[SMO-SFO-ICO-PE-046-GU-

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "[SMO-SFO-ICO-PE-046-GU-"

Transcription

1 Presentation This module contains all the SSL definitions. See also the SSL Security Guidance Introduction The package SSL is a static library which implements an API to use the dynamic SSL library. It must be linked with the application. It is composed of two API header files ( <SSL_.h>, <X509_.h>) and a library "SSL _.lib" compiled with the three compilers (GCC, RVD and SDT) supported by the Telium SDK. The package provides all the services to monitor the SSL client facility : SSL connection (simple or double authentication). SSL configuration profile monitoring X509 certificate management //... Developers shall read the [SMO-SFO-ICO-PE-046-GU- EN_PackSSL_SecurityGuidance_UserGuide.pdf] which describes best practises for implementing SSL/TLS enabled applications, according to the requirements of the POS Terminal Security Program (PTS). Be careful, do not forget to load the dynamic SSL library (3620xxxx.LDF/SGN) in your terminal. Each function makes a reset with EXIT_DLL_SSL_NOT_INITIALIZED value if the dynamic SSL library is not loaded in the terminal. Certificates A certificate is a digitally signed statement from an entity certifying that information about an other entity are true. A certificate is an information set, signed by an issuer entity. The signature algorithms are based on asymmetric key cryptography (generally RSA). The issuer entity signs by enciphering the information set with its private key (known only by itself). The other entities can verified the signature by deciphering the information set with the public key of the issuer. SSL uses the certificate principle to operate the authentication of the entities (client and server). These certificates are coded according to the X509 standard. This standard defines what information can contain a certificate, and describes the data format how to write it down. All X.509 certificates contain the following data, in addition to the signature: Version: This identifies which version of the X509 standard is used to code the certificate. It affects mainly what information can be stored in the certificate. Serial Number: This identifies the certificate. It is given by the issuer entity. It serves to distinguish the certificate from the other ones issued by the same issuer entity. This information is used for example when the certificate is revoked ; in this case, its serial number is placed in a Certificate Revocation List (CRL). Signature Algorithm Identifier: This identifies the algorithm used by the issuer entity to sign the certificate. Issuer Name: The name of the issuer entity. Normally, it corresponds to a Certification Authority (CA). Using this certificate implies trusting the entity that issued the certificate.

2 Validity Period: A certificate is valid only for a limited period of time. This period is described by a start date and an end date. The validity period is the expected period that the entities can rely on the information of the certificate. This period is chosen by the issuer. It depends on the strength of the signature algorithm, or mainly the willing of issuer to sell its certificates. Subject Name: The name of the entity whose the certificate identifies. Subject Public Key Information: This is the public key of the subject entity. This information identifies also the cryptographic algorithm associated to the key. The names of the issuer entity and of the subject entity are coded according to the X500 standard. They are intended to be unique across the Internet. A X500 name is composed of fields, for example : "CN=EFT30, OU=DSEC, O=Ingenico France, C=FR" refer respectively to the subject's Common Name, Organisational Unit, Company and Country). There are two ways to generate a certificate: SSL 1. You can create one yourself using special tools (for example those provided with OpenSSL) 2. You can ask a Certification Authority (CA) to get one directly or generate a request (named CSR for Certification Signature Request) and ask the CA for its signature. SSL stands for Secure Socket Layer. The protocol's name is now officially TLS but SSL is still the better known name. SSL was designed to permit applications and servers to exchange sensitive information and prevent programs that could access the network traffic from reading the sensitive data. SSL uses the notion of client and server. Its operational scheme does not require the client and the server to share a secrete key. SSL uses asymmetric encryption algorithms to secure the transaction. These algorithms uses pair of keys (public and private). The public key is freely available and known for anybody. The private key is only known by the entity (the client or the server). These keys have to main properties : 1. Data encrypted by the public key can only decrypted by the private key. As the public is freely known, anybody can transfer secured data to the entity owner of the private key. 2. Data encrypted by the private key can be only decrypted by using the public key. This property is used for authentication. Only the entity owner of the private key is able to generate a message which can be decrypted with the public key. In the SSL scheme, the client contacts the server and sends the first SSL message. This message starts the SSL negotiation : an encryption algorithm is chosen and a secured key is generated to the current connection. After the success of this negotiation, the two entities can exchange secured data at will. The SSL negotiation (named SSL Handshake) involves an authentication process. At least, the server is authenticated by the client (case of simple authentication). The server can also request the client to be authenticated (case of mutual authentication). The SSL authentication scheme is based on the use of certificates.

3 Below is the description of the message sequence to operate the SSL handshake.

4 SSL Message Sequence Diagram

5 Profiles Management The SSL library defines the notion of profile. A profile is a data set which contains all the configuration useful to perform a connection SSL. The library allows to have several profiles. All the profiles are stored in a file in flash.

6 Profiles Management Illustration A profile is identified by a name. This name must be unique for all the profiles in the terminal. A profile contains the list of the enciphering algorithms supported, and the export mode mask. It contains also a list of CA certificates file names. And optionally, a key file name and a client certificate file name (case of mutual authentication). It contains also extra information about the last connection (result, IP address...). Capabilities The SSL library supports the following cipher suites : Cipher Suite Key Exchange Cipher Hash NULL_WITH_NULL_NULL NULL NULL NULL RSA_WITH_NULL_MD5 RSA NULL MD5 RSA_WITH_NULL_SHA RSA NULL SHA RSA_EXPORT_WITH_RC4_40_MD5 RSA_EXPORT RC4_40 MD5 RSA_WITH_RC4_128_MD5 RSA RC4_128 MD5 RSA_WITH_RC4_128_SHA RSA RC4_128 SHA RSA_EXPORT_WITH_RC2_CBC_40_MD5 RSA_EXPORT RC2_CBC_40 MD5 RSA_WITH_IDEA_CBC_SHA RSA IDEA_CBC SHA RSA_EXPORT_WITH_DES40_CBC_SHA RSA_EXPORT DES40_CBC SHA RSA_WITH_DES_CBC_SHA RSA DES_CBC SHA RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES_EDE_CB C SHA DH_DSS_EXPORT_WITH_DES40_CBC_SHA DH_DSS_EXPORT DES40_CBC SHA DH_DSS_WITH_DES_CBC_SHA DH_DSS DES_CBC SHA DH_DSS_WITH_3DES_EDE_CBC_SHA DH_DSS 3DES_EDE_CB C DH_RSA_EXPORT_WITH_DES40_CBC_SHA DH_RSA_EXPORT DES40_CBC DHE_DSS_EXPORT_WITH_DES40_CBC_SH A DHE_DSS_EXPOR T DES40_CBC SHA SHA SHA DHE_DSS_WITH_DES_CBC_SHA DHE_DSS DES_CBC SHA DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE_RSA_EXPORT_WITH_DES40_CBC_SH A DHE_DSS DHE_RSA_EXPOR T 3DES_EDE_CB C DES40_CBC SHA SHA DHE_RSA_WITH_DES_CBC_SHA DHE_RSA DES_CBC SHA DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA 3DES_EDE_CB C SHA DH_anon_EXPORT_WITH_RC4_40_MD5 DH_anon_EXPORT RC4_40 MD5 DH_anon_WITH_RC4_128_MD5 DH_anon RC4_128 MD5 DH_anon_EXPORT_WITH_DES40_CBC_SHA DH_anon DES40_CBC SHA DH_anon_WITH_DES_CBC_SHA DH_anon DES_CBC SHA DH_anon_WITH_3DES_EDE_CBC_SHA DH_anon 3DES_EDE_CB SHA

