SlideShare a Scribd company logo

SSL/TLS for Mortals (UtrechtJUG)

Using SSL/TLS the right way is often a big hurdle for developers. We prefer to have that one colleague perform "something with certificates" because he/she knows how that works. But what if “that one colleague” is enjoying vacation and something goes wrong with the certificates? In this session, we’ll take a close look at secure communication at the transport level. Starting with what exactly SSL and TLS is, we'll dive into public/private keys, and signing. We'll also learn what all this has to do with an unfortunate Dutch notary. Of course, there'll be plenty of practical tips & tricks, as well as demos. Attend this session to become "that one colleague"!

1 of 41
Download to read offline
SSL/TLS
M
Maarten Mulders (@mthmulders)#tlsformortals
T L S
Awesome Sauce, or...
Maarten Mulders (@mthmulders)#tlsformortals
H 🤯Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertif cate(ClientHandshaker.java:1506)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net. .protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net. .protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net. .protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
at sun.net. .protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
at sun.net. .protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at it.mulders.maarten.Demo.main(Demo.java:13)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExc
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertif cate(ClientHandshaker.java:1488)
13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to f nd valid certif cation path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun security validator PKIXValidator doBuild(PKIXValidator java:382)
Maarten Mulders (@mthmulders)#tlsformortals
SSL/TLS for Mortals (UtrechtJUG)
7 L OSI M
data unit layers
Data
Data
Data
Segments
Packets
Frames
Bits
Application
Network Process to Application
Presentation
Data Representation
and Encryption
Session
Interhost Communication
Transport
End-to-End Connections
and Reliability
Network
Path Determination and
Logical Addressing (IP)
Data Link
Physical Addressing
(MAC and LLC)
Physical
Media, Signal and
Binary Transmission
HostLayersMediaLayers
Maarten Mulders (@mthmulders)#tlsformortals
H SSL TLS
SSL 1.0 never released
SSL 2.0 1995 - 2011 (POODLE)
SSL 3.0 1996 - 2014 (POODLE)
TLS 1.0 1999 - 2011 (BEAST)
TLS 1.1 2006
TLS 1.2 2008
TLS 1.3 2018
Maarten Mulders (@mthmulders)#tlsformortals
Ad

Recommended

SSL/TLS for Mortals (Devoxx)
 SSL/TLS for Mortals (Devoxx) SSL/TLS for Mortals (Devoxx)
SSL/TLS for Mortals (Devoxx)Maarten Mulders
 
The Ring programming language version 1.9 book - Part 69 of 210
The Ring programming language version 1.9 book - Part 69 of 210The Ring programming language version 1.9 book - Part 69 of 210
The Ring programming language version 1.9 book - Part 69 of 210Mahmoud Samir Fayed
 
The Ring programming language version 1.5.3 book - Part 69 of 184
The Ring programming language version 1.5.3 book - Part 69 of 184The Ring programming language version 1.5.3 book - Part 69 of 184
The Ring programming language version 1.5.3 book - Part 69 of 184Mahmoud Samir Fayed
 
SSL/TLS for Mortals (Lockdown Lecture)
SSL/TLS for Mortals (Lockdown Lecture)SSL/TLS for Mortals (Lockdown Lecture)
SSL/TLS for Mortals (Lockdown Lecture)Maarten Mulders
 
SSL/TLS for Mortals (Devoxx UK)
SSL/TLS for Mortals (Devoxx UK)SSL/TLS for Mortals (Devoxx UK)
SSL/TLS for Mortals (Devoxx UK)Maarten Mulders
 
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)Maarten Mulders
 
SSL/TLS for Mortals (JavaLand)
SSL/TLS for Mortals (JavaLand) SSL/TLS for Mortals (JavaLand)
SSL/TLS for Mortals (JavaLand) Maarten Mulders
 
SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)Maarten Mulders
 

More Related Content

Similar to SSL/TLS for Mortals (UtrechtJUG)

SSL/TLS for Mortals (DevNexus)
SSL/TLS for Mortals (DevNexus)SSL/TLS for Mortals (DevNexus)
SSL/TLS for Mortals (DevNexus)Maarten Mulders
 
SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)Maarten Mulders
 
SSL/TLS for Mortals (JAX DE 2018)
SSL/TLS for Mortals (JAX DE 2018)SSL/TLS for Mortals (JAX DE 2018)
SSL/TLS for Mortals (JAX DE 2018)Maarten Mulders
 
SSL/TLS for Mortals (JavaOne 2017)
SSL/TLS for Mortals (JavaOne 2017)SSL/TLS for Mortals (JavaOne 2017)
SSL/TLS for Mortals (JavaOne 2017)Maarten Mulders
 
SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)Maarten Mulders
 
SSL/TLS for Mortals (J-Fall)
SSL/TLS for Mortals (J-Fall)SSL/TLS for Mortals (J-Fall)
SSL/TLS for Mortals (J-Fall)Maarten Mulders
 
Secure shell(ssh) AND telnet AND CONSOLE
Secure shell(ssh)  AND telnet AND CONSOLESecure shell(ssh)  AND telnet AND CONSOLE
Secure shell(ssh) AND telnet AND CONSOLEAmiraMohamedGalal
 
Encrption in mule
Encrption in muleEncrption in mule
Encrption in muleSindhu VL
 
Pgp security mule
Pgp security   mulePgp security   mule
Pgp security muleSindhu VL
 
SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)Maarten Mulders
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeWim Godden
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeWim Godden
 
Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)Gerardo Pardo-Castellote
 
Synchronise your data between MySQL and MongoDB
Synchronise your data between MySQL and MongoDBSynchronise your data between MySQL and MongoDB
Synchronise your data between MySQL and MongoDBGiuseppe Maxia
 
Brief Lecture on Text Mining and Social Network Analysis with R, by Deolu Ade...
Brief Lecture on Text Mining and Social Network Analysis with R, by Deolu Ade...Brief Lecture on Text Mining and Social Network Analysis with R, by Deolu Ade...
Brief Lecture on Text Mining and Social Network Analysis with R, by Deolu Ade...Deolu Adeleye
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
Security Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPSecurity Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPxsist10
 

Similar to SSL/TLS for Mortals (UtrechtJUG) (20)

SSL/TLS for Mortals (DevNexus)
SSL/TLS for Mortals (DevNexus)SSL/TLS for Mortals (DevNexus)
SSL/TLS for Mortals (DevNexus)
 
SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)
 
SSL/TLS for Mortals (JAX DE 2018)
SSL/TLS for Mortals (JAX DE 2018)SSL/TLS for Mortals (JAX DE 2018)
SSL/TLS for Mortals (JAX DE 2018)
 
SSL/TLS for Mortals (JavaOne 2017)
SSL/TLS for Mortals (JavaOne 2017)SSL/TLS for Mortals (JavaOne 2017)
SSL/TLS for Mortals (JavaOne 2017)
 
SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)
 
SSL/TLS for Mortals (J-Fall)
SSL/TLS for Mortals (J-Fall)SSL/TLS for Mortals (J-Fall)
SSL/TLS for Mortals (J-Fall)
 
Secure shell(ssh) AND telnet AND CONSOLE
Secure shell(ssh)  AND telnet AND CONSOLESecure shell(ssh)  AND telnet AND CONSOLE
Secure shell(ssh) AND telnet AND CONSOLE
 
Encrption in mule
Encrption in muleEncrption in mule
Encrption in mule
 
Pgp security mule
Pgp security   mulePgp security   mule
Pgp security mule
 
SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
 
Net
NetNet
Net
 
Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)
 
Synchronise your data between MySQL and MongoDB
Synchronise your data between MySQL and MongoDBSynchronise your data between MySQL and MongoDB
Synchronise your data between MySQL and MongoDB
 
Introduction to cryptography
Introduction to cryptographyIntroduction to cryptography
Introduction to cryptography
 
Brief Lecture on Text Mining and Social Network Analysis with R, by Deolu Ade...
Brief Lecture on Text Mining and Social Network Analysis with R, by Deolu Ade...Brief Lecture on Text Mining and Social Network Analysis with R, by Deolu Ade...
Brief Lecture on Text Mining and Social Network Analysis with R, by Deolu Ade...
 
