SlideShare una empresa de Scribd logo

Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSL

Richard Fussenegger
Richard Fussenegger

The slides I used during the presentation.

TecnologíaEducación
1 de 10
Descargar para leer sin conexión
(Perfect) Forward Secrecy with nginx and OpenSSL by Richard Fussenegger, BSc
Rules • Ask—if you have a question • Ask—if you don’t understand something • Ask—if you want to know more • Shout—if I get something wrong
nginx why use it? • I use it since approximately 2008 • Asynchronous event-driven • Multiple workers (fork) • Modular architecture • Used by e.g. WordPress, GitHub, Golem.de
OpenSSL why use it? • Supported by all major (*nix) software • Can be compiled directly into nginx • Lot’s of ciphers supported • Almost a standard today
Forward Secrecy “…allows today information to be kept secret even if the private key is compromised in the future.” Vincent Bernat, PhD
TLS AES128-SHA how does it work? • Server presents certificate • Both agree on master secret • Built from 48byte premaster secret gen. and encrypted by client w. public key of server • Master secret derived from premaster secret + random values via plain text • Authentication and encryption w. same private key! Vincent Bernat http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
Solution Ephemeral Diffie-Hellman • Use different key for authentication and encryption • Extending classic TLS handshake Server sends a Server Key Exchange message after regular Certificate message
How To very easy with nginx https://github.com/MovLib/www/blob/master/conf/nginx/conf/ssl.conf
Validate do things work? • Localhost: openssl s_client -tls1 -cipher ECDH -connect 127.0.0.1:443 • Online: https://www.ssllabs.com/ssltest/analyze.html
Thank you • More in my master thesis • Questions about nginx, PHP, Debian/Ubuntu? richard@fussenegger.info

Recomendados

Matriux blue
Matriux blueMatriux blue
Matriux blueInMobi Technology
 
Mod security
Mod securityMod security
Mod securityShruthi Kamath
 
Secure Web Coding
Secure Web CodingSecure Web Coding
Secure Web CodingXavier Mertens
 
Hacking Exposé - Using SSL to Secure SQL Server Connections
Hacking Exposé - Using SSL to Secure SQL Server ConnectionsHacking Exposé - Using SSL to Secure SQL Server Connections
Hacking Exposé - Using SSL to Secure SQL Server ConnectionsChris Bell
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 SecuritySkeeve Stevens
 
Protecting Passwords
Protecting PasswordsProtecting Passwords
Protecting Passwordsinaz2
 
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.jsZero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.jsDane Schneider
 
Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Riyaz Walikar
 

Recomendados

Matriux blue
Matriux blueMatriux blue
Matriux blueInMobi Technology
 
Mod security
Mod securityMod security
Mod securityShruthi Kamath
 
Secure Web Coding
Secure Web CodingSecure Web Coding
Secure Web CodingXavier Mertens
 
Hacking Exposé - Using SSL to Secure SQL Server Connections
Hacking Exposé - Using SSL to Secure SQL Server ConnectionsHacking Exposé - Using SSL to Secure SQL Server Connections
Hacking Exposé - Using SSL to Secure SQL Server ConnectionsChris Bell
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 SecuritySkeeve Stevens
 
Protecting Passwords
Protecting PasswordsProtecting Passwords
Protecting Passwordsinaz2
 
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.jsZero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.jsDane Schneider
 
Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Riyaz Walikar
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to ExploitationUTD Computer Security Group
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE EditionXavier Mertens
 
The Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil MahendraThe Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil MahendraCysinfo Cyber Security Community
 
Mod Security
Mod SecurityMod Security
Mod SecurityAbhishek Singh
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp
 
5 Hidden Performance Problems for ASP.NET
5 Hidden Performance Problems for ASP.NET5 Hidden Performance Problems for ASP.NET
5 Hidden Performance Problems for ASP.NETMatt Watson
 
Lecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of ThingsLecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of ThingsAlexandru Radovici
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo AppMRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo AppNGINX, Inc.
 
