SSL/TLS for Mortals (Devoxx FR 2018)

M
Maarten Mulders
SSL/TLS for MortalsSSL/TLS for Mortals @mthmuldersmaartenm@infosupport.com
Troubleshooting time...Troubleshooting time... Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) at com.infosupport.maartenm.Demo.main(Demo.java:13) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExcepti at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1488) ... 13 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ... 19 more
Why bother?Why bother? Using SSL/TLS correctly is o en hard to achieve ...and understand! Crucial for secure connection between systems Globally deployed (intra-)cloud applications
data unit layers Data Data Data Segments Packets Frames Bits Application  Network Process to Application Presentation  Data Representation  and Encryption Session  Interhost Communication Transport  End­to­End Connections  and Reliability Network  Path Determination and  Logical Addressing (IP) Data Link  Physical Addressing  (MAC and LLC) Physical  Media, Signal and  Binary Transmission Host LayersMedia Layers
SSL 1.0 never released SSL 2.0 1995 - POODLE (2011) SSL 3.0 1996 - POODLE (2014) TLS 1.0 1999 - BEAST (2011) TLS 1.1 2006 TLS 1.2 2008 TLS 1.3 dra
Demo time!Demo time! What's the issue?
How to prevent this?How to prevent this? 1. public/private key encryption 2. signed certificates 3. certificate authorities
1. public/private key1. public/private key encryptionencryption
 
 
Math time!Math time! 1. Select two prime numbers: 2. Calculate modulo: 3. Select random number < modulo: 4. Find d, so that p = 11, q = 17 p ∗ q = 187 e = 3 (d ∗ e) − 1 mod (p − 1) ∗ (q − 1) = 0 320 mod 160 = 0 (321 − 1) mod (10 ∗ 16) = 0 (107 ∗ 3) = 321 ⇒d = 107 Note: varies with : whend e e = 75, ⇒ d = 183
Now, what if P and Q are unknown?Now, what if P and Q are unknown? 1. 2. Find d, so that p ∗ q = 299, e = 5 (d ∗ e) − 1 mod (p − 1) ∗ (q − 1) = 0 Pretty hard without knowing and !p q   p = 13, q = 23 (d ∗ e) − 1 mod (p − 1) ∗ (q − 1) = 0 1584 mod 264 = 0 (1585 − 1) mod (12 ∗ 22) = 0 (317 ∗ 5) = 1585 ⇒d = 317
For big enough and , finding those factors will cost an eternity! p q So we can distribute p ∗ q and even !e
Encrypt the letter 'Encrypt the letter 'GG''   p ∗ q = 187, e = 3, G ⇒ 7 = = 3437 e 7 3 343 mod 187 = 156
Decrypt the message 'Decrypt the message '156156'' Since we know and , we can calculate   p q d = 107 = ≈ 4.6 ∗156 d 156 107 10 234 mod 187 = 7156 107 7 ⇒ G
 
Negotiating a secure connection Client   Server 1 ClientHello →   2   ← ServerHello 3   ← Certificate 4   ← ServerKeyExchange 5   ← ServerHelloDone 6 ClientKeyExchange →   7 ChangeCipherSpec →   8 Finished →   9   ← ChangeCipherSpec 10   ← Finished
Demo time!Demo time! No-one is eavesdropping!
2. signed certificates2. signed certificates
Certificate contents Serial Number Subject Validity Usage Public Key Fingerprint Algorithm Fingerprint
But wait... anyone could create a certificate! So we also need Signature Algorithm Signature Issuer ... and a way to sign stuff
 
