Download as pdf or txt
Download as pdf or txt
You are on page 1of 32

Network and System Security (TCS619)

B. Tech CSE VI Semester

Dr. Mohammad Wazid

Associate Professor, Department of

Graphic Era (Deemed to be University), Dehradun, India
Transport-Level Security

SSL/TLS, Https
Web Security
 Web now widely used by business,
government, individuals
 but Internet & Web are vulnerable
 have a variety of threats
 integrity
 confidentiality
 denial of service
 authentication
 need added security mechanisms
Methods used for Web Traffic
SSL (Secure Socket Layer)
 transport layer security service
 originally developed by Netscape
 version 3 designed with public input
 subsequently became Internet standard
known as TLS (Transport Layer Security)
 uses TCP to provide a reliable end-to-end
 SSL has two layers of protocols
SSL Architecture
SSL Architecture
 SSL connection
 a transient, peer-to-peer, communications link
 associated with 1 SSL session
 SSL session
 an association between client & server
 created by the Handshake Protocol
 define a set of cryptographic parameters
 may be shared by multiple SSL connections
SSL Record Protocol
 confidentiality
 using symmetric encryption with a shared
secret key defined by Handshake Protocol
 AES, IDEA, RC2-40, DES-40, DES, 3DES,
Fortezza, RC4-40, RC4-128
 message is compressed before encryption
 message integrity
 using a MAC with shared secret key
SSL Record Protocol Operation
SSL Record Protocol Operation
 It takes an application message to be
transmitted, fragments the data into
manageable blocks, optionally compresses
the data, computes and appends a MAC
(using a hash very similar to HMAC),
 Encrypts (using one of the symmetric
algorithms listed on the previous slide),
SSL Record Protocol Operation
 Adds a header (with details of the SSL
content type, major/minor version, and
compressed length), and transmits the
resulting unit in a TCP segment.
 Received data are decrypted, verified,
decompressed, and reassembled and then
delivered to higher-layer applications.
SSL Handshake Protocol
 It uses the SSL Record Protocol to
exchange a series of messages
between an SSL-enabled server and an
SSL-enabled client when they first
establish an SSL connection.
 This exchange of messages is designed
to enable the following actions:
 Authenticate the server to the client.
SSL Handshake Protocol
 Allow the client and server to select
cryptographic algorithms, or ciphers,
they both support.
 Optionally authenticate the client to the
 Use public key encryption to generate
shared secret keys.
 Establish an encrypted SSL connection.
SSL Change Cipher Spec Protocol
 Change cipher spec protocol is used to
change the encryption being used by the
client and server.
 It is normally used as part of the
handshake process to switch to symmetric
key encryption.
 The CCS protocol is a single message that
tells the peer that the sender wants to
change to a new set of keys, which are
then created from information exchanged
by the handshake protocol.
SSL Alert Protocol
 It signals problems with an SSL session.
 Alert messages convey the severity of the message and
a description of the alert.
 Upon transmission or receipt of a fatal alert message,
both parties immediately close the connection.
 The client and the server must communicate that the
connection is ending to avoid a truncation attack.
 In a truncation attack, an attacker inserts into a
message a TCP code indicating the message has
finished, thus preventing the recipient picking up the
rest of the message.
SSL Alert Protocol
 Either party may initiate the exchange of
closing messages.
 Normal termination occurs when the
close_notify message is sent.
 This message notifies the recipient that the
sender will not send any more messages on
this connection.
TLS (Transport Layer
 IETF standard RFC 2246 similar to SSLv3
 with minor differences
 in record format version number
 uses HMAC for MAC
 a pseudo-random function expands secrets
• based on HMAC using SHA-1 or MD5
 has additional alert codes
 some changes in supported ciphers
 changes in certificate types & negotiations
 changes in crypto computations & padding
 combination of HTTP & SSL/TLS to secure
communications between browser & server
• documented in RFC2818
• no fundamental change using either SSL or TLS
 use https:// URL rather than http://
 and port 443 rather than 80
 encrypts
 URL, document contents, form data, cookies,
HTTP headers
Fig. HTTPs vs HTTP
HTTP and HTTPs differences
 HTTPS is HTTP with encryption.
 The only difference between the two
protocols is that HTTPS uses TLS (SSL) to
encrypt normal HTTP requests and
 As a result, HTTPS is far more secure than
 A website that uses HTTP has http:// in its
URL, while a website that uses HTTPS has
HTTP and HTTPs differences
 HTTP (Hypertext Transfer Protocol), is a
protocol which is used for transferring data
over a network.
 Most information that is sent over the Internet,
including website content and API calls, uses
the HTTP protocol.
 There are two main kinds of HTTP messages:
requests and responses.
HTTP and HTTPs differences
HTTP request and HTTP response
 HTTP requests are generated by a user's
browser as the user interacts with web
 For example, if a user clicks on a hyperlink, the
browser will send a series of "HTTP GET"
requests for the content that appears on that
 These HTTP requests all go to either an origin
server or a proxy caching server, and that server
will generate an HTTP response.
 HTTP responses are answers to HTTP requests.
HTTP and HTTPs differences
A typical HTTP request
 An HTTP request is just a series of lines of
text that follow the HTTP protocol. A GET
request might look like this:
GET /hello.txt HTTP/1.1
User-Agent: curl/7.63.0 libcurl/7.63.0
OpenSSL/1.1.l zlib/1.2.11
Accept-Language: en
HTTP and HTTPs differences
 This section of text, generated by the user's
browser, gets sent across the Internet.
 Problem: In plaintext that anyone monitoring
the connection can read.
 This is especially an issue when users
submit sensitive data via a website or a web
 This could be a password, a credit card
number, or any other data entered into a
form, and in HTTP all this data is sent in
plaintext for anyone to read.
HTTP and HTTPs differences
 When a user submits a form, the browser
translates this into an HTTP POST request
instead of an HTTP GET request.
 When an origin server receives an HTTP
request, it sends an HTTP response, which is
HTTP/1.1 200 OK
Date: Wed, 30 Jan 2019 12:14:39 GMT
Server: Apache
Last-Modified: Mon, 28 Jan 2019 11:17:01 GMT
Accept-Ranges: bytes
Content-Length: 12
Vary: Accept-Encoding
Content-Type: text/plain
Hello World!
HTTP and HTTPs differences
 If a website uses HTTP instead of HTTPS, all
requests and responses can be read by anyone
who is monitoring the session.
 Essentially, a malicious actor can just read the
text in the request or the response and know
exactly what information someone is asking for,
sending, or receiving.
 The S in HTTPS stands for "secure."
 HTTPS uses TLS (or SSL) to encrypt HTTP
requests and responses,
HTTP and HTTPs differences