Whispered secrets
Whispered secretsWhispered secrets
Whispered secrets
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
Security Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPSecurity Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHP
 

More from Maarten Mulders

What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)Maarten Mulders
 
Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)Maarten Mulders
 
Making Maven Marvellous (Java.il)
Making Maven Marvellous (Java.il)Making Maven Marvellous (Java.il)
Making Maven Marvellous (Java.il)Maarten Mulders
 
Making Maven Marvellous (JavaZone)
Making Maven Marvellous (JavaZone)Making Maven Marvellous (JavaZone)
Making Maven Marvellous (JavaZone)Maarten Mulders
 
Dapr: Dinosaur or Developer's Dream? (v1)
Dapr: Dinosaur or Developer's Dream? (v1)Dapr: Dinosaur or Developer's Dream? (v1)
Dapr: Dinosaur or Developer's Dream? (v1)Maarten Mulders
 
Dapr: Dinosaur or Developer Dream? (J-Fall)
Dapr: Dinosaur or Developer Dream? (J-Fall)Dapr: Dinosaur or Developer Dream? (J-Fall)
Dapr: Dinosaur or Developer Dream? (J-Fall)Maarten Mulders
 
React in 40 minutes (Voxxed Days Romania)
React in 40 minutes (Voxxed Days Romania) React in 40 minutes (Voxxed Days Romania)
React in 40 minutes (Voxxed Days Romania) Maarten Mulders
 
React in 40 minutes (JCON)
React in 40 minutes (JCON) React in 40 minutes (JCON)
React in 40 minutes (JCON) Maarten Mulders
 
React in 50 minutes (Bucharest Software Craftsmanship Community)
React in 50 minutes (Bucharest Software Craftsmanship Community)React in 50 minutes (Bucharest Software Craftsmanship Community)
React in 50 minutes (Bucharest Software Craftsmanship Community)Maarten Mulders
 
React in 50 Minutes (JNation)
 React in 50 Minutes (JNation)  React in 50 Minutes (JNation)
React in 50 Minutes (JNation) Maarten Mulders
 
Making Maven Marvellous (J-Fall)
Making Maven Marvellous (J-Fall)Making Maven Marvellous (J-Fall)
Making Maven Marvellous (J-Fall)Maarten Mulders
 
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)Maarten Mulders
 
Building a DSL with GraalVM (javaBin online)
Building a DSL with GraalVM (javaBin online)Building a DSL with GraalVM (javaBin online)
Building a DSL with GraalVM (javaBin online)Maarten Mulders
 
React in 50 Minutes (OpenValue)
React in 50 Minutes (OpenValue) React in 50 Minutes (OpenValue)
React in 50 Minutes (OpenValue) Maarten Mulders
 
React in 50 Minutes (DevNexus)
React in 50 Minutes (DevNexus) React in 50 Minutes (DevNexus)
React in 50 Minutes (DevNexus) Maarten Mulders
 
React in 45 Minutes (Jfokus)
React in 45 Minutes (Jfokus)React in 45 Minutes (Jfokus)
React in 45 Minutes (Jfokus)Maarten Mulders
 
Building web applications with React (Jfokus)
Building web applications with React (Jfokus)Building web applications with React (Jfokus)
Building web applications with React (Jfokus)Maarten Mulders
 
Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)Maarten Mulders
 
Building a DSL with GraalVM (Full Stack Antwerpen)
Building a DSL with GraalVM (Full Stack Antwerpen)Building a DSL with GraalVM (Full Stack Antwerpen)
Building a DSL with GraalVM (Full Stack Antwerpen)Maarten Mulders
 
Building a DSL with GraalVM (Devoxx PL)
Building a DSL with GraalVM (Devoxx PL) Building a DSL with GraalVM (Devoxx PL)
Building a DSL with GraalVM (Devoxx PL) Maarten Mulders
 

More from Maarten Mulders (20)

What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)
 
Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)
 
Making Maven Marvellous (Java.il)
Making Maven Marvellous (Java.il)Making Maven Marvellous (Java.il)
Making Maven Marvellous (Java.il)
 
Making Maven Marvellous (JavaZone)
Making Maven Marvellous (JavaZone)Making Maven Marvellous (JavaZone)
Making Maven Marvellous (JavaZone)
 
