Ost ssl lec

SSH / SSL Kaustubh Joshi June 20, 2022

Upload: kaustubh-joshi

Post on 24-May-2015

Category: Engineering

DESCRIPTION

OST lecture 16/9/2014

TRANSCRIPT

Page 1: Ost ssl lec

SSH / SSL
Kaustubh Joshi

April 12, 2023

Page 2: Ost ssl lec

Secure Shell

One of the primary goals of the ARPANET was remote access.
Several different commands allowed it: rlogin, rcp, rsh.
All data was sent unencrypted. This was a different world than exists today.

Page 3: Ost ssl lec

Secure Shell Contd.

SSH is a UNIX-originated command interface and protocol for securely accessing a remote computer.

Suite of four utilities: slogin, ssh, sftp, and scp.

Can protect against: IP spoofing and DNS spoofing (an impostor host cannot present the expected host key), interception of information, sniffing.

Also provides tunneling: other traffic can be carried inside the encrypted channel (see SSH Tunneling below).

Page 4: Ost ssl lec

SSH Objectives

Protect data sent over the network:
  Negotiate an encryption algorithm between sender and receiver.
  Use that algorithm and a session key to encrypt / decrypt the data sent.

Provide host authentication:
  Use the server's public key / fingerprint to ensure the identity of the remote host.
  Relies on locally generated keys, so no certifying authority is generally available. The client therefore records the host key in ~/.ssh/known_hosts on first contact (trust on first use) and warns when it later changes; the fingerprint shown on that first connection must be checked out of band, because it is the only moment at which an impostor could be accepted silently.

Page 5: Ost ssl lec

SSH supported Graphical FTP Client

FileZilla, which speaks SFTP over SSH: https://filezilla-project.org/download.php?type=client

Page 6: Ost ssl lec

Installation of SSL manually from terminal

Install mod_ssl:
  # yum install mod_ssl

Create the server's private key (this step produces the key, not yet a certificate; -des3 encrypts it with a passphrase, which httpd will then prompt for at every start unless SSLPassPhraseDialog is configured, so many deployments leave -des3 out and rely on file permissions of 0600 instead):
  # cd /etc/pki/tls/certs
  # openssl genrsa -des3 -out apachekey.pem 2048

Generate a Certificate Signing Request (CSR) for that key:
  # openssl req -new -key apachekey.pem -out apachekey.csr

Create the Web Server Certificate. openssl ca signs the CSR with the local CA configured in openssl.cnf and fails if no such CA has been set up; in production the CSR is sent to a public CA instead, and browsers warn about a certificate from a private CA unless that CA is in their trust store:
  # openssl ca -in apachekey.csr -out apachecert.pem

Page 7: Ost ssl lec

Installation

Install SSL Certificate:
  # cp apachecert.pem /etc/pki/tls/http/
  # cp apachekey.pem /etc/pki/tls/http/
  # vi /etc/httpd/conf.d/ssl.conf

    Listen 10.10.29.68:443
    SSLRandomSeed startup file:/dev/urandom 1024
    SSLRandomSeed connect file:/dev/urandom 1024
    <VirtualHost www.nixcraft.com:443>
      SSLEngine On
      SSLCertificateFile /etc/pki/tls/http/apachecert.pem
      SSLCertificateKeyFile /etc/pki/tls/http/apachekey.pem
      SSLProtocol All -SSLv2
      SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
      DocumentRoot "/var/www/html/ssl"
      ServerName www.nixcraft.com:443
    </VirtualHost>

Caveat for anything deployed today: "SSLProtocol All -SSLv2" still enables SSLv3, TLS 1.0 and TLS 1.1, and "HIGH:MEDIUM:!aNULL:+MD5" admits medium-strength and MD5-based suites. Restrict the protocol to TLS 1.2 and later, drop MEDIUM and MD5 from the cipher list, and make the key file readable by root only.

Restrict the document root to HTTPS:
  # mkdir -p /var/www/html/ssl
  # vi /etc/httpd/conf/httpd.conf

    <Directory /var/www/html/ssl>
      SSLRequireSSL
      SSLOptions +StrictRequire
      SSLRequire %{HTTP_HOST} eq "www.nixcraft.com"
      ErrorDocument 403 https://www.nixcraft.com/sslerror.html
    </Directory>

  # service httpd restart

Page 8: Ost ssl lec

Installation

Firewall Configuration, in /etc/sysconfig/iptables (accept new connections to port 443):
  -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

  # service iptables restart
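The virtual host above works, but two of its directives are weak by today's standards. The following script, added here as an example and not code from the slides or from the tutorial they follow, parses that configuration (embedded below as constructed input), reports the weak settings, and rewrites them; the hardened values assume Apache 2.4.37 or later with OpenSSL 1.1.1 or later, which is what TLSv1.3 support requires.

```python
"""Audit the mod_ssl directives shown on the slides and emit hardened ones.

Added example for this lecture, not code from the slides. The parser is
deliberately minimal: one directive per line, first occurrence wins.
"""

# The slide's own virtual host, embedded as constructed sample input.
SLIDE_SSL_CONF = """\
Listen 10.10.29.68:443
<VirtualHost www.nixcraft.com:443>
  SSLEngine On
  SSLCertificateFile /etc/pki/tls/http/apachecert.pem
  SSLCertificateKeyFile /etc/pki/tls/http/apachekey.pem
  SSLProtocol All -SSLv2
  SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
  DocumentRoot "/var/www/html/ssl"
  ServerName www.nixcraft.com:443
</VirtualHost>
"""

# What a current deployment would put in the same place (assumes Apache
# 2.4.37+ and OpenSSL 1.1.1+ for TLSv1.3).
HARDENED = {
    "SSLProtocol": "-all +TLSv1.2 +TLSv1.3",
    "SSLCipherSuite": "HIGH:!aNULL:!MD5:!RC4:!3DES:!SHA1",
    "SSLHonorCipherOrder": "on",
}

VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf: str) -> dict:
    """Return {directive: value}, ignoring comments and <section> lines."""
    found = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, _, value = line.partition(" ")
        found.setdefault(name, value.strip())
    return found


def protocols_allowed(spec: str) -> set:
    """Resolve an SSLProtocol value: 'all' expands to every version, then the
    +/- tokens are applied left to right, as mod_ssl does."""
    enabled = set()
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        chosen = VERSIONS if name.lower() == "all" else {name}
        enabled = enabled | chosen if sign == "+" else enabled - chosen
    return enabled


def audit(conf: str) -> list:
    """Findings for the settings that matter on the slide's configuration."""
    d = parse_directives(conf)
    findings = []
    legacy = protocols_allowed(d.get("SSLProtocol", "all")) & LEGACY
    if legacy:
        findings.append("SSLProtocol still enables " + ", ".join(sorted(legacy)))
    ciphers = d.get("SSLCipherSuite", "").split(":")
    for bad in ("MEDIUM", "LOW", "EXP", "+MD5", "RC4", "3DES"):
        if bad in ciphers:
            findings.append(f"SSLCipherSuite admits {bad} suites")
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off, so the client picks the suite")
    return findings


def harden(conf: str) -> str:
    """Replace the weak directives in place and add any HARDENED ones that are
    missing, just before </VirtualHost>."""
    present = parse_directives(conf)
    out = []
    for line in conf.splitlines():
        name = line.strip().split(" ", 1)[0]
        indent = line[: len(line) - len(line.lstrip())]
        if name in HARDENED:
            out.append(f"{indent}{name} {HARDENED[name]}")
        elif line.strip() == "</VirtualHost>":
            out.extend(f"{indent}  {n} {v}" for n, v in HARDENED.items() if n not in present)
            out.append(line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(SLIDE_SSL_CONF):
        print("WEAK:", finding)
    print(harden(SLIDE_SSL_CONF))
```

Run it on the slide's block and the findings are exactly the three the caveat above names: SSLv3/TLS 1.0/1.1 still enabled, MEDIUM and +MD5 in the cipher list, and no server-side cipher ordering. Feeding the hardened output back through `audit` yields nothing, which is the check to keep in a deployment pipeline.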

Page 9: Ost ssl lec

SSL in demoroot - vmware guestOS

Page 10: Ost ssl lec

SSH secure communication (password login)

  SSH Client                                       SSH Server
      |  SSH2? ------------------------------------->  |   version exchange
      |  <-------------------------------------- SSH2  |
      |  Diffie-Helman, etc? ----------------------->  |   algorithm negotiation
      |  <------------------------- Diffie-Helman      |
      |  <------------------------ Send Serv_Pub_Key   |   host key
      |  Serv_Pub_key(S_key) ----------------------->  |   session key
      |  <--------------------------------------- OK   |
      |  S_key(Uname,pwd) -------------------------->  |   user authentication
      |  <--------------------------------------- OK   |
      |  S_key(data) ------------------------------->  |   encrypted session

Simplified teaching diagram: in SSH-2 the session key is never sent; both sides derive it from the Diffie-Hellman exchange, and the server proves it holds the host key by signing the exchange hash, which the client checks against ~/.ssh/known_hosts. Only after that does the password travel, inside the encrypted channel.
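The objectives on page 4 (negotiate an algorithm, agree a session key, verify the host by fingerprint) and the exchange in the diagram above, as an added example in pure-stdlib Python. This is not code from the slides or from OpenSSH: the Diffie-Hellman group is the genuine 1024-bit MODP group of RFC 2409 (SSH's diffie-hellman-group1-sha1), but the host key is a constructed byte string and the server's signature over the exchange hash is omitted, so the key agreement and the known_hosts logic are real while host authentication is only sketched. Host names and identification strings are placeholders.

```python
"""Simulated SSH-2 transport setup: version exchange, algorithm negotiation,
Diffie-Hellman key agreement and trust-on-first-use host key checking.
Added example, not code from the slides or OpenSSH; stdlib only."""
import base64
import hashlib
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP), generator 2; current deployments
# should prefer the 2048-bit and larger RFC 3526 groups.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; a DH group needs p and (p-1)/2 prime, so check before use."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def negotiate(client_prefs, server_prefs):
    """RFC 4253 rule: the first algorithm in the client's list that the server
    also supports wins, so the client's ordering decides."""
    for alg in client_prefs:
        if alg in server_prefs:
            return alg
    raise ValueError("no common algorithm")


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x, peer_pub):
    """K = peer_pub^x mod p, rejecting the degenerate values 0, 1 and p-1."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, x, P)


def session_key(shared, exchange_hash, letter=b"C"):
    """Simplified RFC 4253 derivation HASH(K || H || letter); one letter per
    direction and purpose, so every key differs."""
    k = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hashlib.sha256(k + exchange_hash + letter).digest()


def fingerprint(host_key):
    """OpenSSH-style fingerprint: SHA256 of the key blob, unpadded base64."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(host_key).digest()).decode().rstrip("=")


class KnownHosts:
    """Trust-on-first-use store, the role ~/.ssh/known_hosts plays."""
    def __init__(self):
        self.entries = {}

    def check(self, host, host_key):
        fp = fingerprint(host_key)
        if host not in self.entries:
            self.entries[host] = fp          # first contact: record and trust
            return "new"
        if self.entries[host] != fp:         # a real client refuses to go on
            raise RuntimeError(f"host key for {host} changed: possible MITM")
        return "known"


def handshake(known_hosts, host, server_host_key,
              client_kex=("diffie-hellman-group14-sha256", "diffie-hellman-group1-sha1"),
              server_kex=("diffie-hellman-group1-sha1",)):
    """The exchange of the diagram; returns (client key, server key, kex, TOFU status)."""
    client_id, server_id = b"SSH-2.0-example_client", b"SSH-2.0-example_server"
    if not server_id.startswith(b"SSH-2.0"):
        raise RuntimeError("server does not speak SSH-2")
    kex = negotiate(client_kex, server_kex)
    status = known_hosts.check(host, server_host_key)
    cx, cpub = dh_keypair()
    sx, spub = dh_keypair()
    # Exchange hash H binds identities, negotiated kex and host key (the real H
    # also covers e, f and K); the server would sign H with its host key.
    h = hashlib.sha256(client_id + server_id + kex.encode() + server_host_key).digest()
    return (session_key(dh_shared(cx, spub), h),
            session_key(dh_shared(sx, cpub), h), kex, status)
```

Two details worth noticing: the client's preference order decides which key exchange is used, which is why a client that still lists group1 after group14 only gets the weak group when the server offers nothing better; and the second call to `KnownHosts.check` with a different key blob raises, which is the behaviour (not just a warning) a client should have when a host key changes.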

Page 11: Ost ssl lec

SSH Wireshark Trace

Page 12: Ost ssl lec

Problems with Password Authentication

Passwords can be guessed.
The default configuration allows multiple attempts against an account.
Only one account / password needs to be guessed.
Alternate approach is to use public / private keys to authenticate the user.

Public Key Authentication

Create a public / private keypair.
Ensure that private
Upload the public key to the server user account: ~/.ssh/authorized_keys
Connect with: ssh -o PreferredAuthentications=publickey server.example.org

The private key never leaves the client; keep it readable by its owner only and protect it with a passphrase, because anyone holding the file can log in as that user.

Page 13: Ost ssl lec

SSH Communications using public key

  SSH Client                                       SSH Server
      |  SSH2? ------------------------------------->  |
      |  <-------------------------------------- SSH2  |
      |  Diffie-Helman, etc? ----------------------->  |
      |  <------------------------- Diffie-Helman      |
      |  <------------------------ Send Serv_Pub_Key   |
      |  Serv_Pub_key(S_key) ----------------------->  |
      |  <--------------------------------------- OK   |
      |  S_key(Uname) ------------------------------>  |   user name only, no password
      |  <-------------------- Client_Pub_key(Random)  |   challenge encrypted to the user's public key
      |  Client_Pri_key(msg), Hash(Random) --------->  |   proof of possession of the private key
      |  <--------------------------------------- OK   |
      |  S_key(data) ------------------------------->  |

The server stores only the user's public key (~/.ssh/authorized_keys), so there is nothing to guess and a leaked server file does not allow login. The encrypted challenge shown is the SSH-1 style; SSH-2 (RFC 4252) instead has the client sign, with its private key, a message that includes the session identifier, which binds the proof to this connection and defeats replay.
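The public key login of pages 12 and 13, as an added example that is not code from the slides or from OpenSSH. It follows the SSH-2 form (a signature over a message that includes the session identifier) rather than the decrypted challenge in the diagram, and uses textbook RSA with two fixed, well-known Mersenne primes so that no prime generation is needed; that makes the key trivially factorable, so it is a toy for illustrating the exchange only. User name and message layout are assumptions.

```python
"""Public key user authentication: the server holds only the user's public key
(authorized_keys) and the client proves possession of the private key; no
password crosses the wire. Added example, not code from the slides or OpenSSH.
Textbook RSA (no padding) over fixed Mersenne primes: a toy. Stdlib only."""
import hashlib
import secrets

P = (1 << 521) - 1        # Mersenne prime M521, fixed so no prime search is needed
Q = (1 << 127) - 1        # Mersenne prime M127
E = 65537


def keygen():
    """Textbook RSA keypair (n, e), (n, d) from the fixed primes (Python 3.8+ pow)."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), (n, d)


def digest_int(data: bytes) -> int:
    """SHA-256 of data as a 256-bit integer, well below the 648-bit modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest_int(data), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(data)


def auth_message(session_id: bytes, user: str, pub) -> bytes:
    """The bytes the client signs (layout assumed, in the spirit of RFC 4252).
    Binding them to the session identifier from the key exchange and to the
    account means a captured signature is useless in any other session."""
    n, e = pub
    return (session_id + user.encode() + b"publickey"
            + n.to_bytes(82, "big") + e.to_bytes(3, "big"))


class Server:
    def __init__(self):
        self.session_id = secrets.token_bytes(32)   # fixed by the key exchange
        self.authorized_keys = {}                     # user -> public key

    def add_key(self, user: str, pub):
        self.authorized_keys[user] = pub

    def authenticate(self, user: str, pub, sig: int) -> bool:
        """Reject keys not in authorized_keys first, then check the proof."""
        if self.authorized_keys.get(user) != pub:
            return False
        return verify(pub, auth_message(self.session_id, user, pub), sig)


class Client:
    def __init__(self, user: str, priv, pub):
        self.user, self.priv, self.pub = user, priv, pub

    def login(self, server: Server) -> bool:
        msg = auth_message(server.session_id, self.user, self.pub)
        return server.authenticate(self.user, self.pub, sign(self.priv, msg))


def demo():
    """Returns (legitimate login ok, replayed signature accepted, forgery accepted)."""
    pub, priv = keygen()
    server = Server()
    server.add_key("alice", pub)
    ok = Client("alice", priv, pub).login(server)
    # An eavesdropper captures this session's proof ...
    captured = sign(priv, auth_message(server.session_id, "alice", pub))
    other = Server()                      # ... but a new connection has a new session id
    other.add_key("alice", pub)
    replayed = other.authenticate("alice", pub, captured)
    # Someone who stole only authorized_keys has no d and cannot sign anything.
    forged = other.authenticate("alice", pub, pow(digest_int(b"guess"), E, pub[0]))
    return ok, replayed, forged


if __name__ == "__main__":
    print(demo())
```

The three results of `demo()` are the three properties the slides argue for: the legitimate client logs in, a recorded proof does not work on a second connection, and possession of the server-side file alone gives an attacker nothing to work with, unlike a password hash.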

Page 14: Ost ssl lec

sFTP in Linux

Page 15: Ost ssl lec

sFTP in Linux (contd.)

Page 16: Ost ssl lec

sFTP in Linux (contd.)

Page 17: Ost ssl lec

SSH Tunneling

Use SSH to create an encrypted channel between the local host and the SSH server.
Use that encrypted channel to carry other traffic.

Page 18: Ost ssl lec

SSH Tunneling

  ssh -L 12345:192.168.1.10:80 -l root homenet.net

Local port forwarding: ssh listens on local port 12345; each connection to it is carried inside the SSH session to homenet.net, which then connects onward to 192.168.1.10 port 80, so http://localhost:12345/ reaches a web server on the remote network. Only the leg to homenet.net is encrypted; the hop from homenet.net to 192.168.1.10 is plain HTTP. Logging in as root (-l root) is for illustration only: forwarding needs no privileges, so use an unprivileged account and keep PermitRootLogin disabled on the server.

Page 19: Ost ssl lec

SSL/TLS Security

Depends on the integrity of the public key certificate.

Public Key Infrastructure (PKI): the components necessary to securely distribute public keys.

Certificate Authorities: organizations that certify the relationship between a public key and its owner, e.g. Verisign, Thawte.

Page 20: Ost ssl lec

SSL/TLS Vulnerability

SSL/TLS supports the concept of session renegotiation (after errors, on a request for a client certificate, etc.).

This feature assumes that the renegotiation is with the original party, and any requests or messages transmitted before the renegotiation are combined (prepended) with the requests sent after the renegotiation.

This behavior can be abused to allow man-in-the-middle attacks: the attacker opens the connection, sends the start of a request, then relays a victim's fresh handshake to the server as a renegotiation, so the victim's request, cookies included, is appended to the attacker's prefix and executed under the victim's credentials.

Demonstrated with HTTPS, but the vulnerability exists with any application that uses SSL/TLS.

Fixed at the protocol level by the renegotiation_info extension (RFC 5746), which binds a renegotiation to the previous handshake; a server that cannot be upgraded should disable client-initiated renegotiation.
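What the splice looks like at the application layer, as an added example that is not from the slides. It models only what the vulnerable server does with application data: bytes received before the renegotiation are buffered and handed to the HTTP layer together with the bytes received after it, as one stream, although the two halves came from different parties. No TLS is performed; the attacker prefix, the victim request, the host name and the verify_data values are constructed sample data.

```python
"""HTTP prefix injection through TLS renegotiation, simulated at the byte level.
Added example for this lecture, not from the slides; no real TLS involved."""

# Constructed sample traffic. The attacker's prefix ends in an unfinished
# header so that whatever follows is swallowed as that header's value.
ATTACKER_PREFIX = (b"GET /account/delete?confirm=1 HTTP/1.1\r\n"
                   b"Host: www.example.com\r\n"
                   b"X-Ignore: ")
VICTIM_REQUEST = (b"GET /account HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"Cookie: session=victim-secret\r\n"
                  b"\r\n")


def vulnerable_server_stream(before: bytes, after: bytes) -> bytes:
    """Pre-RFC 5746 behaviour: the application never learns that a
    renegotiation happened, so both halves become one request stream."""
    return before + after


def fixed_server_stream(before: bytes, after: bytes,
                        presented_verify_data: bytes, expected_verify_data: bytes):
    """RFC 5746 behaviour: the renegotiating ClientHello must carry the
    verify_data of the previous handshake. The victim believes it is doing an
    initial handshake and presents empty data, so the server aborts and the
    buffered prefix is never joined to the victim's bytes."""
    if presented_verify_data != expected_verify_data:
        return None                      # fatal handshake_failure
    return before + after


def parse_request(stream: bytes) -> dict:
    """Minimal HTTP/1.1 parser for the first request in the stream."""
    head = stream.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"method": method.decode(), "target": target.decode(),
            "version": version.decode(), "headers": headers}


def looks_spliced(request: dict) -> bool:
    """Detection heuristic for logs or a WAF: a header value that itself
    contains a request line is the signature of a prefix injection."""
    return any(" HTTP/1." in value for value in request["headers"].values())


def splice_demo():
    """Returns what the vulnerable server executes and what the fixed one returns."""
    spliced = parse_request(vulnerable_server_stream(ATTACKER_PREFIX, VICTIM_REQUEST))
    blocked = fixed_server_stream(ATTACKER_PREFIX, VICTIM_REQUEST,
                                  presented_verify_data=b"",
                                  expected_verify_data=b"attacker-client-verify-data")
    return spliced, blocked


if __name__ == "__main__":
    request, blocked = splice_demo()
    print(request["method"], request["target"], request["headers"])
    print("fixed server accepted renegotiation:", blocked is not None)
```

The parsed result is the attacker's request line with the victim's Cookie header attached, which is exactly the combination the slide describes; the victim's own request line survives only as the value of X-Ignore, and that is what `looks_spliced` keys on.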
