secure socket layer

Post on 02-Nov-2014


DESCRIPTION

SSL installation on a local web server

TRANSCRIPT

In the name of God, the Most Gracious, the Most Merciful

SSL / TLS

S.Masihullah Hamidullah Ab.Sattar

Contents

• Introduction

• SSL/TLS

• Why SSL?

• How does SSL work?

• Requirements

• Self signed certificate

• Authorized certificate

• How to create certificate

• Terms to know about

• Practice

Introduction

What business opportunities does the Internet provide?

• Online commerce.

• Online shopping.

• Online resource sharing.

• Email and messaging.

• Data transfer.

Benefits.

• Cost effectiveness of online operations and delivery

• Open global markets - gain customers from all over the world.

• New and exciting ways of marketing directly to your customers

• Offer new data products and services via the Web


Improvement needs concentration and security

What is important to secure?

• Important and secret data transfer.

• Usernames and passwords.

• Bank account numbers.

• Credit cards.

Threats and challenges for unsecured data

• Hacking

• Data stealing

• ID misuse

SSL / TLS

SSL (Secure Socket Layer)

TLS (Transport Layer Security)

It is a protocol used along with HTTP in order to provide:

• Identity assurance

• Encryption

When we implement the SSL protocol along with HTTP, it turns into HTTPS, which indicates the Secure Socket Layer protocol.

Why SSL ?

1. Encryption:

• Process of hiding what is sent from one computer to another.

• Encrypting and securing the data that we want to send to a host.

2. Identity assurance:

• Making sure that the computer we are speaking to is the one we trust.

• Assurance for validation of the remote server by issuing a certificate.

Identity Assurance

Request: www.gmail.com

Response: https://gmail.com

• The server authenticates us and gives us assurance that the server we are trying to connect with is a real server.

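[Figure: Plain-text data transfer with no Secure Socket Layer. The message "Hello" is readable at every point.]

[Figure: Encrypted data transfer with Secure Socket Layer. The message "Hello" appears in transit as unreadable characters such as "@$%^$&#!?".]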

How does SSL Work?

[Figure: Request http://www.gmail.com; Response https://www.gmail.com with public key; Request GET index.html, encrypted with the public key]

• Client requests the page.

• Server responds with a public key for encryption.

• Client encrypts the request using the server's public key.

• Server decrypts the request using its private key.

What do we need?

• We need a Key

• Create a certificate using that key

We have two types of certificate

Self signed Certificate.

Authorized certificate.

Self Signed Certificate

A self signed certificate is a certificate that is signed by the person creating it rather than a trusted authority.

It has a major disadvantage:

A visitor's connection could be hijacked, allowing an attacker to view all the data sent, and the certificate cannot be revoked like a trusted certificate can.

We're going to explain when a self signed certificate should and shouldn't be used.

We can generate a self signed certificate for common platforms like Microsoft IIS, Apache, and Java Keytool or OpenSSL.

Self signed Certificate Usage

In a local network.

When clients only have to go through a local intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.

A development server.

There is no need to spend extra cash buying a trusted certificate when you are just developing or testing an application.

Personal sites with few visitors.

If you have a small personal site that transfers non-critical information, there is very little incentive for someone to attack the connections.

Authorized Certificate

The certificate which is signed by an authorized vendor.

SSL Certificate will contain

• your domain name.

• your company name

• your address

• your city

• your state and your country.

It will also contain the expiration date of the certificate and details of the Certification Authority responsible for the issuance of the certificate.

How to create Certificate?

We can create our certificate using the utilities listed here.

OPENSSL

It's a utility used to create an SSL certificate.

It comes with the Apache binary package.

KEYTOOL

This is also a utility used to create an SSL certificate.

It comes with the Java package, inside the /bin directory.

Terms to know about

RSA Algorithm

The RSA algorithm is named after Ron Rivest, Adi Shamir and Len Adleman, who invented it in 1977. The basic technique was first discovered in 1973 by Clifford Cocks (part of the British GCHQ) but this was a secret until 1997.

The RSA cryptosystem is the most widely-used public key cryptography algorithm in the world.

The RSA algorithm can be used for both public key encryption and digital signatures. Its security is based on the difficulty of factoring large integers.


DES3 Algorithm

The Data Encryption Standard (DES) was developed by an IBM team around 1974 and adopted as a national standard in 1977. Triple DES is a minor variation of this standard. It is three times slower than regular DES but can be billions of times more secure if used properly. Triple DES enjoys much wider use than DES because DES is so easy to break with today's rapidly advancing technology.


The OSI X.509 standard

X.509 uses a centralized hierarchy with at most a few trusted entities at its core.

These trusted entities issue files which are used to distribute public keys and certify that the bearer of the file is who or what he or she claims to be.

Let's see the code at a glance

Certificate Signing Request: genrsa -des3 -out server.key 1024

Create Unencrypted Key: rsa -in server.key -out server.pem

Generate Unsigned Certificate: req -new -key server.key -out server.csr

30 day certificate: x509 -req -days 30 -in server.csr -signkey server.key -out server.crt

Practice

You can install the setup file of the Apache server or the binary file, as we are using it here. Copy the binary file to a drive (C:).

Go to the path “C:\apache2\bin” using the command line.

Use this command to install Apache: “httpd -k install”

Type localhost in your browser to see if your Apache server works.

Apache Installation

OpenSSL environment

To use the openssl utility to create a certificate, we can copy its path and paste it into the Windows environment, so that we can use it anywhere without typing the path to its location every time.

The openssl utility exists in your “c:\apache2\bin” directory.

Copy the above path and go to the Windows environment settings shown below:

My Computer Properties > Advanced System Settings > Environment Variable

In Environment Variable choose New, give it the name path as the variable name, and paste the path into the variable value.

Windows Environment

Now that you have introduced the openssl utility to the Windows environment, you can run it from CMD anywhere you want to make your certificate.

Running Openssl Utility

Creating certificate

Use the following commands to create your certificate using openssl, and provide information during certificate creation as it asks for it.

To create Certificate Signing Request: genrsa -des3 -out server.key 1024

To Create Unencrypted Key: rsa -in server.key -out server.pem

It gives an error when typing this code. We have to read the error and solve it. It says to copy the openssl.conf file to a directory on your (C:) drive. Use the exact name for the directory as it says in the error.

To Generate Unsigned Certificate: req -new -key server.key -out server.csr

To create or sign a 30 day certificate: x509 -req -days 30 -in server.csr -signkey server.key -out server.crt

This is the process of how to create a key and a certificate.

During creation it asks for a “Passphrase” and for information about the web site we are creating this certificate for.

Provide your FQDN if you are going to create it for your website; here we are working locally, so we provide localhost as our FQDN.

You can skip the optional [] fields, as we did for some, by just hitting ENTER.
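
The four steps above as one non-interactive script, followed by the checks worth running before pointing Apache at the files. This is an added example, not part of the original slides; it assumes a POSIX shell with openssl on the PATH, uses a 2048-bit key in place of the slides' 1024, and the passphrase and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: the four openssl steps above, run without prompts, then checked.
PASS='constructed-passphrase'    # constructed sample value, not a real secret

make_cert() {                    # $1 = output directory, $2 = FQDN
    d=$1
    # 1. RSA private key, encrypted with 3DES under the passphrase
    openssl genrsa -des3 -passout "pass:$PASS" -out "$d/server.key" 2048 2>/dev/null &&
    # 2. Unencrypted copy of the key, so the server can start without a prompt
    openssl rsa -in "$d/server.key" -passin "pass:$PASS" -out "$d/server.pem" 2>/dev/null &&
    chmod 600 "$d/server.pem" &&     # plaintext key: readable by its owner only
    # 3. Signing request; -subj supplies the FQDN instead of the questions
    openssl req -new -key "$d/server.key" -passin "pass:$PASS" \
        -subj "/CN=$2" -out "$d/server.csr" &&
    # 4. Sign the request with its own key: a 30-day self-signed certificate
    openssl x509 -req -days 30 -in "$d/server.csr" -signkey "$d/server.key" \
        -passin "pass:$PASS" -out "$d/server.crt" 2>/dev/null
}

key_is_encrypted() {             # $1 = key file; both PEM styles say ENCRYPTED
    grep -q ENCRYPTED "$1"
}

key_matches_cert() {             # $1 = directory; key and cert share one modulus
    k=$(openssl rsa -in "$1/server.pem" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$1/server.crt" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

is_self_signed() {               # $1 = directory; issuer equals subject
    s=$(openssl x509 -in "$1/server.crt" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1/server.crt" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

valid_after_days() {             # $1 = directory, $2 = days from now
    openssl x509 -in "$1/server.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

work=$(mktemp -d)
make_cert "$work" localhost &&
    key_is_encrypted "$work/server.key" && ! key_is_encrypted "$work/server.pem" &&
    key_matches_cert "$work" && is_self_signed "$work" &&
    valid_after_days "$work" 29 && ! valid_after_days "$work" 31 &&
    echo "server.crt: self-signed for localhost, matches server.pem, valid 30 days"
rm -rf "$work"
```

A modulus mismatch between the key and the certificate is the usual reason Apache refuses to start after the configuration change, so key_matches_cert is the check to run first.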

We have to make changes in the following configuration files of the Apache server.

Find the lines below in the httpd.conf file (see “C:\apache\conf”) and enable them by removing the leading #.

#LoadModule ssl_module modules/mod_ssl.so

#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

#Include conf/extra/httpd-default.conf

#Include conf/extra/httpd-ssl.conf

Specify the certificate and key path in the httpd-ssl file in C:\apache2\conf\extra

SSLCertificateFile "c:/Apache24/conf/localhost.crt"

SSLCertificateKeyFile "c:/Apache24/conf/localhost.pem"

RESTART YOUR APACHE SERVER TO GET YOUR CONFIGURATION DONE!

Changing Apache Configuration Files

Now you are ready to use the https protocol or Secure Socket Layer

Questions
