SSL (Secure Socket Layer)

SSL (Secure Socket Layer) SSE USTC Qing Ding

Agenda
- What is SSL?
- What is a Certificate?
- Browser and Certificates
- SSL support in Tomcat
- Steps of Installation/Configuration of SSL HTTPS Connector over Tomcat

What is SSL?

SSL (Secure Socket Layer)

Secure Socket Layer (SSL)
- By far the dominant security technology on the web
- Transport layer security
- HTTPS is HTTP over SSL
- Responsible for the emergence of e-commerce and other security-sensitive services on the web
- Beneficiary of several years of public scrutiny

SSL runs over TCP

Why SSL?
SSL provides:
- Confidentiality (privacy)
- Data integrity (tamper-proofing)
- Server authentication (proving a server is what it claims to be)
  - Used in typical B2C transactions
- Optional client authentication
  - Would be required in B2B (or a Web services environment in which program talks to program)

SSL and Security Keys
- Uses a public/private key (asymmetric) scheme to create a secret key (symmetric)
- The secret key is then used for encryption of data
- SSL operation is optimized for performance: encrypting with a symmetric key is a lot faster than encrypting with asymmetric keys

SSL Key Exchange (Simplified)

SSL Key Exchange Steps
1. The SSL client connects to an SSL server
2. The server sends its own certificate, which contains its public key
3. The client creates a random key (the premaster key) and encrypts it with the server's public key
4. The client sends the encrypted premaster key to the server
5. The server decrypts it (only the server that has the matching private key can decrypt it) and uses the decrypted premaster key to create the secret session key
6. Both client and server now use the secret session key for further communication
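Steps 2 to 6 above, carried through with JDK classes only. This is an added example, not code from the original slides; the class name, the HMAC-based key derivation (a stand-in for the real SSL/TLS PRF) and the sample message are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

public class KeyExchangeSketch {
    // Stand-in derivation (assumption): HMAC-SHA256 keyed with the premaster secret over
    // both hello randoms. Real SSL/TLS runs its own PRF over the same inputs.
    static byte[] sessionKey(byte[] premaster, byte[] cRand, byte[] sRand) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(premaster, "HmacSHA256"));
        mac.update(cRand); mac.update(sRand);
        return Arrays.copyOf(mac.doFinal(), 16); // 128-bit AES key
    }

    static byte[] aesGcm(int mode, byte[] key, byte[] iv, byte[] data) throws GeneralSecurityException {
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return aes.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] cRand = new byte[32], sRand = new byte[32], premaster = new byte[48], iv = new byte[12];
        rng.nextBytes(cRand); rng.nextBytes(sRand); rng.nextBytes(premaster); rng.nextBytes(iv);
        // Step 2: the server's key pair; the public half is what its certificate carries.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();

        // Steps 3-4: the client encrypts the random premaster key under the server's public key.
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, server.getPublic());
        byte[] onTheWire = rsa.doFinal(premaster);

        // Step 5: only the holder of the matching private key recovers it.
        rsa.init(Cipher.DECRYPT_MODE, server.getPrivate());
        byte[] recovered = rsa.doFinal(onTheWire);
        // Step 6: each side derives the same session key and uses it for bulk encryption.
        byte[] clientKey = sessionKey(premaster, cRand, sRand);
        byte[] serverKey = sessionKey(recovered, cRand, sRand);
        System.out.println("session keys match: " + MessageDigest.isEqual(clientKey, serverKey));
        byte[] ct = aesGcm(Cipher.ENCRYPT_MODE, clientKey, iv, "constructed request".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(aesGcm(Cipher.DECRYPT_MODE, serverKey, iv, ct), StandardCharsets.UTF_8));
    }
}
```

Because the premaster key travels under the server's long-term RSA key, anyone who later obtains that private key can decrypt recorded sessions. TLS 1.3 removed RSA key transport for that reason.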

Negotiable Encryption Algorithms
- Not all clients and servers use the same encryption and authentication algorithms
- SSL client and server negotiate encryption and decryption algorithms (cipher suites) during their initial handshake
- The connection will fail if they do not have common algorithms

SSL Handshake Protocol

SSL and Encryption
- You need only the server's certificate in order to have encrypted data transfer
- This is the reason why you don't need to install a client certificate on your browser in order to send your credit card number securely (with privacy and data integrity)

SSL and Authentication
- Server authentication
  - The server needs to provide its own certificate to a client in order to authenticate itself to the client
  - A Web server typically has a CA-signed certificate and provides it to its clients
- Client authentication
  - The client needs to provide its own certificate to a server in order to authenticate itself to the server
- Mutual authentication

SSL and Authentication
- In a typical "browser talking to web server" communication, only server authentication is needed
  - When you send your credit card to a server, you want to make sure the server is who it claims it is
- In the future B2B environment, client certification would also be required
  - The server wants to make sure it is talking to a client whose identity is verified

SSL and Web-tier Security
- Encrypted password moves from the browser to the web server
- Encrypted data moves between the browser and the web server
- Server authentication
  - Done before encrypted data transfer occurs
- Client authentication
  - Not used in most cases

Certificates & Keytool Utility

What is a Certificate?
- A certificate is like a digital driver's license
- A certificate is cryptographically signed and is practically impossible for anyone else to forge
- A certificate can be purchased from (signed by) a well-known CA (Certificate Authority) like Verisign (for a fee)
- A certificate can be self-signed when authentication over the internet is not really a concern, that is, when only data privacy and integrity are important

What is a Server Certificate?
- A certificate that contains information about the server
  - Server's public key
  - Other misc. information
- A Web server must have an associated certificate for each external interface, or IP address, that accepts secure connections
- The HTTPS service of Tomcat will not run unless a server certificate has been installed

Why is a Server Certificate Needed?
- Enables server authentication
  - Verifies the server's identity to the client
- The client needs access to the server certificate
  - The server sends the server certificate as part of the SSL key handshake
- The HTTPS service of Tomcat would not work unless a server certificate is installed

keytool Utility of JDK
- A key and certificate management utility
- Enables users to create and administer their own public/private key pairs and associated certificates
- Ships with the JDK (uses the RSA-based JCE provider as default)
- Allows users to cache the public keys (in the form of certificates) of their communicating peers
- Stores the keys and certificates in a so-called keystore

Browser & Certificates

Netscape: Certificates of CA's

Netscape: Certificates of Websites

Netscape: Certificates of Other People

Netscape: Certificates of Yourself

JSSE

What is JSSE?
- Java API for Secure Sockets Layer (SSL)
- Now a standard part of J2SE 1.4
- SSL 3.0 and TLS 1.0
- Supports
  - Encryption
  - Server authentication
  - Optional client authentication
  - Data integrity

Why JSSE?
- 100% pure Java implementation
- Abstracts the complex underlying cryptographic algorithms and thus minimizes the risk of creating subtle and dangerous security vulnerabilities
- Uses algorithms and keys transparently
- Simple to use for creating secure applications

JSSE Framework
- Supplements the java.security and java.net packages
- Provides the javax.net and javax.net.ssl packages
- Provides extended networking socket classes, trust and key managers, and a socket factory framework for encapsulating socket creation behavior

SunJSSE Provider
- JSSE provider that comes with JDK 1.4.1
- Installed and pre-registered with the Java Cryptography Architecture
- Supplies implementations of SSL v3.0 and TLS v1.0 as well as the most common SSL and TLS cipher suites
  - getSupportedCipherSuites
  - getEnabledCipherSuites
  - setEnabledCipherSuites
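The three cipher-suite methods listed above, together with the negotiation rule from the "Negotiable Encryption Algorithms" slide, in one added example that is not code from the original slides. It uses an SSLEngine (SSLSocket and SSLServerSocket expose the same three methods); the class name, the weak-suite marker list and the constructed legacy offer are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class CipherSuitePolicy {
    // Name fragments marking suites with no encryption, no server authentication,
    // export-grade keys, or obsolete ciphers and hashes (the list is this example's policy choice).
    static final String[] WEAK = {"_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5"};

    static boolean isWeak(String suite) {
        for (String marker : WEAK) {
            if (suite.contains(marker)) return true;
        }
        return false;
    }

    static String[] withoutWeak(String[] suites) {
        List<String> keep = new ArrayList<>();
        for (String s : suites) {
            if (!isWeak(s)) keep.add(s);
        }
        return keep.toArray(new String[0]);
    }

    // Suites both sides have enabled; an empty result means the handshake cannot complete.
    static List<String> common(String[] offered, String[] enabled) {
        List<String> shared = new ArrayList<>(Arrays.asList(offered));
        shared.retainAll(Arrays.asList(enabled));
        return shared;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        System.out.println("supported: " + engine.getSupportedCipherSuites().length
                + ", enabled by default: " + engine.getEnabledCipherSuites().length);
        for (String s : engine.getSupportedCipherSuites()) {
            if (isWeak(s)) System.out.println("supported but weak, keep disabled: " + s);
        }
        // Only suites from the supported list may be enabled; anything else throws IllegalArgumentException.
        engine.setEnabledCipherSuites(withoutWeak(engine.getEnabledCipherSuites()));

        // Constructed offer from a legacy peer that speaks only RC4/MD5.
        String[] legacyOffer = {"SSL_RSA_WITH_RC4_128_MD5"};
        List<String> shared = common(legacyOffer, engine.getEnabledCipherSuites());
        System.out.println(shared.isEmpty() ? "no common suite: handshake fails" : "would negotiate from " + shared);
    }
}
```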

JSSE Programming: Server Side

JSSE Programming: Client Side

SSL Support in Tomcat

SSL on Tomcat
- You need the following modules
  - JSSE (Java Secure Socket Extension)
  - Server certificate keystore
  - An HTTPS connector
- You have to install and configure an SSL HTTPS connector over Tomcat

JSSE
- Included in Java WSDP
  - <JWSDP-Install>/common/jsse.jar
- Provides Java packages that support SSL/TLS (jsse.jar)
- SSL supports encryption, server authentication and message integrity over TCP/IP
- Data over any application-level protocol (HTTP, FTP, Telnet, ...) can be securely protected
- Based on a certificate-based (public and private key) security scheme

Steps of Installing and Configuring SSL over Tomcat

1. Generate a key pair and a self-signed Server certificate

    keytool -genkey -keyalg RSA -alias tomcat -keystore <keystore_filename>

- Enter the password, the fully-qualified name of your server, organizational unit, organization, etc.
- By default, Tomcat looks for a keystore named .keystore in the home directory on the machine on which Tomcat is running

1.1 Example: keytool usage

    C:\>keytool -genkey -keyalg RSA -alias tomcat -keystore \tmp\keyfile.keystore
    Enter keystore password: changeit
    What is your first and last name?
      [Unknown]: localhost
    What is the name of your organizational unit?
      [Unknown]: sun
    What is the name of your organization?
      [Unknown]: mde
    What is the name of your City or Locality?
      [Unknown]: burlington
    What is the name of your State or Province?
      [Unknown]: ma
    What is the two-letter country code for this unit?
      [Unknown]: us
    Is CN=localhost, OU=sun, O=mde, L=burlington, ST=ma, C=us correct?
      [no]: yes
    Enter key password for <tomcat>
      (RETURN if same as keystore password):

2. Configure SSL Connector & Restart Tomcat
- By default, SSL HTTPS is not enabled in Tomcat
- You enable and configure an SSL HTTPS Connector on port 8443 by one of two methods
  - Via Admintool
  - Modify <JWSDP_HOME>/conf/server.xml (actually, uncomment the SSL connector element) as described in <JWSDP_HOME>/docs/tutorial/doc/WebAppSecurity6.html#68482
- Restart Tomcat

2.1 Admintool

2.2 SSL Connector Element in server.xml

3. Verify SSL Support
- From the browser, go to https://localhost:8443/
- Port 8443 is where the SSL connector is created

3.1 Example: Verify SSL Support

3.2 Example: Verify SSL Support

3.3 Example: Verify SSL Support

3.4 Example: Verify SSL Support

3.5 Example: Verify SSL Support