Netzwerksicherheit Übung 6 SSL/TLS, OpenSSL



Similar documents
Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

, ) I Transport Layer Security

SSL Protect your users, start with yourself

CS 772. Network Security: Concepts, Protocols and Programming Fall 2008 Final Exam Time 2 & 1/2 hours Open Book & Notes.

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Certificates and network security

Encrypted Connections

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

SSL/TLS: The Ugly Truth

SBClient SSL. Ehab AbuShmais

Domino and Internet. Security. IBM Collaboration Solutions. Ask the Experts 12/16/2014

[SMO-SFO-ICO-PE-046-GU-

SSL Certificates in IPBrick

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

How To Encrypt Data With Encryption

Using BroadSAFE TM Technology 07/18/05

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Learning Network Security with SSL The OpenSSL Way

Security. Learning Objectives. This module will help you...

X.509 and SSL. A look into the complex world of X.509 and SSL UUASC 07/05/07. Phil Dibowitz

Public Key Infrastructure

Web Security: Encryption & Authentication

Secure Socket Layer (TLS) Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Lecture 3 Programming with OpenSSL

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Introduction to Cryptography

Grid Computing - X.509

2014 IBM Corporation

Overview. SSL Cryptography Overview CHAPTER 1

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

SSL/TLS Programming. sslclient.c. /* A simple SSL client. It connects and then forwards data from/to the terminal to/from the server */

Securing Your Condor Pool With SSL. Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison

Security OpenSSL SSL. Roberta Daidone.

Understanding SSL/TLS

Generating and Installing SSL Certificates on the Cisco ISA500

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

SSL/TLS Hands-on Thomas Herlea

Managing SSL certificates in the ServerView Suite

Configuring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10.

A quick overview of the DANE WG. * DNS-based Authentication of Named Entities

Configuring SSL Termination

Understanding digital certificates

Understanding Digital Certificates on z/os Vanguard Las Vegas, NV Session AST3 June 26th 2012

Network Management Card Security Implementation

CS615 - Aspects of System Administration

Cisco TelePresence VCS Certificate Creation and Use

PowerChute TM Network Shutdown Security Features & Deployment

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Factory Application Certificates and Keys Products: SB700EX, SB70LC

Configuring Secure Socket Layer HTTP

Digital Certificates Demystified

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

An Introduction to Cryptography as Applied to the Smart Grid

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173

TLS/SSL in distributed systems. Eugen Babinciuc

OpenSSL (lab notes) Definition: OpenSSL is an open-source library containing cryptographic tools.

Chapter 7 Transport-Level Security

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Cisco Expressway Certificate Creation and Use

McAfee Firewall Enterprise 8.2.1

Communication Systems SSL

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server

CHAPTER 7 SSL CONFIGURATION AND TESTING

Is Your SSL Website and Mobile App Really Secure?

Configuring IBM WebSphere Application Server 7 for Secure Sockets Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Web

Implementing SSL Security on a PowerExchange Network

Public Key Infrastructure (PKI)

Network Security Essentials Chapter 5

Certificate Authorities and Public Keys. How they work and 10+ ways to hack them.

Using certificates as authentication method for VPN connections between Netgear ProSafe Routers and the ProSafe VPN Client

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

SECURITY IN ELECTRONIC COMMERCE MULTIPLE-CHOICE QUESTIONS

Transport Level Security

Chapter 4. Authentication Applications. COSC 490 Network Security Annie Lu 1

Apache Security with SSL Using Ubuntu

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Secure Systems and Networks OpenSSL. Tomasz Surmacz, PhD 25 listopada 2014

Crypto Lab Public-Key Cryptography and PKI

Internet Programming. Security

Automated Vulnerability Scan Results

McAfee Firewall Enterprise 8.3.1

SSL Overview for Resellers

Understanding Digital Certificates on z/os Share Anaheim, CA Session 8349 March 2nd 2011

Implementing Secure Sockets Layer on iseries

Network Security Protocols

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009


Ciphire Mail. Abstract

Implementing Secure Sockets Layer (SSL) on i

Instructions on TLS/SSL Certificates on Yealink Phones

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

Proto Balance SSL TLS Off-Loading, Load Balancing. User Manual - SSL.

