NAT & Secure Sockets SSL/TLS

ICW: Lecture 6 Tom Chothia

Network Address Translation

How many IP address are there?

0.0.0.0 to 255.255.255.255 Therefore 256*256*256*256 = 4 294 967 296 address

Not enough for 1 per person (I have 4)

Network Address Translation

Answer IP6: Internet Protocol version 6 •  2128 addresses! Enough for everyone •  Not backwards compatible

Another answer: Network Address Translation (NAT), Share an address.

NAT

Address in the ranges: 192.168.*.*, 172.16.*.* 172.31.*.*,10.*.*.*

are local only. Local machines communicate with the outside

Internet use a NAT router that shares it’s IP address.

Ports used to tells the machines apart.

147.188.254.142

10.0.0.1

10.0.0.3 10.0.0.2

UoB wifi

147.188.193.1

10.0.0.4 10.0.0.3 10.0.0.2

The Labs

Rest of Internet

SSL/TSL

  Why sockets aren't secure.   How to make secure socket connections.   TLS/SSL in Java

  javax.net.ssl.SSLSocket  javax.net.ssl.SSLServerSocket

  Authenticating the Server.

The SSL/TLS Protocol

The Secure Sockets Layer (SSL) protocol has been renamed the Transport Layer Security (TLS).

It provides encrypted socket communication and optionally authentication.

It may use a range of ciphers (RSA,DES,DH,..) These are negotiation at the start of the run.

The Internet Protocol Stack, (Most of the Time):

Stuff that you write

TCP or UDP

IP

Ethernet or 802.11

Application

Transport

Network

Link/Hardware

The Internet Protocol Stack with TLS

Application

Transport

Network

Link/Hardware

The TLS layer runs between the Application layer and the Transport layer.

Once the socket is open the encryption is transparent to the Application layer.

The normal TCP and IP protocols etc. can be used at the low layers

TLS

TLS in Java

TLS with no Authentication •  Create a SSLServerSocketFactory using sockFact=SSLServerSocketFactory.getDefault();

•  Create a SSLServerSocket: secSock=sockFact.createServerSocket(portNo)

•  Set the Ciphers: secSocket.setEnabledCipherSuites(ciphers);

•  Listen on the socket for an encrypted connection: socket = (Socket) secSocket.accept();

Verifying Identity

•  A private key can be used to “sign” a message.

•  The public key can be used to verify this signature.

•  If I have someone's public key, I can use it to make sure I'm talking to them.

Cipher Suites Cipher Suites with encryptions

and authentication:

SSL_RSA_WITH_3DES_EDE_CBC_SHA

SSL_RSA_WITH_DES_CBC_SHA

SSL_RSA_WITH_RC4_128_MD5

SSL_RSA_WITH_RC4_128_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5

TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA

...

Cipher Suites with just authentication:

SSL_RSA_WITH_NULL_MD5

SSL_RSA_WITH_NULL_SHA

Cipher Suites with just encryptions:

SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA

SSL_DH_anon_EXPORT_WITH_RC4_40_MD5

SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

SSL_DH_anon_WITH_DES_CBC_SHA

SSL_DH_anon_WITH_RC4_128_MD5

TLS_DH_anon_WITH_AES_128_CBC_SHA

TLS_DH_anon_WITH_AES_256_CBC_SHA

TLS in Java

SSL/TLS contexts and Trust

  SSL/TLS can set up a secure connection with someone if we have their public key.

  The SSL context can be loaded with   the keys used to identify yourself.   the public keys of people we trust.

Keystores: a Reminder

•  We saw keystores in the Crypto Lecture.

•  The Keystore stores password protected keys and certifications.

•  Use “java.security.KeyStore” or the “keytool” from the command line.

keytool Generate and show a key for the server: keytool -genkey -alias serverKey -keystore server.jks

keytool -list -keystore server.jks -storepass password

Export a certification for the key: keytool -export -alias serverKey -file server.crt

-keystore server.jks

Import and show the certificate, at the client end: keytool -import -keystore client.jks -alias serverCert

-file server.crt

keytool -list -keystore client.jks -storepass password

Certificate Chains

•  The public keys are stored as certificates.

•  If we have someone's public key we can use it to check their identity.

•  But we can't have the public key of everyone on the Internet. :-(

Certificate Chains

•  If someone we trust signs someone else's public key, we can trust them.

•  There are a number of companies that check peoples identity and will sign their public key. e.g. Versign.

•  These companies certificates are embedded in most browsers.

Summary

•  SSL/TLS is the most common way to secure connections –  javax.net.ssl.SSLSocket –  javax.net.ssl.SSLServerSocket

•  To Authenticate someone, you must have a certificate/certificate chains for the server.

•  Browsers come with certificates of Versign, etc. they will check your IS and sign your key for a fee.

Next Time:

•  Marco Cova.

•  Web pages: •  HTML •  CCS