SSL : Theory and practice

TLS / HTTPS
Theory and practice

1
La 1ère école 100 % dédiée à l'open source
Open Source School est fondée à l'initiative de Smile, leader de
l'intégration et de l'infogérance open source, et de l'EPSI,établissement
privé pionnier de l’enseignement supérieur en informatique.
Dans le cadre du Programme d’Investissements d’Avenir (PIA), le
gouvernement français a décidé de soutenir la création de cette école en
lui attribuant une première aide de 1,4M€ et confirme sa volonté de
soutenir la filière du Logiciel Libre actuellement en plein développement.
Avec une croissance annuelle de plus de 10%, et 4 000
postes vacants chaque année dans le secteur du Logiciel
Libre, OSS entend répondre à la pénurie de compétences du
secteur en mobilisant l’ensemble de l’écosystème et en
proposant la plus vaste offre en matière de formation aux
technologies open source tant en formation initiale qu'en
formation continue.

2
Les formations du plein emploi !
 Formation Continue
Open Source School "Executive Education" est un organisme
de formation qui propose un catalogue de plus de 200
formations professionnelles et différents dispositifs de
reconversion permettant le retour à l’emploi (POE) ou une
meilleure employabilité pour de nombreux professionnels de
l’informatique.
 Pour vos demandes : formations@opensourceschool.fr
 Formation Initiale
100% logiciels libres et 100% alternance, le cursus Open
Source School s’appuie sur le référentiel des blocs de
compétences de l’EPSI.
Il est sanctionné par un titre de niveau I RNCP, Bac+5.
Le programme est proposé dans 6 campus à Bordeaux, Lille,
Lyon, Montpellier, Nantes, Paris.

Introduction to cryptography Transport Layer Security X509 certiﬁcates Certiﬁcate Authorities with OpenSSL Revoca
Introduction to cryptography
www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/59

Context
Context

Context
Context
The context : the Web is intrinsically an insecure medium
relatively easy to listen to a communication: eavesdropping
no certiﬁcation of identity of both ends of the communication:
spooﬁng
no validation that the content has not been tampered: MitM
injection
Not so good for banking, eCommerce, medical applications...
A combination of technologies is used to answer these questions,
based on TLS and X509.

Shared secret cryptography

Bob and Alice use the same secret to encrypt and decrypt the
data
Problem : the secret has to be communicated with both
parties
meeting in person to avoid compromise of secret
higher risk of leaking as two parties know the secret
even higher risk when communicating with more people
Insecure and unpractical in a web context

Public key cryptography

A Postal Analogy
Alice wants to send a message to Bob
Bob sends his lock to Alice
The lock can be send via a normal postal service, as it cannot
be easily used to create the matching key
Alice send a message in a box locked with Bob’s key
Not one else than Bob can open the box, as he is the only one
with the key
The box can be send over the normal postal service, as the
mailman cannot open the box
The lock is the public key, as everyone can use it to lock the
box.
The lock’s key is the private key, as only the message receiver
(Bob) can open the box

Asymmetric keys
Principle
What is encrypted by the public key can only be decrypted by
the private key
What is encrypted by the private key can only be decrypted by
the public key
Public key are shared between the two ends of the
communication. Bob knows Alice’s public key and Alice
knows Bob public key.
Everybody can have and use the public key without
compromising the communication conﬁdentiality

Proving origin and integrity
Conﬁdentiality DOES NOT guaranty origin or integrity
But public key cryptography can
Using Alice’s private key to encrypt a (possibly encrypted)
message proves that she wrote it
Hash functions can help with integrity

Message signing

Message veriﬁcation

Remember
Hash ensures integrity
Encryption with the emitter’s private key ensures origin
Encryption with the recipient’s public key ensures
conﬁdentiality

Drawbacks
very computationally intensive
too costly to use for real time communication
Solution: hybrid crypto-systems
a symmetric key is generated before each exchange
this key is exchanged with public key cryptography
once the symmetric key has been exchanged, both system use
it to encrypt and decrypt data

Trust and the internet

The previously described system made a big asumption
Alice’s public key belongs to Alice
But what if Mallory sent you her public key, telling you it was
Alice’s ?
How to trust the identity of somebody you don’t know, or
meet in person ?
How to trust a website ?
How to be sure a DNS requested has not been spoofed, or
even the domain name stolen ?
maybe mybank.com is really fakebank.hacker.ru. . .