A is a mathematical relationship between a message , a private key and a public key . signature x sk pk   It consists of two functions: 1. signing function 2. verifying function t = f (sk, x) [accept, reject] = g(pk, t, x)   So, given and and knowing , we can tell if is indeed signed by . x t pk x sk
3. certificate authorities3. certificate authorities
An entity that issues digital certificates, certifying the ownership of a public key by the subject of the certificate.
"I can trust you, because I trust John, and John trusts Alice, and Alice trusts you" I John ? Alice Who knows who "John" is? Many "John"'s in todays browsers and operating systems!
Top-notch security procedures, including "key ceremonies" And yet...
Fairytale time!Fairytale time! Once upon a time, a Dutch certificate authority named DigiNotar was living happily and carefree in the town of Beverwijk. But on a bad day, evil hurt it... Real hard.
An attacker compromised a webserver of DigiNotar due to a vulnerability that is present within the DotNetNuke so ware. DotNetNuke version 4.8.2.0 is installed on host winsrv119. This version is affected by a file upload vulnerability.
Due to the weak security of Windows passwords it must be assumed that the attacker was able to compromise the passwords [...] of the accounts found on the system. On the system, [...] the domain administrator account [...] is present.
The attacker was able to traverse the infrastructure and obtain access to at least two CA's that were used to generate certificates.
/** intentionally le blank */
Google blacklists 247 certificates in Chromium Microso removes the DigiNotar root certificate from all supported Windows-releases * Mozilla revokes trust in the DigiNotar root certificate in all supported versions Apple issued Security Update 2011-005   Update Certificate Revocation Lists (except these are self-signed)
Demo time!Demo time! Trust (for what it's worth)
ToolsTools curl -v -k <address> openssl s_client -showcerts -servername <address> -connect <address>:443
Denotes where a can be found: a file that contains . is the password to that file. JVM settings (1)JVM settings (1) -Djavax.net.ssl.trustStore=<file> truststore trusted certs -Djavax.net.ssl.trustStorePassword=...
Denotes where a can be found: a file that contains and/or . is the password to that file. JVM settings (2)JVM settings (2) -Djavax.net.ssl.keyStore=<file> keystore public private keys -Djavax.net.ssl.keyStorePassword=...
Include debug logging for TLS handshake and connections. JVM settings (3)JVM settings (3) -Djavax.net.debug=all
Portecle
#DevoxxFR So longSo long and thanks for all the fishand thanks for all the fish Image attributionsImage attributions Beverwijk by @ . Public Key Krüpto by , , and ( ) Gerard Hogervorst Wikimedia Commons Sándor P. Fekete Sebastian Morr Sebastian Stiller @ideainstruction
1 of 40

SSL/TLS for Mortals (Devoxx FR 2018)

Download to read offline
Technology

Using SSL/TLS the right way is often a big hurdle for developers. We prefer to have that one colleague perform "something with certificates", because he/she knows how that works. But what if "that one colleague" is enjoying vacation and something goes wrong with the certificates? In this session we'll take a close look at secure communication at the transport level. Starting with what exactly SSL and TLS is, we'll dive into public/private keys, and signing. We'll also learn what all this has to do with an unfortunate Dutch notary. Of course, there'll be plenty of practical tips & trics, as well as demo's. Attend this session to become "that one colleague"!

M
Maarten Mulders

Recommended

SSL/TLS for Mortals (JAX DE 2018) by
SSL/TLS for Mortals (JAX DE 2018)SSL/TLS for Mortals (JAX DE 2018)
SSL/TLS for Mortals (JAX DE 2018)Maarten Mulders
245 views40 slides
SSL/TLS for Mortals (DevNexus) by
SSL/TLS for Mortals (DevNexus)SSL/TLS for Mortals (DevNexus)
SSL/TLS for Mortals (DevNexus)Maarten Mulders
213 views39 slides
SSL/TLS for Mortals (GOTO Berlin) by
SSL/TLS for Mortals (GOTO Berlin)SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)Maarten Mulders
236 views41 slides
SSL/TLS for Mortals (J-Fall) by
SSL/TLS for Mortals (J-Fall)SSL/TLS for Mortals (J-Fall)
SSL/TLS for Mortals (J-Fall)Maarten Mulders
286 views43 slides
SSL/TLS for Mortals (JavaZone) by
SSL/TLS for Mortals (JavaZone)SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)Maarten Mulders
105 views42 slides
SSL/TLS for Mortals (JavaOne 2017) by
SSL/TLS for Mortals (JavaOne 2017)SSL/TLS for Mortals (JavaOne 2017)
SSL/TLS for Mortals (JavaOne 2017)Maarten Mulders
325 views38 slides