Dapr: Dinosaur or Developer's Dream? (v1)
Dapr: Dinosaur or Developer's Dream? (v1)Dapr: Dinosaur or Developer's Dream? (v1)
Dapr: Dinosaur or Developer's Dream? (v1)
 
Dapr: Dinosaur or Developer Dream? (J-Fall)
Dapr: Dinosaur or Developer Dream? (J-Fall)Dapr: Dinosaur or Developer Dream? (J-Fall)
Dapr: Dinosaur or Developer Dream? (J-Fall)
 
React in 40 minutes (Voxxed Days Romania)
React in 40 minutes (Voxxed Days Romania) React in 40 minutes (Voxxed Days Romania)
React in 40 minutes (Voxxed Days Romania)
 
React in 40 minutes (JCON)
React in 40 minutes (JCON) React in 40 minutes (JCON)
React in 40 minutes (JCON)
 
React in 50 minutes (Bucharest Software Craftsmanship Community)
React in 50 minutes (Bucharest Software Craftsmanship Community)React in 50 minutes (Bucharest Software Craftsmanship Community)
React in 50 minutes (Bucharest Software Craftsmanship Community)
 
React in 50 Minutes (JNation)
 React in 50 Minutes (JNation)  React in 50 Minutes (JNation)
React in 50 Minutes (JNation)
 
Making Maven Marvellous (J-Fall)
Making Maven Marvellous (J-Fall)Making Maven Marvellous (J-Fall)
Making Maven Marvellous (J-Fall)
 
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
 
Building a DSL with GraalVM (javaBin online)
Building a DSL with GraalVM (javaBin online)Building a DSL with GraalVM (javaBin online)
Building a DSL with GraalVM (javaBin online)
 
React in 50 Minutes (OpenValue)
React in 50 Minutes (OpenValue) React in 50 Minutes (OpenValue)
React in 50 Minutes (OpenValue)
 
React in 50 Minutes (DevNexus)
React in 50 Minutes (DevNexus) React in 50 Minutes (DevNexus)
React in 50 Minutes (DevNexus)
 
React in 45 Minutes (Jfokus)
React in 45 Minutes (Jfokus)React in 45 Minutes (Jfokus)
React in 45 Minutes (Jfokus)
 
Building web applications with React (Jfokus)
Building web applications with React (Jfokus)Building web applications with React (Jfokus)
Building web applications with React (Jfokus)
 
Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)
 
Building a DSL with GraalVM (Full Stack Antwerpen)
Building a DSL with GraalVM (Full Stack Antwerpen)Building a DSL with GraalVM (Full Stack Antwerpen)
Building a DSL with GraalVM (Full Stack Antwerpen)
 
Building a DSL with GraalVM (Devoxx PL)
Building a DSL with GraalVM (Devoxx PL) Building a DSL with GraalVM (Devoxx PL)
Building a DSL with GraalVM (Devoxx PL)
 

Recently uploaded

sql ppt for students who preparing for sql
sql ppt for students who preparing for sqlsql ppt for students who preparing for sql
sql ppt for students who preparing for sqlbharatjanadharwarud
 
Product Manager vs Product Owner – Why Do Companies Still Struggle 23 Years A...
Product Manager vs Product Owner – Why Do Companies Still Struggle 23 Years A...Product Manager vs Product Owner – Why Do Companies Still Struggle 23 Years A...
Product Manager vs Product Owner – Why Do Companies Still Struggle 23 Years A...ISPMAIndia
 
Open Sprintera (Where Open Source Sparks a Sprint of Possibilities)
Open Sprintera (Where Open Source Sparks a Sprint of Possibilities)Open Sprintera (Where Open Source Sparks a Sprint of Possibilities)
Open Sprintera (Where Open Source Sparks a Sprint of Possibilities)GDSCNiT
 
maximum subarray ppt for killing camp students
maximum subarray ppt for killing camp studentsmaximum subarray ppt for killing camp students
maximum subarray ppt for killing camp studentsssuser82c38d
 
