SSL/TLS S/MIME

SSL/TLS

• Secure Socket Layer
• Transport Layer Security
• RFC2246

TLS

• TLS Record Protocol
• TLS Handshake Protocol

TLS Record Protocol

• Private
  • Symmetric Cryptography
  • DES, RC4 etc
• Enhanced Connection Reliability
  • CRC, Checksum ... Ether / TCP
  • HMAC ... Keyed-Hashing for Message Authentication Code
  • MD5, SHA1

TLS Handshake Protocol

• Peer's Identity Authentication ... Public Key Cryptography
• Symmetric Algorithm/Key Exchange Negotiation ... Secure and Reliable

Handshake

• Handshake ... 0x16 (22)
• Version ... 3, 1
• Length ... 16bit

ClientHello

• ClientHello ... (1)
• Sends Random, SessionID, Cipher Suits, Compression Methods
• CipherSuit examples
  • 01 = TLS_RSA_WITH_NULL_MD5
  • 05 = TLS_RSA_WITH_RC4_128_SHA

ServerHello

• ServerHello ... (2)
• Select CipherSuit and CompressionMethod
• Selects for example:

     39 = Ephemeral Diffie-Hellman key exchange using RSA certificate
  

• See

Diffie-Hellman key exchange

• See
• C->S: A = g^a mod p, g, p
• S->C: B = g^b mod p
• K_A = A^b = g^ab mod p
• K_B = B^a = g^ba mod p

ChangeCipherSpec

• Later on, encrypted messages are sent

HTTPS

• HTTP over TLS/SSL
• use TLS/SSL from the very start
  • Immediately after TCP connection was established
• C->S: ClientHello
• S->C: ServerHello (DHE) ChangeCipherSpec ...
• C->S: ChangeCipherSpec ...

TLS over POP

• S->C: +OK Qpopper (version 4.0.18) at is01 starting.
• C->S: CAPA
• S->C: +OK Capability list follows
• S->C: STLS ...
• C->S: STLS
• S->C: +OK STLS
• C->S: ClientHello ...

TLS over SMTP

• EHLO ... STARTTLS

Server Certificate

• Server's public key should be signed by a trusted authority
• CA ... Certificate Authority

SSL Server Setup (1)

• Compile Apache with SSL enabled
• You need OpenSSL library and include files
• --enable-ssl and --with-ssl=DIR options for apache httpd configure command

Server keys

• Key generation:

     $ openssl genrsa -out server.key 1024
  

• Certficate Request:

     $ openssl req -new -key server.key -out server.csr
     Country Name (2 letter code) [AU]:JP
     State or Province Name (full name) [Some-State]:Kochi
     Locality Name (eg, city) []:Kochi
     Organization Name (eg, company) [Internet Widgits Pty Ltd]:Kochi University
     Organizational Unit Name (eg, section) []:Information Science
     Common Name (eg, YOUR name) []:www.is.kochi-u.ac.jp
     Email Address []:[email protected]
  

Get CA signature

• See for example
• Save the signed key in server.crt

Apache SSL Configuration

• in httpd.conf (extra/httpd-ssl.conf)
• SSLEngine on
• SSLCertificateFile /path/to/server.crt
• SSLCertificateKeyFile /path/to/server.key
• etc. etc.

Role of CA

• See
• Certified Site
• Self Certified Site

PGP vs PKI

• PGP ... Pretty Good Privacy
• PGP -> OpenPGP, GnuPG
• Peer Signed Public Key
• PKI ... Public Key Infrastructure
• PKI -> SSL/TLS, S/MIME
• Authorized Key Signing

Signing

• PGP (message.txt -> message.txt.asc):

     $ gpg --detach-sign -a message.txt
  

• S/MIME (message.txt -> mail.msg):

     $ openssl smime -sign -in message.txt -text -out mail.msg -inkey mykey.pem -signer mycrt.pem
  

Verifying Signature

• PGP:

     $ gpg --verify message.txt.asc
  

• S/MIME:

     $ openssl smime -verify -in mail.msg -CAfile demoCA/cacert.pem
  

• Note that signer's public key is included in mail.msg

Encrypting

• PGP:

     $ gpg -r [email protected] -ea message.txt
  

• S/MIME (message.txt -> encmail.msg):

     $ openssl smime -encrypt -in message.txt -des3 -out encmail.msg mycrt.pem
  

Decrypting

• PGP:

     $ gpg message.txt.asc
  

• S/MIME:

     $ openssl smime -decrypt -in encmail.msg -recip mycrt.pem -inkey mykey.pem
  

Miscellaneous Applications

• SSH ... RFCs 4250, 4251, 4252, 4253, 4254, 4255
• OpenID

Quiz of the Day

• Spell out the following acronyms
• TLS
• CA