SSL : Theory and practice

TLS / HTTPS

Theory and practice

1

La 1ère école 100 % dédiée à l'open source

Open Source School est fondée à l'initiative de Smile, leader de l'intégration et de l'infogérance open source, et de l'EPSI,établissement privé pionnier de l’enseignement supérieur en informatique.

Dans le cadre du Programme d’Investissements d’Avenir (PIA), le gouvernement français a décidé de soutenir la création de cette école en lui attribuant une première aide de 1,4M€ et confirme sa volonté de soutenir la filière du Logiciel Libre actuellement en plein développement.

Avec une croissance annuelle de plus de 10%, et 4 000 postes vacants chaque année dans le secteur du Logiciel Libre, OSS entend répondre à la pénurie de compétences du secteur en mobilisant l’ensemble de l’écosystème et en proposant la plus vaste offre en matière de formation aux technologies open source tant en formation initiale qu'en formation continue.

2

Les formations du plein emploi !

Formation Continue

Open Source School "Executive Education" est un organisme de formation agréé qui propose un catalogue de plus de 200 formations professionnelles et différents dispositifs de reconversion permettant le retour à l’emploi (POE) ou une meilleure employabilité pour de nombreux professionnels de l’informatique.

Pour vos demandes : [email protected]

Formation Initiale

100% logiciels libres et 100% alternance, le cursus Open Source School s’appuie sur le référentiel des blocs de compétences de l’EPSI.Il est sanctionné par un titre de niveau I RNCP, Bac+5. Le programme est proposé dans 6 campus à Bordeaux, Lille, Lyon, Montpellier, Nantes, Paris.

mailto:[email protected]

3

Nos domaines de formations

Introduction to cryptography Transport Layer Security X509 certificates Certificate Authorities with OpenSSL Revocation

Introduction to cryptography

www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/59


Context

Context



Context

Context

The context : the Web is intrinsically an insecure medium

relatively easy to listen to a communication: eavesdroppingno certification of identity of both ends of the communication:spoofingno validation that the content has not been tampered: MitMinjection

Not so good for banking, eCommerce, medical applications...

A combination of technologies is used to answer these questions,based on TLS and X509.



Shared secret cryptography






Bob and Alice use the same secret to encrypt and decrypt thedata

Problem : the secret has to be communicated with bothparties

meeting in person to avoid compromise of secrethigher risk of leaking as two parties know the secreteven higher risk when communicating with more people

Insecure and unpractical in a web context



Public key cryptography





A Postal AnalogyAlice wants to send a message to Bob

Bob sends his lock to Alice

The lock can be send via a normal postal service, as it cannotbe easily used to create the matching key

Alice send a message in a box locked with Bob’s key

Not one else than Bob can open the box, as he is the only onewith the key

The box can be send over the normal postal service, as themailman cannot open the box


The lock is the public key, as everyone can use it to lock thebox.The lock’s key is the private key, as only the message receiver(Bob) can open the box




Asymmetric keys

Principle

What is encrypted by the public key can only be decrypted bythe private keyWhat is encrypted by the private key can only be decrypted bythe public key

Public key are shared between the two ends of thecommunication. Bob knows Alice’s public key and Aliceknows Bob public key.

Everybody can have and use the public key withoutcompromising the communication confidentiality




Proving origin and integrity

Confidentiality DOES NOT guaranty origin or integrity

But public key cryptography can

Using Alice’s private key to encrypt a (possibly encrypted)message proves that she wrote it

Hash functions can help with integrity




Message signing




Message verification




Remember

Hash ensures integrity

Encryption with the emitter’s private key ensures origin

Encryption with the recipient’s public key ensuresconfidentiality




Drawbacks

very computationally intensive

too costly to use for real time communication

Solution: hybrid crypto-systems

a symmetric key is generated before each exchangethis key is exchanged with public key cryptographyonce the symmetric key has been exchanged, both system useit to encrypt and decrypt data



Trust and the internet






The previously described system made a big asumption

Alice’s public key belongs to AliceBut what if Mallory sent you her public key, telling you it wasAlice’s ?

How to trust the identity of somebody you don’t know, ormeet in person ?

How to trust a website ?

How to be sure a DNS requested has not been spoofed, oreven the domain name stolen ?maybe mybank.com is really fakebank.hacker.ru. . .