DBA Fundamentals Group: Continuous SQL with Kafka and Flink
DBA Fundamentals Group: Continuous SQL with Kafka and FlinkDBA Fundamentals Group: Continuous SQL with Kafka and Flink
DBA Fundamentals Group: Continuous SQL with Kafka and FlinkTimothy Spann
 
The Age of AI: Elevating Experiences & Delivering Customer Value!
The Age of AI: Elevating Experiences & Delivering Customer Value!The Age of AI: Elevating Experiences & Delivering Customer Value!
The Age of AI: Elevating Experiences & Delivering Customer Value!ISPMAIndia
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20Shane Coughlan
 
The Game-Changer_ How Software Development Outsource Can Catapult Your Growth...
The Game-Changer_ How Software Development Outsource Can Catapult Your Growth...The Game-Changer_ How Software Development Outsource Can Catapult Your Growth...
The Game-Changer_ How Software Development Outsource Can Catapult Your Growth...emili denli
 
LLMOps with Azure Machine Learning prompt flow
LLMOps with Azure Machine Learning prompt flowLLMOps with Azure Machine Learning prompt flow
LLMOps with Azure Machine Learning prompt flowNaoki (Neo) SATO
 
killing camp week 6 problem - maximal matrix.pdf
killing camp week 6 problem - maximal matrix.pdfkilling camp week 6 problem - maximal matrix.pdf
killing camp week 6 problem - maximal matrix.pdfssuser82c38d
 
AI Product Management by Abhijit Bendigiri
AI Product Management by Abhijit BendigiriAI Product Management by Abhijit Bendigiri
AI Product Management by Abhijit BendigiriISPMAIndia
 
P1 Inspection Types in Municity 5 Smartsheet
P1 Inspection Types in Municity 5 SmartsheetP1 Inspection Types in Municity 5 Smartsheet
P1 Inspection Types in Municity 5 SmartsheetMatthewTHawley
 
SPM 2024 – Overview of and benefits of AI in Product Management
SPM 2024 – Overview of and benefits of AI in Product ManagementSPM 2024 – Overview of and benefits of AI in Product Management
SPM 2024 – Overview of and benefits of AI in Product ManagementISPMAIndia
 
Automation for Bonterra Impact Management (fka Apricot)
Automation for Bonterra Impact Management (fka Apricot)Automation for Bonterra Impact Management (fka Apricot)
Automation for Bonterra Impact Management (fka Apricot)Jeffrey Haguewood
 
Essence of Requirements Engineering: Pragmatic Insights for 2024
Essence of Requirements Engineering: Pragmatic Insights for 2024Essence of Requirements Engineering: Pragmatic Insights for 2024
Essence of Requirements Engineering: Pragmatic Insights for 2024Asher Sterkin
 
killingcamp 광고삽입문제 풀이, killingcamp 광고삽입문제 풀이
killingcamp 광고삽입문제 풀이, killingcamp 광고삽입문제 풀이killingcamp 광고삽입문제 풀이, killingcamp 광고삽입문제 풀이
killingcamp 광고삽입문제 풀이, killingcamp 광고삽입문제 풀이ssuser82c38d
 
"Taking an idea to a Product in Health diagnostics" by Dr. Geetha Manjunath, ...
"Taking an idea to a Product in Health diagnostics" by Dr. Geetha Manjunath, ..."Taking an idea to a Product in Health diagnostics" by Dr. Geetha Manjunath, ...
"Taking an idea to a Product in Health diagnostics" by Dr. Geetha Manjunath, ...ISPMAIndia
 
No more Dockerfiles? Buildpacks to help you ship your image!
No more Dockerfiles? Buildpacks to help you ship your image!No more Dockerfiles? Buildpacks to help you ship your image!
No more Dockerfiles? Buildpacks to help you ship your image!Anthony Dahanne
 
Getting Started with Trello for Beginners.pptx
Getting Started with Trello for Beginners.pptxGetting Started with Trello for Beginners.pptx
Getting Started with Trello for Beginners.pptxmavinoikein
 

Recently uploaded (20)

sql ppt for students who preparing for sql
sql ppt for students who preparing for sqlsql ppt for students who preparing for sql
sql ppt for students who preparing for sql
 
Product Manager vs Product Owner – Why Do Companies Still Struggle 23 Years A...
Product Manager vs Product Owner – Why Do Companies Still Struggle 23 Years A...Product Manager vs Product Owner – Why Do Companies Still Struggle 23 Years A...
Product Manager vs Product Owner – Why Do Companies Still Struggle 23 Years A...
 
