UnderstandingSSL/TLS

orWhatisanSSLCertificate and WhatDoesItDoforMe?

J.K.Harris ElectricalandComputerEngineering VirginiaTech Oct2008

ece

1/39

UnderstandingSSL/TLS
WhatisIt? HowDoesItWork? WhyisItImportant?(Whatdoesitdo?) But,MostImportantly

ece

>Thingstheaverageusershouldknow!

2/39

WhatisIt?
SomethingaboutencryptionofWebpages
https://... Thelockiconatthebottomofyourbrowser

ece

>CanSafelyTypeinYourCreditCardNumber!
(...areyousureitssafe?)

Inshort,veryfewpeopleknowwhatSSL/TLSis!
3/39

HowDoesItWork?

ece

BasedontheRSAalgorithm Isapublickeycryptographysystem Ittakesalittlemathtounderstandthis (I'llkeepthemathtoverylittle!)

4/39

HowDoesItWork?
Alittlemath:
Forproperlychosen(e,d,n)

ece
e

c=m mod n m=c mod n

d

>Functionsareinversesof eachother! Reference: http://en.wikipedia.org/wiki/Rsa I.e.,wikipediaRSA

5/39

HowDoesItWork?
(Somehandwaving:eisnotcritical,almost allRSAusee=65537)

ece
e

Think:
m=message c=cypher(encryptedmessage)

c=m mod n m=c mod n

d

Wecall:
n>thePublickey d>thePrivatekey
6/39

HowDoesItWork?
Forproperlychosen(e,d,n)

ece
e

c=m mod n m=c mod n

d

Wecall:
n>thePublickey d>thePrivatekey

>Givenncannot(easily)findd!

7/39

Encryption
Standardusage: Alice>Bob

ece
c=m mod n
e

Bobproperlychooses(e,d,n) Bobsendspublickey(n)toAlice(How?) Aliceencryptshermessage(m) Alicesendscypher(c)toBob Bobuseshisprivatekey(d)todecrypt

m=c mod n
d

8/39

Encryption
Standardusage:

ece
c=m mod n
e

VeryImportantandSubtlePoint:

Bobsendspublickey(n)toAlice(How?)

m=c mod n
d

9/39

DigitalSignatures
SigningDigitalDocuments: DigitalSignatures Bob>Alice

ece
e

c=m mod n m=c mod n

d

Bobproperlychooses(e,d,n) Bobsendspublickey(n)toAlice(How?) Bobencryptshisdocument(c)usinghis privatekey(d)givingcypher(m) Bobsends(m)toAlice AliceusesBob'spublickey(n)todecrypt

10/39

DigitalSignatures
SigningDigitalDocuments:

ece
e

c=m mod n
VeryImportantandSubtlePoint:

Bobsendspublickey(n)toAlice(How?)

m=c mod n
d

11/39

DigitalSignatures
SigningDigitalDocuments:

ece
e

Workequationsinreverse AliceknowsthatBobsentthemessage becausehispublickeydecrypteda messagethatcouldonlybecreatedusing Bob'sprivatekey. (ThisassumesthatAlicesomehowhasBob's publickey.)

c=m mod n m=c mod n

d

12/39

HowDoesItWork?
Pointstoremember:

ece
e

Equationsintheforwarddirection> encryption Equationsinthereversedirection> messagesigning(digitalsignature)

c=m mod n m=c mod n

d

13/39

HowDoesItWork?
VeryImportantandSubtlePoint:

ece
e

Bobsendspublickey(n)toAlice(How?)

c=m mod n m=c mod n

d

Why?ManintheMiddleAttack

14/39

ManintheMiddleAttack
AliceBob Charlie

ece

Charliehasfullcontrolofthewire CharliesendsAliceCharlie'sPublickeyinplaceof Bob'sPublickey CharliedecryptsAlice'smessageusinghisown Privatekey CharlieusesBob'sPublictosendhimanymessage hewants

c=m mod n
e

m=c mod n
d

15/39

ManintheMiddleAttack
AliceBob Charlie BecauseAlicedoesnothaveBob'spublickey

ece

c=m mod n
e

Alicehasnowayofknowingthatsheis notcommunicatingwithBob Bobhasnowayofknowingthatthe messagedidnotcomefromAlice Charliecandoanythinghewants

m=c mod n
d

16/39

ManintheMiddle
AliceBob Charlie

ece
e

c=m mod n m=c mod n

d

HowtogetBob'spublickeysafelyto Alice?

