If you think they are easy, you are (probably) doing them wrong. A presentation about issues with TLS and X.509 certificates for Tampere security people (TreSec, @TreSecCommunity) meetup on 21st of March 2018.
Updated, extended presentation how to deploy EAP-TLS based certificate authentication and authorisation solution within organisation or enterprise. In addition to EAP-TLS in general, the presentation also covers some features of Radiator RADIUS server software, which are particularly useful when used with certificates and EAP-TLS. The presentation was originally presented in the JISC govroam stakeholder's meeting 23rd of October 2019 in London, United Kingdom.
Routing host certificates in eduroam/govroamKarri Huhtanen
A presentation for govroam stakeholders' meeting about issuing, configuring and deploying such host client certificates, which can be used in roaming federation networks such as eduroam, govroam, roam.fi, openroaming etc.
Security issues in RADIUS based Wi-Fi AAA (aka WPA2 Enterprise AAA) presentation in alumni seminar for Tampere University of Technology information technology, software engineering and telecommunications alumni at Tampere University of Technology, 13th of October 2018.
MobileFunet meeting 27.1.2021 describing idea how non-routable Windows host certificates could be routed by encapsulating them inside EAP-TTLS authentication. The presentation already includes proof-of-concept tests and plans for future work.
Updated, extended presentation how to deploy EAP-TLS based certificate authentication and authorisation solution within organisation or enterprise. In addition to EAP-TLS in general, the presentation also covers some features of Radiator RADIUS server software, which are particularly useful when used with certificates and EAP-TLS. The presentation was originally presented in the JISC govroam stakeholder's meeting 23rd of October 2019 in London, United Kingdom.
Routing host certificates in eduroam/govroamKarri Huhtanen
A presentation for govroam stakeholders' meeting about issuing, configuring and deploying such host client certificates, which can be used in roaming federation networks such as eduroam, govroam, roam.fi, openroaming etc.
Security issues in RADIUS based Wi-Fi AAA (aka WPA2 Enterprise AAA) presentation in alumni seminar for Tampere University of Technology information technology, software engineering and telecommunications alumni at Tampere University of Technology, 13th of October 2018.
MobileFunet meeting 27.1.2021 describing idea how non-routable Windows host certificates could be routed by encapsulating them inside EAP-TTLS authentication. The presentation already includes proof-of-concept tests and plans for future work.
Short overview of AAA and the RADIUS protocol.
The term AAA (say triple A) subsumes the functions used in network access to allow a user or a computer to access a network and use its resources.
AAA stands for Authentication (is the user authentic?), Authorization (what is the user allowed to do?) and Accounting (track resource usage by the user).
AAA is typically employed at network ingress points to control user's access to the network and resources.
The most prominent protocol for AAA is RADIUS (Remote Authentication Dial In User Service) which defines messages for opening and closing a network session and counting network usage (packet and byte count).
RADIUS usually works in conjunction with an LDAP server that stores the policies and user authorizations in a central repository.
Kerberos is a Network Protocol that uses Secret - key cryptography to authenticate client - server applications. It provides the difference between the Firewall and kerberos. And also this slides are gives the information about how does the Kerberos works in ticket granting service and in Application server. Kerberos are work Within networks and small sets of networks.
Training Slides: 302 - Securing Your Cluster With SSLContinuent
Watch this 41min training session on how to secure your Tungsten Cluster with SSL, looking at internal cluster communications as well as how to deploy SSL for the Tungsten Connector. It all starts off with some background information on what SSL is all about.
TOPICS COVERED
- What is SSL?
- Deploying SSL for Cluster communications
- Deploying SSL for Tungsten Connector
Short overview of AAA and the RADIUS protocol.
The term AAA (say triple A) subsumes the functions used in network access to allow a user or a computer to access a network and use its resources.
AAA stands for Authentication (is the user authentic?), Authorization (what is the user allowed to do?) and Accounting (track resource usage by the user).
AAA is typically employed at network ingress points to control user's access to the network and resources.
The most prominent protocol for AAA is RADIUS (Remote Authentication Dial In User Service) which defines messages for opening and closing a network session and counting network usage (packet and byte count).
RADIUS usually works in conjunction with an LDAP server that stores the policies and user authorizations in a central repository.
Kerberos is a Network Protocol that uses Secret - key cryptography to authenticate client - server applications. It provides the difference between the Firewall and kerberos. And also this slides are gives the information about how does the Kerberos works in ticket granting service and in Application server. Kerberos are work Within networks and small sets of networks.
Training Slides: 302 - Securing Your Cluster With SSLContinuent
Watch this 41min training session on how to secure your Tungsten Cluster with SSL, looking at internal cluster communications as well as how to deploy SSL for the Tungsten Connector. It all starts off with some background information on what SSL is all about.