More Related Content

What's hot

Cryptography 101 for Java developers by
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developersMichel Schudel
233 views68 slides
Carlos García - Pentesting Active Directory Forests [rooted2019] by
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
4.5K views75 slides
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC by
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA
91 views46 slides
Open SSL and MS Crypto API EKON21 by
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Max Kleiner
267 views25 slides
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy by
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
256 views33 slides
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M... by
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
2.3K views92 slides

What's hot(20)

Cryptography 101 for Java developers by Michel Schudel
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developers
Michel Schudel233 views
Carlos García - Pentesting Active Directory Forests [rooted2019] by RootedCON
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON4.5K views
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC by PROIDEA
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PROIDEA91 views
Open SSL and MS Crypto API EKON21 by Max Kleiner
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21
Max Kleiner267 views
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy by RootedCON
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
RootedCON256 views
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M... by Shakacon
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon2.3K views
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit by Hackito Ergo Sum
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
Hackito Ergo Sum1.8K views
Security as Code in Docker Ecosystem for Cloud Native Apps by enlamp
Security as Code in Docker Ecosystem for Cloud Native AppsSecurity as Code in Docker Ecosystem for Cloud Native Apps
Security as Code in Docker Ecosystem for Cloud Native Apps
enlamp532 views
Authentication Systems by Bit Hacker
Authentication SystemsAuthentication Systems
Authentication Systems
Bit Hacker1.6K views
232 md5-considered-harmful-slides by Dan Kaminsky
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slides
Dan Kaminsky6K views
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... by BlueHat Security Conference
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat Security Conference471 views
Secure development on Kubernetes by Andreas Falk by SBA Research
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas Falk
SBA Research168 views
Mens jan piet_dnssec-in-practice by kuchinskaya
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
kuchinskaya680 views
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses by OWASP
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
OWASP198 views
Encryption Boot Camp at Øredev by Matthew McCullough
Encryption Boot Camp at ØredevEncryption Boot Camp at Øredev
Encryption Boot Camp at Øredev
Matthew McCullough2.1K views
Active Directory Recon 101 by prashant3535
Active Directory Recon 101Active Directory Recon 101
Active Directory Recon 101
prashant35351.1K views
Practical non blocking microservices in java 8 by Michal Balinski
Practical non blocking microservices in java 8Practical non blocking microservices in java 8
Practical non blocking microservices in java 8
Michal Balinski878 views
Mimikatz by prashant3535
MimikatzMimikatz
Mimikatz
prashant3535482 views
Advanced Encryption on the JVM v0.2.8 by Matthew McCullough
Advanced Encryption on the JVM v0.2.8Advanced Encryption on the JVM v0.2.8
Advanced Encryption on the JVM v0.2.8
Matthew McCullough2.2K views
Encryption Boot Camp at JavaZone 2010 by Matthew McCullough
Encryption Boot Camp at JavaZone 2010Encryption Boot Camp at JavaZone 2010
Encryption Boot Camp at JavaZone 2010
Matthew McCullough1.8K views

Similar to SSL/TLS for Mortals (Devoxx FR 2018)

SSL/TLS for Mortals (Voxxed Days Luxembourg) by
SSL/TLS for Mortals (Voxxed Days Luxembourg)SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)Maarten Mulders
257 views37 slides
Cryptography 101 for_java_developers, Fall 2019 by
Cryptography 101 for_java_developers, Fall 2019Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019Michel Schudel
272 views77 slides
Dns protocol design attacks and security by
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
3.7K views49 slides
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014 by
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
346 views49 slides
WebRTC 101 - How to get started building your first WebRTC application by
WebRTC 101 - How to get started building your first WebRTC applicationWebRTC 101 - How to get started building your first WebRTC application
WebRTC 101 - How to get started building your first WebRTC applicationDan Jenkins
1.4K views50 slides
Overview of SSL & TLS Client-Server Interactions by
Overview of SSL & TLS Client-Server InteractionsOverview of SSL & TLS Client-Server Interactions
Overview of SSL & TLS Client-Server InteractionsKatie Knowles
250 views26 slides

Similar to SSL/TLS for Mortals (Devoxx FR 2018)(20)