Trusted third party
EVERY. SINGLE. secure identiﬁcation system in the world is
based at some level on a trusted third party
It can be very strict and hierarchical (X509)
It can be loose and unstructured (Web of trust, PGP. . . )

Conclusion
Securing a communication channel through the internet means :
Validating the origin through a third party (X.509)
Exchange a secure session key (TLS)
Communicate through symmetric encryption (TLS)

Transport Layer Security

History
History

History
History
SSL : Secure Socket Layer
created by Netscape in 1995
last version : 3.0, 1999
insecure as of 2014 (POODLE)
TLS : Transport Layer Security
based on SSL 3.0
standardized by the RFC 2246
last version : 1.2, 2008
Since 2016, SSL and early versions of TLS are considered
deprecated. TLS 1.2 is the only protocol that should be used.
TLS is often erroneously called SSL

STARTTLS
STARTTLS

STARTTLS
STARTTLS
Regular TLS connections use a dedicated port (80 vs 443)
the communication is encrypted from the beginning to the end.
if you need unencrypted and encrypted communications, two
ports are necessary
TLS allows security to be negociated mid-communication
only one port is needed and is capable to have both
unencrypted and encrypted communications
but this is optional
HTTP does not use
IMAP, LDAP, do both (“old” SSL mode vs STARTTLS)

Algorithms
Algorithms

Algorithms
Algorithms
Auto-negociated
Main source of non-certiﬁcate problems, although they are
rare
Troubleshooting = disable problematic algorithms

Algorithms
Algorithms - state of the art in 2013
NSA Suite (best)
encryption AES256-GCM, AES256-CTR
signature ECDSA
hash SHA256, SHA384
key exchange ECDH
Previous generation
encryption AES-CBC
signature RSA, DSA
hash SHA1
key exchange DH
Alternatives
encryption CAMELLIA, BLOWFISH
hash WHIRLPOOL, RIPEMD160
Insecure
encryption RC4 (ArcFour), 3DES, DES
hash MD5, MD4

X509 certiﬁcates

Chain of trust
Chain of trust

Chain of trust
Content of a certificate
A trusted certification authority is used to asymmetrically sign
a website public key into a digital certificate
A Digital Certificate contains
entity public key
Metadata :
subject (what this certificate is for)
certificate issuer (CA)
certificate validity dates
etc. (usually constraints)
A signature : crypt(hash(key+meta),issuer private key)

Chain of trust
X509 Certification chain
A CA can be signed by an other CA
this is the certificate chain of trust
The chain is hierarchical
The CA at the top (or bottom of the tree) is the ”root
certification authority
The trust is transmitted from the root certification authority
to the highest level certificate : the website one

Chain of trust
X509 Root Certificates
Locally stored !
in opposition to non-root CA certificates and website
certificate that are provided directly by the website
Can be provided
by the browser
by the OS
by the JVM
Root CA must
be well known and established (Verisign, GoDaddy, Thawte,
etc. . . )
be secured: stealing the private key of a CA means end of
business for a root CA (Diginotar)
undergo audit from entity like WebTrust

Chain of trust
X509 Root certiﬁcate storage
In the browser
Preferences -> Advanced -> Encryption -> View certiﬁcates
The OpenSSL storage
/etc/ssl/certs (in Debian)
The JVM storage
<jre path>lib/security/cacerts

X509 and TLS
X509 and TLS

X509 and TLS
HTTPS Handshake
The client connects to a server and announces supported
ciphers
The server chooses the strongest cipher and sends its
certiﬁcate
The clients now has the servers public key, and proof (via the
signature) that it is authentic
(simpliﬁed : ) the client generates the session key, encrypts it
with the server’s pubkey, and sends it to the server
From now on, every communication is secured using a session
key that has been accepted by the two parties

Practice
Practice

Practice
HTTPS Handshake
Handshaking
openssl s client -showcerts -host <myhost> -port
443
With locally stored certiﬁcate (Debian) openssl s client
-showcerts -h <myhost> -p 443 -CApath
/etc/ssl/certs/
The CN of the certiﬁcate must be equals to the domain name
used to access the website

Practice
Decoding a certificate
Copy and paste from the previous OpenSSL command,
between BEGIN CERTIFICATE and END CERTIFICATE,
included
openssl x509 -in <file.pem> -text
Certificate formats
by default : PEM format
DER (PEM is simply base64 encoded DER)
can be used by OpenSSL and Java (keytool) indifferently
PKCS#12, PKCS#7 (often used for client certificate)

Practice
How to create a certiﬁcate
What do we need ?
a public and private keys pair
an authority to sign our public key and generate our certiﬁcate

Practice
How to create a certiﬁcate - Public/private key pair
Create a public/private key pair
openssl genrsa -out <mykey> 2048

Practice
How to create a certificate - CSR
Create a certificate signing request (CSR)
by providing all the data of the certificate
openssl req -new -key <mykey> -out
<myserver.csr>
be careful : CN = domain name used to access the server

Practice
How to create a certificate - Signature
Create the certificate
by signing the data provided by the certificate request
either send it to the CA
either signed it with your own key
self signed certificate
openssl x509 -req -days <validity> -in
<myserver.csr> -signkey <mykey> -out
<myserver.crt>

