MASON ECE 646 - Project AS-2 COMPARISON OF PROTOCOLS


ECE 646 Project AS-2

COMPARISON OF PROTOCOLS FOR SECURE WWW, SSL AND WTLS, ANALYSIS OF THEIR EXISTING IMPLEMENTATIONS

By: Ashwini Koppula & Kiranmayi Kadambari

CONTENTS

1. Introduction
2. SSL (Secure Sockets Layer)
   Security services provided by SSL
   Ciphers used with SSL
   Export restrictions on SSL
   Servers supporting SSL
   Browsers supporting SSL
   Attacks on SSL
   SSL accelerators
   Implementations of SSL
3. Demand for Mobility
4. WTLS (Wireless Transport Layer Security)
   Why use WTLS when we have SSL
   WAP GAP
   WTLS accelerators
   Implementations of WTLS
   Vulnerabilities in WTLS
5. Comparisons
   Wired compared with wireless
   Wired versus wireless security
   Comparing SSL and WTLS
   Popularity of protocols
6. Conclusions
7. References

INTRODUCTION

This is an analytical project on “Comparison of Protocols for secure WWW, SSL and WTLS and analysis of existing implementations”. This document gives an understanding of the two protocols and how they differ from one another.

With the growth of the Internet and digital data transmission, many applications need to securely transmit data to remote applications and computers. SSL was designed to solve this problem in an open standard. SSL is analogous to a secure "telephone call" between two computers on any network, including the Internet. In SSL, a connection is made, the parties are authenticated, and data is securely exchanged. The latest enhancement of SSL is called Transport Layer Security (TLS).

Wireless applications are also increasing in popularity, as more people want to carry on business as usual on the golf course or by the pool. The biggest advantage of wireless technology is, of course, the mobility it affords the end user. This is quite useful for people who are constantly on the move, or at locations where it is not practical to run cable. It's also a great time saver to receive critical information without having to call in to a home office.
The point to remember, though, is that it's not always practical or advisable for more complex applications. Hence there is a need for security for wireless devices as well. Wireless Transport Layer Security (WTLS), the security layer in WAP (Wireless Application Protocol), has been designed to provide security in the Wireless Application Environment. WAP is an open, industry-established global standard that empowers mobile users with wireless devices to easily access and interact with the information available on the Internet.

SECURE SOCKETS LAYER (SSL)

The Secure Sockets Layer (SSL) is an open, nonproprietary protocol, developed by Netscape to provide security during sensitive communications. It is accepted as the Web standard for authenticated and encrypted client-server communication and is typically used between browsers and servers. It layers on top of any reliable transport protocol such as TCP/IP and can run under application protocols such as HTTP, FTP, LDAP and Telnet. It is secure, fast and easily adapted to other Web protocols. The figure shown below (Fig. 1) gives us a picture of the SSL Protocol Stack.

[Fig. 1: SSL runs above TCP/IP and below high-level application protocols. Layers shown, top to bottom: Application Layer (HTTP, LDAP, IMAP); Secure Sockets Layer; Network Layer (TCP/IP layer).]

SSL Timeline

July 1994 – SSL Initial Protocol Design version 1.0
October 1994 – Initial SSL RFC publication
December 1994 – SSL version 2.0 First Product Ships
Throughout 1994 – SSL Numerous Implementations
February 1995 – SSL RFC accepted after five revisions
November 1995 – SSL Version 3.0 Ships
January 1999 – RFC for TLS version 1

One point to be noted is that although SSL version 3 and TLS version 1 are extremely similar, they do not interoperate, although TLS version 1 does incorporate a mechanism by which a TLS implementation can back down to SSL 3.0.

The four "cornerstones" of a PKI are confidentiality, authentication, integrity and non-repudiation.
SSL provides three of these in the form of encrypted connections, server authentication, and message integrity. SSL 1.0 does not support authentication; it only supports encryption and message integrity. SSL 2.0 supports server authentication only, while SSL 3.0 supports both client and server authentication.

Security services provided by SSL

SSL sets out to meet the following criteria, which would make it acceptable for use in the transmission of even the most sensitive of transactions. The application can choose to utilize all or only a fraction of these criteria, depending on the type and nature of the transactions it will be processing.

• Privacy
Let's say that a message is to be coded for transmission from A to B. A uses B's public key to encrypt the message. In this way B will be the only person who can decode and read this message, using his private key. We cannot, however, be sure that A is the person he claims to be.

• Authenticity
In order to guarantee authenticity, a slightly more complex coding system is required. In this case A's message to B is first encrypted with A's private key and then with B's public key. B now has to decrypt it first with his private key and then with A's public key. Now B can be sure that A is who he claims to be, as no one else could create a message encrypted with his private key. SSL achieves this with the use of certificates (usually conforming to an X.509 standard). A certificate is issued by a third party, usually a certificate issuing authority, and includes, in addition to the public key of the certified party, information that can be used to check the validity of the same certificate. Such information can, for example, include a time stamp.

• Integrity
In SSL, integrity is guaranteed by using a MAC (Message Authentication Code) with the necessary hash table functions. On generation of a message the MAC is obtained by applying the hash table functions and it is encoded into the message.
After the message has been received, its validity can then be checked by comparing the MAC with the result obtained by reversing the hash functions. This would prevent messages that have been altered by a third party from slipping through unnoticed.

• Nonrepudiation
The security of a transaction is dependent on its encryption key. Should this key fall into the wrong hands then the perpetrator can easily
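
Returning to the integrity service described above, an added example (not part of the original report): the SSL 3.0 record MAC as laid out in the SSL 3.0 specification (RFC 6101), with the receiver recomputing the MAC over the received data and comparing it with the one that was sent. The secret, the record contents and the helper names are constructed for illustration, and record encryption is omitted.

```python
import hashlib
import hmac
import struct

# Pad lengths from the SSL 3.0 specification: 48 bytes for MD5, 40 for SHA-1.
PAD_LEN = {"md5": 48, "sha1": 40}
APPLICATION_DATA = 23  # record content type for application data


def ssl3_mac(hash_name, mac_secret, seq_num, content_type, fragment):
    """hash(secret + pad_2 + hash(secret + pad_1 + seq + type + length + data))."""
    pad_1 = b"\x36" * PAD_LEN[hash_name]
    pad_2 = b"\x5c" * PAD_LEN[hash_name]
    # 64-bit sequence number, 1-byte type, 2-byte length, all big-endian.
    header = struct.pack(">QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, mac_secret + pad_1 + header + fragment).digest()
    return hashlib.new(hash_name, mac_secret + pad_2 + inner).digest()


def protect(hash_name, mac_secret, seq_num, fragment):
    """Sender side (hypothetical helper): append the MAC to the fragment."""
    return fragment + ssl3_mac(hash_name, mac_secret, seq_num, APPLICATION_DATA, fragment)


def verify(hash_name, mac_secret, seq_num, record):
    """Receiver side: recompute the MAC and compare in constant time.

    Returns the fragment when the MAC matches, otherwise None.
    """
    mac_len = hashlib.new(hash_name).digest_size
    if len(record) < mac_len:
        return None
    fragment, received = record[:-mac_len], record[-mac_len:]
    expected = ssl3_mac(hash_name, mac_secret, seq_num, APPLICATION_DATA, fragment)
    return fragment if hmac.compare_digest(expected, received) else None


def demo():
    """Constructed sample record: intact, altered in transit, and replayed."""
    secret = b"constructed-mac-write-secret"  # sample value, not a real key
    record = protect("sha1", secret, 0, b"amount=100&to=alice")
    tampered = record.replace(b"100", b"900")
    return {
        "intact": verify("sha1", secret, 0, record),
        "tampered": verify("sha1", secret, 0, tampered),
        "replayed_as_seq_1": verify("sha1", secret, 1, record),
    }
```

Because the sequence number is part of the MAC input, a record that is replayed or reordered fails the check just as an altered one does.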

