Presentation is loading. Please wait.

Presentation is loading. Please wait.

Washington System Center © 2005 IBM Corporation August 25, 2005 RDS Training Secure Socket Layer (SSL) Overview z/Series Security (Mary Sweat, Greg Boyd)

Published byDina Holt Modified over 9 years ago

Similar presentations

Presentation on theme: "Washington System Center © 2005 IBM Corporation August 25, 2005 RDS Training Secure Socket Layer (SSL) Overview z/Series Security (Mary Sweat, Greg Boyd)"— Presentation transcript:

1 Washington System Center © 2005 IBM Corporation August 25, 2005 RDS Training Secure Socket Layer (SSL) Overview z/Series Security (Mary Sweat, Greg Boyd) Advanced Technical Support Gaithersburg, MD

2 Washington System Center © 2005 IBM Corporation 2August 25, 2005 Purpose Provide a communication protocol ●allows a session to be established between two parties, a client and a server  provide privacy (encryption), authentication of the communicating partner and data integrity of the information exchanged on the connection ♦ security is based on negotiated agreement between these two parties ●may be used on an application-by-application basis

3 Washington System Center © 2005 IBM Corporation 3August 25, 2005 Server 1. provides information and data to the client at the client's request 2. decides what data should be protected 3. is usually an application written to provide data services outbound 4. has the responsibility to protect its identity (will prove its identity via a certificate) 1. initiates the communications 2. generally selects the data to be provided by the Server 3. most are browsers but not necessarily 4. can prove its identity by also having a certificate Client SSL/TLS : Functions

4 Washington System Center © 2005 IBM Corporation 4August 25, 2005 The SSL/TLS Session Client Hello, my cipher info, etc. Server Hello, my cipher info, key exchange, etc. Client response: key exchange, ciphers, etc. Server response: change cipher and finish Server/Client: Encrypted data SSL Handshake or Hello Phase SSL Session

5 Washington System Center © 2005 IBM Corporation 5August 25, 2005 Certificates Certificates are a way of securely identifying someone ●most are based on the standard structure X.509 v3 ●certificates are encoded using DER rules (X.209) ●Contains;  Owner’s distinguished name  Owner’s public key ♦ Signature algorithm with which the public key is used  issuers distinguished name ♦ issuers signature V#, SN, CA's signature, sgn-alg Issuer name: CAxyz Validity Dates and Time type Subject name: Greg Subject's Public Key, AlgoID SignAlgo: RSA with SHA-1 Extensions

6 Washington System Center © 2005 IBM Corporation 6August 25, 2005 Certificate Authorities Certificate authorities are trusted organizations who vouch for public keys ●a CA is an entity trusted by both the client and the owner ●CA issues a credential (a certificate) to the owner, that associates the owner’s name with the owner’s public key  client trusts that the CA will not issue a certificate to an imposter  public keys are delivered via certificates, which are signed with the private key of the certificate authority ● client can validate the certificate at any time  validating a certificate proves that it’s authentic and has not been modified. (to be signed)

7 Washington System Center © 2005 IBM Corporation 7August 25, 2005 Public Key Cryptography – Mathematically Related Generate 2 prime numbersP = 7Q = 17 (each over 100 digits long) Multiply primes to get modulus, NN = 7 x 17 = 119 Select odd number, E, that will E = 5 be the second part of the public key Public Key (N E)119 5 Compute second part of private key, D (P-1) x (Q-1) x (E-1)(7-1) x (17-1) x (5-1) = 384 Add 1 to result384 + 1 = 385 Divide by E to get DD = 385/5 = 77 Private Key (N D)119 77

8 Washington System Center © 2005 IBM Corporation 8August 25, 2005 Encipher Message – ‘SELL’ P = 7; Q = 17; N = 119; E = 5; D = 77 Public Key (N E)119 5 Private Key (N D)119 77 Convert characters to numeric ●E.g. a=1, b=2, c=3 …. ●Plaintext ‘SELL’ becomes 19 5 12 12 Raise that character value to power E (‘S’ => 19**5 => 2476099) Divide by first part of Public Key2476099 / 119 = 20807 And get the remainder66 = eKP(S) Ciphertext 66 31 3 3

