design of sslproxy ganesh kumar godavari department of computer science univ. of colorado, colorado...
DESCRIPTION
Design Of SSLProxy Ganesh Kumar Godavari Department of Computer Science Univ. of Colorado, Colorado springs. About SSL. Secure Sockets Layer (SSL) protocol developed by Netscape Communications to ensure private and authenticated communications - PowerPoint PPT PresentationTRANSCRIPT
04/22/23 SSL Proxy by Ganesh Godavari 1
Design Of SSLProxy
Ganesh Kumar GodavariDepartment of Computer Science
Univ. of Colorado, Colorado springs
04/22/23 SSL Proxy by Ganesh Godavari 2
About SSL
• Secure Sockets Layer (SSL) protocol – developed by Netscape Communications to ensure private and
authenticated communications– put into the public domain for the Internet community
04/22/23 SSL Proxy by Ganesh Godavari 3
SSLSession
Please refer to Appendix A
04/22/23 SSL Proxy by Ganesh Godavari 4
SSL HANDSHAKE• Elements of the handshake sequence
– Negotiate the Cipher Suite to be used during data transfer – Establish and share a session key between client and server – Optionally authenticate the server to the client – Optionally authenticate the client to the server
• Components of Cipher Suite– Key Exchange Method
• key exchange method defines how the shared secret symmetric cryptography key used for application data transfer will be agreed upon by client and server.
• SSL 2.0 uses RSA key exchange, while SSL 3.0 supports a choice of key exchange algorithms including the RSA key exchange when certificates are used, and Diffie-Hellman key exchange for exchanging keys without certificates and without prior communication between client and server
– Cipher for Data Transfer • SSL uses the conventional cryptography algorithm (symmetric cryptography) described earlier
for encrypting messages in a session. There are nine choices, including the choice to perform no encryption:
– No encryption – Stream Ciphers – RC4 with 40-bit keys – RC4 with 128-bit keys – CBC Block Ciphers – RC2 with 40 bit key – DES40, DES, 3DES_EDE. – Idea – Fortezza
04/22/23 SSL Proxy by Ganesh Godavari 5
SSL HANDSHAKE Contd..
– Message Digest for creating the Message Authentication Code (MAC)• The choice of digest function determines how a digest is created from a record
unit. SSL supports the following: – No digest (Null choice) – MD5, a 128-bit hash
• Secure Hash Algorithm (SHA), a 160-bit hash designed for use with the Digital Signature Standard (DSS)
• The message digest is used to create a Message Authentication Code (MAC) which is encrypted with the message to provide integrity and to prevent against replay attacks.
04/22/23 SSL Proxy by Ganesh Godavari 6
Handshake Sequence Protocol
The handshake sequence uses three protocols: – The "SSL Handshake Protocol" for performing the client and server
SSL session establishment. – The "SSL Change Cipher Spec protocol" for actually establishing
agreement on the Cipher Suite for the session. – The "SSL Alert Protocol" for conveying SSL error messages
between client and server.
SSL Protocol Stack
04/22/23 SSL Proxy by Ganesh Godavari 7
SSL Record Protocol• SSL Record Protocol is used
– to transfer application and SSL Control data between the client and server, possibly fragmenting this data into smaller units, or combining multiple higher level protocol data messages into single units.
– It may compress, attach digest signatures, and encrypt these units before transmitting them using the underlying reliable transport protocol
04/22/23 SSL Proxy by Ganesh Godavari 8
Session Reusability
04/22/23 SSL Proxy by Ganesh Godavari 9
OpenSSL
• OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson.
• Open Source toolkit implementing the Secure Socket Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library
• Important Libraries – SSL
• The OpenSSL ssl library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols
– Crypto• The OpenSSL crypto library implements a wide range of cryptographic
algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of SSL, TLS, and they have also been used to implement SSH, OpenPGP, and other cryptographic standards
04/22/23 SSL Proxy by Ganesh Godavari 10
Command Interface
• The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for
– Creation of RSA, DH and DSA key parameters – Creation of X.509 certificates, and CRLs– Calculation of Message Digests o Encryption and Decryption with Ciphers – SSL/TLS Client and Server Tests – Handling of S/MIME signed or encrypted mail
04/22/23 SSL Proxy by Ganesh Godavari 11
Working with OpenSSL
• First an SSL_CTX object is created as a framework to establish TLS/SSL enabled connections.
• When a network connection has been created, it can be assigned to an SSL object. After the SSL object has been created using SSL_new, SSL_set_fd or SSL_set_bio can be used to associate the network connection with the object.
• Then the TLS/SSL handshake is performed using SSL_accept or SSL_connect respectively.
• SSL_read and SSL_write are used to read and write data on the TLS/SSL connection.
• SSL_shutdown can be used to shut down the TLS/SSL connection.