TOPICS COVERED
- What is SSL?
- Deploying SSL for Cluster communications
- Deploying SSL for Tungsten Connector
Hardening cassandra for compliance or paranoiazznate
How to secure a cassandra cluster. Includes details on configuring SSL, setting up a certificate authority and creating certificates and trust chains for the JVM.
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).DataStax Academy
Security is always at odds with usability, particularly in the context of operations and development. More so when dealing with a distributed system such as Apache Cassandra. In this presentation, we'll walk through the steps required to completely secure a Cassandra cluster to meet most regulatory and compliance guidelines.
Topics will include:
- Encrypting cross-DC traffic
- Different types of at-rest disk encryption options available (and how to tune them)
- Configuring SSL for inter-cluster communication
- Configuring SSL between clients and the API
- Configuring and managing client authentication
Attendees will leave this presentation with the knowledge required to harden Cassandra to meet most guidelines imposed by regulations and compliance.
Seattle C* Meetup: Hardening cassandra for compliance or paranoiazznate
Details how to secure Apache Cassandra clusters. Covers client to server and server to server encryption, securing management and tooling, using authentication and authorization, as well as options for encryption at rest.
Cisco iso based CA (certificate authority)Netwax Lab
IOS CA is short for Certificate Authority on IOS. It's a simple, yet very powerful tool to deploy certificates
in environments where PKI is needed for security reasons.
In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital
certificates. A digital certificate certifies the ownership of a public key by the named subject of the
certificate. This allows others (relying parties) to rely upon signatures or on assertions made by the
private key that corresponds to the certified public key. In this model of trust relationships, a CA is a
trusted third party - trusted both by the subject (owner) of the certificate and by the party relying upon
the certificate.
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...Andrejs Vorobjovs
Experience in implementing SSL between Oracle DB and Oracle Clients" - presentation will explain how to configure implement SSL between Oracle DB/Client
Presentation of a few mechanisms that can help to automate the bootstrap process in IoT environment.
This is the summary of my work done during an 8 weeks internship at red hat
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyKarri Huhtanen
Karri Huhtanen's presentation about Wi-Fi Roaming Security and Privacy in Disobey 2024 on the 16th of February 2024 ( https://disobey.fi/2024/profile/disobey2024-154-wi-fi-roaming-security-and-privacy ).
Wi-Fi network security presentations are often about breaking the link level (radio) encryption or deploying evil twin Wi-Fi access points to perform man-in-the-middle attacks. This presentation focuses instead to the security and privacy in Wi-Fi roaming, offloading and federated networks, where there are different issues and vectors to utilise or defend against.
Adding OpenRoaming to existing IdP and roaming federation serviceKarri Huhtanen
The first deployment experiences of adding OpenRoaming functionality to existing IdP and roaming federation service. A presentation presented in the OpenRoaming Implementer's call on the 2nd of November 2022.
My presentation in the Radiator Software's webinar about OpenRoaming, how it works, what are its benefits and how Radiator Software can help to deploy it in your business.
Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoamingKarri Huhtanen
A presentation at FUNET Technical Days 2021 about research projects combining (5G) SIM authentication to eduroam Finland and ongoing work and benefits with OpenRoaming global Wi-Fi roaming in roam.fi or eduroam Finland networks.
A presentation for KyLÄ project opening seminar ( https://projects.tuni.fi/kyla/tapahtumat/avausseminaari/ ) about experiences and lessons learned in building cooperative labs, testbeds and networks.
Privacy and traceability in Wi-Fi networksKarri Huhtanen
Tampere Smart City Week 2021 presentation about recent privacy and traceability developments in Wi-Fi networks and especially about MAC address randomisation and its implications.
What is Network Function Virtualisation (NFV)?Karri Huhtanen
An updated presentation (v1.2) about what is the concept and the idea behind Network Function Virtualisation (NFV) for Tampere University of Technology Service oriented architectures course. Includes introduction to NFV and VNF (Virtualised Network Function) architecture, components and interfaces.
What is Network Function Virtualisation (NFV)?Karri Huhtanen
A presentation about what is the concept and the idea behind Network Function Virtualisation (NFV). Includes introduction to NFV and VNF (Virtualised Network Function) architecture, components and interfaces.
Building secure, privacy aware, quality Wi-Fi coverage via cooperationKarri Huhtanen
Building secure, privacy aware, quality Wi-Fi coverage via cooperation presentation for MindTrek 2015 ( #mtom2015 ) in Tampere, Finland. The presentation covers an idea to build community Wi-Fi networks by joining existing networks via federated RADIUS authentication just like eduroam, but for all organisations, cities, government organisations, operators and companies regardless if they are commercial or not.
