CS615 - Aspects of System Administration




Slide 1: CS615 - Aspects of System Administration
SSL, SSH
Department of Computer Science, Stevens Institute of Technology
Jan Schaumann, jschauma@stevens.edu
http://www.cs.stevens.edu/~jschauma/615/

Slide 2 (HW4): Anything that can go wrong will go wrong. (Error handling!)

Slide 3 (HW4): Look Ma, no temporary files! But if you must...
- use mktemp(3)
- always remove all temporary files
- don't assume you can write to the current working directory
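The three rules on slide 3 carried out in POSIX shell, as an added example that is not part of the slides: atomic_write and with_scratch_dir are our own names, and the staging-file naming scheme is an assumption.

```shell
#!/bin/sh
# Temporary files done the way slide 3 asks: created with mktemp(1), never in
# an assumed-writable cwd, and always removed. Added example; names are ours.

# Write $2 to file $1 without ever exposing a half-written file: stage in a
# mktemp-made sibling (in the destination's directory, not cwd) and rename it
# into place, which is atomic on the same filesystem.
atomic_write() {
  (
    set -e
    dest=$1
    tmp=$(mktemp "$(dirname "$dest")/.$(basename "$dest").XXXXXX")
    # Any way out of this subshell (error, signal) removes the staging file.
    trap 'rm -f "$tmp"' EXIT INT TERM HUP
    printf '%s\n' "$2" > "$tmp"
    mv -f "$tmp" "$dest"   # after this $tmp is gone; the trap's rm -f is a no-op
  )
}

# Run command $1 with a private scratch directory as its argument. Honours
# TMPDIR, uses an unpredictable name (fixed /tmp names invite symlink races),
# and removes the directory however the command ends.
with_scratch_dir() {
  (
    set -e
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/job.XXXXXX")
    trap 'rm -rf "$scratch"' EXIT INT TERM HUP
    "$1" "$scratch"
  )
}
```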

Slide 4 (HW4):
1. Sanity Checks
2. ???
3. Profit

Slide 5 (HW4): (no transcribed text)

Slide 6: SSL / TLS - Secure Socket Layer / Transport Layer Security

Slide 7 (SSL/TLS): Use of X.509:
- public key certificates
- certificate revocation lists (CRLs)
- certificate path validation under a Public Key Infrastructure (PKI)

Slide 8 (SSL/TLS): CA = Certificate Authority; RA = Registration Authority; VA = Validation Authority

Slide 9 (SSL/TLS):
1. User / Company generates a Certificate Signing Request (CSR), containing:
   - identifying information (distinguished name etc.)
   - signature of data by private key
   - chosen public key

Slide 10 (SSL/TLS):
1. User / Company generates a Certificate Signing Request (CSR), containing:
   - identifying information (distinguished name etc.)
   - signature of data by private key
   - chosen public key

   openssl req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

Slide 11 (SSL/TLS):
1. User / Company generates a Certificate Signing Request (CSR)
2. CSR submitted to Certificate Authority (CA)

Slide 12 (SSL/TLS):
1. User / Company generates a Certificate Signing Request (CSR)
2. CSR submitted to Certificate Authority (CA)
3. CA verifies information

Slide 13 (SSL/TLS):
1. User / Company generates a Certificate Signing Request (CSR)
2. CSR submitted to Certificate Authority (CA)
3. CA verifies information
4. CA returns certificate signed with its private key

Slide 14 (SSL/TLS):
1. User / Company generates a Certificate Signing Request (CSR)
2. CSR submitted to Certificate Authority (CA)
3. CA verifies information
4. CA returns certificate signed with its private key
5. clients can verify signatures against trusted root CAs
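The five steps of slides 9 to 14 replayed end to end with a throwaway lab CA, as an added example that is not part of the slides: file names and subject DNs are made up, and the last function shows why a self-signed certificate (the kind `openssl req -x509` produces) fails step 5 unless its issuer is in the trust store.

```shell
#!/bin/sh
# CSR -> CA -> signed certificate -> client verification, with a local lab CA
# standing in for a real one. Added example; uses rsa:2048 rather than the
# slide's rsa:1024, which current clients and CAs no longer accept.

# Build the whole chain inside directory $1 and print the verify result.
pki_demo() {
  (
    set -e
    mkdir -p "$1" && cd "$1"
    # 1. User/company: key pair plus CSR. The CSR carries the subject DN, the
    #    public key, and a signature made with the private key (proof of possession).
    openssl req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem \
        -subj "/CN=www.example.com" 2>/dev/null
    # 2./3. CA side: a self-signed root for the lab; a real CA would also vet
    #    the identity. Checking the CSR's own signature comes before signing.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -keyout ca.key \
        -out ca.pem -subj "/CN=Example Lab Root CA" 2>/dev/null
    openssl req -in myreq.pem -verify -noout 2>/dev/null
    # 4. CA signs the CSR with its private key; the result is the certificate.
    openssl x509 -req -in myreq.pem -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 90 -out mycert.pem 2>/dev/null
    # 5. Client: path validation against the trusted root. Prints "mycert.pem: OK".
    openssl verify -CAfile ca.pem mycert.pem
  )
}

# Does root store $1 trust certificate $2? Exit status only, as a client uses it.
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# A self-signed certificate for the same name. Nothing in the trust store
# vouches for it, so trusted_by fails; this is the warning browsers show.
make_self_signed() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout "$1.key" \
      -out "$1" -subj "/CN=www.example.com" 2>/dev/null
}
```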

Slide 15 (SSL/TLS): Some sites:
- https://twitter.com
- https://www.stevens.edu
- https://www.google.com

Slide 16 (SSL/TLS): (no transcribed text)

Slide 17 (SSL/TLS): (no transcribed text)

Slide 18 (SSL/TLS): If you challenge the internet...
April 11, 2014 04:27AM: Can You Get Private SSL Keys Using Heartbleed? (We think not.) http://is.gd/ymleu5

Slide 19 (SSL/TLS): If you challenge the internet...
April 11, 2014 04:27AM: Can You Get Private SSL Keys Using Heartbleed? (We think not.) http://is.gd/ymleu5
April 11, 2014 16:22PM: Uhm. Yeah, you can. http://is.gd/6ry8on

Slide 20 (SSL/TLS): Setting up a Man in the Middle attack site:
1. start instance
2. openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
3. sudo openssl s_server -WWW -accept 443 -cert mycert.pem
4. curl https://www.stevens.edu/sit/ > index.html
5. go to https://<instance>:4433/index.html
   (s_server serves on the port given to -accept; 4433 is its default when the flag is omitted)

Slide 21 (SSL/TLS): Pitfalls with PKI / CA approach:
https://bugzilla.mozilla.org/show_bug.cgi?id=647959
222 root CAs on this laptop...

Slide 22: SSH - secure encrypted terminal sessions

Slide 23 (SSH): secure replacement for telnet, rlogin, rsh

Slide 24 (SSH): Components:
- sshd(8)
- ssh(1)

Slide 25 (SSH): Components:
- sshd(8)
- ssh(1)
- scp(1)
- sftp(1)
- ssh-agent(1)
- ssh-keygen(1)

Slide 26 (SSH): Authentication done in primarily two modes:
- password authentication
- public-key authentication

Slide 27 (SSH): Authentication done in primarily two modes:
- password authentication
- public-key authentication
Communication always involves public-key encryption.

Slide 28 (SSH): Authentication done in primarily two modes:
- password authentication
- public-key authentication
Communication always involves public-key encryption. Except when it doesn't (cipher:none).

Slide 29 (SSH): SSH hostkeys
- each host has (at least) one private key
- upon connection, it is verified against a public key
- discrepancies are reported (and should be investigated!)
- server and client perform a challenge-response handshake involving a random number (which becomes the session key) in SSHv1, or via Diffie-Hellman key agreement in SSHv2
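The client-side host-key check from slide 29, replayed offline with ssh-keygen(1) as an added example that is not part of the slides: the function names, host name and file layout are ours, and the last function emits the RFC 4255 SSHFP records mentioned in the reading list.

```shell
#!/bin/sh
# Host-key verification as ssh(1) performs it, without a network. Added
# example; names and paths are made up. Assumes ssh-keygen is installed.

# Generate a fresh ed25519 "host key" at $1 (private) and $1.pub (public).
make_hostkey() {
  ssh-keygen -q -t ed25519 -N '' -C "host key" -f "$1"
}

# Remember host $2's public key ($3) in known_hosts file $1. This is what the
# client does once the user accepts the fingerprint on the first connection.
record_known_host() {
  printf '%s %s\n' "$2" "$(cut -d' ' -f1,2 "$3")" >> "$1"
}

# Compare the key a server presents ($3) with what known_hosts ($1) holds for
# host $2. Returns 0 on match, 1 on a CHANGED key (investigate!), 2 if unknown.
check_hostkey() {
  recorded=$(ssh-keygen -F "$2" -f "$1" 2>/dev/null | grep -v '^#' | cut -d' ' -f2,3)
  [ -n "$recorded" ] || return 2
  presented=$(cut -d' ' -f1,2 "$3")
  [ "$recorded" = "$presented" ] && return 0
  echo "WARNING: host key for $2 changed; presented $(ssh-keygen -lf "$3" | cut -d' ' -f2)" >&2
  return 1
}

# SSHFP resource records (RFC 4255) for host $1's key $2, for publishing in
# DNS so a client with VerifyHostKeyDNS can check a first connection without
# relying on trust-on-first-use.
sshfp_records() {
  ssh-keygen -r "$1" -f "$2"
}
```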

Slide 30 (SSH): SSH userkeys
- used during public-key authentication
- the user has a private key
- the remote host has the corresponding public key
- the private key may be passphrase-protected
- the passphrase used and the private key itself never leave the local host

Slide 31 (SSH): SSH agents:
- allow the user to add multiple keys once, then no longer need to provide the passphrases
- agents can be forwarded
- communication happens through a unix-domain socket

Slide 32 (SSH): ...and then there are tunnels...

Slide 33 (SSH configuration): sshd_config(5), ssh_config(5)

Slide 34 (Reading):
SSL/TLS:
- http://www.madboa.com/geek/openssl/
- https://www.imperialviolet.org/2014/04/19/revchecking.html
- http://www.vox.com/cards/heartbleed/what-is-the-heartbleed-bug
SSH:
- ssh(1), ssh_config(5), sshd_config(5), sshd(8)
- RFC4255: SSHFP in DNS