SlideShare una empresa de Scribd logo

Secure Communications with VisualWorks - CSTUC 2006

Martin Kobetic
Martin Kobetic

Cincom Smalltalk User Conference 2006

1 de 21
Descargar para leer sin conexión
Secure Communications Martin Kobetic Cincom Smalltalk Development CSTUC’06 Frankfurt December 2006
Contents Web Server Certificates and Keys Secure Web Server Client Authentication Preformance Considerations
Simple Web Server configuration := AdaptorConfiguration webServer addExecutor: WebHello new; addExecutor: WebEcho new; transport: ( TransportConfiguration http marshaler: MarshalerConfiguration web ). server := configuration newAtPort: 4242. server start. url := ’http://localhost:4242/hello’ asURI. client := HttpClient new. [ client get: url ] ensure: [ client close ]. server stop.
Certificate Authority caKeys := DSAKeyGenerator keySize: 1024. caName := Name new O: ’TrustMe’; L: ’Palermo’; C: ’Italy’; yourself. ca := Certificate new serialNumber: 1; issuer: caName; subject: caName; notBefore: Date today; notAfter: (Date today addDays: 7); publicKey: caKeys publicKey; forCertificateSigning; yourself. ca signUsing: caKeys privateKey.
Server Certificate sKeys := RSAKeyGenerator keySize: 1024. sName := Name new O: ’Oogle Inc’; CN: ’localhost’; yourself. sCert := Certificate new serialNumber: 1000; issuer: caName; subject: sName; notBefore: Date today; notAfter: (Date today addDays: 7); publicKey: sKeys publicKey; forKeyExchange; yourself. sCert signUsing: caKeys privateKey. sCert verifyIssuedBy: ca.
Key Storage file := ’server.pk8’ asFilename readWriteStream binary. pwd := ’sesame’ asByteArray. [ sKeys privateKey writeOn: file password: pwd. ] ensure: [ file close ]. "openssl pkcs8 -inform DER -in server.pk8 | openssl rsa -text" file reset. [ PKCS8 readKeyFrom: file password: pwd. ] ensure: [ file close ].
Certificate Storage file := ’server.cer’ asFilename readWriteStream binary. [ sCert writeOn: file ] ensure: [ file close ]. "openssl x509 -inform DER -in server.cer -text" file reset. [ Certificate readFrom: file ] ensure: [ file close ].
Switching to HTTPS sCtx := SSLContext newWithSecureCipherSuites. sCtx certificate: sCert key: sKeys privateKey. transport := TransportConfiguration https. transport serverContext: sCtx; marshaler: configuration transport marshaler. configuration transport: transport. configuration soReuseAddr: true. server := configuration newAtPort: 4433. server start ’https://localhost:4433/hello’ asURI get.
Certificate Registry registry := X509Registry new. registry addTrusted: ca. chain := Array with: sCert. registry validateCertificateChain: chain. registry addRevoked: ca. registry validateCertificateChain: chain. registry removeRevoked: ca. X509Registry default addTrusted: ca. ’https://localhost:4433/hello’ asURI get. CertificateFileReader readFromFile: ’/etc/pki/tls/certs/ca-bundle.crt’.
HTTPS Client cCtx := SSLContext newWithSecureCipherSuitesUsing: registry. url := ’https://localhost:4433/hello’ asURI. client := HttpClient new. client sslContext: cCtx. [ client get: url ] ensure: [ client close ]. file := ’ca.cer’ asFilename readWriteStream binary. [ ca writeOn: file ] ensure: [ file close ].
Client Certificate cKeys := RSAKeyGenerator keySize: 1024. cName := Name new O: ’Oogle Inc’; N: ’John Doe’; E: ’john@oogle.com’; yourself. cCert := Certificate new serialNumber: 2001; issuer: caName; subject: cName; notBefore: Date today; notAfter: (Date today addDays: 7); publicKey: cKeys publicKey; forSigning; yourself. cCert signUsing: caKeys privateKey.