7 C RSA_WITH_AES_128_CBC_SHA RSA AES_128_CBC SHA DH_DSS_WITH_AES_128_CBC_SHA DH_DSS AES_128_CBC SHA DH_RSA_WITH_AES_128_CBC_SHA DH_RSA AES_128_CBC SHA DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS AES_128_CBC SHA DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA AES_128_CBC SHA DH_anon_WITH_AES_128_CBC_SHA DH_anon AES_128_CBC SHA RSA_WITH_AES_256_CBC_SHA RSA AES_256_CBC SHA DH_DSS_WITH_AES_256_CBC_SHA DH_DSS AES_256_CBC SHA DH_RSA_WITH_AES_256_CBC_SHA DH_RSA AES_256_CBC SHA DHE_DSS_WITH_AES_256_CBC_SHA DHE_DSS AES_256_CBC SHA DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA AES_256_CBC SHA DH_anon_WITH_AES_256_CBC_SHA DH_anon AES_256_CBC SHA The maximum size of RSA keys for a certificate verification is 4096 bits (public key). The maximum size for the RSA private keys is 2048 bits. The SHA-2 hash algorithm is supported but only for certificate verification. The SSL library does not support this algorithm in cipher suites. Presentation Error codes returned by SSL API functions. Defines #define SSL_EOK 0 No error. #define SSL_EAGAIN -6 Resource temporarily unavailable. #define SSL_EINVAL -26 Invalid Argument. #define SSL_ENOBUFS -39 Out of Resources. #define SSL_ENOENT -41 No such file or directory. #define SSL_ENOMEM -44 Cannot allocate memory. #define SSL_ENOTCONN -50 socket not connected #define SSL_ESSL -500

8 SSL error. #define SSL_EBADFORMAT -501 Define Documentation #define SSL_EOK 0 No error. #define SSL_EAGAIN -6 Resource temporarily unavailable. #define SSL_EINVAL -26 Invalid Argument. #define SSL_ENOBUFS -39 Out of Resources. #define SSL_ENOENT -41 No such file or directory. #define SSL_ENOMEM -44 Cannot allocate memory. #define SSL_ENOTCONN -50 socket not connected #define SSL_ESSL -500 SSL error. #define SSL_EBADFORMAT -501 bad certificate file or ca file format // RSA function error code #define SSL_RSA_EOK 0 /*!< No error*/ #define SSL_RSA_ENOK -1 /*!< RSA error*/ #define SSL_RSA_ENOKEY -2 /*!< Internal Rsa key not yet generated*/ #define SSL_RSA_EEXIST -3 /*!< File exist*/ // Profile function error code #define SSL_PROFILE_EOK 0 /*!< No error*/ #define SSL_PROFILE_EEXIST -1 /*!< Profile already exist*/ #define SSL_PROFILE_ENEXIST -2 /*!< Profile does not exist*/ #define SSL_PROFILE_ETOOMANY -3 /*!< Too many profile are loaded*/ #define SSL_PROFILE_ENOMEM -4 /*!< Allocation error*/ #define SSL_PROFILE_ELOADED -5 /*!< Profile already loaded*/ #define SSL_PROFILE_ENLOADED -6 /*!< Profile not loaded*/ #define SSL_PROFILE_ECAEXIST -7 /*!< ca already exist*/ #define SSL_PROFILE_ECANEXIST -8 /*!< ca does not exist in the profile*/ #define SSL_PROFILE_ECATOOMANY -9 /*!< Too many ca in the profile*/

9 #define SSL_PROFILE_EPARAM -10 /*!< A parameter is wrong*/ #define SSL_PROFILE_ENOCERT -11 /*!< There is no certificate*/ // Error code return by SSL_ProfileGetLastError function // SSL connection error code #define SSL_PROFILE_OK 0 /*!< SSL connection OK */ #define SSL_PROFILE_TCP_CONNECT_FAILED -1 /*!< TCP connection failed */ #define SSL_PROFILE_TCP_CONNECT_TIMEOUT -2 /*!< TCP connection timeout */ #define SSL_PROFILE_TCP_ADDR_NOT_AVAILABLE -3 /*!< TCP address is not reachable */ #define SSL_PROFILE_SSL_HANDSHAKE_FAILURE -4 /*!< SSL handshake failure */ #define SSL_PROFILE_DNS_FAILURE -5 /*!< DNS tranlation failure */ #define SSL_PROFILE_DOMAIN_NAME_FAILURE -6 /*!< Domain name check failure */ #define SSL_PROFILE_SSL_HANDSHAKE_TIMEOUT -7 /*!< SSL handshake timeout */ // Certificate verification error code #define SSL_PROFILE_UNABLE_TO_GET_ISSUER_CERT 2 /*! < Unable to get issuer */ #define SSL_PROFILE_UNABLE_TO_GET_CRL 3 /*!< Unable to get certificate revocation list */ #define SSL_PROFILE_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4 /*!< Unable to decrypt certificate signature */ #define SSL_PROFILE_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5 /*!< Unable to decrypt certificate revocation list signature */ #define SSL_PROFILE_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 /*!< Unable to decode issuer public key */ #define SSL_PROFILE_CERT_SIGNATURE_FAILURE 7 /*!< Certificate signature verification failure */ #define SSL_PROFILE_CRL_SIGNATURE_FAILURE 8 /*!< Certificate revocation list signature verification failure */ #define SSL_PROFILE_CERT_NOT_YET_VALID 9 /*!< Certificate is not yet valid */ #define SSL_PROFILE_CERT_HAS_EXPIRED 10 /*!< Certificate has expired */ #define SSL_PROFILE_CRL_NOT_YET_VALID 11 /*!< Certificate revocation list is not yet valid*/ #define SSL_PROFILE_CRL_HAS_EXPIRED 12 /*!< Certificate revocation list has expired */ #define SSL_PROFILE_ERROR_IN_CERT_NOT_BEFORE_FIELD 13 /*!< Error in a validity date of certificate */ #define SSL_PROFILE_ERROR_IN_CERT_NOT_AFTER_FIELD 14 /*!< Error in a validity date of certificate*/ #define SSL_PROFILE_ERROR_IN_CRL_LAST_UPDATE_FIELD 15 /*!< Error in a update date of certificate revocation list */ #define SSL_PROFILE_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16 /*!< Error in a update date of certificate revocation list */

