key that was issued by www.bank.example.The key that can be used to decrypt the information is called the private key and it is onlyknown to the bank. Therefore, even if someone can access the (encrypted) data that wascommunicated from the user to www.bank.example, the (unencrypted) data that the userhas entered can only be decrypted by the bank, as only the bank knows the private key.
This mechanism is only safe if the user can be sure that it is the bank that he sees in his web
browser. If the user types in www.bank.example, but his communication is hi-jacked and afake web-site (that pretends to be the bank web-site) sends the page information back to theuser's browser, the fake web-page can send a fake public key to the user. The user will fill theform with his personal data and will submit the page which will be encrypted by the fakepublic key. The fake web-page will get access to the user's data since the fake web-page ownsthe fake private key.
A certificate authority is an organization that stores public keys and their owners and everyparty in a communication trusts this organization. When the user's web browser receives the
public key from www.bank.example it can contact the certificate authority to ask whether thepublic key does really belong to www.bank.example. Since www.bank.example uses a publickey that the certification authority certifies, a fake www.bank.example can only use the samepublic key. Since the fake www.bank.example does not know the corresponding private key, itcannot decrypt the user's answer.
http://en.wikipedia.org/wiki/Public-key_cryptographyhttp://en.wikipedia.org/wiki/HTTP_Securehttp://en.wikipedia.org/wiki/HTTP_Securehttp://en.wikipedia.org/wiki/HTTP_Securehttp://en.wikipedia.org/wiki/HTTP_Securehttp://en.wikipedia.org/wiki/HTTP_Securehttp://en.wikipedia.org/wiki/Public-key_cryptographyhttp://en.wikipedia.org/wiki/Public-key_cryptographyhttp://en.wikipedia.org/wiki/Public-key_cryptographyhttp://en.wikipedia.org/wiki/Public-key_cryptographyhttp://en.wikipedia.org/wiki/Public-key_cryptography8/2/2019 Server Authentication
11/11
PKI Framework
Central to the growth of e-commerce and e-governance is the issue of trust inelectronic environment. The future of e-commerce and e-governance depends on thetrust that the transacting parties place in the security of transmission and the contentof communication.
Creating trust in electronic environment involves assuring the transacting parties aboutthe integrity and confidentiality of the content of documents along with authenticationof the sending and receiving parties in a manner that ensures that both the partiescannot repudiate the transaction. The paper based concepts of identification,declaration and proof are carried through the use of digital signatures in electronicenvironment. Digital signatures, a form of electronic signatures, are created and verified
using Public Key Cryptography that is based on the concept of a key pair generated by amathematical algorithm, the public and private keys.
The Information Technology Act, 2000 provides the required legal sanctity to the digitalsignatures based on asymmetric cryptosystems. The digital signatures are now acceptedat par with handwritten signatures and the electronic documents that have beendigitally signed are treated at par with paper documents.
The IT Act provides for the Controller of Certifying Authorities(CCA) to license and
regulate the working of Certifying Authorities. The Certifying Authorities (CAs) issuedigital signature certificates for electronic authentication of users.
The CCA certifies the public keys of CAs using its own private key, which enables users inthe cyberspace to verify that a given certificate is issued by a licensed CA. For thispurpose it operates, the Root Certifying Authority of India(RCAI). The CCA alsomaintains the National Repository of Digital Certificates(NRDC), which contains all thecertificates issued by all the CAs in the country.
http://cca.gov.in/rw/pages/rw/pages/useofpkiine-governance.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/becoming_ca.en.dohttp://cca.gov.in/rw/pages/rw/pages/becoming_ca.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/becoming_ca.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/becoming_ca.en.dohttp://cca.gov.in/rw/pages/rw/pages/becoming_ca.en.dohttp://cca.gov.in/rw/pages/rw/pages/becoming_ca.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/useofpkiine-governance.en.dohttp://cca.gov.in/rw/pages/rw/pages/useofpkiine-governance.en.dohttp://cca.gov.in/rw/pages/rw/pages/useofpkiine-governance.en.do