Client Authentication transport clientValidator: [ :nm | ’*@oogle.com’ match: nm email ]. echo := ’https://localhost:4433/echo’ asURI. [ client get: echo ] ensure: [ client close ]. cCtx certificate: cCert key: cKeys privateKey. X509Registry default addTrusted: ca.
Client Authentication - Browser "openssl pkcs8 -inform DER -in client.pk8 -out clientk.pem" file := ’clientk.pem’ asFilename writeStream. [ cKeys privateKey asX509Key writePEMOn: file ] ensure: [ file close ]. "openssl x509 -inform DER -in client.cer -out client.pem" file := ’client.pem’ asFilename writeStream. [ cCert writePEMOn: file ] ensure: [ file close ]. "openssl pkcs12 -export -in client.pem -inkey clientk.pem -out client.p12 -name ’John Doe’"
Performance transport clientValidator: nil. [ [ client get: echo ] ensure: [ client close ] ] repeatUntil: 5. "Persistent connection" [ [ client get: echo ] repeatUntil: 5. ] ensure: [ client close ].
Session Resumption session := SSLSession newIn: cCtx. [ [ socket := SocketAccessor newTCPclientToHost: ’localhost’ port: 4433. binary := socket readAppendStream binary. connection := cCtx connectionFor: binary using: session. connection connectSubject: [ :nm | nm CN = ’localhost’ ]. ] ensure: [ connection close. socket close ] ] repeatUntil: 10 sCtx allowResumableSessions. sCtx disallowResumableSessions.
Session Resumption - Data [ [ socket := SocketAccessor newTCPclientToHost: ’localhost’ port: 4433. binary := socket readAppendStream binary. con := cCtx connectionFor: binary using: session. con connectSubject: [ :nm | nm CN = ’localhost’ ]. stream := (con withEncoding: #iso8859_1) readAppendStream lineEndCRLF. stream nextPutAll: ’GET /echo HTTP 1.1’; cr; nextPutAll: ’Host: localhost:4433’; cr; cr; flush. stream upToAll: ’’ withCRs; upToAll: ’’ withCRs ] ensure: [ stream close. socket close ] ] repeatUntil: 10.
Performance - Data Transfer [ [ client get: echo ] repeatUntil: 5. ] ensure: [ client close ] sCtx initializeSuites: ( Array with: SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5); certificate: sCert key: sKeys privateKey. SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA
Performance - DH Suites pars := DHParameterGenerator m: 256 l: 1024. sCtx initializeSuites: ( Array with:SSLCipherSuite SSL_DHE_RSA_WITH_DES_CBC_SHA); certificate: cCert key: cKeys privateKey; dhParameters: (Array with: pars p with: pars g) client validationBlock: [ :n | n name = ’John Doe’ ]. [ [ client get: echo ] ensure: [ client close ] ] repeatUntil: 5. SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Books Rescorla: SSL and TLS Housley, Polk: Planning for PKI Ferguson, Schneier: Practical Cryptography Menezes, van Oorschot, Vanstone: Handbook of Applied Cryptography Schneier, B: Applied Cryptography http://www.cincomsmalltalk.com/publicRepository/ bundle Presentations-MK class CSTUC06SecureCommunications
Simple Web Service url := ’http://localhost:4242/timeserver’ asURI. server := RequestBroker newSoapHttpAtPort: 4242 bindingNamed: ’TimeServerSoapBinding’. server export: Time oid: url tail. server start. (url copy query: ’wsdl’) get contents. client := WsdlClient url: (url copy query: ’wsdl’). client executeSelector: #now. client close. server stop.
Secure Web Service url := ’https://localhost:4433/timeserver’ asURI. server := BrokerConfiguration standard adaptor: (AdaptorConfiguration connectionOriented transport: (TransportConfiguration https serverContext: sCtx; marshaler: (MarshalerConfiguration soap bindingNamed: ’TimeServerSoapBinding’))). server := server newAtPort: url port. server export: Time oid: url tail. server start. server stop.

