Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

of

SSL/TLS for Mortals (JavaZone) Slide 1 SSL/TLS for Mortals (JavaZone) Slide 2 SSL/TLS for Mortals (JavaZone) Slide 3 SSL/TLS for Mortals (JavaZone) Slide 4 SSL/TLS for Mortals (JavaZone) Slide 5 SSL/TLS for Mortals (JavaZone) Slide 6 SSL/TLS for Mortals (JavaZone) Slide 7 SSL/TLS for Mortals (JavaZone) Slide 8 SSL/TLS for Mortals (JavaZone) Slide 9 SSL/TLS for Mortals (JavaZone) Slide 10 SSL/TLS for Mortals (JavaZone) Slide 11 SSL/TLS for Mortals (JavaZone) Slide 12 SSL/TLS for Mortals (JavaZone) Slide 13 SSL/TLS for Mortals (JavaZone) Slide 14 SSL/TLS for Mortals (JavaZone) Slide 15 SSL/TLS for Mortals (JavaZone) Slide 16 SSL/TLS for Mortals (JavaZone) Slide 17 SSL/TLS for Mortals (JavaZone) Slide 18 SSL/TLS for Mortals (JavaZone) Slide 19 SSL/TLS for Mortals (JavaZone) Slide 20 SSL/TLS for Mortals (JavaZone) Slide 21 SSL/TLS for Mortals (JavaZone) Slide 22 SSL/TLS for Mortals (JavaZone) Slide 23 SSL/TLS for Mortals (JavaZone) Slide 24 SSL/TLS for Mortals (JavaZone) Slide 25 SSL/TLS for Mortals (JavaZone) Slide 26 SSL/TLS for Mortals (JavaZone) Slide 27 SSL/TLS for Mortals (JavaZone) Slide 28 SSL/TLS for Mortals (JavaZone) Slide 29 SSL/TLS for Mortals (JavaZone) Slide 30 SSL/TLS for Mortals (JavaZone) Slide 31 SSL/TLS for Mortals (JavaZone) Slide 32 SSL/TLS for Mortals (JavaZone) Slide 33 SSL/TLS for Mortals (JavaZone) Slide 34 SSL/TLS for Mortals (JavaZone) Slide 35 SSL/TLS for Mortals (JavaZone) Slide 36 SSL/TLS for Mortals (JavaZone) Slide 37 SSL/TLS for Mortals (JavaZone) Slide 38 SSL/TLS for Mortals (JavaZone) Slide 39 SSL/TLS for Mortals (JavaZone) Slide 40 SSL/TLS for Mortals (JavaZone) Slide 41 SSL/TLS for Mortals (JavaZone) Slide 42
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.

0 Likes

Share

Download to read offline

SSL/TLS for Mortals (JavaZone)

Download to read offline

Using SSL/TLS the right way is often a big hurdle for developers. We prefer to have that one colleague perform "something with certificates", because he/she knows how that works. But what if "that one colleague" is enjoying vacation and something goes wrong with the certificates?

In this session we'll take a close look at secure communication at the transport level. Starting with what exactly SSL and TLS is, we'll dive into public/private keys, and signing. We'll also learn what all this has to do with an unfortunate Dutch notary. Of course, there'll be plenty of practical tips & trics, as well as demo's.

Attend this session to become "that one colleague"!

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all
  • Be the first to like this

SSL/TLS for Mortals (JavaZone)

