1 / 26

CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming. SSL and HTTPS for Secure Communication. Web Security Concerns. Major concerns: Encryption of sensitive data sent between client and server Authentication of server How does client know who they are dealing with? Information integrity

lotte
Download Presentation

CSCI 6962: Server-side Design and Programming

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSCI 6962: Server-side Design and Programming SSL and HTTPS for Secure Communication

  2. Web Security Concerns Major concerns: • Encryption of sensitive data sent between client and server • Authentication of server • How does client know who they are dealing with? • Information integrity • How do we know third party has not altered data en route? Bob’s web site Alice thinks she is at Bob’s site, but Darth is spoofing it Bob’s web site Address information Change so item shipped to Darth

  3. Encryption • Symmetric key encryption: DES, AES, etc. • Fast • Requires both parties to know same secret key • Public key encryption: RSA, Elliptic Curve, etc. • Sender uses public key of recipient to encrypt data • Recipient uses their private key to decrypt • Impossible to recreate private key from public key • Can be used to uniquely sign a document • Encrypt with private key, decrypt with public key • Slow (impractical to encrypt/decrypt large blocks of data)

  4. Encryption • Use public key encryption to securely send symmetric key • Use a much faster symmetric key algorithm (like AES) to securely transmit the rest of the message E(KS, KPU) Ks Ks E D D E P P E(P, KS)

  5. Hashing Information Integrity • Hashing function H(M, key) creates “fingerprint” of message M • Hashing applied to message by sender and recipient • If no match, message has been tampered with • Darth cannot create own fingerprint of altered message without key H(M, key) H compare M M + H(M, key) M H H(M, key) H(M, key)

  6. Certificates • Public key certificates created by certification authority • Trusted third party (Verisign, Geotrust, Equifax, etc.) • Known public key • Certificate contains user’s info, signed with (one of) CA’s private key • No one else can create the certificate without the private key X.509 Protocol

  7. Certificates • Browser can validate certificate using CA’s public key • Use indicated hash algorithm to create digest from all fields in certificate • Use CA’s public key to decrypt signature and get enclosed digest • If the two match, certificate is valid and has not been tampered with

  8. Certificates • Web sites that deal in ecommerce must have certificates for authentication • Installed at server in keystore • Transmitted to client for authentication • Validated using CA’s public key Server machine CA Client machine Request for secure session Web Container (JSP, ASP) Browser CA public key Keystore Certificatesigned by CA

  9. Certificates • Public keys stored in browser • Can request from other CAs via public key infrastructure as needed

  10. Secure Socket Layer Protocol • Secure Socket Layer protocol for web communication • Latest upgrade: Transport Layer Security (TLS) • Same structure as SSL, somewhat more secure

  11. SSL Protocol: Phase 1 • Client passes preferred algorithms to server via https request • Public key encryption algorithms • Private key encryption algorithms • Hash algorithms • Compression algorithms • Also random number for key generation • Server replies with algorithms that will be used • Also passes own random number

  12. SSL Protocol: Phase 2 Phase 2: Server Identification and Key Exchange • Server passes their certificates to client • Client uses issuer public key to verify identity • Client retrieves server public key from certificate • Server may pass chain of certificates for authentication • Certificates that validate other certificates

  13. SSL Protocol: Phase 3 Phase 3: Client Identification and Key Exchange • Client sends certificate or public key if requested by server

  14. SSL Key Generation • Client generates “pre-master key” • Sends to client encrypted with server public key • Client and server use to generate master key used to create cipher keys • Also use client, server random numbers exchanged in phase 1 • SHA-1 and MD5 hashing used to create “pseudorandom” mappings

  15. Phase 4: Final Handshake Client and server verify protocols and keys • Sender signs/encrypts “finished” message • Receiver decrypts/verifies message to confirm keys

  16. SSL Data Transmission • Message broken into blocks • Block compressed • Compressed block hashed with authentication key to get MAC (message integrity) • Compressed block + MAC encrypted with cipher key • Encrypted block + record protocol header with version/length information sent

  17. Https Protocol • When started, requests secure sessionfrom server • Invokes SSL/TLS protocol • Uses separate port in most servers (8181 in Glassfish) • Must use absolute URLto invoke

  18. Https Protocol • By default future requests will use https: protocol • Https protocol is expensive • Once done with secure transactions, should go back to using non-securechannel

  19. Absolute Redirection in JSF • Must use code in bean to redirect to absolute address • Call from action attribute • Use redirect from external context of current instance

  20. Obtaining Certificates • Must obtain from known public key authority • Not free! (best are thousands of dollars) • Expense depends on strength • 56 bits: inexpensive, but crackable • 128 bits: expensive but more secure • 256 bits: maximum security • Can create “temporary” (self-signed) key for testing • Keytool utility in Java • IIS Management Console for ASP (page 615)

  21. Self-signed Certificates in Tomcat Will automatically generate keys using RSA Password must be “changeit” for Tomcat

  22. Obtaining Certificate In Glassfish • Create a certificate signing request (CSR) for key you have createdkeytool-certreq-alias <your key> -keyalg RSA -keystore<your_keystore_filename> • Will get certreq.csr file • Submit to CA (see CA web site for details) • Get signed certificate in return

  23. Obtaining Certificate in Tomcat • Download and install certificatefrom CA • Replaces your original self-signed one keytool -import -alias <your key>-keystore<your keystore filename> -trustcacerts -file <file from CA>

  24. Self-signed Certificates in IIS • Run IIS Management Console • Included in Windows 7 • May need to enable from Programs and Features • Open server certificates

  25. Self-signed Certificates in IIS • Choose “Create Self-signed Certificate” • Enter a name

  26. Obtaining Certificates in IIS • Can request and install from IIS Management Console

More Related