10 #define SSL_PROFILE_OUT_OF_MEM 17 /*!< Out of memory */ #define SSL_PROFILE_DEPTH_ZERO_SELF_SIGNED_CERT 18 /*!< Certificate is self signed */ #define SSL_PROFILE_SELF_SIGNED_CERT_IN_CHAIN 19 /*!< Certificate is self signed */ #define SSL_PROFILE_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20 /*!< Unable to get issuer */ #define SSL_PROFILE_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21 /*!< Unable to verify leaf signature */ #define SSL_PROFILE_CERT_CHAIN_TOO_LONG 22 /*!< Certificate chain is too long */ #define SSL_PROFILE_CERT_REVOKED 23 /*!< Certificate is revoked */ #define SSL_PROFILE_INVALID_CA 24 /*!< Invalid CA */ #define SSL_PROFILE_PATH_LENGTH_EXCEEDED 25 /*!< Path length too long */ #define SSL_PROFILE_INVALID_PURPOSE 26 /*!< Invalid purpose of certificate */ #define SSL_PROFILE_CERT_UNTRUSTED 27 /*!< Untrusted certificate */ #define SSL_PROFILE_CERT_REJECTED 28 /*!< Rejected certificate */ #define SSL_PROFILE_SUBJECT_ISSUER_MISMATCH 29 /*!< Certificate subject mismatch */ #define SSL_PROFILE_AKID_SKID_MISMATCH 30 /*!< AKID SKID mismatch */ #define SSL_PROFILE_AKID_ISSUER_SERIAL_MISMATCH 31 /*!< AKID issuer serial mismatch*/ #define SSL_PROFILE_KEYUSAGE_NO_CERTSIGN 32 /*!< Invalid purpose of certificate */ #define SSL_PROFILE_UNABLE_TO_GET_CRL_ISSUER 33 /*!< Unable to get certificate revocation list issuer */ #define SSL_PROFILE_UNHANDLED_CRITICAL_EXTENSION 34 /*!< Unhandled critical extension */ #define SSL_PROFILE_KEYUSAGE_NO_CRL_SIGN 35 /*!< Issuer can't sign a certificate revocation list */ #define SSL_PROFILE_UNHANDLED_CRITICAL_CRL_EXTENSION 36 /*!< Unhandled critical extension in certificate revocation list */ /** \cond avoid dox documentation */ // SSL Handshake error code #define SSL_PROFILE_E_APP_DATA_IN_HANDSHAKE 100 #define SSL_PROFILE_E_BAD_ALERT_RECORD 101 #define SSL_PROFILE_E_BAD_AUTHENTICATION_TYPE 102 #define SSL_PROFILE_E_BAD_CHANGE_CIPHER_SPEC 103 #define SSL_PROFILE_E_BAD_CHECKSUM 104 #define SSL_PROFILE_E_BAD_HELLO_REQUEST 105

11 #define SSL_PROFILE_E_BAD_DATA_RETURNED_BY_CALLBACK 106 #define SSL_PROFILE_E_BAD_DECOMPRESSION 107 #define SSL_PROFILE_E_BAD_DH_G_LENGTH 108 #define SSL_PROFILE_E_BAD_DH_PUB_KEY_LENGTH 109 #define SSL_PROFILE_E_BAD_DH_P_LENGTH 110 #define SSL_PROFILE_E_BAD_DIGEST_LENGTH 111 #define SSL_PROFILE_E_BAD_DSA_SIGNATURE 112 #define SSL_PROFILE_E_BAD_MAC_DECODE 113 #define SSL_PROFILE_E_BAD_MESSAGE_TYPE 114 #define SSL_PROFILE_E_BAD_PACKET_LENGTH 115 #define SSL_PROFILE_E_BAD_PROTOCOL_VERSION_NUMBER 116 #define SSL_PROFILE_E_BAD_RESPONSE_ARGUMENT 117 #define SSL_PROFILE_E_BAD_RSA_DECRYPT 118 #define SSL_PROFILE_E_BAD_RSA_ENCRYPT 119 #define SSL_PROFILE_E_BAD_RSA_E_LENGTH 120 #define SSL_PROFILE_E_BAD_RSA_MODULUS_LENGTH 121 #define SSL_PROFILE_E_BAD_RSA_SIGNATURE 122 #define SSL_PROFILE_E_BAD_SIGNATURE 123 #define SSL_PROFILE_E_BAD_SSL_FILETYPE 124 #define SSL_PROFILE_E_BAD_SSL_SESSION_ID_LENGTH 125 #define SSL_PROFILE_E_BAD_STATE 126 #define SSL_PROFILE_E_BAD_WRITE_RETRY 127 #define SSL_PROFILE_E_BIO_NOT_SET 128 #define SSL_PROFILE_E_BLOCK_CIPHER_PAD_IS_WRONG 129 #define SSL_PROFILE_E_BN_LIB 130 #define SSL_PROFILE_E_CA_DN_LENGTH_MISMATCH 131 #define SSL_PROFILE_E_CA_DN_TOO_LONG 132 #define SSL_PROFILE_E_CCS_RECEIVED_EARLY 133 #define SSL_PROFILE_E_CERTIFICATE_VERIFY_FAILED 134 #define SSL_PROFILE_E_CERT_LENGTH_MISMATCH 135 #define SSL_PROFILE_E_CHALLENGE_IS_DIFFERENT 136 #define SSL_PROFILE_E_CIPHER_CODE_WRONG_LENGTH 137 #define SSL_PROFILE_E_CIPHER_OR_HASH_UNAVAILABLE 138 #define SSL_PROFILE_E_CIPHER_TABLE_SRC_ERROR 139 #define SSL_PROFILE_E_COMPRESSED_LENGTH_TOO_LONG 140 #define SSL_PROFILE_E_COMPRESSION_FAILURE 141 #define SSL_PROFILE_E_COMPRESSION_LIBRARY_ERROR 142 #define SSL_PROFILE_E_CONNECTION_ID_IS_DIFFERENT 143 #define SSL_PROFILE_E_CONNECTION_TYPE_NOT_SET 144