17/39

ManintheMiddle
AliceBob Charlie

ece
e

c=m mod n m=c mod n

d

HowtogetBob'spublickeysafelyto Alice? >TrustedThirdParty(+lotsofconfusion)

18/39

TrustedThirdParty
IntroducingTrustedThirdParty,Vera:

ece

Verahasherownpublicandprivatekey Verahasherpublickeywidelydistributedina fashionthateveryonebelieves(How?)

Generally,everyone'swebbrowserhasthembuilt in(InternetExplorer,FireFox,Safari)

(ThinkVera>Verisign)
19/39

TrustedThirdParty

ece

BobsendshispublickeytoVera

CertificateSigningRequest(.csr)

VeraverifiesthatBob iswhohesaysheis(How?)

Thisiswhatyouarepayingfor!

VeradigitallysignsandreturnsthistoBob

SSL/TLSCertificate(.crt)

20/39

TrustedThirdParty
Vera publickey(n) (somehow widelypublished) Generates publickey privatekey (e,d,n) Generates publickey privatekey (e,d,n) Bob publickey(n) certificate signingrequest .csr Vera

ece

verifiesBob'sidentity (callsonthephone?)

builtintothe webbrowser akarootcertificates

Alice

digitallysigns SSL/TLScertificate .crt

Bob

21/39

TrustedThirdParty
NowthecommunicationsbetweenAliceandBob:

ece

AliceasksBobforhisSSL/TLScertificate Alicecheckstoseeifshecanverifythedigitalsignatureusing Vera'spublickey Ifthedigitalsignatureverifies,andAlicetrustsVera,thenAlice believesthattheSSL/TLScertificatecamefromBobNoone elsecouldhavegeneratedVera'sdigitalsignature InsideofthisSSL/TLScertificateisBob'spublickey! AlicenowhasBob'spublickeyandcanproceedasbefore

22/39

TrustedThirdParty
(m) Alice Alice (m) hello SSL/TLS certificate .crt Bob

ece
Bob

checkdigitalsignature usingVera'sbuiltin publickey useBob'spublickey foundincertificate

c=m mod n
e

RSA encryptedmessage (c)

m=c mod n
d
(m)
23/39

That'sHowSSL/TLSWorks
That'sit!That'showSSL/TLSworks!

ece

...Simple,right?

Dependsupon:

TrustingVera:

VeraactuallyverifiesthatBobiswhohesaysheis DistributionofVera'spublickeys(rootcertificates)
24/39

That'sHowSSL/TLSWorks
But,thinkaboutthisalittle:

ece

Insomesense,wehavetradedtheproblemofgettingBob's publickeytoAlice,fortheproblemofgettingVera'spublickey toAlice.

25/39

That'sHowSSL/TLSWorks
But,thinkaboutthisalittle:

ece

Insomesense,wehavetradedtheproblemofgettingBob's publickeytoAlice,fortheproblemofgettingVera'spublickey toAlice. But,thereisonlyoneVera,andlotsofBobs!

So,westillhavetheproblem,butwehavemadetheproblem muchsmaller,andpossiblytractable.

26/39

WhatisIt?

ece

ConnectionisEncryptedbutthat'seasy Verificationoftheotherend

(viathetrustedthirdparty) ThisistherealreasonforSSL/TLS!!!

...Isitanythingelse?

NO!

27/39

LingeringIssues

ece

Trustendswherethecreditcardbegins Who'scertificateisthis? RevocationLists Rootcertificatepoisoning Yourowngovernment

28/39

TrustEndsWherethe CreditCardBegins

ece

AllSSL/TLStellsyouisthatyouhaveanencrypted connectiontowhomeverwasissuedthatcertificate Doyoureallytrustthepersonattheotherendofthe connection? Rulesgoverningverification(youarewhoyousayyouare) arebeingweakened

Duetohighvolumeofcertificatesissued Nohumanintheloop!!!
29/39

Who'sCertificateisThis?
A.K.A.DNS/URLspoofing

ece

AliceBob Charlie

c=m mod n
e

CharliehashisowncertificatesignedbyVera CharliehandshiscertificatetoAlice HowisAlicetoknowitsnotBob'scertificate?

m=c mod n
d

30/39

Who'sCertificateisThis?
e

ece

AliceBob Charlie

c=m mod n m=c mod n

d

CharliehashisowncertificatesignedbyVera CharliehandshiscertificatetoAlice HowisAlicetoknowitsnotBob'scertificate?

