SBClient SSL. Ehab AbuShmais

Transcription

1 SBClient SSL Ehab AbuShmais

2 Agenda SSL Background U2 SSL Support SBClient SSL 2

3 What Is SSL SSL (Secure Sockets Layer) Provides a secured channel between two communication endpoints Addresses all three security goals Used to secure many internet protocols: HTTP/SMTP/telnet/FTP etc. TLS (Transport Layer Security) IETF standard, improvement on SSLv3 Currently v1 SSL vs. SSH (Secured Shell) Services vs. complexity Authentication: certificate mandated in SSL, optional in SSH U2 is standardized on SSL 3

4 What Is SSL SSL is a protocol layer between a reliable connection-oriented network layer (e.g TCP/IP) and the application protocol layer (e.g. HTTP). Cryptographic technology used by SSL - Encryption for confidentiality - Public Key Cryptography for key establishment - Digital Digests for message integrity - Certificates for mutual authentication 4

5 How SSL works (Handshake) Client Server (1) Hello server! This is Alice

6 How SSL works (Handshake cont.) Client Server (1) Hello server! This is Alice I am Bob,authenticate me (2) 6

7 How SSL works (Handshake cont.) Client Server (1) Hello server! This is Alice I am Bob,authenticate me (2) (3) material for session key preference for cipher suite I am done with handshake

8 How SSL works (Handshake cont.) Client Server (1) Hello server! This is Alice I am Bob,authenticate me (2) (3) material for session key preference for cipher suite I am done with handshake agree on cipher suite/key (4) I am done as well

9 How SSL works (data transfer) Client Server (1) Hello server! This is Alice I am Bob,authenticate me (2) (3) material for session key preference for cipher suite I am done with handshake agree on cipher suite/key (4) I am done as well (5) Secure data transfer (5) 9

10 How SSL works summary Adapted from: Network Security with OpenSSL by John Viega at al. 10

11 Encryption Purpose Provide confidentiality Encryption A process to convert plaintext into cipher text using an algorithm with a key Decryption Convert cipher text back to plaintext Symmetric vs. Asymmetric Encryption Symmetric Algorithm: DES, AES, RC5 etc. Asymmetric Algorithm: RSA, DSA 11

12 Message Digest A cryptographic hash function that Takes an arbitrary length messages as input and Outputs a fixed length string that is characteristic of the original message Irreversibility: impossible to compute original message from its digest Non-collision: no two different messages produce same digest Main Usage digital signature and Message Authentication Code (MAC) Standard algorithms SHA1: 160-bit digest (considered more secure, recommended) MD5: 128-bit digest (more widely used) 12

13 Digital Signature What is a certificate? A block of data that bundles an entity s name with its public key, and Signed by Certificate Authority (CA) Why certificates are needed? Guarantee the public key belongs to the indicated owner A means of public key distribution Protect against man-in-the-middle attack 13

14 Digital Certificates: X.509 X.509 is a primary standard defined by RFC 2459 X.509 certificate contents (some optional) Version/Serial Number Signature algorithm Issuer (signer) Validation period (from to ) Subject (entity, owner of public key) Subject s public key Signature (over the whole data) Other extensions Issuer/Subject are described by Distinguished Names C=US ST=Colorado L=Denver O=MyCom OU=Support [email protected] 14

15 Certificate Authorities (CA) What s a CA? A trusted third-party to vouch for the authenticity of a certificate CA s private key is used to sign each certificate CA s public key is published (in yet another certificate) and should be widely available CAs can form a hierarchy CRL (Certificate Revocation List) PKI (Public Key Infrastructure) 15

16 Certificate Generation Self-signing vs. CA-signing Certificate Authority (CA): trusted entity to sign certs Self-sign: needs own private key CA-sign: needs CA-cert and CA s private key X.509 Extensions (X.509 v3 certificates) Only for CA-signed certs. Self-signed cert always v1. SubjectAltName: to identify cert owner KeyUsage: to restrict cert usage BasicConstraints: to id if it s a CA cert SubjectKeyID: to facilitate cert verification AuthorityKeyID: to facilitate cert verification 16

17 Security Context Record (SCR) Used by U2 secured client/telnet as well A structure holding all U2 SSL related properties SSL/TLS version Sender s Private key and certificate ( self-certificate ) Preferred ciphers suites CA certificates CRL Client authentication flag (for server use) Certificate verification depth Authentication rules Authentication strength Trusted peer names Cert path Random seed file path 17

18 Security Context Record (SCR) Use wizard to create/view/modify SCRs Encrypted and stored in SCR database under %UVHOME% or %UDTHOME% UV: &SECUCTX& UD: _SECUCTX_ Dynamic file, each record is encrypted and protected by a user-supplied pass phrase In-sync with accompanying binary file.bscrfile Copy both hashed and binary file to deploy Server vs. Client SCR Server SCR must have self-cert/private key Server SCR may enable client authentication Client SCR must have CA-cert(s) 18

