Topic Name of the Trainer/Speaker Professional Position and Name of Organization Email TLS/SSL : Securing your website PGP : Secure your email communication Mohammad Fakrul Alam CTO bdhub Limited fakrul@bdhub.com Ph Biography of Trainer Education Experience Summary Masters in Telecommunication 12+ Years Fakrul Alam is a network engineer of bdhub Limited/dhakaCom Limited, based in Dhaka, Bangladesh. He has been in the networking industry for more than 12 years. Fakrul is a skilled internetwork expert in Routing & Switching; has strong background in Service Provider (SP) networks with exceptional troubleshooting skills and intense interest in designing & deploying large scale ISP and Enterprise Networks. Prior to joining bdhub Limited, Fakrul worked as Senior Manager, Enterprise Network of Brac Bank Limited. In this role he functioned as the team lead and senior engineer focusing on directing and delivering IT Services as well as developing and maintaining technology policies, standards and procedures. His current focus is on network & infrastructure security. Fakrul is founding member of bdcert (Bangladesh Computer Emergency Response Team) and bdnog (Bangladesh Network Operators Group). He is active in speaking at industry conferences and course instruction. Specialties: Routing & Switching, Network Architecture, Network Security, Network Forensics.
NETWORK SECURITY: VULNERABILITIES AND MANAGEMENT FOR CAMPUS NETWORK JUNE 07- JUNE 11, 2015 Cryptography Application PGP Fakrul Alam bdhub Limited fakrul@bdhub.com
Security issues for E-mail Confidentiality Network admin can read your e-mail. Webmail provider can read your e-mail. LAN user may read your e-mail by monitoring tool. Even in some hotel, I could have chance to read other rooms internet traffic. Integrity E-mail contents may be changed by some attacker on the network. Authenticity Easy to set any e-mail headers like From. Any other e-mail headers can be set anything you want. Difficult to know it is true.
Targeted Attack Attacks on information security which seek to affect a specific organization or group, rather than indiscriminately. Some may be customized for a specific target organization or group. An e-mail with suspicious file attached Executable binary Word document file Database application file
Targeted Attack To: your e-mail address From: Fakrul Alam fakrul@dhakacom.com Subject: my request Hello, I have been looking for someone who can answer questions of the attached file. I hope you can do that and reply me. Thanks!
Example of Spoof Mail
Cryptography Symmetric and Asymmetric (public-key) The latter is widely accepted PGP is based on Asymmetric (Public-Key) Encryption
Symmetric Encryption Involves only one key, which is used by both the encrypting and the recipient for decrypting sender for Symmetric algorithms: blowfish, Triple-DES, AES (Advanced Encryption Standard), CAST (Carlisle Adams and Stafford Tavares), IDEA (International Data Encryption Algorithm, legally restricted, but the other algorithms may be freely used) Problem: the means of distributing the key
Asymmetric (Public-Key) Encryption Solves the problem of distributing keys by using one pair of complimentary keys, one public and the other private. Public: freely exchanged to others without fear of compromising security. Private: only you have access, should be carefully protected. A message is encrypted to a recipient using the recipient's public key, and it can only be decrypted using the corresponding private key.
Asymmetric Encryption Refresher One key mathematically related to the other. Public key can be generated from private key. But NOT vice versa. If you encrypt data with the public key, you need to private key to decrypt You can sign data with the private key and verify the signature using the public key
Keys Private key is kept SECRET. You should encrypt your private key with a symmetric passphrase. Public key is distributed. Anyone who needs to send you confidential data can use your public key
Signing & Encrypting Data is encrypted with a public key to be decrypted with the corresponding private key. Data can be signed with the private key to be verified by anyone who has the corresponding public key. Since public keys are data they can be signed too.
How PGP Works
Trust Centralized / hierarchal trust where certain globally trusted bodies sign keys for every one else. Decentralized webs of trust where you pick who you trust yourself, and decide if you trust who those people trust in turn. Which works better for what reasons?
Sample Web of Trust
PGP by GnuPG Create your keys Public key Private key (secret key) Identify key by Key ID (like 0x23AD8EF6) Verify others public key by Key fingerprint Find keys on PGP key servers Like http://pgp.mit.edu
Key Management Using graphical tools based on what you installed above: GPG Keychain Access for OS X Kleopatra or GPA for windows Using the command line: gpg --list-keys
Key Management On printed media: published book or business cards: Digitally in email or using sneaker-net Online using the openpgp key servers. Still does not tell you if you trust the key.
