Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Communication: Usability and Necessity o...

wolfSSL
April 24, 2012
Technology
2
260

Secure Communication: Usability and Necessity of SSL/TLS

Network-related applications and devices often use secure communication. Although keeping network communications safe should be a top priority to all developers and engineers, it often gets left behind due to lack of understanding, insufficient funding, or looming deadlines.

Securing a project with SSL should not have to include a steep learning curve, deep pockets, or an unlimited time frame. By learning a few basics of how things work, where the technology is best used, and what features to look for when trying to choose the right SSL implementation, a developer or engineer can easily, simply, and quickly secure their project - putting both themselves and their employer's minds at ease.

This presentation will introduce SSL - including why secure communication is important, introductory details about SSL, x509, and the underlying cryptography. It will give an overview of where SSL is used today - including Home Energy, Gaming, Databases, Sensors, VoIP, and more. A description of important items to look for when trying to choose an SSL implementation will give developers and engineers a solid foundation to begin securing their projects with SSL and will enable them to have more informed discussions with potential vendors.

Originally presented at Infosecurity Europe 2012 by Chris Conlon.

Learn more at www.yassl.com.

wolfSSL

April 24, 2012
Tweet

More Decks by wolfSSL

See All by wolfSSL
Secure Industrial Device Connectivity with Low-Overhead TLS
wolfssl
1
110
wolfSSL and TLS 1.3
wolfssl
1
330
wolfSSL Year In Review -
wolfssl
0
290
Embedded Security for Devices
wolfssl
1
86
Kerberos + Android: A Tale of Opportunity
wolfssl
1
220
yaSSL 2010-2011 Technical and Community Update
wolfssl
1
61
Securing MySQL with a Focus on SSL
wolfssl
1
86
Securing memcache
wolfssl
1
190

Other Decks in Technology

See All in Technology
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.2k
Lambdaと地方とコミュニティ
miu_crescent
2
370
Platform Engineering for Software Developers and Architects
syntasso
1
520
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
380
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.8k
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.6k
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
1
180
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
470
TypeScript、上達の瞬間
sadnessojisan
46
13k
いざ、BSC討伐の旅
nikinusu
2
780
DMARC 対応の話 - MIXI CTO オフィスアワー #04
bbqallstars
1
160
強いチームと開発生産性
onk
PRO
34
11k

Featured

See All Featured
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Thoughts on Productivity
jonyablonski
67
4.3k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Rails Girls Zürich Keynote
gr2m
94
13k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Agile that works and the tools we love
rasmusluckow
327
21k
Building Your Own Lightsaber
phodgson
103
6.1k
Fireside Chat
paigeccino
34
3k
Making Projects Easy
brettharned
115
5.9k
Git: the NoSQL Database
bkeepers
PRO
427
64k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
Why Our Code Smells
bkeepers
PRO
334
57k

Transcript

  1. Secure Communication USABILITY AND NECESSITY OF SSL / TLS Slide

    1 / 33 © Copyright 2012 yaSSL

  2. 1.  Why is this important? 2.  What is SSL? 3. 

    Where is SSL being used? 4.  Features: What to look for in an SSL library? © Copyright 2012 yaSSL Slide 2 / 33 We’re going to talk about:

  3. © Copyright 2012 yaSSL Slide 3 / 33 Why is

    This Important? •  Number  of  connected  devices  is  ever  increasing   •  Frequent  Road-­‐blocks:   –  Lack  of  understanding   –  Insufficient  funding   –  Tight  deadlines    

  4. © Copyright 2012 yaSSL Slide 4 / 33 Why is

    This Important? Ivan  Ris)c:  Internet  SSL  Survey  2010   hDp://www.ssllabs.com       •  Alexa  Top  1M  Sites      120,000  Use  SSL  (12%)           Alexa  Top  1M   Use  SSL  –  12%  

  5. © Copyright 2012 yaSSL Slide 5 / 33 What is

    SSL? X509, Encryption, handshakes, and more.

  6. What is SSL? •  Enables  secure  client  /  server  communicaSon,

     providing:             Privacy                  +  Prevent  eavesdropping   Authen)ca)on              +  Prevent  impersonaSon   Integrity                +  Prevent  modificaSon   Slide 6 / 33 © Copyright 2012 yaSSL

  7. Where does SSL fit? •  Layered  between  Transport  and  Applica)on

     layers   Network Access IP TCP SSL Record Layer SSL Handshake Protocol SSL Change Cipher Spec Protocol SSL Alert Protocol HTTP LDAP, etc. HTTP SMTP, etc. Protocols Secured by SSL/TLS Network Layer Internet Layer Transport Layer Application Layer Slide 7 / 33 © Copyright 2012 yaSSL

