The SSL and TLS protocols are critical to online security and performance. This session discusses how the SSL and TLS protocols work and how they are integrated with many AWS services such as Amazon CloudFront, Elastic Load Balancing, and Amazon S3. Learn how technologies such as Perfect Forward Secrecy and HSTS can be used to protect end-user data, and why browsers and servers are now removing support for version 3 of the SSL protocol, SHA-1 signatures and some encryption algorithms such as RC4. By the end of the session you'll be able to understand each of these technologies and how to adapt to the changing security landscape.
13. 2Use public/private
keys to authenticate
and to establish a
shared secret
3Use the shared
secret to encrypt
and decrypt data
1Say hello and agree
on the algorithms to
use
18. Client protocol version, client time, 28 bytes of randomly generated data,
Client choice of Cipher Suites (in order of preference)
Server Name Indicator field
Cached Session ID / Cached Session Ticket
Client
Hello
Server
Hello
Server
Cert
Server
Key
Client
Key
Client
Finished
Server
Finished
App
Data
App
Data
21. Protocol version to use, server time, 28 bytes of randomly generated data,
The Cipher Suite to use
Session ID / Session Ticket
Client
Hello
Server
Hello
Server
Cert
Server
Key
Client
Key
Client
Finished
Server
Finished
App
Data
App
Data
28. O C S P
Client
Hello
Server
Hello
Server
Cert
Server
Key
Client
Key
Client
Finished
Server
Finished
App
Data
App
Data
29. Used for Perfect Forward Secrecy
A Diffie-Hellman public parameter is generated and sent to the client
Client
Hello
Server
Hello
Server
Cert
Server
Key
Client
Key
Client
Finished
Server
Finished
App
Data
App
Data
30. Perfect forward secrecy version:
Client sends another Diffie-Hellman parameter, encrypted using the server’s
public key
Legacy version:
Client sends a secret, encrypted using the server’s public key
Client
Hello
Server
Hello
Server
Cert
Server
Key
Client
Key
Client
Finished
Server
Finished
App
Data
App
Data
31. We’re finished and ready to send encrypted data.
There’s also a “Change cipher suite” message to initiate encryption.
Client
Hello
Server
Hello
Server
Cert
Server
Key
Client
Key
Client
Finished
Server
Finished
App
Data
App
Data
32. GET / HTTP/1.1
Host: aws.amazon.com
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Client
Hello
Server
Hello
Server
Cert
Server
Key
Client
Key
Client
Finished
Server
Finished
App
Data
App
Data