Information Protection and Authentication

To make an environment secure, you must be sure that any communication is with "trusted" sites whose identity you can be sure of. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy and message authentication codes for message integrity. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP). This presentation will provide an overview of the history/development of the protocol, applications that are used, the security measures including overview of TLS handshakes, implementations, and recent security issues with the protocol.

SSL can provide powerful security when configured correctly, but errors and laziness are frighteningly common. Thanks to a project of the EFF (Electronic Frontier Foundation) we can see which errors are most common. They scanned the Internet for SSL certificates and examined them. Many servers use weak or broken keys. Many had invalid signatures from certificate authorities. Some signed invalid host names. Quite a few were expired. Errors such as these could mean weakened protection for your site and your users. They could cause errors on the user end and engender distrust. Learn from these examples how to do SSL right.

Identification and Authentication (I&A) methods and activities have dramatically expanded over the past 5 years, after being relatively the same for the previous 15 years. We examine the basics of I&A and see what is new in the field in this talk.