Open Sprintera (Where Open Source Sparks a Sprint of Possibilities)
Open Sprintera (Where Open Source Sparks a Sprint of Possibilities)Open Sprintera (Where Open Source Sparks a Sprint of Possibilities)
Open Sprintera (Where Open Source Sparks a Sprint of Possibilities)
 
maximum subarray ppt for killing camp students
maximum subarray ppt for killing camp studentsmaximum subarray ppt for killing camp students
maximum subarray ppt for killing camp students
 
DBA Fundamentals Group: Continuous SQL with Kafka and Flink
DBA Fundamentals Group: Continuous SQL with Kafka and FlinkDBA Fundamentals Group: Continuous SQL with Kafka and Flink
DBA Fundamentals Group: Continuous SQL with Kafka and Flink
 
The Age of AI: Elevating Experiences & Delivering Customer Value!
The Age of AI: Elevating Experiences & Delivering Customer Value!The Age of AI: Elevating Experiences & Delivering Customer Value!
The Age of AI: Elevating Experiences & Delivering Customer Value!
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20
 
The Game-Changer_ How Software Development Outsource Can Catapult Your Growth...
The Game-Changer_ How Software Development Outsource Can Catapult Your Growth...The Game-Changer_ How Software Development Outsource Can Catapult Your Growth...
The Game-Changer_ How Software Development Outsource Can Catapult Your Growth...
 
LLMOps with Azure Machine Learning prompt flow
LLMOps with Azure Machine Learning prompt flowLLMOps with Azure Machine Learning prompt flow
LLMOps with Azure Machine Learning prompt flow
 
killing camp week 6 problem - maximal matrix.pdf
killing camp week 6 problem - maximal matrix.pdfkilling camp week 6 problem - maximal matrix.pdf
killing camp week 6 problem - maximal matrix.pdf
 
AI Product Management by Abhijit Bendigiri
AI Product Management by Abhijit BendigiriAI Product Management by Abhijit Bendigiri
AI Product Management by Abhijit Bendigiri
 
P1 Inspection Types in Municity 5 Smartsheet
P1 Inspection Types in Municity 5 SmartsheetP1 Inspection Types in Municity 5 Smartsheet
P1 Inspection Types in Municity 5 Smartsheet
 
SPM 2024 – Overview of and benefits of AI in Product Management
SPM 2024 – Overview of and benefits of AI in Product ManagementSPM 2024 – Overview of and benefits of AI in Product Management
SPM 2024 – Overview of and benefits of AI in Product Management
 
Automation for Bonterra Impact Management (fka Apricot)
Automation for Bonterra Impact Management (fka Apricot)Automation for Bonterra Impact Management (fka Apricot)
Automation for Bonterra Impact Management (fka Apricot)
 
Essence of Requirements Engineering: Pragmatic Insights for 2024
Essence of Requirements Engineering: Pragmatic Insights for 2024Essence of Requirements Engineering: Pragmatic Insights for 2024
Essence of Requirements Engineering: Pragmatic Insights for 2024
 
eLearning Content Development Company Code and Pixels.pdf
eLearning Content Development Company Code and Pixels.pdfeLearning Content Development Company Code and Pixels.pdf
eLearning Content Development Company Code and Pixels.pdf
 
killingcamp 광고삽입문제 풀이, killingcamp 광고삽입문제 풀이
killingcamp 광고삽입문제 풀이, killingcamp 광고삽입문제 풀이killingcamp 광고삽입문제 풀이, killingcamp 광고삽입문제 풀이
killingcamp 광고삽입문제 풀이, killingcamp 광고삽입문제 풀이
 
"Taking an idea to a Product in Health diagnostics" by Dr. Geetha Manjunath, ...
"Taking an idea to a Product in Health diagnostics" by Dr. Geetha Manjunath, ..."Taking an idea to a Product in Health diagnostics" by Dr. Geetha Manjunath, ...
"Taking an idea to a Product in Health diagnostics" by Dr. Geetha Manjunath, ...
 
