Certificates , SSL and IPsec

Ahmed MuaydhAhmed Muaydh

Sara Bin SaifSara Bin Saif

Shi-Jey ChouShi-Jey Chou

Advisor:Dr. Advisor:Dr. Leszek LilienLeszek Lilien

Abstract:Abstract:

Security is very important topic in Security is very important topic in computer science and in networks. computer science and in networks.

SSL and Certificate is one way to SSL and Certificate is one way to secure sensitive data from attackers.secure sensitive data from attackers.

In this report we will show how In this report we will show how administrator or software developer administrator or software developer can provide secure communication can provide secure communication using SSL and Certificate.using SSL and Certificate.

The overall picture of this process is The overall picture of this process is that the administrator should that the administrator should generate a certificate and has it generate a certificate and has it signed by a Certificate Authority. signed by a Certificate Authority.

The CA verifies that the administrator The CA verifies that the administrator legitimately owns the URL in the CN legitimately owns the URL in the CN field, signs the certificate, and gives field, signs the certificate, and gives it back. it back.

SSL protocol will be used by both the SSL protocol will be used by both the client and the server to encrypt the client and the server to encrypt the data. data.

Motivation for Cert.Motivation for Cert.

Public key is an extremely powerful Public key is an extremely powerful technology but it depends on the technology but it depends on the distribution of the public key. distribution of the public key.

The problem of getting keys to The problem of getting keys to people who need them can be solved people who need them can be solved by using digital certificate. by using digital certificate.

Public Key Certificates

A public key certificate provides a A public key certificate provides a way to associate a public key with way to associate a public key with the name of its owner. the name of its owner.

A public key certificate is a data A public key certificate is a data structure that contains:structure that contains: owner's name, e-mail address owner's name, e-mail address a public key a public key validity dates validity dates location of revocation information location of revocation information location of the issuer's policies location of the issuer's policies Others (optional)Others (optional)

A public key certificate is issued by a A public key certificate is issued by a trusted organization known as a trusted organization known as a certificate authority (CA), and certificate authority (CA), and provides identification for the entity. provides identification for the entity.

One must provide proof of identity in One must provide proof of identity in order to obtain a certificate from a order to obtain a certificate from a CA.CA.

CA is a public certificate authority CA is a public certificate authority that is widely trusted. that is widely trusted.

Information including the CA's public Information including the CA's public key for several root CAs is typically key for several root CAs is typically stored in the client's stored in the client's Internet Internet BrowserBrowser..

Well-known CAs:Well-known CAs:VeriSignVeriSign, , EntrustEntrust, and , and GTE CyberTrustGTE CyberTrust. .

Certificate Process

Certificate Authority Server

Client computer

Web Server

1. Create request for a certificate

2. Submit a request for a certificate 3. Issue the certificate

4. Configure web server to use certificate

Steps to generate a certificate for Steps to generate a certificate for authentication on a web server: authentication on a web server:

1.1. The web server has to generate a key The web server has to generate a key pair and create a request for pair and create a request for certificate.certificate.

2.2. The request submits to certificate The request submits to certificate authority server.authority server.

3.3. The owner of the certificate server will The owner of the certificate server will check if the request belongs to a party check if the request belongs to a party requesting.requesting.

1.1. The certificate is acquired by web The certificate is acquired by web server.server.

2.2. The certificate is used in the The certificate is used in the configuration of the web server.configuration of the web server.

3.3. A client can now access the site A client can now access the site securely.securely.

Demo: How we doing Certificate in Windows

Steps in securing communication Steps in securing communication using certificate:using certificate:

1.1. Create a certificate request.Create a certificate request.

1.1. submit the certificate request submit the certificate request

1. submit the certificate request (continued)

1. submit the certificate request (continued)

1.1. Issue the certificate. Issue the certificate.

1.1. Download the certificate. Download the certificate.

2.2. Configure the web site to use the SSL Configure the web site to use the SSL certificate. certificate.

3.3. Configure the web site to use SSL. Configure the web site to use SSL.

Packets captured with EtherealPackets captured with Ethereal

SSL is considered a layer on the top of SSL is considered a layer on the top of TCP/IP that provides a secure TCP/IP that provides a secure enhancement to the standard TCP/IP enhancement to the standard TCP/IP sockets protocol used for Internet sockets protocol used for Internet communications. communications.