Key Management Expiry dates ensure that if your private key is compromised they can only be used till they expire. Can be changed after creating the key. Before expiry, you need to create a new key, sign it with the old one, send the signed new one to everyone in your web of trust asking them to sign your new key.
Key Management - Revocation Used to mark a key as invalid before its expiry date. Always generate a revocation certificate as soon as you create your key. Do not keep your revocation certificate with your private key. gpg --gen-revoke IDENTITY
Key Management - Partying Key signing parties are ways to build webs of trust. Each participant carries identification, as well as a copy of their key fingerprint. (maybe some $ as well J ) Each participant decides if they re going to sign another key based on their personal policy. Keys are easiest kept in a keyring on an openpgp keyserver in the aftermath of the party.
Thank You
LAB :: PGP (Pretty Good Privacy) GnuPG : GnuPG forms the heart of Gpg4win the actual encryption software. Kleopatra : The central certificate administration of Gpg4win, which ensures uniform user navigation for all cryptographic operations. Download Gpg4win (GNU Privacy Guard for Windows) from https://www.gpg4win.org/index.html Install GnuPG & Related application The installation assistant will start and ask you for the language to be used with the installation process: Confirm your language selection with [ OK ] Afterwards you will see this welcome dialog: Close all programs that are running on your computer and click on [ Next ] The next page displays the licensing agreement it is only important if you wish to modify or forward Gpg4win. If you only want to use the software, you can do this right away without reading the license.
Click on [ Next ] On the page that contains the selection of components you can decide which programs you want to install. A default selection has already been made for you. Yo can also install individual components at a later time. Moving your mouse cursor over a component will display a brief description. Another useful feature is the display of required hard drive space for all selected components. Click on [ Next ] The system will suggest a folder for the installation, e.g.: C:\Programme\GNU\GnuPG You can accept the suggestion or select a different folder for installing Gpg4win.
Then click on [ Next ] Now you can decide which links should be installed the system will automatically create a link with the start menu. You can change this link later on using the Windows dashboard settings. Then click on [ Next ] If you have selected the default setting link with start menu you can define the name of this start menu on the next page or simply accept the name.
Then click on [ Install ] During the installation process that follows, you will see a progress bar and information on which file is currently being installed. You can press [ Show details ] at any time to show the installation log. Once you have completed the installation, please click on [ Next ] The last page of the installation process is shown once the installation has been successfully completed:
You have the option of displaying the README file, which contains important information on the Gpg4win version you have just installed. If you do not wish to view this file, deactivate this option. Then click on [ Finish ] In some cases you may have to restart Windows. In this case, you will see the following page: Now you can decide whether Windows should be restarted immediately or manually at a later time. Click on [ Finish ] And that s it! You have successfully installed Gpg4win and are ready to work with the program. Create Certificate Open Kleopatra using the Windows start menu:
You will see the main Kleopatra screen the certificate administration: At the beginning, this overview will be empty, since you have not created or imported any certificates yet. Click on File!New Certificate. In the following dialog you select the format for the certificate. You can choose from the following: OpenPGP (PGP/MIME) or X.509 (S/MIME). click on [ Create personal OpenPGP key pair ]. Now enter your e-mail address and your name in the following window. Name and e-mail address will be made publicly visible later. You also have the option of adding a comment for the key pair. Usually this field stays empty, but if you are creating a key for test purposes, you should enter "test" so you do not forget it is a test key. This comment becomes part of your login name, and will become public just like your name and e-mail
address. If you first wish to test your OpenPGP key pair, you can simply enter any name and fictional e-mail address, e.g.: Your Name and YourName@Domain.com Click on [ Next ] You will see a list of all of the main entries and settings for review purposes. If you are interested in the (default) expert settings, you can view these via the All details option. If everything is correct, click on [ Create key ]. Now to the most important part: entering your passphrase! To create a key pair, you must enter your personal passphrase:
Choose passphrase which is easy-to-remember but hard to break secret passphrase. To make sure that you did not make any typing errors, the system will prompt you to enter your passphrase twice. Always confirm your entry with [ OK ]. Now your OpenPGP key pair is being created: This may take a couple of minutes. You can assist the creation of the required random numbers by entering information in the lower input field. It does not matter what you type, as the characters will not be used, only the time period between each key stroke. You can also continue working with another application on your computer, which will also slightly increase the quality of the new key pair. As soon as the key pair creation has been successful, you will see the following dialog:
The 40-digit fingerprint of your newly generated OpenPGP certificate is displayed in the results text field. This fingerprint is unique anywhere in the world, i.e. no other person will have a certificate with the same fingerprint. Actually, even at 8 digits it would already be quite unlikely that the same sequence would occur twice anywhere in world. For this reason, it is often only the last 8 digits of a fingerprint which are used or shown, and which are described as the key ID. This fingerprint identifies the identity of the certificate as well as the fingerprint of a person. However, you do not need to remember or write down the fingerprint. You can also display it later in Kleopatra s certificate details. Next, you can activate one or more of the following three buttons: 1. Creating a backup copy of your (private) certificate... Enter the path under which your full certificate (which contains your new key pair, hence the private and public key) should be exported: Kleopatra will automatically select the file type and store your certificate as an.asc or.gpg file depending on whether you activate or deactivate the ASCII armor option. For export, click on [ OK ]. You can also create a back-up copy later; to do this, select the following from the Kleopatra main menu: File Export private certificate 2. Sending a certificate via e-mail...