Practice
Apache conﬁguration
In the 443 port-based VirtualHost
SSLEngine on
SSLCertificateFile <myserver.crt>
SSLCertificateKeyFile <mykey.key>
SSLCertificateChainFile <mychain.pem>
Note : usually, put the <myserver.crt> and <mykey> ﬁles
in the /etc/apache2/ssl/ directory, only accessible by root

Practice
HTTPS and VirtualHost by Name
The name of the virtualhost is inside the HTTP Host header
The HTTP headers are inside the encrypted communication
The communication is encrypted using the public key that
contains the hostname. . .
Apache cannot select a certificate if several VirtualHost by
name with different certificate are configured
Solutions
wildcard certificate : *.smile.fr
use the X509 alternative name extensions : several CN can be
used inside one certificate
Server Name Indication (SNI) : a TLS extension that sends the
VirtualHost name as part of the TLS handshake. Only works
on recent clients and server : Debian Squeeze, Windows
Vista+IE7

Java and TLS
Java and TLS

Java and TLS
Keytool
Much more basic than openssl tools
Should not be used to generate production certificate
no support for X509v3 extensions
Certificates are stored inside keystore
Listing a keystore content
keytool -list -v -keystore <mykeystore>
Export them to use them outside the Java world
keytool -exportcert -keystore <mykeystore> -alias
-file <mycert>
Displaying certificate content
keytool -printcert -file <cert>

Java and TLS
Keystore
<jre root>/lib/security/cacerts
standard Java Keystore password: changeit
Importing certiﬁcate into cacerts
keytool -importcert -alias <myCertAlias> -file
<myCaFile> -keystore cacerts

Java and TLS
Debugging
Use the SSLTest program (in formation/https/programs) to
access intranet.smile.fr
java -cp . SSLTest intranet.smile.fr 443
Use “ssl” for the javax.net.debug property
java -Djavax.net.debug=ssl

Certiﬁcate Authorities with Ope

Conﬁguring the CA
Conﬁguring the CA

Conﬁguring the CA
Conﬁguring the CA
Create a section at the end of /etc/ssl/openssl.cnf
[ my ca ]
d i r = /home/ formation /my ca
database = $ d i r / index . t x t
n e w c e r t s d i r = $ d i r / newcerts
c e r t i f i c a t e = $ d i r / c a c e r t . pem
s e r i a l = $ d i r / s e r i a l
p r i v a t e k e y = $ d i r / p r i v a t e / cakey . pem
RANDFILE = $ d i r / p r i v a t e /. rand
d e f a u l t d a y s = 365
d e f a u l t c r l d a y s= 30
default md = md5
p o l i c y = p o l i c y a n y t h i n g
e m a i l i n d n = no
name opt = c a d e f a u l t
c e r t o p t = c a d e f a u l t
c o p y e x t e n s i o n s = none

Creating the CA key
Creating the CA key

Creating the CA key
Creating the CA key
Create the requires folders :
mkdir /home/formation/my ca
mkdir /home/formation/my ca/private
mkdir /home/formation/my ca/newcerts
touch /home/formation/my ca/index.txt
echo 01 > /home/formation/my ca/serial
openssl req -new -x509 -days 3650 -extensions v3 ca
-keyout /home/formation/my ca/private/cakey.pem -out
/home/formation/my ca/cacert.pem
the -extensions switch specify which section in
/etc/ssl/openssl.cnf must be applied
A root CA is self-signed

Creating a server certiﬁcate

Signing the CSR with the CA
openssl ca -in myserver.csr -name my ca -out
myserver.cert
Importing the CA in the browser
In Firefox:
Preferences -> Advanced -> View certiﬁcates -> Authorities
-> Import. . .
In Internet Explorer
Windows : Manage Root Certiﬁcate

Client authentication

Creating a client certificate
Almost the same thing as a server certificate
When generating the key
Add a password to the key (-des3) to avoid unauthorized use
When generating the CSR
Add the -extensions usr cert switch to the command line
Then sign it with the CA key
To be used in a browser, must be exported to p12 format
openssl pkcs12 -export -in client.crt -inkey
client.key -out client.p12
Specify an export password to avoid people extracting your
certificate from your browser
Now import it in “Your Certificates”

Client authentication with Apache
SSLOptions +StdEnvVars
SSLVerifyClient require
SSLCACertificateFile /etc/apache2/myCA.cert
Authentication and identification are done by Apache via the
certificate
SSO with client certificate
each application can read data provided by the certificate
the user does not need to enter password

Revocation

Certificate Revocation List
specify with certificate should be revocated
use openssl ca to manage them
Online Certificate Status Protocol
tell the browser where it can find the revocation status of a
certificate

SSL : Theory and practice

More Related Content

Similar to SSL : Theory and practice

More from Open Source School

Recently uploaded

SSL : Theory and practice