SSL/TLS

Secure Socket Layer
Transport Layer Security
RFC2246

TLS

TLS Record Protocol
TLS Handshake Protocol

TLS Record Protocol

Private
- Symmetric Cryptography
- DES, RC4 etc
Enhanced Connection Reliability
- CRC, Checksum ... Ether / TCP
- HMAC ... Keyed-Hashing for Message Authentication Code
- MD5, SHA1

TLS Handshake Protocol

Peer's Identity Authentication ... Public Key Cryptography
Symmetric Algorithm/Key Exchange Negotiation ... Secure and Reliable

Handshake

Handshake ... 0x16 (22)
Version ... 3, 1
Length ... 16bit

ClientHello

ClientHello ... (1)
Sends Random, SessionID, Cipher Suits, Compression Methods
CipherSuit examples
- 01 = TLS_RSA_WITH_NULL_MD5
- 05 = TLS_RSA_WITH_RC4_128_SHA

ServerHello

ServerHello ... (2)
Select CipherSuit and CompressionMethod

Selects for example:

   39 = Ephemeral Diffie-Hellman key exchange using RSA certificate

See

Diffie-Hellman key exchange

See
C->S: A = g^a mod p, g, p
S->C: B = g^b mod p
K_A = A^b = g^ab mod p
K_B = B^a = g^ba mod p

ChangeCipherSpec

Later on, encrypted messages are sent

HTTPS

HTTP over TLS/SSL
use TLS/SSL from the very start
- Immediately after TCP connection was established
C->S: ClientHello
S->C: ServerHello (DHE) ChangeCipherSpec ...
C->S: ChangeCipherSpec ...

TLS over POP

S->C: +OK Qpopper (version 4.0.18) at is01 starting.
C->S: CAPA
S->C: +OK Capability list follows
S->C: STLS ...
C->S: STLS
S->C: +OK STLS
C->S: ClientHello ...

TLS over SMTP

EHLO ... STARTTLS

Server Certificate

Server's public key should be signed by a trusted authority
CA ... Certificate Authority

SSL Server Setup (1)

Compile Apache with SSL enabled
You need OpenSSL library and include files
--enable-ssl and --with-ssl=DIR options for apache httpd configure command

Server keys

Key generation:

   $ openssl genrsa -out server.key 1024

Certficate Request:

   $ openssl req -new -key server.key -out server.csr
   Country Name (2 letter code) [AU]:JP
   State or Province Name (full name) [Some-State]:Kochi
   Locality Name (eg, city) []:Kochi
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Kochi University
   Organizational Unit Name (eg, section) []:Information Science
   Common Name (eg, YOUR name) []:www.is.kochi-u.ac.jp
   Email Address []:[email protected]

Get CA signature

See for example
Save the signed key in server.crt

Apache SSL Configuration

in httpd.conf (extra/httpd-ssl.conf)
SSLEngine on
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
etc. etc.

Role of CA

PGP vs PKI

PGP ... Pretty Good Privacy
PGP -> OpenPGP, GnuPG
Peer Signed Public Key
PKI ... Public Key Infrastructure
PKI -> SSL/TLS, S/MIME
Authorized Key Signing

Signing

PGP (message.txt -> message.txt.asc):
```
   $ gpg --detach-sign -a message.txt
```

S/MIME (message.txt -> mail.msg):

   $ openssl smime -sign -in message.txt -text -out mail.msg -inkey mykey.pem -signer mycrt.pem

Verifying Signature

PGP:
```
   $ gpg --verify message.txt.asc
```

S/MIME:

   $ openssl smime -verify -in mail.msg -CAfile demoCA/cacert.pem

Note that signer's public key is included in mail.msg

Encrypting

PGP:

   $ gpg -r [email protected] -ea message.txt

S/MIME (message.txt -> encmail.msg):

   $ openssl smime -encrypt -in message.txt -des3 -out encmail.msg mycrt.pem

Decrypting

PGP:
```
   $ gpg message.txt.asc
```

S/MIME:

   $ openssl smime -decrypt -in encmail.msg -recip mycrt.pem -inkey mykey.pem

Miscellaneous Applications

SSH ... RFCs 4250, 4251, 4252, 4253, 4254, 4255
OpenID

Quiz of the Day

Spell out the following acronyms
TLS
CA

SSL/TLS S/MIME

Tokio Kikuchi

SSL/TLS

TLS

TLS Record Protocol

TLS Handshake Protocol

Handshake

ClientHello

ServerHello

Diffie-Hellman key exchange

ChangeCipherSpec

HTTPS

TLS over POP

TLS over SMTP

Server Certificate

SSL Server Setup (1)

Server keys

Get CA signature

Apache SSL Configuration

Role of CA

PGP vs PKI

Signing

Verifying Signature

Encrypting

Decrypting

Miscellaneous Applications

Quiz of the Day