SSL
This presentation is the property of its rightful owner.
Sponsored Links
1 / 21

SSL PowerPoint PPT Presentation


  • 114 Views
  • Uploaded on
  • Presentation posted in: General

SSL. İdris Yıldız Mehmet Bilgin. 05.04.2006. Outline. Public-Key Cryptography SSL SSL Security How to Make Your Application SSL Enabled Limitations of SSL Conclusion. Public-Key Cryptography. Conventional Cryptography There is only one key both for encryption and decryption

Download Presentation

SSL

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Ssl

SSL

İdris Yıldız

Mehmet Bilgin

05.04.2006


Outline

Outline

  • Public-Key Cryptography

  • SSL

  • SSL Security

  • How to Make Your Application SSL Enabled

  • Limitations of SSL

  • Conclusion


Public key cryptography

Public-Key Cryptography

  • Conventional Cryptography

    • There is only one key both for encryption and decryption

    • The key must be known to both the sender and receiver and the key must be secret

    • The key should be changed frequently

  • Public-key Cryptography

    • A pair of keys

    • One is used for encryption (private key) and the other is used for decryption


Encryption

Encryption

Sending a message using asymmetric keys

  • Bob sends public key to Alice

  • Alice encrypts message using Bob’s public key

  • Alice sends encrypted message

  • Bob decrypts message using his own private key

Alice

Bob

Kpub

1)

2)

Y = eKpub(X)

Y

3)

4)

X = dKpr(Y)


Digital signature

Digital Signature

  • Bob encrypts the message with his private key

  • Send encrypted message

  • Alice decrypts message with Bob’s public key

    Message is readable by ANYONE with Bob’s public key

    Receiver can be confident that only someone with Bob’s private

    key could have sent the message

Alice

Bob

1)

Y = eKpr(X)

Y

2)

3)

X = dKpub(Y)


Drawbacks of public key encryption

Drawbacks of public-key encryption

  • It is slow

    • RSA is 1000 times slower than some conventional encryption algorithms

  • Man-in-the-middle attack

Alice

Attacker

Bob

KPubA

KPubB

1)

2)

Y = eKPubA(X)

Y

3)

X = dKPrA(Y)

Z = eKPubB(X)

4)

Z

5)

X = dKPrB(Z)


Ssl

SSL

  • Based on public key encryption

  • 2 phases

    • Handshake

    • Data Transfer

  • Runs above TCP/IP and below higher-level protocols


Ssl handshake protocol

SSL Handshake Protocol

  • The client sends a message to the server that contains a list of the algorithms it is willing to use

  • The server chooses a algorithm out of the list and sends it back along with a certificate that containing the server’s public key

  • The client verifies the server’s certificate and extracts the server’s public key. Then generates a random key and encrypts it with the server’s public key. It sends this encrypted key to the user

  • The server takes the message and decrypts it with his private key

  • At last both the client and the server send a MAC message to each other to finish this handshake part


Authenticat ion of a s erver c ertificate

Authentication of a Server Certificate


X 509 certificate

X.509 Certificate

  • The certificate contains:

    • Your distinguished name

    • Your public key

    • The identity of the CA who issued the certificate

    • Its expiry date

    • Digital signature of the CA which issued it


Ssl security

SSL Security

  • No good attacks are known on SSL

  • There are some attacks explained in the papers

    • Not have been used against production servers

    • It is not known that they are practical


Timing cryptanalysis

Timing Cryptanalysis

  • Publicized by Paul Kocher in 1996

  • Based on the observation that cryptographic operations take varying amount of time to complete depending on the keys that are being used

  • To overcome

    • add some random time to all operations

    • make all operations take constant time


Million message attack

Million Message Attack

  • Publicized by Daniel Bleichenbacherin 1998

  • By sending a series of chosen ciphertexts to the server and observing the responsesan attacker to get the session key

  • To overcome

    • make some small modification on the SSL protocol


How to make your web application ssl https enabled

How to Make Your Web Application SSL(Https) Enabled ?

  • The Advantages of SSL for applications

  • Generating Certificates with Java

  • Configuring SSL in Tomcat

  • Configuring SSL in OC4J (Oracle Containers for Java)


The advantages of ssl for applications

The Advantages of SSL for applications

  • SSL with a certificate will provide the followings to your application:

    • The website (also customer) really is who it claims to be

    • Credit card numbers, are encrypted and cannot be intercepted

    • Data sent and received cannot betampered or forged


Generating certificates with java

Generating Certificates with Java

  • A keystore(java.security.KeyStore) stores certificates

    • An instance of java.security.KeyStore class

    • Stores certificates of all trusted parties

    • Authenticate parties by certificates in keystore

  • Create and manipulate a keystore using the keytool utility that is provided with the Sun Microsystems JDK

    • keytool is in jdk_home/bin directory like javac

    • keytool -genkey -keyalg "RSA" -keystore “mykeys.store”-storepass “mypass” -validity 365

    • “RSA” is the key generation algorithm

    • “mykeys.store” file is your certificate store

    • “mypass” is your secret key


Entering certificate info

Entering Certificate Info

  • Keytool will request certificate information after the creation command:


Configuring ssl in tomcat

Configuring SSL in Tomcat

  • Providing SSL support is the job of Servers it is not related to the the application itself.

  • Application servers handles the https requests done to the applications

  • A cerftificate is needed (Assume we have created one, in mykeys.store)

    • Copy the “mykeys.store” file toCATALINA_HOME/conf

  • Define a SSLConnector on a port (Default port 443 requires to be super user)

    • Add the following to CATALINA_HOME/conf/server.xml

    • <Connector port="8443"       scheme="https" secure="true"      clientAuth="false" sslProtocol="TLS"       keystoreFile="/conf/ mykeys.store"keypass=“mypass"/>


Configuring ssl in oc4j oracle containers for java

Configuring SSL in OC4J (Oracle Containers for Java)

  • The information will be valid for Standalone OC4J rather than Oracle Application Server

  • We will use the same key store for Tomcat and it should be copied to appropriate place

  • Create secure-web-site.xml

    • Copy http-web-site.xml and rename to secure-web-site.xml

    • Set protocol to https by setting secure element to true also specify the https port (4443)

    • State the keystore that will be used :

      <ssl-config keystore="mykeys.store" keystore-password=“mypass"/>

    • Change server.xml and add the following to see your https settings : <web-site path="./secure-web-site.xml" />


Limitations of ssl

Limitations of SSL

  • Although SSL is widely it has some limitations

  • SSL is designed to provide point-to-point security

  • Incase of multiple intermediary nodes exist between the two endpoints, point-to-point security fails and end-to-end security is required

    • Web Service Scenario: SOAP messages route through multiple intermediary nodes, those intermediary nodes will not be able to participate to operations

  • SSL encryption is at the transport level rather than at the application.

    • Messages are encrypted only during transmission over network

    • Other security mechanisms are required to handle security of the messages in an application or disk

  • XML-based security schemas are being developed to eleminate the limitations of SSL


Questions

Questions?

  • THANKS A LOT !


  • Login