SSL - PowerPoint PPT Presentation

Slides: 22
Provided by: Meh71
Transcript and Presenter's Notes

Title: SSL


1
SSL
  • Idris Yildiz
  • Mehmet Bilgin

05.04.2006
2
Outline
  • Public-Key Cryptography
  • SSL
  • SSL Security
  • How to Make Your Application SSL Enabled
  • Limitations of SSL
  • Conclusion

3
Public-Key Cryptography
  • Conventional Cryptography
  • There is only one key both for encryption and
    decryption
  • The key must be known to both the sender and
    receiver and the key must be secret
  • The key should be changed frequently
  • Public-key Cryptography
  • A pair of keys
  • One is used for encryption (private key) and the
    other is used for decryption

4
Encryption
  • Sending a message using asymmetric keys
  • Bob sends public key to Alice
  • Alice encrypts message using Bob's public key
  • Alice sends encrypted message
  • Bob decrypts message using his own private key

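Message flow between Alice and Bob:
  1) Bob → Alice: $K_{pub}$
  2) Alice computes $Y = e_{K_{pub}}(X)$
  3) Alice → Bob: $Y$
  4) Bob computes $X = d_{K_{pr}}(Y)$
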
5
Digital Signature
  • Bob encrypts the message with his private key
  • Bob sends the encrypted message
  • Alice decrypts the message with Bob's public key
  • The message is readable by ANYONE with Bob's public
    key
  • The receiver can be confident that only someone with
    Bob's private key could have sent the message

Message flow between Bob and Alice:
  1) Bob computes $Y = e_{K_{pr}}(X)$
  2) Bob → Alice: $Y$
  3) Alice computes $X = d_{K_{pub}}(Y)$

6
Drawbacks of public-key encryption
  • It is slow
  • RSA is 1000 times slower than some conventional
    encryption algorithms
  • Man-in-the-middle attack

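Message flow between Alice, the attacker and Bob:
  1) Bob sends $K_{PubB}$; the attacker passes $K_{PubA}$ on to Alice in its place
  2) Alice computes $Y = e_{K_{PubA}}(X)$ and sends $Y$
  3) The attacker computes $X = d_{K_{PrA}}(Y)$ and $Z = e_{K_{PubB}}(X)$
  4) The attacker sends $Z$ to Bob
  5) Bob computes $X = d_{K_{PrB}}(Z)$
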
7
SSL
  • Based on public key encryption
  • 2 phases
  • Handshake
  • Data Transfer
  • Runs above TCP/IP and below higher-level
    protocols

8
SSL Handshake Protocol
  • The client sends a message to the server that
    contains a list of the algorithms it is willing
    to use
  • The server chooses an algorithm from the list
    and sends it back along with a certificate that
    contains the server's public key
  • The client verifies the server's certificate and
    extracts the server's public key. It then generates
    a random key, encrypts it with the server's
    public key, and sends this encrypted key to the
    server
  • The server takes the message and decrypts it with
    its private key
  • Finally, both the client and the server send a MAC
    message to each other to finish the handshake
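
The five steps above as a runnable sketch, showing what the final MAC exchange protects: if any handshake message is changed in transit, the two sides compute different MACs. This is an added example, not code from the presentation. The toy RSA key, the algorithm labels and the message encodings are assumptions made for illustration, and certificate checking is left out.

```python
import hashlib
import hmac
import secrets

# Toy server RSA key (ASSUMPTION: two Mersenne primes, insecure, demo only).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
CLIENT_OFFER = ["ALG-STRONG", "ALG-MEDIUM", "ALG-WEAK"]   # constructed labels
SERVER_PREFERENCE = ["ALG-STRONG", "ALG-MEDIUM", "ALG-WEAK"]


def finished_mac(key, transcript):
    """MAC over every handshake message, keyed with the exchanged secret."""
    return hmac.new(key, b"|".join(transcript), hashlib.sha256).digest()


def handshake(modify_in_transit=None):
    """Run the five steps; return (chosen algorithm, Finished MAC verified?)."""
    # 1) Client sends the list of algorithms it is willing to use.
    sent_hello = ",".join(CLIENT_OFFER).encode()
    seen_hello = modify_in_transit(sent_hello) if modify_in_transit else sent_hello
    # 2) Server picks from the list it received and returns its public key
    #    (a real server sends it inside a certificate the client verifies).
    offered = seen_hello.decode().split(",")
    chosen = next(a for a in SERVER_PREFERENCE if a in offered)
    server_hello = f"{chosen};{N};{E}".encode()
    # 3) Client generates a random key and encrypts it with the public key.
    client_key = secrets.token_bytes(16)
    encrypted = pow(int.from_bytes(client_key, "big"), E, N)
    # 4) Server decrypts it with its private key.
    server_key = pow(encrypted, D, N).to_bytes(16, "big")
    # 5) Each side MACs the messages as it saw them; the server compares.
    key_msg = str(encrypted).encode()
    client_mac = finished_mac(client_key, [sent_hello, server_hello, key_msg])
    expected = finished_mac(server_key, [seen_hello, server_hello, key_msg])
    return chosen, hmac.compare_digest(client_mac, expected)
```

An unmodified run returns `("ALG-STRONG", True)`; when the algorithm list is altered on the way to the server, the second value is `False` and the handshake is abandoned.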

9
Authentication of a Server Certificate
10
X.509 Certificate
  • The certificate contains
  • Your distinguished name
  • Your public key
  • The identity of the CA who issued the certificate
  • Its expiry date
  • Digital signature of the CA which issued it

11
SSL Security
  • No good attacks are known on SSL
  • There are some attacks explained in the papers
  • They have not been used against production servers
  • It is not known whether they are practical

12
Timing Cryptanalysis
  • Publicized by Paul Kocher in 1996
  • Based on the observation that cryptographic
    operations take varying amounts of time to
    complete depending on the keys that are being
    used
  • To overcome
  • add some random time to all operations
  • make all operations take constant time
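
Why the running time depends on the key, and what "constant time" means for modular exponentiation, shown by counting modular multiplications instead of measuring a clock. This is an added example, not code from the presentation. The modulus and the two 64-bit exponents are constructed values, and the Montgomery ladder is one common fixed-schedule algorithm chosen here for illustration.

```python
MOD = 2**127 - 1          # constructed modulus for the demo
SPARSE_KEY = 2**63 + 1    # constructed 64-bit exponent with two 1 bits
DENSE_KEY = 2**64 - 1     # constructed 64-bit exponent with sixty-four 1 bits


def square_and_multiply(base, exp, mod):
    """Binary exponentiation: the extra multiply happens only for 1 bits."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        mults += 1
        if bit == "1":                      # key-dependent amount of work
            result = result * base % mod
            mults += 1
    return result, mults


def montgomery_ladder(base, exp, mod):
    """Same result with exactly two multiplications for every key bit."""
    r0, r1, mults = 1, base % mod, 0       # invariant: r1 == r0 * base
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        else:
            r0, r1 = r0 * r0 % mod, r0 * r1 % mod
        mults += 2
    return r0, mults


def operation_counts(exponentiate):
    """Multiplication counts for the sparse and the dense key."""
    return [exponentiate(3, key, MOD)[1] for key in (SPARSE_KEY, DENSE_KEY)]
```

Production code goes further than this model: it replaces the remaining `if` with a branch-free conditional swap and usually adds blinding, because Python integers and branches are not themselves constant time.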

13
Million Message Attack
  • Publicized by Daniel Bleichenbacher in 1998
  • By sending a series of chosen ciphertexts to the
    server and observing the responses, an attacker can
    get the session key
  • To overcome
  • make a small modification to the SSL protocol
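
The server-side change that was later written into the TLS specifications: never tell the sender whether the decrypted RSA block was well formed, and continue with a random secret instead so the handshake fails only at the final MAC check. This is an added example, not code from the presentation. The function names, the sample blocks and the version bytes are constructed for illustration, and RSA decryption itself is assumed to have happened already.

```python
import secrets

PREMASTER_LEN = 48
VERSION = b"\x03\x01"     # constructed sample: version bytes the client announced
# Constructed sample blocks, as they would look after RSA decryption (256 bytes).
GOOD_BLOCK = b"\x00\x02" + b"\xff" * 205 + b"\x00" + VERSION + bytes(46)
BAD_BLOCK = b"\x00\x01" + b"\xff" * 205 + b"\x00" + VERSION + bytes(46)


def pkcs1_unpad(block):
    """Return the payload of a PKCS#1 v1.5 encryption block, or None if malformed."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        return None
    sep = block.find(b"\x00", 2)
    if sep < 10:          # covers -1 too: at least 8 non-zero padding bytes
        return None
    return block[sep + 1:]


def leaky_server(block, client_version):
    """Before: a distinct error for bad padding gives the sender a yes/no answer."""
    payload = pkcs1_unpad(block)
    if payload is None:
        raise ValueError("bad padding")
    if len(payload) != PREMASTER_LEN or payload[:2] != client_version:
        raise ValueError("bad premaster secret")
    return payload


def hardened_server(block, client_version):
    """After: always return 48 bytes and never report which check failed."""
    fallback = secrets.token_bytes(PREMASTER_LEN)   # drawn before any check
    payload = pkcs1_unpad(block)
    if (payload is None or len(payload) != PREMASTER_LEN
            or payload[:2] != client_version):
        return fallback
    return payload
```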

14
How to Make Your Web Application SSL (HTTPS) Enabled?
  • The Advantages of SSL for applications
  • Generating Certificates with Java
  • Configuring SSL in Tomcat
  • Configuring SSL in OC4J (Oracle Containers for
    Java)

15
The Advantages of SSL for applications
  • SSL with a certificate will provide the
    following to your application
  • The website (also customer) really is who it
    claims to be
  • Credit card numbers are encrypted and cannot be
    intercepted
  • Data sent and received cannot be tampered with or
    forged

16
Generating Certificates with Java
  • A keystore (java.security.KeyStore) stores
    certificates
  • An instance of java.security.KeyStore class
  • Stores certificates of all trusted parties
  • Authenticate parties by certificates in keystore
  • Create and manipulate a keystore using the
    keytool utility that is provided with the Sun
    Microsystems JDK
  • keytool is in jdk_home/bin directory like javac
  • keytool -genkey -keyalg "RSA" -keystore
    mykeys.store -storepass mypass -validity 365
  • RSA is the key generation algorithm
  • mykeys.store file is your certificate store
  • mypass is your secret key

17
Entering Certificate Info
  • Keytool will request certificate information
    after the creation command

18
Configuring SSL in Tomcat
  • Providing SSL support is the job of the server; it is
    not related to the application itself.
  • Application servers handle the HTTPS requests
    made to the applications
  • A certificate is needed (assume we have created
    one, in mykeys.store)
  • Copy the mykeys.store file to
    CATALINA_HOME/conf
  • Define an SSL Connector on a port (the default port
    443 requires superuser privileges)
  • Add the following to CATALINA_HOME/conf/server.xml
  • <Connector port="8443" scheme="https"
    secure="true" clientAuth="false"
    sslProtocol="TLS" keystoreFile="/conf/mykeys.store"
    keypass="mypass"/>

19
Configuring SSL in OC4J (Oracle Containers for Java)
  • The information will be valid for Standalone OC4J
    rather than Oracle Application Server
  • We will use the same keystore as for Tomcat; it
    should be copied to the appropriate place
  • Create secure-web-site.xml
  • Copy http-web-site.xml and rename it to
    secure-web-site.xml
  • Set the protocol to https by setting the secure element
    to true, and specify the https port (4443)
  • State the keystore that will be used
  • <ssl-config keystore="mykeys.store"
    keystore-password="mypass"/>
  • Change server.xml and add the following to see
    your https settings: <web-site
    path="./secure-web-site.xml" />

20
Limitations of SSL
  • Although SSL is widely used, it has some limitations
  • SSL is designed to provide point-to-point
    security
  • In case multiple intermediary nodes exist
    between the two endpoints, point-to-point
    security fails and end-to-end security is
    required
  • Web service scenario: SOAP messages are routed through
    multiple intermediary nodes; those intermediary
    nodes will not be able to participate in
    operations
  • SSL encryption is at the transport level rather
    than at the application level.
  • Messages are encrypted only during transmission
    over the network
  • Other security mechanisms are required to handle
    security of the messages in an application or
    on disk
  • XML-based security schemas are being developed to
    eliminate the limitations of SSL

21
Questions?
  • THANKS A LOT !