PKI and SSL

1
PKI and SSL

• Public key infrastructures, certificate
  authorities
• Secure servers (https, SSL)
• Reading Anderson, chap 19.5

2

• How do we know that the public key is indeed the
  public key of the Bank?

3
A partial solution PKI

• As a means of addressing these problems, the
  general idea of a Public Key Infrastructure was
  born.
• PKI is essentially a way to publish public key
  values in a way that is almost (but not really)
  analogous to a telephone book.

4
How Does PKI Work?

• PKI helps us by providing two things
• Certification The binding of a public key to
  something (person, place or thing)
• Validation The ability to check if such a
  binding is a valid one.

5
Certification Certificates

• A certificate is essentially a set of statements
  about a public key that is sworn to by someone
  we might have faith in.
• The swearing to is done via digital signature.

6
Certificate Authorities

• Authenticate public keys by signing
• Also public database
• Revoke keys (browser may not check)
• Sometimes user can explicitly check
• CA charges a few hundred pounds per year
  (sometimes less) to store a public key

7
What does a certificate look like?
Wellthat depends, but it will likely have the
following fields
8
What if we dont know Frank?

• If we dont have Franks public key we cant
  verify his signature, so this certificate is
  useless to us.
• Unless we know someone who knows Frank

9
What if we dont know Frank?
If we know Lennys key, we can get Franks key
and verify Joes key as real
10
Who certifies the CAs?

• OS and browser ship with keys for trusted root
  CAs pre-installed
• Ie, they are selected by Microsoft
• In XP, Microsoft can dynamically update trusted
  root CAs!
• Do we trust Microsoft to do a good job of
  selecting trustworthy CAs?

11
Webtrust

• Microsoft has delegated to WebTrust the process
  of checking root CAs
• Collective of audit companies, like Ernst and
  Young, who treat this as auditing
• 6 months, 100K
• But can we trust the auditors
• Remember Arthur Anderson

12
Intermediate CAs

• Root CAs can validate Intermediate CAs
• Intermediate CAs arent pre-shipped in IE, dont
  need WebTrust validation
• Just need deal with root CA

13
When good certificates go bad!

• What happens if someone loses their key, or if a
  key is stolen?
• What happens if a CAs key is compromised?
• What if the keyholders information changes?

14
On-Line Validation

• We could just ask the issuing CA if the
  certificate we are looking at is still good.
  This is a lot like credit card approval.
• PRO
• Immediate notification of certificate revocation.
• CON
• Do we really want to ask about every certificate?
• Can the CA handle the onslaught of queries?

15
Revocation Lists

• These are lists of bad certificates that are
  published regularly by the CAs and stored
  locally by the end user.
• Pro
• We dont have to contact the CA to check status.
• Reduces the communications requirements of the CA
• Con
• Certificates can go bad before we get the latest
  list
• These lists can be huge.

16
And now, the bad news

• Do we really know who these CAs are?
• Do you know who CW HKT SecureNet is?
• Or DigiTrust?
• Or PPT Post NL? Or Certiposte? Deutsche Telekom,
  ANX, Equifax, EUNet, FESTE, FNMT, Saunalahden,
  IPS, Belgacom, NetLock Expressz, NetLock
  Kozjegyzoi, NetLock Uzleti, etc.?
• These are all CAs with keys in Internet Explorer
• Why should we trust what these people say?

17
And even more bad news

• How do the CAs verify the identity of their
  applicants?
• Can a random person off the street get a
  certificate claiming to be Microsoft without the
  CA actually checking that he is from Microsoft?
• Has happened
• Does one entity verify identities and fill out a
  certificate then hand it to another entity to
  sign? (The RA CA model)
• Details could be changed in transmission (or
  after transmission if the CA doesnt play nice).

18
CA certification

• http//www.freessl.com/faq.htmlvalidation
• Method 1 fax articles of incorporation, these
  checked by staff
• Slow, expensive, of some use
• Method 2 CA phones and chats to you
• Quick, cheap, useless
• Guess which is most popular

19
How Much Protection Do We Really Get?

• What is stopping amazon.com from getting a
  certificate and spoofing the amazon.com web site?
• If they have a valid certificate, we might never
  notice.

20
Trust

• We still need to trust people
• Trust Microsoft and auditors to properly vet CAs
• Trust the CA to properly vet applicants for
  certificates
• Still need to trust someone!

21
What about the little guy?

• PKI isnt really set up to support individuals
  well
• Less stringent identity verification means less
  trust in the certificate.
• There are 11 Gilbert Bacas in Albuquerque alone.
• How well can you protect your personal key?

22
Secure Socket Layer (SSL)
The Bank
23
SSL (Simplified)
The Bank
Verify Cert.
24
Secure Socket Layer (SSL)

• Protocol that operates between the application
  layer protocols (HTTP, SMTP etc) and TCP/IP.
• Used between browsers, E-commerce servers
  (shttp).
• Main functions of SSL
• SSL server authentication
• Enables a client to confirm the identity of a
  server
• Uses public key cryptography to validate the
  digital certificate of a server and confirm that
  it has been issued by a valid certification
  authority.
• SSL data encryption
• Uses symmetric encryption to send data to/from
  servers/clients.
• SSL client authentication (optional)

25
SSL Server authentication

• SSL enabled browser includes public keys of
  trusted Certification Authorities (CAs).
• Browser requests server certificate, issued by
  trusted CA.
• Browser uses CAs public key to extract servers
  public key from certificate.
• Visit your browsers options menu to see its
  trusted CAs.