19 SSL Configuration Through UniAdmin First available in UD 6.0 Improved in UV 10.1/UD 6.1 Wizard-based Tasks performed: Public key-pair generation Certificate Request creation Certificate generation Security Context Record manipulation Secured Telnet/UOJ/JDBC configuration 19

20 SBClient SSL SSL support in SBClient is created by U2 engineers, and based on the OpenSSL libraries. The same functionality will be used by all U2 clients with the benefits of a common interface and easier debugging of any issues. The following U2 database releases support SSL and are the minimum recommendation: UniVerse 10.1 and later UniData 6.1 and later 20

21 SBClient SSL Property List An SSL property list defines the characteristics and behaviors of a secure connection. Use the Configure SSL Property List dialog box to create a new SSL property list or access an existing SSL property list. To create or access an SSL property list, enter information to identify the property list as detailed on the next slide: 21

22 SBClient SSL To access this dialog box from the main menu, choose Setup > Configure SSL Property List. 22

23 SBClient SSL This box allows you to create a new list or access an existing list. For a new SSL property list, enter a unique name for the list. For an existing SSL property list, select the list name. Password is Optional. Enter the password for the new or existing SSL property list. Otherwise, if the SSL property list does not have a password, leave this box blank. 23

24 SBClient SSL OK to close the dialog box. Edit to create or edit an SSL property list. Delete to delete the selected SSL property list. A dialog box appears, confirming that you want to delete the SSL property list. To cancel deletion of the list, click No. Otherwise, to confirm deletion of the list, click Yes. If you are creating a new list, a message dialog box states that the new list has been created. Note: that the list is not stored until you enter properties and save it. 24

25 SBClient SSL 25

26 SBClient SSL SSL Version SBClient supports two versions of Secure Sockets Layer: SSL version 3 and TLS version 1. Select the version of the protocol to be used for this secure connection: SSLv3 - This is the default setting. It is the most widely used protocol. TLSv1 - This is the newer protocol. Most new applications support, but some older applications may not. 26

27 SBClient SSL Certificate Store Type: The type of certificate stores to be used for all certificates issued for this secure connection: U2 This is the default setting. Use this setting if all certificates that apply to this secure connection are PEM or DER format OS-level files. Windows All certificates for this connection are looked up from the native Windows certificate store. Generally a CA Certificate is looked up from Windows CA and ROOT stores, while My Certificate is looked up from MY stores. In Microsoft s terminology, these certificate stores are system stores: a collection of physical certificate stores that reside in the Windows Registry. SBClient looks up these stores from both of the following Registry locations: CERT_SYSTEM_STORE_CURRENT_USER CERT_SYSTEM_STORE_LOCAL_MACHINE 27

28 SBClient SSL CA Certificate If applicable, enter the path of the file to contain a Certificate Authority (CA) certificate for this secure connection. See specifics for the certificate store type: U2 certificate store type Specify the path of the certificate file that is used as a CA certificate. The format of the certificate can be either PEM or DER. With the U2 type, you can specify multiple certificate paths, separating each with a semicolon (;). If a CA certificate chain is required, you have the choice of specifying multiple certificate files, separating each with a semicolon (;), or for PEM-format certificates, concatenating the certificate files into one single file (using an OS-level editor or command line) and specifying the concatenated file. 28

29 SBClient SSL CA Certificate Windows certificate store type Specify the same "friendly name" or "Common name" that is used for the certificate in the certificate store. With the Windows type, specify only one certificate, generally the most immediate CA certificate (the one used directly to sign the certificate to which authentication is to be performed). A certificate chain is automatically established and used in an SSL session. Note that the above description is based on the assumption that a correct and complete trust relationship exists in the Windows certificate store for the certificate involved. If a complete chain cannot be formed, an error is reported. This also applies to other certificate-related properties. 29

30 SBClient SSL My Certificate Optional. Enter the path for your certificate for this secure connection. See specifics for the certificate store type: U2 certificate store type The format of the certificate can be either PEM or DER. Windows certificate store type Specify the same "friendly name" or "Common name" that is used for the certificate in the certificate store. 30

31 SBClient SSL My Private Key Applicable to U2 certificate store type only. Required if you entered a value in My Certificate. Enter the path for the file that contains the private key associated with My Certificate. The format of the key file can be either PEM or DER. When an SSL property list is created, the private key is loaded into memory and validated against its corresponding certificate (My Certificate). If it passes validation, the key is stored with the SSL property list. This validation feature is designed to enhance the security and protection of the user s private key. After the SSL property list has been created, you do not need to keep the private key file on your hard drive. You can store the key file safely on external media until you want to edit the SSL property list. 31

32 SBClient SSL Private Key Password Applicable to U2 certificate store type only. Enter the password for the private key file. Certificate Revocation List Optional. Enter the path of a certificate revocation list (CRL) to be used for this secure connection. You can specify multiple CRL paths, separating each with a semicolon (;). The CRL is a special certificate published by the certificate authority (CA), containing the serial numbers of certificates that the CA has revoked. If an incoming server certificate is specified, it is checked against the CRL to verify that the certificate has not been revoked before other verification is performed. 32