Clicking on this button should create a new onee-mail with your new public certificate in the attachment. Your secret Open PGP key will of course not be sent. Enter a recipient e-mail address; you can also add more text to the prepared text for this e-mail. 3. Sending certificates to certificate servers... Your certificate will be uploaded to public key server. Signing message Encrypt Message Few Reference Link: How to: Use PGP for Windows PC (GPG4Win; Mozilla Thunderbird; Enigmail) https://ssd.eff.org/en/module/how-use-pgp-windows-pc
Chrome extension for gmail Mymail- Crypt for Gmail Fakrul Alam fakrul@bdhub.com NETWORK SECURITY: VULNERABILITIES AND MANAGEMENT FOR CAMPUS NETWORK JUNE 07- JUNE 11, 2015
End- To- End is a Chrome extension that helps you encrypt, decrypt, digital sign, and verify signed messages within the browser using OpenPGP
Chrome Web Store https://chrome.google.com/webstore/category/extensions
Check your plugins chrome://extensions/
Plugins Options
Compose New Mail
Encrypt it.
NETWORK SECURITY: VULNERABILITIES AND MANAGEMENT FOR CAMPUS NETWORK JUNE 07- JUNE 11, 2015 TLS/SSL Securing your web traffic Fakrul Alam bdhub Limited fakrul@bdhub.com
History Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent and secure transactions. In 1997 an Open Source version of Netscape s patented version was created, which is now OpenSSL. In 1999 the existing protocol was extended by a version now known as Transport Layer Security (TLS). By convention, the term "SSL" is used even when technically the TLS protocol is being used.
TLS/SSL : What it does Encryption Integrity Authentication
Location of SSL Protocol & TCP Ports
SSL Operations Application calls SSL connect routines to set up channel Public Key cryptography is used during handshake to authenticate parties and exchange session key. Symmetric Key cryptography (using session key) is used to encrypt data.
How SSL Works CLIENT SERVER SSL Handshake Phase Sends Hello Supported algorithms, random number 1 Message Algorithms, random number 2 Authentication Server Generates random value (pre-master secret & encrypts it with the server s public key) 4 Certificate Encrypted pre-master secret 5 6 3 Sends Hello Message Sends Certificates Decrypts to retrieve pre-master secret Calculates Keys 7 7 Calculates Keys Sends finished message 8 8 Sends finished message SSL Data Transfer Phase 9 Data 9
SSL Protocol Building Block Functions
SSL Handshake protocol
SSL Alert Protocol Alert messages communicate the severity of the message and a description of the alert Fatal messages result in connection termination.
SSL ChangeCipherSpec Protocol The ChangeCipherSpec layer is composed of one message that signals the beginning of secure communications between the client and server.
Application Data Protocol Application data messages are carried by the record layer and are fragmented, compressed, and encrypted based on the current connection state. The messages are treated as transparent data to the record layer.