SSL/TLS for Mortals (Voxxed Days Luxembourg) by Maarten Mulders
SSL/TLS for Mortals (Voxxed Days Luxembourg)SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)
Maarten Mulders257 views
Cryptography 101 for_java_developers, Fall 2019 by Michel Schudel
Cryptography 101 for_java_developers, Fall 2019Cryptography 101 for_java_developers, Fall 2019
Cryptography 101 for_java_developers, Fall 2019
Michel Schudel272 views
Dns protocol design attacks and security by Michael Earls
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
Michael Earls3.7K views
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014 by Jakub Kałużny
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Jakub Kałużny346 views
WebRTC 101 - How to get started building your first WebRTC application by Dan Jenkins
WebRTC 101 - How to get started building your first WebRTC applicationWebRTC 101 - How to get started building your first WebRTC application
WebRTC 101 - How to get started building your first WebRTC application
Dan Jenkins1.4K views
Overview of SSL & TLS Client-Server Interactions by Katie Knowles
Overview of SSL & TLS Client-Server InteractionsOverview of SSL & TLS Client-Server Interactions
Overview of SSL & TLS Client-Server Interactions
Katie Knowles250 views
VisualWorks Security Reloaded - STIC 2012 by Martin Kobetic
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012
Martin Kobetic801 views
BSides London 2015 - Proprietary network protocols - risky business on the wire. by Jakub Kałużny
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
Jakub Kałużny395 views
Secure socket layer by BU
Secure socket layerSecure socket layer
Secure socket layer
BU771 views
Codetainer: a Docker-based browser code 'sandbox' by Jen Andre
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
Jen Andre3.8K views
Basics of ssl by n|u - The Open Security Community
Basics of sslBasics of ssl
Basics of ssl
n|u - The Open Security Community2.6K views
Shameful secrets of proprietary network protocols by Slawomir Jasek
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
Slawomir Jasek432 views
Django cryptography by Erik LaBianca
Django cryptographyDjango cryptography
Django cryptography
Erik LaBianca9.5K views
Pki by Steve Lamb by Information Security Awareness Group
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
Information Security Awareness Group1.4K views
Seattle C* Meetup: Hardening cassandra for compliance or paranoia by zznate
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
zznate2.4K views
Da APK al Golden Ticket by Giuseppe Trotta
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
Giuseppe Trotta419 views
Random musings on SSL/TLS configuration by extremeunix
Random musings on SSL/TLS configurationRandom musings on SSL/TLS configuration
Random musings on SSL/TLS configuration
extremeunix1.2K views
BCS_PKI_part1.ppt by UskuMusku1
BCS_PKI_part1.pptBCS_PKI_part1.ppt
BCS_PKI_part1.ppt
UskuMusku14 views
Training Slides: 302 - Securing Your Cluster With SSL by Continuent
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
Continuent78 views
Preventing Data Breaches: How to Tighten Your Security Stance by Sara Goodison
Preventing Data Breaches: How to Tighten Your Security StancePreventing Data Breaches: How to Tighten Your Security Stance
Preventing Data Breaches: How to Tighten Your Security Stance
Sara Goodison139 views

More from Maarten Mulders

What's cooking in Maven? (Devoxx FR) by
What's cooking in Maven? (Devoxx FR)What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)Maarten Mulders
173 views25 slides
Making Maven Marvellous (Devnexus) by
Making Maven Marvellous (Devnexus)Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)Maarten Mulders
149 views13 slides
Making Maven Marvellous (Java.il) by
Making Maven Marvellous (Java.il)Making Maven Marvellous (Java.il)
Making Maven Marvellous (Java.il)Maarten Mulders
146 views13 slides
Making Maven Marvellous (JavaZone) by
Making Maven Marvellous (JavaZone)Making Maven Marvellous (JavaZone)
Making Maven Marvellous (JavaZone)Maarten Mulders
90 views13 slides
Dapr: Dinosaur or Developer's Dream? (v1) by
Dapr: Dinosaur or Developer's Dream? (v1)Dapr: Dinosaur or Developer's Dream? (v1)
Dapr: Dinosaur or Developer's Dream? (v1)Maarten Mulders
132 views42 slides
Dapr: Dinosaur or Developer Dream? (J-Fall) by
Dapr: Dinosaur or Developer Dream? (J-Fall)Dapr: Dinosaur or Developer Dream? (J-Fall)
Dapr: Dinosaur or Developer Dream? (J-Fall)Maarten Mulders
137 views42 slides