Recomendados

Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
 
VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012Martin Kobetic
 
tls_resumption_detailed_final
tls_resumption_detailed_finaltls_resumption_detailed_final
tls_resumption_detailed_finalSergii Cherkavskyi
 
Issue certificates with PyOpenSSL
Issue certificates with PyOpenSSLIssue certificates with PyOpenSSL
Issue certificates with PyOpenSSLPau Freixes
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...Andrey Devyatkin
 
Advanced open ssh
Advanced open sshAdvanced open ssh
Advanced open sshDan Kaminsky
 
Zi nginx conf_2015
Zi nginx conf_2015Zi nginx conf_2015
Zi nginx conf_2015Zi Lin
 
OSMC 2021 | On the Bleeding Edge of OpenTelemetry
OSMC 2021 | On the Bleeding Edge of OpenTelemetryOSMC 2021 | On the Bleeding Edge of OpenTelemetry
OSMC 2021 | On the Bleeding Edge of OpenTelemetryNETWAYS
 

Recomendados

Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
 
VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012Martin Kobetic
 
tls_resumption_detailed_final
tls_resumption_detailed_finaltls_resumption_detailed_final
tls_resumption_detailed_finalSergii Cherkavskyi
 
Issue certificates with PyOpenSSL
Issue certificates with PyOpenSSLIssue certificates with PyOpenSSL
Issue certificates with PyOpenSSLPau Freixes
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...Andrey Devyatkin
 
Advanced open ssh
Advanced open sshAdvanced open ssh
Advanced open sshDan Kaminsky
 
Zi nginx conf_2015
Zi nginx conf_2015Zi nginx conf_2015
Zi nginx conf_2015Zi Lin
 
OSMC 2021 | On the Bleeding Edge of OpenTelemetry
OSMC 2021 | On the Bleeding Edge of OpenTelemetryOSMC 2021 | On the Bleeding Edge of OpenTelemetry
OSMC 2021 | On the Bleeding Edge of OpenTelemetryNETWAYS
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩smalltown
 
NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)Marcel Cattaneo
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureNicolas Corrarello
 
Nginx - The webserver you might actually like
Nginx - The webserver you might actually likeNginx - The webserver you might actually like
Nginx - The webserver you might actually likeEdorian
 
Solving anything in VCL
Solving anything in VCLSolving anything in VCL
Solving anything in VCLFastly
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusNGINX, Inc.
 
Jetty TLS troubleshooting
Jetty TLS troubleshootingJetty TLS troubleshooting
Jetty TLS troubleshootingRoman Tereschenko
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesMichał Czeraszkiewicz
 
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDan York
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Philippe Bogaerts
 
320.1-Cryptography
320.1-Cryptography320.1-Cryptography
320.1-Cryptographybehrad eslamifar
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
Let's Encrypt!
Let's Encrypt!Let's Encrypt!
Let's Encrypt!Drew Fustini
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0Zabbix
 
TLS/SSL MAC security flaw
TLS/SSL MAC security flawTLS/SSL MAC security flaw
TLS/SSL MAC security flawNate Lawson
 
Apache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse ProxyApache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse ProxyJim Jagielski
 
SSL/TLS implementation using JSSE
SSL/TLS implementation using JSSE SSL/TLS implementation using JSSE
SSL/TLS implementation using JSSE Dr Anjan Krishnamurthy
 
Vault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New FeaturesVault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New FeaturesMitchell Pronschinske
 
Pts
PtsPts
PtsMaya Arymurti
 
Cryptography for Smalltalkers 2 - ESUG 2006
Cryptography for Smalltalkers 2 - ESUG 2006Cryptography for Smalltalkers 2 - ESUG 2006
Cryptography for Smalltalkers 2 - ESUG 2006Martin Kobetic
 

Más contenido relacionado

La actualidad más candente

HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩smalltown
 
NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)Marcel Cattaneo
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureNicolas Corrarello
 
Nginx - The webserver you might actually like
Nginx - The webserver you might actually likeNginx - The webserver you might actually like
Nginx - The webserver you might actually likeEdorian
 
Solving anything in VCL
Solving anything in VCLSolving anything in VCL
Solving anything in VCLFastly
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusNGINX, Inc.
 