Trusted vs Non Trusted Certificate
Certificate Authority
Thank You
LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate In this example we are using df-h.net as domain name. # super user command. $ normal user command. X replace with your group no. Topology [ca.df-h.net] [192.168.30.10] [group1.df-h.net] [192.168.30.11] [group2.df-h.net] [192.168.30.12] [group3.df-h.net] [192.168.30.13] [group4.df-h.net] [192.168.30.14] [group5.df-h.net] [192.168.30.15] [group6.df-h.net] [192.168.30.16] [group7.df-h.net] [192.168.30.17] [group8.df-h.net] [192.168.30.18] [group9.df-h.net] [192.168.30.19] [group10.df-h.net] [192.168.30.20] [group11.df-h.net] [192.168.30.21] [group12.df-h.net] [192.168.30.22] [group13.df-h.net] [192.168.30.23] [group14.df-h.net] [192.168.30.24] [group15.df-h.net] [192.168.30.25] [group16.df-h.net] [192.168.30.26] [group17.df-h.net] [192.168.30.27] [group18.df-h.net] [192.168.30.28] [group19.df-h.net] [192.168.30.29] [group20.df-h.net] [192.168.30.30] In this lab we wll generate SSL certificated, signed it with our own CA server. Step 1: Generate Your Certificate Signing Request (CSR) Step 2: Send the CSR to the CA. CA will sign the CSR and generate certficate Step 3: Enable SSL and configure Apache with the certificate Requirements 1. Your laptop can properly resolve groupx.df-h.net 2. Check apache server is installed and configured. please try browsing groupx.df-h.net 3. Check openssl installed and check it s version # openssl version
Step 1 Generate Certificate Signing Request (CSR) To generate the keys for the Certificate Signing Request (CSR) run the following command from a terminal prompt {please replace X with your group no}: # cd /etc/ssl # sudo openssl req -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/groupx.df -h.net.key -out /etc/ssl/groupx.df-h.net.csr This will ask for few question: Country Name (2 letter code) [AU]: BD State or Province Name (full name) [Some- State]: DHAKA Locality Name (eg, city) [ ]: DHAKA Organization Name (eg, company) [Internet Widgits Pty Ltd]: DF- H Organizational Unit Name (eg, section) [ ]: TECHNICAL Common Name (e.g. server FQDN or YOUR name) [ ]: groupx.df- h.net Email Address [ ]: groupx@df- h.net A challenge password [ ]: An optional company name []: You can now enter your passphrase. For best security, it should at least contain eight characters. Also remember that your passphrase is case-sensitive. You can keep An optional company name []: blank. Once you have re-typed it correctly, the server key is generated and stored in the two file in /etc/ssl/ folder. # ls -alh /etc/ssl/ groupx.df-h.net.csr groupx.df-h.net.key groupx.df-h.net.csr is the CSR file which we will send to CA. groupx.df-h.net.key the private key. Step 2 Send the groupx.df-h.net.csr file for CA. Wait for CA to reply back the signed certificate. Ask your instructor for the email address. Instructor will sign your CSR and send you the certificate. Step 3 Put the certificate file in /etc/ssl folder which has been send by CA.
Enable SSL in APACHE # sudo a2enmod ssl # vi /etc/apache2/sites-available/default-ssl.conf SSLEngine on # disable existing demo certificate # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key SSLCertificateFile /etc/ssl/groupx.df-h.net.crt SSLCertificateKeyFile /etc/ssl/groupx.df-h.net.key [replace X with your group no] Copy default-ssl.conf file to /etc/apache2/sites-enabled/ # cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/ Restart Apache server. # /etc/init.d/apache2 restart Now try to browse https://groupx.df-h.net. This will give you an error that certificate is not tursted. We need to import CA server root certificate. Step 4 Ask your instructor to provide you the CA server root certificate. Step 5 Import Certificate: 1. Internet Explorer: a. Run IE 9 and click the "Options" > "Internet Options" menu. The Internet Options dialog box shows up.
b. Click the "Content" tab and the "Certificates" button. The Certificates dialog box shows up.
c. Click the "Trusted Root Certification Authorities" tab, and click the "Import..." button. The Certificate Import Wizard shows up. d. Click the "Next" button. The File to Import step shows up.
e. Use the "Browse" button to find and select cacert.pem. Then click the "Next" button. The Certificate Store step shows up. f. Keep the default certificate store selection: "Trusted Root Certificate Authorities", and click the "Next" button. The confirmation step shows up. g. Click the "Yes" button. My self-signed certificate will be installed as a trusted root certificate.
2. Mozilla Firefox: a. 1. Run Mozilla Firefox and click the "Preference" menu. The Preferiece Options dialog box shows up. b. Click the "Advanced" > "Certificates" tab. The Certificates dialog box shows up. c. Click the "View Certificates" > "Authorities".
d. Use the "Import" button to find and select cacert.pem. Then click the "Next" button. The Certificate Store step shows up. e. Select "Trust this CA to identify websites" and click ok. Try to browse the site over https. Now it should not give any certificate error as you trust the CA.