04/22/23 SSL Proxy by Ganesh Godavari 12
Sample Code SSL_CTX *ctx; SSL_METHOD *method=SSLv23_server_method(); X509 *ca_cert, *client_cert; FILE *ca_fp=(FILE *) NULL; SSL *ssl=(SSL *) NULL;
SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); ctx=(SSL_CTX *) SSL_CTX_new(method);
if (ctx == (SSL_CTX *) NULL) printf("Unable to create new SSL CTX\n");
if (!SSL_CTX_load_verify_locations(ctx,ca_file,ca_path)) printf("Failed in SSL_CTX_load_verify_locations()!\n");
/*Load Private Key*/ if (SSL_CTX_use_RSAPrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) == -1) printf("Error reading private key\n");
04/22/23 SSL Proxy by Ganesh Godavari 13
Sample Code
/*Load Certificate */if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) == -1)printf("Error reading certificate\n");
/*check if the certificate and private key match*/ if (SSL_CTX_check_private_key(ctx) == -1)printf(“Error cerificate and private key don’t match\n");
/*Load randomness*/if (!RAND_load_file(rand_file,1024*1024)) printf(stderr,"Unable to load Randomness for generating Entropy :-( \n");/*read the ca certificate and save the issuer string, we'll compare the
client's issuer with this one, if they match allow connection or zap him*/
04/22/23 SSL Proxy by Ganesh Godavari 14
Sample Code
if ((ca_fp=fopen(ca_file,"r"))== (FILE *) NULL) printf("Failed to open Trusted CA certificate file: %s\n", ca_file); ca_cert=NULL; ca_cert=X509_new();if (!PEM_read_X509(ca_fp,&ca_cert,NULL,NULL)) printf("Error reading trusted CA certificate file: %s\n",ca_file);
X509_NAME_oneline(X509_get_issuer_name(ca_cert),issuer,256);
if (issuer == (char *) NULL) printf("No issuer for trusted CA certificate file!\n");
if (ca_cert != NULL) X509_free(ca_cert);
04/22/23 SSL Proxy by Ganesh Godavari 15
Sample Code
sock_fd=serverSocket((u_short) SERVER_PORT ,1000);if ((ssl=SSL_new(ctx)) == NULL) printf("Failed in SSL_new()!\n");SSL_set_fd(ssl,sock_fd);/* cleanup the structures */ SSL_clear(ssl); SSL_set_session(ssl,NULL); SSL_set_accept_state(ssl); /*session handling fucntions*/ SSL_CTX_flush_sessions(ctx, SSL_SESSION_CACHE_TIMEOUT); SSL_CTX_sess_set_new_cb(ctx, ssl_callback_NewSessionCacheEntry); SSL_CTX_sess_set_get_cb(ctx,
ssl_callback_GetSessionCacheEntry); SSL_CTX_sess_set_remove_cb(ctx,
ssl_callback_DelSessionCacheEntry);
04/22/23 SSL Proxy by Ganesh Godavari 16
err=SSL_accept(ssl); /* case where the connection was closed before any data was transferred */ if (SSL_get_error(ssl, err) == SSL_ERROR_ZERO_RETURN)printf("SSL handshake stopped: connection was closed"); /*case where OpenSSL has recognized a HTTP request => client speaks
plain HTTP on our HTTPS*/ else if (ERR_GET_REASON(ERR_peek_error()) ==
SSL_R_HTTP_REQUEST) printf("SSL handshake failed: HTTP spoken on HTTPS port; "); else if (SSL_get_error(ssl, err)==SSL_ERROR_SYSCALL){ if (errno > 0) printf("SSL handshake interrupted bysystem\n [Hint: Stop button pressed in browser?!]\n"); else printf("Spurious SSL handshake interrupt [Hint: Usually just one of those
OpenSSL confusions!?]\n");} else if (err == -1)printf("Error : unknown error in SSL_accept()\n");
04/22/23 SSL Proxy by Ganesh Godavari 17
Sample Code
/* not verifying client at thistime ?? */ server_verify=SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|SSL_VERIFY_CLIENT_ONCE;
(void)SSL_CTX_set_verify(ctx,server_verify,NULL);
if(SSL_get_verify_result(ssl) != X509_V_OK) printf("Client %s certificate does not verify\n",szclient.name);
04/22/23 SSL Proxy by Ganesh Godavari 18
SSL Read
int ireadSSL(SSL *ssl,char *buf,int nbyte){ int ret=0; while (1) { ret=SSL_read(ssl,buf,nbyte); if((ret < 0) && (errno == EINTR)) continue; else return (ret); } return (ret); /* won't be here but for saftey*/}
04/22/23 SSL Proxy by Ganesh Godavari 19
SSL Write int sockWriteSSL(SSL *ssl,char *str,size_t count){ size_t bytesSent=0; int thisWrite; while (bytesSent < count) { do thisWrite=SSL_write(ssl,str,count-bytesSent); while ((thisWrite < 0) && (errno == EINTR)); if (thisWrite <= 0) return (thisWrite); bytesSent += thisWrite; str += thisWrite; } return (count);}
04/22/23 SSL Proxy by Ganesh Godavari 20
What is SSLproxy
• SSLproxy is a transparent proxy that can translate between encrypted and unencrypted data transport on socket connections.
04/22/23 SSL Proxy by Ganesh Godavari 21
Advantages of SSLproxy
• Preferential Treatment– SSLproxy has been developed to handle secure Content based routing of
Requests.• Security
– The proxy establishes the secure connection if the Server doesn't support HTTPS
04/22/23 SSL Proxy by Ganesh Godavari 22
Questions ??
04/22/23 SSL Proxy by Ganesh Godavari 23
References• Introducing SSL and certificates using SSLeay, http://www.
ultrnet.com/~fhirsch/Papers/wwwj/article.html • SSL tunneling and the proxy,
http://developer.netscape.com/docs/manuals/proxy/ProxyUnx/SSL-TUNL.HTM
• SSL and Crypto web pages at http://openssl.org/docs/crypto/crypto.html
• Designing a secured web site; what you need to know about SSL Benchmarking, Intel white paper.http://www.intel.com/network/idc/doc_library/white_papers/ssl_benchmarking/index.htm