12 #define SSL_PROFILE_E_DATA_BETWEEN_CCS_AND_FINISHED 145 #define SSL_PROFILE_E_DATA_LENGTH_TOO_LONG 146 #define SSL_PROFILE_E_DECRYPTION_FAILED 147 #define SSL_PROFILE_E_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148 #define SSL_PROFILE_E_DIGEST_CHECK_FAILED 149 #define SSL_PROFILE_E_ENCRYPTED_LENGTH_TOO_LONG 150 #define SSL_PROFILE_E_ERROR_IN_RECEIVED_CIPHER_LIST 151 #define SSL_PROFILE_E_EXCESSIVE_MESSAGE_SIZE 152 #define SSL_PROFILE_E_EXTRA_DATA_IN_MESSAGE 153 #define SSL_PROFILE_E_GOT_A_FIN_BEFORE_A_CCS 154 #define SSL_PROFILE_E_HTTPS_PROXY_REQUEST 155 #define SSL_PROFILE_E_HTTP_REQUEST 156 #define SSL_PROFILE_E_INTERNAL_ERROR 157 #define SSL_PROFILE_E_INVALID_CHALLENGE_LENGTH 158 #define SSL_PROFILE_E_LENGTH_MISMATCH 159 #define SSL_PROFILE_E_LENGTH_TOO_SHORT 160 #define SSL_PROFILE_E_LIBRARY_HAS_NO_CIPHERS 161 #define SSL_PROFILE_E_MISSING_DH_DSA_CERT 162 #define SSL_PROFILE_E_MISSING_DH_KEY 163 #define SSL_PROFILE_E_MISSING_DH_RSA_CERT 164 #define SSL_PROFILE_E_MISSING_DSA_SIGNING_CERT 165 #define SSL_PROFILE_E_MISSING_EXPORT_TMP_DH_KEY 166 #define SSL_PROFILE_E_MISSING_EXPORT_TMP_RSA_KEY 167 #define SSL_PROFILE_E_MISSING_RSA_CERTIFICATE 168 #define SSL_PROFILE_E_MISSING_RSA_ENCRYPTING_CERT 169 #define SSL_PROFILE_E_MISSING_RSA_SIGNING_CERT 170 #define SSL_PROFILE_E_MISSING_TMP_DH_KEY 171 #define SSL_PROFILE_E_MISSING_TMP_RSA_KEY 172 #define SSL_PROFILE_E_MISSING_TMP_RSA_PKEY 173 #define SSL_PROFILE_E_MISSING_VERIFY_MESSAGE 174 #define SSL_PROFILE_E_NON_SSLV2_INITIAL_PACKET 175 #define SSL_PROFILE_E_NO_CERTIFICATES_RETURNED 176 #define SSL_PROFILE_E_NO_CERTIFICATE_ASSIGNED 177 #define SSL_PROFILE_E_NO_CERTIFICATE_RETURNED 178 #define SSL_PROFILE_E_NO_CERTIFICATE_SET 179 #define SSL_PROFILE_E_NO_CERTIFICATE_SPECIFIED 180 #define SSL_PROFILE_E_NO_CIPHERS_AVAILABLE 181 #define SSL_PROFILE_E_NO_CIPHERS_PASSED 182 #define SSL_PROFILE_E_NO_CIPHERS_SPECIFIED 183 #define SSL_PROFILE_E_NO_CIPHER_LIST 184 #define SSL_PROFILE_E_NO_CIPHER_MATCH 185 #define SSL_PROFILE_E_NO_CLIENT_CERT_RECEIVED 186 #define SSL_PROFILE_E_NO_COMPRESSION_SPECIFIED 187

13 #define SSL_PROFILE_E_NO_METHOD_SPECIFIED 188 #define SSL_PROFILE_E_NO_PRIVATEKEY 189 #define SSL_PROFILE_E_NO_PRIVATE_KEY_ASSIGNED 190 #define SSL_PROFILE_E_NO_PROTOCOLS_AVAILABLE 191 #define SSL_PROFILE_E_NO_PUBLICKEY 192 #define SSL_PROFILE_E_NO_SHARED_CIPHER 193 #define SSL_PROFILE_E_NO_VERIFY_CALLBACK 194 #define SSL_PROFILE_E_NULL_SSL_CTX 195 #define SSL_PROFILE_E_NULL_SSL_METHOD_PASSED 196 #define SSL_PROFILE_E_OLD_SESSION_CIPHER_NOT_RETURNED 197 #define SSL_PROFILE_E_PACKET_LENGTH_TOO_LONG 198 #define SSL_PROFILE_E_PEER_DID_NOT_RETURN_A_CERTIFICATE 199 #define SSL_PROFILE_E_PEER_ERROR 200 #define SSL_PROFILE_E_PEER_ERROR_CERTIFICATE 201 #define SSL_PROFILE_E_PEER_ERROR_NO_CERTIFICATE 202 #define SSL_PROFILE_E_PEER_ERROR_NO_CIPHER 203 #define SSL_PROFILE_E_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204 #define SSL_PROFILE_E_PRE_MAC_LENGTH_TOO_LONG 205 #define SSL_PROFILE_E_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206 #define SSL_PROFILE_E_PROTOCOL_IS_SHUTDOWN 207 #define SSL_PROFILE_E_PUBLIC_KEY_ENCRYPT_ERROR 208 #define SSL_PROFILE_E_PUBLIC_KEY_IS_NOT_RSA 209 #define SSL_PROFILE_E_PUBLIC_KEY_NOT_RSA 210 #define SSL_PROFILE_E_READ_BIO_NOT_SET 211 #define SSL_PROFILE_E_READ_WRONG_PACKET_TYPE 212 #define SSL_PROFILE_E_RECORD_LENGTH_MISMATCH 213 #define SSL_PROFILE_E_RECORD_TOO_LARGE 214 #define SSL_PROFILE_E_REQUIRED_CIPHER_MISSING 215 #define SSL_PROFILE_E_REUSE_CERT_LENGTH_NOT_ZERO 216 #define SSL_PROFILE_E_REUSE_CERT_TYPE_NOT_ZERO 217 #define SSL_PROFILE_E_REUSE_CIPHER_LIST_NOT_ZERO 218 #define SSL_PROFILE_E_SHORT_READ 219 #define SSL_PROFILE_E_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 #define SSL_PROFILE_E_SSL23_DOING_SESSION_ID_REUSE 221 #define SSL_PROFILE_E_SSL3_SESSION_ID_TOO_SHORT 222

14 #define SSL_PROFILE_E_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 223 #define SSL_PROFILE_E_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 224 #define SSL_PROFILE_E_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 225 #define SSL_PROFILE_E_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226 #define SSL_PROFILE_E_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 227 #define SSL_PROFILE_E_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228 #define SSL_PROFILE_E_SSL_HANDSHAKE_FAILURE 229 #define SSL_PROFILE_E_SSL_LIBRARY_HAS_NO_CIPHERS 230 #define SSL_PROFILE_E_SSL_SESSION_ID_IS_DIFFERENT 231 #define SSL_PROFILE_E_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 #define SSL_PROFILE_E_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 #define SSL_PROFILE_E_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 #define SSL_PROFILE_E_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 #define SSL_PROFILE_E_UNABLE_TO_DECODE_DH_CERTS 236 #define SSL_PROFILE_E_UNABLE_TO_EXTRACT_PUBLIC_KEY 237 #define SSL_PROFILE_E_UNABLE_TO_FIND_DH_PARAMETERS 238 #define SSL_PROFILE_E_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239 #define SSL_PROFILE_E_UNABLE_TO_FIND_SSL_METHOD 240 #define SSL_PROFILE_E_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241 #define SSL_PROFILE_E_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242 #define SSL_PROFILE_E_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 #define SSL_PROFILE_E_UNEXPECTED_MESSAGE 244 #define SSL_PROFILE_E_UNEXPECTED_RECORD 245 #define SSL_PROFILE_E_UNKNOWN_ALERT_TYPE 246 #define SSL_PROFILE_E_UNKNOWN_CERTIFICATE_TYPE 247 #define SSL_PROFILE_E_UNKNOWN_CIPHER_RETURNED 248 #define SSL_PROFILE_E_UNKNOWN_CIPHER_TYPE 249 #define SSL_PROFILE_E_UNKNOWN_KEY_EXCHANGE_TYPE 250 #define SSL_PROFILE_E_UNKNOWN_PKEY_TYPE 251 #define SSL_PROFILE_E_UNKNOWN_PROTOCOL 252