Cornerstones of Security

Cisco TelePresence VCS Certificate Creation and Use

Configuring the JBoss Application Server for Secure Sockets Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Web

mod_ssl Cryptographic Techniques

SSL Interception on Proxy SG

Transcription:

Netzwerksicherheit Übung 6 SSL/TLS, Thomas Schneider Computer Networks and Communication Systems Dept. of Computer Sciences, University of Erlangen-Nuremberg, Germany 10. 14.12.2007 Thomas Schneider: Netzwerksicherheit Übung 6 SSL/TLS, 1 / 18

SSL/TLS Secure Socket Layer / Transport Layer Security (SSL/TLS) TLS 1.0 ˆ= SSL 3.1 SSL/TLS secures TCP connections: Authentication with Certificates (asymm.: RSA, DSA,...) Key-Exchange (asymm.: RSA, DH,...) Data Encryption (symm.: RC4, DES, 3DES, IDEA, AES,...) Data Integrity (symm.: MD5, SHA-1,...) XXXS = XXX over SSL/TLS e.g.: HTTPS(443), IMAPS(993), POP3S(995), FTPS(989,990) Thomas Schneider: Netzwerksicherheit Übung 6 SSL/TLS, 2 / 18

Authentication with Certificates Ensures communication with intended communication partner without pre-shared secrets ( asymmetric cryptography): A challenge-response protocol ensures that the communication partner possesses the private key corresponding to a (!!!) public key. A certificate glues the public key +K A of A to her name. This mapping is verified and afterwards guaranteed by a (indirectly) trusted certification authority CA by signing the mapping with the CA s private key CK CA : CA A = Cert CKCA (+K A ) = CA[..., CA,..., A, +K A ] Thomas Schneider: Netzwerksicherheit Übung 6 SSL/TLS, 3 / 18

X.509 Certificates RFC 3280: Internet X.509 Public Key Infrastructure, Certificate and Certificate Revocation List (CRL) Profile http://tools.ietf.org/html/rfc3280 Certificate Contents and Format 203,4)5 6789:&);#<)=#>$:?:&@$#A %:GD@$7># F9GC>:$HE 6#>:CQ)C? B@9:Q:$< %78L#&$RA 6789:&) ;#<)ID?C B#>A:CD =#>$:?:&@$# %#>:@9)"7E8#> F9GC>:$HE)IJ 6@>@E#$#>A IAA7#>)"@E# "C$)K#?C># "C$)F?$#> %78L#&$)"@E# F9GC>:$HE)IJ 6@>@E#$#>A ;#< IAA7#>)MD:N7#)IJ %78L#&$)MD:N7#)IJ OP$#DA:CDA %:GD@$7># B#>A:CD)1 B#>A:CD)+ B#>A:CD)S F99)B#>A:CDA Certificate:! F)!"#$%&'()*'&)+,%-%&.,) Data: :A) Version: 1 (0x0) ACE#)AC>$)C?))T@AATC>$() Serial Number: 3 (0x3) &#>$:?<:DG)$H@$)@)T789:&)U#<) 8#9CDGA)$C)@)AT#&:?:&)D@E# Validity! =#>$:?:&@$#A)@>#):AA7#Q)8<) &)+,%-%&.,%/0'.",1/+%,%)2'3456! CN=localhost I?)@99)7A#>A)UDCV)?C>)A7>#)$H#) Subject Public Key Info: T789:&)U#<)C?)$H#)=F()#W#><) 7A#>)&@D)&H#&U)#W#><) RSA Public Key: (512 bit) Modulus (512 bit): &#>$:?:&@$#):AA7#Q)8<)$H:A)=F! =#>$:?:&@$#A)&@D)@WC:Q) CD9:D#XT@>$:&:T@$:CD)C?)@)YY6) d5:b1:e6:14:75! YH#)A#&7>:$<)C?)$H#)T>:W@$#) Exponent: 65537 (0x10001) U#<)C?)$H#)=F):A)&>7&:@9)$C) $H#)A#&7>:$<)C?)@99)7A#>AZ Signature Algorithm: sha1withrsaencryption Issuer: C=DE, ST=Bavaria, L=Erlangen, O=FAU, OU=CS 7 / NetSec, CN=NetSec CA/emailAddress=thomas.schneider@informatik.stud.uni-erlangen.de Not Before: Nov 30 08:54:42 2007 GMT Not After : Nov 29 08:54:42 2008 GMT Subject: C=DE, ST=Bavaria, L=Erlangen, O=FAU, OU=CS 7 / NetSec, Public Key Algorithm: rsaencryption 00:e5:fc:b2:0a:76:58:ce:44:e9:c7:5a:4e:4e:ac: 87:85:13:3e:1d:7f:7e:60:4c:ba:dd:56:1d:f7:dc: ce:9b:f4:24:5e:b8:e7:da:45:4e:17:b2:81:d5:d3: 35:f7:4e:19:a7:b8:c2:d3:60:d7:91:a8:ce:68:43: Signature Algorithm: sha1withrsaencryption 90:50:56:16:4f:94:16:54:f1:42:a0:fe:1b:79:35:5e:e4:fe: 7e:fa:ce:f8:6d:c9:ce:50:a6:68:39:4f:02:58:63:f2:dd:3d: f5:c3:7d:52:b5:97:0d:1e:38:dd:62:8f:cd:fa:d0:c0:4e:49: 1a:b8:a5:1a:ab:f5:35:20:e1:50 Thomas Schneider:!"#$%#&'()*%)+,,-.+,,/ Netzwerksicherheit Übung 6 SSL/TLS, -0+1 4 / 18

