Embed Size (px)
Citation preview
Softsmith Infotech
Secure Socket Layer (SSL)and Tomcat
Softsmith Infotech
What is SSL
• SSL stands for Secure Socket Layer.• Secure Socket Layer (SSL) technology allows web browsers and
web servers to communicate over a secure connection
Softsmith Infotech
Secure Socket Layer (SSL)
• Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers.
• Responsible for the emergence of
e-commerce, other security sensitive services on the web
Softsmith Infotech
The SSL Protocol
• The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP
Softsmith Infotech
Why SSL SSL addresses the following important security considerations.
• Authentication: During initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials in the form of a server certificate. The purpose of the certificate is to verify that the site is who and what it claims to be.
• Confidentiality: When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL responses are encrypted so that the data cannot be deciphered by the third party and the data remains confidential.
• Integrity: When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL helps guarantee that the data will not be modified in transit by that third party.
Softsmith Infotech
What SSL Provides
• Confidentiality (Privacy)• Data integrity (Tamper-proofing)• Server authentication
Softsmith Infotech
SSL KEY EXCHANGE STEPS
• SSL client connects to an SSL server
• Server then sends its own certificate that contains its public key
• Client then creates a random key (premaster key) and uses server's public key to encrypts it
Softsmith Infotech
SSL KEY EXCHANGE STEPS (ctd ..)
• Client then sends encrypted premaster key to the server
• Server then decrypts it and uses decrypted premaster key to create secret session key
• Now both client and server uses secret session key for further communication
Softsmith Infotech
SSL and Authentication
• Server Authentication:
Server needs to provide its own certificate to a
client in order to authenticate itself to the client
A Web server typically has a CA-signed certificate and it provides it to its clients
• Client Authentication:
Client needs to provide its own certificate to a
server in order to authenticate itself to the server• Mutual Authentication
Softsmith Infotech
SSL and Web-tier Security
• Encrypted password move from the browser
to the web server• Encrypted data move between the browser
and the web server• Server authentication
– Done before encrypted data transfer occurs• Client Authentication
– Not used in most cases
Softsmith Infotech
What is a Certificate (Ctd..)
• A certificate is cryptographically signed and is practically impossible for anyone else to forge
• A certificate can be purchased from (signed by) a well-known CA (Certificate Authority) like Verisign
Softsmith Infotech
What is Server Certificate?
• A server certificate is a container that contains server's public key and other miscellaneous information
• Web server must have an associated certificate for each external interface, or IP address, that accepts secure connections.This provides some kind of reasonable assurance that its owner is who you think it is
Softsmith Infotech
Why Server Certificate is Needed?
• Server Certificate enables Server Authentication
• Server sends server certificate as part of SSL key handshake
• HTTPS service of Tomcat would not work unless a server certificate is installed
• Verifies the server's identity to the client, before receiving any sensitive information
Softsmith Infotech
Creating a Server Certificate(ctd)
To create a server certificate follow these steps:
1) Create the keystore.
2) Export the certificate from the keystore.
3) Sign the certificate.
4) Import the certificate into a trust-store: a repository of certificates used for verifying the certificates. A trust-store typically contains more than one certificate
Softsmith Infotech
Generate the server certificate
• To generate the certificate, run the keytool utility as follows JAVA_HOME>\bin\ keytool -genkey -keyalg RSA -alias tomcat -keystore
localhost.jks
When you press Enter, keytool prompts you to enter the server name,
organizational unit, organization, locality, state, and country code
Softsmith Infotech
Generate the server certificate(Ctd)
• Screen Display
Softsmith Infotech
Export the certificate from the keystore.
• Export the generated server certificate in keystore.jks into the file server.cer.
<JAVA_HOME>\bin\keytool -export -alias tomcat storepass changeit -file server.cer
-keystore localhost.jks
Softsmith Infotech
Export the certificate from the keystore(Ctd..)
• Screen Display
Softsmith Infotech
Signing Digital Certificates
• After a digital certificate is created , they are signed by its owner. After the digital certificate has been cryptographically signed by its owner, it is difficult for anyone else to forge.
• For sites involved in e-commerce or any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known certificate authority such as VeriSign or Thawte.
• If authentication is not really a concern ,use the self-signed certificate
Softsmith Infotech
Importing certificate into trust-store
• To create the trust-store file cacerts.jks and add the server certificate to the trust-store, run keytool with following parameters
<JAVA_HOME>\bin\keytool -import -v -trustcacerts-alias server-alias -file server.cer - keystore cacerts.jks -keypass changeit - storepass changeit
Softsmith Infotech
Importing certificate into trust-store
• Information on the certificate, such as that shown next, will display
Softsmith Infotech
Programming with JSSE
• The Java Secure Socket Extension (JSSE) provides a framework and a Java implementation of the SSL and TLS protocols
• It provides mechanisms for data encryption, server authentication, message integrity, and optional client authentication.
• The JSSE APIs supplement the java.security and java.net packages by providing extended networking socket classes, trust and key managers, and a socket factory framework for encapsulating socket creation behavior. These classes are included in the packages javax.net and javax.net.ssl.
Softsmith Infotech
Programming with JSSE(Ctd.)
