COMP 3704 Computer Security



Similar documents
Apache Security with SSL Using Ubuntu

Internet Programming. Security

Enterprise SSL Support

Apache, SSL and Digital Signatures Using FreeBSD

Application Note AN1502

Creating and Managing Certificates for My webmethods Server. Version 8.2 and Later

SecuritySpy Setting Up SecuritySpy Over SSL

Creating Certificate Authorities and self-signed SSL certificates

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

OpenSSL (lab notes) Definition: OpenSSL is an open-source library containing cryptographic tools.

ViMP 3.0. SSL Configuration in Apache 2.2. Author: ViMP GmbH

How To Encrypt Data With Encryption

Sun Java System Web Server 6.1 Using Self-Signed OpenSSL Certificate. Brent Wagner, Seeds of Genius October 2007

Domino and Internet. Security. IBM Collaboration Solutions. Ask the Experts 12/16/2014

Securing Your Apache Web Server With a Thawte Digital Certificate

SBClient SSL. Ehab AbuShmais

WiMAX Public Key Infrastructure (PKI) Users Overview

EventTracker Windows syslog User Guide

CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER

HOWTO. Configure Nginx for SSL with DoD CAC Authentication on CentOS 6.3. Joshua Penton Geocent, LLC

WebApp S/MIME Manual. Release Zarafa BV

How To Encrypt A Traveltrax Report On Gpg On A Pc Or Mac Or Mac (For A Free Download) On A Thumbdrive Or Ipad Or Ipa (For Free) On Pc Or Ipo (For An Ipo)

Security Workshop. Apache + SSL exercises in Ubuntu. 1 Install apache2 and enable SSL 2. 2 Generate a Local Certificate 2

Server Certificate: Apache + mod_ssl + OpenSSL

X.509 and SSL. A look into the complex world of X.509 and SSL UUASC 07/05/07. Phil Dibowitz

prefer to maintain their own Certification Authority (CA) system simply because they don t trust an external organization to

AN054 SERIAL TO WI-FI (S2W) HTTPS (SSL) AND EAP SECURITY

Understanding digital certificates

Encrypted Connections

Linux Deployment Guide. How to deploy Network Shutdown Module for Linux

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Crypto Lab Public-Key Cryptography and PKI

Encrypting with KMail, Mozilla Thunderbird, and Evolution LOCK AND KEY BY FRAUKE OSTER

Using etoken for SSL Web Authentication. SSL V3.0 Overview

User s guide. APACHE SSL Linux. Using non-qualified certificates with APACHE SSL Linux. version 1.3 UNIZETO TECHNOLOGIES S.A.

SSL Tunnels. Introduction

DoD Public Key Enablement (PKE) Quick Reference Guide. Securing Apache HTTP with mod_ssl for Linux

Generating and Installing SSL Certificates on the Cisco ISA500

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Implementing SSL Security on a PowerExchange Network

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

HW/Lab 1: Security with PGP, and Crypto CS 336/536: Computer Network Security DUE 09/28/2015 (11am)

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server

SSL Configuration Best Practices for SAS Visual Analytics 7.1 Web Applications and SAS LASR Authorization Service

e-cert (Server) User Guide For Apache Web Server

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

7 Key Management and PKIs

SSL Certificates HOWTO

SSL Peach Pit User Guide. Peach Fuzzer, LLC. Version

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Biography of Trainer. Education. Experience. Summary. TLS/SSL : Securing your website PGP : Secure your communication. Topic

Using Client Side SSL Certificate Authentication on the WebMux

X.509 Certificate Generator User Manual

Exercises: FreeBSD: Apache and SSL: SANOG VI IP Services Workshop

End User Encryption Key Protection Policy

To install and configure SSL support on Tomcat 6, you need to follow these simple steps. For more information, read the rest of this HOW-TO.

Configuring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10.

Red Hat Linux Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

Savitribai Phule Pune University

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Building a Secure RedHat Apache Server HOWTO

NetApp Storage Encryption: Preinstallation Requirements and Procedures for SafeNet KeySecure

Yale Software Library

CLIENT DATABASE SECURITY

ERserver. iseries. Securing applications with SSL

LoadMaster SSL Certificate Quickstart Guide

HP LaserJet Pro Devices Installing 2048 bit SSL certificates

GPG Tutorial. 1 Introduction. 2 Creating a signing and encryption keys. 3 Generating a revocation certicate. Andreas Hirt July 12, 2009

SSL/TLS: The Ugly Truth

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Introduction to Cryptography

Encryption Security Recommendations

1.2 Using the GPG Gen key Command

Setting Up CAS with Ofbiz 5

Introduction...3 Terms in this Document...3 Conditions for Secure Operation...3 Requirements...3 Key Generation Requirements...

Cisco TelePresence VCS Certificate Creation and Use

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Signing and Encryption with GnuPG

Overview. SSL Cryptography Overview CHAPTER 1

File and encryption with GPG4win & Enigmail

CA Nimsoft Unified Management Portal

Cisco Expressway Certificate Creation and Use

HTTPS Configuration for SAP Connector

Version Highlights. CertainT 100 SSL Accelerator. Version International. New hardware and software version. North America

(n)code Solutions CA A DIVISION OF GUJARAT NARMADA VALLEY FERTILIZERS COMPANY LIMITED P ROCEDURE F OR D OWNLOADING

GT 6.0 GSI C Security: Key Concepts

E-Commerce: Designing And Creating An Online Store

HMRC Secure Electronic Transfer (SET)

Virtual Private Network (VPN) Lab

This section describes how to use SSL Certificates with SOA Gateway running on Linux.