Certificate Hierarchy Self Signed Root Certificate (Issuer=Subject) Certificate Request Certificate Request: Data: Version: 0 (0x0) Subject: C=DE, ST=Bavaria, L=Erlangen, O=FAU, OU=CS 7 / NetSec, CN=localhost Subject Public Key Info: Public Key Algorithm: rsaencryption RSA Public Key: (512 bit) Modulus (512 bit): 00:e5:fc:b2:0a:76:58:ce:44:e9:c7:5a:4e:4e:ac: 87:85:13:3e:1d:7f:7e:60:4c:ba:dd:56:1d:f7:dc: ce:9b:f4:24:5e:b8:e7:da:45:4e:17:b2:81:d5:d3: 35:f7:4e:19:a7:b8:c2:d3:60:d7:91:a8:ce:68:43: d5:b1:e6:14:75 Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha1withrsaencryption a7:c5:e2:96:51:0b:53:c3:bb:f5:4e:35:7e:c1:50:62:83:48: 9a:75:90:fe:d1:12:71:31:0d:43:83:36:34:67:c4:2a:9f:99: 41:22:4f:de:fb:15:cb:10:ab:ea:d1:9c:e1:de:1a:6b:f8:00: ca:59:bf:1f:4a:ed:fd:06:06:90 Thomas Schneider: Netzwerksicherheit Übung 6 SSL/TLS, 5 / 18

SSL/TLS implementations (open source: implementation in C + console tools) FIPS 140-2 (Level 1) certified http://www.openssl.org Examples http://www.rtfm.com/openssl-examples/ man openssl(1), ssl(3) Java TM Secure Socket Extension (JSSE) Reference Guide http://java.sun.com/j2se/1.4.2/docs/guide/ security/jsse/jsserefguide.html Secure Your Sockets with JSSE http://www.onjava.com/pub/a/onjava/2001/05/ 03/java_security.html Thomas Schneider: Netzwerksicherheit Übung 6 SSL/TLS, 6 / 18