15 #define SSL_PROFILE_E_UNKNOWN_REMOTE_ERROR_TYPE 253 #define SSL_PROFILE_E_UNKNOWN_SSL_VERSION 254 #define SSL_PROFILE_E_UNKNOWN_STATE 255 #define SSL_PROFILE_E_UNSUPPORTED_CIPHER 256 #define SSL_PROFILE_E_UNSUPPORTED_COMPRESSION_ALGORITHM 257 #define SSL_PROFILE_E_UNSUPPORTED_PROTOCOL 258 #define SSL_PROFILE_E_UNSUPPORTED_SSL_VERSION 259 #define SSL_PROFILE_E_WRITE_BIO_NOT_SET 260 #define SSL_PROFILE_E_WRONG_CIPHER_RETURNED 261 #define SSL_PROFILE_E_WRONG_MESSAGE_TYPE 262 #define SSL_PROFILE_E_WRONG_NUMBER_OF_KEY_BITS 263 #define SSL_PROFILE_E_WRONG_SIGNATURE_LENGTH 264 #define SSL_PROFILE_E_WRONG_SIGNATURE_SIZE 265 #define SSL_PROFILE_E_WRONG_SSL_VERSION 266 #define SSL_PROFILE_E_WRONG_VERSION_NUMBER 267 #define SSL_PROFILE_E_X509_LIB 268 #define SSL_PROFILE_E_X509_VERIFICATION_SETUP_PROBLEMS 269 #define SSL_PROFILE_E_PATH_TOO_LONG 270 #define SSL_PROFILE_E_BAD_LENGTH 271 #define SSL_PROFILE_E_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272 #define SSL_PROFILE_E_SSL_SESSION_ID_CONTEXT_TOO_LONG 273 #define SSL_PROFILE_E_LIBRARY_BUG 274 #define SSL_PROFILE_E_UNINITIALIZED 276 #define SSL_PROFILE_E_SESSION_ID_CONTEXT_UNINITIALIZED 277 #define SSL_PROFILE_E_INVALID_PURPOSE 278 #define SSL_PROFILE_E_INVALID_TRUST 279 #define SSL_PROFILE_E_INVALID_COMMAND 280 #define SSL_PROFILE_E_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 #define SSL_PROFILE_E_SSLV3_ALERT_BAD_RECORD_MAC 1020 #define SSL_PROFILE_E_TLSV1_ALERT_DECRYPTION_FAILED 1021 #define SSL_PROFILE_E_TLSV1_ALERT_RECORD_OVERFLOW 1022 #define SSL_PROFILE_E_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030 #define SSL_PROFILE_E_SSLV3_ALERT_HANDSHAKE_FAILURE 1040 #define SSL_PROFILE_E_SSLV3_ALERT_NO_CERTIFICATE 1041 #define SSL_PROFILE_E_SSLV3_ALERT_BAD_CERTIFICATE 1042 #define SSL_PROFILE_E_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043 #define SSL_PROFILE_E_SSLV3_ALERT_CERTIFICATE_REVOKED 1044

16 #define SSL_PROFILE_E_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045 #define SSL_PROFILE_E_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046 #define SSL_PROFILE_E_SSLV3_ALERT_ILLEGAL_PARAMETER 1047 #define SSL_PROFILE_E_TLSV1_ALERT_UNKNOWN_CA 1048 #define SSL_PROFILE_E_TLSV1_ALERT_ACCESS_DENIED 1049 #define SSL_PROFILE_E_TLSV1_ALERT_DECODE_ERROR 1050 #define SSL_PROFILE_E_TLSV1_ALERT_DECRYPT_ERROR 1051 #define SSL_PROFILE_E_TLSV1_ALERT_EXPORT_RESTRICTION 1060 #define SSL_PROFILE_E_TLSV1_ALERT_PROTOCOL_VERSION 1070 #define SSL_PROFILE_E_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 #define SSL_PROFILE_E_TLSV1_ALERT_INTERNAL_ERROR 1080 #define SSL_PROFILE_E_TLSV1_ALERT_USER_CANCELLED 1090 #define SSL_PROFILE_E_UNSUPPORTED_OPTION 1091 #define SSL_PROFILE_E_ERROR_GENERATING_TMP_RSA_KEY 1092 #define SSL_PROFILE_E_RECORD_TOO_SMALL 1093 #define SSL_PROFILE_E_TLSV1_ALERT_NO_RENEGOTIATION 1100 #define SSL_PROFILE_E_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 1109 #define SSL_PROFILE_E_ILLEGAL_PADDING 1110 #define SSL_PROFILE_E_MESSAGE_TOO_LONG 1111 #define SSL_PROFILE_E_KEY_ARG_TOO_LONG 1112 #define SSL_PROFILE_E_SSL3_SESSION_ID_TOO_LONG 1113 #define SSL_PROFILE_E_SSL2_CONNECTION_ID_TOO_LONG 1114 /** \endcond */

17

Configuring SSL Termination

Configuring SSL Termination CHAPTER 4 This chapter describes the steps required to configure a CSS as a virtual SSL server for SSL termination. It contains the following major sections: Overview of SSL Termination Creating an SSL

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure

More information

Some solutions commonly used in order to guarantee a certain level of safety and security are:

Some solutions commonly used in order to guarantee a certain level of safety and security are: 1. SSL UNICAPT32 1.1 Introduction The following introduction contains large excerpts from the «TCP/IP Tutorial and Technical Overview IBM Redbook. Readers already familiar with SSL may directly go to section

More information

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Overview of CSS SSL. SSL Cryptography Overview CHAPTER CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers

More information

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Using etoken for SSL Web Authentication. SSL V3.0 Overview Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents

More information

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Certificate Management. PAN-OS Administrator s Guide. Version 7.0 Certificate Management PAN-OS Administrator s Guide Version 7.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Secure Sockets Layer (SSL) is an application-layer protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through

More information

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure

More information

SBClient SSL. Ehab AbuShmais

SBClient SSL. Ehab AbuShmais SBClient SSL Ehab AbuShmais Agenda SSL Background U2 SSL Support SBClient SSL 2 What Is SSL SSL (Secure Sockets Layer) Provides a secured channel between two communication endpoints Addresses all three

More information

Security Digital Certificate Manager

Security Digital Certificate Manager IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,

More information

Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) Public Key Infrastructure (PKI) In this video you will learn the quite a bit about Public Key Infrastructure and how it is used to authenticate clients and servers. The purpose of Public Key Infrastructure

More information

TLS and SRTP for Skype Connect. Technical Datasheet

TLS and SRTP for Skype Connect. Technical Datasheet TLS and SRTP for Skype Connect Technical Datasheet Copyright Skype Limited 2011 Introducing TLS and SRTP Protocols help protect enterprise communications Skype Connect now provides Transport Layer Security

More information

Savitribai Phule Pune University

Savitribai Phule Pune University Savitribai Phule Pune University Centre for Information and Network Security Course: Introduction to Cyber Security / Information Security Module : Pre-requisites in Information and Network Security Chapter

