Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCI 6962: Server-side Design and Programming

Published byEverett West Modified over 9 years ago

Similar presentations

Presentation on theme: "CSCI 6962: Server-side Design and Programming"— Presentation transcript:

1 CSCI 6962: Server-side Design and Programming
SSL and HTTPS for Secure Communication 1

2 Outline Encryption concepts Certificates and certificate authorities
The SSL protocol The https protocol Creating self-signed certificates Obtaining certificates from a certificate authority

3 Web Security Concerns Major concerns:
Encryption of sensitive data sent between client and server Authentication of server How does client know who they are dealing with? Information integrity How do we know third party has not altered data en route? Bob’s web site Alice thinks she is at Bob’s site, but Darth is spoofing it Bob’s web site Address information Change so item shipped to Darth

4 Encryption Symmetric key encryption: DES, AES, etc.
Fast Requires both parties to know same secret key Public key encryption: RSA, Elliptic Curve, etc. Sender uses public key of recipient to encrypt data Recipient uses their private key to decrypt Impossible to recreate private key from public key Can be used to uniquely sign a document Encrypt with private key, decrypt with public key Slow (impractical to encrypt/decrypt large blocks of data)

5 Encryption Use public key encryption to securely send symmetric key Use a much faster symmetric key algorithm (like AES) to securely transmit the rest of the message E(KS, KPU) Ks Ks E D D E P P E(P, KS)

6 Hashing Information Integrity H H
Hashing function H(M, key) creates “fingerprint” of message M Hashing applied to message by sender and recipient If no match, message has been tampered with Darth cannot create own fingerprint of altered message without key H(M, key) H compare M M + H(M, key) M H H(M, key) H(M, key)

7 Certificates Public key certificates created by certification authority Trusted third party (Verisign, Geotrust, Equifax, etc.) Known public key Certificate contains user’s info, signed with (one of) CA’s private key No one else can create the certificate without the private key X.509 Protocol

8 Certificates Browser can validate certificate using CA’s public key
Use indicated hash algorithm to create digest from all fields in certificate Use CA’s public key to decrypt signature and get enclosed digest If the two match, certificate is valid and has not been tampered with

9 Certificate signed by CA
Web sites that deal in ecommerce must have certificates for authentication Installed at server in keystore Transmitted to client for authentication Validated using CA’s public key Server machine CA Client machine Request for secure session Web Container (JSP, ASP) Browser CA public key Keystore Certificate signed by CA

10 Certificates Public keys stored in browser
Can request from other CAs via public key infrastructure as needed

11 Secure Socket Layer Protocol
Secure Socket Layer protocol for web communication Latest upgrade: Transport Layer Security (TLS) Same structure as SSL, somewhat more secure

12 SSL Protocol: Phase 1 Client passes preferred algorithms to server via https request Public key encryption algorithms Private key encryption algorithms Hash algorithms Compression algorithms Also random number for key generation Server replies with algorithms that will be used Also passes own random number

13 SSL Protocol: Phase 2 Phase 2: Server Identification and Key Exchange
Server passes their certificates to client Client uses issuer public key to verify identity Client retrieves server public key from certificate Server may pass chain of certificates for authentication Certificates that validate other certificates

14 SSL Protocol: Phase 3 Phase 3: Client Identification and Key Exchange
Client sends certificate or public key if requested by server

15 SSL Key Generation Client generates “pre-master key”
Sends to client encrypted with server public key Client and server use to generate master key used to create cipher keys Also use client, server random numbers exchanged in phase 1 SHA-1 and MD5 hashing used to create “pseudorandom” mappings

16 Phase 4: Final Handshake
Client and server verify protocols and keys Sender signs/encrypts “finished” message Receiver decrypts/verifies message to confirm keys

17 SSL Data Transmission Message broken into blocks Block compressed
Compressed block hashed with authentication key to get MAC (message integrity) Compressed block + MAC encrypted with cipher key Encrypted block + record protocol header with version/length information sent

18 Https Protocol When started, requests secure session from server
Invokes SSL/TLS protocol Uses separate port in most servers (8181 in Glassfish) Must use absolute URL to invoke

19 Https Protocol By default future requests will use https: protocol
Https protocol is expensive Once done with secure transactions, should go back to using non-secure channel

20 Absolute Redirection in JSF
Must use code in bean to redirect to absolute address Call from action attribute Use redirect from external context of current instance

21 Obtaining Certificates
Must obtain from known public key authority Not free! (best are thousands of dollars) Expense depends on strength 56 bits: inexpensive, but crackable 128 bits: expensive but more secure 256 bits: maximum security Can create “temporary” (self-signed) key for testing Keytool utility in Java IIS Management Console for ASP (page 615)

22 Self-signed Certificates in Tomcat
Will automatically generate keys using RSA Password must be “changeit” for Tomcat

23 Obtaining Certificate In Tomcat
Create a certificate signing request (CSR) for key you have created keytool -certreq -alias <your key> keyalg RSA keystore <your_keystore_filename> Will get certreq.csr file Submit to CA (see CA web site for details) Get signed certificate in return

24 Obtaining Certificate in Tomcat
Download and install certificate from CA Replaces your original self-signed one keytool -import alias <your key> keystore <your keystore filename> trustcacerts file <file from CA>

25 Self-signed Certificates in IIS
Run IIS Management Console Included in Windows 7 May need to enable from Programs and Features Open server certificates

26 Self-signed Certificates in IIS
Choose “Create Self-signed Certificate” Enter a name

27 Obtaining Certificates in IIS
Can request and install from IIS Management Console

Download ppt "CSCI 6962: Server-side Design and Programming"

Similar presentations

Web security: SSL and TLS

Web security: SSL and TLS
CP3397 ECommerce.

CP3397 ECommerce.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security

Cryptography and Network Security
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
SSL (Secure Socket Layer)

SSL (Secure Socket Layer)
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.

Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

Similar presentations

Ads by Google