18-ssl_52
TRANSCRIPT
7/28/2019 18-SSL_52
SSL (Secure Socket Layer)
This session is about how to use SSL to deploy web applications securely over Tomcat.
By deploying web applications securely using SSL, I mean two specific things. First, data confidentiality between the browser and the web server. For example, if you are sending sensitive information such as your credit card number to a web server, you want to make sure nobody can read it while it is being transported on the wire. As we talked about in the Web Application Security session, SSL can be used to achieve this data confidentiality. The second thing I am talking about is client certificate authentication. Again, SSL can be used here.
02/28/2006
Sang Shin
[email protected]
www.javapassion.com/j2ee
Technology Evangelist, Sun Microsystems, Inc.
Disclaimer & Acknowledgments
* Even though Sang Shin is a full-time employee of Sun Microsystems, the contents here are created as his own personal endeavor and thus do not reflect any official stance of Sun Microsystems.
* Sun Microsystems is not responsible for any inaccuracies in the contents.
* Acknowledgments: all examples in this presentation are from Java WSDP.
Revision History
* 01/22/2002: version 1, contents created with speaker notes (Sang)
* 10/26/2004: version 2, slides of JSSE are added (Sang)
Agenda
* What is SSL?
* What is a Certificate?
* SSL support in Tomcat
* Steps of installation/configuration of the SSL HTTPS Connector over Tomcat
* Browser and Certificates
So this is what we are going to talk about in this 30-minute session.
First, we will talk about what SSL is, then about what a certificate is. We already talked about what a certificate is in the Security Basics presentation, so this is a bit of a rehash. SSL uses a public/private key scheme, and understanding a certificate as a container of a public key and other information is important for understanding SSL.
Then we will talk about how SSL can be supported over Tomcat and go over the steps you will take in order to install and configure the SSL connector. And then we will talk about how a browser recognizes and maintains the server certificates it receives when it accesses an SSL-protected web page.
If you don't understand what I am talking about right now, don't be concerned. We will go over each of these topics in some detail in this presentation, and you will have a relatively good understanding of them at the end.
What is SSL?
So let's talk about what SSL is first.
SSL (Secure Socket Layer)
SSL stands for Secure Socket Layer. The primary security service SSL provides is protection of data while the data is on the wire. That is, the data can be sent over the wire in encrypted form using SSL, which provides data confidentiality.
Secure Socket Layer (SSL)
* By far the dominant security technology on the web
* Transport layer security: HTTPS is HTTP over SSL
* Responsible for the emergence of e-commerce and other security-sensitive services on the web
* Beneficiary of several years of public scrutiny
SSL is the dominant security technology, especially over the web. Pretty much all secure communication over the web is based on SSL.
SSL is transport layer security over TCP/IP, so any TCP/IP application can be protected by using SSL. For example, FTP, Telnet or HTTP communication can be protected by using SSL. By the way, you might have heard of HTTPS. It stands for HTTP over SSL.
SSL is so popular on the web right now that I would even claim SSL is partly responsible for the emergence of e-commerce and other security-sensitive services over the web. Well, SSL has its own limitations, especially in the context of web services. But for now, SSL is the only option for doing any kind of sensitive transaction over the web.
And SSL has gone through many years of usage, and pretty much all the products out there support it.
SSL runs over TCP
(Figure showing SSL running over TCP; source: java.sun.com)
Why SSL? SSL Provides ...
* Confidentiality (privacy)
* Data integrity (tamper-proofing)
* Server authentication (proving a server is what it claims it is); used in a typical B2C transaction
* Optional client authentication; would be required in B2B (or a Web services environment in which program talks to program)
So what does SSL provide?
First, as was mentioned, SSL provides confidentiality of the data while it is on the wire. We are talking about privacy or confidentiality of the data.
SSL also supports data integrity, which is also called tamper-proofing. This is done as part of digital signing.
In a typical secure communication between your browser and the web server, for example when you check out and are ready to send your credit card number to an online shopping site such as amazon.com, the secure communication between the browser and the web server starts with so-called server authentication. That is, when you are sending your credit card information to amazon.com, you want to make sure the amazon.com you think it is really is amazon.com. So server authentication proves the identity of amazon.com to your browser.
Optionally, you can do client authentication. In this case, the server wants to make sure the client is what it claims it is. In a typical B2C environment, the server does not usually send any sensitive information to the browser, so there is less need for proving the client's identity. In a B2B or Web services environment in the future, this will change.
SSL and Security Keys
* Uses a public/private key (asymmetric) scheme to create a secret key (symmetric)
* The secret key is then used for encryption of data; SSL operation is optimized for performance: using a symmetric key for encryption is a lot faster than using asymmetric keys
We talked, during the Security Basics presentation, about how keys are used in the cryptographic process. We also talked about the two key schemes: the public/private key scheme and the secret key scheme. The public/private key scheme is called asymmetric, while the secret key scheme is called symmetric. We also learned that public/private key operations are very expensive from a performance standpoint.
Now SSL uses both the public/private key and secret key schemes. We will see how these keys are created and used in the following slides. But basically SSL uses the public/private key to create what is called a secret session key. The public/private key scheme is used for authentication, while the secret session key is used for encryption.
SSL Key Exchange (Simplified)
(Figure: client/browser on one side, Server on the other; the diagram is not reproduced here.)
This picture shows a simplified view of how SSL works.
First, the client, in this case the browser, accesses the web server. We already learned during the Web Application Security session how this secure communication gets started. The web server then sends its public key in the form of a certificate. Please note that the certificate contains the server's public key.
After making sure the server's public key that it received is a valid one, the client then creates a so-called premaster key, encrypts it using the server's public key and sends it to the server. Because the premaster key is encrypted with the server's public key, only the server can decrypt it. The server then creates a secret session key which will be used for encrypting data for any further data exchange between the browser and the server.
There are a few more things that happen in this handshake, but this is basically the guts of the SSL handshake.
SSL Key Exchange Steps
1. SSL client connects to an SSL server
2. Server then sends its own certificate, which contains its public key
3. Client then creates a random key (premaster key) and uses the server's public key to encrypt it
4. Client then sends the encrypted premaster key to the server
5. Server then decrypts it and uses the decrypted premaster key to create the secret session key
6. Now both client and server use the secret session key for further communication
So this is a repeat of what I just said in the previous slide. (Please read the slide.)
Negotiable Encryption Algorithms
* Not all clients and servers use the same encryption and authentication algorithms
* SSL client and server negotiate encryption and decryption algorithms (cipher suites) during their initial handshake; the connection will fail if they do not have common algorithms
Among the features of SSL that have made it the de facto standard vehicle for secure e-commerce transactions is its support for negotiable encryption and authentication algorithms. The designers of SSL realized that not all parties will use the same client software, and consequently not all clients will include any particular encryption algorithm. The same is true for servers. The client and server at the two ends of a connection negotiate the encryption and decryption algorithms (cipher suites) during their initial handshake. It may turn out that they do not have sufficient algorithms in common, in which case the connection attempt will fail.
SSL Handshake Protocol
1. ClientHello: The client sends the server information such as the SSL protocol version, session id, and cipher suite information such as the cryptographic algorithms and key sizes supported.
2. ServerHello: The server chooses the best cipher suite that both the client and server support and sends this information to the client.
3. Certificate: The server sends the client its certificate, which contains the server's public key. While this message is optional, it is used when server authentication is required. In other words, it is used to confirm the server's identity to the client.
4. Certificate Request: This message is sent only if the server requires the client to authenticate itself. Most e-commerce applications do not require the client to authenticate itself.
5. Server Key Exchange: This message is sent if the certificate, which contains the server's public key, is not sufficient for key exchange.
6. ServerHelloDone: This message informs the client that the server finished the initial negotiation process.
7. Certificate: This message is sent only if the server requested the client to authenticate itself.
8. Client Key Exchange: The client generates a secret key to be shared between the client and server. If the Rivest-Shamir-Adleman (RSA) encryption algorithm is used, the client encrypts the key using the server's public key and sends it to the server. The server uses its private or secret key to decrypt the message and retrieves the shared secret key. Now, client and server share a secret key that has been distributed securely.
9. Certificate Verify: If the server requested to authenticate the client, this message
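The key exchange steps from the previous slides, the cipher suite negotiation, and messages 1, 2, 3 and 8 of the handshake listed above, walked through as an added example; this is not code from the presentation or from Java WSDP. It uses only the JDK's own java.security and javax.crypto classes. The cipher suite preference lists are constructed samples, the SHA-256 key derivation is a simplified stand-in for the SSL/TLS PRF, and certificate validation is left out, so it shows the mechanics of the exchange rather than a conformant implementation:

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLHandshakeException;

public class HandshakeWalkthrough {

    // Constructed sample preference lists for the two sides (real JSSE suite names).
    static final List<String> CLIENT_SUITES = Arrays.asList(
            "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA");
    static final List<String> SERVER_SUITES = Arrays.asList(
            "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA");

    /** ServerHello choice: first suite in the server's preference order that the client offered. */
    static String negotiate(List<String> offeredByClient, List<String> serverPreference)
            throws SSLHandshakeException {
        for (String suite : serverPreference) {
            if (offeredByClient.contains(suite)) {
                return suite;
            }
        }
        // Nothing in common: a real handshake aborts here with a handshake_failure alert.
        throw new SSLHandshakeException("no cipher suite in common");
    }

    /** Both sides run this over identical inputs and so obtain identical keys (simplified PRF). */
    static SecretKey deriveSessionKey(byte[] premaster, byte[] clientRandom, byte[] serverRandom)
            throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(premaster);
        md.update(clientRandom);
        md.update(serverRandom);
        byte[] keyBytes = Arrays.copyOf(md.digest(), 16); // AES-128 key
        return new SecretKeySpec(keyBytes, "AES");
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();

        // Server setup: the long-lived RSA key pair whose public half a certificate would carry.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair serverKeys = kpg.generateKeyPair();

        // 1. ClientHello: offered suites plus a client random.
        byte[] clientRandom = new byte[32];
        rng.nextBytes(clientRandom);

        // 2. ServerHello: the server picks the suite and contributes its own random.
        String suite = negotiate(CLIENT_SUITES, SERVER_SUITES);
        byte[] serverRandom = new byte[32];
        rng.nextBytes(serverRandom);
        System.out.println("Negotiated cipher suite: " + suite);

        // 3. Certificate: the client now holds the server's public key. Checking that the
        //    certificate is trusted and names the right host is not modelled here.
        PublicKey serverPublic = serverKeys.getPublic();

        // 8. Client Key Exchange: random premaster secret, encrypted so only the server can read it.
        byte[] premaster = new byte[48];
        rng.nextBytes(premaster);
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, serverPublic);
        byte[] encryptedPremaster = rsa.doFinal(premaster);

        // Server side: decrypt with the private key, which never left the server.
        rsa.init(Cipher.DECRYPT_MODE, serverKeys.getPrivate());
        byte[] premasterAtServer = rsa.doFinal(encryptedPremaster);

        // Both sides derive the symmetric session key independently from the same inputs.
        SecretKey clientSessionKey = deriveSessionKey(premaster, clientRandom, serverRandom);
        SecretKey serverSessionKey = deriveSessionKey(premasterAtServer, clientRandom, serverRandom);
        System.out.println("Session keys match: "
                + Arrays.equals(clientSessionKey.getEncoded(), serverSessionKey.getEncoded()));

        // Application data: fast symmetric encryption under the agreed key (AES-CBC here).
        byte[] iv = new byte[16];
        rng.nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, clientSessionKey, new IvParameterSpec(iv));
        byte[] ciphertext = aes.doFinal(
                "card=4111-XXXX-XXXX-XXXX (constructed sample)".getBytes(StandardCharsets.UTF_8));

        aes.init(Cipher.DECRYPT_MODE, serverSessionKey, new IvParameterSpec(iv));
        String recovered = new String(aes.doFinal(ciphertext), StandardCharsets.UTF_8);
        System.out.println("Server recovered: " + recovered);
    }
}
```

Swapping SERVER_SUITES for a list with no entry in common with CLIENT_SUITES makes negotiate throw, which is the "connection will fail" case from the Negotiable Encryption Algorithms slide. The expensive RSA operation happens exactly once, on the 48-byte premaster; everything after that is AES, which is the performance point made on the SSL and Security Keys slide.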
SSL and Encryption
* You need only the server's certificate in order to have encrypted data transfer; this is the reason why you don't need to install a client certificate on your browser in order to send your credit card number securely
Now I just want to repeat a key aspect of SSL one more time so that you folks get a clear understanding of how it works.
As mentioned before, SSL is used for both encryption and authentication. For encryption, you need a certificate from only one side. In a typical B2C communication, it is the server's certificate that is used. This is the reason why you can still send your credit card information to amazon.com even without installing a client certificate on your browser.
SSL and Authentication
* Server authentication: the server needs to provide its own certificate to a client in order to authenticate itself to the client; a Web server typically has a CA-signed certificate and provides it to its clients
* Client authentication: the client needs to provide its own certificate to a server in order to authenticate itself to the server
* Mutual authentication
Another important security service SSL provides is authentication. During your initial attempt to communicate with a Web server over a secure connection, that server will present your Web browser with a set of credentials in the form of a server certificate. The purpose of the certificate is to verify that the server is who and what it claims it is.
Now in an internet environment, the server certificate is typically signed by a well-known certificate authority such as Verisign.
In some cases, the server may request a client certificate in order to verify that the client is who and what it claims it is, and that is known as client authentication.
And when both server authentication and client authentication are performed using certificates, it is referred to as mutual authentication.
SSL and Authentication
* In a typical browser-to-web-server communication, only server authentication is needed: when you send your credit card to a server, you want to make sure the server is who it claims to be
* In the future B2B environment, client certification would also be required
So just to repeat what has been said a couple of times already, in a typical browser-to-web-server B2C communication, only server authentication occurs. In the future B2B communication or Web services environment, where the difference between client and server will be blurring, both parties might have to authenticate themselves to the other party, thus mutual authentication would be required.
SSL and Web-tier Security
* Encrypted passwords move from the browser to the web server
* Encrypted data moves between the browser and the web server
* Server authentication: done before encrypted data transfer occurs
* Client authentication: not used in most cases
Again, I added this somewhat repetitive slide to make sure you really understand how things work between a browser and the web server.
Between a browser and a web server, any sensitive information should be encrypted. Examples of sensitive information include your password and credit card number.
Server authentication has to occur before sensitive information gets transported from the browser to the server. In the other direction, there is less need for it in a typical B2C environment.
Certificates & Keytool Utility
Now let's talk about how certificates are created and which tool you can use to create so-called self-signed certificates.
What is a Certificate?
* A certificate is like a digital driver's license
* A certificate is cryptographically signed and is practically impossible for anyone else to forge
* A certificate can be purchased from (signed by) a well-known CA (Certificate Authority) like Verisign (for a fee)
* A certificate can be self-signed when authentication over the internet is not really a concern, that is, only data privacy and integrity are important
A certificate is a digitally-signed statement from one entity (person, company, etc.) saying that the public key (and some other information) of some other entity has a particular value. So in a sense, it is like a digital version of your ID card, such as a driver's license.
The certificate is cryptographically signed and is practically impossible for anyone else to forge.
For sites involved in e-commerce, or any other business transaction in which authentication of identity is important, a signed certificate can be purchased from a well-known Certificate Authority (CA) such as Verisign or Thawte.
If authentication is not really a concern, in other words, you only want data confidentiality via encryption, then you can save the time and expense involved in obtaining a CA certificate and simply use a self-signed certificate. This is a very important aspect you want to make sure you understand.
What is a Server Certificate?
* A certificate that contains information about the server: the server's public key and other misc. information
* A Web server must have an associated certificate for each external interface, or IP address, that accepts secure connections; the HTTPS service of Tomcat will not run unless a server certificate has been installed
So what is a server certificate? A server certificate is a container that holds the server's public key and other miscellaneous information.
Now, as I said several times already, in a typical B2C communication only server authentication occurs. That is, the web server sends its own certificate to each browser that connects to it. So a web server must have a certificate for any externally exposed interface, for example an IP address, that accepts secure connections. In fact, this is the reason why you have to install the SSL package and HTTPS connector on Tomcat; otherwise, no SSL operation would occur.
Why Is a Server Certificate Needed?
* Enables server authentication: verifies the server's identity to the client
* The client needs to have access to the server certificate; the server sends the server certificate as part of the SSL key handshake
* The HTTPS service of Tomcat will not work unless a server certificate is installed
Certificates are used with the HTTPS protocol to authenticate Web servers to clients. (There is incorrect information in Java WSDP regarding this.) The HTTPS service of the Tomcat server will not run unless a server certificate has been installed. Use the procedure outlined in Java WSDP to set up a server certificate that can be used by Tomcat to enable SSL.
keytool Utility
* A key and certificate management utility
* Enables users to create and administer their own public/private key pairs and associated certificates
* Ships with the JDK (uses an RSA-based JCE provider as default)
* Allows users to cache the public keys (in the form of certificates) of their communicating peers
* Stores the keys and certificates in a so-called keystore
One tool that can be used in order to set up a Tomcat server certificate is keytool, a key and certificate management utility. Among the other things it lets you do, the keytool utility lets you create a self-signed certificate.
The keytool utility that ships with the J2SE SDK also supports a Java Cryptography Extension provider that has implementations of RSA algorithms. This provider enables you to import RSA-signed certificates.
It also enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures.
It also allows users to cache the public keys (in the form of certificates) of their communicating peers.
keytool stores the keys and certificates in a so-called keystore. The default keystore implementation implements the keystore as a file. It protects private keys with a password. For more information on keytool, read its documentation at http://java.sun.com/j2se/1.4/docs/tooldocs/solaris/keytool.html.
SSL Support in Tomcat
Now let's talk about how SSL is supported in Tomcat.
SSL on Tomcat
* You need the following modules: JSSE (Java Secure Socket Extension), a server certificate keystore, an HTTPS connector
* You have to install and configure the SSL HTTPS connector over Tomcat
You only need to configure Tomcat to take advantage of SSL support when you are planning on running it as a stand-alone Web server. When you are planning to run Tomcat primarily as a JSP and Java Servlet container behind another Web server, such as the Apache Web server, it is usually necessary to configure the primary Web server to handle the SSL connections from users. The communications between the primary Web server and Tomcat do not need to be encrypted.
To install and configure SSL support on Tomcat, you need the following three things:
* Java Secure Socket Extension (JSSE)
* A server certificate keystore
* An HTTPS connector
JSSE
* Included in Java WSDP: /common/jsse.jar
* Provides Java packages that support SSL/TLS (jsse.jar)
* SSL supports encryption, server authentication and message integrity over TCP/IP; data over any application-level protocol (HTTP, FTP, Telnet, ...) can be securely protected
* Based on a certificate-based (public and private key) security scheme
You need to have the Java Secure Socket Extension (JSSE) package installed in order for Tomcat to use SSL. JSSE is integrated into the Java WSDP.
JSSE is a set of Java packages that enables secure Internet communications. These packages implement a Java version of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols and include functionality for data encryption, server authentication, message integrity, and optional client authentication.
Using JSSE, developers can provide for the secure passage of data between a client and a server running any application protocol (such as HTTP, Telnet, NNTP, and FTP) over TCP/IP.
By default, the location of the jsse.jar file under Java WSDP is /common/lib/jsse.jar.
Steps of Installing and Configuring SSL over Tomcat
Now let's go over the steps you will follow in order to install and configure SSL over Tomcat.
1. Generate a key pair and a self-signed server certificate
* keytool -genkey -keyalg RSA -alias tomcat -keystore
* Enter the password, the fully-qualified name of your server, organizational unit, organization, etc.
* By default, Tomcat looks for a keystore named .keystore in the home directory of the machine on which Tomcat is running
First, you want to generate a public/private key pair and generate a server certificate from the pair.
To generate the certificate, run the keytool utility as follows, giving -keystore the name of your keystore file:
keytool -genkey -keyalg RSA -alias tomcat -keystore
Tomcat looks for the keystore to have the name .keystore (dot-keystore) in the home directory of the machine on which Tomcat is running.
1.1 Example: keytool usage
C:\>keytool -genkey -keyalg RSA -alias tomcat -keystore \tmp\keyfile.keystore
Enter keystore password: changeit
What is your first and last name?
  [Unknown]: localhost
What is the name of your organizational unit?
  [Unknown]: sun
What is the name of your organization?
  [Unknown]: mde
What is the name of your City or Locality?
  [Unknown]: burlington
What is the name of your State or Province?
  [Unknown]: ma
What is the two-letter country code for this unit?
  [Unknown]: us
Is CN=localhost, OU=sun, O=mde, L=burlington, ST=ma, C=us correct?
  [no]: yes
Enter key password for (RETURN if same as keystore password):
This slide shows an example of creating a certificate. The keytool utility prompts you for the following information:
# Keystore password: enter a password. (You may want to use changeit to be consistent with the default password of the J2SE SDK keystore.)
# First and last name: enter the fully-qualified name of your server. This fully-qualified name includes the host name and the domain name. For testing purposes on a local machine, this will be localhost. (Yes, I know entering localhost as the value of "first and last name" is somewhat confusing.)
# Organizational unit: enter the appropriate value.
# Organization: enter the appropriate value.
# City or locality: enter the appropriate value.
# State or province: enter the unabbreviated name.
# Two-letter country code: for the USA, the two-letter country code is US.
# Review the information you've entered so far; enter Yes if it is correct.
# Key password for Tomcat: do not enter a password. Press Return.
2. Configure the SSL Connector & Restart Tomcat
* By default, SSL HTTPS is not enabled in Tomcat
* You enable and configure an SSL HTTPS Connector on port 8443 in one of two ways: via admintool, or by modifying (actually, uncommenting the SSL connector element in) /conf/server.xml as described in /docs/tutorial/doc/WebAppSecurity6.html#68482
* Restart Tomcat
By default, an SSL HTTPS Connector is not enabled in Tomcat. You can enable and configure an SSL HTTPS Connector on port 8443 using either of the two methods mentioned above, either by using admintool or by modifying the server.xml file manually. Then restart Tomcat.
Now let's take a look at each step in detail in the following slides.
2.1 Admintool
To configure an SSL Connector using admintool, you must first have created a keystore as described in Setting Up a Server Certificate of Java WSDP. Tomcat will be looking for a keystore file named .keystore in the home directory of the machine on which Tomcat is running. When you have verified that you have created the .keystore file, follow these steps.
# Start Tomcat, if you haven't already done so.
# Start admintool by entering http://localhost:8080/admin in a Web browser.
# Enter a user name and password combination that is assigned the role of admin.
# Select Service (Java Web Services Developer Pack) in the left pane.
# Select Create New Connector from the drop-down list in the right pane.
# In the Type field, select HTTPS.
# In the Port field, enter 8443 (or whatever port you require). This defines the TCP/IP port number on which Tomcat will listen for secure connections.
# Enter the Keystore Name and Keystore Password if you have created a keystore file named something other than .keystore, if .keystore is located in a directory other than the home directory of the machine on which Tomcat is running, or if the password is something other than the default value of changeit. If you have used the default values, you can leave these fields blank. The home directory is generally /home/user_name on Unix and Linux systems, and C:\Documents and Settings\user_name on Microsoft Windows systems. Make sure you give the full path name, for example, c:\Documents and Settings\boda\keyfile.keystore under Windows.
# Select Save to save the new Connector for this session.
# Select Commit Changes to write the new Connector information to the server.xml file so that it is available the next time Tomcat is started.
2.2 SSL Connector Element in server.xml
You can also configure the HTTPS Connector by changing server.xml.
An example Connector element for an SSL connector is included in the default server.xml. This Connector element is commented out by default. To enable the SSL Connector for Tomcat, remove the comment tags around the SSL Connector element.
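What the uncommented element looks like once the keystore from step 1 is wired in, as an added example and not the element from the Java WSDP server.xml itself. The attribute names are those of the JSSE connector in Tomcat 5.x (Tomcat 4.x placed the keystore settings on a nested Factory element instead); the keystoreFile path and the password are assumptions taken from the admintool slide, and both can be omitted when the keystore is ~/.keystore with the default password, which Tomcat locates on its own:

```xml
<!-- Added example of an enabled SSL HTTPS Connector on port 8443 (Tomcat 5.x attribute names). -->
<Connector port="8443"
           scheme="https"
           secure="true"
           sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="/home/user_name/keyfile.keystore"
           keystorePass="changeit" />
```

clientAuth="false" is the B2C setting from the earlier slides (server authentication only); setting it to "true" is what turns on the client certificate request described under mutual authentication, and then every browser without a certificate will be refused. Because keystorePass is stored in clear text, server.xml should be readable only by the account Tomcat runs under.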
3. Verify SSL Support
* From the browser, go to https://localhost:8443/
* Port 8443 is where the SSL connector was created
The next step is verifying that SSL is configured correctly.
For testing purposes, and to verify that SSL support has been correctly installed on Tomcat, load the default Tomcat introduction page with the following URL:
https://localhost:8443/
The https in this URL indicates that the browser should be using the SSL protocol. Port 8443 is where the SSL Connector was configured in the previous step.
3.1 Example: Verify SSL Support
Now, the first time a user accesses the secure site, the New Site Certificate dialog displays.
What this dialog box is saying is that the browser has no knowledge of this web server, meaning the browser does not have any way to verify whether the server's certificate it received is in fact a valid one or not. This is because the server's certificate is the one that I created, that is, self-signed. If the certificate had been signed by a well-known Certificate Authority such as VeriSign, then the browser would automatically recognize that the public key is a valid one and would not display this dialog box.
Now, since the browser is not sure, it is asking the user to verify the validity of the certificate using a series of dialog boxes. So here it says that the web server's name is localhost and it received a certificate from it. By the way, since we are running the server on the local host, the name of the web server happened to be set to localhost. If the server is a machine other than localhost, that machine's host name will be displayed.
3.2 Example: Verify SSL Support
So the browser displays a bit of information about the certificate it received so that you can make an intelligent decision whether to accept this certificate or not. So here the browser found out that the certificate was created for an organizational entity called MDE and signed by MDE, and which encryption method is used. (By the way, MDE stands for the Market Development Engineering group within Sun. And since I work for MDE, I used it as the organization name when I created the self-signed certificate.)
3.3 Example: Verify SSL Support
Now it is asking if you are ready to accept this certificate. You have a choice to accept this certificate only for this session or forever, or you can certainly reject it.
3.4 Example: Verify SSL Support
This is another warning message. Basically what it is saying is that the certificate can be used in order to encrypt the information that is being transported between the browser and the web server. However, it does not protect you from fraud. That is, if in fact this website is run by Saddam Hussein, the information that you are exchanging with him can be seen only by you and him, but you don't know what he will do with the information you passed to him.
3.5 Example: Verify SSL Support
This is the final message.
Browser & Certificates
We touched upon a bit how a browser deals with a newly received certificate from a web server it encounters for the first time. Let's talk about some of the certificate management features of a typical browser. This example uses Netscape Navigator.
Netscape: Certificates of CAs
This picture shows all the certificate authorities that the browser knows about. These are typically pre-installed by the browser vendor. As you can see, they include Verisign as one of the primary certification authorities.
Netscape: Certificates of Websites
This is the list of certificates from websites that this browser has accessed.
Netscape: Certificates of Other People
People can certainly use certificates as a way to communicate with you, for example through email, in a secure fashion. This is the list of people who sent you emails using certificates. These certificates are mainly used for confidentiality only.
Netscape: Certificates of Yourself
This is the list of certificates you have installed yourself.
JSSE
Now let's talk a bit about Web services tools for J2EE.
What is JSSE?
* Java API for Secure Sockets Layer (SSL)
* Now a standard part of J2SE 1.4; SSL 3.0 and TLS 1.0
* Supports encryption, server authentication, optional client authentication, data integrity
SSL was founded by Netscape. IETF standardized it as TLS.
Provides security at the session layer. Uses the keys transparently.
Why JSSE?
- 100% pure Java implementation
- Abstracts the complex underlying cryptographic algorithms and thus minimizes the risk of creating subtle and dangerous security vulnerabilities
  - Uses algorithms and keys transparently
- Simple to use to create a secure application
JSSE Framework? Supplements java.security and java.net
packages
? Provides javax.net and javax.net.sslpackages Extends networking socket classes, trust and
key managers, and a socket factory frameworkfor encapsulating socket creation behavior
SunJSSE Provider
- JSSE provider that comes with JDK 1.4.1
- Installed and pre-registered with the Java Cryptography Architecture
- Supplies implementations of SSL v3.0 and TLS v1.0 as well as most common SSL and TLS cipher suites
  - getSupportedCipherSuites
  - getEnabledCipherSuites
  - setEnabledCipherSuites
The J2SE v1.4.1 release comes with a JSSE provider, SunJSSE, that comes installed and pre-registered with the Java Cryptography Architecture. Think of the SunJSSE provider as the name of the implementation. It supplies implementations of SSL v3.0 and TLS v1.0 as well as most common SSL and TLS cipher suites. If you wish to find the list of cipher suites that are supported by your implementation of SSL (SunJSSE in this case), make a call to the getSupportedCipherSuites method in SSLSocket. Not all of these cipher suites, however, might be enabled. To find out which ones are enabled, call the method getEnabledCipherSuites. The list can be modified by calling setEnabledCipherSuites.
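The three calls above in use, as an added example that is not from the slides: it lists what SunJSSE supports and enables by default, then narrows the enabled set to suites that provide both encryption and server authentication, and turns on the optional client authentication the JSSE slide mentions. The name-based filter in selectStrongSuites is my own heuristic, not part of JSSE, and the keystore for the default factory is assumed to be configured through the javax.net.ssl.keyStore system properties.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherSuitePolicy {

    // Heuristic filter (my own, not from the slides): keep only suites that give
    // both confidentiality and server authentication. Drops NULL-encryption,
    // anonymous (no certificate, so no protection from an impersonator),
    // export-grade, RC4 and single-DES suites by their standard names.
    static String[] selectStrongSuites(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String suite : supported) {
            if (suite.contains("_NULL_") || suite.contains("_anon_")
                    || suite.contains("_EXPORT_") || suite.contains("_RC4_")
                    || suite.contains("_DES_")) {
                continue;
            }
            keep.add(suite);
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // Port 0: let the OS pick a free port; this program only inspects the socket
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0);
        try {
            String[] supported = server.getSupportedCipherSuites();
            String[] enabled = server.getEnabledCipherSuites();
            System.out.println("supported by provider: " + supported.length);
            System.out.println("enabled by default:    " + enabled.length);

            // Narrow what this listener is willing to negotiate
            server.setEnabledCipherSuites(selectStrongSuites(supported));
            // Optional client authentication: require a client certificate
            server.setNeedClientAuth(true);

            System.out.println("enabled after policy: "
                + Arrays.toString(server.getEnabledCipherSuites()));
        } finally {
            server.close();
        }
    }
}
```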
JSSE Programming: Server Side
    import java.io.*;
    import javax.net.ssl.*;

    public class Server {
        public static void main(String[] args) {
            // Port to listen on, given on the command line
            int portNumber = Integer.parseInt(args[0]);
            try {
                // The default factory uses the keystore configured through
                // the javax.net.ssl.keyStore system properties
                SSLServerSocketFactory factory =
                    (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
                SSLServerSocket server =
                    (SSLServerSocket) factory.createServerSocket(portNumber);
                SSLSocket client = (SSLSocket) server.accept();
                // Create input and output streams as usual:
                // send secure messages to the client through the output stream,
                // receive secure messages from the client through the input stream
                OutputStream out = client.getOutputStream();
                InputStream in = client.getInputStream();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
Converting the previous program to use SSL is fairly trivial.
We use SSLServerSocketFactory to get a factory, which is used to create a server socket associated with a port, which is then used to accept connections.
JSSE Programming: Client Side
    import java.io.*;
    import javax.net.ssl.*;

    public class Client {
        public static void main(String[] args) {
            // Server host and port, given on the command line
            String serverHost = args[0];
            int port = Integer.parseInt(args[1]);
            try {
                SSLSocketFactory factory =
                    (SSLSocketFactory) SSLSocketFactory.getDefault();
                SSLSocket client = (SSLSocket) factory.createSocket(serverHost, port);
                // Create input and output streams as usual:
                // send secure messages to the server through the output stream,
                // receive secure messages from the server through the input stream
                OutputStream out = client.getOutputStream();
                InputStream in = client.getInputStream();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
Converting the previous program to use SSL is fairly trivial.
We use SSLSocketFactory to get a factory, which is used to create a socket connected to the server's host and port; the connection is then used to exchange messages with the server.
Passion!