: Certificate Mini-HOWTO Generate symmetrically encrypted 1024 bit RSA key pair: openssl genrsa -aes128 -out CAkey.pem 1024 Show RSA key: openssl rsa -text < CAkey.pem Generate self-signed root certificate for RSA key: openssl req -new -x509 -key CAkey.pem -out CAcert.pem Show certificate: openssl x509 -text < CAcert.pem Generate certificate request (CR) for key: openssl req -new -key key.pem -out req.pem Show certificate request: openssl req -text < req.pem Issue certificate by signing CR with CA certificate: openssl x509 -req -in req.pem -CA CAcert.pem -CAkey CAkey.pem -CAcreateserial -out cert.pem Thomas Schneider: Netzwerksicherheit Übung 6 SSL/TLS, 7 / 18

Code IT! Extension of a given HTTPS client and server from http://www.rtfm.com/openssl-examples/ HTTPS (RFC 2818): http://www.ietf.org/rfc/rfc2818.txt Thomas Schneider: Netzwerksicherheit Übung 6 SSL/TLS, 8 / 18

SSL initialization (common.c) SSL_CTX* initialize_ctx(char* keyfile, char* pwd){... // Global system initialization SSL_library_init(); SSL_load_error_strings(); // An error write context bio_err=bio_new_fp(stderr,bio_noclose); // Create our context meth=sslv23_method(); ctx=ssl_ctx_new(meth); // Load our keys and certificates if(!(ssl_ctx_use_certificate_chain_file(ctx, keyfile))) berr_exit("can t read certificate file"); Thomas Schneider: Netzwerksicherheit Übung 6 SSL/TLS, 10 / 18

// Password callback pass=pwd; SSL_CTX_set_default_passwd_cb(ctx, password_cb); // Private key file if(!(ssl_ctx_use_privatekey_file(ctx, keyfile, SSL_FILETYPE_PEM))) berr_exit("can t read key file"); // Load the CAs we trust if(!(ssl_ctx_load_verify_locations(ctx,ca_list, 0))) berr_exit("can t read CA list"); #if (OPENSSL_VERSION_NUMBER < 0x00905100L) SSL_CTX_set_verify_depth(ctx,1); #endif return ctx; } // initialize_ctx Thomas Schneider: Netzwerksicherheit Übung 6 SSL/TLS, 12 / 18

SSL client (wclient.c)... // Build our SSL context ctx=initialize_ctx(keyfile,password); // Connect the TCP socket sock=tcp_connect(host,port); // Connect the SSL socket ssl=ssl_new(ctx); sbio=bio_new_socket(sock,bio_noclose); SSL_set_bio(ssl,sbio,sbio); if(ssl_connect(ssl)<=0) berr_exit("sslconnect error" if(require_server_auth) check_cert(ssl,host); // make HTTP request... Thomas Schneider: Netzwerksicherheit Übung 6 SSL/TLS, 14 / 18

Check certificate correctness (client.c) // Check that common name matches host name void check_cert(ssl *ssl, char *host) {... // Verify certificate chain if(ssl_get_verify_result(ssl)!=x509_v_ok) berr_exit("certificate doesn t verify"); } // Check the common name peer=ssl_get_peer_certificate(ssl); X509_NAME_get_text_by_NID(X509_get_subject_name (peer),nid_commonname, peer_cn, 256); if(strcasecmp(peer_cn,host)) err_exit("common name doesn t match hostname"); Thomas Schneider: Netzwerksicherheit Übung 6 SSL/TLS, 16 / 18

Server (wserver.c) // Build our SSL context ctx=initialize_ctx(keyfile,password); load_dh_params(ctx,dhfile); sock=tcp_listen(); while(1){ if((s=accept(sock,0,0))<0)err_exit("accept err"); if((pid=fork())) close(s); else { sbio=bio_new_socket(s,bio_noclose); ssl=ssl_new(ctx); SSL_set_bio(ssl,sbio,sbio); if((r=ssl_accept(ssl)<=0)) berr_exit("ssl accept error."); http_serve(ssl,s); exit(0); }}... Thomas Schneider: Netzwerksicherheit Übung 6 SSL/TLS, 18 / 18

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information