More from Maarten Mulders(20)

What's cooking in Maven? (Devoxx FR) by Maarten Mulders
What's cooking in Maven? (Devoxx FR)What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)
Maarten Mulders173 views
Making Maven Marvellous (Devnexus) by Maarten Mulders
Making Maven Marvellous (Devnexus)Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)
Maarten Mulders149 views
Making Maven Marvellous (Java.il) by Maarten Mulders
Making Maven Marvellous (Java.il)Making Maven Marvellous (Java.il)
Making Maven Marvellous (Java.il)
Maarten Mulders146 views
Making Maven Marvellous (JavaZone) by Maarten Mulders
Making Maven Marvellous (JavaZone)Making Maven Marvellous (JavaZone)
Making Maven Marvellous (JavaZone)
Maarten Mulders90 views
Dapr: Dinosaur or Developer's Dream? (v1) by Maarten Mulders
Dapr: Dinosaur or Developer's Dream? (v1)Dapr: Dinosaur or Developer's Dream? (v1)
Dapr: Dinosaur or Developer's Dream? (v1)
Maarten Mulders132 views
Dapr: Dinosaur or Developer Dream? (J-Fall) by Maarten Mulders
Dapr: Dinosaur or Developer Dream? (J-Fall)Dapr: Dinosaur or Developer Dream? (J-Fall)
Dapr: Dinosaur or Developer Dream? (J-Fall)
Maarten Mulders137 views
SSL/TLS for Mortals (Devoxx UK) by Maarten Mulders
SSL/TLS for Mortals (Devoxx UK)SSL/TLS for Mortals (Devoxx UK)
SSL/TLS for Mortals (Devoxx UK)
Maarten Mulders70 views
React in 40 minutes (Voxxed Days Romania) by Maarten Mulders
React in 40 minutes (Voxxed Days Romania) React in 40 minutes (Voxxed Days Romania)
React in 40 minutes (Voxxed Days Romania)
Maarten Mulders93 views
React in 40 minutes (JCON) by Maarten Mulders
React in 40 minutes (JCON) React in 40 minutes (JCON)
React in 40 minutes (JCON)
Maarten Mulders105 views
React in 50 minutes (Bucharest Software Craftsmanship Community) by Maarten Mulders
React in 50 minutes (Bucharest Software Craftsmanship Community)React in 50 minutes (Bucharest Software Craftsmanship Community)
React in 50 minutes (Bucharest Software Craftsmanship Community)
Maarten Mulders244 views
React in 50 Minutes (JNation) by Maarten Mulders
React in 50 Minutes (JNation) React in 50 Minutes (JNation)
React in 50 Minutes (JNation)
Maarten Mulders143 views
SSL/TLS for Mortals (JavaLand) by Maarten Mulders
SSL/TLS for Mortals (JavaLand) SSL/TLS for Mortals (JavaLand)
SSL/TLS for Mortals (JavaLand)
Maarten Mulders58 views
Making Maven Marvellous (J-Fall) by Maarten Mulders
Making Maven Marvellous (J-Fall)Making Maven Marvellous (J-Fall)
Making Maven Marvellous (J-Fall)
Maarten Mulders91 views
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour) by Maarten Mulders
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
Maarten Mulders127 views
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour) by Maarten Mulders
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
Maarten Mulders114 views
SSL/TLS for Mortals (UtrechtJUG) by Maarten Mulders
SSL/TLS for Mortals (UtrechtJUG)SSL/TLS for Mortals (UtrechtJUG)
SSL/TLS for Mortals (UtrechtJUG)
Maarten Mulders202 views
Building a DSL with GraalVM (javaBin online) by Maarten Mulders
Building a DSL with GraalVM (javaBin online)Building a DSL with GraalVM (javaBin online)
Building a DSL with GraalVM (javaBin online)
Maarten Mulders221 views
SSL/TLS for Mortals (Lockdown Lecture) by Maarten Mulders
SSL/TLS for Mortals (Lockdown Lecture)SSL/TLS for Mortals (Lockdown Lecture)
SSL/TLS for Mortals (Lockdown Lecture)
Maarten Mulders122 views
React in 50 Minutes (OpenValue) by Maarten Mulders
React in 50 Minutes (OpenValue) React in 50 Minutes (OpenValue)
React in 50 Minutes (OpenValue)
Maarten Mulders162 views
React in 50 Minutes (DevNexus) by Maarten Mulders
React in 50 Minutes (DevNexus) React in 50 Minutes (DevNexus)
React in 50 Minutes (DevNexus)
Maarten Mulders114 views

