Programming OpenSSL. The Server Perspective. by Sean Walton. Copyright 2001 Sean Walton



Similar documents
Security OpenSSL SSL. Roberta Daidone.

SSL/TLS Programming. sslclient.c. /* A simple SSL client. It connects and then forwards data from/to the terminal to/from the server */

Writing a C-based Client/Server

Angels (OpenSSL) and D(a)emons. Athula Balachandran Wolfgang Richter

Networking Test 4 Study Guide

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

SSL A discussion of the Secure Socket Layer

Socket Programming. Srinidhi Varadarajan

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Shteryana Shopova, Programming with OpenSSL and libcrypto in examples

Network-Oriented Software Development. Course: CSc4360/CSc6360 Instructor: Dr. Beyah Sessions: M-W, 3:00 4:40pm Lecture 2

Why SSL is better than IPsec for Fully Transparent Mobile Network Access

TLS/SSL in distributed systems. Eugen Babinciuc

Transport Level Security

Objectives of Lecture. Network Architecture. Protocols. Contents

Network Security TCP/IP Refresher

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Operating Systems Design 16. Networking: Sockets

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Network Security Part II: Standards

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Protocol Data Units and Encapsulation

Basic Networking Concepts. 1. Introduction 2. Protocols 3. Protocol Layers 4. Network Interconnection/Internet

Packet Sniffing and Spoofing Lab

BASIC ANALYSIS OF TCP/IP NETWORKS

Virtual Private Networks

CS 3251: Computer Networking 1 Security Protocols I

Understanding TCP/IP. Introduction. What is an Architectural Model? APPENDIX

Linux Network Security

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

TCP/IP - Socket Programming

CPS221 Lecture: Layered Network Architecture

Chapter 17. Transport-Level Security

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Layered Architectures and Applications

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Secure Sockets Layer

The Secure Sockets Layer (SSL)

ELEN 602: Computer Communications and Networking. Socket Programming Basics

SSL/TLS. What Layer? History. SSL vs. IPsec. SSL Architecture. SSL Architecture. IT443 Network Security Administration Instructor: Bo Sheng

Network Programming TDC 561

Implementing Network Software

Socket Programming. Request. Reply. Figure 1. Client-Server paradigm

How do I get to

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

Protocol Rollback and Network Security

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

TLS and SRTP for Skype Connect. Technical Datasheet

Client Server Registration Protocol

Introduction to Socket Programming Part I : TCP Clients, Servers; Host information

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address :

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

Application. Transport. Network. Data Link. Physical. Network Layers. Goal

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Computer Networks CS321

Network Models OSI vs. TCP/IP

LESSON Networking Fundamentals. Understand TCP/IP

NS3 Lab 1 TCP/IP Network Programming in C

EITF25 Internet Techniques and Applications L5: Wide Area Networks (WAN) Stefan Höst

Overview. SSL Cryptography Overview CHAPTER 1

Web Security Considerations

Oracle Database Security and Audit

DMZ Network Visibility with Wireshark June 15, 2010

TYLER JUNIOR COLLEGE School of Continuing Studies 1530 SSW Loop 323 Tyler, TX

TOE2-IP FTP Server Demo Reference Design Manual Rev1.0 9-Jan-15

Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer. February 3, 1999

First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring

Chapter 10. Network Security

Overview of Computer Networks

15-441: Computer Networks Homework 1

CSE 127: Computer Security. Network Security. Kirill Levchenko

CS 416: Opera-ng Systems Design

Asymetrical keys. Alices computer generates a key pair. A public key: XYZ (Used to encrypt) A secret key: ABC98765 (Used to decrypt)

CONNECTING WINDOWS XP PROFESSIONAL TO A NETWORK

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

, ) I Transport Layer Security

Transport Layer Protocols

Lab 7. Answer. Figure 1

Network Security Essentials Chapter 5

Security vulnerabilities in the Internet and possible solutions

How Does Ping Really Work?

Mobile IP Network Layer Lesson 01 OSI (open systems interconnection) Seven Layer Model and Internet Protocol Layers

Ethernet. Ethernet. Network Devices

Network Layers. CSC358 - Introduction to Computer Networks

Computer Networks Network architecture

SSL Protect your users, start with yourself

Understanding Layer 2, 3, and 4 Protocols

General Network Security

Netzwerksicherheit: Anwendungen

Chapter 7 Transport-Level Security

Embedded SSL. Christophe Kiennert, Pascal Urien. Embedded SSL - Christophe Kiennert, Pascal Urien 1

Question: 3 When using Application Intelligence, Server Time may be defined as.

