Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Communication: Usability and Necessity of SSL/TLS

wolfSSL
April 24, 2012
Technology
2
240

Secure Communication: Usability and Necessity of SSL/TLS

Network-related applications and devices often use secure communication. Although keeping network communications safe should be a top priority to all developers and engineers, it often gets left behind due to lack of understanding, insufficient funding, or looming deadlines.

Securing a project with SSL should not have to include a steep learning curve, deep pockets, or an unlimited time frame. By learning a few basics of how things work, where the technology is best used, and what features to look for when trying to choose the right SSL implementation, a developer or engineer can easily, simply, and quickly secure their project - putting both themselves and their employer's minds at ease.

This presentation will introduce SSL - including why secure communication is important, introductory details about SSL, x509, and the underlying cryptography. It will give an overview of where SSL is used today - including Home Energy, Gaming, Databases, Sensors, VoIP, and more. A description of important items to look for when trying to choose an SSL implementation will give developers and engineers a solid foundation to begin securing their projects with SSL and will enable them to have more informed discussions with potential vendors.

Originally presented at Infosecurity Europe 2012 by Chris Conlon.

Learn more at www.yassl.com.

wolfSSL

April 24, 2012
Tweet

More Decks by wolfSSL

See All by wolfSSL
Secure Industrial Device Connectivity with Low-Overhead TLS
wolfssl
1
100
wolfSSL and TLS 1.3
wolfssl
1
280
wolfSSL Year In Review -
wolfssl
0
210
Embedded Security for Devices
wolfssl
1
80
Kerberos + Android: A Tale of Opportunity
wolfssl
1
200
yaSSL 2010-2011 Technical and Community Update
wolfssl
1
58
Securing MySQL with a Focus on SSL
wolfssl
1
79
Securing memcache
wolfssl
1
170

Other Decks in Technology

See All in Technology
APIファーストなプロダクトマネジメントの実践 〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform
oztick139
0
110
エンジニア候補者向け資料2024.04.24.pdf
macloud
0
3.3k
どうするコスト最適化のトレードオフ
tetsuyaooooo
1
520
Tellus の衛星データを見てみよう #mf_fukuoka
kongmingstrap
0
190
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
1.2k
JSON攻略法.pdf
miyakemito
8
5k
GraphQL 成熟度モデルの紹介と、プロダクトに当てはめた事例 / GraphQL maturity model
mh4gf
7
1.3k
反実仮想機械学習とは何か
usaito
PRO
11
4.6k
Python と Snowflake はズッ友だょ!~ Snowflake の Python 関連機能をふりかえる ~
__allllllllez__
1
120
プラットフォームってつくることより計測することが重要なんじゃないかという話 / Platform Engineering Meetup #8
taishin
1
370
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
2
480
VSCodeの拡張機能を作っている話
ebarakazuhiro
1
400

Featured

See All Featured
Faster Mobile Websites
deanohume
299
30k
Done Done
chrislema
178
15k
Why Our Code Smells
bkeepers
PRO
331
56k
Optimizing for Happiness
mojombo
370
69k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
The Power of CSS Pseudo Elements
geoffreycrofte
60
5k
Writing Fast Ruby
sferik
621
60k
Imperfection Machines: The Place of Print at Facebook
scottboms
260
12k
KATA
mclloyd
15
12k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
116
18k

Transcript

  1. Secure Communication USABILITY AND NECESSITY OF SSL / TLS Slide

    1 / 33 © Copyright 2012 yaSSL

  2. 1.  Why is this important? 2.  What is SSL? 3. 

    Where is SSL being used? 4.  Features: What to look for in an SSL library? © Copyright 2012 yaSSL Slide 2 / 33 We’re going to talk about:

  3. © Copyright 2012 yaSSL Slide 3 / 33 Why is

    This Important? •  Number  of  connected  devices  is  ever  increasing   •  Frequent  Road-­‐blocks:   –  Lack  of  understanding   –  Insufficient  funding   –  Tight  deadlines    

  4. © Copyright 2012 yaSSL Slide 4 / 33 Why is

    This Important? Ivan  Ris)c:  Internet  SSL  Survey  2010   hDp://www.ssllabs.com       •  Alexa  Top  1M  Sites      120,000  Use  SSL  (12%)           Alexa  Top  1M   Use  SSL  –  12%  

  5. © Copyright 2012 yaSSL Slide 5 / 33 What is

    SSL? X509, Encryption, handshakes, and more.

