Certificates, SSL and IPsec Ahmed Muaydh Sara Bin Saif Shi-Jey Chou Advisor:Dr. Leszek Lilien.


Abstract: Security is a very important topic in computer science and in networks. SSL and certificates are one way to secure sensitive data from attackers. In this report we show how an administrator or software developer can provide secure communication using SSL and certificates.

The overall picture of this process is that the administrator generates a certificate and has it signed by a Certificate Authority (CA). The CA verifies that the administrator legitimately owns the URL in the CN field, signs the certificate, and gives it back. The SSL protocol is then used by both the client and the server to encrypt the data.

Motivation for Certificates. Public key cryptography is an extremely powerful technology, but it depends on the distribution of the public key. The problem of getting keys to the people who need them can be solved by using digital certificates.

Public Key Certificates

A public key certificate provides a way to associate a public key with the name of its owner. A public key certificate is a data structure that contains:
● the owner's name and address
● a public key
● validity dates
● the location of revocation information
● the location of the issuer's policies
● other fields (optional)

A public key certificate is issued by a trusted organization known as a certificate authority (CA), and provides identification for the entity. One must provide proof of identity in order to obtain a certificate from a CA.

A CA is a public certificate authority that is widely trusted. Information including the public keys of several root CAs is typically stored in the client's Internet browser. Well-known CAs: VeriSign, Entrust, and GTE CyberTrust.

Certificate Process

Steps to generate a certificate for authentication on a web server:
1. The web server generates a key pair and creates a certificate request.
2. The request is submitted to the certificate authority server.
3. The owner of the certificate server checks that the request belongs to the requesting party.
4. The certificate is acquired by the web server.
5. The certificate is used in the configuration of the web server.
6. A client can now access the site securely.

Demo: How we create a certificate in Windows

Steps in securing communication using a certificate:
1. Create a certificate request.
2. Submit the certificate request.
3. Issue the certificate.
4. Download the certificate.
5. Configure the web site to use the SSL certificate.
6. Configure the web site to use SSL.

Packets captured with Ethereal

SSL is considered a layer on top of TCP/IP that provides a secure enhancement to the standard TCP/IP sockets protocol used for Internet communications.

The SSL Process

SSL Handshake. The SSL process begins with an exchange of information between the two communicating parties, called the SSL handshake. The handshake:
1. Negotiates the cipher suite
2. Authenticates identity (optional)
3. Establishes information security by agreeing on encryption mechanisms

Negotiating the Cipher Suite. The client and the server begin by negotiating which cipher suite they will use. Cipher suite: a set of cryptographic algorithms and key sizes that a computer can use to encrypt data. See figure 1.1 (next page).

Java provides a secure socket framework that enables secure Internet communications. The JSSE (Java Secure Socket Extension) API is capable of supporting SSL versions 2.0 and 3.0 and Transport Layer Security (TLS) 1.0.

SSL and Certificate Programming Using Java

How to program SSL in Java. SSL uses certificates for authentication, so we need to create certificates for our clients and servers. JSSE can use certificates created by the Java keytool.

The Java keytool key and certificate management tool can:
● create public and private key pairs
● issue certificate requests
● import certificate replies
● designate public keys belonging to other parties as trusted
● manage the keystore

A keystore is a special file that holds keys and certificates and encrypts them all with a password. When a server sets up an SSL session, it retrieves its certificates and keys from its keystore. When a client wants to verify the identity of a server, it retrieves trusted certification authority (CA) certificates from its truststore.
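The certificate fields listed under Public Key Certificates, and the keystore/truststore lookup described here, can be exercised with the following program. It is an added example, not code from the original presentation. It reads the entry that the page's keytool command creates (keystore servercerts, alias Ahmed, password keypass) and then validates that certificate against a truststore the way a JSSE client does before trusting a server. The truststore name mytruststore and password mytruststorepw are the ones the page uses for its client command; the assumption that this truststore holds the issuing CA certificate (or the self-signed server certificate itself) as a trusted-certificate entry is mine.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Inspects the server certificate stored by
 *   keytool -genkey -keystore servercerts -keyalg rsa -alias Ahmed -storepass keypass
 * and checks whether it chains to a trust anchor in a truststore.
 *
 * Assumed (not from the presentation): "mytruststore" / "mytruststorepw" contain
 * the certificate that signed "Ahmed" as a trusted-certificate entry.
 */
public class CertInspector {

    public static void main(String[] args) throws Exception {
        String keyStoreFile = args.length > 0 ? args[0] : "servercerts";
        String trustStoreFile = args.length > 1 ? args[1] : "mytruststore";

        X509Certificate cert = loadCertificate(keyStoreFile, "keypass", "Ahmed");
        describe(cert);
        boolean trusted = isTrusted(cert, trustStoreFile, "mytruststorepw");
        System.out.println("Chains to a trust anchor in " + trustStoreFile + ": " + trusted);
    }

    /** Loads the certificate stored under the given alias. */
    static X509Certificate loadCertificate(String file, String password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, password.toCharArray());
        }
        return (X509Certificate) ks.getCertificate(alias);
    }

    /** Prints the fields a public key certificate carries. */
    static void describe(X509Certificate cert) {
        System.out.println("Owner (subject): " + cert.getSubjectX500Principal());
        System.out.println("Issuer:          " + cert.getIssuerX500Principal());
        System.out.println("Public key:      " + cert.getPublicKey().getAlgorithm());
        System.out.println("Valid from:      " + cert.getNotBefore());
        System.out.println("Valid until:     " + cert.getNotAfter());
        // 2.5.29.31 = CRL Distribution Points (location of revocation information).
        // A plain keytool self-signed certificate has none, so null is expected there.
        byte[] crl = cert.getExtensionValue("2.5.29.31");
        System.out.println("CRL location:    " + (crl == null ? "(none)" : crl.length + " DER bytes"));
        // 2.5.29.32 = Certificate Policies (location of the issuer's policies).
        byte[] pol = cert.getExtensionValue("2.5.29.32");
        System.out.println("Issuer policies: " + (pol == null ? "(none)" : pol.length + " DER bytes"));
        try {
            cert.checkValidity();  // throws if today is outside the validity dates
            System.out.println("Validity dates:  OK");
        } catch (CertificateException e) {
            System.out.println("Validity dates:  " + e);
        }
    }

    /**
     * PKIX path validation: true only if the certificate chains to one of the
     * trusted-certificate entries in the truststore and its dates check out.
     * Revocation checking is off because the demo certificate publishes no CRL.
     */
    static boolean isTrusted(X509Certificate cert, String trustStoreFile, String password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStoreFile)) {
            ts.load(in, password.toCharArray());
        }
        PKIXParameters params = new PKIXParameters(ts);
        params.setRevocationEnabled(false);
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(cert));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.out.println("Validation failed: " + e.getMessage());
            return false;
        }
    }
}
```

Run it as `java CertInspector servercerts mytruststore`. If the truststore contains no trusted-certificate entries at all, PKIXParameters refuses to construct, which is the same condition under which a JSSE client would reject every server.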

In order to program SSL sockets in Java, it is important to know the main packages that are part of the JSSE API:
● the javax.net package, which provides the SocketFactory and ServerSocketFactory classes used to replace normal TCP sockets with SSL sockets
● the javax.net.ssl package, which provides classes and interfaces for establishing and managing an SSL session

Generating a Server Certificate. Keytool can be used to create a server certificate. We used the following command to create an RSA certificate, referenced by the alias Ahmed and stored in a newly created keystore named servercerts:

keytool -genkey -keystore servercerts -keyalg rsa -alias Ahmed -storepass keypass

Creating an SSL Client Socket. An example of how to create a client socket and specify a truststore that contains the certificates needed to validate the certificate received from the server. To do so, run the example below with the following command:

java -Djavax.net.ssl.trustStore=mytruststore -Djavax.net.ssl.trustStorePassword=mytruststorepw MyClient

/**
 * SSL Client
 *
 * This program uses SSL socket
 * and certificate
 *
 * Copyright: Copyright (c) 2005
 *
 * School: Western Michigan University
 * Ahmed Muaydh 1.0
 */
import javax.net.*;
import java.net.*;
import javax.net.ssl.*;
import java.io.*;

class MyClient {
    public static void main(String str[]) {
        try {
            int port = 443;
            String hostname = "localhost";
            InetAddress ina = InetAddress.getLocalHost();
            // Create secure SSL socket
            SocketFactory socketFactory = SSLSocketFactory.getDefault();
            Socket socket = socketFactory.createSocket(ina, port);
            System.out.println(InetAddress.getLocalHost());
            // Create streams to securely send and receive data to the server
            InputStream in = socket.getInputStream();
            OutputStream out = socket.getOutputStream();
            // Read from in and write to out...
            DataInputStream dataIn = new DataInputStream(in);
            System.out.println(dataIn.readUTF());
            // BufferedOutputStream buffOut = new BufferedOutputStream(out);
            DataOutputStream data = new DataOutputStream(out);
            data.writeUTF("Hello There from the client");
            data.flush();
            // Close the streams and the socket
            in.close();
            out.close();
            socket.close();
        } catch (IOException e) {
            System.out.println(e);
        }
    }
}

Creating an SSL Server Socket. Now assume that a keystore has been created. To specify the keystore of certificates for an SSL server socket, we can use the javax.net.ssl.keyStore system property. To do so, run the example below with the following command:

java -Djavax.net.ssl.keyStore=Ahmed -Djavax.net.ssl.keyStorePassword= MyServer

/**
 * SSL Server
 *
 * This program uses SSL socket
 * and certificate
 *
 * Copyright: Copyright (c) 2005
 *
 * School: Western Michigan University
 * Ahmed Muaydh 1.0
 */
import javax.net.*;
import java.net.*;
import javax.net.ssl.*;
import java.io.*;

class MyServer {
    public static void main(String str[]) {
        try {
            int port = 443;
            ServerSocketFactory ssocketFactory = SSLServerSocketFactory.getDefault();
            ServerSocket ssocket = ssocketFactory.createServerSocket(port);
            // Listen for connections
            Socket socket = ssocket.accept();
            System.out.println("Client got connected");
            // Create streams to securely send and receive data to the client
            InputStream in = socket.getInputStream();
            OutputStream out = socket.getOutputStream();
            // Read from in and write to out...
            // BufferedOutputStream buffOut = new BufferedOutputStream(out);
            DataOutputStream data = new DataOutputStream(out);
            data.writeUTF("Hello There from the Server");
            data.flush();
            // BufferedInputStream buffIn = new BufferedInputStream(in);
            DataInputStream dataIn = new DataInputStream(in);
            System.out.println(dataIn.readUTF());
            // Close the streams and the sockets
            in.close();
            out.close();
            socket.close();
            ssocket.close();
        } catch (IOException e) {
            System.out.println(e);
        }
    }
}
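The three handshake steps described under The SSL Process (negotiate the cipher suite, authenticate, agree on encryption) and the server socket shown above can be observed from both ends with the following loopback program. It is an added example, not code from the original presentation: server and client run in one JVM, the server restricts the protocols and cipher suites it will negotiate and makes authentication mutual, and both sides print what the handshake settled on. It assumes the keystore created by the page's keytool command (file servercerts, password keypass, one self-signed entry), so that the same file can serve as truststore for both peers and as the client's own identity; the class and method names are mine.

```java
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Loopback SSL/TLS handshake: the server negotiates only TLS 1.2/1.3 with
 * authenticated AES suites and requires a client certificate; both peers then
 * report the negotiated protocol, cipher suite and the identity they verified.
 *
 * Assumed (not from the presentation): keystore "servercerts", password
 * "keypass", containing a single self-signed entry, used by both sides.
 */
public class HandshakeDemo {

    static final String KEYSTORE = "servercerts";
    static final char[] PASSWORD = "keypass".toCharArray();

    /** Identity (key manager) and trust (trust manager) both come from the keystore. */
    static SSLContext context() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Of the protocols the provider supports, allow only TLS 1.2 and 1.3. */
    static String[] tlsOnly(String[] supported) {
        return Arrays.stream(supported)
                .filter(p -> p.equals("TLSv1.2") || p.equals("TLSv1.3"))
                .toArray(String[]::new);
    }

    /** Keep AES suites that authenticate the peer; drops NULL and anonymous suites. */
    static String[] strongSuites(String[] supported) {
        return Arrays.stream(supported)
                .filter(s -> s.contains("_AES_"))
                .filter(s -> !s.contains("_anon_") && !s.contains("_NULL_"))
                .toArray(String[]::new);
    }

    /** Server side: accept one connection, finish the handshake, exchange one message each way. */
    static void serve(SSLServerSocket server) {
        try (SSLSocket s = (SSLSocket) server.accept()) {
            SSLSession session = s.getSession();  // blocks until the handshake completes
            System.out.println("[server] protocol     = " + session.getProtocol());
            System.out.println("[server] cipher suite = " + session.getCipherSuite());
            System.out.println("[server] client is    = " + session.getPeerPrincipal());
            new DataOutputStream(s.getOutputStream()).writeUTF("Hello There from the Server");
            System.out.println("[server] got: " + new DataInputStream(s.getInputStream()).readUTF());
        } catch (IOException e) {
            System.out.println("[server] " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = context();
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0);
        // Step 1 (cipher suite negotiation) can only pick from what is enabled here.
        server.setEnabledProtocols(tlsOnly(server.getSupportedProtocols()));
        server.setEnabledCipherSuites(strongSuites(server.getSupportedCipherSuites()));
        // Step 2: make authentication mutual instead of optional.
        server.setNeedClientAuth(true);
        Thread t = new Thread(() -> serve(server));
        t.start();

        try (SSLSocket client = (SSLSocket) ctx.getSocketFactory()
                .createSocket("localhost", server.getLocalPort())) {
            client.startHandshake();  // steps 1 to 3 happen here
            SSLSession session = client.getSession();
            System.out.println("[client] cipher suite = " + session.getCipherSuite());
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("[client] server is    = " + leaf.getSubjectX500Principal());
            System.out.println("[client] got: " + new DataInputStream(client.getInputStream()).readUTF());
            new DataOutputStream(client.getOutputStream()).writeUTF("Hello There from the client");
        }
        t.join();
        server.close();
    }
}
```

Compared with MyServer above, the identity and trust settings are passed through an SSLContext instead of the javax.net.ssl.* system properties, which is what lets one process act as both peers; removing setNeedClientAuth(true) turns step 2 back into the one-sided, optional authentication the slides describe.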

IPsec. IPsec is a protocol which sits on top of the Internet Protocol (IP) layer. It allows two or more hosts to communicate in a secure way.

● IPsec in Windows consists of three main components:
● Policy Agent ("IPSec Policy Agent" in Windows 2000): acquires and distributes the IPsec policies that the administrator has defined
● Internet Key Exchange (IKE) module: its function is to negotiate Security Associations (SA)
● IPsec driver: responsible for exercising the filters and maintaining the stateful status of connections
● To secure the link we will be using IPsec in a VPN

To enable audit policy