>CertificatehasBob'snameonit
31/39

Who'sCertificateisThis?
CertificatehasBob'snameonit?
WhatisBob'sname? Bob'snameishisDNSname

ece

>AlwayschecktheURL!

32/39

AlwaysChecktheURL?
IscheckingtheURLsufficient? Whataboutsimilarnames

ece

www.amazon.com>www.amazone.com www.capitalone.com>www.capitolone.com www.there.com>www.their.com www.amazon.com>www.amazon.om

33/39

AlwaysChecktheURL?
IscheckingtheURLsufficient? Whataboutsimilarnames

ece

www.amazon.com>www.amazone.com www.capitalone.com>www.capitolone.com www.there.com>www.their.com www.amazon.com>www.amazon.om

34/39

RevocationLists
RevocationListsandShortvalidtimes

ece

Certificatesusuallyvalidonlyfor12years Widelypublishedlistofcertificatesthathavebeenrevoked

Minimizetheamountoftimeabadguycanusehis certificate Quicklyrevokebadguy'scertificate

Largelyunused!

Idefyyoutofindthesewidelypublishedrevocationlist!!!

35/39

RootCertificatePoisoning
Thisisabigdeal!Mostpeoplejustignorethis.

ece

Microsoftpeopleclickingokmightinstallabadguy'sroot certificate Leaveyourdesk,someonecouldeasily,inacoupleofclicks, installhisownrootcertificate Productupdatechannelsgetpoisonedalongtheway

36/39

YourOwnGovernment
(Getoutyourtinfoilhats!)

ece

TheUSGovernment'sencryptionpolicy:Strongenoughsothat citizenscan'tlistentoothercitizens,butnotsostrongthatthe Governmentcan't YouthinktheGovernmentdoesnotalreadyhasVerisign's privatekey? DESGovernmentpushedencryption,nowknowntohave Governmentexploitableweaknesses RecentA.Q.Kahnallegationsimpliesthatittook~3yearsto breakencryptiononhislaptop

37/39

Recommendations fortheAverageUser

ece

Don'tjustclickoktoanycertificateerror popupunlessyoureallyknowwhatyour doing!!! ChecktheURLcarefully,isitwhoyouthinkit shouldbe? Yourleveloftrustattheotherendofthe connectionDon'tdealwithunknownwebsites

38/39

Recommendationsforthe SysAdminsandDevelopers

ece

Somewaytoshoreupthedistributionofroot certificates Somewaytoeasilyverifyifanyofyourusers havesuspiciousrootcertificates Somewaytoactuallyusethoserevocationlists Educationofyourusers! Other???

39/39

UnderstandingSSL/TLS
Endoffirsthalfoftalk Secondhalf,willbeatechnicalhowto
(Ifyou'reapointyhairedboss,nowwouldbeagoodtimetomakefortheexit.)

ece

40/39

OpenSSLHowTo
Therearetwothingswewouldliketocover

ece

StandardSSLuse,haverealsignersignyour certificatewhatmostpeoplewanttodo SelfsignedcertificatesBeyourown signingauthority

(ThiswillbeaLinuxpointofviewhowto)

41/39

OpenSSLHowTo
SSL/TLSisusuallyonesided

ece

Akeyconceptthatwasleftoutofthefirsthalf:
Anonymousclientwantstoconnecttoaverified server Typicalwebsituation

SSL/TLScanbemutual(twosided),justneeda certificateforbothends

Therehavebeensuggestionsthatallmailservers shoulduseandrequiremutualSSL/TLS

42/39

StandardSSLUse

ece

Haverealsignersignyourcertificatewhat mostpeoplewanttodo

Generateyourpublic/privatekeypair Createacertificatesigningrequest SendittoVerisign Receivecertificate Putfilesincorrectplace,anddoconfigfiles Debug

43/39

SSL/TLSSetup
Vera publickey(n) Bob publickey(n) certificate signingrequest .csr Vera

ece

verifiesBob'sidentity (callsonthephone?)