Connecting the Dots: Integrating RADIUS to Network Measurement and MonitoringKarri Huhtanen
Nowadays data of the network usage is too often separated to various network components all around service provider network. Utilising RADIUS more efficiently is one approach to collect more data about network usage, combining it to network measurement, monitoring and management makes it even more efficient tool to use to get a real network situation and history overview.
Building city and nationwide Wi-Fi coverage via cooperationKarri Huhtanen
Building city and nationwide Wi-Fi coverage via cooperation presents the problem of building yet another overlapping citywide network instead of choosing cooperative approach to connect existing Wi-Fi networks via common policies, configurations and authentication decisions. The presentation promotes expanding eduroam(tm) model from academic world to regional, intercompany and government roaming.
Using NoSQL databases to store RADIUS and Syslog dataKarri Huhtanen
A seminar presentation done for TUT's NoSQL course. A brief look into the possibility and the feasibility of using NoSQL databases to store RADIUS accounting and Syslog data. In this particular case, Syslog-NG, Radiator RADIUS server and MongoDB were used as trial platforms. The presentation includes configuration examples and also some code.
5 minute pitch in Mobile Monday Tampere (#momotre) about the opportunties in cloud based identity management and what is Arch Red's (my company) offering.
Joukkoliikennedatan ongelmat ja ratkaisujaKarri Huhtanen
Avoimen datan talkoissa työryhmämme otti mietittäväkseen joukkoliikennedatan ongelmat. Ryhmän löytämät kaksi ongelmaa ja niiden ratkaisut ovat kuitenkin yleisiä datan tarjoamiseen liittyviä ongelmia ja ratkaisuja, joita kannattaa ainakin miettiä avointa dataa tarjotessa.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
4. It is more complicated than that...
>>> import httplib
>>> conn = httplib.HTTPSConnection("www.python.org")
>>> conn.request("GET", "/")
>>> r1 = conn.getresponse()
>>> print r1.status, r1.reason
200 OK
Who is this www.python.org? What DNS are we
using? What is the IP of this www.python.org in
the DNS we are using? Do these match, do we
get exception if they don’t? Do we verify the
certificate? Who do we accept as certifiers for
the certificate? What is the allowed use of
certificate? What TLS/SSL version we are
using? What encryption? Do we have Perfect
Forward Secrecy? What are the other TLS
connection parameters? What wrapper,
TLS/SSL library we are using and what are their
defaults? ...
5. Making the connection...
class httplib.HTTPSConnection(host[, port[, key_file[, cert_file[, strict[, timeout[, source_address[, context]]]]]]])
A subclass of HTTPConnection that uses SSL for communication with secure servers. Default port is 443. If
context is specified, it must be a ssl.SSLContextinstance describing the various SSL options.
key_file and cert_file are deprecated, please use ssl.SSLContext.load_cert_chain() instead, or let
ssl.create_default_context() select the system’s trusted CA certificates for you.
Please read Security considerations for more information on best practices.
New in version 2.0.
Changed in version 2.6: timeout was added.
Changed in version 2.7: source_address was added.
Changed in version 2.7.9: context was added.
This class now performs all the necessary certificate and hostname checks by default. To revert to the previous,
unverified, behavior ssl._create_unverified_context() can be passed to the context parameter.
CVE-2014-9365 – HTTPS man-in-the-middle attack
against Python clients using default settings
6. Checking context...
ssl.create_default_context(purpose=Purpose.SERVER_AUTH, cafile=None, capath=None, cadata=None)
Return a new SSLContext object with default settings for the given purpose. The settings are chosen by the ssl module,
and usually represent a higher security level than when calling the SSLContext constructor directly.
cafile, capath, cadata represent optional CA certificates to trust for certificate verification, as in
SSLContext.load_verify_locations(). If all three are None, this function can choose to trust the system’s default CA
certificates instead.
The settings are: PROTOCOL_SSLv23, OP_NO_SSLv2, and OP_NO_SSLv3 with high encryption cipher suites without
RC4 and without unauthenticated cipher suites. Passing SERVER_AUTH as purpose sets verify_mode to
CERT_REQUIRED and either loads CA certificates (when at least one of cafile, capath or cadata is given) or uses
SSLContext.load_default_certs() to load default CA certificates.
Note The protocol, options, cipher and other settings may change to more restrictive values anytime without prior
deprecation. The values represent a fair balance between compatibility and security. If your application needs specific
settings, you should create a SSLContext and apply the settings yourself.
Who can be the certifier?
What TLS protocols are allowed?
To ensure consistent settings, DIY?