Recently uploaded

Future of Learning - Yap Aye Wee.pdf by
Future of Learning - Yap Aye Wee.pdfFuture of Learning - Yap Aye Wee.pdf
Future of Learning - Yap Aye Wee.pdfNUS-ISS
41 views11 slides
ChatGPT and AI for Web Developers by
ChatGPT and AI for Web DevelopersChatGPT and AI for Web Developers
ChatGPT and AI for Web DevelopersMaximiliano Firtman
181 views82 slides
AMAZON PRODUCT RESEARCH.pdf by
AMAZON PRODUCT RESEARCH.pdfAMAZON PRODUCT RESEARCH.pdf
AMAZON PRODUCT RESEARCH.pdfJerikkLaureta
15 views13 slides
Voice Logger - Telephony Integration Solution at Aegis by
Voice Logger - Telephony Integration Solution at AegisVoice Logger - Telephony Integration Solution at Aegis
Voice Logger - Telephony Integration Solution at AegisNirmal Sharma
17 views1 slide
The Importance of Cybersecurity for Digital Transformation by
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital TransformationNUS-ISS
27 views26 slides
Understanding GenAI/LLM and What is Google Offering - Felix Goh by
Understanding GenAI/LLM and What is Google Offering - Felix GohUnderstanding GenAI/LLM and What is Google Offering - Felix Goh
Understanding GenAI/LLM and What is Google Offering - Felix GohNUS-ISS
41 views33 slides

Recently uploaded(20)