The internet of $h1t
The internet of $h1tThe internet of $h1t
The internet of $h1tAmit Serper
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
Lecture 5 - Webservers for the Internet of Things
Lecture 5 - Webservers for the Internet of ThingsLecture 5 - Webservers for the Internet of Things
Lecture 5 - Webservers for the Internet of ThingsAlexandru Radovici
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod securityRomansh Yadav
 
Vault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureVault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureOpenCredo
 
Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)Emily Stark
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for DevelopersMichael Boelen
 
State of wifi_2016
State of wifi_2016State of wifi_2016
State of wifi_2016antitree
 
NGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkNGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkWallarm
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
IT security for all. Bootcamp slides
IT security for all. Bootcamp slidesIT security for all. Bootcamp slides
IT security for all. Bootcamp slidesWallarm
 
Webinar - DreamObjects/Ceph Case Study
Webinar - DreamObjects/Ceph Case StudyWebinar - DreamObjects/Ceph Case Study
Webinar - DreamObjects/Ceph Case StudyCeph Community
 
Web security
Web securityWeb security
Web securityGreater Noida Institute Of Technology
 

Más contenido relacionado

La actualidad más candente

$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE EditionXavier Mertens
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp
 
5 Hidden Performance Problems for ASP.NET
5 Hidden Performance Problems for ASP.NET5 Hidden Performance Problems for ASP.NET
5 Hidden Performance Problems for ASP.NETMatt Watson
 
Lecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of ThingsLecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of ThingsAlexandru Radovici
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo AppMRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo AppNGINX, Inc.
 
The internet of $h1t
The internet of $h1tThe internet of $h1t
The internet of $h1tAmit Serper
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
Lecture 5 - Webservers for the Internet of Things
Lecture 5 - Webservers for the Internet of ThingsLecture 5 - Webservers for the Internet of Things
Lecture 5 - Webservers for the Internet of ThingsAlexandru Radovici
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod securityRomansh Yadav
 
Vault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureVault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureOpenCredo
 
Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)Emily Stark
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for DevelopersMichael Boelen
 
State of wifi_2016
State of wifi_2016State of wifi_2016
State of wifi_2016antitree
 
NGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkNGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkWallarm
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
IT security for all. Bootcamp slides
IT security for all. Bootcamp slidesIT security for all. Bootcamp slides
IT security for all. Bootcamp slidesWallarm
 

La actualidad más candente (20)

Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition
 
The Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil MahendraThe Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil Mahendra
 
Mod Security
Mod SecurityMod Security
Mod Security
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm Hole
 
5 Hidden Performance Problems for ASP.NET
5 Hidden Performance Problems for ASP.NET5 Hidden Performance Problems for ASP.NET
5 Hidden Performance Problems for ASP.NET
 
Lecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of ThingsLecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of Things
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo AppMRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
 
The internet of $h1t
The internet of $h1tThe internet of $h1t
The internet of $h1t
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
Lecture 5 - Webservers for the Internet of Things
Lecture 5 - Webservers for the Internet of ThingsLecture 5 - Webservers for the Internet of Things
Lecture 5 - Webservers for the Internet of Things
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
 
Vault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureVault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructure
 
Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
 
State of wifi_2016
State of wifi_2016State of wifi_2016
State of wifi_2016
 
NGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkNGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talk
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
 
IT security for all. Bootcamp slides
IT security for all. Bootcamp slidesIT security for all. Bootcamp slides
IT security for all. Bootcamp slides
 

Similar a Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSL

Webinar - DreamObjects/Ceph Case Study
Webinar - DreamObjects/Ceph Case StudyWebinar - DreamObjects/Ceph Case Study
Webinar - DreamObjects/Ceph Case StudyCeph Community
 
Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018Duncan Wannamaker
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
From Test to Live with Rex
From Test to Live with RexFrom Test to Live with Rex
From Test to Live with RexJan Gehring
 
Open Source Cyber Weaponry
Open Source Cyber WeaponryOpen Source Cyber Weaponry
Open Source Cyber WeaponryJoshua L. Davis
 
Sanger, upcoming Openstack for Bio-informaticians
Sanger, upcoming Openstack for Bio-informaticiansSanger, upcoming Openstack for Bio-informaticians
Sanger, upcoming Openstack for Bio-informaticiansPeter Clapham
 
IP Protocol Security
IP Protocol SecurityIP Protocol Security
IP Protocol SecurityDavid Barker
 
Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon emailantitree
 
scrazzl - A technical overview
scrazzl - A technical overviewscrazzl - A technical overview
scrazzl - A technical overviewscrazzl
 
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...JosephTesta9
 
OPEN'17_2_Customer Experience_Essent
OPEN'17_2_Customer Experience_EssentOPEN'17_2_Customer Experience_Essent
OPEN'17_2_Customer Experience_EssentKangaroot
 
Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013javagroup2006
 
Kubernetes for HCL Connections Component Pack - Build or Buy?
Kubernetes for HCL Connections Component Pack - Build or Buy?Kubernetes for HCL Connections Component Pack - Build or Buy?
Kubernetes for HCL Connections Component Pack - Build or Buy?Martin Schmidt
 
Netflix oss season 2 episode 1 - meetup Lightning talks
Netflix oss season 2 episode 1 - meetup Lightning talksNetflix oss season 2 episode 1 - meetup Lightning talks
Netflix oss season 2 episode 1 - meetup Lightning talksRuslan Meshenberg
 

Similar a Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSL (20)

Webinar - DreamObjects/Ceph Case Study
Webinar - DreamObjects/Ceph Case StudyWebinar - DreamObjects/Ceph Case Study
Webinar - DreamObjects/Ceph Case Study
 
Web security
Web securityWeb security
Web security
 
Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
From Test to Live with Rex
From Test to Live with RexFrom Test to Live with Rex
From Test to Live with Rex
 
Infura
InfuraInfura
Infura
 
Open Source Cyber Weaponry
Open Source Cyber WeaponryOpen Source Cyber Weaponry
Open Source Cyber Weaponry
 
Sanger, upcoming Openstack for Bio-informaticians
Sanger, upcoming Openstack for Bio-informaticiansSanger, upcoming Openstack for Bio-informaticians
Sanger, upcoming Openstack for Bio-informaticians
 
Flexible compute
Flexible computeFlexible compute
Flexible compute
 
IP Protocol Security
IP Protocol SecurityIP Protocol Security
IP Protocol Security
 
Sqlviking
SqlvikingSqlviking
Sqlviking
 
Vp ns
Vp nsVp ns
Vp ns
 
Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon email
 
Virtual Private Network
Virtual Private NetworkVirtual Private Network
Virtual Private Network
 
scrazzl - A technical overview
scrazzl - A technical overviewscrazzl - A technical overview
scrazzl - A technical overview
 
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
 
OPEN'17_2_Customer Experience_Essent
OPEN'17_2_Customer Experience_EssentOPEN'17_2_Customer Experience_Essent
OPEN'17_2_Customer Experience_Essent
 
Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013
 
Kubernetes for HCL Connections Component Pack - Build or Buy?
Kubernetes for HCL Connections Component Pack - Build or Buy?Kubernetes for HCL Connections Component Pack - Build or Buy?
Kubernetes for HCL Connections Component Pack - Build or Buy?
 
Netflix oss season 2 episode 1 - meetup Lightning talks
Netflix oss season 2 episode 1 - meetup Lightning talksNetflix oss season 2 episode 1 - meetup Lightning talks
Netflix oss season 2 episode 1 - meetup Lightning talks
 

Último

Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Último (20)

Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSL

  • 1. (Perfect) Forward Secrecy with nginx and OpenSSL by Richard Fussenegger, BSc
  • 2. Rules • Ask—if you have a question • Ask—if you don’t understand something • Ask—if you want to know more • Shout—if I get something wrong
  • 3. nginx why use it? • I use it since approximately 2008 • Asynchronous event-driven • Multiple workers (fork) • Modular architecture • Used by e.g. WordPress, GitHub, Golem.de
  • 4. OpenSSL why use it? • Supported by all major (*nix) software • Can be compiled directly into nginx • Lot’s of ciphers supported • Almost a standard today
  • 5. Forward Secrecy “…allows today information to be kept secret even if the private key is compromised in the future.” Vincent Bernat, PhD
  • 6. TLS AES128-SHA how does it work? • Server presents certificate • Both agree on master secret • Built from 48byte premaster secret gen. and encrypted by client w. public key of server • Master secret derived from premaster secret + random values via plain text • Authentication and encryption w. same private key! Vincent Bernat http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
  • 7. Solution Ephemeral Diffie-Hellman • Use different key for authentication and encryption • Extending classic TLS handshake Server sends a Server Key Exchange message after regular Certificate message
  • 8. How To very easy with nginx https://github.com/MovLib/www/blob/master/conf/nginx/conf/ssl.conf
  • 9. Validate do things work? • Localhost: openssl s_client -tls1 -cipher ECDH -connect 127.0.0.1:443 • Online: https://www.ssllabs.com/ssltest/analyze.html
  • 10. Thank you • More in my master thesis • Questions about nginx, PHP, Debian/Ubuntu? richard@fussenegger.info