Trusted third party

EVERY. SINGLE. secure identification system in the world isbased at some level on a trusted third party

It can be very strict and hierarchical (X509)It can be loose and unstructured (Web of trust, PGP. . . )




Conclusion

Securing a communication channel through the internet means :

Validating the origin through a third party (X.509)

Exchange a secure session key (TLS)

Communicate through symmetric encryption (TLS)



Transport Layer Security



History

History



History

History

SSL : Secure Socket Layer

created by Netscape in 1995last version : 3.0, 1999insecure as of 2014 (POODLE)

TLS : Transport Layer Security

based on SSL 3.0standardized by the RFC 2246last version : 1.2, 2008

Since 2016, SSL and early versions of TLS are considereddeprecated. TLS 1.2 is the only protocol that should be used.

TLS is often erroneously called SSL



STARTTLS

STARTTLS



STARTTLS

STARTTLS

Regular TLS connections use a dedicated port (80 vs 443)

the communication is encrypted from the beginning to the end.if you need unencrypted and encrypted communications, twoports are necessary

TLS allows security to be negociated mid-communication

only one port is needed and is capable to have bothunencrypted and encrypted communicationsbut this is optional

HTTP does not useIMAP, LDAP, do both (“old” SSL mode vs STARTTLS)



Algorithms

Algorithms



Algorithms

Algorithms

Auto-negociated

Main source of non-certificate problems, although they arerare

Troubleshooting = disable problematic algorithms



Algorithms

Algorithms - state of the art in 2013

NSA Suite (best)

encryption AES256-GCM, AES256-CTRsignature ECDSAhash SHA256, SHA384key exchange ECDH

Previous generation

encryption AES-CBCsignature RSA, DSAhash SHA1key exchange DH

Alternativesencryption CAMELLIA, BLOWFISHhash WHIRLPOOL, RIPEMD160

Insecureencryption RC4 (ArcFour), 3DES, DEShash MD5, MD4



X509 certificates



Chain of trust

Chain of trust



Chain of trust

Content of a certificate

A trusted certification authority is used to asymmetrically signa website public key into a digital certificate

A Digital Certificate contains

entity public keyMetadata :

subject (what this certificate is for)certificate issuer (CA)certificate validity datesetc. (usually constraints)

A signature : crypt(hash(key+meta),issuer private key)



Chain of trust

X509 Certification chain

A CA can be signed by an other CA

this is the certificate chain of trust

The chain is hierarchical

The CA at the top (or bottom of the tree) is the ”rootcertification authority

The trust is transmitted from the root certification authorityto the highest level certificate : the website one



Chain of trust

X509 Root Certificates

Locally stored !

in opposition to non-root CA certificates and websitecertificate that are provided directly by the website

Can be provided

by the browserby the OSby the JVM

Root CA must

be well known and established (Verisign, GoDaddy, Thawte,etc. . . )

be secured: stealing the private key of a CA means end ofbusiness for a root CA (Diginotar)

undergo audit from entity like WebTrust



Chain of trust

X509 Root certificate storage

In the browser

Preferences -> Advanced -> Encryption -> View certificates

The OpenSSL storage

/etc/ssl/certs (in Debian)

The JVM storage

<jre path>lib/security/cacerts



X509 and TLS

X509 and TLS



X509 and TLS

HTTPS Handshake

The client connects to a server and announces supportedciphers

The server chooses the strongest cipher and sends itscertificate

The clients now has the servers public key, and proof (via thesignature) that it is authentic

(simplified : ) the client generates the session key, encrypts itwith the server’s pubkey, and sends it to the server

From now on, every communication is secured using a sessionkey that has been accepted by the two parties



Practice

Practice



Practice

HTTPS Handshake

Handshakingopenssl s client -showcerts -host <myhost> -port

443

With locally stored certificate (Debian) openssl s client

-showcerts -h <myhost> -p 443 -CApath

/etc/ssl/certs/

The CN of the certificate must be equals to the domain nameused to access the website



Practice

Decoding a certificate

Copy and paste from the previous OpenSSL command,between BEGIN CERTIFICATE and END CERTIFICATE,included

openssl x509 -in <file.pem> -text

Certificate formats

by default : PEM formatDER (PEM is simply base64 encoded DER)can be used by OpenSSL and Java (keytool) indifferentlyPKCS#12, PKCS#7 (often used for client certificate)



Practice

How to create a certificate

What do we need ?

a public and private keys pair

an authority to sign our public key and generate our certificate



Practice

How to create a certificate - Public/private key pair

Create a public/private key pair

openssl genrsa -out <mykey> 2048



Practice

How to create a certificate - CSR

Create a certificate signing request (CSR)

by providing all the data of the certificateopenssl req -new -key <mykey> -out

<myserver.csr>be careful : CN = domain name used to access the server



Practice

How to create a certificate - Signature

Create the certificate

by signing the data provided by the certificate request

either send it to the CA

either signed it with your own key

self signed certificate

openssl x509 -req -days <validity> -in

<myserver.csr> -signkey <mykey> -out

<myserver.crt>



Practice

Apache configuration

In the 443 port-based VirtualHost

SSLEngine on

SSLCertificateFile <myserver.crt>SSLCertificateKeyFile <mykey.key>SSLCertificateChainFile <mychain.pem>

Note : usually, put the <myserver.crt> and <mykey> filesin the /etc/apache2/ssl/ directory, only accessible by root



Practice

HTTPS and VirtualHost by Name

The name of the virtualhost is inside the HTTP Host header

The HTTP headers are inside the encrypted communication

The communication is encrypted using the public key thatcontains the hostname. . .

