1 / 18

Secure Sockets SSL/TLS

ICW: Lecture 6 Tom Chothia. Secure Sockets SSL/TLS. Last Lecture. How to make socket connections between computers. Socket = (IP_from,port_from,IP_to,port_to) java.io.Socket java.io.ServerSocket. Introduction. Why sockets aren't secure.

Download Presentation

Secure Sockets SSL/TLS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ICW: Lecture 6 Tom Chothia Secure Sockets SSL/TLS

  2. Last Lecture • How to make socket connections between computers. • Socket = (IP_from,port_from,IP_to,port_to) • java.io.Socket • java.io.ServerSocket

  3. Introduction • Why sockets aren't secure. • How to make secure socket connections. • The TLS/SSL protocol. • TLS/SSL in Java • javax.net.ssl.SSLSocket • javax.net.ssl.SSLServerSocket • Authenticating the Server.

  4. The SSL/TLS Protocol • The Secure Sockets Layer (SSL) protocol has been renamed the Transport Layer Security (TLS). • It provides encrypted socket communication and optionally authentication. • It may use a range of ciphers (RSA,DES,DH,..) • These are negotiation at the start of the run.

  5. The Internet Protocol Stack, (Most of the Time): Stuff that you write Application TCP or UDP Transport Network IP Link/Hardware Ethernet or 802.11

  6. The Internet Protocol Stack with TLS Application The TLS layer runs between the Application layer and the Transport layer. Once the socket is open the encryption is transparent to the Application layer. The normal TCP and IP protocols etc. can be used at the low layers TLS Transport Network Link/Hardware

  7. TLS in Java

  8. TLS with no Authentication • Create a SSLServerSocketFactory using sockFact = SSLServerSocketFactory.getDefault(); • Create a SSLServerSocket: secSock=sockFact.createServerSocket(portNo) • Set the Ciphers: secSocket.setEnabledCipherSuites(ciphers); • Listen on the socket for an encrypted connection: socket = (Socket) secSocket.accept();

  9. Verifying Identity • A private key can be used “sign” a message. • The public key can be used to verify this signature. • If I have someone's public key, I can use it to make sure I'm talking to them.

  10. Cipher Suites with just authentication: SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA Cipher Suites with just encryptions: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA SSL_DH_anon_WITH_RC4_128_MD5 TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_256_CBC_SHA Cipher Suites • Cipher Suites with encryptions and authentication: • SSL_RSA_WITH_3DES_EDE_CBC_SHA • SSL_RSA_WITH_DES_CBC_SHA • SSL_RSA_WITH_RC4_128_MD5 • SSL_RSA_WITH_RC4_128_SHA • TLS_DHE_DSS_WITH_AES_128_CBC_SHA • TLS_DHE_DSS_WITH_AES_256_CBC_SHA • TLS_DHE_RSA_WITH_AES_128_CBC_SHA • TLS_DHE_RSA_WITH_AES_256_CBC_SHA • TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 • TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA • ...

  11. TLS in Java

  12. SSL/TLS contexts and Trust • SSL/TLS can set up a secure connection with someone if we have their public key. • The SSL context can be loaded with • the keys used to identify yourself. • the public keys of people we trust.

  13. Keystores: a Reminder • We saw keystores in the Crypto Lecture. • The Keystore stores password protected keys and certifications. • Use “java.security.KeyStore” or the “keytool” from the command line.

  14. keytool • Generate and show a key for the server: • keytool -genkey -alias serverKey -keystore server.jks • keytool -list -keystore server.jks -storepass password • Export a certification for the key: • keytool -export -alias serverKey -file server.crt • -keystore server.jks • Import and show the certificate, at the client end: • keytool -import -keystore client.jks -alias serverCert • -file server.crt • keytool -list -keystore client.jks -storepass password

  15. Certificate Chains • The public keys are stored as certificates. • If we have someone's public key we can use it to check their identity. • But we can't have the public key of everyone on the Internet. :-(

  16. Certificate Chains • If someone we trust signs someone else's public key, we can trust them. • There are a number of companies that check peoples identity and will sign their public key. e.g. Versign. • These companies certificates are embedded in most browsers.

  17. Summary • SSL/TLS is the most common way to secure connections • javax.net.ssl.SSLSocket • javax.net.ssl.SSLServerSocket • To Authenticate someone, you must have a certificate/certificate chains for the server. • Browsers come with certificates of Versign, etc. they will check your IS and sign your key for a fee.

  18. Next Time: • XML and Java XML tools. • XML is the default file format of Internet systems. • The next lecture will tell you what XML is and how to manipulate XML in Java.

More Related