Purpose here is not the X.509 certificate
extended parameter purpose
7. This does not feel so difficult...
So I make my own context correctly, make the
connection, check the possible exceptions and
then it is no worries mate?
10. Certificate revocation check (against CRL)
SSLContext.verify_flags
The flags for certificate
verification operations. You
can set flags like
VERIFY_CRL_CHECK_LEAF
by ORing them together. By
default OpenSSL does
neither require nor verify
certificate revocation lists
(CRLs). Available only with
openssl version 0.9.8+.
#!/usr/bin/env python
import httplib
import ssl
context=ssl.create_default_context()
context.verify_flags=context.verify_flags|ssl.VERIFY_CRL_CHECK_CHAIN
conn = httplib.HTTPSConnection("www.python.org",context=context)
conn.request("GET", "/")
r1 = conn.getresponse()
print r1.status, r1.reason
The code works, I was able to see connection to crl servers, but soon the
CRL was cached by the OpenSSL and could not get a dump with contents
to see if anything was transferred.
11. Certificate revocation lists (CRL)
● Are retrieved and cached the first time a
request to check the certificate chain is made
● SSL library handles caching
● CRLs have LastUpdate and NextUpdate Fields
to control caching
● But what if first time CRL cannot be retrieved?
12. Case: Internet Explorer and Wi-Fi captive portals
● Internet Explorer users were complaining that getting to web
authentication page took too long. Other browser users were
fine.
● It was discovered that Internet Explorer wanted to check the
CRL of the captive portal WWW server and because it could
not get it, it waited until all of its tries timeouted.
● The solution was to define at least some of the CRL server
IPs as pass through addresses in the captive portal.
● When Internet Explorer was able to get and verify CRLs, the
delay vanished.
13. HTTPS is easy compared to other TLS services
● In most cases everybody just trusts all CA certificates in
browser or operating system certificate store.
● With HTTPS one usually has enough network connectivity to
retrieve CRLs or even use Online Certificate Status Protocol
(OCSP).
● DNS-IP Address-Certificate verification (and others even
better verifications) can be performed against used service.
● With other TLS services everything is not so straight forward.
14. Securing TLS services
● For VPN or network access accepting any CA signed
certificates is probably not a good idea.
● For email, instant messaging, software updates etc.
accepting any CA signed certificates will mean that at least
state actors can have access to your data and devices.
● The certifying CA, purpose of the certificate and checking
what it really verifies becomes increasingly important.
● Methods that help detecting service certificate changes
(certificate pinning) and verify certificates offline (OCSP
stapling) help to prevent MitM attacks.
15. Case: TLS VPN with certificate authentication
● PKI with Root CA and separate Intermediate CAs for People and
Servers
● VPN termination point misconfigured to trust Root CA verified
certificates, VPN clients misconfigured to trust Root CA
● Now Root, Servers and People CA signed client certificates can
authenticate successfully against VPN termination point, VPN
clients accept any certificates certified by previous CAs as VPN
termination point.
● This is made possible by not being careful in configuring CA
settings, hostname, certificate and certificate purpose checks.
Think about if we would in addition trust to any CA in system?
16. Case: WPA Enterprise Wi-Fi authentication
● Without IP connectivity terminal starts authentication process with
RADIUS server.
● Terminal is supposed to verify RADIUS server certificate and
certificate details (usually hostname) against certain CA certificate.
● Often these checks are bypassed, sometimes they are not even
configurable without creating and deploying separate device
management configuration profiles in devices.
● At least username and password hash are in danger to be
captured by anyone setting up Wi-Fi AP and RADIUS server with a
certificate and network name accepted by the client device.
● Once again certificate checks and configuration matter.
17. Securing WPA Enterprise Wi-Fi Authentication
● Certificate check and configuration, (forcing) device
profiles
● Switching from username-password to client
certificate, SIM or elliptic curves (EAP-PWD) based
authentication
● Using certificate pinning for RADIUS server certificate
● Using OCSP stapling [1]
[1] http://radiatorcookbook.open.com.au/2018/02/new-feature-ocsp-and-ocsp-stapling.html
18. Summary
● TLS and certificates are not easy. They require careful design,
implementation, testing, configuration and deployment.
● This presentation did not cover everything. It barely scratched PKI
and more advanced certificate verification.
● Hopefully this presentation raised more concern or interest in
ensuring that TLS and certificates are properly done in your
projects, services and systems.
● Doing everything properly needs understanding of the whole stack
(PKI, users, application/service, programming language, TLS
wrappers, TLS library, configurations and Internet/transport in
between service and terminal).
19. Thank you. Questions?
For more information:
Karri Huhtanen
Radiator Software Oy
https://radiatorsoftware.com/