 So in the example above, instead of the

text, an attacker would see a bunch of
seemingly random characters.
 Instead of:
 GET /hello.txt HTTP/1.1
 User-Agent: curl/7.63.0 libcurl/7.63.0 OpenSSL/1.1.l zlib/1.2.11
 Host:
 Accept-Language: en

 The attacker sees something like:

 t8Fw6T8UV81pQfyhDkhebbz7+oiwldr1j2gHBB3L3RFTRsQCpaSnSBZ78Vme+DpDVJPvZ
HTTP and HTTPs differences
 In HTTPS, how does TLS/SSL encrypt HTTP
requests and responses.
 TLS uses a technology called public key
encryption: there are two keys, a public key
and a private key, and the public key is shared
with client devices via the server's SSL
 When a client opens a connection with a
server, the two devices use the public and
private key to agree on new keys, called
session keys, to encrypt further
communications between them.
HTTP and HTTPs differences
 All HTTP requests and responses are then encrypted
with these session keys, so that anyone who
intercepts communications can only see a random
string of characters, not the plaintext.
How does HTTPS help authenticate web servers?
 In HTTP, there is no verification of identity-it's based
on a principle of trust.
 The architects of HTTP did not have priorities for
security. But on the modern Internet, authentication is
 Just like an ID card confirms a person's identity, a
private key confirms server identity.
How does HTTPS help authenticate
web servers?
 When a client opens a channel with an origin
server (e.g. when a user navigates to a website),
possession of the private key that matches with the
public key in a website's SSL certificate proves
that the server is actually the legitimate host of the
 This prevents or helps block a number of attacks
for example, man-in-the-middle attacks, DNS
hijacking, BGP hijacking.
 HTTPs information available at:
 Cryptography and Network Security:
Principles and Practice text book by William

You might also like