Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Programmer’s Guide to Secure Connections

Published byAngela Lawrence Modified over 5 years ago

Similar presentations

Presentation on theme: "A Programmer’s Guide to Secure Connections"— Presentation transcript:

1 A Programmer’s Guide to Secure Connections
Liz Rice

2

3

4 A guide to TLS connections
How do I set up secure connections? What do these error messages mean? What the hell are all these .crt, .key, .csr and .pem files? In distributed systems we might be using secure communications between components

5 Establishing identity is critical
Hello, I’m Liz Hi! I’m your bank Great! Here’s $500 Establishing identity is critical

6 Encrypted traffic prevents interception
Hello, I’m Liz Hi! I’m your bank Great! Here’s $500 Encrypted traffic prevents interception

7 TLS is a newer version of SSL
TLS is a newer version of SSL. SSL is now deprecated so even though people still talk about SSL

8 HTTP(S) runs over TCP Create TCP connection
“hi” blah blah blah “hi” TLS - encrypt TCP connection Skip if regular HTTP Create TCP connection Send HTTP packets on connection

9 “Connection refused” = wrong port
TCP connection :60401 :8080 “Connection refused” = wrong port (nearly always)

10 VerifyPeerCertificate
SYN Establishing TCP ACK HELLO <server name> HELLO GetCertificate (or Certificate) <Server certificate> Verify certificate, then call VerifyPeerCertificate HELLO DONE GetClientCertificate (or Certificate) <Client certificate> Verify certificate, then call VerifyPeerCertificate TLS Handshake Generate Pre-Master Secret <Pre-Master Secret> (encrypted with server key) Generate session key from Pre-Master Secret Generate session key from Pre-Master Secret Change cipher <session key> FINISHED FINISHED blah blah blah Symmetric encryption with session key Symmetric encryption with session key

11 Keys & certificates

12 Public / private key encryption
Public key can be freely distributed and is used to encrypt Private key must be kept private and is used to decrypt <encrypted> “hello” “hello” If I send you my public key, I can send you encrypted messages and you will be able to read them So will anyone else who has my public key

13 Public / private key signatures
Private key must be kept private and is used to sign message Public key is used to verify signature “hello” “hello” + + “hello” signature + signature = signature If I send you my public key, I can send you encrypted messages and you will be able to read them So will anyone else who has my public key

14 Need a trusted authority in common “Certificate Authority”
Sharing a public key Hi, I’m Liz. Here’s my public key. Why should I believe you? Need a trusted authority in common “Certificate Authority”

15 X.509 certificate This is to certify that liz-server has public key
abcdef CA Subject name Subject’s public key Issuer (CA) name Validity Certificate signed by issuer (CA)

16 Subject Name Your certs should use Subject alternative names (SAN)
Common Name deprecated in 2000 Chrome browser stopped supporting CN in April 2017 SAN supports multiple DNS names in one certificate

17 Creating keys & certificates

18 Trusted Certificate Authorities
Like Let’s Encrypt Known in system certificate pools Create a Certificate Signing Request openssl req -key private-key -new -out csr For public-facing domains Not for internal components in a distributed system

19 CLI tools openssl cfssl mkcert minica
See contents of certificate: openssl x509 -text Doesn’t easily support SANs (Subject Alternative Names) cfssl Comprehensive toolkit mkcert Local development Installs CA into your system & browsers minica Easy generation of key & certs

20 DER is an ASN-1 encoding format (TLV)

21 Mutually-authenticated TLS (mTLS)

22 Takeaways

23 To establish your identity
You will need: A private key A certificate for your identity The other end needs to trust the Certificate Authority that signed your certificate. This may require appending the CA’s certificate.

24 File extensions Inconsistently used
Information type : .crt for certificate, .key for private key... Or file format: .pem PEM files are base64-encoded and tell you what they contain openssl can tell you about the contents

25 Common error messages Connection refused
Check you’re connecting to the right port Certificate signed by unknown authority Received a certificate, but it’s not trusted Examine CA in certificate to see if it should be known to receiver Remote error It’s the other end that’s complaining

26 github.com/lizrice/secure-connections

Download ppt "A Programmer’s Guide to Secure Connections"

Similar presentations

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
SSL Implementation Guide Onno W. Purbo

SSL Implementation Guide Onno W. Purbo
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography and Network Security

Cryptography and Network Security
Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.

Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
Digital Signatures. Anononymity and the Internet.

Digital Signatures. Anononymity and the Internet.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
Chapter 8 Web Security.

Chapter 8 Web Security.
TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.

TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.
SSL Technology Overview and Troubleshooting Tips.

SSL Technology Overview and Troubleshooting Tips.
IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.

IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.
Secure Socket Layer (SSL)

Secure Socket Layer (SSL)
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Similar presentations

Ads by Google