SSL

IP

TCP

HTTP, FTP, ...

SSL Layer

The SSL Process

SSL HandshakeSSL Handshake

SSL process begins with an SSL process begins with an exchange of information between exchange of information between the two communicating parties the two communicating parties which is called SSL handshake. which is called SSL handshake.

handshake is done by: handshake is done by: 1.1. Negotiate the cipher suite Negotiate the cipher suite

2.2. Authenticate identity (optional) Authenticate identity (optional)

3.3. Establish information security by Establish information security by agreeing on encryption mechanisms agreeing on encryption mechanisms

NegotiatingNegotiating thethe CipherCipher Suite Suite The client and the server, begin The client and the server, begin

negotiating which negotiating which cipher suitecipher suite they they will use. will use.

Cipher suite:Cipher suite: a set of cryptographic a set of cryptographic algorithms and key sizes that a algorithms and key sizes that a computer can use to encrypt data. computer can use to encrypt data.

figure 1.1 (next page)figure 1.1 (next page)

{ ServerHello*Certificate*ServerKeyExchange*CertificateRequestServerHelloDone

*CertificateClientKeyExchange*CertificateVerify[ChangeCipherSpec]Finished

}

ClientHello

Handshake done

Client Server

SSL HandshakeThe messages marked with * are optional.

Java provides secure socket Java provides secure socket framework that enables secure framework that enables secure Internet communications. Internet communications.

The JSSE (Java Secure Socket The JSSE (Java Secure Socket Extension) API is capable of Extension) API is capable of supporting SSL versions 2.0 and 3.0 supporting SSL versions 2.0 and 3.0 and Transport Layer Security (TLS) and Transport Layer Security (TLS) 1.0. 1.0.

SSL and Certificate Programming Using Java

How to program SSL in java How to program SSL in java

SSL uses certificates for SSL uses certificates for authentication so we need to create authentication so we need to create certificates for our clients and certificates for our clients and servers. servers.

JSSE can use certificates created by JSSE can use certificates created by the java the java keytoolkeytool

Java keytool key and certificate Java keytool key and certificate management tool can:management tool can: create public and private key pairs create public and private key pairs issue certificate requests issue certificate requests import certificate replies import certificate replies designate public keys belonging to other designate public keys belonging to other

parties as trusted parties as trusted manage manage keystorekeystore

KeystoreKeystore is a special file that holds is a special file that holds keys and certificates and encrypts keys and certificates and encrypts them all with a password them all with a password

When a server sets up SSL session, it When a server sets up SSL session, it will retrieve its certificates and keys will retrieve its certificates and keys from its keystore. from its keystore.

when a client wants to verify the when a client wants to verify the identities of servers, it will retrieve identities of servers, it will retrieve trusted certification authority (CA) trusted certification authority (CA) certificates from its certificates from its truststorestruststores. .

In order to program SSL sockets in In order to program SSL sockets in java, it is important to know the main java, it is important to know the main packages that are part of the JSSE packages that are part of the JSSE API:API: javax.netjavax.net package which provides the package which provides the

SocketFactory and ServerSocketFactory SocketFactory and ServerSocketFactory classes, which are used to replace classes, which are used to replace normal TCP sockets with SSL sockets. normal TCP sockets with SSL sockets.

javax.net.ssljavax.net.ssl package provides classes package provides classes and interfaces for establishing and and interfaces for establishing and managing an SSL sessionmanaging an SSL session

Generating a Server Generating a Server Certificate Certificate

Keytool can be used to create server Keytool can be used to create server certificate. We used the following certificate. We used the following command to create an RSA certificate, command to create an RSA certificate, referenced by the alias of referenced by the alias of AhmedAhmed , and , and stored in a new created keystore named stored in a new created keystore named servercertsservercerts. .

keytool -genkey -keystore keytool -genkey -keystore servercertsservercerts - -keyalg rsa -alias keyalg rsa -alias AhmedAhmed -storepass 123456 -storepass 123456 -keypass 123456-keypass 123456

