Certificates , SSL and IPsec - Computer Science
Download
Report
Transcript Certificates , SSL and IPsec - Computer Science
Certificates , SSL and
IPsec
Ahmed Muaydh
Sara Bin Saif
Shi-Jey Chou
Advisor:Dr. Leszek Lilien
Abstract:
Security is very important topic in
computer science and in networks.
SSL and Certificate is one way to secure
sensitive data from attackers.
In this report we will show how
administrator or software developer can
provide secure communication using SSL
and Certificate.
The overall picture of this process is that
the administrator should generate a
certificate and has it signed by a
Certificate Authority.
The CA verifies that the administrator
legitimately owns the URL in the CN field,
signs the certificate, and gives it back.
SSL protocol will be used by both the
client and the server to encrypt the data.
Motivation for Cert.
Public key is an extremely powerful
technology but it depends on the
distribution of the public key.
The problem of getting keys to people
who need them can be solved by using
digital certificate.
Public Key Certificates
A public key certificate provides a way to
associate a public key with the name of its
owner.
A public key certificate is a data structure
that contains:
owner's name, e-mail address
a public key
validity dates
location of revocation information
location of the issuer's policies
Others (optional)
A public key certificate is issued by a
trusted organization known as a certificate
authority (CA), and provides identification
for the entity.
One must provide proof of identity in
order to obtain a certificate from a CA.
CA is a public certificate authority that is
widely trusted.
Information including the CA's public key
for several root CAs is typically stored in
the client's Internet Browser.
Well-known CAs:
VeriSign, Entrust, and GTE CyberTrust.
Certificate Process
1. Create request for a certificate
2. Submit a request for a certificate
3. Issue the certificate
4. Configure web server to use certificate
Certificate Authority Server
Web Server
ee
LS
SS
si o
n
Client computer
Steps to generate a certificate for
authentication on a web server:
1.
2.
3.
The web server has to generate a key pair
and create a request for certificate.
The request submits to certificate authority
server.
The owner of the certificate server will check
if the request belongs to a party requesting.
1.
2.
3.
The certificate is acquired by web server.
The certificate is used in the configuration of
the web server.
A client can now access the site securely.
Demo: How we doing
Certificate in Windows
Steps in securing communication using
certificate:
1.
Create a certificate request.
1.
submit the certificate request
1.
submit the certificate request (continued)
1.
submit the certificate request (continued)
1.
Issue the certificate.
Download the certificate.
2. Configure the web site to use the SSL
certificate.
3. Configure the web site to use SSL.
1.
Packets captured with Ethereal
SSL is considered a layer on the top of TCP/IP
that provides a secure enhancement to the
standard TCP/IP sockets protocol used for
Internet communications.
SSL Layer
HTTP, FTP, ...
SSL
TCP
IP
The SSL Process
SSL Handshake
SSL process begins with an exchange of
information between the two
communicating parties which is called
SSL handshake.
handshake is done by:
1.
2.
3.
Negotiate the cipher suite
Authenticate identity (optional)
Establish information security by agreeing
on encryption mechanisms
Negotiating the Cipher Suite
The client and the server, begin
negotiating which cipher suite they will
use.
Cipher suite: a set of cryptographic
algorithms and key sizes that a computer
can use to encrypt data.
figure 1.1 (next page)
Client
Server
ClientHello
{
*Certificate
ClientKeyExchange
*CertificateVerify
[ChangeCipherSpec]
Finished
ServerHello
*Certificate
*ServerKeyExchange
*CertificateRequest
ServerHelloDone
}
Handshake done
SSL Handshake
The messages marked with * are optional.
Java provides secure socket framework
that enables secure Internet
communications.
The JSSE (Java Secure Socket Extension)
API is capable of supporting SSL versions
2.0 and 3.0 and Transport Layer Security
(TLS) 1.0.
SSL and Certificate
Programming Using Java
How to program SSL in java
SSL uses certificates for authentication so
we need to create certificates for our
clients and servers.
JSSE can use certificates created by the
java keytool
Java keytool key and certificate
management tool can:
create public and private key pairs
issue certificate requests
import certificate replies
designate public keys belonging to other
parties as trusted
manage keystore
Keystore is a special file that holds keys
and certificates and encrypts them all with
a password
When a server sets up SSL session, it will
retrieve its certificates and keys from its
keystore.
when a client wants to verify the identities
of servers, it will retrieve trusted
certification authority (CA) certificates
from its truststores.
