Data Encryption using SSL
Topic 5, Chapter 15
Network Programming
Kansas State University at Salina
SSL
- Secure Sockets Layer (SSL)
- Transport Layer Security (TLS)
- Based on public certificates and private keys
- Certificates may be either self signed or verified by one of a few trusted Certificate Authorities (CA)
- Often used with HTTP (https://www...)
- Can be used with SMTP, ssh, scp, any client server communication.
- Python has basic SSL client capability. OpenSSL module provides more. Re-worked in Python 2.6 to also include server side support.
How it works
1. Client and server establish socket connection
2. Server sends public certificate to client
3. To verify authenticity of the server, client may validate the certificate with one of a few trusted certificate authorities
4. Client encrypts the message using the public key and sends it to the server
5. Server receives the message and decrypts it using the private key
Public / Private Keys
- The keys are a matched pair
- Messages encrypted with the public key can only be decrypted with the private key
- Having the public key will not help decrypt a message
- Keys may be self signed for private activities
- Public servers usually have purchased certificates
- In many cases, especially with HTTP, the message is only encrypted from client to server. Thus, the credit card number is usually ‘X’ed out in the receipt.
Self Signing a certificate
    1010 timber:~/openssl> openssl req -new -out certfile.pem -keyout keyfile.pem
    Generating a 1024 bit RSA private key
    ........++++++
    ................................................++++++
    writing new private key to 'keyfile.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:US
    State or Province Name (full name) [Berkshire]:Kansas
    Locality Name (eg, city) [Newbury]:Salina
    Organization Name (eg, company) [My Company Ltd]:Kansas State University
    Organizational Unit Name (eg, section) []:Engineering Technology
    Common Name (eg, your name or your server's hostname) []:timber.sal.ksu.edu
    Email Address []:[email protected]

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
Public Certificate and Private Key
    1012 timber:~/openssl> cat keyfile.pem
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,F7FFBD69A863B27B
    [base64-encoded key data]
    -----END RSA PRIVATE KEY-----
    1011 timber:~/openssl> cat certfile.pem
    -----BEGIN CERTIFICATE REQUEST-----
    [base64-encoded request data]
    -----END CERTIFICATE REQUEST-----
Programming SSL
- Client Side
  - Limited support in built-in socket module
  - ssl = socket.ssl( socket )
  - Two methods: read(), write()
  - Create wrapper to make easier to use – see basic-wrap.py
- Server Side
  - Need either additional module or version 2.6 or later of Python
  - See example on next slide
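Python 2.6 ssl module server side example
    import socket, ssl

    # bindsocket: a TCP socket that is already bound and listening
    # deal_with_client: the application's handler for one connection
    while True:
        newsocket, fromaddr = bindsocket.accept()
        # Wrap the accepted socket so all further traffic is encrypted
        connstream = ssl.wrap_socket(newsocket,
                                     server_side=True,
                                     certfile="mycertfile",
                                     keyfile="mykeyfile",
                                     ssl_version=ssl.PROTOCOL_TLSv1)
        deal_with_client(connstream)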
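
The same accept-and-wrap step on current Python 3, where ssl.wrap_socket() has been removed (Python 3.12) and an SSLContext takes its place, run over loopback against a client that verifies the server certificate. This is an added example, not code from the original slides. It assumes the openssl command-line tool (1.1.1 or later) is on PATH; the localhost certificate, the loopback port and the names make_self_signed and tls_roundtrip are constructed for illustration.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(directory, hostname="localhost"):
    """Throwaway self-signed cert + unencrypted key (constructed test material)."""
    cert = os.path.join(directory, "certfile.pem")
    key = os.path.join(directory, "keyfile.pem")
    # -x509 makes `openssl req` emit a self-signed certificate rather than a
    # certificate request; -nodes leaves the key without a pass phrase.
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=" + hostname,
                    "-addext", "subjectAltName=DNS:" + hostname,
                    "-out", cert, "-keyout", key],
                   check=True, capture_output=True)
    return cert, key

def tls_roundtrip(message, trust_server_cert=True):
    """Send `message` to a loopback TLS server; return (reply, TLS version)."""
    with tempfile.TemporaryDirectory() as d:
        cert, key = make_self_signed(d)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        server_ctx.load_cert_chain(certfile=cert, keyfile=key)
        # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking.
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        if trust_server_cert:
            client_ctx.load_verify_locations(cafile=cert)
        bindsocket = socket.create_server(("127.0.0.1", 0))
        port = bindsocket.getsockname()[1]

        def serve_one():
            newsocket, fromaddr = bindsocket.accept()
            try:
                with server_ctx.wrap_socket(newsocket, server_side=True) as conn:
                    conn.sendall(conn.recv(1024).upper())
            except (ssl.SSLError, OSError):
                newsocket.close()  # handshake was rejected by the client

        worker = threading.Thread(target=serve_one, daemon=True)
        worker.start()
        try:
            with socket.create_connection(("127.0.0.1", port)) as raw:
                with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                    tls.sendall(message)
                    return tls.recv(1024), tls.version()
        finally:
            worker.join(timeout=5)
            bindsocket.close()

if __name__ == "__main__":
    print(tls_roundtrip(b"hello over TLS"))
```

Calling tls_roundtrip with trust_server_cert=False leaves the client's trust store empty, so the handshake fails with ssl.SSLCertVerificationError instead of silently accepting the self-signed certificate.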