Java security

A pragmatic approach to using public / private certificates in keystores in Java.

The presentation starts with a technical but simplified explanation of security, certificates and keystores. It then introduces best practices regarding the use and maintenance of these resources.

Afterwards, practical how-tos (e.g. making certificates and keystores) and a demo application using 2-way SSL are shown. The presentation ends with some tips and tricks regarding troubleshooting.

Published in Technology
Transcript

  • 1. SECURITY SECURE CONNECTIONS IN JAVA Created by Bart Blommaerts / Christophe Weyn
  • 2. DEAD GIVEAWAY Security has always been very important. But we may rely on infrastructure too much (e.g. proxies, firewalls, ...).
  • 3. CLOUD? Application Security becomes even more important in the cloud: Architect security in from the start. Maintain and evaluate security in all sprints. Maintain and evaluate security after deployment.
  • 4. HTTPS BY DEFAULT ! Google Gmail Facebook Twitter LinkedIn Yahoo
  • 5. HEADS UP “Inevitably, you’ll cry the first time you attempt to configure mutual authentication with SSL (aka two-way SSL).” * The Fifteen Minute Guide to Mutual Authentication
  • 6. Unless you pay attention right now :-)
  • 7. SSL Secure Sockets Layer: protocol to ensure secure transactions between web servers and browsers. CERTIFICATES Different types exist: X509, PGP, SDSI, ...
  • 8. X509 X.509 certificate usually refers to the IETF’s PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280.
  • 9. DIFFERENT X509 CHARACTERISTICS ENCODINGS DER = used for binary DER-encoded certificates. PEM = used for X509 files which contain Base64-encoded data.
  • 10. DIFFERENT X509 CHARACTERISTICS EXTENSIONS CRT = common extension for certificates. CER = alternative extension for certificates. (Microsoft convention) KEY = extension used for public / private PKCS#8 keys. PKCS#8: PKI standard used to carry private certificate keypairs PKCS#12: PKI standard 'container' used to store private keys with accompanying public key certificates, protected with a password-based symmetric key.
  • 11. CONVERSION WITH OPENSSL PEM TO DER
    openssl x509 -in cert.crt -outform der -out cert.der
  • 12. CONVERSION WITH OPENSSL DER TO PEM
    openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
  • 13. EXAMPLE (PUBLIC KEY)
  • 14. EXAMPLE EXPLAINED Subject: Identification of the certificate. Issuer: Government CA.
  • 15. CERTIFICATE AUTHORITY Instance that issues digital certificates. A trusted third party: trusted by the subject (owner) and by the party relying upon the certificate. Over 50 root certificates in current browsers (e.g. by Comodo, Symantec, ...).
  • 16. VALIDITY Date From. Date Till. Beware of Certificate Revocation (CRL), e.g. when a certificate was improperly issued, compromised, ...
  • 17. EXAMPLE (PRIVATE KEY)
  • 18. EXAMPLE (CHAINED CERTIFICATE)
  • 19. EXAMPLE EXPLAINED Used to obtain the root CA certificate.
  • 20. MORE IN DETAIL Certificate "trsprt-acpt" Issuer CN = Subject CN of "Government CA" Certificate "Government CA" Issuer CN = Subject CN of "Belgium Root CA2" Certificate "Belgium Root CA2" Issuer CN = Subject CN
  • 21. ROOT CERTIFICATE Issuer CN = Subject CN. Self-signed certificate.
  • 22. KEYSTORES A Java KeyStore (JKS) is a repository of security certificates, either authorization certificates or public key certificates - used for instance in SSL encryption. * Wikipedia
  • 23. KEYSTORE Contains public/private keypairs. The private key is accompanied by the certificate chain for the corresponding public key. Decryption based on the private key. Used for certificate validation (and signing).
  • 24. SIGNSTORE Same as keystore, but only used for signing.
  • 25. SYMMETRIC STORE Decryption + encryption, based on same symmetric key.
  • 26. TRUSTSTORE Signature verification. Encryption based on the public key. Used to store certificates of parties you trust.
  • 27. EXAMPLE KEYSTORE
  • 28. EXAMPLE (DEFAULT) TRUSTSTORE
  • 29. 1-WAY SSL The server is required to present a certificate to the client but the client is not required to present a certificate to the server. To successfully negotiate an SSL connection, the client must authenticate the server, but the server will accept a connection from any client.
  • 30. 2-WAY SSL The server presents a certificate to the client and the client presents a certificate to the server.
  • 31. BEST PRACTICES DO NOT USE JVM PARAMETERS
    -Djavax.net.ssl.trustStore=XX -Djavax.net.ssl.trustStorePassword=XX
    Obvious Security Risk.
  • 32. BEST PRACTICES DO NOT USE DEFAULT CACERTS One day, you will upgrade or migrate, .. and forget about it.
  • 33. BEST PRACTICES KEEP IT REALLY SIMPLE You will probably not be the one maintaining it. Use a different keystore for each: Platform (DEV, UAT, PRD). Functionality: keystore, signstore, truststore.
  • 34. BEST PRACTICES DO NOT SHARE YOUR PRIVATE KEY Obvious Security Risk.
  • 35. DEMO APPLICATION https://bitbucket.org/elvinno/security-brown-bag.git SOAP messages over secured SSL connection. Do not confuse with signing a SOAP message using an X.509 Certificate!
  • 36. DEMO APPLICATION MODULES Server: BrownBagServicePublisher.java Client: Client.java
  • 37. PREREQUISITE FOR RUNNING THE DEMO Create client & server public/private keypairs and certificates. In this demo we'll be using java keytool to create a keystore with generated keypairs. In a production environment certificates must be created/requested by the application manager. Afterwards these certificates can be imported into a keystore using java keytool.
  • 38. SERVER KEYPAIR Create server keystore & generate certificate with java keytool. Use common name: server.security.brownbag.hp.com
    $ keytool -genkey -keyalg RSA -alias sec_server -keystore server_keystore.jks -storepass changeit -validity 360 -keysize 2048
    $ keytool -list -keystore server_keystore.jks
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    sec_server, 29-jan-2014, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 8E:FF:C0:A0:8B:1F:2E:41:27:7F:33:FB:E2:C0:F9:41:47:8C:BE:0D
    CN: server.security.brownbag.hp.com must be used to connect to the server. The Java SSL context compares the name in the CN with the connection address. => Adjust the hosts file!
  • 39. CLIENT KEYPAIR Create the client keystore
    $ keytool -genkey -keyalg RSA -alias sec_client -keystore client_keystore.jks -storepass changeit -validity 360 -keysize 2048
    $ keytool -list -keystore client_keystore.jks
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    sec_client, 29-jan-2014, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 8F:EE:24:74:89:27:9A:D5:0E:03:EB:90:C1:41:F6:97:48:58:49:42
  • 40. SERVER Run main method in BrownBagServicePublisher.java Has a keystore with a certificate & private key Has a truststore containing the client certificate
  • 41. CREATE SERVER TRUSTSTORE: TRUSTSTORE.JKS Extract the certificate from the client keystore. Import the client certificate into the truststore.
    $ keytool -export -keystore client_keystore.jks -alias sec_client -file sec_client.crt -storepass changeit
    $ keytool -import -file sec_client.crt -alias sec_client -keystore server_truststore.jks -storepass changeit
    $ keytool -list -keystore truststore.jks
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    sec_client, 29-jan-2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 8F:EE:24:74:89:27:9A:D5:0E:03:EB:90:C1:41:F6:97:48:58:49:42
  • 42. TEST SERVER WITH FIREFOX How-to: Accept the self-signed certificate warning in Firefox. Import the client certificate & private key from a PKCS#12 file into Firefox' personal certificates. Create the PKCS#12 file: client_keystore.p12
    $ keytool -importkeystore -srckeystore client_keystore.jks -destkeystore client_keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -srcalias sec_client -destalias sec_client -srckeypass changeit -destkeypass changeit -noprompt
  • 43. THE JAVA CLIENT Run main method in Client.java Has a keystore with the client certificate & private key Has a truststore containing the server certificate Uses the spring-ws framework
  • 44. CREATE THE CLIENT TRUSTSTORE Extract the certificate from the server keystore. Import the server certificate into the truststore.
    $ keytool -export -keystore server_keystore.jks -alias sec_server -file sec_server.crt -storepass changeit
    $ keytool -import -file sec_server.crt -alias sec_server -keystore client_truststore.jks -storepass changeit
    $ keytool -list -keystore truststore.jks
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    sec_server, 29-jan-2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 8E:FF:C0:A0:8B:1F:2E:41:27:7F:33:FB:E2:C0:F9:41:47:8C:BE:0D
  • 45. JAVA CODE Init keystore & truststore in java code. Configure SSLContext for the JVM.
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.KeyManagementException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.UnrecoverableKeyException;
    import java.security.cert.CertificateException;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;

    void setupKeystores() throws NoSuchAlgorithmException, KeyStoreException, IOException,
            CertificateException, UnrecoverableKeyException, KeyManagementException {
        final String KEYSTORE = "path/to/keystore.jks";
        final String TRUSTSTORE = "path/to/truststore.jks";
        final String KEYSTORE_PASS = "changeit";

        // Load the keystore (our own private key + certificate chain)
        KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(KEYSTORE)) { // close the file once it is loaded
            keyStore.load(in, KEYSTORE_PASS.toCharArray());
        }
        keyFactory.init(keyStore, KEYSTORE_PASS.toCharArray());

        // Load the truststore (certificates of the parties we trust; same password as the keystore here)
        TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUSTSTORE)) {
            trustStore.load(in, KEYSTORE_PASS.toCharArray());
        }
        trustFactory.init(trustStore);

        // Configure SSLContext for the JVM ("SSL" is the protocol name used on the slide; "TLS" is the modern name)
        SSLContext context = SSLContext.getInstance("SSL");
        context.init(keyFactory.getKeyManagers(), trustFactory.getTrustManagers(), null);
        SSLContext.setDefault(context);
    }
  • 46. TROUBLESHOOTING Use the system property: -Djavax.net.debug=ssl
  • 47. CLIENT EXCEPTION
    Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    Truststore is not found.
  • 48. CLIENT EXCEPTION
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    Server certificate not found in truststore. Server certificate expired or revoked.
  • 49. CLIENT EXCEPTION
    I/O error: Remote host closed connection during handshake; nested exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    I/O error: Connection reset; nested exception is java.net.SocketException: Connection reset
    The server doesn't trust the client: client certificate not in the server truststore. The client is sending the wrong certificate to the server. Or a technical error...
  • 50. QUESTIONS? ...
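Slides 20-21 identify the root of a chain by Issuer CN = Subject CN, and slide 16 warns about the validity window. The following is an added example, not code from the presentation or its demo repository: it loads a JKS truststore and applies both checks to every entry; the file name, password and the extra self-signature verification are my assumptions, not something the slides prescribe.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class TrustStoreAudit {
    // Slide 21 rule (Issuer = Subject), tightened: the signature must also verify under the cert's own key.
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal())) return false;
        try { cert.verify(cert.getPublicKey()); return true; }
        catch (GeneralSecurityException e) { return false; }
    }
    // Slide 16 validity window; revocation (CRL/OCSP) is NOT covered by checkValidity().
    static String validityStatus(X509Certificate cert) {
        try { cert.checkValidity(); return "valid until " + cert.getNotAfter(); }
        catch (CertificateExpiredException e) { return "EXPIRED on " + cert.getNotAfter(); }
        catch (CertificateNotYetValidException e) { return "not valid before " + cert.getNotBefore(); }
    }
    // Aliases of self-signed roots in the store (keytool -list does not flag these).
    static List<String> rootAliases(KeyStore store) throws GeneralSecurityException {
        List<String> roots = new ArrayList<>();
        for (String alias : Collections.list(store.aliases())) {
            Certificate c = store.getCertificate(alias); // null for secret-key entries
            if (c instanceof X509Certificate && isSelfSigned((X509Certificate) c)) roots.add(alias);
        }
        return roots;
    }
    public static void main(String[] args) throws Exception {
        // Assumed defaults: the truststore file and password created with keytool on slides 41 and 44.
        String path = args.length > 0 ? args[0] : "truststore.jks";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { store.load(in, pass); }
        for (String alias : Collections.list(store.aliases())) {
            Certificate c = store.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            System.out.printf("%s%n  subject: %s%n  issuer:  %s%n  %s%n", alias,
                    cert.getSubjectX500Principal(), cert.getIssuerX500Principal(), validityStatus(cert));
        }
        System.out.println("self-signed roots: " + rootAliases(store));
    }
}
```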
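Slides 29-30 describe 1-way versus 2-way SSL and slide 45 wires up the SSLContext, but neither shows where the JVM actually enforces the difference. This added example (my code, not the presentation's or the bitbucket demo's) builds the context the same way as slide 45 (with the streams closed and "TLS" requested instead of "SSL"), then requires a client certificate on the server and turns on hostname checking on the client for the CN rule from slide 38; the file names, port 8443 and the hosts entry are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.*;
public class MutualTls {
    // Same wiring as the slide-45 code; streams are closed and TLS is requested explicitly.
    static SSLContext buildContext(String keystore, String truststore, String pass) throws Exception {
        char[] pw = pass.toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystore)) { ks.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststore)) { ts.load(in, pw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    // Server side: this one call is the difference between 1-way (slide 29) and 2-way SSL (slide 30).
    static SSLServerSocket serverSocket(SSLContext ctx, int port) throws Exception {
        SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        ss.setNeedClientAuth(true); // handshake fails unless the client presents a cert the truststore accepts
        return ss;
    }
    // Client side: endpoint identification makes the JVM compare the certificate name with the host (slide 38).
    static SSLSocket clientSocket(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake(); // SSLHandshakeException here is the client-side symptom shown on slides 48-49
        return s;
    }
    public static void main(String[] args) throws Exception {
        // Assumed: stores and password from keytool on slides 38-44, and a hosts entry for the server CN.
        SSLContext server = buildContext("server_keystore.jks", "server_truststore.jks", "changeit");
        SSLContext client = buildContext("client_keystore.jks", "client_truststore.jks", "changeit");
        try (SSLServerSocket ss = serverSocket(server, 8443)) {
            new Thread(() -> {
                try (SSLSocket c = (SSLSocket) ss.accept()) {
                    System.out.println("server authenticated client: " + c.getSession().getPeerPrincipal());
                } catch (Exception e) { e.printStackTrace(); }
            }).start();
            try (SSLSocket cs = clientSocket(client, "server.security.brownbag.hp.com", 8443)) {
                System.out.println("client authenticated server: " + cs.getSession().getPeerPrincipal());
            }
        }
    }
}
```

Removing the setNeedClientAuth(true) line reverts the server to 1-way SSL: the client is still authenticated in the truststore sense, but any client that trusts the server certificate can connect.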