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDan York
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Philippe Bogaerts
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0Zabbix
 
TLS/SSL MAC security flaw
TLS/SSL MAC security flawTLS/SSL MAC security flaw
TLS/SSL MAC security flawNate Lawson
 
Apache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse ProxyApache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse ProxyJim Jagielski
 
Vault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New FeaturesVault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New FeaturesMitchell Pronschinske
 

La actualidad más candente (20)

HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
 
NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin Infrastructure
 
Nginx - The webserver you might actually like
Nginx - The webserver you might actually likeNginx - The webserver you might actually like
Nginx - The webserver you might actually like
 
Solving anything in VCL
Solving anything in VCLSolving anything in VCL
Solving anything in VCL
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX Plus
 
Jetty TLS troubleshooting
Jetty TLS troubleshootingJetty TLS troubleshooting
Jetty TLS troubleshooting
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
 
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0
 
320.1-Cryptography
320.1-Cryptography320.1-Cryptography
320.1-Cryptography
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
Let's Encrypt!
Let's Encrypt!Let's Encrypt!
Let's Encrypt!
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0
 
TLS/SSL MAC security flaw
TLS/SSL MAC security flawTLS/SSL MAC security flaw
TLS/SSL MAC security flaw
 
Apache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse ProxyApache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse Proxy
 
SSL/TLS implementation using JSSE
SSL/TLS implementation using JSSE SSL/TLS implementation using JSSE
SSL/TLS implementation using JSSE
 
Vault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New FeaturesVault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New Features
 

Destacado

Cryptography for Smalltalkers 2 - ESUG 2006
Cryptography for Smalltalkers 2 - ESUG 2006Cryptography for Smalltalkers 2 - ESUG 2006
Cryptography for Smalltalkers 2 - ESUG 2006Martin Kobetic
 
Maycafotos2 eviita
Maycafotos2 eviitaMaycafotos2 eviita
Maycafotos2 eviitaangelinayoli
 
WordCamp Utah 2010 Presentation
WordCamp Utah 2010 PresentationWordCamp Utah 2010 Presentation
WordCamp Utah 2010 PresentationJ.R. Farr
 
Maycafotos2 eviita
Maycafotos2 eviitaMaycafotos2 eviita
Maycafotos2 eviitaangelinayoli
 

Destacado (7)

Pts
PtsPts
Pts
 
Cryptography for Smalltalkers 2 - ESUG 2006
Cryptography for Smalltalkers 2 - ESUG 2006Cryptography for Smalltalkers 2 - ESUG 2006
Cryptography for Smalltalkers 2 - ESUG 2006
 
Jane Austen Can Get You A Job
Jane Austen Can Get You A JobJane Austen Can Get You A Job
Jane Austen Can Get You A Job
 
Maycafotos2 eviita
Maycafotos2 eviitaMaycafotos2 eviita
Maycafotos2 eviita
 
Xtreams - ESUG 2010
Xtreams - ESUG 2010Xtreams - ESUG 2010
Xtreams - ESUG 2010
 
WordCamp Utah 2010 Presentation
WordCamp Utah 2010 PresentationWordCamp Utah 2010 Presentation
WordCamp Utah 2010 Presentation
 
Maycafotos2 eviita
Maycafotos2 eviitaMaycafotos2 eviita
Maycafotos2 eviita
 

Similar a Secure Communications with VisualWorks - CSTUC 2006

Seattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiazznate
 
Hardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiaHardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiazznate
 
