SSL Flashcards
SSL accomplishes two things
Trust and Encryption
Trust - Users have an expectation when using an application
The Reality of Security
- Wireless networks are open to listening
- Network services can be hijacked, or replaced
- Man-in-the-middle attacks are easy.
- SSL vulnerabilities are infamous
What does SSL accomplish?
Trust
- SSL proves that the server is who it claims to be
Encryption
- SSL scrambles data between a server and its users
Encryption
Encryption is just converting something that you can see into something that you can't see, and then being able to convert it back again.
- Encryption converts something to code
- It can secure important data in transit
SSL
When we talk about SSL, we're talking about securing important data across a network, which means securing it in transit.
So we do that in a couple of different ways in SSL.
Symmetric Key Encryption
Public Key Encryption (asymmetric key cryptography)
Symmetric Key Encryption
is the creation of ONE complicated key that could be used to scramble something. You only use that one key to encode and decode information. Both the receiver and the sender have that one key for encryption and decryption.
Public Key Cryptography
(Asymmetric Key Cryptography)
Uses TWO different keys. You have a private key that is always kept in a secure location; it is never let out of the server that it operates on. We also create a public key that is mathematically linked to the private key. The public key is not identical to the private key; they are different. But because they are mathematically keyed to one another, anyone who gets hold of the public key, which is freely available across the network, only has to take their content, encode it with the public key, and send it to the server. Because the private key is mathematically linked to the public key, the server is able to decrypt what was encoded with the public key.
Symmetric Keys
- Symmetric keys are identical at both ends
- Symmetric keys need to be secured
- Symmetric keys can be inconvenient to distribute
Asymmetric Keys
- Asymmetric keys are different at each end
- The private key must be secured
- The public key can be freely distributed
- Only the private key can decrypt public-key encodings
Public and Private SSL
SSL vs TLS vs OpenSSL
Security standards to encrypt data going across a network
SSL is Secure Sockets Layer and is a security standard invented in the mid-90s to secure web traffic for Netscape.
TLS is Transport Layer Security and came after SSL, based upon its success in the late 90s. Both of them secure network communications with encryption.
OpenSSL was developed as an open source standard that uses SSL and TLS to protect both operating systems and programs.
Vulnerabilities
Heartbleed
Timing
Denial of Service
OCSP interception
CSS injection