A Programmer’s Guide to Secure Connections

Slides:



Advertisements
Similar presentations
SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
Advertisements

SSL Implementation Guide Onno W. Purbo
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography and Network Security
Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
Digital Signatures. Anononymity and the Internet.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
Chapter 8 Web Security.
TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.
SSL Technology Overview and Troubleshooting Tips.
IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.
Secure Socket Layer (SSL)
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Web Security : Secure Socket Layer Secure Electronic Transaction.
Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.
Pertemuan #10 Secure HTTP (HTTPS) Kuliah Pengaman Jaringan.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Secure Socket Layer SSL and TLS. SSL Protocol Peer negotiation for algorithm support Public key encryptionPublic key encryption -based key exchange and.
Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
Apr 1, 2003Mårten Trolin1 Previous lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.
PRESENTATION ON SECURE SOCKET LAYER (SSL) BY: ARZOO THAKUR M.E. C.S.E (REGULAR) BATCH
1 Internet data security (HTTPS and SSL) Ruiwu Chen.
TLS/SSL Protocol Presented by: Vivek Nelamangala Includes slides presented by Miao Zhang on April Course: CISC856 - TCP/IP and Upper Layer Protocols.
Network security Presentation AFZAAL AHMAD ABDUL RAZAQ AHMAD SHAKIR MUHAMMD ADNAN WEB SECURITY, THREADS & SSL.
Secure HTTP (HTTPS) Pat Morin COMP 2405.
The Secure Sockets Layer (SSL) Protocol
TOPIC: HTTPS (Security protocol)
Web Security CS-431.
CSCI 555 Adv Computer Security
Data Virtualization Tutorial… SSL with CIS Web Data Sources
Digital Signatures.
Cryptography CS 555 Topic 34: SSL/TLS.
Apache web server Quick overview.
SSL Certificates for Secure Websites
Cryptography and Network Security
Apache Security with SSL Using FreeBSD
Secure Sockets Layer (SSL)
UNIT.4 IP Security.
SSL Implementation Guide
COMP3220 Web Infrastructure COMP6218 Web Architecture
How to Check if a site's connection is secure ?
Originally by Yu Yang and Lilly Wang Modified by T. A. Yang
Using SSL – Secure Socket Layer
Cryptography and Network Security
CS 465 TLS Last Updated: Oct 31, 2017.
Secure Electronic Transaction (SET) University of Windsor
SSL (Secure Socket Layer)
The Secure Sockets Layer (SSL) Protocol
Public Key Infrastructure
Transport Layer Security (TLS)
Kai Bu 05 Secure Connection The topic to be covered this week is secure connection. Apparently, the.
Grid Security Infrastructure
Unit 8 Network Security.
Advanced Computer Networks
Cryptography and Network Security
Transport Layer Security
Presentation transcript:

A Programmer’s Guide to Secure Connections Liz Rice

A guide to TLS connections How do I set up secure connections? What do these error messages mean? What the hell are all these .crt, .key, .csr and .pem files? In distributed systems we might be using secure communications between components

Establishing identity is critical Hello, I’m Liz Hi! I’m your bank Great! Here’s $500 Establishing identity is critical

Encrypted traffic prevents interception Hello, I’m Liz Hi! I’m your bank Great! Here’s $500 Encrypted traffic prevents interception

TLS is a newer version of SSL TLS is a newer version of SSL. SSL is now deprecated so even though people still talk about SSL

HTTP(S) runs over TCP Create TCP connection “hi” blah blah blah “hi” TLS - encrypt TCP connection Skip if regular HTTP Create TCP connection Send HTTP packets on connection

“Connection refused” = wrong port TCP connection 59.97.3.25:60401 27.193.43.2:8080 “Connection refused” = wrong port (nearly always)

VerifyPeerCertificate SYN Establishing TCP ACK HELLO <server name> HELLO GetCertificate (or Certificate) <Server certificate> Verify certificate, then call VerifyPeerCertificate HELLO DONE GetClientCertificate (or Certificate) <Client certificate> Verify certificate, then call VerifyPeerCertificate TLS Handshake Generate Pre-Master Secret <Pre-Master Secret> (encrypted with server key) Generate session key from Pre-Master Secret Generate session key from Pre-Master Secret Change cipher <session key> FINISHED FINISHED blah blah blah Symmetric encryption with session key Symmetric encryption with session key

Keys & certificates

Public / private key encryption Public key can be freely distributed and is used to encrypt Private key must be kept private and is used to decrypt <encrypted> “hello” “hello” If I send you my public key, I can send you encrypted messages and you will be able to read them So will anyone else who has my public key

Public / private key signatures Private key must be kept private and is used to sign message Public key is used to verify signature “hello” “hello” + + “hello” signature + signature = signature If I send you my public key, I can send you encrypted messages and you will be able to read them So will anyone else who has my public key

Need a trusted authority in common “Certificate Authority” Sharing a public key Hi, I’m Liz. Here’s my public key. Why should I believe you? Need a trusted authority in common “Certificate Authority”

X.509 certificate This is to certify that liz-server has public key abcdef CA Subject name Subject’s public key Issuer (CA) name Validity Certificate signed by issuer (CA)

Subject Name Your certs should use Subject alternative names (SAN) Common Name deprecated in 2000 Chrome browser stopped supporting CN in April 2017 SAN supports multiple DNS names in one certificate

Creating keys & certificates

Trusted Certificate Authorities Like Let’s Encrypt Known in system certificate pools Create a Certificate Signing Request openssl req -key private-key -new -out csr For public-facing domains Not for internal components in a distributed system

CLI tools openssl cfssl mkcert minica See contents of certificate: openssl x509 -text Doesn’t easily support SANs (Subject Alternative Names) cfssl Comprehensive toolkit mkcert Local development Installs CA into your system & browsers minica Easy generation of key & certs

DER is an ASN-1 encoding format (TLV)

Mutually-authenticated TLS (mTLS)

Takeaways

To establish your identity You will need: A private key A certificate for your identity The other end needs to trust the Certificate Authority that signed your certificate. This may require appending the CA’s certificate.

File extensions Inconsistently used Information type : .crt for certificate, .key for private key... Or file format: .pem PEM files are base64-encoded and tell you what they contain openssl can tell you about the contents

Common error messages Connection refused Check you’re connecting to the right port Certificate signed by unknown authority Received a certificate, but it’s not trusted Examine CA in certificate to see if it should be known to receiver Remote error It’s the other end that’s complaining

github.com/lizrice/secure-connections

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.