Certificates and Web of Trust

Certificates and Web of Trust Yousof Alsatom [email_address] Slide

Agenda SSL Certification What is SSL & How it works Certificates Authorities Root Anchors Problems with this hierarchical approach of trust management Possible Alternatives to SSL, PGP Web of Trust Perspective Convergence Slide

History and Definitions http://www.youtube.com/watch?v=zPqtx1J6udc SSL is an acronym for Secure Sockets Layer Standard security technology developed by Netscape in 1994. It creates an encrypted link between a web server and a web browser. The SSL protocol is used by millions of e-Business providers to protect their customers ensuring their online transactions remain confidential. Slide Source

What is SSL & How it works SSL Certificate contains a public and private key pair as well as verified identification information. When a browser (or client) points to a secured domain The server shares the public key with the client to establish an encryption method and a unique session key. The client confirms that it recognizes and trusts the issuer of the SSL Certificate. This process is known as the "SSL handshake" and it can begin a secure session that protects message privacy and message integrity. Slide

Certificate Authority (CA) CA, issues and manages security credentials and public keys for message encryption Slide

Root Anchors CA’s market share declined year-over-year, February Netcraft Survey shows Symantec’s overall unit market share grew to 42.1 percent Symantec has agreed to acquire VeriSign's Identity and Authentication business for an aggregate purchase price of $1.28 billion Slide

Obtaining certificates User generates private key User creates a Certificate Signing Request (CSR) containing user identity domain name public key CA processes the CSR validates user identity validates domain ownership signs and returns the certificate User installs private key and certificate on a web server Slide

SSL Attack SSL can fail in many ways, but there are 3 principal attacks: Passive MITM Session hijacking Active MITM Rogue certificates SSL bypass User attacks (Who read warning anyway) Third-party compromise more : visit https://www.sllabs.com Slide

SSL Threat Model (SSLLabs Amsterdam, 2011 ) Slide

CA & MD5 hash function Slide Normal

CA & MD5 hash function Slide Attack Then a website certificate (the red one in the diagram) bearing the genuine website's identity but another public key is created and signed by the rogue CA. A copy of the genuine website is built, put on another web server, and equipped with the rogue website certificate. A rogue CA certificate is constructed (the black one in the diagram). It bears exactly the same signature as the website certificate. Thus it appears as being issued by the CA, whereas in fact the CA has never even seen it. The user will not mention this because there is a problem in the MD5 hash function

Man In The Middle (MITM) attacks Gmail service in Iran, August 2011 The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it). Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate. Slide

State of Art for protection, (SSLLabs Amsterdam, 2011 ) Use an extended validation (EV) certificate (difficult to forge) Configure your SSL server properly: Good key size and coverage of desired domain names Good protocols and 128-bit forward-secrecy cipher suites Patches and workarounds applied Redirect all port 80 traffic to port 443 Use HTTP Strict Transport Security Forces all traffic over SSL, even with HTTP links Can include subdomains to address cookie issues Slide

What is the alternatives? Slide

Before we start Why I Wrote PGP "Whatever you do will be insignificant, but it is very important that you do it.” Mahatma Gandhi. Slide Phil Zimmermann

Pretty Good Privacy Pretty Good Privacy (PGP) Data encryption and decryption computer program Provides cryptographic privacy and authentication for Data communication. PGP is often used for Signing Encrypting and decrypting texts, E-mails, files directories and whole disk partitions to increase the security of e-mail communications. Slide

How PGP works - Encryption PGP creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. Slide

How PGP works - Decryption Decryption works in the reverse. The recipient's copy of PGP uses his or her private key to recover the temporary session key Slide

Web of Trust The user decide whom trust and whom not. It is thus a cumulative trust model hen any user signs another's key, he or she becomes an introducer of that key. As this process goes on, it establishes a web of trust. Slide Primary Key infrastructure Vs. Web of Trust, Walking the Web of Trust, Germano Caronni, Sun Microsystems Laboratories, IEEE 2000

Other alternatives Convergence “ is something we would add in Chrome.” Moxie Marlinspike Convergence allows you to choose who you want to trust, rather than having someone else's decision forced on you. You can revise your trust decisions at any time, so that you're not locked in to trusting anyone for longer than you want. Slide

Other alternatives, Perspectives Computer Science Department at Carnegie Mellon University Funded by The National Science Foundation (NSF) Carnegie Mellon CyLab Perspectives keeps a record of the keys used by a service over time, then the client can see there is a change in the certificates One use of Perspectives is to provide an additional layer of protection to detect attacks even when the browser trusts the CA that signed the certificate. Slide Wendlandt David G. Andersen Adrian Perrig, Carnegie Mellon University MD5 and Perspectives, 01.01.2009

Conclusion Centralized trust model Public key infrastructure (PKI) which is relay on CA Decentralized trust model (better) PGP WOT One hand doesn’t clap Install WOT and Perspective in your browser Slide

References Ivan Ristic, Michael Small. A Study of What Really Breaks SSL, HITB Amsterdam 2011 Browser Interfaces and Extended Validation SSL Certificates: An Empirical Study, ISBN: 978-1-60558-784-4, 2009 Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing, Dan Wendlandt David G. Andersen Adrian Perrig, Carnegie Mellon University MD5 and Perspectives, 01.01.2009 Walking the Web of Trust, Germano Caronni, Sun Microsystems Laboratories, IEEE 2000 http://www.techthefuture.com/technology/certificate-authority-system-insecure-firefox-add-on-offers-alternative/ http://www.verisign.com/ssl/index.html?tid=gnps http://info.ssl.com/article.aspx?id=10241 http://en.wikipedia.org/wiki/Secure_Sockets_Layer http://en.wikipedia.org/wiki/Certificate_authority https://ssl.trustwave.com/support/support-how-ssl-works.php http://en.wikipedia.org/wiki/Pretty_Good_Privacy http://www.pgpi.org/doc/pgpintro/ http://www.whichssl.com/what_is_ssl.html http://www.symantec.com/about/news/release/article.jsp?prid=20110301_02 http://perspectives-project.org/faq / http://searchsecurity.techtarget.com/definition/certificate-authority Very interesting video, Speaker: MOXIE MARLINSPIKE, 2011 : http://www.youtube.com/watch?feature=player_embedded&v=Z7Wl2FW2TcA# ! Slide

Demo WOT Perspective Convegerence Slide

Certificates and Web of Trust

Recommended

More Related Content

What's hot (20)

Similar to Certificates and Web of Trust (20)

Recently uploaded (20)

Certificates and Web of Trust

Editor's Notes