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Transcription:

Programming OpenSSL The Server Perspective by Sean Walton

Host Addressing & Ports Hosts use addresses to interconnect. TCP/IP uses a 4-byte number for Ids. 128.98.2.254 TCP adds ports to addresses for services. Ports can be between 1-65535 System services are between 1-1023 User services are between 1024-65535 198.176.2.45:80 or 12.63.99.240.3246

OSI Model DoD Model 7 Network Models 4 Application Layer Program's API Kernel Drivers Networking API 6 Presentation Layer 5 4 3 2 1 Session Layer Transport Layer Network Layer Datalink Layer Physical Layer Data translation/ conversion Login, security, checkpointing Packet integrity, streaming Routing, addressing, network linking Packaging, data integrity LAN cards, wiring, modem Application Layer 3 Host-to-Host Layer 2 Internetwork Layer 1 Network Access Layer SSL TCP ICMP Raw IP Packet Frames UDP

Basic Client/Server Networked hosts connect through sockets. Servers publish services through ports. Clients connect to the ports. Computer Server Computer

Client Algorithm The Basic Client: Sets up socket. Connects to server. Sends command. Retrieves reply. Closes socket. int sd; struct sockaddr_in addr; sd= socket(pf_inet,sock_stream,0); bzero(&addr, sizeof(addr)); addr.sin_family= AF_INET; addr.sin_port= htons(80); aton( 127.0.0.1, &addr.sin_addr); connect(sd, &addr, sizeof(addr)); send(sd, msg, msglen, 0); recv(sd, reply, replylen, 0); close(sd);

Server Algorithm The Basic Server: Sets up socket. Publishes port. Socket listener. Awaits connection. Gets command. Sends reply. Closes connection. int sd, client; struct sockaddr_in addr; sd= socket(pf_inet,sock_stream,0); bzero(&addr, sizeof(addr)); addr.sin_family= AF_INET; addr.sin_port= htons(80); aton( 127.0.0.1, &addr.sin_addr); bind(sd, &addr, sizeof(addr)); listen(sd, 10); client= accept(sd, 0, 0); recv(client, cmd, cmdlen, 0); send(client, reply, replylen, 0); close(client);

Secure Sockets Building on top of TCP/IP. Using keys and ciphers. Offering certificates. Verifying message with a Message Digest. Extending the handshake.

OpenSSL Sits on Top of TCP/IP Simplifies interface with TCP/IP stack. Simplifies programming. Limits session recoverability. Keeps interface clean and direct.

Keys and Ciphers Ciphers are encryption algorithms. Keys are numbers within a special range. Private-key ciphers Use the same key to encrypt & decrypt data Have highest security Are very fast. Public-key ciphers Require two keys: encryption & decryption Are <25% as secure as private keys Are very slow.

Certificates Solves the Man in the Middle dilemma. Solve the problem of host identification with a trusted third party. Contain information about the server: Who owns the certificate Who issued the certificate Where the owner is located When the certificate will expire.

Message Digest Summarizes the message. Must be irreversible (real data cannot be recovered from digest value). Most message digests are hash functions. Combined with an encryption key yields the Message Authentication Code (MAC).

Different Handshakes TCP offers the Three-Way Handshake. Client extends request (SYN) Server accepts (ACK) and reciprocates (SYN) Client accepts and begins communications

Extending the Handshake Client sends cipher list & random number. Server indicates cipher, sends certificate, public key & random number. Client verifies certificate and sends an encrypted private key with public key. Server accepts private key and sends own private key.

OpenSSL Initialization Build algorithm tables. Load error messages. Select interface methods. Create new context. SSL_METHOD *method; SSL_CTX *ctx; OpenSSL_add_all_algorithms(); SSL_load_error_strings(); method= SSLv2_server_method(); ctx= SSL_CZTX_new(method);

Initialization (cont.) Load certificates file. Load private keys file. Verify private keys. SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM); SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM); if (!SSL_CTX_check_private_key(ctx) ) fprintf(stderr, Files don t match! );

Set Up Server Socket Use the same algorithm for setting up server!

Attach Client to SSL Create SSL instance. Attach client to instance. Establish SSL handshake. Commence transactions. SSL *ssl; ssl= SSL_new(ctx); SSL_set_fd(ssl, client); SSL_accept(ssl); SSL_read(ssl, cmd, cmdlen); SSL_write(ssl, reply, replylen);

OpenSSL Features Offers direct development path from sockets. Simplifies interfacing. Can create private certificates. Supports multi-threading. Interfaces directly with off-the-shelf browsers. Supports multiple platforms & OSs. Is GPL!

Q & A www.cs.utah.edu/~swalton