Source: csis.pace.edu/~lchen/pcap15/websecurity.pdf
OpenSSL and Data Security on the Web
Li-Chiou Chen
Seidenberg School of Computer Science and Information Systems, Pace University
March 27th, 2015
Agenda
Web transactions
What is HTTPS
What is a digital certificate
What is SSL?
What is OpenSSL?
OpenSSL vulnerabilities
Cybersecurity awareness resources
© Li-Chiou Chen, Pace University 2
What are things you do on the web?
How are my web transactions secured?
How are the web transactions secured?
What is HTTPS
A protocol for secure communications using HTTP.
HTTP + TLS (Transport Layer Security)
How is this done? We need to talk about digital certificates first.
Activity I: Explore SSL Server Certificate
Go to https://www.facebook.com
Click on the lock on the left of the URL
A little dialog box that says “you are connected to facebook” will show up.
Click on More Information on the dialog box. You can then see more information about Facebook’s certificate.
Click on View Certificate
Discuss the information on the certificate: what do the fields mean?
What is a Digital Certificate
Digital proof of who you are, verified by a trusted third party
Contains the information needed to achieve encryption and authentication:
Version
Serial number
Signature algorithm identifier: hash algorithm
Issuer’s name; uniquely identifies the issuer
Interval of validity
Subject’s name; uniquely identifies the subject
Subject’s public key
Signature: enciphered hash
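As an added example that is not part of the slides (and not OpenSSL’s own parser), the following Python walks the DER encoding of an X.509 certificate and pulls out the fields listed above. The certificate is constructed inline with made-up names and placeholder key and signature bytes, so it runs offline; the small DER walker is written here for illustration only.

```python
def tlv(tag, body):
    """Encode one DER element; long-form length once the body exceeds 127 bytes."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def children(body):
    """Decode every element inside a constructed DER body into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes that follow
            size = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + size], "big"), pos + size
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b": "sha256WithRSAEncryption"}

def name(body):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, string }  ->  'O=..., CN=...'."""
    parts = []
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            parts.append(f"{OIDS.get(oid, oid.hex())}={value.decode()}")
    return ", ".join(parts)

def parse_certificate(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    (_, tbs), (_, _sig_alg), (_, sig) = children(children(der)[0][1])
    version, serial, alg, issuer, validity, subject, spki = children(tbs)[:7]
    return {"version": int.from_bytes(children(version[1])[0][1], "big") + 1,  # v3 is encoded as 2
            "serial": int.from_bytes(serial[1], "big"),
            "signature_algorithm": OIDS.get(children(alg[1])[0][1], "unknown"),
            "issuer": name(issuer[1]), "subject": name(subject[1]),
            "valid_from": children(validity[1])[0][1].decode(), "valid_to": children(validity[1])[1][1].decode(),
            "public_key_bytes": len(children(spki[1])[1][1]) - 1,  # BIT STRING: first byte = unused-bit count
            "signature_bytes": len(sig) - 1}

def attr(oid, value):  # one RDN of the constructed sample: SET { SEQUENCE { OID, UTF8String } }
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, value)))

# Constructed sample certificate (made-up names, placeholder key and signature bytes).
ALG = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")  # sha256WithRSAEncryption
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01\x23") + ALG  # [0] version, serial, sigalg
          + tlv(0x30, attr(b"\x55\x04\x0a", b"Example CA Inc") + attr(b"\x55\x04\x03", b"Example Root CA"))
          + tlv(0x30, tlv(0x17, b"150327000000Z") + tlv(0x17, b"160327000000Z"))  # UTCTime validity
          + tlv(0x30, attr(b"\x55\x04\x03", b"www.example.com"))
          + tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + b"\x05\x00") + tlv(0x03, b"\x00" + b"\x42" * 64)))
SAMPLE_CERT = tlv(0x30, TBS + ALG + tlv(0x03, b"\x00" + b"\x00" * 32))  # placeholder signature
```

Calling `parse_certificate(SAMPLE_CERT)` returns a dictionary with the version, serial, signature algorithm, issuer, validity interval, subject, key size and signature size, in the same order as the slide lists them.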
Certificate Authority
(Diagram: CA, client, server)
1. The client installs a root certificate (CR) from the CA.
2. The CA issues a certificate (CS) for Facebook (the server).
3. Facebook sends CS to the client.
4. The client authenticates CS using CR.
Who are the CAs? How do we know which CA to trust?
Activity II: Look for Root Certificates
Open Firefox
Click on Options under the Firefox tab on the top
Click on the Certificate tab
Click on the View Certificate button
Click on the Authorities tab
You can then find a list of CA root certificates installed on your browser. Name some of them.
Have you heard about these companies?
What is Secure Socket Layer (SSL) or Transport Layer Security (TLS)
A secure communication protocol for
Encryption of web content
Authentication of web server
Authentication of web client is optional and is typically implemented using user login.
Secure Socket Layer: Handshaking
(Diagram: CA = DigiCert, Alice, Facebook)
1: Install DigiCert’s public key (root certificate) in Alice’s browser
2: DigiCert signs Facebook’s certificate (its public key is in the root certificate)
3: Facebook sends its certificate to Alice
4: Alice verifies Facebook’s certificate using DigiCert’s certificate
Secure Socket Layer: Sending Data
(Diagram: Alice, Facebook)
1: Decide on an encryption algorithm
2: Alice encrypts the data (a session key) using Facebook’s public key (in the certificate)
3: Send the encrypted data (session key)
4: Facebook decrypts the encrypted data using its private key to obtain the session key
5: Alice and Facebook communicate securely by encrypting data using the session key
What is OpenSSL?
A set of open source libraries to implement the SSL protocol and other crypto algorithms
Generate public and private keys
Create digital certificates
Test communication between server and client
…
More information on https://www.openssl.org/
Activity III: Use OpenSSL to communicate with a server
Open the openssl-0.9.8k_WIN32 folder
Open the bin folder
Click on openssl.exe and an openssl command prompt should show up
We will try to communicate with a server securely using openssl.
Communicate with a server securely using openssl
Under the openssl command prompt, type: s_client -connect www.facebook.com:443
What is your result? Try to explain it.
Now type: GET / HTTP/1.1
What is your result? Try to explain it.
Now exit the openssl command line: type exit
So, what is wrong with openssl?
Many companies use openssl to implement their certificates and SSL communications
Used for web servers, email security, etc.
Recent vulnerabilities (fixed):
Heartbleed bug
CCS Injection
ClientHello sigalgs DoS
Resources: Watch Video
DoD DISA video on cybersecurity awareness
http://iase.disa.mil/eta
Questions / Comments