SlideShare a Scribd company logo

SSL/TLS for Mortals (Devoxx)

M
Maarten Mulders

Using SSL/TLS the right way is often a big hurdle for developers. We prefer to have that one colleague perform "something with certificates", because he/she knows how that works. But what if "that one colleague" is enjoying vacation and something goes wrong with the certificates? In this session we'll take a close look at secure communication at the transport level. Starting with what exactly SSL and TLS is, we'll dive into public/private keys, and signing. We'll also learn what all this has to do with an unfortunate Dutch notary. Of course, there'll be plenty of practical tips & trics, as well as demo's. Attend this session to become "that one colleague"!

Technology
1 of 41
Download to read offline
T L S Awesome Sauce, or... Maarten Mulders (@mthmulders)#tlsformortals
H Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertif cate(ClientHandshaker.java:1506) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at sun.net. .protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net. .protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net. .protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512) at sun.net. .protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440) at sun.net. .protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) at it.mulders.maarten.Demo.main(Demo.java:13) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExc at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertif cate(ClientHandshaker.java:1488) 13 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to f nd valid certif cation path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) Maarten Mulders (@mthmulders)#tlsformortals
7 L OSI M data unit layers Data Data Data Segments Packets Application  Network Process to Application Presentation  Data Representation  and Encryption Session  Interhost Communication Transport  End­to­End Connections  and Reliability Network  Path Determination and  Host Layers Maarten Mulders (@mthmulders)#tlsformortals
H SSL TLS SSL 1.0 never released SSL 2.0 1995 - 2011 (POODLE) SSL 3.0 1996 - 2014 (POODLE) TLS 1.0 1999 - 2011 (BEAST) TLS 1.1 2006 TLS 1.2 2008 TLS 1.3 2018 Maarten Mulders (@mthmulders)#tlsformortals
D What's the issue?! Maarten Mulders (@mthmulders)#tlsformortals
H 1. public/private key encryption 2. signed certificates 3. certificate authorities Maarten Mulders (@mthmulders)#tlsformortals
1 P P K E Maarten Mulders (@mthmulders)#tlsformortals
M 1. Select two prime numbers: 2. Calculate product: 3. Select random number < product: 4. Find d, so that a. b. c. d. p = 11, q = 17 p ∗ q = 187 e = 3 (d ∗ e) − 1 mod (p − 1) ∗ (q − 1) = 0 (d ∗ 3) − 1 mod (10 ∗ 16) = 0 320 mod 160 = 0 (321 − 1) mod 160 = 0 (107 ∗ 3) = 321 ⇒ d = 107 Maarten Mulders (@mthmulders)#tlsformortals
N , P Q 1. 2. Find d, so that Pretty hard without knowing and ! As soon as we know , calculating is trivial (again). p ∗ q = 299, e = 5 (d ∗ e) − 1 mod (p − 1) ∗ (q − 1) = 0 p q p = 13, q = 23 d = 317 Maarten Mulders (@mthmulders)#tlsformortals
For big enough and , finding those factors will cost an eternity! So we can distribute and even ! p q p ∗ q e Maarten Mulders (@mthmulders)#tlsformortals
L "G" p ∗ q = 187, e = 3, G ⇒ 7 = = 3437 e 7 3 343 mod 187 = 156 Maarten Mulders (@mthmulders)#tlsformortals
L "156" Since we know and , we can calculatep q d = 107 = ≈ 4.6 ∗156 d 156 107 10 234 mod 187 = 7156 107 7 ⇒ G Maarten Mulders (@mthmulders)#tlsformortals
N Client Server 1 ClientHello → 2 ← ServerHello 3 ← Certificate 4 ← ServerKeyExchange 5 ← ServerHelloDone 6 ClientKeyExchange → 7 ChangeCipherSpec → 8 Finished → 9 ← ChangeCipherSpec 10 ← Finished Maarten Mulders (@mthmulders)#tlsformortals