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).DataStax Academy
 
Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Max Kleiner
 
Apache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validationsApache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validationsJean-Frederic Clere
 
How To Securely Set Up Shipyard 2.0.10 with TLS on CoreOS
How To Securely Set Up Shipyard 2.0.10 with TLS on CoreOSHow To Securely Set Up Shipyard 2.0.10 with TLS on CoreOS
How To Securely Set Up Shipyard 2.0.10 with TLS on CoreOSVEXXHOST Private Cloud
 
Ondřej Šika: Docker, Traefik a CI - Mějte nasazené všeny větve na kterých pra...
Ondřej Šika: Docker, Traefik a CI - Mějte nasazené všeny větve na kterých pra...Ondřej Šika: Docker, Traefik a CI - Mějte nasazené všeny větve na kterých pra...
Ondřej Šika: Docker, Traefik a CI - Mějte nasazené všeny větve na kterých pra...Develcz
 
Kafka security ssl
Kafka security sslKafka security ssl
Kafka security sslHeng-Xiu Xu
 
Securing Prometheus exporters using HashiCorp Vault
Securing Prometheus exporters using HashiCorp VaultSecuring Prometheus exporters using HashiCorp Vault
Securing Prometheus exporters using HashiCorp VaultBram Vogelaar
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggStreamNative
 
How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?Microsoft
 
Open-VPN Server
Open-VPN ServerOpen-VPN Server
Open-VPN ServerManish Kc
 
Advanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceAdvanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceSmart Coders
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka confluent
 
Kafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WayKafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WaySaylor Twift
 
Do you trust that certificate?
Do you trust that certificate?Do you trust that certificate?
Do you trust that certificate?zunda
 

Similar a Secure Communications with VisualWorks - CSTUC 2006 (20)

Seattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
 
Hardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiaHardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoia
 
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
 
Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21
 
Apache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validationsApache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validations
 
How To Securely Set Up Shipyard 2.0.10 with TLS on CoreOS
How To Securely Set Up Shipyard 2.0.10 with TLS on CoreOSHow To Securely Set Up Shipyard 2.0.10 with TLS on CoreOS
How To Securely Set Up Shipyard 2.0.10 with TLS on CoreOS
 
Ondřej Šika: Docker, Traefik a CI - Mějte nasazené všeny větve na kterých pra...
Ondřej Šika: Docker, Traefik a CI - Mějte nasazené všeny větve na kterých pra...Ondřej Šika: Docker, Traefik a CI - Mějte nasazené všeny větve na kterých pra...
Ondřej Šika: Docker, Traefik a CI - Mějte nasazené všeny větve na kterých pra...
 
Rhel5
Rhel5Rhel5
Rhel5
 
Kafka security ssl
Kafka security sslKafka security ssl
Kafka security ssl
 
Securing Prometheus exporters using HashiCorp Vault
Securing Prometheus exporters using HashiCorp VaultSecuring Prometheus exporters using HashiCorp Vault
Securing Prometheus exporters using HashiCorp Vault
 
SSL-image
SSL-imageSSL-image
SSL-image
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
 
How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?
 
Open-VPN Server
Open-VPN ServerOpen-VPN Server
Open-VPN Server
 
Advanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a serviceAdvanced Crypto Service Provider – cryptography as a service
Advanced Crypto Service Provider – cryptography as a service
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
 
Kafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WayKafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right Way
 
Do you trust that certificate?
Do you trust that certificate?Do you trust that certificate?
Do you trust that certificate?
 
