
I am taking a course on security next month. As the concepts of SSL/TLS are a bit hard, I am looking for a nice way of presenting it to my students. They are CompSci undergrads.

It would be nice to have a real-life example of how it works. I think people here could help me with this.

user2315

3 Answers

SSL is a very cool protocol. Refined, very secure, and it's no accident that it's so widely used.

I liked reading The First Few Milliseconds of an HTTPS connection, and I recommend it to others. The best part is that you can follow along with wireshark and a browser.

On a side note, I can't believe the OpenSSL library is now 1.0.0! I thought that would never happen. The latest version introduced negotiation for SPDY (which is exciting even if it's only currently used by Chrome when connecting to Gmail XD). Check out chrome://net-internals/#spdy in Chrome.

rook

To introduce the topic, I would start off with these points:

  • SSL/TLS usage patterns: how it's used to secure other protocols (e.g. HTTP -> HTTPS, SMTP -> SMTPS or SMTP+STARTTLS). I find that the distinction between SSL and TLS is often misunderstood to be a distinction between SSL/TLS from the start vs. SSL/TLS after a STARTTLS-like command within the application protocol (thanks to a number of popular e-mail clients for promoting this confusion...). I would either start with SSL/TLS within the context of HTTPS or keep this for the very end. It's not the "hard" part of SSL/TLS, but it helps to know how they're used within the rest of the picture (the networking layers). This should put the discussion into context for students with a networking background who wouldn't necessarily know much about cryptography or security.

  • Some background on public key/asymmetric cryptography, as well as some background on shared key/symmetric cryptography. I'm not sure whether you'd want to go in the mathematical details, but it's good to know what the types of keys are, and what they're used for. (Usually, both are used during an SSL/TLS connection.)

Then, while going through an example of SSL/TLS handshake:

  • Authentication within SSL/TLS: why do we (tend to) rely on certificates when using SSL/TLS. This will almost inevitably lead you to explain a few points about X.509 certificates, PKIs and CAs. This topic is somewhat orthogonal to SSL/TLS, but the vast majority of SSL/TLS connections rely on it, and that's an essential component for securing the connection. I wouldn't necessarily expand too much on client certificate authentication, but that's at least useful for server certificates. (PKI failures tend to give SSL/TLS a bad name in the news.)

  • Diffie–Hellman key exchange.

  • Distinction between cipher suites. This can lead to heavier cryptography discussions. How far you want to go with this will depend on the time and background of your students.

  • Showing the other types of SSL/TLS records and the purpose of some alerts.

You can also talk about the differences between SSLv3, TLSv1.0, v1.1 and v1.2 a little. Too much on this could lead to very specific discussions, though.

From a practical point of view, you could try a few things:

  • Install a tool such as cURL and try to get an HTTPS page of your choice while monitoring the network traffic with Wireshark.
  • Make sure the version of cURL you get is as it comes by default, without a preconfigured set of CAs. cURL will complain it can't verify the server certificate without a bundle of trusted CA certificates: this will be a good opportunity to talk about authentication and explain what CAs are for. (Install some CA certs for the rest of the exercise.)
  • If you can, install your own test server and give students the private key (or do the demo yourself), to decipher the SSL/TLS encryption with Wireshark, using the server's private key. Make sure you disable Ephemeral Diffie-Hellman cipher suites (DHE/EDH) for this, otherwise it won't work.
  • Still using Wireshark, look at the behaviour of other clients. E-mail clients such as Thunderbird can be good for this. A number of SMTP servers (Gmail included now, I believe) are configured for SMTPS and SMTP+STARTTLS (same for IMAP). You can play with both modes and, if you go in Thunderbird's advanced configuration options, you can turn on/off certain versions of SSL/TLS and choose certain cipher suites. It can be interesting to look at how the negotiation differs.
  • Experimenting with openssl s_connect (perhaps in conjunction with s_server, but not necessarily) can lead to interesting practical exercises too.
Bruno
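The record types, cipher suites and alerts this answer suggests showing in class, as an added worked example that is not part of the original post: a small Python parser for the TLS record header, a ClientHello and an Alert message, run over byte strings constructed by hand to mirror the RFC 5246 layouts (not a real capture). The content-type, cipher-suite and alert codes are the registered ones from RFC 5246 and the IANA registry; the function and constant names are my own. The `uses_ephemeral_key_exchange` helper flags the DHE/ECDHE suites that the Wireshark-with-server-private-key demo above cannot decrypt, which is why the answer says to disable them for that exercise.

```python
"""Minimal parser for TLS record headers, ClientHello and Alert messages.

Added teaching example, not from the original post. The byte strings below
are constructed by hand following RFC 5246; they are not captured traffic.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
# A few IANA-registered cipher suite codes. The key-exchange part of the name
# decides whether a recorded session can later be decrypted with the server's
# RSA private key alone (only the plain TLS_RSA_* suites can).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}


def parse_record(data):
    """Split one TLS record into its 5-byte header (type, version, length) and payload."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    return {"content_type": CONTENT_TYPES.get(ctype, ctype),
            "version": VERSIONS.get((major, minor), (major, minor)),
            "payload": payload}


def parse_client_hello(body):
    """Parse a ClientHello body (RFC 5246 7.4.1.2); extensions are ignored."""
    major, minor = body[0], body[1]
    pos = 2 + 32                                    # skip the 32-byte client random
    sid_len = body[pos]; pos += 1 + sid_len         # skip session id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]; pos += 1
    return {"client_version": VERSIONS.get((major, minor), (major, minor)),
            "cipher_suites": [CIPHER_SUITES.get(s, hex(s)) for s in suites],
            "compression": list(body[pos:pos + comp_len])}


def parse_handshake(payload):
    """Handshake header: 1-byte type, 3-byte length, then the message body."""
    htype = payload[0]
    length = int.from_bytes(payload[1:4], "big")
    result = {"handshake_type": HANDSHAKE_TYPES.get(htype, htype)}
    if htype == 1:
        result.update(parse_client_hello(payload[4:4 + length]))
    return result


def parse_alert(payload):
    """Alert body: 1-byte level, 1-byte description."""
    return {"level": ALERT_LEVELS.get(payload[0], payload[0]),
            "description": ALERT_DESCRIPTIONS.get(payload[1], payload[1])}


def describe(record_bytes):
    """Dispatch on content type and return a flat, human-readable summary."""
    rec = parse_record(record_bytes)
    if rec["content_type"] == "handshake":
        rec.update(parse_handshake(rec["payload"]))
    elif rec["content_type"] == "alert":
        rec.update(parse_alert(rec["payload"]))
    del rec["payload"]
    return rec


def uses_ephemeral_key_exchange(suite_name):
    """True for DHE/ECDHE suites: the premaster secret never crosses the wire
    encrypted to the server's RSA key, so that key alone cannot decrypt them."""
    return "_DHE_" in suite_name or "_ECDHE_" in suite_name


def build_client_hello(suites, version=(3, 3)):
    """Construct a ClientHello record with a fixed random and no extensions (sample input)."""
    body = bytes(version) + b"\x11" * 32 + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                     # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer says TLSv1.0


CLIENT_HELLO = build_client_hello([0xC02F, 0x0033, 0x002F])
# Constructed fatal unknown_ca alert: what a client emits when no trusted CA matches the chain.
UNKNOWN_CA_ALERT = b"\x15\x03\x03\x00\x02\x02\x30"

if __name__ == "__main__":
    for rec in (CLIENT_HELLO, UNKNOWN_CA_ALERT):
        print(describe(rec))
```

Feeding the output of `describe` next to the Wireshark dissection of a real ClientHello lets students check the two against each other field by field; the unknown_ca alert is the same one they will see when cURL is run without a CA bundle, so the alert table gives the authentication discussion a concrete anchor.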

As a student I had problems understanding SSL. These helped me understand:

Videos:

  1. SSL explained
  2. What is HTTPS?

Read:

  1. All the answers of How is it possible that people observing an HTTPS connection being established wouldn't know how to decrypt it?
  2. Then read The First Few Milliseconds of an HTTPS connection, which explains how the packets of HTTPS look on the wire using Wireshark (a popular packet sniffer). Also, if possible, demonstrate this in your class.
  3. Now read all the questions with the SSL tag voted above 10 on this site and try to incorporate them into your teaching. (Maybe as an FAQ, as a discussion, or as part of the lecture itself.)
claws