D No-one is eavesdropping! Maarten Mulders (@mthmulders)#tlsformortals
2 S C Maarten Mulders (@mthmulders)#tlsformortals
A certificate contains: Serial Number Subject Validity Usage Public Key Fingerprint Algorithm Fingerprint Maarten Mulders (@mthmulders)#tlsformortals
But wait... anyone could create a certificate! So we also need Signature Algorithm Signature Issuer ... and a way to sign certificates. Maarten Mulders (@mthmulders)#tlsformortals
A signature is a mathematical relationship between a message , a private key and a public key . It consists of two functions: 1. signing function 2. verifying function So, given and and knowing , we can tell if is indeed signed by . x sk pk t = f (sk, x) [accept, reject] = g(pk, t, x) x t pk x sk Maarten Mulders (@mthmulders)#tlsformortals
3 C A Maarten Mulders (@mthmulders)#tlsformortals
An entity that issues digital certificates, certifying the ownership of a public key by the subject of the certificate. Maarten Mulders (@mthmulders)#tlsformortals
I John ? Alice So, who is John, anyway? Many John's in todays browsers and operating systems! “I can trust you, because I trust John, and John trusts Alice, and Alice trusts you. Maarten Mulders (@mthmulders)#tlsformortals
Top-notch security procedures, including "key ceremonies" Maarten Mulders (@mthmulders)#tlsformortals
/** intentionally left blank */ Maarten Mulders (@mthmulders)#tlsformortals
W Google blacklists 247 certificates in Chromium Microsoft removes the DigiNotar root certificate from all supported Windows-releases * Mozilla revokes trust in the DigiNotar root certificate in all supported versions Apple issued Security Update 2011-005 Update Certificate Revocation Lists (although these are self-Maarten Mulders (@mthmulders)#tlsformortals
D Trust (for what it's worth) Maarten Mulders (@mthmulders)#tlsformortals
T , T T Maarten Mulders (@mthmulders)#tlsformortals
Simple HTTP client with TLS support: curl ­v ­k <address> Troubleshoot trust issues and see certificates being used: openssl s_client ­showcerts ­servername <address> ­ connect <address>:443 Troubleshoot supported protocols, ciphers, ...: nmap ­­script ssl­enum­ciphers ­p 443 <address> Maarten Mulders (@mthmulders)#tlsformortals
JVM S ­Djavax.net.ssl.trustStore=<file> Denotes where a truststore can be found: a file that contains trusted certs. ­Djavax.net.ssl.trustStorePassword=changeit is the password to that file. Maarten Mulders (@mthmulders)#tlsformortals
JVM S ­Djavax.net.ssl.keyStore=<file> Denotes where a keystore can be found: a file that contains public and/or private keys. ­Djavax.net.ssl.keyStorePassword=changeit is the password to that file. Maarten Mulders (@mthmulders)#tlsformortals
JVM S ­Djavax.net.debug=ssl[:flag] Include debug logging for TLS handshake and connections. Additional flags: record session sessioncache pluggability plaintext handshake defaultctx keymanager data packet keygen sslctx trustmanager verbose Maarten Mulders (@mthmulders)#tlsformortals
P Maarten Mulders (@mthmulders)#tlsformortals
P - 1. Don't use SSL! Use TLS v1.2 or v1.3. 2. Be careful whom you trust! 3. When in doubt, open your toolbox: openssl, curl, nmap and Portecle Maarten Mulders (@mthmulders)#tlsformortals
Q P D I Router by unknown author Maarten Mulders (@mthmulders)#tlsformortals

Recommended

SSL/TLS for Mortals (UtrechtJUG)
SSL/TLS for Mortals (UtrechtJUG)SSL/TLS for Mortals (UtrechtJUG)
SSL/TLS for Mortals (UtrechtJUG)Maarten Mulders
 
SSL/TLS for Mortals (Lockdown Lecture)
SSL/TLS for Mortals (Lockdown Lecture)SSL/TLS for Mortals (Lockdown Lecture)
SSL/TLS for Mortals (Lockdown Lecture)Maarten Mulders
 
