Java security
A pragmatic approach to using public / private certificates in keystores in Java.

The presentation starts with a technical but simplified explanation of security, certificates and keystores. Then it introduces best practices regarding the use and maintenance of these resources.

Afterwards practical how-tos (e.g. making certificates, keystores, ..) and a demo application using 2-way SSL are shown. The presentation ends with some tips and tricks regarding troubleshooting.

Java security Presentation Transcript

  • 1. SECURITY SECURE CONNECTIONS IN JAVA Created by Bart Blommaerts / Christophe Weyn
  • 2. DEAD GIVEAWAY Security has always been very important. But we may rely on infrastructure too much (e.g. proxies, firewalls, ..).
  • 3. CLOUD? Application Security becomes even more important in the cloud: Architect security in from the start. Maintain and evaluate security in all sprints. Maintain and evaluate security after deployment.
  • 4. HTTPS BY DEFAULT ! Google Gmail Facebook Twitter LinkedIn Yahoo
  • 5. HEADS UP “Inevitably, you’ll cry the first time you attempt to configure mutual authentication with SSL (aka two-way SSL).” * The Fifteen Minute Guide to Mutual Authentication
  • 6. Unless you pay attention right now :-)
  • 7. SSL Secure Socket Layer: protocol to ensure secure transactions between web servers and browsers. CERTIFICATES Different types exist: X509, PGP, SDSI, ...
  • 8. X509 X.509 certificate usually refers to the IETF’s PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280.
  • 9. DIFFERENT X509 CHARACTERISTICS ENCODINGS DER = used for binary DER encoded certificates. PEM = used for X509 files which contain Base64 encoded data.
  • 10. DIFFERENT X509 CHARACTERISTICS EXTENSIONS CRT = common extension for certificates. CER = alternative extension for certificates. (Microsoft convention) KEY = extension used for public / private PKCS#8 keys. PKCS#8: PKI standard used to carry private certificate keypairs PKCS#12: PKI standard 'container' used to store private keys with accompanying public key certificates, protected with a password-based symmetric key.
  • 11. CONVERSION WITH OPENSSL PEM TO DER
    openssl x509 -in cert.crt -outform der -out cert.der
  • 12. CONVERSION WITH OPENSSL DER TO PEM
    openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
  • 13. EXAMPLE (PUBLIC KEY)
  • 14. EXAMPLE EXPLAINED Subject: Identification of the certificate. Issuer: Government CA.
  • 15. CERTIFICATE AUTHORITY Entity that issues digital certificates. A trusted third party: trusted both by the subject (owner) and by the party relying upon the certificate. Over 50 root certificates in current browsers (e.g. by Comodo, Symantec, ..).
  • 16. VALIDITY Date From. Date Till. Beware of Certificate Revocation (CRL), e.g. improperly issued, compromised, ..
  • 17. EXAMPLE (PRIVATE KEY)
  • 18. EXAMPLE (CHAINED CERTIFICATE)
  • 19. EXAMPLE EXPLAINED Used to obtain the root CA certificate.
  • 20. MORE IN DETAIL Certificate "trsprt-acpt" Issuer CN = Subject CN of "Government CA" Certificate "Government CA" Issuer CN = Subject CN of "Belgium Root CA2" Certificate "Belgium Root CA2" Issuer CN = Subject CN
  • 21. ROOT CERTIFICATE Issuer CN = Subject CN. Self-signed certificate.
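    As an added example (not code from the presentation or its demo repository), the following Java program walks the chain stored under one keystore alias and applies the checks described in slides 16, 20 and 21: Issuer of each certificate equals Subject of the next, each signature verifies with the next certificate's public key, the root is self-signed, and every certificate is inside its validity window. It also prints the SHA1 fingerprint in the form keytool -list shows. Keystore path, password and alias are command-line arguments (my assumption); the demo's server_keystore.jks / changeit / ssc_server would do.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class ChainCheck {
    // SHA1 fingerprint in the colon-separated form that keytool -list prints.
    static String sha1Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
    // chain[0] is the end-entity certificate, the last element the root.
    // Returns true when every link holds; prints the first broken link otherwise.
    static boolean checkChain(Certificate[] chain) throws Exception {
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            // The signer is the next certificate, or the certificate itself for the
            // root (Issuer CN = Subject CN, self-signed, as on slide 21).
            X509Certificate signer = (i + 1 < chain.length) ? (X509Certificate) chain[i + 1] : cert;
            if (!cert.getIssuerX500Principal().equals(signer.getSubjectX500Principal())) {
                System.out.println("issuer/subject mismatch at " + cert.getSubjectX500Principal());
                return false;
            }
            cert.verify(signer.getPublicKey()); // throws SignatureException if the signature is bad
            cert.checkValidity();               // throws if outside "Date From" / "Date Till" (slide 16)
            System.out.println(cert.getSubjectX500Principal().getName()
                    + "  SHA1 " + sha1Fingerprint(cert) + "  until " + cert.getNotAfter());
        }
        return true;
    }
    // Usage: java ChainCheck server_keystore.jks changeit ssc_server
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // Key entries carry a chain; a trustedCertEntry only carries one certificate.
        Certificate[] chain = ks.getCertificateChain(args[2]);
        if (chain == null) chain = new Certificate[] { ks.getCertificate(args[2]) };
        System.out.println(checkChain(chain) ? "chain OK" : "chain BROKEN");
    }
}
```

    Note that checkValidity() only covers the validity dates; revocation (the CRL caveat on slide 16) is not consulted by this check.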
  • 22. KEYSTORES A Java KeyStore (JKS) is a repository of security certificates, either authorization certificates or public key certificates - used for instance in SSL encryption. * Wikipedia
  • 23. KEYSTORE Contains public/private keypairs. The private key is accompanied by the certificate chain for the corresponding public key. Decryption based on private key. Used for certificate validation (and signing).
  • 24. SIGNSTORE Same as keystore, but only used for signing.
  • 25. SYMMETRIC STORE Decryption + encryption, based on same symmetric key.
  • 26. TRUSTSTORE Signature verification. Encryption based on public key. Used to store certificates of parties you trust.
  • 27. EXAMPLE KEYSTORE
  • 28. EXAMPLE (DEFAULT) TRUSTSTORE
  • 29. 1-WAY SSL The server is required to present a certificate to the client but the client is not required to present a certificate to the server. To successfully negotiate an SSL connection, the client must authenticate the server, but the server will accept a connection from any client.
  • 30. 2-WAY SSL The server presents a certificate to the client and the client presents a certificate to the server.
  • 31. BEST PRACTICES DO NOT USE JVM PARAMETERS
    -Djavax.net.ssl.trustStore=XX -Djavax.net.ssl.trustStorePassword=XX
    Obvious Security Risk.
  • 32. BEST PRACTICES DO NOT USE DEFAULT CACERTS One day, you will upgrade or migrate, .. and forget about it.
  • 33. BEST PRACTICES KEEP IT REALLY SIMPLE You will probably not be the one maintaining it. Use a different keystore for each: Platform (DEV, UAT, PRD). Functionality: keystore, signstore, truststore.
  • 34. BEST PRACTICES DO NOT SHARE YOUR PRIVATE KEY Obvious Security Risk.
  • 35. DEMO APPLICATION https://bitbucket.org/elvinno/security-brown-bag.git SOAP messages over a secured SSL connection. Do not confuse with signing a SOAP message using an X.509 Certificate!
  • 36. DEMO APPLICATION MODULES Server: BrownBagServicePublisher.java Client: Client.java
  • 37. PREREQUISITE FOR RUNNING THE DEMO Create client & server public/private keypairs and certificates. In this demo we'll be using java keytool to create a keystore with generated keypairs. In a production environment certificates must be created/requested by the application manager. Afterwards these certificates can be imported into a keystore using java keytool.
  • 38. SERVER KEYPAIR Create server keystore & generate certificate with java keytool. Use common name: server.security.brownbag.hp.com
    $ keytool -genkey -keyalg RSA -alias ssc_server -keystore server_keystore.jks -storepass changeit -validity 360 -keysize 2048
    $ keytool -list -keystore server_keystore.jks
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    ssc_server, 29-jan-2014, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 8E:FF:C0:A0:8B:1F:2E:41:27:7F:33:FB:E2:C0:F9:41:47:8C:BE:0D
    CN: server.security.brownbag.hp.com must be used to connect to the server. The Java SSL context compares the name in the CN with the connection address. => Adjust the TCP hosts file!
  • 39. CLIENT KEYPAIR Create the client keystore
    $ keytool -genkey -keyalg RSA -alias ssc_client -keystore client_keystore.jks -storepass changeit -validity 360 -keysize 2048
    $ keytool -list -keystore client_keystore.jks
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    ssc_client, 29-jan-2014, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 8F:EE:24:74:89:27:9A:D5:0E:03:EB:90:C1:41:F6:97:48:58:49:42
  • 40. SERVER Run main method in BrownBagServicePublisher.java Has a keystore with a certificate & private key Has a truststore containing the client certificate
  • 41. CREATE SERVER TRUSTSTORE: TRUSTSTORE.JKS Extract certificate from client keystore. Import client certificate into the truststore.
    $ keytool -export -keystore client_keystore.jks -alias ssc_client -file ssc_client.crt -storepass changeit
    $ keytool -import -file ssc_client.crt -alias ssc_client -keystore server_truststore.jks -storepass changeit
    $ keytool -list -keystore truststore.jks
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    ssc_client, 29-jan-2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 8F:EE:24:74:89:27:9A:D5:0E:03:EB:90:C1:41:F6:97:48:58:49:42
  • 42. TEST SERVER WITH FIREFOX How-to: Accept the self-signed certificate warning in Firefox. Import client certificate & private key from a PKCS#12 file into Firefox' personal certificates. Create the PKCS#12 file: client_keystore.p12
    $ keytool -importkeystore -srckeystore client_keystore.jks -destkeystore client_keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -srcalias ssc_client -destalias ssc_client -srckeypass changeit -destkeypass changeit -noprompt
  • 43. THE JAVA CLIENT Run main method in Client.java Has a keystore with the client certificate & private key Has a truststore containing the server certificate Uses the spring-ws framework
  • 44. CREATE THE CLIENT TRUSTSTORE Extract certificate from server keystore. Import server certificate into the truststore.
    $ keytool -export -keystore server_keystore.jks -alias ssc_server -file ssc_server.crt -storepass changeit
    $ keytool -import -file ssc_server.crt -alias ssc_server -keystore client_truststore.jks -storepass changeit
    $ keytool -list -keystore truststore.jks
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    ssc_server, 29-jan-2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 8E:FF:C0:A0:8B:1F:2E:41:27:7F:33:FB:E2:C0:F9:41:47:8C:BE:0D
  • 45. JAVA CODE Init keystore & truststore in java code. Configure SSLContext for the JVM.
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.security.KeyManagementException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.UnrecoverableKeyException;
    import java.security.cert.CertificateException;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;

    void setupKeystores() throws NoSuchAlgorithmException, KeyStoreException, IOException,
            CertificateException, UnrecoverableKeyException, KeyManagementException {
        final String KEYSTORE = "/path/to/keystore.jks";
        final String TRUSTSTORE = "/path/to/truststore.jks";
        final String KEYSTORE_PASS = "changeit";
        // Load the keystore (our private key and its certificate chain)
        KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
            keyStore.load(in, KEYSTORE_PASS.toCharArray());
        }
        keyFactory.init(keyStore, KEYSTORE_PASS.toCharArray());
        // Load the truststore (certificates of the parties we trust)
        TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(TRUSTSTORE)) {
            trustStore.load(in, KEYSTORE_PASS.toCharArray());
        }
        trustFactory.init(trustStore);
        // Configure SSLContext for the JVM ("TLS" is the usual protocol name on current JDKs)
        SSLContext context = SSLContext.getInstance("SSL");
        context.init(keyFactory.getKeyManagers(), trustFactory.getTrustManagers(), null);
        SSLContext.setDefault(context);
    }
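    Added example, not the presentation's own code: it takes the default SSLContext configured by the slide-45 code and shows the difference between 1-way and 2-way SSL from slides 29 and 30, plus the hostname check behind the CN remark on slide 38. Port 8443 and the shortcut of letting one process play both server and client with the same stores are my assumptions; in the demo each side loads its own keystore and truststore, so for this single-process run the truststore must contain the certificate that the keystore presents.

```java
import java.security.cert.*;
import javax.net.ssl.*;

public class MutualTls {
    // Server side. mutual=false is 1-way SSL (any client accepted); mutual=true is
    // 2-way SSL: the handshake fails unless the client's certificate is trusted.
    static SSLServerSocket listen(SSLContext ctx, int port, boolean mutual) throws Exception {
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        server.setNeedClientAuth(mutual);
        return server;
    }
    // Client side. Endpoint identification makes JSSE compare the certificate's
    // CN/SAN with the host we dialled (why slide 38 needs the hosts-file entry).
    static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();   // SSLHandshakeException here = trust or name problem
        return socket;
    }
    // Subject of the authenticated peer, or null when it sent no certificate
    // (what the server sees on a 1-way connection).
    static String peerName(SSLSocket socket) {
        try {
            Certificate[] chain = socket.getSession().getPeerCertificates();
            return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        } catch (SSLPeerUnverifiedException e) {
            return null;
        }
    }
    // Usage: java MutualTls [2-way]  -- assumes setupKeystores() from slide 45 ran first
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        boolean mutual = args.length > 0 && args[0].equals("2-way");
        try (SSLServerSocket server = listen(ctx, 8443, mutual)) {
            new Thread(() -> {
                try (SSLSocket s = (SSLSocket) server.accept()) {
                    s.startHandshake();
                    System.out.println("server authenticated client: " + peerName(s));
                } catch (Exception e) { System.out.println("server: " + e); }
            }).start();
            try (SSLSocket client = connect(ctx, "server.security.brownbag.hp.com", 8443)) {
                System.out.println("client authenticated server: " + peerName(client));
            }
        }
    }
}
```

    Run it without arguments for 1-way SSL (the server prints null for the client) and with 2-way to see the server print the client's subject, or fail with the handshake exceptions listed on slides 47 to 49 when the stores do not match.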
  • 46. TROUBLESHOOTING Use the system property: -Djavax.net.debug=ssl
  • 47. CLIENT EXCEPTION
    Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    Truststore is not found.
  • 48. CLIENT EXCEPTION
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    Server certificate not found in truststore. Server certificate expired or revoked.
  • 49. CLIENT EXCEPTION
    I/O error: Remote host closed connection during handshake; nested exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    I/O error: Connection reset; nested exception is java.net.SocketException: Connection reset
    The server doesn't trust the client: client certificate not in server truststore. The client is sending the wrong certificate to the server. Or a technical error...
  • 50. QUESTIONS? ...