1 / 25

SSL Trust Pitfalls

SSL Trust Pitfalls. Prof. Ravi Sandhu. THE CERTIFICATE TRIANGLE. user. X.509 attribute certificate. X.509 identity certificate. attribute. public-key. SPKI certificate. SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA. Handshake Protocol. Record Protocol.

una
Download Presentation

SSL Trust Pitfalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SSL Trust Pitfalls Prof. Ravi Sandhu

  2. THE CERTIFICATE TRIANGLE user X.509 attribute certificate X.509 identity certificate attribute public-key SPKI certificate

  3. SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA Handshake Protocol Record Protocol

  4. CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA Handshake Protocol Record Protocol

  5. SINGLE ROOT CA MODEL Root CA a b c d e f g h i j k l m n o p Root CA User

  6. User RA User RA User RA SINGLE ROOT CAMULTIPLE RA’s MODEL Root CA a b c d e f g h i j k l m n o p Root CA

  7. MULTIPLE ROOT CA’s MODEL Root CA Root CA Root CA a b c d e f g h i j k l m n o p Root CA User Root CA User Root CA User

  8. ROOT CA PLUS INTERMEDIATE CA’s MODEL Z X Y Q R S T A C E G I K M O a b c d e f g h i j k l m n o p

  9. SECURE ELECTRONIC TRANSACTIONS (SET) CA HIERARCHY Root Brand Brand Brand Geo-Political Bank Acquirer Customer Merchant

  10. MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL X S T Q R A C E G I K M O a b c d e f g h i j k l m n o p

  11. MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL X S T Q R A C E G I K M O a b c d e f g h i j k l m n o p

  12. MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL X S T Q R A C E G I K M O a b c d e f g h i j k l m n o p

  13. MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL • Essentially the model on the web today • Deployed in server-side SSL mode • Client-side SSL mode yet to happen

  14. SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA Handshake Protocol Record Protocol

  15. SERVER-SIDE MASQUARADING Bob Web browser www.host.com Web server Server-side SSL Ultratrust Security Services www.host.com

  16. SERVER-SIDE MASQUARADING Bob Web browser www.host.com Web server Ultratrust Security Services Server-side SSL Server-side SSL Mallory’s Web server www.host.com BIMM Corporation www.host.com

  17. SERVER-SIDE MASQUARADING Bob Web browser www.host.com Web server Ultratrust Security Services Server-side SSL Server-side SSL BIMM Corporation Mallory’s Web server www.host.com Ultratrust Security Services www.host.com

  18. CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA Handshake Protocol Record Protocol

  19. MAN IN THE MIDDLEMASQUARADING PREVENTED Client Side SSL end-to-end Ultratrust Security Services Bob Web browser www.host.com Web server Bob Ultratrust Security Services Client-side SSL Client-side SSL BIMM Corporation BIMM Corporation www.host.com Mallory’s Web server Ultratrust Security Services Ultratrust Security Services www.host.com Bob

  20. ATTRIBUTE-BASED CLIENT SIDE MASQUARADING Joe@anywhere Web browser BIMM.com Web server Client-side SSL Ultratrust Security Services Ultratrust Security Services Joe@anywhere BIMM.com

  21. ATTRIBUTE-BASED CLIENT SIDE MASQUARADING Alice@SRPC Web browser BIMM.com Web server Client-side SSL SRPC Ultratrust Security Services Alice@SRPC BIMM.com

  22. ATTRIBUTE-BASED CLIENT SIDE MASQUARADING Bob@PPC Web browser BIMM.com Web server Client-side SSL PPC Ultratrust Security Services Bob@PPC BIMM.com

  23. ATTRIBUTE-BASED CLIENT SIDE MASQUARADING Alice@SRPC Web browser BIMM.com Web server Client-side SSL SRPC Ultratrust Security Services PPC BIMM.com Bob@PPC

  24. PKI AND TRUST • Got to be very careful • Not a game for amateurs • Not many professionals as yet

  25. REFERENCES • "An overview of PKI trust models" by Perlman, R. IEEE Network, Volume: 13 Issue: 6 , Nov.-Dec. 1999 Page(s): 38-43 • "The problem with multiple roots in Web browsers-certificate masquerading" by Hayes, J.M. Proceedings Seventh IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, IEEE 1998. (WET ICE '98) 17-19 June 1998 Page(s): 306 -311. • "Restricting access with certificate attributes in multiple root environments - a recipe for certificate masquerading" by Hayes, J.M. Proc. 15th Annual Computer Security Applications Conference, IEEE, 2001, Page(s): 386-390.

More Related