The Ring programming language version 1.7 book - Part 64 of 196
The Ring programming language version 1.7 book - Part 64 of 196The Ring programming language version 1.7 book - Part 64 of 196
The Ring programming language version 1.7 book - Part 64 of 196Mahmoud Samir Fayed
 
Guess the distribution
Guess the distributionGuess the distribution
Guess the distributionRasmus Bååth
 
Getting Started with the Amazon GameOn API - Peter Heinrich
Getting Started with the Amazon GameOn API - Peter HeinrichGetting Started with the Amazon GameOn API - Peter Heinrich
Getting Started with the Amazon GameOn API - Peter HeinrichAmazon Web Services
 
Ch10
Ch10Ch10
Ch10kinnarshah8888
 
SSL/TLS for Mortals (Devoxx UK)
SSL/TLS for Mortals (Devoxx UK)SSL/TLS for Mortals (Devoxx UK)
SSL/TLS for Mortals (Devoxx UK)Maarten Mulders
 
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)Maarten Mulders
 

Recommended

SSL/TLS for Mortals (UtrechtJUG)
SSL/TLS for Mortals (UtrechtJUG)SSL/TLS for Mortals (UtrechtJUG)
SSL/TLS for Mortals (UtrechtJUG)Maarten Mulders
 
SSL/TLS for Mortals (Lockdown Lecture)
SSL/TLS for Mortals (Lockdown Lecture)SSL/TLS for Mortals (Lockdown Lecture)
SSL/TLS for Mortals (Lockdown Lecture)Maarten Mulders
 
The Ring programming language version 1.7 book - Part 64 of 196
The Ring programming language version 1.7 book - Part 64 of 196The Ring programming language version 1.7 book - Part 64 of 196
The Ring programming language version 1.7 book - Part 64 of 196Mahmoud Samir Fayed
 
Guess the distribution
Guess the distributionGuess the distribution
Guess the distributionRasmus Bååth
 
Getting Started with the Amazon GameOn API - Peter Heinrich
Getting Started with the Amazon GameOn API - Peter HeinrichGetting Started with the Amazon GameOn API - Peter Heinrich
Getting Started with the Amazon GameOn API - Peter HeinrichAmazon Web Services
 
Ch10
Ch10Ch10
Ch10kinnarshah8888
 
SSL/TLS for Mortals (Devoxx UK)
SSL/TLS for Mortals (Devoxx UK)SSL/TLS for Mortals (Devoxx UK)
SSL/TLS for Mortals (Devoxx UK)Maarten Mulders
 
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)
SSL/TLS for Mortals (Oracle Groundbreaker EMEA Virtual Tour)Maarten Mulders
 
SSL/TLS for Mortals (JavaLand)
SSL/TLS for Mortals (JavaLand) SSL/TLS for Mortals (JavaLand)
SSL/TLS for Mortals (JavaLand) Maarten Mulders
 
SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)Maarten Mulders
 
SSL/TLS for Mortals (JavaOne 2017)
SSL/TLS for Mortals (JavaOne 2017)SSL/TLS for Mortals (JavaOne 2017)
SSL/TLS for Mortals (JavaOne 2017)Maarten Mulders
 
SSL/TLS for Mortals (DevNexus)
SSL/TLS for Mortals (DevNexus)SSL/TLS for Mortals (DevNexus)
SSL/TLS for Mortals (DevNexus)Maarten Mulders
 
SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)Maarten Mulders
 
SSL/TLS for Mortals (JAX DE 2018)
SSL/TLS for Mortals (JAX DE 2018)SSL/TLS for Mortals (JAX DE 2018)
SSL/TLS for Mortals (JAX DE 2018)Maarten Mulders
 
SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)Maarten Mulders
 
SSL/TLS for Mortals (J-Fall)
SSL/TLS for Mortals (J-Fall)SSL/TLS for Mortals (J-Fall)
SSL/TLS for Mortals (J-Fall)Maarten Mulders
 
