SSL in a Nutshell
Just enough to be dangerous . . . . .
Expectation setting
- In the kingdom of the blind, the one-eyed man is king (in other words I am not an expert – I just play one on TV!)
- This is all relatively introductory information
Agenda
- What is SSL?
- Certificates
- How does SSL work?
- How we use SSL
- SSL & Java
- Configuration
- Debugging
- Resources
What is SSL?
- SSL = Secure Sockets Layer; TLS = Transport Layer Security is the new name
- A cryptographic protocol to provide secure communication over networks (such as the Internet)
- The protocol provides two of the three key aspects of security:
  - Confidentiality (encryption)
  - Authentication (you are who you say you are)
  - Authorization (what you can do – controlled by your app, not the protocol)
But first this . . . .
What is a Certificate? A signed digital certificate is an industry-standard means of verifying the authenticity of an entity, such as a server, client, or application. To ensure maximum security, a certificate is issued by a third-party certificate authority (CA), e.g. VeriSign.
What does a cert look like? Ours.
  Creation date: Jul 28, 2010
  Entry type: PrivateKeyEntry
  Certificate chain length: 1
  Certificate[1]:
  Owner: CN=some.url, OU=Services, O=Nokia, L=Burlington, ST=Massachusetts, C=US
  Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
  Serial number: 7c391cdfaf10822ce338c3eb925f77bc
  Valid from: Mon Apr 12 00:00:00 UTC 2010 until: Tue Apr 12 23:59:59 UTC 2011
  Certificate fingerprints:
           MD5:  06:5C:45:66:C5:28:77:48:E6:58:D9:FB:C5:06:41:1C
           SHA1: 74:4B:A8:3D:A7:BF:57:30:4E:23:B5:21:4C:2E:9B:8B:27:5F:9E:A5
           Signature algorithm name: SHA1withRSA
           Version: 3
And more stuff . . . .
How does SSL work?
One-Way SSL
How does SSL work? (cont.)
- Client picks a random number, encrypts it with the server's public key and sends it to the server. Only the server can decrypt it (using its private key).
- Now they both have a shared secret (the random number).
- From the random number, both parties generate key material for encryption and decryption. This concludes the handshake.
- Secured connection, which is encrypted and decrypted with the key material until the connection closes.
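The four steps above, played out in a single JVM with standard JCE primitives. This is an added example written for this page, not code from the deck: it models the RSA key exchange the slide describes (random secret, encrypted to the server's public key, expanded into per-direction keys that then protect application data), and the key derivation is a deliberately simplified SHA-256 stand-in for the TLS PRF, not the real one. Class and method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class RsaKeyExchangeModel {

    // "Server" side: a long-term RSA key pair; the public half is what a server certificate carries.
    static KeyPair serverKeyPair() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    // Client encrypts its random secret to the server's public key.
    static byte[] clientEncryptSecret(PublicKey serverPub, byte[] secret) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, serverPub);
        return rsa.doFinal(secret);
    }

    // Only the holder of the private key can recover it.
    static byte[] serverDecryptSecret(PrivateKey serverPriv, byte[] encrypted) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.DECRYPT_MODE, serverPriv);
        return rsa.doFinal(encrypted);
    }

    // Both sides expand the shared secret the same way. Simplified stand-in for the TLS
    // key-derivation function (assumption of this example, not how TLS actually derives keys).
    static byte[] deriveKey(byte[] secret, String label) throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        sha256.update(label.getBytes(StandardCharsets.UTF_8));
        sha256.update(secret);
        return Arrays.copyOf(sha256.digest(), 16); // 128-bit AES key
    }

    static byte[] seal(byte[] key, byte[] nonce, byte[] plaintext) throws Exception {
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        return aes.doFinal(plaintext);
    }

    static byte[] open(byte[] key, byte[] nonce, byte[] ciphertext) throws Exception {
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        return aes.doFinal(ciphertext); // throws AEADBadTagException if the record was tampered with
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        KeyPair server = serverKeyPair();

        // 1. Client picks a random number (48 bytes, the size of a TLS pre-master secret).
        byte[] clientSecret = new byte[48];
        rng.nextBytes(clientSecret);

        // 2. Client encrypts it with the server's public key; this blob is what goes on the wire.
        byte[] onTheWire = clientEncryptSecret(server.getPublic(), clientSecret);

        // 3. Server decrypts with its private key; now both hold the same secret.
        byte[] serverSecret = serverDecryptSecret(server.getPrivate(), onTheWire);
        System.out.println("shared secret agrees: " + Arrays.equals(clientSecret, serverSecret));

        // 4. Each side derives the same key material from the secret (one key per direction).
        byte[] clientWriteKey = deriveKey(clientSecret, "client write");
        byte[] serverReadKey  = deriveKey(serverSecret, "client write");

        // 5. Application data flows encrypted under the derived keys until the connection closes.
        byte[] nonce = new byte[12];
        rng.nextBytes(nonce);
        byte[] record = seal(clientWriteKey, nonce, "GET / HTTP/1.0".getBytes(StandardCharsets.UTF_8));
        System.out.println("server read: " + new String(open(serverReadKey, nonce, record), StandardCharsets.UTF_8));
    }
}
```

Note what the model leaves out, on purpose: the step on the previous slide where the client checks the server's certificate before trusting that public key. Without that check anyone who intercepts the connection could substitute their own key pair, which is exactly why the certificate verification step exists.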
2-Way SSL
- In the one-way example the client verified that the server is who they say they are. Example: logging in to your bank.
- But how does your bank know YOU are who you say you are? Typically a login/password.
- 2-Way SSL achieves the same “mutual authentication” by having both sides use certs.
2-Way SSL
Why SSL?
- It is a widespread standard and is rock solid – no major hacking stories / events.
- But nothing is impervious.
How do we use SSL?
- We use SSL to talk with aggregators
  - Outbound: TO the aggregator
  - Inbound: FROM the aggregator (the callback)
- We also use SSL in communication with folks upstream
  - but over dedicated fiber
  - with dev certs (we trust them, right!)
- And we add digital signing . . . . just in case?
SSL using Java
- JSSE = Java Secure Socket Extension is the default Java package
  - Was an optional package before JDK 1.4. Now it's bundled in the JDK.
  - Either way it's not easy to use
- We use Apache HTTP Client – it's still REALLY hard (not!)

    import java.io.IOException;
    import org.apache.commons.httpclient.HttpClient;
    import org.apache.commons.httpclient.methods.GetMethod;

    public class SslGet {
        public static void main(String[] args) throws IOException {
            HttpClient httpclient = new HttpClient();
            GetMethod httpget = new GetMethod("https://www.verisign.com/");
            try {
                httpclient.executeMethod(httpget);   // JSSE handles the handshake and cert check
                System.out.println(httpget.getStatusLine());
            } finally {
                httpget.releaseConnection();
            }
        }
    }
The hard part . . . . .
- The hard part is acquiring and managing the keys and certs
- Procuring a cert is described elsewhere
- Keystore
  - Contains our private key and private certificate
  - Created from scratch
- Truststore
  - Used to contain self-signed certs from aggregators
  - Copied from Java's own cacerts (to handle the case where certs are signed by a CA)
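The keystore/truststore split above and the 2-Way SSL slide come together in plain JSSE as follows. This is an added example, not code from the deck or from Apache HttpClient: it builds one SSLContext from a keystore (what we present) and a truststore (what we accept), runs a server and a client on the loopback interface, and turns on mutual authentication with setNeedClientAuth. It assumes a self-signed PKCS12 store named demo.p12 created beforehand with keytool, for example: keytool -genkeypair -alias demo -keyalg RSA -keysize 2048 -validity 365 -dname "CN=localhost" -storetype PKCS12 -keystore demo.p12 -storepass changeit -keypass changeit. Because the store is self-signed it can serve as both keystore and truststore for the demo; class and method names are the example's own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsLoopback {

    // Keystore: our own private key + certificate (what we present to the peer).
    // Truststore: the certificates we are willing to accept from the peer.
    static SSLContext buildContext(String keystorePath, String truststorePath, char[] password)
            throws Exception {
        KeyStore keystore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keystorePath)) {
            keystore.load(in, password); // "can't find keystore" / bad password surfaces here
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // A store with no private key entry yields a KeyManager with nothing to present;
        // the server side then typically fails the handshake with "no cipher suites in common".
        kmf.init(keystore, password);

        KeyStore truststore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(truststorePath)) {
            truststore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String store = args.length > 0 ? args[0] : "demo.p12"; // assumed to exist, see keytool command above
        char[] password = "changeit".toCharArray();
        // Same self-signed store plays keystore and truststore on both ends for this loopback demo.
        SSLContext ctx = buildContext(store, store, password);

        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress());
        // This one call is the difference between one-way and two-way SSL: the server now
        // demands a client certificate that validates against its truststore.
        server.setNeedClientAuth(true);

        Thread serverThread = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept()) {
                s.startHandshake();
                System.out.println("server: client authenticated as " + s.getSession().getPeerPrincipal());
                s.getOutputStream().write("hello from server\n".getBytes(StandardCharsets.UTF_8));
                s.getOutputStream().flush();
            } catch (IOException e) {
                System.out.println("server: handshake failed: " + e.getMessage());
            }
        });
        serverThread.start();

        try (SSLSocket client = (SSLSocket) ctx.getSocketFactory()
                .createSocket(InetAddress.getLoopbackAddress(), server.getLocalPort())) {
            client.startHandshake();
            System.out.println("client: server authenticated as " + client.getSession().getPeerPrincipal());
            byte[] buf = new byte[64];
            int n = client.getInputStream().read(buf);
            System.out.println("client: got " + new String(buf, 0, Math.max(n, 0), StandardCharsets.UTF_8).trim());
        } finally {
            serverThread.join();
            server.close();
        }
    }
}
```

Run it with -Djavax.net.debug=ssl:handshake to see the CertificateRequest the server sends and the certificate the client answers with; a useful negative test is to point the truststore at an empty store and watch both sides reject each other. One caveat for real clients: a raw SSLSocket does not check that the certificate's name matches the host you dialled; enable that with SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") on the client socket, or let an HTTP client library do it for you.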
Keystore / truststore: how to . . .
- keytool ships with Java
- Show keys & certs in the keystore:
    keytool -list -v -keystore keystore -storepass changeit
- Show certs in the truststore:
    keytool -list -v -keystore cacerts -storepass changeit
Architecture
- SSL does not have to be handled (“offloaded”) by JBoss/Tomcat
- It can be offloaded by the Apache Web Server
- It can be offloaded by a load balancer
Authorization
IMPORTANT NOTE: Not addressed here – this is up to your application
Debugging: what to look for
Typical exceptions if . . .
- Can't find keystore / truststore
- Our private key is missing from the keystore
- Whitelisting error (not really SSL)
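The two keytool -list -v commands on the how-to slide and the first two exception causes above can be checked from Java directly. This is an added example, not code from the deck or from keytool: it opens a keystore or truststore, prints each entry in the layout keytool uses (owner, issuer, serial, validity, fingerprints, signature algorithm), flags certificates outside their validity window, and reports whether the store holds any private key entry at all, which is the "private key is missing" case. With no arguments it reads the JDK's own cacerts under java.home with the default password changeit; class and method names are the example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class KeystoreAudit {

    // Colon-separated upper-case hex, the layout keytool prints under "Certificate fingerprints:".
    static String fingerprint(String algorithm, Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    static void describe(String alias, String entryType, X509Certificate cert) throws Exception {
        System.out.println("Alias name: " + alias);
        System.out.println("Entry type: " + entryType);
        System.out.println("Owner: " + cert.getSubjectX500Principal());
        System.out.println("Issuer: " + cert.getIssuerX500Principal());
        System.out.println("Serial number: " + cert.getSerialNumber().toString(16));
        System.out.println("Valid from: " + cert.getNotBefore() + " until: " + cert.getNotAfter());
        System.out.println("  SHA1:   " + fingerprint("SHA-1", cert));
        System.out.println("  SHA256: " + fingerprint("SHA-256", cert));
        System.out.println("Signature algorithm name: " + cert.getSigAlgName());
        System.out.println("Version: " + cert.getVersion());
        try {
            cert.checkValidity(); // throws if today is outside notBefore..notAfter
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            System.out.println("WARNING: not currently valid: " + e.getMessage());
        }
        System.out.println();
    }

    public static void main(String[] args) throws Exception {
        // Default: the JDK's own cacerts, the file the truststore on an earlier slide was copied from.
        String path = args.length > 0 ? args[0]
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // Default type is JKS on JDK 8 and PKCS12 on JDK 9+; JDK 9+ reads either format here.
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password); // a missing file or wrong password fails right here
        }

        int keyEntries = 0, certEntries = 0;
        for (Enumeration<String> aliases = store.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            boolean isKey = store.isKeyEntry(alias);
            if (isKey) keyEntries++; else certEntries++;
            Certificate cert = store.getCertificate(alias); // for key entries: the leaf of the chain
            if (cert instanceof X509Certificate) {
                describe(alias, isKey ? "PrivateKeyEntry" : "trustedCertEntry", (X509Certificate) cert);
            }
        }
        System.out.println("Private key entries: " + keyEntries + ", trusted certificate entries: " + certEntries);
        if (keyEntries == 0) {
            System.out.println("NOTE: no private key entry: fine for a truststore, useless as a server or client keystore");
        }
    }
}
```

Point it at the application's own keystore (java KeystoreAudit keystore changeit) before a release: an entry count of zero private keys, or a WARNING line, explains most "it worked last month" SSL failures faster than reading the stack trace.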
Debugging tools #1
-Djavax.net.debug=all
Debugging tools #2: wget
- Use wget to unit test your key/certs (one-way!)
- e.g. to test:
    wget -d -v --certificate=/somecrt --post-data 'SOAP STUFF GOES HERE' --private-key=/somekey https://someurl.com
wget output
  Resolving somestage.com... XXX.242.50.144
  Caching somestage.com => XXX.242.50.144
  Connecting to somestage.com|XXX.242.50.144|:443... connected.
  Created socket 3.
  Releasing 0x000000001b0a5e70 (new refcount 1).
  Initiating SSL handshake.
  Handshake successful; connected socket 3 to SSL handle 0x000000001b10ee40
  certificate:
    subject: /C=DK/postalCode=9210/ST=Aalborg/L=Aalborg SC398/streetAddress=Indkildevej 6E/O=TBD/OU=TBD/OU=Issued through TBD Manager/OU=Comodo PremiumSSL Legacy Wildcard/CN=*.somestag.com
    issuer:  /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
  X509 certificate successfully verified and matches host somestage.com
  ---request begin---
  POST /thepath HTTP/1.0
  . . . . .
  ---response begin---
  HTTP/1.1 200 OK
  Date: Fri, 13 Aug 2010 16:27:31 GMT
  Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-15 mod_ssl/2.8.22 OpenSSL/0.9.7e
Debugging tools #3: tcpdump etc.
- tcpdump (on most Linux boxes)
  - Monitors traffic, e.g. to monitor port 443:
      tcpdump -i eth0 -v dst port 443
- Wireshark
  - Also monitors traffic (but a bit nicer UI)
  - http://www.wireshark.org/
Apache HTTP Server and SSL
- You shouldn't need to go here . . . but if you do, Bryan, Derrick, Pete and Frank can assist
- Basically there are config files and they point to the usual suspects (certs, keys etc.), e.g.:
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLCertificateFile /etc/httpd/conf/ssl.crt/somecert
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/somekey
Summary
- At a high level SSL is pretty straightforward
- But the devil is in the details – keystores / truststores, Apache configuration, different aggregator environments . . . . plus add in server whitelisting . . .
- When you hit a problem with SSL – first, don't panic! Check your configuration (run.conf, keystore/truststore, Apache settings – if appropriate).
- We are here to help . . .
Java Resources
- JSSE Reference Guide (for JDK 6): http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
- http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/ReadDebug.html