In order to program SSL sockets in java, it
is important to know the main packages
that are part of the JSSE API:
javax.net package which provides the
SocketFactory and ServerSocketFactory
classes, which are used to replace normal TCP
sockets with SSL sockets.
javax.net.ssl package provides classes and
interfaces for establishing and managing an
SSL session
Generating a Server Certificate
Keytool can be used to create server certificate.
We used the following command to create an
RSA certificate, referenced by the alias of Ahmed
, and stored in a new created keystore named
servercerts.
keytool -genkey -keystore servercerts -keyalg
rsa -alias Ahmed -storepass 123456 -keypass
123456
Creating an SSL Client Socket
An example on how to create a client
socket and specify a truststore that
contains the certificates needed to validate
any server's certificate received from the
server.
To do so, run the example below with the
following command:
java -Djavax.net.ssl.trustStore=mytruststore Djavax.net.ssl.trustStorePassword=mytruststorepw
MyClient
/**
* <p>SSL Client </p>
*
* <p>This program uses SSL socket
* and certificate </p>
*
* <p>Copyright: Copyright (c) 2005</p>
*
* <p>School: Western Michigan University</p>
*
* @author: Ahmed Muaydh
* @version 1.0
*/
import javax.net.*;
import java.net.*;
import javax.net.ssl.*;
import java.io.*;
class MyClient{
public static void main(String str[])
{
try {
int port = 443;
int i;
String hostname = "localhost";
InetAddress ina = InetAddress.getLocalHost() ;
//Create secure SSL socket
SocketFactory socketFactory = SSLSocketFactory.getDefault();
Socket socket = socketFactory.createSocket(ina , port);
System.out.println(InetAddress.getLocalHost());
// Create streams to securely send and receive data to the server
InputStream in = socket.getInputStream();
OutputStream out = socket.getOutputStream();
// Read from in and write to out...
DataInputStream dataIn = new DataInputStream (in);
System.out.println(dataIn.readUTF());
// BufferedOutputStream buffOut = new BufferedOutputStream (out);
DataOutputStream data = new DataOutputStream (out);
data.writeUTF("Hello There from the client");
// Close the socket
in.close();
out.close();
} catch(IOException e) {
System.out.println(e);
}
}
}
Creating an SSL Server Socket
Now assume that a keystore is created.
To specify the keystore of certificates for
an SSL server socket, we can use the
javax.net.ssl.keyStore system property.
To do so, run the example below with the
following command:
java -Djavax.net.ssl.keyStore=Ahmed Djavax.net.ssl.keyStorePassword=123456
MyServer
/**
* <p>SSL Server </p>
*
* <p>This program uses SSL socket
* and certificate </p>
*
* <p>Copyright: Copyright (c) 2005</p>
*
* <p>School: Western Michigan University</p>
*
* @author: Ahmed Muaydh
* @version 1.0
*/
import javax.net.*;
import java.net.*;
import javax.net.ssl.*;
import java.io.*;
class MyServer{
public static void main(String str[])
{
try {
int port = 443;
ServerSocketFactory ssocketFactory = SSLServerSocketFactory.getDefault();
ServerSocket ssocket = ssocketFactory.createServerSocket(port);
// Listen for connections
Socket socket = ssocket.accept();
System.out.println("Client got connected");
// Create streams to securely send and receive data to the client
InputStream in = socket.getInputStream();
OutputStream out = socket.getOutputStream();
// Read from in and write to out...
// BufferedOutputStream buffOut = new BufferedOutputStream (out);
DataOutputStream data = new DataOutputStream (out);
data.writeUTF("Hello There from the Server");
//BufferedInputStream buffIn = new BufferedInputStream (in);
DataInputStream dataIn = new DataInputStream (in);
System.out.println(dataIn.readUTF());
// Close the socket
in.close();
out.close();
} catch(IOException e) {
System.out.println(e);
}
}
}
IP sec
IPsec is a protocol which sits on top of the
Internet Protocol (IP) layer. It allows two
or more hosts to communicate in a secure
way.
To secure the link we will be using IPsec in
VPN
● IPSec in Windows consists of three main components
● Policy Agent("IPSec Policy Agent" in Windows
2000): acquire and distribute the IPSec policies that
the administrator has defined
● Internet Key Exchange (IKE) module : (Its function
is to negotiate Security Associations (SA).
● IPSec driver is responsible for exercising the filters,
and maintaining the stateful status of connections
●
To enable audit policy