Secure shell(ssh) AND telnet AND CONSOLE
Secure shell(ssh) AND telnet AND CONSOLESecure shell(ssh) AND telnet AND CONSOLE
Secure shell(ssh) AND telnet AND CONSOLEAmiraMohamedGalal
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeWim Godden
 
SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)Maarten Mulders
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeWim Godden
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
Encrption in mule
Encrption in muleEncrption in mule
Encrption in muleSindhu VL
 
Pgp security mule
Pgp security mulePgp security mule
Pgp security muleSindhu VL
 
Mimikatz
MimikatzMimikatz
Mimikatzprashant3535
 
Security Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPSecurity Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPxsist10
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Beneluxxsist10
 
Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015GregMefford
 
Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)Gerardo Pardo-Castellote
 
What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)Maarten Mulders
 
Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)Maarten Mulders
 

More Related Content

Similar to SSL/TLS for Mortals (Devoxx)

SSL/TLS for Mortals (JavaLand)
SSL/TLS for Mortals (JavaLand) SSL/TLS for Mortals (JavaLand)
SSL/TLS for Mortals (JavaLand) Maarten Mulders
 
SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)Maarten Mulders
 
SSL/TLS for Mortals (JavaOne 2017)
SSL/TLS for Mortals (JavaOne 2017)SSL/TLS for Mortals (JavaOne 2017)
SSL/TLS for Mortals (JavaOne 2017)Maarten Mulders
 
SSL/TLS for Mortals (DevNexus)
SSL/TLS for Mortals (DevNexus)SSL/TLS for Mortals (DevNexus)
SSL/TLS for Mortals (DevNexus)Maarten Mulders
 
SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)Maarten Mulders
 
SSL/TLS for Mortals (JAX DE 2018)
SSL/TLS for Mortals (JAX DE 2018)SSL/TLS for Mortals (JAX DE 2018)
SSL/TLS for Mortals (JAX DE 2018)Maarten Mulders
 
SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)Maarten Mulders
 
SSL/TLS for Mortals (J-Fall)
SSL/TLS for Mortals (J-Fall)SSL/TLS for Mortals (J-Fall)
SSL/TLS for Mortals (J-Fall)Maarten Mulders
 
Secure shell(ssh) AND telnet AND CONSOLE
Secure shell(ssh) AND telnet AND CONSOLESecure shell(ssh) AND telnet AND CONSOLE
Secure shell(ssh) AND telnet AND CONSOLEAmiraMohamedGalal
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeWim Godden
 
SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)Maarten Mulders
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeWim Godden
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
Encrption in mule
Encrption in muleEncrption in mule
Encrption in muleSindhu VL
 
Pgp security mule
Pgp security mulePgp security mule
Pgp security muleSindhu VL
 
Security Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPSecurity Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPxsist10
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Beneluxxsist10
 
Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015GregMefford
 
Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)Gerardo Pardo-Castellote
 

Similar to SSL/TLS for Mortals (Devoxx) (20)

SSL/TLS for Mortals (JavaLand)
SSL/TLS for Mortals (JavaLand) SSL/TLS for Mortals (JavaLand)
SSL/TLS for Mortals (JavaLand)
 
SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)
 
SSL/TLS for Mortals (JavaOne 2017)
SSL/TLS for Mortals (JavaOne 2017)SSL/TLS for Mortals (JavaOne 2017)
SSL/TLS for Mortals (JavaOne 2017)
 
SSL/TLS for Mortals (DevNexus)
SSL/TLS for Mortals (DevNexus)SSL/TLS for Mortals (DevNexus)
SSL/TLS for Mortals (DevNexus)
 
SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)
 
SSL/TLS for Mortals (JAX DE 2018)
SSL/TLS for Mortals (JAX DE 2018)SSL/TLS for Mortals (JAX DE 2018)
SSL/TLS for Mortals (JAX DE 2018)
 
SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)
 