Generates publickey privatekey (e,d,n)

Alice
builtintothe webbrowser akarootcertificates

Generates publickey privatekey (e,d,n)

digitallysigns SSL/TLScertificate .crt WeDoThis Bob

VerisignDoesThis

44/39

OpenSSLHowTo

ece

Beforewegetstarted,somequestionsthatneed answers:

Aretheredifferenttypesofcertificates? Where(whatdirectory)doIdothis? ToPassphraseornottopassphrase?

45/39

OpenSSLHowTo
Aretheredifferenttypesofcertificates?
Notreally.

ece

Sometimeyouseeinstructionsforapachemod_ssl, apachestronghold,etc.Thesedifferencesarefor config/setupdifferences. IusethesamecertificateforSMTP,LDAP,web. Caveat:Windowsusers,Idon'treallyknow.

46/39

OpenSSLHowTo
Where(whatdirectory)doIdothis?

ece

Youoftenfindinstructionsthatsogotosuchnsuch directorytogenerateyourkeys. Itdoesnotmatter.Ijustmakeadirectorysomeplace andusethat.Lateron,youmoveallthefilesto theirproperplace.

47/39

OpenSSLHowTo
ToPassphraseornottopassphrase?

ece

Theshortanswerisno.Why?Becauseeverytime yourebootyourwebserveryouhavetotypeinthe passphrase. Furthermore,youcanremovethepassphrase anytimeyouwant. Justhandleyourkeysandcertificateswisely.

48/39

GeneratePublic&PrivateKeys
opensslgenrsaoutserver.key1024

ece

Createadirectorysomewhere,gothereandtype:

49/39

Public&PrivateKeys
Now,letslookinsidethisfile:
opensslrsainserver.keytextnoout

ece

50/39

ece
c=m mod n
e

m=c mod n
d

51/39

CreateaCertificateSigningRequest
opensslreqnewkeyserver.keyoutserver.csr Asksforyour name!! ThisMUSTbe correct.

ece

52/39

CertificateSigningRequest
Toseewhatisinsidethe.csr:
opensslreqinserver.csrtextnoout

ece

53/39

CertificateSigningRequest
Hasonlypublickey andname

ece

c=m mod n
e

m=c mod n
d
54/39

CertificateSigningRequest
The.csrisPEMencodedtextformat:

ece

Itistypicalthatyoucutnpastethistextintoa webpagetosubmityour.csrtothesigning authority.

55/39

SendYourCSR

ece

Yousendyourmoneyandyour.csrtoVerisign Verisignsomehowverifythatyouareyou VerisignwillsignandsendyouyourX.509 certificate!

56/39

ReceiveYourCertificate(X.509)
VerisignsendsyouyourX.509certificate! Andfortheobligatorylookinside:
opensslx509inserver.crtnoouttext

ece

57/39

ece

58/39

ConfiguringApache

ece

O.k.,soyougotyourshinynewcertificate,lets seeitgo.
Apachesetup: vi/etc/httpd/conf.d/ssl.conf

c=m mod n
e

m=c mod n
d
59/39

TestingApache
Restartyouwebserver,andtry
https://<machine.domain>

ece

Ifallgoeswell,youseethelittlelockappear withnocertificateerrorpopups.

60/39

Debugging

ece

Weallknowthatintherealworld,everythingworks perfectly,thefirsttime,everytime...Butshouldthat exceedinglyrareeventactuallyoccurwherethings aren'tworking...

Takealonglookattheconffile,makesurethe filesarewhereyousaytheyare Lookatthelogfiles(notesslhasseparatelog filesssl_access_log,ssl_error_log)

61/39

Debugging
Andlastly,try

ece

openssls_clientconnect<machine>:<port>debugstate

KeepinmindthattheportnumberchangesforSSL. Forwebservers,itisnotport80,butport443. Whatthisdoesisgivesyoualotofoutput,butmost importantly,abidirectionalconnectiontoyour webserverthroughSSL.