Java security
Java securityJava security
Java security
 
Implementing cert-manager in K8s
Implementing cert-manager in K8sImplementing cert-manager in K8s
Implementing cert-manager in K8s
 

Secure Communications with VisualWorks - CSTUC 2006

  • 1. Secure Communications Martin Kobetic Cincom Smalltalk Development CSTUC’06 Frankfurt December 2006
  • 2. Contents Web Server Certificates and Keys Secure Web Server Client Authentication Preformance Considerations
  • 3. Simple Web Server configuration := AdaptorConfiguration webServer addExecutor: WebHello new; addExecutor: WebEcho new; transport: ( TransportConfiguration http marshaler: MarshalerConfiguration web ). server := configuration newAtPort: 4242. server start. url := ’http://localhost:4242/hello’ asURI. client := HttpClient new. [ client get: url ] ensure: [ client close ]. server stop.
  • 4. Certificate Authority caKeys := DSAKeyGenerator keySize: 1024. caName := Name new O: ’TrustMe’; L: ’Palermo’; C: ’Italy’; yourself. ca := Certificate new serialNumber: 1; issuer: caName; subject: caName; notBefore: Date today; notAfter: (Date today addDays: 7); publicKey: caKeys publicKey; forCertificateSigning; yourself. ca signUsing: caKeys privateKey.
  • 5. Server Certificate sKeys := RSAKeyGenerator keySize: 1024. sName := Name new O: ’Oogle Inc’; CN: ’localhost’; yourself. sCert := Certificate new serialNumber: 1000; issuer: caName; subject: sName; notBefore: Date today; notAfter: (Date today addDays: 7); publicKey: sKeys publicKey; forKeyExchange; yourself. sCert signUsing: caKeys privateKey. sCert verifyIssuedBy: ca.
  • 6. Key Storage file := ’server.pk8’ asFilename readWriteStream binary. pwd := ’sesame’ asByteArray. [ sKeys privateKey writeOn: file password: pwd. ] ensure: [ file close ]. "openssl pkcs8 -inform DER -in server.pk8 | openssl rsa -text" file reset. [ PKCS8 readKeyFrom: file password: pwd. ] ensure: [ file close ].
  • 7. Certificate Storage file := ’server.cer’ asFilename readWriteStream binary. [ sCert writeOn: file ] ensure: [ file close ]. "openssl x509 -inform DER -in server.cer -text" file reset. [ Certificate readFrom: file ] ensure: [ file close ].
  • 8. Switching to HTTPS sCtx := SSLContext newWithSecureCipherSuites. sCtx certificate: sCert key: sKeys privateKey. transport := TransportConfiguration https. transport serverContext: sCtx; marshaler: configuration transport marshaler. configuration transport: transport. configuration soReuseAddr: true. server := configuration newAtPort: 4433. server start ’https://localhost:4433/hello’ asURI get.
  • 9. Certificate Registry registry := X509Registry new. registry addTrusted: ca. chain := Array with: sCert. registry validateCertificateChain: chain. registry addRevoked: ca. registry validateCertificateChain: chain. registry removeRevoked: ca. X509Registry default addTrusted: ca. ’https://localhost:4433/hello’ asURI get. CertificateFileReader readFromFile: ’/etc/pki/tls/certs/ca-bundle.crt’.
  • 10. HTTPS Client cCtx := SSLContext newWithSecureCipherSuitesUsing: registry. url := ’https://localhost:4433/hello’ asURI. client := HttpClient new. client sslContext: cCtx. [ client get: url ] ensure: [ client close ]. file := ’ca.cer’ asFilename readWriteStream binary. [ ca writeOn: file ] ensure: [ file close ].
  • 11. Client Certificate cKeys := RSAKeyGenerator keySize: 1024. cName := Name new O: ’Oogle Inc’; N: ’John Doe’; E: ’john@oogle.com’; yourself. cCert := Certificate new serialNumber: 2001; issuer: caName; subject: cName; notBefore: Date today; notAfter: (Date today addDays: 7); publicKey: cKeys publicKey; forSigning; yourself. cCert signUsing: caKeys privateKey.