SSL/TLS for Mortals (J-Fall)
SSL/TLS for Mortals (J-Fall)SSL/TLS for Mortals (J-Fall)
SSL/TLS for Mortals (J-Fall)
 
Secure shell(ssh) AND telnet AND CONSOLE
Secure shell(ssh) AND telnet AND CONSOLESecure shell(ssh) AND telnet AND CONSOLE
Secure shell(ssh) AND telnet AND CONSOLE
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
 
SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)SSL/TLS for Mortals (Voxxed Days Luxembourg)
SSL/TLS for Mortals (Voxxed Days Luxembourg)
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
Encrption in mule
Encrption in muleEncrption in mule
Encrption in mule
 
Pgp security mule
Pgp security mulePgp security mule
Pgp security mule
 
Mimikatz
MimikatzMimikatz
Mimikatz
 
Security Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPSecurity Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHP
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Benelux
 
Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015
 
Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)Using DDS to Secure the Industrial Internet of Things (IIoT)
Using DDS to Secure the Industrial Internet of Things (IIoT)
 

More from Maarten Mulders

What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)Maarten Mulders
 
Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)Maarten Mulders
 
Making Maven Marvellous (Java.il)
Making Maven Marvellous (Java.il)Making Maven Marvellous (Java.il)
Making Maven Marvellous (Java.il)Maarten Mulders
 
Making Maven Marvellous (JavaZone)
Making Maven Marvellous (JavaZone)Making Maven Marvellous (JavaZone)
Making Maven Marvellous (JavaZone)Maarten Mulders
 
Dapr: Dinosaur or Developer's Dream? (v1)
Dapr: Dinosaur or Developer's Dream? (v1)Dapr: Dinosaur or Developer's Dream? (v1)
Dapr: Dinosaur or Developer's Dream? (v1)Maarten Mulders
 
Dapr: Dinosaur or Developer Dream? (J-Fall)
Dapr: Dinosaur or Developer Dream? (J-Fall)Dapr: Dinosaur or Developer Dream? (J-Fall)
Dapr: Dinosaur or Developer Dream? (J-Fall)Maarten Mulders
 
React in 40 minutes (Voxxed Days Romania)
React in 40 minutes (Voxxed Days Romania) React in 40 minutes (Voxxed Days Romania)
React in 40 minutes (Voxxed Days Romania) Maarten Mulders
 
React in 40 minutes (JCON)
React in 40 minutes (JCON) React in 40 minutes (JCON)
React in 40 minutes (JCON) Maarten Mulders
 
React in 50 minutes (Bucharest Software Craftsmanship Community)
React in 50 minutes (Bucharest Software Craftsmanship Community)React in 50 minutes (Bucharest Software Craftsmanship Community)
React in 50 minutes (Bucharest Software Craftsmanship Community)Maarten Mulders
 
React in 50 Minutes (JNation)
React in 50 Minutes (JNation) React in 50 Minutes (JNation)
React in 50 Minutes (JNation) Maarten Mulders
 
Making Maven Marvellous (J-Fall)
Making Maven Marvellous (J-Fall)Making Maven Marvellous (J-Fall)
Making Maven Marvellous (J-Fall)Maarten Mulders
 
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)Maarten Mulders
 
Building a DSL with GraalVM (javaBin online)
Building a DSL with GraalVM (javaBin online)Building a DSL with GraalVM (javaBin online)
Building a DSL with GraalVM (javaBin online)Maarten Mulders
 
React in 50 Minutes (OpenValue)
React in 50 Minutes (OpenValue) React in 50 Minutes (OpenValue)
React in 50 Minutes (OpenValue) Maarten Mulders
 
React in 50 Minutes (DevNexus)
React in 50 Minutes (DevNexus) React in 50 Minutes (DevNexus)
React in 50 Minutes (DevNexus) Maarten Mulders
 
React in 45 Minutes (Jfokus)
React in 45 Minutes (Jfokus)React in 45 Minutes (Jfokus)
React in 45 Minutes (Jfokus)Maarten Mulders
 