62/39

Debugging

ece

openssls_clientconnectfilebox.ece.vt.edu:443debugstate

So,youmustbeabletospeakHTTP.Typethe aboveandadmirethevoluminousoutput.Itwill waitforinput.Thereisnoprompt,justtype:

GET/HTTP1.0<enter> <enter>

Morevoluminousoutput,butyoushouldsee someHTMLlookingstuff.
63/39

StandardUse
opensslgenrsaoutserver.key1024 opensslreqnewinserver.keyoutserver.csr

ece

Thatsit!Itsthatsimple,onlytwocommands:

Note(s)toself:

Protectyourkeys,especiallytheprivatekey. Changefile/directorypermissions. Makeabackupofyourkeys!Ifyouloseyour certificate,theyarenotsupposetoissueyou anotherone(buttheydo).

64/39

SelfSignedCertificates
Selfsignedcertificates Beyourownsigningauthority

ece

WhatdoyoumeanSelfsignedcertificate? Whywouldyouwanttodothis? Whathappenswhenyouuseyourselfsigned certificate? Andofcourse,howdoyoudothis?

65/39

WhatDoYouMeanby SelfSignedCertificate?

ece

ThetermSelfsignedcertificateisincorrect, theproperphraseisBeingyourownCertificate Authority,orCA Youhavetherootkey Andyoucansignothercertificates

66/39

WhyWouldYouWanttodoThis?

ece

Costfree.Anylinuxboxthathasopenssl installed(all)haseverythingyouneed Providesencryption,butnoverification Closedsystems.Sometimesyouwanttokeep othersout.Ex.LDAP/wrequiressl KeepBigBrotherfromsnooping!

67/39

SelfSignedCertificates

ece

Whathappenswhenyouuseyourselfsigned certificate?

Someapplicationswon'tproceed,e.g.,LDAP requressl Well,yougetthecertificateerrorpopup Youcaninstallthepublickey Oryoucaninstalltherootcertificate

68/39

SelfSignedCertificates

ece

Thereisalotofconfusiononthenetaboutthis.Ifyou googleselfsignedcertificatewillgetlotsofhits.They'll giveyousomecommandstotype,butalmostallofthe instructionslackexplanation(thatIcanunderstand).

...Butallthesewebpagesgivedifferent instructions!

69/39

SelfSignedCertificates
Beforewegetstarted,oneimportantpoint:

ece

Privatekeysdonothavethenameinthem Publickeys(AKAX.509)Certificateshavethe name

WhenyoucreateanX.509certificate,youwillbe askedforthename.Thenameisactually morethanjusttheDNS,itisalsoyour location,affiliationandperhapsa responsibleparty.(Other?) 70/39

SelfSignedCertificates
O.k.,enoughadieu,letsgetstarted. Weneed:

ece

Twosetsofkeys:

TheCA'skeys(CertificateAuthority) Thecertificateyouaregoingtosign

71/39

SSL/TLSSetup
CA publickey(n) Server publickey(n) certificate signingrequest .csr CA

ece

Identity Verification?

Generates publickey privatekey (e,d,n)

CA
Distributed Somehow

Generates publickey privatekey (e,d,n)

digitallysigns SSL/TLScertificate .crt

Server

72/39

SelfSignedCertificates
Step1:CreatetheCA'skeypair
opensslgenrsaoutCA.key1024

ece

73/39

SelfSignedCertificates
Step2:TheCAneedsitsowncertificate
Why?

ece

>Thisisthewidelypublishedrootcertificate opensslreqnewx509days3650keyCA.keyout CA.crt >Askforname

ThisnameistheCA'sname!!!NotavalidDNS name.
74/39

SelfSignedCertificates
Create CA'sroot Create rootcert (asksfor Name)

ece

75/39

SelfSignedCertificates

ece

Note:Forthepedanticmindedpeople,theroot certificateistheonlyselfsignedcertificate.

76/39

SelfSignedCertificates
Step3:Createtheprivatekeyfortheserver.

ece

(Theserverinthiscase,isyouwebserver.) Justlikeanyotherpublic/privatekeygeneration:
opensslgenrsaoutserver.key1024

77/39

SelfSignedCertificates

ece

Step4:CreateaCertificateSigningRequest
opensslreqnewkeyserver.keyoutserver.csr

Thiswillaskyouforthenameofthemachine. InthiscaseyoumustusetheDNSname!!!