  8. SSL: Authentication •  Do  you  really  know  who  you’re  communicaSng

     with?   ? ? Alice   Bob   Slide 8 / 33 © Copyright 2012 yaSSL

  9. SSL: Authentication •  Generate  a  key  pair  (private  and  public

     key)   Alice   Bob   Private   Private   Public   Public   Slide 9 / 33 © Copyright 2012 yaSSL

  10. X509 Cert SSL: Authentication •  X.509  CerSficate  ==  Wrapper  around

     public  key   Alice   Bob   Private   Private   Public   Public   X509 Cert Slide 10 / 33 © Copyright 2012 yaSSL

  11. X509 Cert SSL: X.509 Certificates -----BEGIN CERTIFICATE-----! MIIEmDCCA4CgAwIBAgIJAIdKdb6RZtg9MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD! VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwG! A1UEChMFeWFTU0wxFDASBgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cu!

    eWFzc2wuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0xMTEw! MjQxODIxNTVaFw0xNDA3MjAxODIxNTVaMIGOMQswCQYDVQQGEwJVUzEPMA0GA1UE! CBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFTU0wxFDAS! BgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJ! KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP! ADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Quml7xsNE! ntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvk! NPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+! v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOwzu8Zza7/! eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOw! Y7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOB9jCB8zAdBgNVHQ4EFgQU! M9hFZtdohxh+VA1wJ5HHJteFZcAwgcMGA1UdIwSBuzCBuIAUM9hFZtdohxh+VA1w! J5HHJteFZcChgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24x! ETAPBgNVBAcTCFBvcnRsYW5kMQ4wDAYDVQQKEwV5YVNTTDEUMBIGA1UECxMLUHJv! Z3JhbW1pbmcxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEW! DmluZm9AeWFzc2wuY29tggkAh0p1vpFm2D0wDAYDVR0TBAUwAwEB/zANBgkqhkiG! 9w0BAQUFAAOCAQEAHHxCgSmeIc/Q2MFUb8yuFAk4/2iYmpVTdhh75jB27CgNdafe! 4M2O1VUjakcrTo38fQaj2A+tXtYEyQAz+3cn07UDs3shdDELSq8tGrOTjszzXz2Q! P8zjVRmRe3gkLkoJuxhOYS2cxgqgNJGIcGs7SEe8eZSioE0yR1TCo9wu0lFMKTkR! /+IVXliXNvbpBgaGDo2dlQNysosZfOkUbqGIc2hYbXFewtXTE9Jf3uoDvuIAQOXO! /eaSMVfD67tmrMsvGvrgYqJH9JNDKktsXgov+efmSmOGsKwqoeu0W2fNMuS2EUua! cmYNokp2j/4ivIP927fVqe4FybFxfhsr4eOvwA==! -----END CERTIFICATE-----! Slide 11 / 33 © Copyright 2012 yaSSL

  12. X509 Cert SSL: X.509 Certificates Certificate:! Data:! Version: 3 (0x2)!

    Serial Number:! 87:4a:75:be:91:66:d8:3d! Signature Algorithm: sha1WithRSAEncryption! Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/ [email protected]! Validity! Not Before: Oct 24 18:21:55 2011 GMT! Not After : Jul 20 18:21:55 2014 GMT! Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/ [email protected]! Subject Public Key Info:! Public Key Algorithm: rsaEncryption! Public-Key: (2048 bit)! Modulus: 00:c3:03:d1:2b:fe:39:a4 …! ! ! Exponent: 65537 (0x10001)! X509v3 extensions:! X509v3 Subject Key Identifier: ! 33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0! X509v3 Authority Key Identifier: ! keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0! DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL/OU=Programming/CN=www.yassl.com/ [email protected]! serial:87:4A:75:BE:91:66:D8:3D! ! X509v3 Basic Constraints: ! CA:TRUE! Signature Algorithm: sha1WithRSAEncryption! … 1c:7c:42:81:29:9e:21:cf:d0:d8! Slide 12 / 33 © Copyright 2012 yaSSL

  13. X509 Cert CA X509 Cert CA SSL: Authentication •  Alice

     and  Bob  exchange  CA-­‐signed  public  keys   Alice   Bob   Private   Private   Public   Public   Slide 13 / 33 © Copyright 2012 yaSSL

  14. SSL: Authentication •  How  do  you  get  a  CA-­‐signed  cert?

      Buy   VeriSign, DigiCert, Comodo, etc. -  Costs $$$ -  Trusted Create     Created yourself (self-sign) -  Free! -  Trusted (if you control both sides) Slide 14 / 33 © Copyright 2012 yaSSL

  15. •  Uses  a  variety  of  encrypSon  algorithms  to  secure  data

      Hashing  Func)ons   Block  and  Stream  Ciphers   Public  Key  Op)ons   MD4, MD5, SHA … DES, 3DES, AES, ARC4 … RSA, DSS … CIPHER  SUITE   SSL: Encryption Slide 15 / 33 © Copyright 2012 yaSSL