33 SBClient SSL Authentication Depth Enter the level at which to stop SBClient s verification process in authentication processing. The default setting is 5, which is a sufficient depth in most cases. If you set the depth for fewer levels of authentication than actually employed for the certificate, the certificate will not pass authentication. 33

34 SBClient SSL Authentication Strength Select the appropriate option for this secure connection: STRICT This is the default setting. Strict authentication requires that the following conditions be met: The incoming server certificate is a well-formed X.509 certificate. A valid CA certificate exists and verifies the incoming server certificate. Peer name checking (if specified) is performed. GENEROUS This authentication strength requires only that the incoming server certificate is a well-formed X.509 certificate. Note that generous authentication is not highly secure. We recommend using it in test environments only. 34

35 Trusted Peer Name SBClient SSL Enter the name of a trusted peer as detailed below. This property tells SBClient that additional checking must be performed in authenticating the incoming certificate. If you leave this box blank, the incoming certificate is considered valid when the CA certificate has verified it. However, if you specify a trusted peer name, a further check is performed to verify that the incoming certificate s SubjectAltName extension or CommonName subject field matches that of the trusted peer. 35

36 Trusted Peer Name SBClient SSL The trusted peer name can be either a fully specified name (such as [email protected]) or a wildcard name. Two wildcard characters are supported: % Match any character string _ Match one character For example, %@us.xyz.com matches both [email protected] and [email protected], while [email protected]@us.xyz.com only. You can enter the names of multiple trusted peers, separating each with a semicolon (;). 36

37 SBClient SSL Certificate Path Applicable to U2 certificate store type only. Optional. When you specify a certificate by the CA Certificate, My Certificate, or CRL property, the value for that property is registered internally. When the certificate is loaded into memory to establish an SSL connection, SBClient uses this registered path by default to retrieve the certificate. The Certificate Path property allows you to specify different locations in which to search the certificates. Note that this property applies to all certificates in the file. Enter one of the following values: 37

38 Certificate Path SBClient SSL DEFAULT Specifies the default behavior, as described on the pervious slide. RELATIVE SBClient looks for the certificate in the current directory under which the client process is running. 38

39 Certificate Path SBClient SSL ENV=[environment_variable] In this phrase, substitute the environment variable name. With this option, the value of the environment variable is used as the path in which to load the certificates. SBClient looks up the environment variable for a client process only the first time the process makes an SSL connection; the value of the environment variable is cached for later reference by that process. PATH=[path] In this phrase, substitute the path for loading certificates specified in this property list. This can be either an absolute path or a relative path. The default path is C:\IBM\UniDK\certs. With this path, the behavior is the same as that of the DEFAULT option. 39

40 SBClient SSL Cipher Suite Optional. Specify a suite of ciphers to be used in a specific order in the SSL handshake. If you make no entry, the default of all ciphers supported by the OpenSSL open source library applies. 40

41 SBClient SSL To access this dialog box: Select the session in the main window. From the main menu, choose Setup > Communication. In the Network Communication Setup dialog box, click Advanced. In the Telnet Advanced Configuration dialog box, click SSL Setup. 41

42 SBClient SSL Select the SSL property list to be used for the secure connection. Enter the password for the SSL property list. Otherwise, if the SSL property list does not have a password, leave this box blank. OK to assign the selected SSL property list to the secure connection. Cancel to close the dialog box without making changes. 42

43 SBClient SSL SSL telnet port is 992. If you are using a nonstandard port, type the port number instead of selecting a ssl_telnet protocol setting from the list. Note: The setup under Advanced must be cleared out if not intended for SSL session 43

44 Troubleshooting SSL Most problems with U2 SSL occur during initial connection. It is important to check both ends of a connection. The basic requirements for a successful connection between server and client using SSL and Telnet are: 1. A server computer with an SSL Telnet server process. 2. A server digital certificate. 3. A client computer with a U2 SSL client application. 4. A means of authenticating a server certificate by the client. 5. An optional client certificate. 44

45 Troubleshooting SSL Whenever there is a problem, turn on logging first SBClient logging Use prototollogging( x.log, ON,8) for UniBasic programs Turn on server debug flags (file/registry) for servers Common Problems Wrong SSL port Missing or incorrect setting in.unisecurity Ill-configured SCR Certs/cert path/peer name/ Wrong CA cert/chain Failed authentication due to invalid certificate 45

46 Troubleshooting SSL SBClient will produce client side log. There is also a server side log. Make sure to turn off logging when done as it will consume large amount of disk space. This check box enables a log to capture commands and data transferred in secure transactions. The log file is named SSL.LOG and is stored in the log directory. 46

47 SSL Resources SSL was first developed by Netscape The Internet Engineering Task Force maintain the specification for the TLS protocol VeriSign is a popular Certificate Authority and source of digital certificates. RSA Security developed some of the encryption technology used in SSL. OpenSSL: the Open Source toolkit for SSL/TLS. This is the basis for the U2 SSLcommunications In the Help and Support section, search for SSL, and Server Certificate. 47

48 SBClient SSL Ehab AbuShmais Thank You! 48