No more Dockerfiles? Buildpacks to help you ship your image!
No more Dockerfiles? Buildpacks to help you ship your image!No more Dockerfiles? Buildpacks to help you ship your image!
No more Dockerfiles? Buildpacks to help you ship your image!
 
Getting Started with Trello for Beginners.pptx
Getting Started with Trello for Beginners.pptxGetting Started with Trello for Beginners.pptx
Getting Started with Trello for Beginners.pptx
 

SSL/TLS for Mortals (UtrechtJUG)

  • 2. T L S Awesome Sauce, or... Maarten Mulders (@mthmulders)#tlsformortals
  • 3. H 🤯Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertif cate(ClientHandshaker.java:1506) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at sun.net. .protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net. .protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net. .protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512) at sun.net. .protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440) at sun.net. .protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) at it.mulders.maarten.Demo.main(Demo.java:13) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExc at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertif cate(ClientHandshaker.java:1488) 13 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to f nd valid certif cation path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun security validator PKIXValidator doBuild(PKIXValidator java:382) Maarten Mulders (@mthmulders)#tlsformortals
  • 5. 7 L OSI M data unit layers Data Data Data Segments Packets Frames Bits Application Network Process to Application Presentation Data Representation and Encryption Session Interhost Communication Transport End-to-End Connections and Reliability Network Path Determination and Logical Addressing (IP) Data Link Physical Addressing (MAC and LLC) Physical Media, Signal and Binary Transmission HostLayersMediaLayers Maarten Mulders (@mthmulders)#tlsformortals
  • 6. H SSL TLS SSL 1.0 never released SSL 2.0 1995 - 2011 (POODLE) SSL 3.0 1996 - 2014 (POODLE) TLS 1.0 1999 - 2011 (BEAST) TLS 1.1 2006 TLS 1.2 2008 TLS 1.3 2018 Maarten Mulders (@mthmulders)#tlsformortals
  • 7. D What's the issue?! Maarten Mulders (@mthmulders)#tlsformortals
  • 8. H . public/private key encryption . signed certificates . certificate authorities Maarten Mulders (@mthmulders)#tlsformortals
  • 9. 1 P P K E Maarten Mulders (@mthmulders)#tlsformortals
  • 12. M . Select two prime numbers: . Calculate product: . Select random number < product: . Find d, so that a. b. c. d. Note that varies with : when . p = 11, q = 17 p ∗ q = 187 e = 3 (d ∗ e) − 1 mod (p − 1) ∗ (q − 1) = 0 (d ∗ 3) − 1 mod (10 ∗ 16) = 0 320 mod 160 = 0 (321 − 1) mod 160 = 0 (107 ∗ 3) = 321 ⇒ d = 107 d e e = 75, d = 183 Maarten Mulders (@mthmulders)#tlsformortals
  • 13. N , P Q . . Find d, so that Pretty hard without knowing and ! As soon as we know , calculating is trivial (again). p ∗ q = 299, e = 5 (d ∗ e) − 1 mod (p − 1) ∗ (q − 1) = 0 p q p = 13, q = 23 d = 317 Maarten Mulders (@mthmulders)#tlsformortals
  • 14. For big enough and , finding those factors will cost an eternity! So we can distribute and even ! p q p ∗ q e Maarten Mulders (@mthmulders)#tlsformortals
  • 15. L "G" p ∗ q = 187, e = 3, G ⇒ 7 = = 3437 e 7 3 343 mod 187 = 156 Maarten Mulders (@mthmulders)#tlsformortals
  • 16. L "156" Since we know and , we can calculatep q d = 107 = ≈ 4.6 ∗156 d 156 107 10 234 mod 187 = 7156 107 7 ⇒ G Maarten Mulders (@mthmulders)#tlsformortals
  • 18. N Client Server 1 ClientHello → 2 ← ServerHello 3 ← Certificate 4 ← ServerKeyExchange 5 ← ServerHelloDone 6 ClientKeyExchange → 7 ChangeCipherSpec → 8 Finished → 9 ← ChangeCipherSpec 10 ← Finished Maarten Mulders (@mthmulders)#tlsformortals