9 Washington System Center © 2005 IBM Corporation 9August 25, 2005 Decipher Message – ’66 31 3 3’ P = 7; Q = 17; N = 119; E = 5; D = 77 Public Key (N E)119 5 Private Key (ND) 119 77 Raise to power D66 ** 77 = 1273….. Divide result by modulus N1273….. / 119 = 1069 And get remainder 19 Remainder is numeric equivalent of19 = “S” character sent Plaintext 19 5 12 12 or C’S E L L’

10 Washington System Center © 2005 IBM Corporation 10August 25, 2005 Functionz800/z900z890/z990z9 109 Handshake Phase CSNDPKD – Public Key Decrypt PCICA, PCICC, CCFPCICA, Crypto Express2, Software Crypto Express2 (Accelerator/Coprocessor), Software CSNDPKE – Public Key Encrypt PCICC, CCFPCICA, Crypto Express2, Software Crypto Express2 (Accelerator/Coprocessor), Software CSNDDSV – Digital Signature Verify PCICC, CCFPCICA, Crypto Express2, PCIXCC, Crypto Express2 (Accelerator/Coprocessor), Software Record Layer DES/TDESCCFCPACF or Software AESSoftware Software or CPACF with z/OS V1R8 RC2 or RC4Software SHA-1 (Hash)SoftwareCPACF MD5 (Hash)Software Where are the SSL functions executed? Could be lots of different places

11 Washington System Center © 2005 IBM Corporation 11August 25, 2005 Hardware Decisions Some IBM product code that can take advantage of cryptographic hardware includes a software crypto engine. If the hardware is not properly installed and setup the software will be used to perform the encryption. ●code is written to detect whether there is crypto hardware and if ICSF is active  check is done at session startup time  when base hardware crypto and ICSF conditions are met, an indicator is set ♦ examples of products; IBM WebSphere, System SSL, TN3270 Products that optionally allow cryptographic functions usually do not provide a software crypto engine and require the presence of active IBM base crypto and ICSF ●example: VTAM Session Level Encryption

12 Washington System Center © 2005 IBM Corporation 12August 25, 2005 SSL Exploiters CICS LDAP Firewall Technologies WebSphere MQ Series Tivoli Access Manager for Business Integration Host Edition Policy Director Authorization Services Secure TN3270 IMS PKI Services EIM Sendmail Secure FTP IBM HTTP Server

13 Washington System Center © 2005 IBM Corporation 13August 25, 2005 References SSL, Secure Sockets Layer http://wp.netscape.com/eng/ssl3/draft302.txt TLS, Transport Layer Security http://www.ietf.org/rfc/rfc2246.txt Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRI Profile (RFC 3279) http://www.faqs.org/rfcs/rfc3279.html X.509 certificate, certificate revocation list, and certificate extensions http://www.ietf.org/rfc/rfc2469.txt Signatures ●http://www.itl.nist.gov/div897/pubs/fip186.htm (DSS) ●http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/index.html (RSA) Hashing ●http://www.itl.nist.gov/fipspubs/fip180-1.htm (SHA-1) ●http://www.ietf.org/rfc/rfc1321.txt?number=1321 (MD5) Key Exchange ●http://www.ietf.org/internet-drafts/draft-ietf-pkix-rfc2510bis-08.txt

14 Washington System Center © 2005 IBM Corporation 14August 25, 2005 Questions

Download ppt "Washington System Center © 2005 IBM Corporation August 25, 2005 RDS Training Secure Socket Layer (SSL) Overview z/Series Security (Mary Sweat, Greg Boyd)"

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Web security: SSL and TLS

Web security: SSL and TLS
CP3397 ECommerce.

CP3397 ECommerce.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security

Cryptography and Network Security
Secure Socket Layer.

Secure Socket Layer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.

SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.

Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Similar presentations

Ads by Google