CS615 - Aspects of System Administration Slide 1 CS615 - Aspects of System Administration SSL, SSH Department of Computer Science Stevens Institute of Technology Jan Schaumann jschauma@stevens.edu http://www.cs.stevens.edu/~jschauma/615/
HW4 CS615 - Aspects of System Administration Slide 2 Anything that can go wrong will go wrong. (Error handling!)
HW4 CS615 - Aspects of System Administration Slide 3 Look Ma, no temporary files! But if you must... use mktemp(3) always remove all temporary files don t assume you can write to the current working directory
HW4 CS615 - Aspects of System Administration Slide 4 1. Sanity Checks 2.??? 3. Profit
HW4 CS615 - Aspects of System Administration Slide 5
CS615 - Aspects of System Administration Slide 6 SSL / TLS Secure Socket Layer / Transport Layer Security
SSL/TLS CS615 - Aspects of System Administration Slide 7 Use of X.509: public key certificates certificate revocation lists (CRLs) certificate path validation under a Public Key Infrastructure (PKI)
SSL/TLS CS615 - Aspects of System Administration Slide 8 CA = Certificate Authority; RA = Registration Authority; VA = Validation Authority
SSL/TLS CS615 - Aspects of System Administration Slide 9 1. User / Company generates a Certificate Signing Request (CSR), containing: identifying information (distinguished name etc.) signature of data by private key chosen public key
SSL/TLS CS615 - Aspects of System Administration Slide 10 1. User / Company generates a Certificate Signing Request (CSR), containing: identifying information (distinguished name etc.) signature of data by private key chosen public key openssl req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
SSL/TLS CS615 - Aspects of System Administration Slide 11 1. User / Company generates a Certificate Signing Request (CSR) 2. CSR submitted to Certificate Authority (CA)
SSL/TLS CS615 - Aspects of System Administration Slide 12 1. User / Company generates a Certificate Signing Request (CSR) 2. CSR submitted to Certificate Authority (CA) 3. CA verifies information
SSL/TLS CS615 - Aspects of System Administration Slide 13 1. User / Company generates a Certificate Signing Request (CSR) 2. CSR submitted to Certificate Authority (CA) 3. CA verifies information 4. CA returns certificate signed with its private key
SSL/TLS CS615 - Aspects of System Administration Slide 14 1. User / Company generates a Certificate Signing Request (CSR) 2. CSR submitted to Certificate Authority (CA) 3. CA verifies information 4. CA returns certificate signed with its private key 5. clients can verify signatures against trusted root CAs
SSL/TLS CS615 - Aspects of System Administration Slide 15 Some sites: https://twitter.com https://www.stevens.edu https://www.google.com
SSL/TLS CS615 - Aspects of System Administration Slide 16
SSL/TLS CS615 - Aspects of System Administration Slide 17
SSL/TLS CS615 - Aspects of System Administration Slide 18 If you challenge the internet... April 11, 2014 04:27AM Can You Get Private SSL Keys Using Heartbleed? (We think not.) http://is.gd/ymleu5
SSL/TLS CS615 - Aspects of System Administration Slide 19 If you challenge the internet... April 11, 2014 04:27AM Can You Get Private SSL Keys Using Heartbleed? (We think not.) http://is.gd/ymleu5 April 11, 2014 16:22PM Uhm. Yeah, you can. http://is.gd/6ry8on
SSL/TLS CS615 - Aspects of System Administration Slide 20 Setting up a Man in the Middle attack site: 1. start instance 2. openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem 3. sudo openssl s server -WWW -accept 443 -cert mycert.pem 4. curl https://www.stevens.edu/sit/ > index.html 4. go to https://<instance>:4433/index.html
SSL/TLS CS615 - Aspects of System Administration Slide 21 Pitfalls with PKI / CA approach: https://bugzilla.mozilla.org/show bug.cgi?id=647959 222 root CAs on this laptop...
CS615 - Aspects of System Administration Slide 22 SSH secure encrypted terminal sessions
SSH CS615 - Aspects of System Administration Slide 23 secure replacement for telnet, rlogin, rsh
SSH CS615 - Aspects of System Administration Slide 24 Components: sshd(8) ssh(1)
SSH CS615 - Aspects of System Administration Slide 25 Components: sshd(8) ssh(1) scp(1) sftp(1) ssh-agent(1) ssh-keygen(1)
SSH CS615 - Aspects of System Administration Slide 26 Authentication done in primarily two modes: password authentication public-key authentication
SSH CS615 - Aspects of System Administration Slide 27 Authentication done in primarily two modes: password authentication public-key authentication Communication always envolves public-key encryption.
SSH CS615 - Aspects of System Administration Slide 28 Authentication done in primarily two modes: password authentication public-key authentication Communication always envolves public-key encryption. Except when it doesn t (cipher:none).
SSH CS615 - Aspects of System Administration Slide 29 SSH hostkeys each host has (at least) one private key upon connection, it is verified against a public key discrepancies are reported (and should be investigated!) server and client perform a challenge-response handshake involving a random number (which becomes the session key) in SSHv1 or via Diffie-Hellman key agreement in SSHv2
SSH CS615 - Aspects of System Administration Slide 30 SSH userkeys used during public-key authentication the user has a private key the remote host has the corresponding public key the private key may be passphrase-protected the passphrase used and the private key itself never leave the local host
SSH CS615 - Aspects of System Administration Slide 31 SSH agents: allow the user to add multiple keys once, then no longer need to provide the passphrases agents can be forwarded communication happens through a unix-domain socket
SSH CS615 - Aspects of System Administration Slide 32...and then there are tunnels...
SSH configuration CS615 - Aspects of System Administration Slide 33 sshd_config(5) ssh_config(5)
Reading CS615 - Aspects of System Administration Slide 34 SSL/TLS http://www.madboa.com/geek/openssl/ https://www.imperialviolet.org/2014/04/19/revchecking.html http://www.vox.com/cards/heartbleed/what-is-the-heartbleed-bug SSH: ssh(1) ssh_config(5) sshd_config(5) sshd(8) RFC4255 SSHFP in DNS