  • 19. D No-one is eavesdropping! Maarten Mulders (@mthmulders)#tlsformortals
  • 20. 2 S C Maarten Mulders (@mthmulders)#tlsformortals
  • 21. A certificate contains: Serial Number Subject Validity Usage Public Key Fingerprint Algorithm Fingerprint Maarten Mulders (@mthmulders)#tlsformortals
  • 22. But wait... anyone could create a certificate! So we also need Signature Algorithm Signature Issuer ... and a way to sign certificates. Maarten Mulders (@mthmulders)#tlsformortals
  • 24. A signature is a mathematical relationship between a message , a private key and a public key . It consists of two functions: . signing function . verifying function So, given and and knowing , we can tell if is indeed signed by . x sk pk t = f (sk, x) [accept, reject] = g(pk, t, x) x t pk x sk Maarten Mulders (@mthmulders)#tlsformortals
  • 25. 3 C A Maarten Mulders (@mthmulders)#tlsformortals
  • 26. An entity that issues digital certificates, certifying the ownership of a public key by the subject of the certificate. Maarten Mulders (@mthmulders)#tlsformortals
  • 27. I John ? Alice So, who is John, anyway? Many John's in todays browsers and operating systems! “I can trust you, because I trust John, and John trusts Alice, and Alice trusts you. Maarten Mulders (@mthmulders)#tlsformortals
  • 28. Top-notch security procedures, including "key ceremonies" Maarten Mulders (@mthmulders)#tlsformortals
  • 31. /** intentionally left blank */ Maarten Mulders (@mthmulders)#tlsformortals
  • 32. W Google blacklists 247 certificates in Chromium Microsoft removes the DigiNotar root certificate from all supported Windows-releases * Mozilla revokes trust in the DigiNotar root certificate in all supported versions Apple issued Security Update 2011-005 Update Certificate Revocation Lists (although these are self- signed) Maarten Mulders (@mthmulders)#tlsformortals
  • 33. D Trust (for what it's worth) Maarten Mulders (@mthmulders)#tlsformortals
  • 34. T , T T Maarten Mulders (@mthmulders)#tlsformortals
  • 35. Simple HTTP client with TLS support: curl -v -k <address> Troubleshoot trust issues and see certificates being used: openssl s_client -showcerts -servername <address> - connect <address>:443 Troubleshoot supported protocols, ciphers, ...: nmap --script ssl-enum-ciphers -p 443 <address> Trace (or even decrypt) TLS traffic: ssldump -i eth0 port 443 and host <address> (add -Ad -k <keyfile> -p <password> for decryption) Maarten Mulders (@mthmulders)#tlsformortals
  • 36. JVM S -Djavax.net.ssl.trustStore=<file> Denotes where a truststore can be found: a file that contains trusted certs. -Djavax.net.ssl.trustStorePassword=changeit is the password to that file. Maarten Mulders (@mthmulders)#tlsformortals
  • 37. JVM S -Djavax.net.ssl.keyStore=<file> Denotes where a keystore can be found: a file that contains public and/or private keys. -Djavax.net.ssl.keyStorePassword=changeit is the password to that file. Maarten Mulders (@mthmulders)#tlsformortals
  • 38. JVM S -Djavax.net.debug=ssl[:flag] Include debug logging for TLS handshake and connections. Additional flags: record session sessioncache pluggability plaintext handshake defaultctx keymanager data packet keygen sslctx trustmanager verbose Maarten Mulders (@mthmulders)#tlsformortals
  • 40. P 🔑 - . Don't use SSL! Use TLS v1.2 or v1.3. . Be careful whom you trust! . When in doubt, open your toolbox: openssl, curl, nmap, ssldump and Portecle Maarten Mulders (@mthmulders)#tlsformortals
  • 41. Q I Router by Public Key Krüpto by , , and ( ) Puss In Boots by IANA Root KSK Ceremony #36 @ Beverwijk by @ unknown author Sándor P. Fekete Sebastian Morr Sebastian Stiller @ideainstruction kisspng https://www.iana.org/dnssec/ceremonies/36 Gerard Hogervorst Wikimedia Commons Maarten Mulders (@mthmulders)#tlsformortals