Encryption, SSL and Certificates BY JOSHUA COX AND RACHAEL MEAD


Outline

Cryptography
    Encryption

SSL
    Overview
    Keys
    Statistics

Certificates
    Explanation of certificates
    MITM attacks with keys

Disadvantages

Encryption

Type of Cryptography

The practice and study of techniques for secure communication in the presence of third parties.

The process of encoding messages so that only authorized parties can read them.

Use of encryption keys to encrypt and decrypt the message.

Used in military communications in the past. Primarily used for protecting computer data nowadays.

SSL: What is SSL?

SSL stands for Secure Sockets Layer. It is a standard security technology for establishing an encrypted link between a server and a client.

The first SSL Certificate was created in 1994 by Netscape Communications.

SSL Certificate issuers are called Certificate Authorities, or CAs.

SSL allows sensitive information such as credit card numbers and social security numbers to be transmitted securely.

Required by the Payment Card Industry (PCI) to have an SSL Certificate.

The main components of SSL Certificates are the keys: the Public key and the Private key.

SSL: Keys

Public Key – Encryption

Private Key – Decryption

Session Key – Temporary key shared by server and browser

SSL: Asymmetric Encryption

Asymmetric encryption, or public-key cryptography, uses a separate key for encryption and decryption.

Only the intended receiver can decrypt the message.

Asymmetric keys are typically 1024 or 2048 bits.

A 2048-bit key contains 617 digits of encryption code. 14 billion years to crack.

SSL: Symmetric Encryption

Symmetric encryption uses a single key to both encrypt and decrypt data.

Both the sender and the receiver need the same key to communicate.

Symmetric key sizes are typically 128 or 256 bits; the larger the key size, the harder the key is to crack.

SSL: Symmetric vs. Asymmetric

Symmetric keys have a major disadvantage because the same key is used for symmetric encryption and decryption.

Asymmetric encryption doesn't have this problem.

As long as you keep your private key secret, no one can decrypt your messages.

Only the person with the private key can decrypt it, which makes Asymmetric stronger.

SSL: SSL Handshake / Example

The connection between Browser and Server is known as the "SSL Handshake".

Class activity!

SSL: Statistics

55.9% of websites do not use an SSL Certificate.

11.3% use self-signed certificates.

Out of the 32.8% who use SSL Certificate Authorities, 38.3% use Symantec.
    Owns Verisign and Geotrust, among others.

Sources: w3techs.com, sslshopper

Certificates: Certificates and What They Do

Electronic Credentials
    Think of a passport or an ID

Help to prevent MITM attacks

Help preserve data integrity

Certificates: Man in the Middle Attacks

Someone is intercepting and modifying communications.

They make new public keys and can eavesdrop on messages.

Capable of impersonating official websites.

Suppose Alice is your grandmother and Bob is her banker. Then Mallory is intercepting their messages.

Certificates: How to Solve MITM Attacks

Certificates wrap the keys and other identifying information, and encrypt them.

A Certificate is signed by a trusted Certificate Authority. This is what allows you to host a secure website (https).

Certificate Authorities range from $60 a year to $500 a year.

Source: whichssl.com

You can make your own Certificate, but it is not trusted.

Certificate Example: tldp.org
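
The check a browser makes on a CA-signed certificate, as an added example that is not part of the original slides: Alice's browser accepts Bob's certificate only if a trusted CA's signature covers the name and public key in it. It uses textbook RSA signatures (no padding) from the Python standard library; the names bank.example and "Example CA" and the toy keys are constructed assumptions.

```python
import hashlib

E = 65537  # common RSA public exponent

def keypair(p, q):
    """Textbook RSA from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)          # only the private key holder can do this

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)   # anyone with the public key can check

def cert_body(cert):
    return f"{cert['subject']}|{cert['public_key']}|{cert['issuer']}".encode()

def issue_cert(subject, subject_n, issuer, issuer_n, issuer_d):
    cert = {"subject": subject, "public_key": subject_n, "issuer": issuer}
    cert["sig"] = sign(cert_body(cert), issuer_n, issuer_d)
    return cert

def browser_accepts(cert, hostname, trusted_cas):
    """The checks Alice's browser makes before using the public key in the certificate."""
    if cert["subject"] != hostname:
        return False                            # certificate is for a different site
    ca_n = trusted_cas.get(cert["issuer"])
    if ca_n is None:
        return False                            # issuer unknown: self-signed / untrusted CA
    return verify(cert_body(cert), cert["sig"], ca_n)

# Constructed toy keys built from Mersenne primes (far too small and structured for real use).
CA_N, CA_D = keypair(2**521 - 1, 2**607 - 1)
BOB_N, _ = keypair(2**89 - 1, 2**107 - 1)
MAL_N, MAL_D = keypair(2**61 - 1, 2**127 - 1)
TRUSTED = {"Example CA": CA_N}                  # the browser's built-in CA list

def demo():
    bob = issue_cert("bank.example", BOB_N, "Example CA", CA_N, CA_D)
    swapped = dict(bob, public_key=MAL_N)       # key replaced in transit, CA signature kept
    self_signed = issue_cert("bank.example", MAL_N, "Mallory", MAL_N, MAL_D)
    return {"genuine": browser_accepts(bob, "bank.example", TRUSTED),
            "swapped_key": browser_accepts(swapped, "bank.example", TRUSTED),
            "self_signed": browser_accepts(self_signed, "bank.example", TRUSTED),
            "wrong_site": browser_accepts(bob, "shop.example", TRUSTED)}

if __name__ == "__main__":
    print(demo())
```

Every result depends on the private key of "Example CA" staying with the CA, which is the dependency the Disadvantages slide is about.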

Disadvantages of SSL and Certificates

Certificate Authorities' security can be breached.

Diginotar: In July 2011 a man was able to make a near perfect Google replica. Diginotar certificates are now banned from most browsers.

Trustwave, an international Certificate Authority, sold the trusted root certificates to an unknown client. There is reason to believe Trustwave is not the only CA to do this.

HeartBleed Bug: heartbleed.com

There are patented interception taps. Governments and vendors use interception taps.