SSLSocket and SSLServerSocket
The javax.net.ssl.SSLSocket is a subclass of the java.net.Socket class. Therefore, it supports all the standard Socket methods and adds additional methods specific to secure sockets. The javax.net.ssl.SSLServerSocket class is analogous to the SSLSocket class except that it is used to create server sockets.
Creating an instance of SSLSocket can be done in two ways:
1. As an instance of SSLSocketFactory by invoking one of the createSocket methods on that class
2. Through the accept method on the SSLServerSocket
Softsmith Infotech
Programming with JSSE(Ctd..)
SSLSocketFactory and SSLServerSocketFactory
• The javax.net.ssl.SSLSocketFactory class is an object factory for creating secure sockets, and the javax.net.ssl.SSLServerSocketFactory is an object factory for creating server sockets.
An SSLSocketFactory instance can be obtained in two ways
1.Get the default factory by calling SSLSocketFactory.getDefault.
2. Construct a new factory with specified configured behavior
Softsmith Infotech
Making Existing Client/Server Applications Secure
Incorporating SSL into existing client/server applications to make them secure can be easily done using a few lines of JSSE code. The lines highlighted in bold in the following example show the code necessary to make a server secure:
import java.io.*; import javax.net.ssl.*; public class Server { int port = portNumber; SSLServerSocket server; try { SSLServerSocketFactory factory = (SSLServerSocketFactory)
SSLServerSocketFactory.getDefault(); server = (SSLServerSocket) factory.createServerSocket(portNumber); SSLSocket client = (SSLSocket) server.accept(); // Create input and output streams as usual // send secure messages to client through the // output stream // receive secure messages from client through // the input stream } catch(Exception e) { } }
Softsmith Infotech
Making Existing Client/Server Applications Secure
• The lines highlighted in bold in the following example show the code necessary to make a client secure
import java.io.*; import javax.net.ssl.*; public class Client { . try { SSLSocketFactory factory = (SSLSocketFactory)
SSLSocketFactory.getDefault(); server = (SSLServerSocket) factory.createServerSocket(portNumber);
SSLSocket client = (SSLSOcket) factory.createSocket(serverHost, port);
// Create input and output streams as usual // send secure messages to server through the // output stream receive secure // messages from server through the input stream } catch(Exception e) { } }
Softsmith Infotech
SSL Support inTomcat
To implement SSL on Tomcat you need the following installed :
- JSSE (Java Secure Socket Extension). package installed – Server certificate keystore – An HTTPS connector
Softsmith Infotech
Configure SSL Connector
• After the Server certificate is generated using keytool as shown above ,Tomcat needs to be configured for SSL
• By default, an SSL HTTPS Connector is not enabled in Tomcat. • SSL HTTPS Connector on port 8443 can be enabled & configured in one of
two methods – via Admintool – Modify server.xml
• Restart Tomcat
Softsmith Infotech
Verify SSL Support
• The next step is verifying if SSL is configured correctly. For testing purposes, and to verify that SSL support has been correctly installed on Tomcat, load the default Tomcat introduction page with the following URL:
https://localhost:8443/
• The https in this URL indicates that the browser should be using the SSL protocol. The port of 8443 is where the SSL Connector was configured in the previous step
Softsmith Infotech
Verify SSL Support
• Screen Display
Softsmith Infotech
Verify SSL Support
• Screen Display of Certificate
Softsmith Infotech
Tips on running SSL
• The SSL protocol is designed to be as efficient as securely possible. However, encryption and decryption are computationally expensive processes from a performance standpoint.
• It is not necessary to run an entire web application over SSL, Pages that might require a secure connection include login pages, personal information pages, shopping cart checkouts, or any pages where credit card information could possibly be transmitted
Softsmith Infotech
SSL Drawbacks
The problems associated with SSL are
• It prevents caching.
• Using SSL imposes greater overheads on the server and the client.
• Some firewalls and/or web proxies may not allow SSL traffic.
• There is a financial cost associated with gaining a Certificate for the server/subject device
Softsmith Infotech
Common Security Problems
• Unvalidated Parameters.:– Information from web request is not validated before used by a
web application.Attackers can use these flaws to attack backend components through a web application.
Softsmith Infotech
Common Security Problems
• Broken Access Control:– Restriction on what authenticated users allowed to do are not
properly enforced.– Attackers can exploit these flaws to access other users accounts
view sensitive files, or use unauthorized functions.
Softsmith Infotech
Common Security Problems
• Broken Account and session Management.• Cross-Site scripting Flaws
– The web application can be used as a mechanism to transport an attack to an end user’s browsers.
Softsmith Infotech
Common Security Problems
• Buffer Overflows:– Web application components in some languages that do not
properly validate input can be crashed and, in some cases, used to take control of process.
– These components can include CGI,libraries,drivers and web application server components.
Softsmith Infotech
Common Security Problems
• Error Handling Problems:– Error Conditions that occur during normal operation are not
handled properly.– If an attacker can cause errors to occur that the web application
does not handle, they can gain detailed system information,deny service, cause security mechanisms to fail, or crash the server.
Softsmith Infotech
Common Security Problems
• Remote Administration Flaws:– Many web application allow administrators to access the site
using a web interface.– If these administrative functions are not very carefully protected,
an attacker can gain full access to all aspects of a site.
Softsmith Infotech
Using a Firewall
• A firewall can be software ,hardware or a combination of both.• They are different types: proxy servers, packet filters.• Play a key role in protecting Tomcat.
