#engageug
Fun With SHA2 Certs
by Gabriella Davis
Technical Director - The Turtle Partnership
gabriella@turtlepartnership.com
Who Are We?
• Admin of all things and especially quite complicated things where the fun is
• Working with security, healthchecks, single sign on, design and deployment of Domino, ST, Connections and things that they talk to
• Stubborn and relentless problem solver
• Lives in London about half of the time
• gabriella@turtlepartnership.com
• twitter: gabturtle
This is Betty
Betty likes to shop and bank online.
Betty gets emails telling her to click on a link and give her password.
Betty knows the internet is scary.
She always clicks the link.
This is Hank
Hank owns a bank.
He needs to keep Betty's money safe.
Hank knows Betty will click on the link... and that it will be his fault if her money goes missing.
This is Jazz
Jazz is a system administrator.
Jazz is cool.
Jazz has to keep corporate data secure whilst keeping access simple and staying ahead of hackers.
Jazz doesn't sleep much.
This is Harry
Harry is a jerk with no morals.
He only cares about getting money and causing disruption.
Encryption
[Figure: "Hi Betty !" goes in, a block of ciphertext travels across the network, and "Hi Betty !" comes out the other end]
It's all about the key. How strong is it? How secure is it? Is it even the right key?
Encryption Algorithms, Protocols & Strengths
• The SSL protocol has been deprecated and replaced with TLS
• The last version of SSL (SSLv3) is still vulnerable and should be switched off
• SHA, SHA2, AES, DES, TLS: these are not all the same kind of thing
  • SHA (SHA-1) and SHA2 are hash algorithms, used when a certificate is signed
  • AES and DES are ciphers, used to encrypt the session data itself
  • TLS is the protocol that negotiates which hash and cipher a connection will use
• The key strength is how large the key is: for the RSA key behind a certificate that means 2048 or 4096 bits
• Old or broken algorithms such as SHA-1, MD5 and DES are no longer considered secure enough to use; AES is still fine
• Using lower key strengths to create certificates makes them more vulnerable to brute force attacks
Man in the middle
[Figure: "Hi Betty !" is encrypted and sent, but Harry sits in the middle of the connection; the ciphertext passes through him and what reaches Betty has become "Bye Betty!"]
Other Common Session Hijacking Attacks
• Sidejacking
• stealing session cookies
• unencrypted login information is particularly vulnerable
• Evil Twin
• fake wifi networks that are designed purely to steal data
• Sniffing
• Reading data traffic on a network using readily available tools
Why Is This A Growing Problem?
• Too many old algorithms with weaknesses are still around
• Computing power is cheap enough that short keys can be brute forced in hours
• Hacking is a playground, often about disruption more than theft
• As fast as one weakness is fixed, another is found
  • and that assumes Jazz has the time and resources to keep everything up to date
• Obscurity is not security
  • Just because you don't think you're important enough doesn't mean you aren't a target
  • Most attacks are opportunistic: scanners find weak servers rather than picking you out in advance
• This isn't a movie
So We Need The Strongest Certificate That Uses The Best Algorithm & Is Kept Up To Date
How Do We Do That?
Certificate Structures
• Certificate authorities
• Private keys
• Trusted roots
• Generating a certificate
  • You'll need a keyfile (the server's private key)
  • You'll need a request (CSR) with all the details of your certificate, signed with that key
  • You'll need the trusted root and intermediate certificates of your CA
  • You'll need the final certificate itself
With SHA2 & Strong Keys
[Figure: "Hi Betty !" is encrypted with a strong key and a SHA2-signed certificate; Harry still sees the ciphertext in the middle but can neither read nor alter it, and "Hi Betty!" arrives intact]
File Extensions For Certificates
• More acronyms
• Certificate formats
  • PEM: text, base64 between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines (keys and requests use the same wrapping with their own headers)
  • CRT, CER: a certificate; usually PEM, occasionally DER, so check the file rather than trusting the extension
  • KEY: a private key, normally PEM
  • DER: the same certificate as raw binary
  • PFX or P12: a PKCS#12 bundle of private key plus certificate chain, protected by a password
  • CSR: certificate signing request, the file you send to the CA
OpenSSL
• An open source toolkit and library for TLS (and its predecessor SSL) and the cryptography underneath them
• Available for most platforms
• Developed and managed by https://www.openssl.org
  • repository for downloads on https://github.com/openssl/openssl
• Create certificates
• Convert certificates
• Extract certificates
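The formats on the File Extensions slide and the "convert" and "extract" bullets above, as an added example that is not the deck's own code: one throwaway self-signed certificate is converted from PEM to DER, bundled into a PKCS#12 with its key, pulled back out again, and fingerprinted at each step to show it is still the same certificate. The hostname, the password and the file names are made up for the example.

```sh
#!/bin/sh
# Added example (not the deck's code): one throwaway certificate converted
# between the formats on the slide (PEM, DER, PKCS#12) and back, with a check
# at each step that it is still the same certificate and key.
# Assumed/made up: the hostname, the password and the file names.
set -eu

# A self-signed certificate and key in PEM to start from.
make_pem_pair() {  # $1 = workdir
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Name a file's format from its PEM header; DER and PKCS#12 have none.
format_of() {  # $1 = file
    if   grep -q 'BEGIN CERTIFICATE REQUEST' "$1"; then echo csr
    elif grep -q 'BEGIN CERTIFICATE' "$1";         then echo pem-cert
    elif grep -q 'PRIVATE KEY' "$1";               then echo pem-key
    else echo binary
    fi
}

# PEM <-> DER: the same certificate, text wrapped vs raw binary.
pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }

# PEM key + certificate -> PKCS#12 (.p12/.pfx), protected by a password.
to_p12() {  # $1 = key, $2 = cert, $3 = output .p12, $4 = password
    openssl pkcs12 -export -inkey "$1" -in "$2" -passout "pass:$4" -out "$3"
}

# Pull the certificate, and separately the key, back out of a PKCS#12.
p12_cert() {  # $1 = .p12, $2 = password, $3 = output PEM cert
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | openssl x509 -out "$3"
}
p12_key() {   # $1 = .p12, $2 = password, $3 = output PEM key (unencrypted)
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | openssl pkey -out "$3"
}

# SHA-256 fingerprint of a certificate in either encoding ($2 = PEM or DER).
fingerprint() { openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2; }

# Round trip everything; prints "formats match" if no conversion changed the cert or key.
run_format_demo() {
    d=$(mktemp -d)
    make_pem_pair "$d"
    pem_to_der "$d/server.crt" "$d/server.der"
    der_to_pem "$d/server.der" "$d/from_der.crt"
    to_p12 "$d/server.key" "$d/server.crt" "$d/server.p12" changeit
    p12_cert "$d/server.p12" changeit "$d/from_p12.crt"
    p12_key  "$d/server.p12" changeit "$d/from_p12.key"
    [ "$(format_of "$d/server.crt")" = pem-cert ] || { echo "crt not PEM"; return 1; }
    [ "$(format_of "$d/server.key")" = pem-key ]  || { echo "key not PEM"; return 1; }
    [ "$(format_of "$d/server.der")" = binary ]   || { echo "der not binary"; return 1; }
    [ "$(format_of "$d/server.p12")" = binary ]   || { echo "p12 not binary"; return 1; }
    fp=$(fingerprint "$d/server.crt" PEM)
    [ "$fp" = "$(fingerprint "$d/server.der" DER)" ]    || { echo "DER differs"; return 1; }
    [ "$fp" = "$(fingerprint "$d/from_der.crt" PEM)" ]  || { echo "PEM from DER differs"; return 1; }
    [ "$fp" = "$(fingerprint "$d/from_p12.crt" PEM)" ]  || { echo "cert from p12 differs"; return 1; }
    [ "$(openssl pkey -in "$d/server.key" -pubout)" = "$(openssl pkey -in "$d/from_p12.key" -pubout)" ] \
        || { echo "key from p12 differs"; return 1; }
    echo "formats match"
}
```

The fingerprint is the thing to compare when you are handed a .cer, a .crt and a .p12 and need to know whether they are the same certificate: the encoding changes, the SHA-256 fingerprint of the certificate does not. The same commands do the job when a WebSphere export (.p12) has to become the PEM pair a non-IBM product wants, or the other way round.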
HERE BE TIGERS
Installing OpenSSL - For the brave
• https://www.openssl.org/source/
  • ftp://ftp.openssl.org/source/ previous version
  • ftp://ftp.openssl.org/source/old older versions
• Download the compressed file and extract it
• Read the README, then follow the INSTALL file for your platform, e.g.
  • INSTALL Linux, Unix, etc.
  • INSTALL.W32 Windows (32bit)
  • INSTALL.W64 Windows (64bit)
• https://wiki.openssl.org/index.php/Compilation_and_Installation
Installing OpenSSL Under Windows
• I found the easiest solution (as an Admin) is to install the pre-built Windows executable from Shining Light - there are others out there
• https://slproweb.com/products/Win32OpenSSL.html
• Download the most recent "lite" version
  • Currently 1.0.2f (Win32OpenSSL_Light-1_0_2f)
Installing OpenSSL For Linux
• Many Linux distros come with a pre-compiled version of OpenSSL
  • yum install openssl (or the equivalent for your distro's package manager)
• each OS may have its own method for configuration
Let's Create Some Certificates
Domino – Creating A SHA2 Certificate
• Domino no longer uses the Secure Server Certificate database to generate keyfiles or merge certificates
• We use a combination of OpenSSL and an IBM utility for Domino called kyrtool
  • download kyrtool from IBM Fixcentral http://ibm.co/1SAYX5E
  • copy it to your Notes or Domino program directory
  • The program files must be 9.0.1 FP3 or higher
Domino – Creating A SHA2 Certificate
• We need to decide the size of the key pair we want to create
  • the larger the key, the more work it takes to break it
  • not all software systems support the largest key sizes (see the WebSphere 4096 slide later on)
• If using Windows, set the environment variable for OpenSSL first
  • set OPENSSL_CONF=c:\openssl\bin\openssl.cfg
  • verify openssl.cfg actually exists in that directory
• To create a 4096 bit key pair
  • c:\openssl\bin\openssl genrsa -out mynewserver.key 4096
  • mynewserver.key is the server's private key: keep it out of shared folders and mail, anyone holding it can impersonate the server
Create a Certificate Signing Request
• This is what you send to your CA when buying a new certificate
  • openssl req -new -sha256 -key mynewserver.key -out mynewserver.csr
  • note the -sha256: the request is signed with SHA-256, which tells the CA we want a SHA2 certificate (check the certificate they issue is SHA2 too, the CA has the final say)
  • the CSR is decoded and shown back to you by the CA when you submit it, so you can check that the details are right
  • if not, you can recreate it by running the command again with the same key
MyNewServer.CSR
-----BEGIN CERTIFICATE REQUEST-----
MIIEvjCCAqYCAQAweTELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEjMCEG
A1UECgwaVGhlIFR1cnRsZSBQYXJ0bmVyc2hpcCBMdGQxCzAJBgNVBAsMAklUMScw
JQYDVQQDDB50cmF2ZWxlci50dXJ0bGVwYXJ0bmVyc2hpcC5jb20wggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQDG5S3l7CtwiZQDHPXPxZMt3tQa8styCuZ+
CyipKAyqAKvaurqGfb232kYjLdR9hDh/TAswAeG40+DuQN4LKW4efWB91tQTKyZp
R9Kt5y6hVgKLjWbkZUqJcBRq60w7E1x+ufAqADLlhQAH0Q5fVe8aLhkYc5qIz4u/
JIm1Y+RgO3M/80v4xl85s6R/wEUSOdynKjrpBOsgWXUWu6pkCmxQOTD0lZfII5Lj
GztF9m7It8KcUojV4IdlsBNGlmOwdRgRwV1oqR0C3wdK9325xEbZcQgBnLBYprcN
GxZTwQpkIkv9tHVs7jhmrJsIYCRv7uDgIVpd3VXcTpGJXdBNgAxy7zW2q/EBlFMe
nPoavA8yyEID4tRHAQwCsDd4aoM/y3ZJRdU9ZyJE6fbcja2lDoB1r0dQWzA17UTC
o4qFgdLqJ94IKlEhnkYF7Dotj3lt0tBpNLRdL3MQwMdpGpetYYhLATQRNaXaOz9n
IsSFI/kIb5KKmFJX39vX7LjeAi9uRe4TbUBWBIWl+kmIT8n4xjUbjIeLrFWYUD4E
Aft6qEmXyScIRufqorbWMz88juuC9Svkcm3zjGcLFjGSuxXOhrrMA6LpCqQJXHI1
5NCjZMdh/1xD1K39JhcYvSdfcpEtOe3CIXMpmkmJK0kANWrUOgeajoz7xC1vsUcE
H4btBohD7B6fiqdozsOsvN1s
-----END CERTIFICATE REQUEST-----
Now Comes The Domino Bit
• We have to create a keyring file in a format Domino will be able to read
• For that we use the kyrtool we downloaded from FixCentral
• From your Notes program directory
  • kyrtool create -k c:\notes\data\mynewserver.kyr -p <passwordyouwanttouse>
• this will create two files
  • mynewserver.kyr
  • mynewserver.sth (this is the stashed password that unlocks the keyring, so it needs the same file protection as the keyring itself)
Nearly There…
• We have our keyring file
• We have sent our request for a certificate, generated off our new key pair, to our CA
• When the CA sends the certificate back we can merge the new certificate into our keyring file
  • we need to merge ALL the certificates, root, intermediate and server, together with the private key, into a single file, in this order: key, server, intermediate, root
  • c:\openssl\bin> type mynewserver.key server.crt intermediate.crt root.crt > mynewserver.txt
  • mynewserver.txt now contains the private key, so treat it as a secret and delete it once it has been imported
Last Step
• We now add our new txt file with all the certificates in it into our new Domino keyring
  • c:\ibm\notes\kyrtool import all -k c:\notes\data\mynewserver.kyr -i c:\openssl\bin\mynewserver.txt
• That's it. We now have a shiny keyring pair (.kyr and .sth) to use with our Domino server
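The Domino steps above (4096 bit key, SHA-256 CSR, then key plus server, intermediate and root certificates concatenated into the one file kyrtool reads), as a script that runs offline. This is an added example, not code from the deck or from IBM: a throwaway root and intermediate, constructed here for the example only, stand in for the commercial CA, and the hostname, subject fields and directory names are assumptions. kyrtool itself is not run; the script stops at the file that "kyrtool import all" would take and checks it the way you would want to before importing it.

```sh
#!/bin/sh
# Added example (not the deck's or IBM's code): the OpenSSL half of the Domino
# procedure above, with a throwaway root and intermediate standing in for the
# commercial CA so it runs offline. kyrtool itself is not run; the script ends
# at the file "kyrtool import all" would read and checks it first.
# Assumed/made up: hostname, subject fields, directory names.
set -eu

# Step 1: private key and a SHA-256 signed CSR, as on the slides.
make_key_and_csr() {  # $1 = workdir, $2 = hostname, $3 = key bits (default 4096)
    openssl genrsa -out "$1/mynewserver.key" "${3:-4096}" 2>/dev/null
    openssl req -new -sha256 -key "$1/mynewserver.key" \
        -subj "/C=GB/ST=London/O=Example Ltd/CN=$2" -out "$1/mynewserver.csr"
}

# Check a CSR before it goes to the CA: self-signature verifies, the request
# is signed with SHA-256, and the public key inside it is 4096 bits.
check_csr() {  # $1 = csr file; returns 1 on any failure
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    text=$(openssl req -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    printf '%s\n' "$text" | grep -Fq 'Public-Key: (4096 bit)' || return 1
}

# Step 2: stand-in CA (constructed for the example only). Root and
# intermediate carry CA:TRUE so the chain verifies the way a real one does.
fake_ca_issue() {  # $1 = workdir, $2 = csr to sign; writes root/intermediate/server .crt
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    openssl genrsa -out "$1/root.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$1/root.key" -subj "/CN=Example Test Root" -out "$1/root.csr"
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -sha256 -days 1 \
        -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null
    openssl genrsa -out "$1/intermediate.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$1/intermediate.key" \
        -subj "/CN=Example Test Intermediate" -out "$1/intermediate.csr"
    openssl x509 -req -in "$1/intermediate.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -sha256 -days 1 -extfile "$1/ca.ext" -out "$1/intermediate.crt" 2>/dev/null
    openssl x509 -req -in "$2" -CA "$1/intermediate.crt" -CAkey "$1/intermediate.key" \
        -CAcreateserial -sha256 -days 1 -out "$1/server.crt" 2>/dev/null
}

# Step 3: the "type key server intermediate root > txt" step. Order matters:
# private key first, then server, intermediate and root certificates.
build_kyrtool_input() {  # $1 = workdir
    cat "$1/mynewserver.key" "$1/server.crt" "$1/intermediate.crt" "$1/root.crt" \
        > "$1/mynewserver.txt"
}

# Checks to run on that file before "kyrtool import all": the first PEM block
# is the private key, three certificates follow, the server certificate chains
# up to the root, and it matches the private key it sits next to.
check_kyrtool_input() {  # $1 = workdir; prints "chain ok" on success
    f="$1/mynewserver.txt"
    first=$(grep -m1 -- '-----BEGIN' "$f" || true)
    case $first in *"PRIVATE KEY"*) ;; *) echo "key is not first"; return 1 ;; esac
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -eq 3 ] \
        || { echo "expected 3 certificates"; return 1; }
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" "$1/server.crt" >/dev/null \
        || { echo "chain does not verify"; return 1; }
    [ "$(openssl x509 -in "$1/server.crt" -noout -pubkey)" = "$(openssl pkey -in "$1/mynewserver.key" -pubout)" ] \
        || { echo "certificate does not match key"; return 1; }
    echo "chain ok"
}

# Whole flow in a scratch directory; prints "chain ok" when everything lines up.
run_domino_example() {
    d=$(mktemp -d)
    make_key_and_csr "$d" traveler.example.test
    check_csr "$d/mynewserver.csr" || { echo "bad csr"; return 1; }
    fake_ca_issue "$d" "$d/mynewserver.csr"
    build_kyrtool_input "$d"
    check_kyrtool_input "$d"
}
```

On a real deployment the two checks are the useful part: check_csr on mynewserver.csr before it goes to the CA (a 2048 bit or SHA-1 request fails it), and check_kyrtool_input on the real mynewserver.txt with the CA's own root.crt and intermediate.crt in place of the throwaway ones. A file that passes those checks is one kyrtool will import without complaining about a missing issuer or a mismatched key.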
Installing A SHA2 Certificate Under Domino
• Install using Internet Site Documents
  • The first keyring file in the Internet Site docs view that matches the server configuration "wins"
  • Avoid too many wildcard or duplicate Internet Site Documents
• What can you use it for
  • HTTPS (Traveler, websites)
  • S/MIME (encrypted mail)
  • TLS (HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP, and POP3)
  • DIIOP as of 9.0.1 FP5
More Domino SSL
• Remove weak ciphers from the site documents
• Add Disable_SSLV3=1 to the notes.ini on the server
• Domino supports TLS 1.2 now
  • SSL_DISABLE_TLS_10=1 in notes.ini switches TLS 1.0 off as well, once your clients no longer need it
• https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2
Working With WebSphere Certificates
• WebSphere installs with its own keystores for each cell and node you add
• The keystores are created at install time and hold a default certificate issued by WebSphere itself, with the hostname of the server you're installing onto
• The cell keystores are found in
  • /profiles/Dmgr01/config/cells/{cellname}/trust.p12
  • /profiles/Dmgr01/config/cells/{cellname}/key.p12
Accessing The SSL Configuration
• Login to the WebSphere ISC
• Security - SSL Certificate and Key Management
Adding A New Certificate To WebSphere
• Go to the CellDefaultTrustStore; if the certificate already exists on another server you can "Retrieve from port"
• Add your root and intermediate certificates here
Personal Certificate Request
• The simplest way to generate a WAS certificate
  • create a CSR in WAS
  • "receive" it into WAS when it comes back from the CA
  • you can't "receive" a certificate you didn't request from that keystore, because the matching private key only exists where the CSR was generated
WebSphere and 4096 Key Length Certificates
• A 4096 bit certificate can generate an error when attempting to add it to WebSphere
  • "RSA premaster secret"
• You need to add the unrestricted JCE policy files to the Java SDK WebSphere runs on before 4096 bit certificates can be imported
The Unrestricted Policy Files
• ibm.co/1JZGs3z
Exporting A Certificate From WebSphere
• Export a WAS certificate so that it can be imported onto other systems
  • Such as a keyfile database generated by ikeyman and used by IBM HTTP Server
Working With Ikeyman
• There are different versions of ikeyman that create keyfile databases recognised by different products
• Look in the program directory for your installed product to find the right one
  • For IBM HTTP Server the file is in /IBM/HTTPServer/bin
• On Linux you'll need to configure X11 forwarding if you don't have a graphical interface
Working With IKeyMan - Signer Certificates
• Import the WebSphere certificate we extracted earlier
• Add root and intermediate certificates
Working With IKeyman - Personal Certificates
Editing httpd.conf to add SSL configuration
• Example content
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 0.0.0.0:443
    <VirtualHost *:443>
    SSLEnable
    SSLProtocolDisable SSLv2
    </VirtualHost>
    KeyFile /opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-cfg.kdb
    SSLDisable
• Given what was said earlier about SSLv3, disable that too and not just SSLv2 (SSLProtocolDisable takes a list of protocols)
• KeyFile points at the .kdb you built with ikeyman; its .sth stash file must sit beside it or IHS can't open the keystore
• Restart IHS - use netstat to see if 443 is active and listening
• Check IHS logs for SSL errors
• If WebSphere doesn't have a copy of the IHS certificate and IHS doesn't have a copy of the WebSphere certificate, or they don't share a trusted root, they won't be able to communicate
SSL and Development
• Despite the initial pain, see if you can get a proper production SSL certificate to use on your development environment
• If you can not (for cost reasons), ensure you create a self-signed certificate that is EXACTLY the same type as your production environment: same key size, same signature algorithm (SHA2), same chain layout
• Identify ALL your third party libraries to your Admins, as well as any changes in versions, in a proper release document, particularly if you are overriding an existing library on the server
Testing SSL On Your Site
• https://www.ssllabs.com/ssltest/
  • it reports the protocols and ciphers the server accepts, the signature algorithm and key size of the certificate, and whether the chain is complete, so it catches the problems described in these slides
• You can't stay ahead of the hackers but you must be vigilant and keep up
• Have a plan for monitoring
• Have a plan for lock down at the first appearance of exposure
• Have a plan to fix the vulnerability
• Have a plan to identify what information may be compromised
• Have a plan to make that information of as little value as possible
Resources
• Working with OpenSSL https://www.feistyduck.com/books/openssl-cookbook/
• Creating SHA2 For Domino http://turtleblog.info/2015/06/22/creating-sha-2-4096-ssl-certificates-for-domino/
• Unrestricted policy files for WebSphere http://www-01.ibm.com/support/docview.wss?uid=swg21663373
My presentation with Mark Myers from LDC Via given at IBM Connect contains more information about specific SSL vulnerabilities such as POODLE, Heartbleed, FREAK etc. and is available on Slideshare http://bit.ly/1R6W9ck
Thank you
Questions?

 
An introduction to configuring Domino for Docker
An introduction to configuring Domino for DockerAn introduction to configuring Domino for Docker
An introduction to configuring Domino for Docker
 
How To Approach GDPR Preparation & Discovery
How To Approach GDPR Preparation & DiscoveryHow To Approach GDPR Preparation & Discovery
How To Approach GDPR Preparation & Discovery
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
 
Brand Yourself
Brand YourselfBrand Yourself
Brand Yourself
 
Home Working
Home WorkingHome Working
Home Working
 
A Guide To Single Sign-On for IBM Collaboration Solutions
A Guide To Single Sign-On for IBM Collaboration SolutionsA Guide To Single Sign-On for IBM Collaboration Solutions
A Guide To Single Sign-On for IBM Collaboration Solutions
 
The Imposter Syndrome
The Imposter SyndromeThe Imposter Syndrome
The Imposter Syndrome
 
What's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-PremisesWhat's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-Premises
 
An Introduction To Docker
An Introduction To DockerAn Introduction To Docker
An Introduction To Docker
 
An Introduction To Docker
An Introduction To  DockerAn Introduction To  Docker
An Introduction To Docker
 

Recently uploaded

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Recently uploaded (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

Fun With SHA2 Certificates

  • 1. #engageug Fun With SHA2 Certs, by Gabriella Davis, Technical Director - The Turtle Partnership, gabriella@turtlepartnership.com
  • 2. Who Are We?
    • Admin of all things and especially quite complicated things, which is where the fun is
    • Working with security, healthchecks, single sign on, design and deployment of Domino, Sametime, Connections and the things they talk to
    • Stubborn and relentless problem solver
    • Lives in London about half of the time
    • gabriella@turtlepartnership.com
    • twitter: gabturtle
  • 3. This is Betty
    • Betty likes to shop and bank online
    • Betty knows the internet is scary
    • Betty gets emails telling her to click on a link and give her password
    • She always clicks the link
  • 4. This is Hank
    • Hank owns a bank
    • He needs to keep Betty's money safe
    • Hank knows Betty will click on the link, and that it will be his fault if her money goes missing
  • 5. This is Jazz
    • Jazz is a system administrator
    • Jazz is cool
    • Jazz has to keep corporate data secure whilst keeping access simple and staying ahead of hackers
    • Jazz doesn't sleep much
  • 6. This is Harry
    • Harry is a jerk with no morals
    • He only cares about getting money and causing disruption
  • 7. Encryption
    • (diagram: "Hi Betty!" leaves one end, travels as ciphertext, and comes out as "Hi Betty!" at the other end)
    • It's all about the key. How strong is it? How secure is it? Is it even the right key?
  • 8. Encryption Algorithms, Protocols & Strengths
    • The SSL protocol has been deprecated and replaced with TLS
    • The last version of SSL (SSL 3.0) is still vulnerable and should be switched off
    • SHA, SHA2, AES, DES and TLS are not all the same kind of thing: SHA-1 and SHA-2 are hash functions (used, among other things, to sign certificates), AES and DES are symmetric ciphers (used to encrypt the session), and TLS is the protocol that ties them together
    • The key strength is how large, and therefore how hard to guess or factor, the key is
    • Old or broken algorithms such as SHA-1, MD5, DES and RC4 are no longer considered secure enough to use; AES itself is still sound, it is the old ciphers and hashes you need to remove
    • Using lower key strengths to create certificates makes them more vulnerable to brute force attacks
  • 9. Man in the middle
    • (diagram: Harry sits between the two ends; "Hi Betty!" goes in and "Bye Betty!" comes out, because whoever holds the key can decrypt, alter and re-encrypt the traffic)
  • 10. Other Common Session Hijacking Attacks
    • Sidejacking: stealing session cookies; logins sent unencrypted are particularly vulnerable
    • Evil Twin: fake wifi networks designed purely to steal data
    • Sniffing: reading data traffic on a network using readily available tools
  • 11. Why Is This A Growing Problem?
    • Too many old algorithms with weaknesses are still around
    • Computing power can now break low-strength keys in hours
    • Hacking is a playground, often about disruption more than theft
    • As fast as one weakness is fixed, another is found, and that is assuming Jazz had the time and resources to keep everything up to date
    • Obscurity is not security
    • Just because you don't think you're important enough doesn't mean you aren't a target; in fact attacks are usually opportunistic rather than planned
    • This isn't a movie
  • 12. So we need the strongest certificate that uses the best algorithm and is kept up to date. How do we do that?
  • 13. Certificate Structures
    • Certificate authorities, private keys, trusted roots
    • Generating a certificate:
      • You'll need a key file (the private key)
      • You'll need a request (CSR) with all the details of your certificate
      • You'll need the trusted root and intermediate certificates of your CA
      • You'll need the final certificate itself
  • 17. With SHA2 & Strong Keys
    • (diagram: the same exchange as slide 9, but with a SHA2-signed certificate and a strong key Harry sees only ciphertext; "Hi Betty!" arrives unchanged)
  • 18. File Extensions For Certificates
    • More acronyms. Certificate formats:
      • PEM: Base64 text (-----BEGIN CERTIFICATE-----)
      • CRT, CER: a certificate, usually PEM but sometimes DER; the extension does not tell you which
      • KEY: a private key
      • DER: binary encoding
      • PFX or P12: a PKCS#12 bundle of private key plus certificate chain, password protected
      • CSR: certificate signing request
  • 19. OpenSSL
    • An open source toolkit and library implementing SSL/TLS and the cryptography underneath them
    • Available for most platforms
    • Developed and managed by https://www.openssl.org
    • Source repository at https://github.com/openssl/openssl
    • Create certificates, convert certificates between formats, extract certificates and keys from bundles
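The conversions the slide lists, worked through as an added shell example (this is not code from the presentation, from OpenSSL's documentation or from IBM): a throwaway self-signed certificate is pushed through PEM, DER and PKCS#12 and back again, and its SHA-256 fingerprint is taken at each step to prove the certificate itself never changed. The file names, the subject demo.example.com and the PKCS#12 password are assumptions for the demo; it needs the openssl binary on the path.

```shell
#!/bin/sh
# Added example: round-trip one certificate through the formats on the slide
# (PEM -> DER -> PEM, and PEM key+cert -> PKCS#12 -> PEM) and prove nothing
# changed by comparing SHA-256 fingerprints. File names, the subject and the
# PKCS#12 password are assumptions for the demo.

# Constructed test data: a self-signed certificate and key, not a real
# server identity.
make_test_cert() {              # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=demo.example.com" \
        -keyout "$1/demo.key" -out "$1/demo.pem" >/dev/null 2>&1
}

# PEM (Base64 text between BEGIN/END CERTIFICATE lines) to DER (raw binary).
pem_to_der() {                  # $1 = in.pem  $2 = out.der
    openssl x509 -in "$1" -outform DER -out "$2"
}

der_to_pem() {                  # $1 = in.der  $2 = out.pem
    openssl x509 -in "$1" -inform DER -outform PEM -out "$2"
}

# Bundle key + certificate into one password-protected PKCS#12 (.p12/.pfx).
to_pkcs12() {                   # $1 = key  $2 = cert  $3 = out.p12  $4 = password
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# Extract the certificate, and separately the unencrypted key, from a PKCS#12.
extract_cert_from_pkcs12() {    # $1 = in.p12  $2 = password  $3 = out.pem
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null
}

extract_key_from_pkcs12() {     # $1 = in.p12  $2 = password  $3 = out.key
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" 2>/dev/null
}

# SHA-256 fingerprint of a certificate. The extension tells you nothing about
# the encoding, so the caller states it (PEM or DER).
fingerprint() {                 # $1 = file  $2 = PEM|DER
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Whole round trip; prints the working directory so the files can be inspected.
roundtrip_demo() {
    d=$(mktemp -d) || return 1
    make_test_cert "$d"                                                 || return 1
    pem_to_der "$d/demo.pem" "$d/demo.der"                              || return 1
    der_to_pem "$d/demo.der" "$d/demo2.pem"                             || return 1
    to_pkcs12 "$d/demo.key" "$d/demo.pem" "$d/demo.p12" changeit        || return 1
    extract_cert_from_pkcs12 "$d/demo.p12" changeit "$d/fromp12.pem"    || return 1
    extract_key_from_pkcs12 "$d/demo.p12" changeit "$d/fromp12.key"     || return 1
    echo "$d"
}
```

Run roundtrip_demo, then compare fingerprint on demo.pem, demo.der and fromp12.pem: all three are the same certificate, only the container changed. The same four commands are what you use to get a certificate out of a .pfx exported from Windows or WebSphere and into a form OpenSSL, kyrtool or ikeyman will read.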
  • 21. Installing OpenSSL - for the brave
    • https://www.openssl.org/source/
    • ftp://ftp.openssl.org/source/ (previous version), ftp://ftp.openssl.org/source/old (older versions)
    • Download the compressed file and extract it
    • Read the README for instructions, e.g. INSTALL (Linux, Unix, etc.), INSTALL.W32 (Windows 32-bit), INSTALL.W64 (Windows 64-bit)
    • https://wiki.openssl.org/index.php/Compilation_and_Installation
  • 22. Installing OpenSSL under Windows
    • I found the easiest solution (as an admin) is to install the pre-built Windows executable from Shining Light; there are others out there
    • https://slproweb.com/products/Win32OpenSSL.html
    • Download the most recent "Light" version, which at the time of this presentation was 1.0.2f (Win32OpenSSL_Light-1_0_2f)
  • 25. Installing OpenSSL for Linux
    • Many distributions ship a pre-compiled OpenSSL, e.g. yum install openssl
    • Each OS may have its own method for configuration
  • 26. Let's Create Some Certificates
  • 27. Domino - Creating A SHA2 Certificate
    • Domino no longer uses the Secure Server Certificate database to generate key files or merge certificates
    • We use a combination of OpenSSL and an IBM utility for Domino called kyrtool
    • Download kyrtool from IBM Fix Central: http://ibm.co/1SAYX5E
    • Copy it to your Notes or Domino program directory
    • The program files must be 9.0.1 FP3 or higher
  • 28. Domino - Creating A SHA2 Certificate
    • We need to decide the size of the key pair we want to create
      • The larger the key, the harder it is to break by factoring or brute force
      • Not all software supports the largest key sizes (see the WebSphere notes later in this deck)
    • If using Windows, set the environment variable for OpenSSL first:
      set OPENSSL_CONF=c:\openssl\bin\openssl.cfg
      and verify that openssl.cfg actually exists in that directory
    • To create a 4096-bit key pair:
      c:\openssl\bin\openssl genrsa -out mynewserver.key 4096
    • mynewserver.key is the private key; anyone holding it can impersonate the server, so protect it like a password
  • 29. Create a Certificate Signing Request
    • When buying a new certificate, the CSR is what you send to your CA:
      openssl req -new -sha256 -key mynewserver.key -out mynewserver.csr
    • -sha256 signs the request with SHA-256 (SHA2); the signature algorithm of the issued certificate is chosen by the CA, so check the certificate for SHA-256 when it comes back as well
    • The CA checks the CSR when you submit it, so you can confirm the details (common name, organisation and so on) are right; if not, recreate it by running the command again
  • 31. MyNewServer.CSR
    -----BEGIN CERTIFICATE REQUEST-----
    MIIEvjCCAqYCAQAweTELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEjMCEG
    A1UECgwaVGhlIFR1cnRsZSBQYXJ0bmVyc2hpcCBMdGQxCzAJBgNVBAsMAklUMScw
    JQYDVQQDDB50cmF2ZWxlci50dXJ0bGVwYXJ0bmVyc2hpcC5jb20wggIiMA0GCSqG
    SIb3DQEBAQUAA4ICDwAwggIKAoICAQDG5S3l7CtwiZQDHPXPxZMt3tQa8styCuZ+
    CyipKAyqAKvaurqGfb232kYjLdR9hDh/TAswAeG40+DuQN4LKW4efWB91tQTKyZp
    R9Kt5y6hVgKLjWbkZUqJcBRq60w7E1x+ufAqADLlhQAH0Q5fVe8aLhkYc5qIz4u/
    JIm1Y+RgO3M/80v4xl85s6R/wEUSOdynKjrpBOsgWXUWu6pkCmxQOTD0lZfII5Lj
    GztF9m7It8KcUojV4IdlsBNGlmOwdRgRwV1oqR0C3wdK9325xEbZcQgBnLBYprcN
    GxZTwQpkIkv9tHVs7jhmrJsIYCRv7uDgIVpd3VXcTpGJXdBNgAxy7zW2q/EBlFMe
    nPoavA8yyEID4tRHAQwCsDd4aoM/y3ZJRdU9ZyJE6fbcja2lDoB1r0dQWzA17UTC
    o4qFgdLqJ94IKlEhnkYF7Dotj3lt0tBpNLRdL3MQwMdpGpetYYhLATQRNaXaOz9n
    IsSFI/kIb5KKmFJX39vX7LjeAi9uRe4TbUBWBIWl+kmIT8n4xjUbjIeLrFWYUD4E
    Aft6qEmXyScIRufqorbWMz88juuC9Svkcm3zjGcLFjGSuxXOhrrMA6LpCqQJXHI1
    5NCjZMdh/1xD1K39JhcYvSdfcpEtOe3CIXMpmkmJK0kANWrUOgeajoz7xC1vsUcE
    H4btBohD7B6fiqdozsOsvN1s
    -----END CERTIFICATE REQUEST-----
  • 32. Now Comes The Domino Bit
    • We have to create a keyring file in a format Domino can read
    • For that we use the kyrtool we downloaded from Fix Central
    • From your Notes program directory:
      kyrtool create -k c:\notes\data\mynewserver.kyr -p <passwordyouwanttouse>
    • This creates two files:
      • mynewserver.kyr
      • mynewserver.sth (the stashed password that unlocks the keyring; anyone who can read it can open the keyring, so protect it and keep it next to the .kyr)
  • 33. Nearly There...
    • We have our keyring file
    • We have sent the request generated from our new key pair to our CA
    • When the CA sends the certificate back we merge it into our keyring file
    • We need to merge ALL the certificates, root, intermediate and server, together with the private key into a single text file, in this order: private key, server certificate, intermediate certificate(s), root:
      c:\openssl\bin> type mynewserver.key server.crt intermediate.crt root.crt > mynewserver.txt
      (type is the Windows command; on Linux cat does the same job)
  • 34. Last Step
    • We now import the txt file with the key and all the certificates in it into our new Domino keyring:
      c:\ibm\notes\kyrtool import all -k c:\notes\data\mynewserver.kyr -i c:\openssl\bin\mynewserver.txt
    • That's it. We now have a shiny keyring pair (.kyr plus .sth) to use with our Domino server
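The whole OpenSSL side of slides 28 to 34, as an added example that is not from the presentation, from IBM or from the linked blog post: it runs the same genrsa and req commands on Linux or macOS, stands up a throwaway two-tier CA in place of the commercial CA so that it works offline, builds mynewserver.txt in the order kyrtool expects, and then performs the checks worth doing before "kyrtool import all": the CSR really is SHA-256 signed and 4096-bit, the issued certificate is SHA-256 signed, the chain verifies back to the root, and the certificate belongs to the private key you generated. The host name traveler.example.com, the CA subjects and all file names are assumptions; kyrtool itself is a Windows/Domino-side tool and is not run here.

```shell
#!/bin/sh
# Added example (not from the slides, IBM or the blog post): the OpenSSL half
# of the Domino SHA2 procedure plus the pre-import checks. A throwaway
# root -> intermediate CA stands in for the commercial CA so it runs offline.
# Host name, subjects and file names are assumptions for the demo.

# Step 1: 4096-bit RSA key pair (the slide's "openssl genrsa -out mynewserver.key 4096").
make_server_key() {         # $1 = dir
    openssl genrsa -out "$1/mynewserver.key" 4096 >/dev/null 2>&1
}

# Step 2: SHA-256 signed CSR. Subject fields are an assumption.
make_csr() {                # $1 = dir
    openssl req -new -sha256 -key "$1/mynewserver.key" \
        -subj "/C=GB/ST=London/O=Example Ltd/OU=IT/CN=traveler.example.com" \
        -out "$1/mynewserver.csr" 2>/dev/null
}

# Inspect a CSR / certificate before trusting it: signature algorithm and key size.
csr_sig_alg() {             # $1 = csr  -> e.g. sha256WithRSAEncryption
    openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: \([^ ]*\).*/\1/p' | head -n 1
}
csr_key_bits() {            # $1 = csr  -> e.g. 4096
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}
cert_sig_alg() {            # $1 = cert -> what the CA actually signed with
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: \([^ ]*\).*/\1/p' | head -n 1
}

# Stand-in CA. A real CA differs only in that you upload the CSR and download
# server.crt, intermediate.crt and root.crt from its portal.
make_fake_ca_and_sign() {   # $1 = dir (expects mynewserver.csr there)
    w=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$w/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:traveler.example.com\n' > "$w/server.ext"
    openssl genrsa -out "$w/root.key" 2048 >/dev/null 2>&1 || return 1
    openssl req -new -key "$w/root.key" -subj "/CN=Demo Root CA" -out "$w/root.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$w/root.csr" -signkey "$w/root.key" -sha256 -days 1 \
        -extfile "$w/ca.ext" -out "$w/root.crt" 2>/dev/null || return 1
    openssl genrsa -out "$w/intermediate.key" 2048 >/dev/null 2>&1 || return 1
    openssl req -new -key "$w/intermediate.key" -subj "/CN=Demo Issuing CA" -out "$w/intermediate.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$w/intermediate.csr" -CA "$w/root.crt" -CAkey "$w/root.key" -CAcreateserial \
        -sha256 -days 1 -extfile "$w/ca.ext" -out "$w/intermediate.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$w/mynewserver.csr" -CA "$w/intermediate.crt" -CAkey "$w/intermediate.key" -CAcreateserial \
        -sha256 -days 1 -extfile "$w/server.ext" -out "$w/server.crt" 2>/dev/null
}

# Step 3: the file kyrtool imports. Order matters: private key, server
# certificate, intermediate(s), root (the slide's "type ... > mynewserver.txt").
build_kyr_input() {         # $1 = dir
    cat "$1/mynewserver.key" "$1/server.crt" "$1/intermediate.crt" "$1/root.crt" > "$1/mynewserver.txt"
}

# Checks to run before "kyrtool import all".
chain_ok() {                # the issued cert validates through the intermediate to the root
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" "$1/server.crt" >/dev/null 2>&1
}
key_matches_cert() {        # $1 = key  $2 = cert: same RSA modulus means same key pair
    k=$(openssl rsa -in "$1" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
kyr_input_ok() {            # $1 = mynewserver.txt: key first, then exactly three certificates
    head -n 1 "$1" | grep -q 'PRIVATE KEY-----' || return 1
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -eq 3 ]
}

# End to end; prints the working directory holding mynewserver.txt.
domino_sha2_demo() {
    d=$(mktemp -d) || return 1
    make_server_key "$d"        || return 1
    make_csr "$d"               || return 1
    make_fake_ca_and_sign "$d"  || return 1
    build_kyr_input "$d"        || return 1
    echo "$d"
}
```

Run domino_sha2_demo, run chain_ok, key_matches_cert and kyr_input_ok against the directory it prints, and only then copy mynewserver.txt to the Domino machine for "kyrtool import all". The two most common reasons an import produces a keyring that does not work are a chain pasted in the wrong order and a certificate issued against a different CSR than the key you kept, and those are exactly the two checks above.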
  • 35. Installing A SHA2 Certificate Under Domino
    • Install using Internet Site documents
    • The first keyring file in the Internet Site documents view that matches the server configuration "wins"
    • Avoid too many wildcard or duplicate Internet Site documents
    • What can you use it for?
      • HTTPS (Traveler, websites)
      • S/MIME (encrypted mail)
      • TLS (HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP and POP3)
      • DIIOP as of 9.0.1 FP5
  • 36. More Domino SSL
    • Remove weak ciphers from the site documents
    • Add DISABLE_SSLV3=1 to the notes.ini on the server
    • Domino supports TLS 1.2 now; SSL_DISABLE_TLS_10=1 in notes.ini turns off TLS 1.0 once your clients can cope without it
    • https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2
  • 37. Working With WebSphere Certificates
    • WebSphere installs with its own keystores for each cell and node you add
    • The keystores are created by WebSphere itself and carry the hostname of the server you're installing onto by default
    • The cell keystores are found in:
      • /profiles/Dmgr01/config/cells/{cellname}/trust.p12
      • /profiles/Dmgr01/config/cells/{cellname}/key.p12
  • 38. Accessing The SSL Configuration
    • Log in to the WebSphere ISC
    • Security - SSL Certificate and Key Management
  • 40. Adding A New Certificate To WebSphere
    • Go to the CellDefaultTrustStore; if the certificate already exists on another server you can "Retrieve from port"
    • Add your root and intermediate certificates here
  • 41. Personal Certificate Request
    • The simplest way to generate a WAS certificate:
      • Create a CSR in WAS
      • "Receive" the certificate into WAS when the CA sends it back
      • You can't "receive" a certificate you didn't request from that keystore, because the matching private key only exists where the CSR was created
  • 42. WebSphere and 4096 Key Length Certificates
    • A 4096-bit certificate can generate an error when you try to add it to WebSphere: "RSA premaster secret"
    • You need to add the unrestricted JCE policy files to the WebSphere JVM before 4096-bit certificates can be imported
  • 43. The Unrestricted Policy Files
    • ibm.co/1JZGs3z
  • 44. Exporting A Certificate From WebSphere
    • Export a WAS certificate so that it can be imported onto other systems, such as a key database generated by ikeyman and used by IBM HTTP Server
  • 45. Working With ikeyman
    • There are different versions of ikeyman that create key databases recognised by different products
    • Look in the program directory of your installed product to find the right one
    • For IBM HTTP Server the file is in /IBM/HTTPServer/bin
    • On Linux you'll need to configure X11 forwarding if you don't have a graphical interface
  • 46. Working With ikeyman - Signer Certificates
    • Import the WebSphere certificate we extracted earlier
    • Add root and intermediate certificates
  • 47. Working With ikeyman - Personal Certificates
  • 48. Editing httpd.conf to add SSL configuration
    • Example content:
      LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
      Listen 0.0.0.0:443
      <VirtualHost *:443>
      SSLEnable
      SSLProtocolDisable SSLv2 SSLv3
      </VirtualHost>
      KeyFile /opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-cfg.kdb
      SSLDisable
    • KeyFile points at the .kdb you built with ikeyman, and its .sth stash file must sit beside it; disable SSLv3 as well as SSLv2, for the same reason as on Domino
    • Restart IHS; use netstat to see if 443 is active and listening
    • Check the IHS logs for SSL errors
    • If WebSphere doesn't have a copy of the IHS certificate and IHS doesn't have a copy of the WebSphere certificate, or they don't share a trusted root, they won't be able to communicate
  • 49. SSL and Development
    • Despite the initial pain, see if you can get a proper production SSL certificate to use on your development environment
    • If you cannot (for cost reasons), create a self-signed certificate that is EXACTLY the same type as your production one: same key size and same signature algorithm (SHA2), so that whatever breaks on 4096-bit SHA2 certificates breaks in development first
    • Identify ALL your third-party libraries to your admins, as well as any changes in versions, in a proper release document, particularly if you are overriding an existing library on the server
  • 50. Testing SSL On Your Site
    • https://www.ssllabs.com/ssltest/
  • 51. Keeping up
    • You can't stay ahead of the hackers but you must be vigilant and keep up
    • Have a plan for monitoring
    • Have a plan for lockdown at the first appearance of exposure
    • Have a plan to fix the vulnerability
    • Have a plan to identify what information may be compromised
    • Have a plan to make that information of as little value as possible
  • 52. Resources
    • Working with OpenSSL: https://www.feistyduck.com/books/openssl-cookbook/
    • Creating SHA2 for Domino: http://turtleblog.info/2015/06/22/creating-sha-2-4096-ssl-certificates-for-domino/
    • Unrestricted policy files for WebSphere: http://www-01.ibm.com/support/docview.wss?uid=swg21663373
  • 53. My presentation with Mark Myers from LDC Via, given at IBM Connect, contains more information about specific SSL vulnerabilities such as POODLE, Heartbleed, FREAK etc. and is available on Slideshare: http://bit.ly/1R6W9ck