The Secure Sockets Layer Protocol (SSL)
Author: Taher Elgamal  Source: Danvers IETF Meeting  Published: 2005-08-11

Agenda

  • Transaction security on the Internet
  • Which problems does SSL target
  • Objectives for SSL
  • The SSL protocol in detail
  • Other Internet security issues
  • Future directions for SSL

Transaction Security on the Internet

  • Privacy
    • Encryption of data
  • Authentication
    • Client and server authentication
    • Proof of authorship
    • User authentication and non-repudiation
  • Integrity
    • Guard against tampering with data on the network

Privacy

  • Data encryption is required for privacy applications
  • Ensure data is readable only by the intended recipient -- not necessarily the first recipient

Authentication

  • Client authentication to the server, and server authentication to the client to create an authenticated channel
    • System function at connection time
    • Should be independent of the application or the application protocol
  • Digital signatures for proof of authorship
    • Authorize financial transactions
  • Signatures on receipts and other data for non-repudiation purposes
    • Application specific in general

Integrity

  • Ensure the data is not altered, whether intentionally or unintentionally

Which Problems Does SSL Target

  • Authenticating the client and the server to each other
  • Securing the traffic over the communications channel
  • Ensuring data integrity

SSL -- Design Objectives and Constraints

  • Support many applications and protocols
  • Use available TCP/IP based networks
  • Requires a reliable transport layer (e.g. TCP)
  • Applications (and developers) need to support SSL, but do not need to worry about key generation and negotiation techniques

SSL in Detail

     _________________________________________________
    |                                                 |
    |              Application Layers                 |
    |_________________________________________________|
     ______   ______    ______                  ______
    |      | |      |  |      |                |      |
    |      | |      |  |      |                |      |
    | HTTP | | NNTP |  | FTP  | . . .          | SHTTP|
    |      | |      |  |      |                |      |
    |______| |______|  |______|                |______|
     _________________________________________________
    |                      SSL                        |
    |_________________________________________________|
     _________________________________________________
    |                                                 |
    |                    TCP/IP                       |
    |                                                 |
    |_________________________________________________|

SSL -- Negotiation Phase

  • The client initiates the session
  • The server responds and sends its certificate
  • The client generates the master key and sends it encrypted using the server's public key
  • Requires a server certificate but does not require a client certificate
  • Requires a certain level of trust in the server's certificate
  • Optional client certificate can be used to authenticate the client to the server

SSL -- Negotiation Phase

   __________                          _______________
  |          |                        |               |
  |  Client  |                        |     Server    |
  |__________|                        |_______________|
                    start session
             -------------------------->
                     certificate 
             <--------------------------
                  encrypted master key
             -------------------------->
                  Session established,
             <--------------------------
                      request cert

              certificate and other data
             --------------------------->

                  data encrypted with
             <-------------------------->
                     session key

SSL -- Supported Methods

  • Symmetric Ciphers
    • DES, RC2, RC4, IDEA and Triple DES
    • 40-bit exportable versions of RC2, RC4
  • Public-key Ciphers
    • RSA for key encryption and digital certificates
  • Certificates
    • X.509 certificate support
  • Message Digests
    • MD5 used for MAC computation

SSL -- Privacy

  • Master key established by the client using the server's public key
  • Master key used to generate two session keys (one for each direction)
  • Once the session keys are established, all traffic is "transparently" encrypted in both directions
  • All operations can happen transparently from the point of view of the user and of higher-layer protocols

SSL -- Authentication and Integrity

  • Server certificate is required to authenticate the server
  • Client certificate is optional
  • MAC computed for each record using MD5
  • Uses a record sequence number to ensure record freshness
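
The key split from the Privacy slide and the per-record MAC from this slide, as an added example (not code from the presentation or from SSLREF). The MD5 input layout is modeled on the SSL 2.0 construction; the `challenge` and `connection_id` inputs, the function names and the sample values are assumptions not given on this page.

```python
import hashlib
import hmac
import struct

def derive_session_keys(master_key: bytes, challenge: bytes, connection_id: bytes):
    """Derive two 16-byte session keys (one per direction) from one master key."""
    km0 = hashlib.md5(master_key + b"0" + challenge + connection_id).digest()
    km1 = hashlib.md5(master_key + b"1" + challenge + connection_id).digest()
    return km0, km1  # from the client's side: (read key, write key)

def record_mac(write_key: bytes, data: bytes, seq: int) -> bytes:
    """MD5 over secret || data || 32-bit big-endian sequence number.
    Padding is omitted: this models the stream-cipher (RC4) case."""
    return hashlib.md5(write_key + data + struct.pack(">I", seq & 0xFFFFFFFF)).digest()

class Receiver:
    """Verifies records in order. The sequence number is never sent on the
    wire; each side keeps its own counter, which is what gives freshness."""
    def __init__(self, peer_write_key: bytes):
        self.key = peer_write_key
        self.seq = 0

    def accept(self, data: bytes, mac: bytes) -> bool:
        expected = record_mac(self.key, data, self.seq)
        if not hmac.compare_digest(expected, mac):
            return False      # tampered, replayed or out-of-order record
        self.seq += 1         # counter advances only on a valid record
        return True

def demo():
    # Constructed sample values, not taken from a real session.
    master, challenge, conn_id = bytes(range(16)), b"C" * 16, b"S" * 16
    client_read, client_write = derive_session_keys(master, challenge, conn_id)
    server = Receiver(client_write)
    first = b"GET / HTTP/1.0\r\n\r\n"
    first_mac = record_mac(client_write, first, 0)
    return {
        "keys_differ": client_read != client_write,
        "first": server.accept(first, first_mac),
        "replay_of_first": server.accept(first, first_mac),  # counter is now 1
        "second": server.accept(b"second record",
                                record_mac(client_write, b"second record", 1)),
        "tampered": server.accept(b"third recorD",
                                  record_mac(client_write, b"third record", 2)),
    }

if __name__ == "__main__":
    print(demo())
```

A replayed record fails because the receiver's counter has already moved past the sequence number its MAC was computed over.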

SSL -- Efficiency Issues

  • Master key can be used for multiple sessions -- reduces the overhead of private key encryption operations
  • Session key generation uses MD5 -- very fast
  • Two session keys for RC4 support

SSL Exportability

  • Supports 40-bit RC2 and RC4 for bulk encryption
  • Supports 512-bit RSA keys for digital certificates

SSL Availability

  • Informational RFC
  • Reference implementation available
  • SSLREF 1.1 is almost complete, full source in ANSI C
  • Protocol spec available

Other Internet Security Issues

  • Access control and authorization schemes
  • Digital signatures
    • Proof of origination
  • Non-repudiation
    • Proof of receipt

SSL -- Future Directions

  • Key Negotiation
    • Diffie-Hellman
  • Improved Certificate Management
    • Certificate chains
    • Longer RSA keys for server certificates
    • PKCS #7, PEM certificate formats
  • Other implementation items
  • Solicit input from standards bodies and other interested groups
  • Work with other standards efforts to establish common standards for security issues in different applications and protocols