  • 12. Client Authentication transport clientValidator: [ :nm | ’*@oogle.com’ match: nm email ]. echo := ’https://localhost:4433/echo’ asURI. [ client get: echo ] ensure: [ client close ]. cCtx certificate: cCert key: cKeys privateKey. X509Registry default addTrusted: ca.
  • 13. Client Authentication - Browser "openssl pkcs8 -inform DER -in client.pk8 -out clientk.pem" file := ’clientk.pem’ asFilename writeStream. [ cKeys privateKey asX509Key writePEMOn: file ] ensure: [ file close ]. "openssl x509 -inform DER -in client.cer -out client.pem" file := ’client.pem’ asFilename writeStream. [ cCert writePEMOn: file ] ensure: [ file close ]. "openssl pkcs12 -export -in client.pem -inkey clientk.pem -out client.p12 -name ’John Doe’"
  • 14. Performance transport clientValidator: nil. [ [ client get: echo ] ensure: [ client close ] ] repeatUntil: 5. "Persistent connection" [ [ client get: echo ] repeatUntil: 5. ] ensure: [ client close ].
  • 15. Session Resumption session := SSLSession newIn: cCtx. [ [ socket := SocketAccessor newTCPclientToHost: ’localhost’ port: 4433. binary := socket readAppendStream binary. connection := cCtx connectionFor: binary using: session. connection connectSubject: [ :nm | nm CN = ’localhost’ ]. ] ensure: [ connection close. socket close ] ] repeatUntil: 10 sCtx allowResumableSessions. sCtx disallowResumableSessions.
  • 16. Session Resumption - Data [ [ socket := SocketAccessor newTCPclientToHost: ’localhost’ port: 4433. binary := socket readAppendStream binary. con := cCtx connectionFor: binary using: session. con connectSubject: [ :nm | nm CN = ’localhost’ ]. stream := (con withEncoding: #iso8859_1) readAppendStream lineEndCRLF. stream nextPutAll: ’GET /echo HTTP 1.1’; cr; nextPutAll: ’Host: localhost:4433’; cr; cr; flush. stream upToAll: ’’ withCRs; upToAll: ’’ withCRs ] ensure: [ stream close. socket close ] ] repeatUntil: 10.
  • 17. Performance - Data Transfer [ [ client get: echo ] repeatUntil: 5. ] ensure: [ client close ] sCtx initializeSuites: ( Array with: SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5); certificate: sCert key: sKeys privateKey. SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • 18. Performance - DH Suites pars := DHParameterGenerator m: 256 l: 1024. sCtx initializeSuites: ( Array with:SSLCipherSuite SSL_DHE_RSA_WITH_DES_CBC_SHA); certificate: cCert key: cKeys privateKey; dhParameters: (Array with: pars p with: pars g) client validationBlock: [ :n | n name = ’John Doe’ ]. [ [ client get: echo ] ensure: [ client close ] ] repeatUntil: 5. SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • 19. Books Rescorla: SSL and TLS Housley, Polk: Planning for PKI Ferguson, Schneier: Practical Cryptography Menezes, van Oorschot, Vanstone: Handbook of Applied Cryptography Schneier, B: Applied Cryptography http://www.cincomsmalltalk.com/publicRepository/ bundle Presentations-MK class CSTUC06SecureCommunications
  • 20. Simple Web Service url := ’http://localhost:4242/timeserver’ asURI. server := RequestBroker newSoapHttpAtPort: 4242 bindingNamed: ’TimeServerSoapBinding’. server export: Time oid: url tail. server start. (url copy query: ’wsdl’) get contents. client := WsdlClient url: (url copy query: ’wsdl’). client executeSelector: #now. client close. server stop.
  • 21. Secure Web Service url := ’https://localhost:4433/timeserver’ asURI. server := BrokerConfiguration standard adaptor: (AdaptorConfiguration connectionOriented transport: (TransportConfiguration https serverContext: sCtx; marshaler: (MarshalerConfiguration soap bindingNamed: ’TimeServerSoapBinding’))). server := server newAtPort: url port. server export: Time oid: url tail. server start. server stop.