  16. •  A  common  CIPHER  SUITE  is  negoSated   Protocol_keyexchange_WITH_bulkencrypSon_mode_messageauth  

    SSL_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA SSL: Encryption Slide 16 / 33 © Copyright 2012 yaSSL

  17. SSL: Handshake Client Hello Cryptographic Info (SSL version, supported ciphers,

    etc.) Client Server Server Hello Cipher Suite Server Certificate Server Key Exchange (public key) ( Client Certificate Request ) Server Hello Done Client Key Exchange ( Certificate Verify ) ( Client Certificate ) Change Cipher Spec Client Finished Change Cipher Spec Server Finished Exchange Messages (Encrypted) 1 2 3 4 5 6 7 8 Verify server cert, check crypto parameters Verify client cert (if required) Slide 17 / 33 © Copyright 2012 yaSSL

  18. © Copyright 2012 yaSSL Slide 18 / 39 Where is

    SSL used? Everywhere!

  19. SSL: Where is it used? •  Energy  Monitoring   • 

    Gaming   •  Databases   •  Sensors   •  VoIP   •  M2M  communicaSon   •  And  much  more...     Slide 19 / 33 © Copyright 2012 yaSSL

  20. © Copyright 2012 yaSSL Slide 20 / 33 What to

    look for? When shopping for an SSL stack.

  21. 1: Protocols •  Support  for  current  protocols?   SSL  2.0

      SSL  3.0     TLS  1.0   TLS  1.1   TLS  1.2     DTLS  1.2   1995   1996     1999   2006   2008     2012   DTLS  1.0   Notes:     •  SSL  2.0  is  insecure   •  SSL  =  “Secure  Sockets  Layer”   •  TLS  =  “Transport  Layer  Security”   •  DTLS  =  “Datagram  TLS”   Slide 21 / 33 © Copyright 2012 yaSSL

  22. 2: Ciphers •  Support  for  needed  cipher  suites?   Block

     /  Stream   Public  Key   Hash   RSA,  DSS,  DH,   NTRU   …   DES,  3DES,   AES,  ARC4,   RABBIT,   HC-­‐128   …   MD2,  MD4,   MD5,   SHA-­‐128,   SHA-­‐256,   RIPEMD   …   TLS_RSA_WITH_AES_128_CBC_SHA Ex:   Slide 22 / 33 © Copyright 2012 yaSSL

  23. 3: Memory Usage •  ROM  /  RAM  usage   30

      1,200   0   200   400   600   800   1000   1200   1400   ROM  (kB)   3   150   0   20   40   60   80   100   120   140   160   RAM  (kB)   Slide 23 / 33 © Copyright 2012 yaSSL

  24. 4: Simple to Use •  Learning  curve?   •  Myth:

     EncrypSon  is  too  hard  to  use.   Slide 24 / 33 © Copyright 2012 yaSSL

  25. 5: Portability •  OS  support  out-­‐of-­‐the-­‐box?   •  Customizable?  

    Slide 25 / 33 © Copyright 2012 yaSSL

  26. 6: Hardware Acceleration •  Support  for  hardware  acceleraSon?   • 

    Assembly  code  opSmizaSons   Slide 26 / 33 © Copyright 2012 yaSSL

  27. 7: License •  Flexible  license  model?   •  Does  it

     meet  your  license  needs?   GPLv2  /  Commercial   Commercial   MIT   GPL   LGPL   Proprietary   BSD   Slide 27 / 33 © Copyright 2012 yaSSL

  28. 8: Maturity •  Track  record?   •  Code  origin?  

    •  AcSvely  developed?   Slide 28 / 33 © Copyright 2012 yaSSL

  29. 9: Compatibility •  Is  interoperability  tesSng  being  conducted?   • 

    What  browsers  is  the  library  acSvely  tested  against?   Slide 29 / 33 © Copyright 2012 yaSSL

  30. 10: Crypto Access •  Direct  access  to  crypto?    

    Many  reasons:   -­‐  Direct  encrypSon   -­‐  Code  Signing   -­‐  Verifying  hashes,  etc.   Slide 30 / 33 © Copyright 2012 yaSSL

  31. 11: Support •  What  happens  if:     –  Something

     goes  wrong   –  You  can’t  get  it  to  work  on  your  system   –  New  vulnerability  comes  out   –  You  need  a  new  cipher/feature   •  Is  there  support  available  to  help  you  out?   Slide 31 / 33 © Copyright 2012 yaSSL

  32. SSL: Shopping List 1.  Protocols   2.  Ciphers   3. 

    Memory  Usage   4.  Simple  to  Use   5.  Portability   6.  Hardware  AcceleraSon   7.  License   8.  Maturity   9.  CompaSbility   10.  Crypto  Access   11.  Support   Slide 32 / 33 © Copyright 2012 yaSSL

  33. Thanks! www.yassl.com [email protected] [email protected] © Copyright 2012 yaSSL Slide 33

    / 33