Creating an SSL Client Creating an SSL Client Socket Socket

An example on how to create a client An example on how to create a client socket and specify a truststore that socket and specify a truststore that contains the certificates needed to contains the certificates needed to validate any server's certificate validate any server's certificate received from the server. received from the server. To do so, run the example below with the To do so, run the example below with the

following command: following command:

java -Djavax.net.ssl.trustStore=java -Djavax.net.ssl.trustStore=mytruststoremytruststore - -Djavax.net.ssl.trustStorePassword=Djavax.net.ssl.trustStorePassword=mytruststorepmytruststorepww MyClientMyClient

/** * <p>SSL Client </p> * * <p>This program uses SSL socket * and certificate </p> * * <p>Copyright: Copyright (c) 2005</p> * * <p>School: Western Michigan University</p> * * @author: Ahmed Muaydh * @version 1.0 */import javax.net.*;import java.net.*;import javax.net.ssl.*;import java.io.*;

class MyClient{public static void main(String str[]){ try { int port = 443;

int i; String hostname = "localhost";

InetAddress ina = InetAddress.getLocalHost() ;//Create secure SSL socket

SocketFactory socketFactory = SSLSocketFactory.getDefault(); Socket socket = socketFactory.createSocket(ina , port); System.out.println(InetAddress.getLocalHost()); // Create streams to securely send and receive data to the server InputStream in = socket.getInputStream(); OutputStream out = socket.getOutputStream(); // Read from in and write to out... DataInputStream dataIn = new DataInputStream (in); System.out.println(dataIn.readUTF()); // BufferedOutputStream buffOut = new BufferedOutputStream (out); DataOutputStream data = new DataOutputStream (out); data.writeUTF("Hello There from the client"); // Close the socket in.close(); out.close(); } catch(IOException e) {

System.out.println(e); }}}

Creating an SSL Server Creating an SSL Server Socket Socket

Now assume that a keystore is Now assume that a keystore is created. created.

To specify the keystore of certificates To specify the keystore of certificates for an SSL server socket, we can use for an SSL server socket, we can use the the javax.net.ssl.keyStorejavax.net.ssl.keyStore system system property.property.To do so, run the example below with the To do so, run the example below with the

following command: following command:

java -Djavax.net.ssl.keyStore=java -Djavax.net.ssl.keyStore=AhmedAhmed - -Djavax.net.ssl.keyStorePassword=Djavax.net.ssl.keyStorePassword=123456123456 MyServerMyServer

/** * <p>SSL Server </p> * * <p>This program uses SSL socket * and certificate </p> * * <p>Copyright: Copyright (c) 2005</p> * * <p>School: Western Michigan University</p> * * @author: Ahmed Muaydh * @version 1.0 */import javax.net.*;import java.net.*;import javax.net.ssl.*;import java.io.*;

class MyServer{public static void main(String str[]){ try { int port = 443; ServerSocketFactory ssocketFactory = SSLServerSocketFactory.getDefault(); ServerSocket ssocket = ssocketFactory.createServerSocket(port); // Listen for connections Socket socket = ssocket.accept();

System.out.println("Client got connected"); // Create streams to securely send and receive data to the client InputStream in = socket.getInputStream(); OutputStream out = socket.getOutputStream(); // Read from in and write to out... // BufferedOutputStream buffOut = new BufferedOutputStream (out); DataOutputStream data = new DataOutputStream (out); data.writeUTF("Hello There from the Server"); //BufferedInputStream buffIn = new BufferedInputStream (in); DataInputStream dataIn = new DataInputStream (in); System.out.println(dataIn.readUTF()); // Close the socket in.close(); out.close(); } catch(IOException e) {

System.out.println(e); }}}

IP secIP sec

IPsec is a protocol which sits on top of the Internet Protocol (IP) layer. It allows two or more hosts to communicate in a secure way.

● IPSec in Windows consists of three main IPSec in Windows consists of three main components components ● Policy Agent("IPSec Policy Agent" in Windows Policy Agent("IPSec Policy Agent" in Windows 2000): acquire and distribute the IPSec policies that 2000): acquire and distribute the IPSec policies that the administrator has definedthe administrator has defined● Internet Key Exchange (IKE) module : (Its function Internet Key Exchange (IKE) module : (Its function is to negotiate Security Associations (SA).is to negotiate Security Associations (SA).● IPSec driver is responsible for exercising the filters, IPSec driver is responsible for exercising the filters, and maintaining the stateful status of connectionsand maintaining the stateful status of connections

●To secure the link we will be using IPsec in To secure the link we will be using IPsec in VPNVPN

To enable audit policy