Security
CNS 4650, Fall 2004
Rev. 2
SSL, SASL, PKI
Encryption
• Symmetric
  • Shared-secret
  • Password
  • Most common form of general cryptography
• Asymmetric
  • Public/Private Key
Symmetric
• User supplied password
• Examples
  • DES
  • AES
  • MD5
  • Crypt
• Cleartext password goes in and comes out as a hash
Symmetric Example: MD5
% openssl passwd -1 -salt "test" -stdin
password
$1$test$28Tmd0tsvqI1Eq.TDxcaq/
Password: password
Resulting hash: 28Tmd0tsvqI1Eq.TDxcaq/
Asymmetric
• Public key is derived from Private key
• Data encrypted with Public key can only be decrypted with Private and vice versa
• Example
  • RSA
  • ElGamal
Asymmetric Example: x509 certificate
% openssl x509 -inform DER -text -in root.der
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Utah, L=Orem, O=Apple, OU=Edu, CN=dsinema root CA/[email protected]
        Validity
            Not Before: Jun 14 18:19:48 2004 GMT
            Not After : Jul 14 18:19:48 2004 GMT
        Subject: C=US, ST=Utah, L=Orem, O=Apple, OU=Edu, CN=dsinema root CA/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ce:eb:78:66:c8:cf:a2:ab:39:9c:35:2b:3f:2e:
                    4e:bb:c8:cd:e3:3f:c2:67:5e:81:07:d6:ea:1d:75:
                    79:37:8f:e6:d8:92:e5:c2:15:d4:34:10:81:7b:d3:
                    24:18:ae:59:b3:52:8f:27:d9:9b:5b:fd:6d:9a:f1:
                    e9:f5:c9:0d:6c:e4:60:35:ce:07:e4:02:c8:4a:92:
                    0b:bb:1c:d6:4f:f8:88:fa:d1:63:7b:da:49:80:90:
                    b9:a4:19:ee:02:32:0b:c2:ad:45:30:49:2e:b1:1c:
Basics of SSL
• Client sends handshake to the server
• Server replies with a certificate
• Key exchange and negotiation
• Data transfer
• Optionally
  • Client can be required to provide certificate
SSL
SASL
• Simple Authentication and Security Layer
• RFC 2222
• Pluggable authentication scheme
• Client/Server negotiate auth mechanism
• Can also negotiate a security layer
  • Such as SSL/TLS
SASL cont.
• Defines
  • Kerberos v4
  • GSSAPI (Kerberos 5)
  • S/Key
  • External
PKI
• A worldwide “authentication” model
• SSL/TLS uses PKI
• Trusted third party authenticates the server and issues certificates for the server
• Third party can:
  • Set expiration dates on certificate
  • Revoke certificates
• Certificate Authorities
  • Thawte
  • RSA
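The PKI slide says the issuing authority controls a certificate's validity window. The following is an added example, not code from the slides or from OpenSSL: a small Python checker that reads the text form of a certificate as printed by `openssl x509 -text` (the format shown on the earlier root-certificate slide), extracts issuer, subject, signature algorithm and validity dates, and reports what a relying party would flag at a given moment. The sample input is the course's root certificate text copied from that slide, with the redacted e-mail placeholder kept as it appears there; the function names and the finding messages are this example's own.

```python
"""Checks over `openssl x509 -text` output (added example, not from the slides)."""
import re
from datetime import datetime, timezone

# Sample input: copied from the root-certificate slide (e-mail redacted there as well)
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Utah, L=Orem, O=Apple, OU=Edu, CN=dsinema root CA/[email protected]
        Validity
            Not Before: Jun 14 18:19:48 2004 GMT
            Not After : Jul 14 18:19:48 2004 GMT
        Subject: C=US, ST=Utah, L=Orem, O=Apple, OU=Edu, CN=dsinema root CA/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
"""

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def _field(text: str, label: str) -> str:
    """Value of the first '<label>: value' line; tolerates 'Not After :' spacing."""
    m = re.search(rf"^\s*{re.escape(label)}\s*:\s*(.+?)\s*$", text, re.M)
    if not m:
        raise ValueError(f"field not found: {label}")
    return m.group(1)


def _utc(value: str) -> datetime:
    return datetime.strptime(value, _TIME_FMT).replace(tzinfo=timezone.utc)


def parse_cert_text(text: str) -> dict:
    """Pull out the fields a relying party needs from openssl's text dump."""
    return {
        "issuer": _field(text, "Issuer"),
        "subject": _field(text, "Subject"),
        "sig_alg": _field(text, "Signature Algorithm"),
        "not_before": _utc(_field(text, "Not Before")),
        "not_after": _utc(_field(text, "Not After")),
    }


def assess(cert: dict, now: datetime) -> list:
    """Findings a verifier would raise for `cert` at time `now` (empty list = nothing to flag)."""
    findings = []
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed: issuer equals subject, trust must come from a local trust store")
    if now < cert["not_before"]:
        findings.append("not yet valid")
    if now > cert["not_after"]:
        findings.append(f"expired on {cert['not_after']:%Y-%m-%d}")
    if "md5" in cert["sig_alg"].lower():
        findings.append("signature algorithm uses MD5, which is deprecated for certificate signatures")
    return findings


def findings_at(text: str, when_iso: str) -> list:
    """Convenience wrapper: parse `text` and assess it at the given UTC time (ISO 8601)."""
    now = datetime.fromisoformat(when_iso).replace(tzinfo=timezone.utc)
    return assess(parse_cert_text(text), now)


if __name__ == "__main__":
    for finding in findings_at(SAMPLE_CERT_TEXT, "2004-06-20T00:00:00"):
        print("-", finding)
    for finding in findings_at(SAMPLE_CERT_TEXT, datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")):
        print("-", finding)
```

Two things this makes visible about the slide's certificate: it is its own issuer, so no third party vouches for it and a client only trusts it if it has been installed locally, and its validity window was a single month, so the course CA would have had to be reissued by July 2004. Revocation, the other control the slide lists, is not something a text dump can show; a verifier has to fetch a CRL or OCSP response for that.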