  6. What is SSL? •  Enables  secure  client  /  server  communicaSon,

     providing:             Privacy                  +  Prevent  eavesdropping   Authen)ca)on              +  Prevent  impersonaSon   Integrity                +  Prevent  modificaSon   Slide 6 / 33 © Copyright 2012 yaSSL

  7. Where does SSL fit? •  Layered  between  Transport  and  Applica)on

     layers   Network Access IP TCP SSL Record Layer SSL Handshake Protocol SSL Change Cipher Spec Protocol SSL Alert Protocol HTTP LDAP, etc. HTTP SMTP, etc. Protocols Secured by SSL/TLS Network Layer Internet Layer Transport Layer Application Layer Slide 7 / 33 © Copyright 2012 yaSSL

  8. SSL: Authentication •  Do  you  really  know  who  you’re  communicaSng

     with?   ? ? Alice   Bob   Slide 8 / 33 © Copyright 2012 yaSSL

  9. SSL: Authentication •  Generate  a  key  pair  (private  and  public

     key)   Alice   Bob   Private   Private   Public   Public   Slide 9 / 33 © Copyright 2012 yaSSL

  10. X509 Cert SSL: Authentication •  X.509  CerSficate  ==  Wrapper  around

     public  key   Alice   Bob   Private   Private   Public   Public   X509 Cert Slide 10 / 33 © Copyright 2012 yaSSL

  11. X509 Cert SSL: X.509 Certificates -----BEGIN CERTIFICATE-----! MIIEmDCCA4CgAwIBAgIJAIdKdb6RZtg9MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD! VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwG! A1UEChMFeWFTU0wxFDASBgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cu!

    eWFzc2wuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0xMTEw! MjQxODIxNTVaFw0xNDA3MjAxODIxNTVaMIGOMQswCQYDVQQGEwJVUzEPMA0GA1UE! CBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFTU0wxFDAS! BgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJ! KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP! ADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Quml7xsNE! ntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvk! NPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+! v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOwzu8Zza7/! eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOw! Y7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOB9jCB8zAdBgNVHQ4EFgQU! M9hFZtdohxh+VA1wJ5HHJteFZcAwgcMGA1UdIwSBuzCBuIAUM9hFZtdohxh+VA1w! J5HHJteFZcChgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24x! ETAPBgNVBAcTCFBvcnRsYW5kMQ4wDAYDVQQKEwV5YVNTTDEUMBIGA1UECxMLUHJv! Z3JhbW1pbmcxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEW! DmluZm9AeWFzc2wuY29tggkAh0p1vpFm2D0wDAYDVR0TBAUwAwEB/zANBgkqhkiG! 9w0BAQUFAAOCAQEAHHxCgSmeIc/Q2MFUb8yuFAk4/2iYmpVTdhh75jB27CgNdafe! 4M2O1VUjakcrTo38fQaj2A+tXtYEyQAz+3cn07UDs3shdDELSq8tGrOTjszzXz2Q! P8zjVRmRe3gkLkoJuxhOYS2cxgqgNJGIcGs7SEe8eZSioE0yR1TCo9wu0lFMKTkR! /+IVXliXNvbpBgaGDo2dlQNysosZfOkUbqGIc2hYbXFewtXTE9Jf3uoDvuIAQOXO! /eaSMVfD67tmrMsvGvrgYqJH9JNDKktsXgov+efmSmOGsKwqoeu0W2fNMuS2EUua! cmYNokp2j/4ivIP927fVqe4FybFxfhsr4eOvwA==! -----END CERTIFICATE-----! Slide 11 / 33 © Copyright 2012 yaSSL

  12. X509 Cert SSL: X.509 Certificates Certificate:! Data:! Version: 3 (0x2)!

    Serial Number:! 87:4a:75:be:91:66:d8:3d! Signature Algorithm: sha1WithRSAEncryption! Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/ [email protected]! Validity! Not Before: Oct 24 18:21:55 2011 GMT! Not After : Jul 20 18:21:55 2014 GMT! Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/ [email protected]! Subject Public Key Info:! Public Key Algorithm: rsaEncryption! Public-Key: (2048 bit)! Modulus: 00:c3:03:d1:2b:fe:39:a4 …! ! ! Exponent: 65537 (0x10001)! X509v3 extensions:! X509v3 Subject Key Identifier: ! 33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0! X509v3 Authority Key Identifier: ! keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0! DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL/OU=Programming/CN=www.yassl.com/ [email protected]! serial:87:4A:75:BE:91:66:D8:3D! ! X509v3 Basic Constraints: ! CA:TRUE! Signature Algorithm: sha1WithRSAEncryption! … 1c:7c:42:81:29:9e:21:cf:d0:d8! Slide 12 / 33 © Copyright 2012 yaSSL

  13. X509 Cert CA X509 Cert CA SSL: Authentication •  Alice

     and  Bob  exchange  CA-­‐signed  public  keys   Alice   Bob   Private   Private   Public   Public   Slide 13 / 33 © Copyright 2012 yaSSL

  14. SSL: Authentication •  How  do  you  get  a  CA-­‐signed  cert?

      Buy   VeriSign, DigiCert, Comodo, etc. -  Costs $$$ -  Trusted Create     Created yourself (self-sign) -  Free! -  Trusted (if you control both sides) Slide 14 / 33 © Copyright 2012 yaSSL

  15. •  Uses  a  variety  of  encrypSon  algorithms  to  secure  data

      Hashing  Func)ons   Block  and  Stream  Ciphers   Public  Key  Op)ons   MD4, MD5, SHA … DES, 3DES, AES, ARC4 … RSA, DSS … CIPHER  SUITE   SSL: Encryption Slide 15 / 33 © Copyright 2012 yaSSL