  1. 1. SSL/TLSSSL/TLS MM
  2. 2. TT Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at sun.net. .protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net. .protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net. .protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512) at sun.net. .protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440) at sun.net. .protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) at com.infosupport.maartenm.Demo.main(Demo.java:13) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExcepti at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1488) 13 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
  3. 3. WW Using SSL/TLS correctly is often hard to achieve ...and understand! Crucial for secure connection between systems Globally deployed (intra-)cloud applications
  4. 4. 7 L OSI M7 L OSI M data unit layers Data Data Data Segments Packets Frames Bits Application  Network Process to Application Presentation  Data Representation  and Encryption Session  Interhost Communication Transport  End­to­End Connections  and Reliability Network  Path Determination and  Logical Addressing (IP) Data Link  Physical Addressing  (MAC and LLC) Physical  Media, Signal and  Binary Transmission Host LayersMedia Layers
  5. 5. H SSL TLSH SSL TLS SSL 1.0 never released SSL 2.0 1995 - 2011 (POODLE) SSL 3.0 1996 - 2014 (POODLE) TLS 1.0 1999 - 2011 (BEAST) TLS 1.1 2006 TLS 1.2 2008 TLS 1.3 2018
  6. 6. DD What's the issue?!
  7. 7. HH 1. public/private key encryption 2. signed certificates 3. certificate authorities
  8. 8. 1 P P1 P P K EK E
  9. 9. MM 1. Select two prime numbers: 2. Calculate modulo: 3. Select random number < modulo: 4. Find d, so that a. b. c. Note that varies with : when p = 11, q = 17 p ∗ q = 187 e = 3 (d ∗ e) − 1 mod (p − 1) ∗ (q − 1) = 0 320 mod 160 = 0 (321 − 1) mod (10 ∗ 16) = 0 (107 ∗ 3) = 321 ⇒d = 107 d e e = 75, ⇒ d = 183
  10. 10. N , P QN , P Q 1. 2. Find d, so that Pretty hard without knowing and ! As soon as we know , calculating is trivial (again). p ∗ q = 299, e = 5 (d ∗ e) − 1 mod (p − 1) ∗ (q − 1) = 0 p q p = 13, q = 23 d = 317
  11. 11. For big enough and , finding those factors will cost an eternity! So we can distribute and even ! p q p ∗ q e
  12. 12. LL GG p ∗ q = 187, e = 3, G ⇒ 7 = = 3437 e 7 3 343 mod 187 = 156
  13. 13. LL 156156 Since we know and , we can calculatep q d = 107 = ≈ 4.6 ∗156 d 156 107 10 234 mod 187 = 7156 107 7 ⇒ G
  14. 14. NN Client Server 1 ClientHello → 2 ← ServerHello 3 ← Certificate 4 ← ServerKeyExchange 5 ← ServerHelloDone 6 ClientKeyExchange → 7 ChangeCipherSpec → 8 Finished → 9 ← ChangeCipherSpec 10 ← Finished
  15. 15. DD No-one is eavesdropping!
  16. 16. 2 S2 S CC
  17. 17. A certificate contains: Serial Number Subject Validity Usage Public Key Fingerprint Algorithm Fingerprint
  18. 18. But wait... anyone could create a certificate! So we also need Signature Algorithm Signature Issuer ... and a way to sign certificates.
  19. 19. A signature is a mathematical relationship between a message , a private key and a public key . It consists of two functions: 1. signing function 2. verifying function So, given and and knowing , we can tell if is indeed signed by . x sk pk t = f (sk, x) [accept, reject] = g(pk, t, x) x t pk x sk
  20. 20. 3 C3 C AA
  21. 21. An entity that issues digital certificates, certifying the ownership of a public key by the subject of the certificate.
  22. 22. “I can trust you, because I trust John, and John trusts Alice, and Alice trusts you.
  23. 23. So, who is John, anyway? Many John's in todays browsers and operating systems!
  24. 24. Top-notch security procedures, including "key ceremonies" And yet...
  25. 25. “Once upon a time, a Dutch certificate authority named DigiNotar was living happily and carefree in the town of Beverwijk.
  26. 26. “An attacker compromised a webserver of DigiNotar due to a vulnerability that is present within the DotNetNuke software. DotNetNuke version 4.8.2.0 is installed on host winsrv119. This version is affected by a file upload vulnerability.
  27. 27. “Due to the weak security of Windows passwords it must be assumed that the attacker was able to compromise the passwords [...] of the accounts found on the system. On the system, [...] the domain administrator account [...] is present.
  28. 28. “The attacker was able to traverse the infrastructure and obtain access to at least two CA's that were used to generate certificates.
  29. 29. /** intentionally left blank */
  30. 30. WW Google blacklists 247 certificates in Chromium Microsoft removes the DigiNotar root certificate from all supported Windows-releases * Mozilla revokes trust in the DigiNotar root certificate in all supported versions Apple issued Security Update 2011-005 Update Certificate Revocation Lists (although these are self- signed)
  31. 31. DD Trust (for what it's worth)
  32. 32. T , T TT , T T
  33. 33. Simple HTTP client with TLS support: curl -v -k <address> Troubleshoot trust issues and see certificates being used: openssl s_client -showcerts -servername <address> - connect <address>:443 Troubleshoot supported protocols, ciphers, ...: nmap --script ssl-enum-ciphers -p 443 <address>
  34. 34. JVM SJVM S -Djavax.net.ssl.trustStore=<file> Denotes where a truststore can be found: a file that contains trusted certs. -Djavax.net.ssl.trustStorePassword=changeit is the password to that file.
  35. 35. JVM SJVM S -Djavax.net.ssl.keyStore=<file> Denotes where a keystore can be found: a file that contains public and/or private keys. -Djavax.net.ssl.keyStorePassword=changeit is the password to that file.
  36. 36. JVM SJVM S -Djavax.net.debug=ssl:[flag] Include debug logging for TLS handshake and connections. Additional flags: record session sessioncache pluggability plaintext handshake defaultctx keymanager data packet keygen sslctx trustmanager verbose
  37. 37. PP
  38. 38. II Public Key Krüpto by , , and ( ) Puss In Boots by Beverwijk by @ “So long and thanks for all the fish! Sándor P. Fekete Sebastian Morr Sebastian Stiller @ideainstruction kisspng Gerard Hogervorst Wikimedia Commons Maarten Mulders (@mthmulders)#tlsformortals

Using SSL/TLS the right way is often a big hurdle for developers. We prefer to have that one colleague perform "something with certificates", because he/she knows how that works. But what if "that one colleague" is enjoying vacation and something goes wrong with the certificates? In this session we'll take a close look at secure communication at the transport level. Starting with what exactly SSL and TLS is, we'll dive into public/private keys, and signing. We'll also learn what all this has to do with an unfortunate Dutch notary. Of course, there'll be plenty of practical tips & trics, as well as demo's. Attend this session to become "that one colleague"!

Views

Total views

122

On Slideshare

0

From embeds

0

Number of embeds

4

Actions

Downloads

0

Shares

0

Comments

0

Likes

0

×