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

Internet Mail Client Control Library SSL Supplement

Internet Mail Client Control Library SSL Supplement Codestone Ltd Internet Mail Client Control Library SSL Supplement Codestone Ltd 2004 Page 1 / 22 Welcome to the Internet Mail Client Control Library SSL Supplement we hope you will find the library to

More information

SSL Protect your users, start with yourself

SSL Protect your users, start with yourself SSL Protect your users, start with yourself Kulsysmn 14 december 2006 Philip Brusten Overview Introduction Cryptographic algorithms Secure Socket Layer Certificate signing service

More information

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Network Layer: IPSec Transport Layer: SSL/TLS Chapter 4: Security on the Application Layer Chapter 5: Security

More information

Integrated SSL Scanning

Integrated SSL Scanning Software Version 9.0 Copyright Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included in this publication are the exclusive

More information

SSL/TLS: The Ugly Truth

SSL/TLS: The Ugly Truth SSL/TLS: The Ugly Truth Examining the flaws in SSL/TLS protocols, and the use of certificate authorities. Adrian Hayter CNS Hut 3 Team adrian.hayter@cnsuk.co.uk Contents Introduction to SSL/TLS Cryptography

More information

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213 Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213 UNCLASSIFIED Example http ://www. greatstuf f. com Wants credit card number ^ Look at lock on browser Use https

More information

Configuring Secure Socket Layer HTTP

Configuring Secure Socket Layer HTTP Finding Feature Information, page 1 Prerequisites for Configuring the Switch for Secure Sockets Layer HTTP, page 1 Restrictions for Configuring the Switch for Secure Sockets Layer HTTP, page 2 Information

More information

Displaying SSL Certificate and Key Pair Information

Displaying SSL Certificate and Key Pair Information CHAPTER6 Displaying SSL Certificate and Key Pair Information This chapter describes how to use the available show commands to display SSL-related information, such as the certificate and key pair files

More information

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2 Contents Introduction--1 Content and Purpose of This Guide...........................1 User Management.........................................2 Types of user accounts2 Security--3 Security Features.........................................3

More information

IBM i Version 7.3. Security Digital Certificate Manager IBM

IBM i Version 7.3. Security Digital Certificate Manager IBM IBM i Version 7.3 Security Digital Certificate Manager IBM IBM i Version 7.3 Security Digital Certificate Manager IBM Note Before using this information and the product it supports, read the information

More information

Integrated SSL Scanning

Integrated SSL Scanning Version 9.2 SSL Enhancements Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included in this publication are the exclusive

More information

Encrypted Connections

Encrypted Connections EMu Documentation Encrypted Connections Document Version 1 EMu Version 4.0.03 www.kesoftware.com 2010 KE Software. All rights reserved. Contents SECTION 1 Encrypted Connections 1 How it works 2 Requirements

More information

Web Security: Encryption & Authentication

Web Security: Encryption & Authentication Web Security: Encryption & Authentication Arnon Rungsawang fenganr@ku.ac.th Massive Information & Knowledge Engineering Department of Computer Engineering Faculty of Engineering Kasetsart University, Bangkok,

More information

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University October 2015 1 List of Figures Contents 1 Introduction 1 2 History 2 3 Public Key Infrastructure (PKI) 3 3.1 Certificate

More information

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol SSL/TLS TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol HTTPS SSH SSH Protocol Architecture SSH Transport Protocol Overview SSH User Authentication Protocol SSH Connection Protocol

More information

Key Management Interoperability Protocol (KMIP)

Key Management Interoperability Protocol (KMIP) (KMIP) Addressing the Need for Standardization in Enterprise Key Management Version 1.0, May 20, 2009 Copyright 2009 by the Organization for the Advancement of Structured Information Standards (OASIS).

More information

Ciphire Mail. Abstract

Ciphire Mail. Abstract Ciphire Mail Technical Introduction Abstract Ciphire Mail is cryptographic software providing email encryption and digital signatures. The Ciphire Mail client resides on the user's computer between the

More information

X.509 Certificate Generator User Manual

X.509 Certificate Generator User Manual X.509 Certificate Generator User Manual Introduction X.509 Certificate Generator is a tool that allows you to generate digital certificates in PFX format, on Microsoft Certificate Store or directly on

More information

Understanding digital certificates

Understanding digital certificates Understanding digital certificates Mick O Brien and George R S Weir Department of Computer and Information Sciences, University of Strathclyde Glasgow G1 1XH mickobrien137@hotmail.co.uk, george.weir@cis.strath.ac.uk

More information

Communication Systems SSL

Communication Systems SSL Communication Systems SSL Computer Science Organization I. Data and voice communication in IP networks II. Security issues in networking III. Digital telephony networks and voice over IP 2 Network Security

More information

Chapter 7 Managing Users, Authentication, and Certificates

Chapter 7 Managing Users, Authentication, and Certificates Chapter 7 Managing Users, Authentication, and Certificates This chapter contains the following sections: Adding Authentication Domains, Groups, and Users Managing Certificates Adding Authentication Domains,

More information

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series User Guide Supplement S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series SWD-292878-0324093908-001 Contents Certificates...3 Certificate basics...3 Certificate status...5 Certificate

More information

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies 1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?

More information

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1 PKI Tutorial Jim Kleinsteiber February 6, 2002 Page 1 Outline Public Key Cryptography Refresher Course Public / Private Key Pair Public-Key Is it really yours? Digital Certificate Certificate Authority

More information

CS 356 Lecture 28 Internet Authentication. Spring 2013

CS 356 Lecture 28 Internet Authentication. Spring 2013 CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For Secure Socket Layer Secure Socket Layer Introduction Overview of SSL What SSL is Useful For Introduction Secure Socket Layer (SSL) Industry-standard method for protecting web communications. - Data encryption

More information

Web Security. Mahalingam Ramkumar

Web Security. Mahalingam Ramkumar Web Security Mahalingam Ramkumar Issues Phishing Spreading misinformation Cookies! Authentication Domain name DNS Security Transport layer security Dynamic HTML Java applets, ActiveX, JavaScript Exploiting

More information

SSL A discussion of the Secure Socket Layer

SSL A discussion of the Secure Socket Layer www.harmonysecurity.com info@harmonysecurity.com SSL A discussion of the Secure Socket Layer By Stephen Fewer Contents 1 Introduction 2 2 Encryption Techniques 3 3 Protocol Overview 3 3.1 The SSL Record

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

Spirent Abacus. SIP over TLS Test 编 号 版 本 修 改 时 间 说 明

Spirent Abacus. SIP over TLS Test 编 号 版 本 修 改 时 间 说 明 Spirent Abacus SIP over TLS Test 编 号 版 本 修 改 时 间 说 明 1 1. TLS Interview (Transport Layer Security Protocol) (1) TLS Feature Introduction: 1. TLS is a successor of Secure Sockets Layer (SSL), a cryptographic

More information

mod_ssl Cryptographic Techniques

mod_ssl Cryptographic Techniques mod_ssl Overview Reference The nice thing about standards is that there are so many to choose from. And if you really don t like all the standards you just have to wait another year until the one arises

