Introduction to Open SSL Jing Li Dalhousie University

  • Slides: 28
Download presentation
Introduction to Open. SSL Jing Li @ Dalhousie University

Introduction to Open. SSL Jing Li @ Dalhousie University

Overview • • • What is Open. SSL Protocol Command-Line Interface Application Programming Interface

Overview • • • What is Open. SSL Protocol Command-Line Interface Application Programming Interface Problems with Open. SSL Summary

What is Open. SSL • The Open. SSL Project is a collaborative effort to

What is Open. SSL • The Open. SSL Project is a collaborative effort to develop a robust, commercialgrade, fully featured, and Open Source toolkit implementing the SSL_v 2/v 3 and TLS_v 1 protocols as well as a full-strength general purpose cryptography library.

What is Open. SSL – Cont. • The Open. SSL Project is managed by

What is Open. SSL – Cont. • The Open. SSL Project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the toolkit and its related documentation.

What is Open. SSL – Cont. • Open. SSL is based on the excellent

What is Open. SSL – Cont. • Open. SSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. • The current versions are 0. 9. 7 c (AES Algorithm) and 0. 9. 6 k-engine, which supports hardware accelerators for encryption and decryption.

What is Open. SSL – Cont. • Features: – Open Source – Fully Functional

What is Open. SSL – Cont. • Features: – Open Source – Fully Functional Implementation – Cross-Platform (Unix & Windows) – Command-Line Interface (openssl command) – Application Programming Interface (C/C++, Perl, PHP & Python)

SSL Protocol • The primary goal of the SSL (Secure Sockets Layer) Protocol and

SSL Protocol • The primary goal of the SSL (Secure Sockets Layer) Protocol and its successor TLS (Transport Layer Security) Protocol is to provide privacy and reliability between two communicating applications.

SSL Protocol – Cont. • It is composed of two layers: – SSL Record

SSL Protocol – Cont. • It is composed of two layers: – SSL Record Protocol • It is used for the transmission of bulk data. – SSL Handshake Protocol • It is used to establish the secure connection for data transfer.

SSL Protocol – Cont. • Handshake – Negotiate the cipher suite – Authenticate the

SSL Protocol – Cont. • Handshake – Negotiate the cipher suite – Authenticate the server – Authenticate the client (Optional) – Generate the session keys – Establish a secure connection

SSL Protocol – Cont. • More detail information can be found from: – SSL

SSL Protocol – Cont. • More detail information can be found from: – SSL Protocol v 3 @ http: //www. netscape. com/eng/ssl 3/draft 302. txt – TLS Protocol v 1 @ http: //www. ietf. org/rfc 2246. txt

Command-Line Interface • Functionality – Creation of RSA, DSA & DH key pairs –

Command-Line Interface • Functionality – Creation of RSA, DSA & DH key pairs – Creation of X 509 Certificates, CSRs & CRLs – Calculation of Message Digests – Encryption & Decryption with Ciphers – SSL/TLS Client & Server Tests – Handling of S/MIME signed and/or encrypted mails

Command-Line Interface – Cont. • Example 1 – Secure Apache Web Server with mod_ssl

Command-Line Interface – Cont. • Example 1 – Secure Apache Web Server with mod_ssl & Open. SSL • Example 2 – S/MIME

Secure Apache Web Server with mod_ssl & Open. SSL • Generate the Root Certificate

Secure Apache Web Server with mod_ssl & Open. SSL • Generate the Root Certificate • Generate the CSR (Certificate Signing Request) • Sign the CSR • Generate the PKCS 12 • Modify the Apache Configuration File

Generate The Root Certificate – openssl req -x 509 -days 2922 -newkey rsa: 1024

Generate The Root Certificate – openssl req -x 509 -days 2922 -newkey rsa: 1024 -md 5 -out ca. crt -keyout ca. key -config. openssl. cnf

Generate The CSR – openssl req -newkey rsa: 1024 -out mec. csr keyout mec.