78/39

SelfSignedCertificates
Step5:Signthecertificate.
opensslx509req days3650 CACA.crtCAkeyCA.key set_serial01 inserver.csr outserver.crt

ece

79/39

ece

80/39

SelfSignedCertificates

ece

Youcanlookatthecertificatesthesameas above. Youinstallthecertificatesthesameasabove. Andofcourse,debugasbefore.

81/39

SelfSignedCertificates

ece

O.k.,soyou'vecreatedyourownselfsigned certificate,nowwhat?

Alwaysgetthecertificateerrorpopupjust clickOK Acceptthecertificateforevernomorepopup. Installtherootcertificatenopopupsforany certificatesignedbythisCA.

82/39

CertificateErrorPopup

ece

Alwaysgetthecertificateerrorpopupjustclick OK

83/39

ExaminetheCertificate
Sureenough, weseeour certificate.

ece

84/39

AccepttheCertificate

ece

Youcanblessthiscertificateandgetridofthe popup.

85/39

AccepttheCertificate

ece

Let'stakealookatwhatacceptingthe certificatedid.Click:Edit,Preferences,tab Advanced,ViewCertificates.Nowclick:tab WebSites.

86/39

InstallRootCertificate

ece

Supposeyouhaveanumberofplacesthatyou mightuseacertificatethatissignedbyyour CA.Ratherthanacceptingthecertificatefora givenwebsite,youcouldinstalltheCA'sroot certificate. Thishastheaffectofsaying:Itrustall certificatessignedbythisCA.

87/39

InstallRootCertificate

ece

AquickwayofdoingthisistoputthefileCA.crt onawebpage.Then,fromyourbrowser,just clickonthefile,thebrowserwillknowwhat a.crtfileis.

88/39

ece

>

89/39

InstallRootCertificate

ece

Youmustsayforwhatyouwilltrustthisroot certificate: 1.Web 2.email 3.Javaapplet

90/39

InstallRootCertificate

ece

Let'stakealookatwhatinstallingtheroot certificatedid.Click:Edit,Preferences,tab Advanced,ViewCertificates.Nowclick:tab Authorities.

91/39

SelfSignedSummery

ece

GenerateCA(.keyand.crt):
opensslgenrsaoutCA.key1024 opensslreqnewx509days3650keyCA.keyoutCA.crt

Generateserver(.keyand.csr):
opensslgenrsaoutserver.key1024 opensslreqnewkeyserver.keyoutserver.csr

Signthecertificate(.crt):
opensslx509reqdays3650set_serial01 CACA.crtCAkeyCA.key inserver.csroutserver.crt
92/39

UnderstandingSSL/TLS
Wrappingup,lastcomments

ece

WetalkedaboutSSL,whataboutTLS? SomethingaboutDSA ProtocolsthatsupportSSL/TLS Thingsnotcoveredinthistalk

93/39

WhatAboutTLS?

ece

TryingtoSSLexistingapplicationsrequireda secondTCPport.Eg.www:80(nonSSL)& 443(SSLport),SMTP:25&465,IMAP:143& 585.Portproliferation. TLSisbasicallySSL,butyoustarttheconnection unencrypted,andask:CanyoudoTLS? ThenenterintotheSSLprotocol.

94/39

SomethingAboutDSA

ece

InadditiontotheRSAalgorithm,thereare severalotheralgorithms,buttothebestofthis authorsresearch,theonlyonewidely implementedisRSA. Inshort,somedaywemighthavesomething otherthanRSA,butforrightnow,justuseRSA.

95/39

ProtocolsThatSupportSSL/TLS

ece

www nntp imap pop SMTP ftps LDAP

CORBA Oracle MSGlobalCatalog

96/39

ThingsNotCoveredinThisTalk:

ece

BeingarealCAmorecomplicatedthanyou'd everexpect;revocationlist,serialnumbers,etc. Mutualtrust:certificateatbothendsofthe connection.Eg.LDAP,SMTP? ProgrammingusingSSL/TLS Understandingtherhymeandreasonbehind openssl'scommandline... HowtodothisusingWindows

97/39

UnderstandingSSL/TLS
References:

ece

www.openssl.org www.openldap.org www.couriermta.org http://www.madboa.com/geek/openssl/ (Recommended!)

98/39

UnderstandingSSL/TLS
TheEnd(Finally!)

ece

99/39