1 / 21

SSL - PowerPoint PPT Presentation

  • Uploaded on

SSL. İdris Yıldız Mehmet Bilgin. 05.04.2006. Outline. Public-Key Cryptography SSL SSL Security How to Make Your Application SSL Enabled Limitations of SSL Conclusion. Public-Key Cryptography. Conventional Cryptography There is only one key both for encryption and decryption

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' SSL' - trinh

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript


İdris Yıldız

Mehmet Bilgin



  • Public-Key Cryptography

  • SSL

  • SSL Security

  • How to Make Your Application SSL Enabled

  • Limitations of SSL

  • Conclusion

Public key cryptography
Public-Key Cryptography

  • Conventional Cryptography

    • There is only one key both for encryption and decryption

    • The key must be known to both the sender and receiver and the key must be secret

    • The key should be changed frequently

  • Public-key Cryptography

    • A pair of keys

    • One is used for encryption (private key) and the other is used for decryption


Sending a message using asymmetric keys

  • Bob sends public key to Alice

  • Alice encrypts message using Bob’s public key

  • Alice sends encrypted message

  • Bob decrypts message using his own private key






Y = eKpub(X)




X = dKpr(Y)

Digital signature
Digital Signature

  • Bob encrypts the message with his private key

  • Send encrypted message

  • Alice decrypts message with Bob’s public key

    Message is readable by ANYONE with Bob’s public key

    Receiver can be confident that only someone with Bob’s private

    key could have sent the message




Y = eKpr(X)




X = dKpub(Y)

Drawbacks of public key encryption
Drawbacks of public-key encryption

  • It is slow

    • RSA is 1000 times slower than some conventional encryption algorithms

  • Man-in-the-middle attack








Y = eKPubA(X)



X = dKPrA(Y)

Z = eKPubB(X)




X = dKPrB(Z)


  • Based on public key encryption

  • 2 phases

    • Handshake

    • Data Transfer

  • Runs above TCP/IP and below higher-level protocols

Ssl handshake protocol
SSL Handshake Protocol

  • The client sends a message to the server that contains a list of the algorithms it is willing to use

  • The server chooses a algorithm out of the list and sends it back along with a certificate that containing the server’s public key

  • The client verifies the server’s certificate and extracts the server’s public key. Then generates a random key and encrypts it with the server’s public key. It sends this encrypted key to the user

  • The server takes the message and decrypts it with his private key

  • At last both the client and the server send a MAC message to each other to finish this handshake part

Authenticat ion of a s erver c ertificate
Authentication of a Server Certificate

X 509 certificate
X.509 Certificate

  • The certificate contains:

    • Your distinguished name

    • Your public key

    • The identity of the CA who issued the certificate

    • Its expiry date

    • Digital signature of the CA which issued it

Ssl security
SSL Security

  • No good attacks are known on SSL

  • There are some attacks explained in the papers

    • Not have been used against production servers

    • It is not known that they are practical

Timing cryptanalysis
Timing Cryptanalysis

  • Publicized by Paul Kocher in 1996

  • Based on the observation that cryptographic operations take varying amount of time to complete depending on the keys that are being used

  • To overcome

    • add some random time to all operations

    • make all operations take constant time

Million message attack
Million Message Attack

  • Publicized by Daniel Bleichenbacherin 1998

  • By sending a series of chosen ciphertexts to the server and observing the responsesan attacker to get the session key

  • To overcome

    • make some small modification on the SSL protocol

How to make your web application ssl https enabled
How to Make Your Web Application SSL(Https) Enabled ?

  • The Advantages of SSL for applications

  • Generating Certificates with Java

  • Configuring SSL in Tomcat

  • Configuring SSL in OC4J (Oracle Containers for Java)

The advantages of ssl for applications
The Advantages of SSL for applications

  • SSL with a certificate will provide the followings to your application:

    • The website (also customer) really is who it claims to be

    • Credit card numbers, are encrypted and cannot be intercepted

    • Data sent and received cannot betampered or forged

Generating certificates with java
Generating Certificates with Java

  • A keystore( stores certificates

    • An instance of class

    • Stores certificates of all trusted parties

    • Authenticate parties by certificates in keystore

  • Create and manipulate a keystore using the keytool utility that is provided with the Sun Microsystems JDK

    • keytool is in jdk_home/bin directory like javac

    • keytool -genkey -keyalg "RSA" -keystore “”-storepass “mypass” -validity 365

    • “RSA” is the key generation algorithm

    • “” file is your certificate store

    • “mypass” is your secret key

Entering certificate info
Entering Certificate Info

  • Keytool will request certificate information after the creation command:

Configuring ssl in tomcat
Configuring SSL in Tomcat

  • Providing SSL support is the job of Servers it is not related to the the application itself.

  • Application servers handles the https requests done to the applications

  • A cerftificate is needed (Assume we have created one, in

    • Copy the “” file toCATALINA_HOME/conf

  • Define a SSLConnector on a port (Default port 443 requires to be super user)

    • Add the following to CATALINA_HOME/conf/server.xml

    • <Connector port="8443"       scheme="https" secure="true"      clientAuth="false" sslProtocol="TLS"       keystoreFile="/conf/"keypass=“mypass"/>

Configuring ssl in oc4j oracle containers for java
Configuring SSL in OC4J (Oracle Containers for Java)

  • The information will be valid for Standalone OC4J rather than Oracle Application Server

  • We will use the same key store for Tomcat and it should be copied to appropriate place

  • Create secure-web-site.xml

    • Copy http-web-site.xml and rename to secure-web-site.xml

    • Set protocol to https by setting secure element to true also specify the https port (4443)

    • State the keystore that will be used :

      <ssl-config keystore="" keystore-password=“mypass"/>

    • Change server.xml and add the following to see your https settings : <web-site path="./secure-web-site.xml" />

Limitations of ssl
Limitations of SSL

  • Although SSL is widely it has some limitations

  • SSL is designed to provide point-to-point security

  • Incase of multiple intermediary nodes exist between the two endpoints, point-to-point security fails and end-to-end security is required

    • Web Service Scenario: SOAP messages route through multiple intermediary nodes, those intermediary nodes will not be able to participate to operations

  • SSL encryption is at the transport level rather than at the application.

    • Messages are encrypted only during transmission over network

    • Other security mechanisms are required to handle security of the messages in an application or disk

  • XML-based security schemas are being developed to eleminate the limitations of SSL