1 / 21

SSL

SSL. İdris Yıldız Mehmet Bilgin. 05.04.2006. Outline. Public-Key Cryptography SSL SSL Security How to Make Your Application SSL Enabled Limitations of SSL Conclusion. Public-Key Cryptography. Conventional Cryptography There is only one key both for encryption and decryption

trinh
Télécharger la présentation

SSL

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SSL İdris Yıldız Mehmet Bilgin 05.04.2006

  2. Outline • Public-Key Cryptography • SSL • SSL Security • How to Make Your Application SSL Enabled • Limitations of SSL • Conclusion

  3. Public-Key Cryptography • Conventional Cryptography • There is only one key both for encryption and decryption • The key must be known to both the sender and receiver and the key must be secret • The key should be changed frequently • Public-key Cryptography • A pair of keys • One is used for encryption (private key) and the other is used for decryption

  4. Encryption Sending a message using asymmetric keys • Bob sends public key to Alice • Alice encrypts message using Bob’s public key • Alice sends encrypted message • Bob decrypts message using his own private key Alice Bob Kpub 1) 2) Y = eKpub(X) Y 3) 4) X = dKpr(Y)

  5. Digital Signature • Bob encrypts the message with his private key • Send encrypted message • Alice decrypts message with Bob’s public key Message is readable by ANYONE with Bob’s public key Receiver can be confident that only someone with Bob’s private key could have sent the message Alice Bob 1) Y = eKpr(X) Y 2) 3) X = dKpub(Y)

  6. Drawbacks of public-key encryption • It is slow • RSA is 1000 times slower than some conventional encryption algorithms • Man-in-the-middle attack Alice Attacker Bob KPubA KPubB 1) 2) Y = eKPubA(X) Y 3) X = dKPrA(Y) Z = eKPubB(X) 4) Z 5) X = dKPrB(Z)

  7. SSL • Based on public key encryption • 2 phases • Handshake • Data Transfer • Runs above TCP/IP and below higher-level protocols

  8. SSL Handshake Protocol • The client sends a message to the server that contains a list of the algorithms it is willing to use • The server chooses a algorithm out of the list and sends it back along with a certificate that containing the server’s public key • The client verifies the server’s certificate and extracts the server’s public key. Then generates a random key and encrypts it with the server’s public key. It sends this encrypted key to the user • The server takes the message and decrypts it with his private key • At last both the client and the server send a MAC message to each other to finish this handshake part

  9. Authentication of a Server Certificate

  10. X.509 Certificate • The certificate contains: • Your distinguished name • Your public key • The identity of the CA who issued the certificate • Its expiry date • Digital signature of the CA which issued it

  11. SSL Security • No good attacks are known on SSL • There are some attacks explained in the papers • Not have been used against production servers • It is not known that they are practical

  12. Timing Cryptanalysis • Publicized by Paul Kocher in 1996 • Based on the observation that cryptographic operations take varying amount of time to complete depending on the keys that are being used • To overcome • add some random time to all operations • make all operations take constant time

  13. Million Message Attack • Publicized by Daniel Bleichenbacherin 1998 • By sending a series of chosen ciphertexts to the server and observing the responsesan attacker to get the session key • To overcome • make some small modification on the SSL protocol

  14. How to Make Your Web Application SSL(Https) Enabled ? • The Advantages of SSL for applications • Generating Certificates with Java • Configuring SSL in Tomcat • Configuring SSL in OC4J (Oracle Containers for Java)

  15. The Advantages of SSL for applications • SSL with a certificate will provide the followings to your application: • The website (also customer) really is who it claims to be • Credit card numbers, are encrypted and cannot be intercepted • Data sent and received cannot betampered or forged

  16. Generating Certificates with Java • A keystore(java.security.KeyStore) stores certificates • An instance of java.security.KeyStore class • Stores certificates of all trusted parties • Authenticate parties by certificates in keystore • Create and manipulate a keystore using the keytool utility that is provided with the Sun Microsystems JDK • keytool is in jdk_home/bin directory like javac • keytool -genkey -keyalg "RSA" -keystore “mykeys.store”-storepass “mypass” -validity 365 • “RSA” is the key generation algorithm • “mykeys.store” file is your certificate store • “mypass” is your secret key

  17. Entering Certificate Info • Keytool will request certificate information after the creation command:

  18. Configuring SSL in Tomcat • Providing SSL support is the job of Servers it is not related to the the application itself. • Application servers handles the https requests done to the applications • A cerftificate is needed (Assume we have created one, in mykeys.store) • Copy the “mykeys.store” file toCATALINA_HOME/conf • Define a SSLConnector on a port (Default port 443 requires to be super user) • Add the following to CATALINA_HOME/conf/server.xml • <Connector port="8443"       scheme="https" secure="true"      clientAuth="false" sslProtocol="TLS"       keystoreFile="/conf/ mykeys.store"keypass=“mypass"/>

  19. Configuring SSL in OC4J (Oracle Containers for Java) • The information will be valid for Standalone OC4J rather than Oracle Application Server • We will use the same key store for Tomcat and it should be copied to appropriate place • Create secure-web-site.xml • Copy http-web-site.xml and rename to secure-web-site.xml • Set protocol to https by setting secure element to true also specify the https port (4443) • State the keystore that will be used : <ssl-config keystore="mykeys.store" keystore-password=“mypass"/> • Change server.xml and add the following to see your https settings : <web-site path="./secure-web-site.xml" />

  20. Limitations of SSL • Although SSL is widely it has some limitations • SSL is designed to provide point-to-point security • Incase of multiple intermediary nodes exist between the two endpoints, point-to-point security fails and end-to-end security is required • Web Service Scenario: SOAP messages route through multiple intermediary nodes, those intermediary nodes will not be able to participate to operations • SSL encryption is at the transport level rather than at the application. • Messages are encrypted only during transmission over network • Other security mechanisms are required to handle security of the messages in an application or disk • XML-based security schemas are being developed to eleminate the limitations of SSL

  21. Questions? • THANKS A LOT !

More Related