Future of Learning - Yap Aye Wee.pdf by NUS-ISS
Future of Learning - Yap Aye Wee.pdfFuture of Learning - Yap Aye Wee.pdf
Future of Learning - Yap Aye Wee.pdf
NUS-ISS41 views
ChatGPT and AI for Web Developers by Maximiliano Firtman
ChatGPT and AI for Web DevelopersChatGPT and AI for Web Developers
ChatGPT and AI for Web Developers
Maximiliano Firtman181 views
AMAZON PRODUCT RESEARCH.pdf by JerikkLaureta
AMAZON PRODUCT RESEARCH.pdfAMAZON PRODUCT RESEARCH.pdf
AMAZON PRODUCT RESEARCH.pdf
JerikkLaureta15 views
Voice Logger - Telephony Integration Solution at Aegis by Nirmal Sharma
Voice Logger - Telephony Integration Solution at AegisVoice Logger - Telephony Integration Solution at Aegis
Voice Logger - Telephony Integration Solution at Aegis
Nirmal Sharma17 views
The Importance of Cybersecurity for Digital Transformation by NUS-ISS
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital Transformation
NUS-ISS27 views
Understanding GenAI/LLM and What is Google Offering - Felix Goh by NUS-ISS
Understanding GenAI/LLM and What is Google Offering - Felix GohUnderstanding GenAI/LLM and What is Google Offering - Felix Goh
Understanding GenAI/LLM and What is Google Offering - Felix Goh
NUS-ISS41 views
Web Dev - 1 PPT.pdf by gdsczhcet
Web Dev - 1 PPT.pdfWeb Dev - 1 PPT.pdf
Web Dev - 1 PPT.pdf
gdsczhcet55 views
SAP Automation Using Bar Code and FIORI.pdf by Virendra Rai, PMP
SAP Automation Using Bar Code and FIORI.pdfSAP Automation Using Bar Code and FIORI.pdf
SAP Automation Using Bar Code and FIORI.pdf
Virendra Rai, PMP19 views
Combining Orchestration and Choreography for a Clean Architecture by ThomasHeinrichs1
Combining Orchestration and Choreography for a Clean ArchitectureCombining Orchestration and Choreography for a Clean Architecture
Combining Orchestration and Choreography for a Clean Architecture
ThomasHeinrichs169 views
Special_edition_innovator_2023.pdf by WillDavies22
Special_edition_innovator_2023.pdfSpecial_edition_innovator_2023.pdf
Special_edition_innovator_2023.pdf
WillDavies2216 views
Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica... by NUS-ISS
Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...
Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...
NUS-ISS16 views
Roadmap to Become Experts.pptx by dscwidyatamanew
Roadmap to Become Experts.pptxRoadmap to Become Experts.pptx
Roadmap to Become Experts.pptx
dscwidyatamanew11 views
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu... by NUS-ISS
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...
NUS-ISS37 views
Black and White Modern Science Presentation.pptx by maryamkhalid2916
Black and White Modern Science Presentation.pptxBlack and White Modern Science Presentation.pptx
Black and White Modern Science Presentation.pptx
maryamkhalid291614 views
How the World's Leading Independent Automotive Distributor is Reinventing Its... by NUS-ISS
How the World's Leading Independent Automotive Distributor is Reinventing Its...How the World's Leading Independent Automotive Distributor is Reinventing Its...
How the World's Leading Independent Automotive Distributor is Reinventing Its...
NUS-ISS15 views
Five Things You SHOULD Know About Postman by Postman
Five Things You SHOULD Know About PostmanFive Things You SHOULD Know About Postman
Five Things You SHOULD Know About Postman
Postman27 views
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors by sugiuralab
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective SensorsTouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors
sugiuralab15 views
.conf Go 2023 - Data analysis as a routine by Splunk
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
Splunk93 views
Attacking IoT Devices from a Web Perspective - Linux Day by Simone Onofri
Attacking IoT Devices from a Web Perspective - Linux Day Attacking IoT Devices from a Web Perspective - Linux Day
Attacking IoT Devices from a Web Perspective - Linux Day
Simone Onofri15 views
handbook for web 3 adoption.pdf by Liveplex
handbook for web 3 adoption.pdfhandbook for web 3 adoption.pdf
handbook for web 3 adoption.pdf
Liveplex19 views

SSL/TLS for Mortals (Devoxx FR 2018)