  16. •  A  common  CIPHER  SUITE  is  negoSated   Protocol_keyexchange_WITH_bulkencrypSon_mode_messageauth  

    SSL_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA SSL: Encryption Slide 16 / 33 © Copyright 2012 yaSSL

  17. SSL: Handshake Client Hello Cryptographic Info (SSL version, supported ciphers,

    etc.) Client Server Server Hello Cipher Suite Server Certificate Server Key Exchange (public key) ( Client Certificate Request ) Server Hello Done Client Key Exchange ( Certificate Verify ) ( Client Certificate ) Change Cipher Spec Client Finished Change Cipher Spec Server Finished Exchange Messages (Encrypted) 1 2 3 4 5 6 7 8 Verify server cert, check crypto parameters Verify client cert (if required) Slide 17 / 33 © Copyright 2012 yaSSL

  18. © Copyright 2012 yaSSL Slide 18 / 39 Where is

    SSL used? Everywhere!

  19. SSL: Where is it used? •  Energy  Monitoring   • 

    Gaming   •  Databases   •  Sensors   •  VoIP   •  M2M  communicaSon   •  And  much  more...     Slide 19 / 33 © Copyright 2012 yaSSL

  20. © Copyright 2012 yaSSL Slide 20 / 33 What to

    look for? When shopping for an SSL stack.

  21. 1: Protocols •  Support  for  current  protocols?   SSL  2.0

      SSL  3.0     TLS  1.0   TLS  1.1   TLS  1.2     DTLS  1.2   1995   1996     1999   2006   2008     2012   DTLS  1.0   Notes:     •  SSL  2.0  is  insecure   •  SSL  =  “Secure  Sockets  Layer”   •  TLS  =  “Transport  Layer  Security”   •  DTLS  =  “Datagram  TLS”   Slide 21 / 33 © Copyright 2012 yaSSL

  22. 2: Ciphers •  Support  for  needed  cipher  suites?   Block

     /  Stream   Public  Key   Hash   RSA,  DSS,  DH,   NTRU   …   DES,  3DES,   AES,  ARC4,   RABBIT,   HC-­‐128   …   MD2,  MD4,   MD5,   SHA-­‐128,   SHA-­‐256,   RIPEMD   …   TLS_RSA_WITH_AES_128_CBC_SHA Ex:   Slide 22 / 33 © Copyright 2012 yaSSL

  23. 3: Memory Usage •  ROM  /  RAM  usage   30

      1,200   0   200   400   600   800   1000   1200   1400   ROM  (kB)   3   150   0   20   40   60   80   100   120   140   160   RAM  (kB)   Slide 23 / 33 © Copyright 2012 yaSSL

  24. 4: Simple to Use •  Learning  curve?   •  Myth:

     EncrypSon  is  too  hard  to  use.   Slide 24 / 33 © Copyright 2012 yaSSL

  25. 5: Portability •  OS  support  out-­‐of-­‐the-­‐box?   •  Customizable?  

    Slide 25 / 33 © Copyright 2012 yaSSL

  26. 6: Hardware Acceleration •  Support  for  hardware  acceleraSon?   • 

    Assembly  code  opSmizaSons   Slide 26 / 33 © Copyright 2012 yaSSL

  27. 7: License •  Flexible  license  model?   •  Does  it

     meet  your  license  needs?   GPLv2  /  Commercial   Commercial   MIT   GPL   LGPL   Proprietary   BSD   Slide 27 / 33 © Copyright 2012 yaSSL

  28. 8: Maturity •  Track  record?   •  Code  origin?  

    •  AcSvely  developed?   Slide 28 / 33 © Copyright 2012 yaSSL

  29. 9: Compatibility •  Is  interoperability  tesSng  being  conducted?   • 

    What  browsers  is  the  library  acSvely  tested  against?   Slide 29 / 33 © Copyright 2012 yaSSL

  30. 10: Crypto Access •  Direct  access  to  crypto?    

    Many  reasons:   -­‐  Direct  encrypSon   -­‐  Code  Signing   -­‐  Verifying  hashes,  etc.   Slide 30 / 33 © Copyright 2012 yaSSL

  31. 11: Support •  What  happens  if:     –  Something

     goes  wrong   –  You  can’t  get  it  to  work  on  your  system   –  New  vulnerability  comes  out   –  You  need  a  new  cipher/feature   •  Is  there  support  available  to  help  you  out?   Slide 31 / 33 © Copyright 2012 yaSSL

  32. SSL: Shopping List 1.  Protocols   2.  Ciphers   3. 

    Memory  Usage   4.  Simple  to  Use   5.  Portability   6.  Hardware  AcceleraSon   7.  License   8.  Maturity   9.  CompaSbility   10.  Crypto  Access   11.  Support   Slide 32 / 33 © Copyright 2012 yaSSL

  33. Thanks! www.yassl.com [email protected] [email protected] © Copyright 2012 yaSSL Slide 33

    / 33