OpenSSL and Data Security on the Web
Source: csis.pace.edu/~lchen/pcap15/WebSecurity.pdf (transcript of a 23-slide deck)

Page 1

OpenSSL and Data Security on the Web

Li-Chiou Chen
Seidenberg School of Computer Science and Information Systems
Pace University
March 27th, 2015

Page 2

Agenda

Web transaction
What is HTTPS
What is a digital certificate
What is SSL?
What is OpenSSL?
OpenSSL vulnerabilities
Cybersecurity awareness resources

© Li-Chiou Chen, Pace University 2

Page 3

What are things you do on the web?


Page 4


Page 5

How are my web transactions secured?


Page 6


How are the web transactions secured?

Page 7

What is HTTPS

A protocol for secure communications using HTTP.

HTTP + TLS (Transport Layer Security)

How is this done? We need to talk about digital certificates first.


Page 8

Activity I: Explore SSL Server Certificate

Go to https://www.facebook.com
Click on the lock to the left of the URL. A little dialog box that says “you are connected to facebook” will show up.
Click on More Information on the dialog box. You can then see more information about Facebook’s certificate.


Page 9

Click on View Certificate


Page 10

Discuss the information on the certificate: what does each field mean?


Page 11

What is a Digital Certificate

Digital proof of who you are, verified by a trusted third party

Contains the information needed to achieve encryption and authentication:
Version
Serial number
Signature algorithm identifier: hash algorithm
Issuer’s name; uniquely identifies the issuer
Interval of validity
Subject’s name; uniquely identifies the subject
Subject’s public key
Signature: enciphered hash


Page 12

Certificate Authority

(Diagram: a CA, a client and a server.)

The client installs the CA’s root certificate (CR). The CA issues a certificate (CS) for Facebook, the server. The server sends CS to the client, and the client authenticates CS using CR.

Who are the CAs? How do we know which CA to trust?

Page 13

Activity II: Look for Root Certificates

Open Firefox
Click on Options under the Firefox tab at the top
Click on the Certificate tab
Click on the View Certificate button
Click on the Authorities tab
You can then find the list of CA root certificates installed in your browser. Name some of them.


Page 14

Have you heard about these companies?


Page 15

What is Secure Socket Layer (SSL) or Transport Layer Security (TLS)

A secure communication protocol for

Encryption of web content

Authentication of web server

Authentication of web client is optional and is typically implemented using user login.


Page 16

Secure Socket Layer: Handshaking

(Diagram: Alice, Facebook and the CA, DigiCert.)

1: Install DigiCert’s public key (root certificate) in Alice’s browser
2: DigiCert signs Facebook’s certificate (DigiCert’s public key is in the root certificate)
3: Facebook sends its certificate to Alice
4: Alice verifies Facebook’s certificate using DigiCert’s certificate
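The trust chain drawn on slides 12 and 16, acted out with the openssl command line as an added example (not part of the original slides): a throwaway root CA signs a server certificate, the "browser" holds only that root, and verification succeeds against the issuing root but fails against any other. The names Demo Root CA, www.example.test and Other CA are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the slides: a throwaway two-level PKI built with the
# openssl command line to act out slides 12 and 16. The CA signs the server's
# certificate; the client holds only the CA's root certificate and uses it to
# verify the server. All names here (Demo Root CA, www.example.test, Other CA)
# are made up for the demonstration.
set -e

mini_pki_demo() {
  dir=$(mktemp -d)            # scratch directory; the real trust store is untouched
  cd "$dir"

  # Step 1: the CA's self-signed root certificate (the "CR" the client installs).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.pem 2>/dev/null

  # Step 2: the server's key and request; the CA signs the request, producing "CS".
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -days 1 -in server.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -out server.pem 2>/dev/null

  # A second, unrelated CA: a root the client has NOT installed.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout other.key -out other.pem 2>/dev/null

  # The slide-11 fields of the server certificate: issuer, subject, serial, validity.
  openssl x509 -in server.pem -noout -issuer -subject -serial -dates

  # Steps 3-4: the client checks CS against the root it trusts. Only the issuing
  # root verifies; the unrelated root fails with "unable to get local issuer certificate".
  if openssl verify -CAfile root.pem server.pem >/dev/null 2>&1; then good=OK; else good=FAIL; fi
  if openssl verify -CAfile other.pem server.pem >/dev/null 2>&1; then bad=OK; else bad=FAIL; fi

  cd / && rm -rf "$dir"
  echo "trusted_root=$good untrusted_root=$bad"   # last line printed: the verdict
}

mini_pki_demo
```

The same check is what a browser performs in step 4 of the slide, with the root certificates from Activity II playing the role of root.pem.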

Page 17

Secure Socket Layer: Sending Data

(Diagram: Alice and Facebook.)

1: Decide an encryption algorithm
2: Encrypt the data (a session key) using Facebook’s public key (in the certificate)
3: Send the encrypted data (session key)
4: Decrypt the encrypted data using Facebook’s private key to obtain the session key
5: Alice and Facebook communicate securely by encrypting data using the session key
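The five steps of slide 17 acted out with the openssl command line, as an added example that is not part of the original slides: Alice chooses a random session key, encrypts it to the server’s public key, the server recovers it with its private key, and both sides then protect the request with that shared key. The server key pair is freshly generated here as a stand-in for the key in Facebook’s certificate, and the request text is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: the "Sending Data" steps of slide 17 acted
# out with the openssl command line. Alice chooses a random session key, encrypts
# it to the server's public key (a freshly generated stand-in for the key in
# Facebook's certificate), the server recovers it with its private key, and both
# then protect the application data with that shared key.
set -e

session_key_demo() {
  dir=$(mktemp -d)
  cd "$dir"
  # Stand-in for the server's key pair; the public half is what the certificate carries.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key 2>/dev/null
  openssl pkey -in server.key -pubout -out server_pub.pem

  # Steps 1-3: Alice picks AES-256 and a fresh 256-bit session key, then encrypts
  # the key to the server's public key (RSA-OAEP padding) and sends the result.
  openssl rand -hex 32 > alice_session.hex
  openssl pkeyutl -encrypt -pubin -inkey server_pub.pem -pkeyopt rsa_padding_mode:oaep \
    -in alice_session.hex -out session.enc

  # Step 4: only the holder of server.key can recover the session key.
  openssl pkeyutl -decrypt -inkey server.key -pkeyopt rsa_padding_mode:oaep \
    -in session.enc -out server_session.hex
  [ "$(cat alice_session.hex)" = "$(cat server_session.hex)" ] && keys=match || keys=differ

  # Step 5: both sides encrypt and decrypt application data with the session key.
  iv=$(openssl rand -hex 16)    # constructed here; a TLS record carries its own nonce/IV
  printf 'GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n' > request.txt
  openssl enc -aes-256-cbc -K "$(cat alice_session.hex)" -iv "$iv" -in request.txt -out request.enc
  openssl enc -d -aes-256-cbc -K "$(cat server_session.hex)" -iv "$iv" -in request.enc -out request.dec
  [ "$(cat request.txt)" = "$(cat request.dec)" ] && data=match || data=differ

  cd / && rm -rf "$dir"
  echo "session_key=$keys data=$data"
}

session_key_demo
```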

Page 18

What is OpenSSL?

A set of open source libraries to implement the SSL protocol and other crypto algorithms

Generate public key and private key
Create digital certificate
Testing communication between server and client
…

More information on https://www.openssl.org/


Page 19

Activity III: Use OpenSSL to communicate with a server

Open the openssl-0.9.8k_WIN32 folder
Open the bin folder
Click on openssl.exe and an openssl command prompt should show up
We will try to communicate with a server securely using openssl.


Page 20

Communicate with a server securely using openssl

Under the openssl command prompt, type s_client -connect www.facebook.com:443
What is your result? Try to explain it.
Now type GET / HTTP/1.1
What is your result? Try to explain it.
Now exit the openssl command line: type exit


Page 21

So, what is wrong with openssl?

Many companies use openssl to implement their certificates and SSL communications
Used for web servers, email security, etc.
Recent vulnerabilities (fixed):
Heartbleed bug
CCS Injection
ClientHello sigalgs DoS


Page 22

Resources: Watch Video

DoD DISA video on cybersecurity awareness

http://iase.disa.mil/eta


Page 23

Questions / Comments