Apache cannot select a certificate if several VirtualHost byname with different certificate are configured

Solutions

wildcard certificate : *.smile.fruse the X509 alternative name extensions : several CN can beused inside one certificateServer Name Indication (SNI) : a TLS extension that sends theVirtualHost name as part of the TLS handshake. Only workson recent clients and server : Debian Squeeze, WindowsVista+IE7



Java and TLS

Java and TLS



Java and TLS

Keytool

Much more basic than openssl tools

Should not be used to generate production certificate

no support for X509v3 extensions

Certificates are stored inside keystore

Listing a keystore content

keytool -list -v -keystore <mykeystore>

Export them to use them outside the Java world

keytool -exportcert -keystore <mykeystore> -alias

-file <mycert>

Displaying certificate content

keytool -printcert -file <cert>



Java and TLS

Keystore

<jre root>/lib/security/cacerts

standard Java Keystore password: changeit

Importing certificate into cacerts

keytool -importcert -alias <myCertAlias> -file

<myCaFile> -keystore cacerts



Java and TLS

Debugging

Use the SSLTest program (in formation/https/programs) toaccess intranet.smile.fr

java -cp . SSLTest intranet.smile.fr 443

Use “ssl” for the javax.net.debug property

java -Djavax.net.debug=ssl



Certificate Authorities with OpenSSL



Configuring the CA

Configuring the CA



Configuring the CA

Configuring the CA

Create a section at the end of /etc/ssl/openssl.cnf

[ my ca ]d i r = /home/ f o r m a t i o n / my cad a t a b a s e = $ d i r / i n d e x . t x tn e w c e r t s d i r = $ d i r / n e w c e r t sc e r t i f i c a t e = $ d i r / c a c e r t . pems e r i a l = $ d i r / s e r i a lp r i v a t e k e y = $ d i r / p r i v a t e / cakey . pemRANDFILE = $ d i r / p r i v a t e / . randd e f a u l t d a y s = 365d e f a u l t c r l d a y s= 30d e f a u l t m d = md5p o l i c y = p o l i c y a n y t h i n ge m a i l i n d n = noname opt = c a d e f a u l tc e r t o p t = c a d e f a u l tc o p y e x t e n s i o n s = none



Creating the CA key

Creating the CA key



Creating the CA key

Creating the CA key

Create the requires folders :

mkdir /home/formation/my ca

mkdir /home/formation/my ca/private

mkdir /home/formation/my ca/newcerts

touch /home/formation/my ca/index.txt

echo 01 > /home/formation/my ca/serial

openssl req -new -x509 -days 3650 -extensions v3 ca

-keyout /home/formation/my ca/private/cakey.pem -out

/home/formation/my ca/cacert.pem

the -extensions switch specify which section in/etc/ssl/openssl.cnf must be applied

A root CA is self-signed



Creating a server certificate






Signing the CSR with the CA

openssl ca -in myserver.csr -name my ca -out

myserver.cert

Importing the CA in the browser

In Firefox:

Preferences -> Advanced -> View certificates -> Authorities-> Import. . .

In Internet Explorer

Windows : Manage Root Certificate



Client authentication





Creating a client certificateAlmost the same thing as a server certificate

When generating the key

Add a password to the key (-des3) to avoid unauthorized use

When generating the CSR

Add the -extensions usr cert switch to the command line

Then sign it with the CA key

To be used in a browser, must be exported to p12 format

openssl pkcs12 -export -in client.crt -inkey

client.key -out client.p12

Specify an export password to avoid people extracting yourcertificate from your browser

Now import it in “Your Certificates”




Client authentication with Apache

SSLOptions +StdEnvVars

SSLVerifyClient require

SSLCACertificateFile /etc/apache2/myCA.cert

Authentication and identification are done by Apache via thecertificate

SSO with client certificate

each application can read data provided by the certificatethe user does not need to enter password



Revocation



Certificate Revocation List

specify with certificate should be revocated

use openssl ca to manage them

Online Certificate Status Protocol

tell the browser where it can find the revocation status of acertificate


Technology

SSL : Theory and practice