Generate The CSR – openssl req -newkey rsa: 1024 -out mec. csr keyout mec. key -config. openssl. cnf -reqexts v 3_req

Sign The CSR – openssl x 509 -req -in mec. csr -extfile. openssl. cnf

Sign The CSR – openssl x 509 -req -in mec. csr -extfile. openssl. cnf -extensions usr_cert -CA ca. crt CAkey ca. key -CAcreateserial -sha 1 -days 1461 -out mec. crt

Generate The PKCS 12 – openssl pkcs 12 -export -out mec. p 12 -in

Generate The PKCS 12 – openssl pkcs 12 -export -out mec. p 12 -in mec. crt -inkey mec. key -certfile ca. crt

Modify The Apache Configuration File – httpd. conf Load. Module ssl_modules/libssl. so Add. Module

Modify The Apache Configuration File – httpd. conf Load. Module ssl_modules/libssl. so Add. Module mod_ssl. c SSLEngine off SSLSession. Cache dbm: logs/ssl_cache SSLSession. Cache. Timeout 300 Listen 80 Listen 443

Modify The Apache Configuration File – Cont. <Virtual. Host _default_: 80> <Location /admin> Deny

Modify The Apache Configuration File – Cont. <Virtual. Host _default_: 80> <Location /admin> Deny from all </Location> </Virtual. Host> <Virtual. Host _default_: 443> SSLEngine on SSLCertificate. File “conf/ssl. crt/mec. crt” SSLCertificate. Key. File “conf/ssl. key/mec. key” SSLCACertificate. File “conf/ssl. crt/ca. crt”

Modify The Apache Configuration File – Cont. <Location /admin> SSLVerify. Client require SSLRequire %{SSL_CLIENT_S_DN_CN}

Modify The Apache Configuration File – Cont. <Location /admin> SSLVerify. Client require SSLRequire %{SSL_CLIENT_S_DN_CN} eq “Administrator” </Location> </Virtual. Host>

S/MIME – Sign • openssl smime -sign -in m. txt -out sign_clear. eml signer

S/MIME – Sign • openssl smime -sign -in m. txt -out sign_clear. eml signer jingli. pem – Verify • openssl smime -verify -in sign_clear. eml -signer jingli. pem -CAfile ca. crt

S/MIME – Cont. – Encrypt • openssl smime -encrypt -des 3 -in m. txt

S/MIME – Cont. – Encrypt • openssl smime -encrypt -des 3 -in m. txt -out encrypt. eml jingli. crt – Decrypt • openssl smime -decrypt -in encrypt. eml -recip jingli. pem – Sign & Encrypt • openssl smime -sign -in m. txt -text -signer jingli. pem | openssl smime -encrypt -des 3 -out sign_encrypt. eml jingli. pem

Application Programming Interface • libssl. a or libssl. so – Implementation of SSL_v 2/3

Application Programming Interface • libssl. a or libssl. so – Implementation of SSL_v 2/3 & TLS_v 1 • libcrypto. a or libcrypto. so – Ciphers (AES, DES, RC 2/4, Blowfish, IDEA) – Digests (MD 5, SHA-1, MDC 2) – Public Keys (RSA, DH) – X 509 s (ASN. 1 DER & PEM) – Others (BIO, BASE 64)

Application Programming Interface – Cont. • Open. SSL’s libraries are also used by other

Application Programming Interface – Cont. • Open. SSL’s libraries are also used by other tools, such as Open. CA, Open. SSH, to implement secure transmission of data • Using SSL Proxy, arbitrary socket connections can be secured by SSL

Problems with Open. SSL • • It is powerful, but is not easy for

Problems with Open. SSL • • It is powerful, but is not easy for use Non object-oriented Be lack of documents, especially for APIs Problems with shared libraries in some platforms

Summary • Open. SSL is an Open Source toolkit implementing SSL/TLS & Cryptography •

Summary • Open. SSL is an Open Source toolkit implementing SSL/TLS & Cryptography • It has a command-line interface & an application programming interface • There a lot of tools using Open. SSL’s libraries to secure data or establish secure connections

References • • • Open. SSL – http: //www. openssl. org SSL – http:

References • • • Open. SSL – http: //www. openssl. org SSL – http: //www. netscape. com/eng/ssl 3/draft 302. txt TLS – http: //www. ietf. org/rfc 2246. txt Apache – http: //www. apache. org mod_ssl – http: //www. modssl. org Network Security with Open. SSL by Pravir Chandra, Matt Messier & John Viega • Applied Cryptography by Bruce Schneier