More information

Chapter 4. Authentication Applications. COSC 490 Network Security Annie Lu 1

Chapter 4. Authentication Applications. COSC 490 Network Security Annie Lu 1 Chapter 4 Authentication Applications COSC 490 Network Security Annie Lu 1 OUTLINE Kerberos X.509 Authentication Service COSC 490 Network Security Annie Lu 2 Authentication Applications authentication

More information

Real-Time Communication Security: SSL/TLS. Guevara Noubir noubir@ccs.neu.edu CSU610

Real-Time Communication Security: SSL/TLS. Guevara Noubir noubir@ccs.neu.edu CSU610 Real-Time Communication Security: SSL/TLS Guevara Noubir noubir@ccs.neu.edu CSU610 1 Some Issues with Real-time Communication Session key establishment Perfect Forward Secrecy Diffie-Hellman based PFS

More information

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler Certificates Noah Zani, Tim Strasser, Andrés Baumeler Overview Motivation Introduction Public Key Infrastructure (PKI) Economic Aspects Motivation Need for secure, trusted communication Growing certificate

More information

Implementing Secure Sockets Layer on iseries

Implementing Secure Sockets Layer on iseries Implementing Secure Sockets Layer on iseries Presented by Barbara Brown Alliance Systems & Programming, Inc. Agenda SSL Concepts Digital Certificate Manager Local Certificate Authority Server Certificates

More information

Factory Application Certificates and Keys Products: SB700EX, SB70LC

Factory Application Certificates and Keys Products: SB700EX, SB70LC Factory Application Certificates and Keys Products: SB700EX, SB70LC 1 Contents 1 Overview... 3 2 Certificates and Keys... 3 2.1 What is in a Certificate?... 4 3 SSL Certificates and Keys... 6 3.1 NetBurner

More information

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings. Secure Socket Layer Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings. Abstraction: Crypto building blocks NS HS13 2 Abstraction: The secure channel 1., run a key-exchange

More information

Lukasz Pater CMMS Administrator and Developer

Lukasz Pater CMMS Administrator and Developer Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign

More information

Enabling SSL and Client Certificates on the SAP J2EE Engine

Enabling SSL and Client Certificates on the SAP J2EE Engine Enabling SSL and Client Certificates on the SAP J2EE Engine Angel Dichev RIG, SAP Labs SAP AG 1 Learning Objectives As a result of this session, you will be able to: Understand the different SAP J2EE Engine

More information

Network Security Essentials Chapter 5

Network Security Essentials Chapter 5 Network Security Essentials Chapter 5 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 5 Transport-Level Security Use your mentality Wake up to reality From the song, "I've Got

More information

Communication Security for Applications

Communication Security for Applications Communication Security for Applications Antonio Carzaniga Faculty of Informatics University of Lugano March 10, 2008 c 2008 Antonio Carzaniga 1 Intro to distributed computing: -server computing Transport-layer

More information

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS Security Engineering Part III Network Security Security Protocols (I): SSL/TLS Juan E. Tapiador jestevez@inf.uc3m.es Department of Computer Science, UC3M Security Engineering 4th year BSc in Computer Science,

More information

HMRC Secure Electronic Transfer (SET)

HMRC Secure Electronic Transfer (SET) HM Revenue & Customs HMRC Secure Electronic Transfer (SET) Installation and key renewal overview Version 3.0 Contents Welcome to HMRC SET 1 What will you need to use HMRC SET? 2 HMRC SET high level diagram

More information

2014 IBM Corporation

2014 IBM Corporation 2014 IBM Corporation This is the 27 th Q&A event prepared by the IBM License Metric Tool Central Team (ICT) Currently we focus on version 9.x of IBM License Metric Tool (ILMT) The content of today s session

More information

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP) Security Protocols Security Protocols Necessary to communicate securely across untrusted network Provide integrity, confidentiality, authenticity of communications Based on previously discussed cryptographic

More information

SSL BEST PRACTICES OVERVIEW

SSL BEST PRACTICES OVERVIEW SSL BEST PRACTICES OVERVIEW THESE PROBLEMS ARE PERVASIVE 77.9% 5.2% 19.2% 42.3% 77.9% of sites are HTTP 5.2% have an incomplete chain 19.2% support weak/insecure cipher suites 42.3% support SSL 3.0 83.1%

More information

Securing VMware View Communication Channels with SSL Certificates TECHNICAL WHITE PAPER

Securing VMware View Communication Channels with SSL Certificates TECHNICAL WHITE PAPER Securing VMware View Communication Channels with SSL Certificates TECHNICAL WHITE PAPER Table of Contents About VMware View.... 3 Changes in VMware View 5.1.... 3 SSL Authentication Mechanism.... 4 X.509

More information

Cleaning Encrypted Traffic

Cleaning Encrypted Traffic Optenet Documentation Cleaning Encrypted Traffic Troubleshooting Guide iii Version History Doc Version Product Date Summary of Changes V6 OST-6.4.300 01/02/2015 English editing Optenet Documentation

More information

Introduction to Cryptography

Introduction to Cryptography Introduction to Cryptography Part 3: real world applications Jean-Sébastien Coron January 2007 Public-key encryption BOB ALICE Insecure M E C C D channel M Alice s public-key Alice s private-key Authentication

More information

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Understanding Digital Certificates and Secure Sockets Layer (SSL) Understanding Digital Certificates and Secure Sockets Layer (SSL) Author: Peter Robinson January 2001 Version 1.1 Copyright 2001-2003 Entrust. All rights reserved. Digital Certificates What are they?

More information

Cornerstones of Security

Cornerstones of Security Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to

More information

CSE/EE 461 Lecture 23

CSE/EE 461 Lecture 23 CSE/EE 461 Lecture 23 Network Security David Wetherall djw@cs.washington.edu Last Time Naming Application Presentation How do we name hosts etc.? Session Transport Network Domain Name System (DNS) Data

More information

Digital Certificates Demystified

Digital Certificates Demystified Digital Certificates Demystified Alyson Comer IBM Corporation System SSL Development Endicott, NY Email: comera@us.ibm.com February 7 th, 2013 Session 12534 (C) 2012, 2013 IBM Corporation Trademarks The

More information

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc. Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0 Accellion, Inc. December 24, 2009 Copyright Accellion, Inc. 2009. May be reproduced only in its original entirety

More information

WEB Security: Secure Socket Layer

WEB Security: Secure Socket Layer WEB Security: Secure Socket Layer Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - COMP581 - L22 1 Outline of this Lecture Brief Information on SSL and TLS Secure Socket Layer (SSL) Transport Layer Security

More information

, ) I Transport Layer Security

, ) I Transport Layer Security Secure Sockets Layer (SSL, ) I Transport Layer Security _ + (TLS) Network Security Products S31213 UNCLASSIFIED Location of SSL -L Protocols TCP Ethernet IP SSL Header Encrypted SSL data= HTTP " Independent

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 12 Applying Cryptography

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 12 Applying Cryptography Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used

