SSL Trust Pitfalls
Prof. Ravi Sandhu
SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA
(diagram: Handshake Protocol, Record Protocol)

CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA
(diagram: Handshake Protocol, Record Protocol)

SINGLE ROOT CA MODEL
(diagram: one Root CA certifying users a through p directly)

SINGLE ROOT CA, MULTIPLE RA's MODEL
(diagram: one Root CA; users a through p registered through several RAs)

MULTIPLE ROOT CA's MODEL
(diagram: several independent Root CAs, each certifying its own users among a through p)

ROOT CA PLUS INTERMEDIATE CA's MODEL
(diagram: hierarchy of CAs labelled Z, X, Y, Q, R, S, T, A, C, E, G, I, K, M, O over users a through p)

MULTIPLE ROOT CA's PLUS INTERMEDIATE CA's MODEL
(diagram, built up over three slides: hierarchy of CAs labelled X, S, T, Q, R, A, C, E, G, I, K, M, O over users a through p)

MULTIPLE ROOT CA's PLUS INTERMEDIATE CA's MODEL
• Essentially the model on the web today
• Deployed in server-side SSL mode
• Client-side SSL mode yet to happen
SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA
(diagram: Handshake Protocol, Record Protocol)

SERVER-SIDE MASQUERADING
(diagram, built up over three slides: Bob's web browser connects over server-side SSL to the www.host.com web server, whose certificate for www.host.com is issued by Ultratrust Security Services; Mallory's web server presents its own certificate for www.host.com, issued by BIMM Corporation, and sits between Bob and www.host.com with a server-side SSL connection on each side)
CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA
(diagram: Handshake Protocol, Record Protocol)

MAN IN THE MIDDLE MASQUERADING PREVENTED
(diagram: client-side SSL end-to-end between Bob's web browser and the www.host.com web server, with Bob's certificate and the server's certificate both issued by Ultratrust Security Services; with client-side SSL on both legs, Mallory's web server, holding a www.host.com certificate from BIMM Corporation, cannot stand in for Bob toward www.host.com)

ATTRIBUTE-BASED CLIENT SIDE MASQUERADING
(diagram, built up over four slides: the BIMM.com web server accepts client-side SSL from Joe@anywhere with a certificate from Ultratrust Security Services, from Alice@SRPC with a certificate from SRPC, and from Bob@PPC with a certificate from PPC; in the last slide Bob@PPC presents a PPC-issued certificate carrying the identity Alice@SRPC, and BIMM.com accepts it as Alice@SRPC)
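The server-side masquerade (Bob's browser trusts both Ultratrust and BIMM, so either root can issue a www.host.com certificate) and the attribute-based client masquerade (a PPC-issued certificate can carry the name Alice@SRPC) are the same trust decision seen from two sides. The Python below is an added example, not code from the slides or from Prof. Sandhu. It models certificates as plain records and assumes the signature check a real X.509 validator does first has already passed, so that only the trust decision is shown: an ordinary "any trusted root" chain check accepts both masquerades, while issuer pinning (for the server certificate) and a per-CA name scope (for client certificates, in the spirit of X.509 name constraints) reject them. All certificate records, root sets and scopes are constructed for the example.

```python
"""Trust-decision model for the two masquerading pitfalls in the deck (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str          # name the certificate claims (host name or user identity)
    issuer: str           # CA that signed it; signature verification is assumed done
    is_ca: bool = False


def build_chain(leaf, intermediates, roots):
    """Follow issuer links from the leaf up to a trusted root.

    Returns [leaf, ..., root], or None if no trusted root is reached.
    """
    pool = {c.subject: c for c in intermediates if c.is_ca}
    root_by_name = {c.subject: c for c in roots if c.is_ca}
    chain, current = [leaf], leaf
    for _ in range(8):                      # depth limit guards against issuer loops
        if current.issuer in root_by_name:
            return chain + [root_by_name[current.issuer]]
        nxt = pool.get(current.issuer)
        if nxt is None:
            return None
        chain.append(nxt)
        current = nxt
    return None


def verify_server(leaf, expected_host, roots, intermediates=(), pinned_issuer=None):
    """Browser-side check. With pinned_issuer=None any trusted root may vouch for the host."""
    chain = build_chain(leaf, intermediates, roots)
    if chain is None:
        return False, "no path to a trusted root"
    if leaf.subject != expected_host:
        return False, f"name mismatch: certificate is for {leaf.subject}"
    if pinned_issuer is not None and pinned_issuer not in {c.subject for c in chain[1:]}:
        return False, f"chain does not pass through pinned issuer {pinned_issuer}"
    return True, "accepted via " + " -> ".join(c.subject for c in chain)


def domain_of(identity):
    """'Alice@SRPC' -> 'SRPC': the organisation part of a user identity."""
    return identity.rsplit("@", 1)[1]


def verify_client(leaf, roots, intermediates=(), name_scopes=None):
    """Server-side check. name_scopes maps a CA name to the identity domains it may vouch for."""
    chain = build_chain(leaf, intermediates, roots)
    if chain is None:
        return False, "no path to a trusted root"
    if name_scopes:
        dom = domain_of(leaf.subject)
        for ca in chain[1:]:                # every CA on the path must be allowed to vouch
            allowed = name_scopes.get(ca.subject)
            if allowed is not None and dom not in allowed:
                return False, f"{ca.subject} may not vouch for @{dom} identities"
    return True, "accepted via " + " -> ".join(c.subject for c in chain)


# Constructed roots named after the actors on the slides (self-signed).
ULTRATRUST = Cert("Ultratrust Security Services", "Ultratrust Security Services", True)
BIMM = Cert("BIMM Corporation", "BIMM Corporation", True)
SRPC = Cert("SRPC", "SRPC", True)
PPC = Cert("PPC", "PPC", True)

# Server-side masquerade: Bob's browser trusts both roots.
BROWSER_ROOTS = [ULTRATRUST, BIMM]
GENUINE_HOST = Cert("www.host.com", "Ultratrust Security Services")
MALLORY_HOST = Cert("www.host.com", "BIMM Corporation")   # Mallory's certificate


def server_side_masquerade():
    """Unpinned, Mallory's BIMM-issued certificate passes; pinning Ultratrust rejects it."""
    return {
        "genuine": verify_server(GENUINE_HOST, "www.host.com", BROWSER_ROOTS)[0],
        "mallory_unpinned": verify_server(MALLORY_HOST, "www.host.com", BROWSER_ROOTS)[0],
        "mallory_pinned": verify_server(MALLORY_HOST, "www.host.com", BROWSER_ROOTS,
                                        pinned_issuer="Ultratrust Security Services")[0],
    }


# Attribute-based client masquerade: the BIMM.com server trusts three roots.
SERVER_ROOTS = [ULTRATRUST, SRPC, PPC]
JOE = Cert("Joe@anywhere", "Ultratrust Security Services")
ALICE = Cert("Alice@SRPC", "SRPC")
FAKE_ALICE = Cert("Alice@SRPC", "PPC")     # PPC-issued certificate claiming an SRPC identity
SCOPES = {"SRPC": {"SRPC"}, "PPC": {"PPC"}, "Ultratrust Security Services": {"anywhere"}}


def client_side_masquerade():
    """Without scopes the PPC-issued 'Alice@SRPC' passes; with scopes it is rejected."""
    return {
        "joe": verify_client(JOE, SERVER_ROOTS, name_scopes=SCOPES)[0],
        "alice": verify_client(ALICE, SERVER_ROOTS, name_scopes=SCOPES)[0],
        "fake_unscoped": verify_client(FAKE_ALICE, SERVER_ROOTS)[0],
        "fake_scoped": verify_client(FAKE_ALICE, SERVER_ROOTS, name_scopes=SCOPES)[0],
    }


if __name__ == "__main__":
    print("server side:", server_side_masquerade())
    print("client side:", client_side_masquerade())
```

The point the model makes explicit is that adding a root to a trust store grants that root authority over every name, not just the names it was added for; pinning and name scoping are the two ways a relying party narrows that authority back down.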
PKI AND TRUST
• Got to be very careful
• Not a game for amateurs
• Not many professionals as yet