  • 1. SSL/TLS for MortalsSSL/TLS for Mortals @mthmuldersmaartenm@infosupport.com
  • 2. Troubleshooting time...Troubleshooting time... Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) at com.infosupport.maartenm.Demo.main(Demo.java:13) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExcepti at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1488) ... 13 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ... 19 more
  • 3. Why bother?Why bother? Using SSL/TLS correctly is o en hard to achieve ...and understand! Crucial for secure connection between systems Globally deployed (intra-)cloud applications
  • 5. SSL 1.0 never released SSL 2.0 1995 - POODLE (2011) SSL 3.0 1996 - POODLE (2014) TLS 1.0 1999 - BEAST (2011) TLS 1.1 2006 TLS 1.2 2008 TLS 1.3 dra
  • 7. How to prevent this?How to prevent this? 1. public/private key encryption 2. signed certificates 3. certificate authorities
  • 8. 1. public/private key1. public/private key encryptionencryption
  • 9.  
  • 10.  
  • 11. Math time!Math time! 1. Select two prime numbers: 2. Calculate modulo: 3. Select random number < modulo: 4. Find d, so that p = 11, q = 17 p ∗ q = 187 e = 3 (d ∗ e) − 1 mod (p − 1) ∗ (q − 1) = 0 320 mod 160 = 0 (321 − 1) mod (10 ∗ 16) = 0 (107 ∗ 3) = 321 ⇒d = 107 Note: varies with : whend e e = 75, ⇒ d = 183
  • 12. Now, what if P and Q are unknown?Now, what if P and Q are unknown? 1. 2. Find d, so that p ∗ q = 299, e = 5 (d ∗ e) − 1 mod (p − 1) ∗ (q − 1) = 0 Pretty hard without knowing and !p q   p = 13, q = 23 (d ∗ e) − 1 mod (p − 1) ∗ (q − 1) = 0 1584 mod 264 = 0 (1585 − 1) mod (12 ∗ 22) = 0 (317 ∗ 5) = 1585 ⇒d = 317
  • 13. For big enough and , finding those factors will cost an eternity! p q So we can distribute p ∗ q and even !e
  • 14. Encrypt the letter 'Encrypt the letter 'GG''   p ∗ q = 187, e = 3, G ⇒ 7 = = 3437 e 7 3 343 mod 187 = 156
  • 15. Decrypt the message 'Decrypt the message '156156'' Since we know and , we can calculate   p q d = 107 = ≈ 4.6 ∗156 d 156 107 10 234 mod 187 = 7156 107 7 ⇒ G
  • 16.  
  • 17. Negotiating a secure connection Client   Server 1 ClientHello →   2   ← ServerHello 3   ← Certificate 4   ← ServerKeyExchange 5   ← ServerHelloDone 6 ClientKeyExchange →   7 ChangeCipherSpec →   8 Finished →   9   ← ChangeCipherSpec 10   ← Finished
  • 18. Demo time!Demo time! No-one is eavesdropping!
  • 19. 2. signed certificates2. signed certificates
  • 21. But wait... anyone could create a certificate! So we also need Signature Algorithm Signature Issuer ... and a way to sign stuff
  • 22.  
  • 23. A is a mathematical relationship between a message , a private key and a public key . signature x sk pk   It consists of two functions: 1. signing function 2. verifying function t = f (sk, x) [accept, reject] = g(pk, t, x)   So, given and and knowing , we can tell if is indeed signed by . x t pk x sk
  • 24. 3. certificate authorities3. certificate authorities
  • 25. An entity that issues digital certificates, certifying the ownership of a public key by the subject of the certificate.
  • 26. "I can trust you, because I trust John, and John trusts Alice, and Alice trusts you" I John ? Alice Who knows who "John" is? Many "John"'s in todays browsers and operating systems!
  • 27. Top-notch security procedures, including "key ceremonies" And yet...
  • 28. Fairytale time!Fairytale time! Once upon a time, a Dutch certificate authority named DigiNotar was living happily and carefree in the town of Beverwijk. But on a bad day, evil hurt it... Real hard.
  • 29. An attacker compromised a webserver of DigiNotar due to a vulnerability that is present within the DotNetNuke so ware. DotNetNuke version 4.8.2.0 is installed on host winsrv119. This version is affected by a file upload vulnerability.
  • 30. Due to the weak security of Windows passwords it must be assumed that the attacker was able to compromise the passwords [...] of the accounts found on the system. On the system, [...] the domain administrator account [...] is present.
  • 31. The attacker was able to traverse the infrastructure and obtain access to at least two CA's that were used to generate certificates.
  • 33. Google blacklists 247 certificates in Chromium Microso removes the DigiNotar root certificate from all supported Windows-releases * Mozilla revokes trust in the DigiNotar root certificate in all supported versions Apple issued Security Update 2011-005   Update Certificate Revocation Lists (except these are self-signed)
  • 34. Demo time!Demo time! Trust (for what it's worth)
  • 35. ToolsTools curl -v -k <address> openssl s_client -showcerts -servername <address> -connect <address>:443
  • 36. Denotes where a can be found: a file that contains . is the password to that file. JVM settings (1)JVM settings (1) -Djavax.net.ssl.trustStore=<file> truststore trusted certs -Djavax.net.ssl.trustStorePassword=...
  • 37. Denotes where a can be found: a file that contains and/or . is the password to that file. JVM settings (2)JVM settings (2) -Djavax.net.ssl.keyStore=<file> keystore public private keys -Djavax.net.ssl.keyStorePassword=...
  • 38. Include debug logging for TLS handshake and connections. JVM settings (3)JVM settings (3) -Djavax.net.debug=all
  • 40. #DevoxxFR So longSo long and thanks for all the fishand thanks for all the fish Image attributionsImage attributions Beverwijk by @ . Public Key Krüpto by , , and ( ) Gerard Hogervorst Wikimedia Commons Sándor P. Fekete Sebastian Morr Sebastian Stiller @ideainstruction