More information

Securing Service Access with Digital Certificates

Securing Service Access with Digital Certificates Securing Service Access with Digital Certificates Jovana Palibrk, AMRES NA3 T2, Tbilisi, December 2013. Agenda Theory Cryptographic Protocols and Techniques Public Key Infrastructure TERENA Certificate

More information

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009 16 th lecture Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009 1 25 Organization Welcome to the New Year! Reminder: Structure of Communication Systems lectures

More information

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy Secure Network Communications FIPS 140 2 Non Proprietary Security Policy 21 June 2010 Table of Contents Introduction Module Specification Ports and Interfaces Approved Algorithms Test Environment Roles

More information

USING ENCRYPTION TO PROTECT SENSITIVE INFORMATION Commonwealth Office of Technology Security Month Seminars October 29, 2013

USING ENCRYPTION TO PROTECT SENSITIVE INFORMATION Commonwealth Office of Technology Security Month Seminars October 29, 2013 USING ENCRYPTION TO PROTECT SENSITIVE INFORMATION Commonwealth Office of Technology Security Month Seminars Alternate Title? Boy, am I surprised. The Entrust guy who has mentioned PKI during every Security

More information

Apache Security with SSL Using Ubuntu

Apache Security with SSL Using Ubuntu Apache Security with SSL Using Ubuntu These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) Some SSL background

More information

Apache, SSL and Digital Signatures Using FreeBSD

Apache, SSL and Digital Signatures Using FreeBSD Apache, SSL and Digital Signatures Using FreeBSD AfNOG 2007 Unix System Administration April 26, 2007 Hervey Allen Network Startup Resource Center Some SSL background Invented by Netscape for secure commerce.

More information

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Socket Layer (SSL) and Transport Layer Security (TLS) Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available

More information

Chapter 7 Transport-Level Security

Chapter 7 Transport-Level Security Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell

More information

Configuring Digital Certificates

Configuring Digital Certificates CHAPTER 36 This chapter describes how to configure digital certificates and includes the following sections: Information About Digital Certificates, page 36-1 Licensing Requirements for Digital Certificates,

More information

ERserver. iseries. Secure Sockets Layer (SSL)

ERserver. iseries. Secure Sockets Layer (SSL) ERserver iseries Secure Sockets Layer (SSL) ERserver iseries Secure Sockets Layer (SSL) Copyright International Business Machines Corporation 2000, 2002. All rights reserved. US Government Users Restricted

More information

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University http://www.eng.auburn.edu/~xqin xqin@auburn.

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University http://www.eng.auburn.edu/~xqin xqin@auburn. CSC 490 Special Topics Computer and Network Security Key Management Dr. Xiao Qin Auburn University http://www.eng.auburn.edu/~xqin xqin@auburn.edu Slide 09-1 Overview Key exchange Session vs. interchange

More information

Websense Content Gateway HTTPS Configuration

Websense Content Gateway HTTPS Configuration Websense Content Gateway HTTPS Configuration web security data security email security Support Webinars 2010 Websense, Inc. All rights reserved. Webinar Presenter Title: Sr. Tech Support Specialist Cisco

More information

Transport Layer Security Protocols

Transport Layer Security Protocols SSL/TLS 1 Transport Layer Security Protocols Secure Socket Layer (SSL) Originally designed to by Netscape to secure HTTP Version 2 is being replaced by version 3 Subsequently became Internet Standard known

More information

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0 DEFENSE INFORMATION SYSTEMS AGENCY JOINT INTEROPERABILITY TEST COMMAND FORT HUACHUCA, ARIZONA DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

More information

Grid Computing - X.509

Grid Computing - X.509 Grid Computing - X.509 Sylva Girtelschmid October 20, 2009 Public Key Infrastructure - PKI PKI Digital Certificates IT infrastructure that provides means for private and secure data exchange By using cryptographic

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

Web Security Considerations

Web Security Considerations CEN 448 Security and Internet Protocols Chapter 17 Web Security Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa

More information

Application Note: Onsight Device VPN Configuration V1.1

Application Note: Onsight Device VPN Configuration V1.1 Application Note: Onsight Device VPN Configuration V1.1 Table of Contents OVERVIEW 2 1 SUPPORTED VPN TYPES 2 1.1 OD VPN CLIENT 2 1.2 SUPPORTED PROTOCOLS AND CONFIGURATION 2 2 OD VPN CONFIGURATION 2 2.1

More information

Security. Learning Objectives. This module will help you...

Security. Learning Objectives. This module will help you... Security 5-1 Learning Objectives This module will help you... Understand the security infrastructure supported by JXTA Understand JXTA's use of TLS for end-to-end security 5-2 Highlights Desired security

More information

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

Secure Socket Layer/ Transport Layer Security (SSL/TLS) Secure Socket Layer/ Transport Layer Security (SSL/TLS) David Sánchez Universitat Pompeu Fabra World Wide Web (www) Client/server services running over the Internet or TCP/IP Intranets nets widely used

More information

This section includes troubleshooting topics about certificates.

This section includes troubleshooting topics about certificates. This section includes troubleshooting topics about certificates. Cannot Remove or Overwrite Existing, page 1 Cannot Remove an SSO IdP Certificate, page 2 Certificate Chain Error, page 2 Certificate Does

More information

HTTPS is Fast and Hassle-free with CloudFlare

HTTPS is Fast and Hassle-free with CloudFlare HTTPS is Fast and Hassle-free with CloudFlare 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com In the past, organizations had to choose between performance and security when encrypting their

More information

Authentication Applications

Authentication Applications Authentication Applications will consider authentication functions developed to support application-level authentication & digital signatures will consider Kerberos a private-key authentication service

More information

SSL Handshake Analysis

SSL Handshake Analysis SSL Handshake Analysis Computer Measurement Group Webinar Nalini Elkins Inside Products, Inc. nalini.elkins@insidethestack.com Inside Products, Inc. (831) 659-8360 www.insidethestack.com www.ipproblemfinders.com

More information

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc.

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc. OpenADR 2.0 Security Jim Zuber, CTO QualityLogic, Inc. Security Overview Client and server x.509v3 certificates TLS 1.2 with SHA256 ECC or RSA cipher suites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256

More information

Security Protocols/Standards

Security Protocols/Standards Security Protocols/Standards Security Protocols/Standards Security Protocols/Standards How do we actually communicate securely across a hostile network? Provide integrity, confidentiality, authenticity

More information

You re FREE Guide SSL. (Secure Sockets Layer) webvisions www.webvisions.com +65 6868 1168 sales@webvisions.com

You re FREE Guide SSL. (Secure Sockets Layer) webvisions www.webvisions.com +65 6868 1168 sales@webvisions.com SSL You re FREE Guide to (Secure Sockets Layer) What is a Digital Certificate? SSL Certificates, also known as public key certificates or Digital Certificates, are essential to secure Internet browsing.

More information

Client Error Messages

Client Error Messages Junos Pulse Client Error Messages Release 5.0 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408 745 2000 or 888 JUNIPER www.juniper.net December 2013 Juniper Networks, Junos,

More information

Protocol Rollback and Network Security

Protocol Rollback and Network Security CSE 484 / CSE M 584 (Spring 2012) Protocol Rollback and Network Security Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee,

More information