26
History of SSL/TLS
27
TLS? Whats That?

• Transaction Layer Security
• SSL 3.0 is the basis for this IETF standard
• Gets the protocol out of the hands of a single
  vendor
• Deployed in near all web browsers/servers

28
The Lock SymbolWhat It Meansand What It Doesnt

• The protocol the browser and server will use to
  communicate all data is SSL Secure Socket
  Layer.
• All data transmitted in either direction will be
  encrypted so as to prevent any nefarious
  eavesdropper.
• Your browser recognizes the authority of and has
  the public key of the certificate authority that
  issued and signed the servers certificate.
• The web domain of the server has been registered
  with the certificate authority and is indeed a
  legitimately registered web domain

29
https//www.llbean.com/cgi-bin/ncommerce3/OrderIte
mDisplay

• Users browser accesses a secure site one that
  begins with https instead of http ?

• Browser sends the server its SSL version number
  and cipher settings ?

The Lock Symbol How It Works

• Server responds with the sites SSL certificate
  along with servers SSL version number and cipher
  settings ?

• Browser examines servers certificate and
  verifies
• Certificate is valid and has a valid date,
• CA that signed the certificate is a trusted CA
  built into the browser
• Issuing CAs public key built into browser
  validates issuers digital signature
• Domain name in certificate matches the domain
  name the browser is currently visiting

30
https//www.llbean.com/cgi-bin/ncommerce3/OrderIte
mDisplay

• Browser generates a unique session key to encrypt
  all communications

• Browser encrypts session key with the sites
  public key and sends it to the server ?

• Server decrypts session key using its own private
  key

The Lock Symbol How It Works

• Browser and server each generate message to the
  other informing that messages will hereon be
  encrypted ??

• SSL session is established and all messages are
  sent using symmetric encryption (faster than
  Public Key encryption)

31
However

• Despite all this, we may still be giving our
  credit card details to a different company than
  we think..

32
Example I want to book and buy a ticket on line.
Standard way to access a Web site via non-secure
connection.
If anyone ever checked, the site business
identity cannot be verified.
No lock symbol means no security and no
encryption.No one knows to click here.
33
OK, Im ready to purchase and give my credit card
to United right? It really is United right?
Click-1 shows that this certificate was issued
to www.itn.net. Who is this? And what do they
have to do with United Airlines? Click on the
Details tab to dig deeper.
Lock symbol appears because I am about to enter
credit card info but unbeknownst to almost
anyone, it is clickable
34
You have to dig really deeply into
crypto-arcanery to get to the identity
information such as it is.
Click-2 gives access to the contents of the
servers digital certificate. The site business
identity is still not available. Click on the
Subject field to dig deeper.
35
We learn the hard way that this is actually not
United at all. The Web pages still say United
and yet its not United. How often is that going
on? A lot!
Finally, after 3 clicks, the authenticated
identity of the site business owner is available.
It is right after the O and in this case
it is GetThere.com, Inc. Intuitive and
accessible NOT. Really usable identity
informationNOT. AND IT IS NOT EVEN UNITED
AIRLINES THAT I AM ABOUT TO GIVE MY CREDIT CARD
TO.
36
The SSL process

• Phase 1 Handshake using SSL Handshake Protocol
• To authenticate server
• To authenticate client
• To agree secret keys and algorithms for part 2.
• Phase 2 Data transfer using SSL Record Protocol
• SSL uses public key cryptography for the
  handshake, i.e.
• To authenticate client server
• To establish keys and algorithms for encryption
  of data transfer.
• SSL uses symmetric key cryptography for
• Encryption and decryption of data in the data
  transfer.

37
SSL Handshake Protocol
Used for Authentication and Key exchange
SSL Handshake Protocol Summary
38
SSL Cipher Negotiation

• SSL protocol accepts 31 (!) Cipher Suites
• Each suite is defined by
• its key exchange method
• the cipher for data transfer
• a message digest

39
SSL Key Exchange Negotiation

• SSL 2.0 supports only RSA key exchange
• SSL 3.0 supports
• RSA key exchange when certificates are used
• Diffie-Hellman key exchange when there has been
  no prior communication between client and server

40
SSL Symmetric Cipher Selection

• Conventional symmetric cipher is used
• Nine choices
• no encryption
• stream ciphers (RC4 40-bit and 128-bit)
• block ciphers (including DES40 3DES IDEA)

41
SSL Digest Function Choice

• Supports three choices
• no digest
• MD5
• SHA-1
• Used to create a Message Authentication Code
  (MAC) for every message to provide integrity

42
SSL Record Protocol
Provides confidentiality and message integrity
abcdefghijk . . .
Application layer
fragmentation
abcd
efgh
ijkl
Record protocol units
Compression for each unit
Compressed unit
Message Digest (MAC)
Encryption
Encrypted payload for TCP packet
43
Performance Degradation due to SSL

• Degradation of 50 is sometimes cited compared
  with sending in the clear
• Result of public key encryption and decryption
  required to initialize session
• Overhead of encryption using RC2/RC4/DES is
  practically noise

44
Enabling SSL at the Client

• Clients allow choice . . .
• Can turn off SSL at the client (!)
• An important consideration
• IE 4.0 example

45
Microsoft and SSL SChannel.dll

• Internet Security Provider DLL
• Implements SSL 2, TLS (SSL 3), PCT 1
• Server and Client

46
Key Points

• SSL encrypts e-commerce data
• Depends on certificates, cert auth
• Can we trust CAs, auditors, Microsoft?
• Can we trust the user?