Signing and Encryption with GnuPG

9.92 Using HTTPS for building secure web applications v 1.0

SubmitedBy: Name Reg No Address. Mirza Kashif Abrar T079 kasmir07 (at) student.hh.se

Exam Papers Encryption Project PGP Universal Server Trial Progress Report

PGP from: Cryptography and Network Security

Installing Dspace 1.8 on Ubuntu 12.04

Securing the OpenAdmin Tool for Informix web server with HTTPS

Transcription:

COMP 3704 Computer Security Christian Grothoff christian@grothoff.org http://grothoff.org/christian/ 1

Key Size Consider how much the information is worth Even advancements in computing are not going to change energy requirements by more than a few orders of magnitude Assume some weakness in your system (cipher, protocol or key generation) allows adversary to reduce search space from 2 n to 2 n/2 2

Guidelines For symmetric keys, use between 128 and 256 bits For asymmetric keys, use about 8x the size of your symmetric key More important than key size are key generation and key management 3

Key Management If the keys are compromised, even the most secure protocols can be broken Key Management is about generating, protecting and distributing keys 4

Key Generation and Protection Make sure you have enough entropy to actually generate all possible values in the keyspace Example: there are only 2 56 8-character 7-bit passwords Guarding a 256-bit key with an 8-character password makes no sense Use hashing to convert long, low-entropy user input into short, high-entropy keys. 5

Software Key Management Cryptographic methods need keys in plaintext in memory for encyrption and decryption Operating system may write memory with key to disk (swap) Operating system may give pages still containing keys to other applications Protect memory with keys (and intermediate results) from swapping, overwrite with random data before releasing! 6

Key Storage Ideal: dedicated hardware (for example, smart cards) storing the key and providing encryption/decryption functionality Alternative: store keys encrypted with (strong) passphrase on disk Reality: keys stored in plaintext in files protected by OS permissions 7

Key Distribution X.509 PKI A certificate authority (CA) signs a certificate vouching for the relation between a public key and some physical entity Web of trust Users meet and certify (sign) each other s keys together with a confidence rating; trust in validity of a binding is based on confidence on all discovered paths 8

X.509 + accountability + easy to use, widely supported - need to establish identity with CA (costly) - need to trust CAs (check your browser s list!) 9

Web of trust + distributed, cheap + geeky & social 10

Web of trust + distributed, cheap + geeky & social - geeky & social!? - accountability, validation standards hard to enforce - path finding is costly (need to download certificate data) - certificate revocation is difficult to communicate 11

CAcert Web of trust used to associate key and entity CAcert then issues X.509 certificate + free - security disadvantages from both approaches 12

Self-signed certificates Sign your own X.509 certificate No actual authenticiation Allows use of SSL (for encryption) without CA 13

Key revocation Key revocation certificates are used to communicate that a key was compromised Key lifetime limitations (as part of certification) are used to expire keys automatically The more frequently used a key is, the shorter its lifetime should be 14

Cryptography tools OpenSSL gpg 15

OpenSSL Standard library (libcrypto) Provides common cryptographic primitives Provides high-level protocol implementations (X.509, SSL) Binary (openssl) allows command-line access Used by Apache for SSL support 16

OpenSSL usage $ openssl help list commands $ openssl md5 FILENAME MD5 hash of FILENAME $ openssl des -in FILENAME -out FILENAME.enc -e -k foo bar 17

A Self-Certified CA $ wget http://grothoff.org/.../3704/openssl.cnf $ echo 01 > ca.db.serial; mkdir ca.db.certs ca.db.index $ openssl genrsa 2048 > ca.key $ openssl req -new -x509 -key ca.key -out ca.cert -config openssl.cnf $ cat ca.cert ca.key > ca.pem 18

Creating a Certificate $ openssl genrsa 1024 > server.key $ openssl req -new -key server.key -out server.csr -config openssl.cnf $ openssl x509 -in server.csr -out server.cert -req -signkey server.key $ openssl ca -out server.cert -infiles server.csr $ openssl verify -CAfile ca.cert server.cert 19

Configuring Apache to use Certificate SSLEngine on SSLCertificateFile server.cert SSLCertificateKeyFile server.key You need to listen on a port > 1024 $ apache2 -f apache2.conf 20

GnuPG Free version of PGP, with library (libgcrypt) Provides common cryptographic primitives Provides implementation of OpenPGP (RFC 2440) Commonly used for secure E-mail Provides web of trust 21

Using GnuPG $ gpg gen-key $ gpg export $ gpg import FILENAME $ gpg edit-key EMAIL; > fpr > sign > trust $ gpg clearsign FILENAME 22

Questions? 23

Problem You are running the secure webportal for the Denver Credit Union. You are already using SSL and have your certificate signed by major CAs. What else could be done to improve the security of your site? 24

Problem You are running the secure webportal for the Denver Credit Union. Customers are scared to use the Internet for banking. How can you improve their impression of the security of your site to gain more customers? 25

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information