Building web applications with React (Jfokus)
Building web applications with React (Jfokus)Building web applications with React (Jfokus)
Building web applications with React (Jfokus)Maarten Mulders
 
Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)Maarten Mulders
 
Building a DSL with GraalVM (Full Stack Antwerpen)
Building a DSL with GraalVM (Full Stack Antwerpen)Building a DSL with GraalVM (Full Stack Antwerpen)
Building a DSL with GraalVM (Full Stack Antwerpen)Maarten Mulders
 
Building a DSL with GraalVM (Devoxx PL)
Building a DSL with GraalVM (Devoxx PL) Building a DSL with GraalVM (Devoxx PL)
Building a DSL with GraalVM (Devoxx PL) Maarten Mulders
 

More from Maarten Mulders (20)

What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)What's cooking in Maven? (Devoxx FR)
What's cooking in Maven? (Devoxx FR)
 
Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)Making Maven Marvellous (Devnexus)
Making Maven Marvellous (Devnexus)
 
Making Maven Marvellous (Java.il)
Making Maven Marvellous (Java.il)Making Maven Marvellous (Java.il)
Making Maven Marvellous (Java.il)
 
Making Maven Marvellous (JavaZone)
Making Maven Marvellous (JavaZone)Making Maven Marvellous (JavaZone)
Making Maven Marvellous (JavaZone)
 
Dapr: Dinosaur or Developer's Dream? (v1)
Dapr: Dinosaur or Developer's Dream? (v1)Dapr: Dinosaur or Developer's Dream? (v1)
Dapr: Dinosaur or Developer's Dream? (v1)
 
Dapr: Dinosaur or Developer Dream? (J-Fall)
Dapr: Dinosaur or Developer Dream? (J-Fall)Dapr: Dinosaur or Developer Dream? (J-Fall)
Dapr: Dinosaur or Developer Dream? (J-Fall)
 
React in 40 minutes (Voxxed Days Romania)
React in 40 minutes (Voxxed Days Romania) React in 40 minutes (Voxxed Days Romania)
React in 40 minutes (Voxxed Days Romania)
 
React in 40 minutes (JCON)
React in 40 minutes (JCON) React in 40 minutes (JCON)
React in 40 minutes (JCON)
 
React in 50 minutes (Bucharest Software Craftsmanship Community)
React in 50 minutes (Bucharest Software Craftsmanship Community)React in 50 minutes (Bucharest Software Craftsmanship Community)
React in 50 minutes (Bucharest Software Craftsmanship Community)
 
React in 50 Minutes (JNation)
React in 50 Minutes (JNation) React in 50 Minutes (JNation)
React in 50 Minutes (JNation)
 
Making Maven Marvellous (J-Fall)
Making Maven Marvellous (J-Fall)Making Maven Marvellous (J-Fall)
Making Maven Marvellous (J-Fall)
 
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
Building a DSL with GraalVM (Oracle Groundbreaker APAC Virtual Tour)
 
Building a DSL with GraalVM (javaBin online)
Building a DSL with GraalVM (javaBin online)Building a DSL with GraalVM (javaBin online)
Building a DSL with GraalVM (javaBin online)
 
React in 50 Minutes (OpenValue)
React in 50 Minutes (OpenValue) React in 50 Minutes (OpenValue)
React in 50 Minutes (OpenValue)
 
React in 50 Minutes (DevNexus)
React in 50 Minutes (DevNexus) React in 50 Minutes (DevNexus)
React in 50 Minutes (DevNexus)
 
React in 45 Minutes (Jfokus)
React in 45 Minutes (Jfokus)React in 45 Minutes (Jfokus)
React in 45 Minutes (Jfokus)
 
Building web applications with React (Jfokus)
Building web applications with React (Jfokus)Building web applications with React (Jfokus)
Building web applications with React (Jfokus)
 
Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)Building a DSL with GraalVM (CodeOne)
Building a DSL with GraalVM (CodeOne)
 
Building a DSL with GraalVM (Full Stack Antwerpen)
Building a DSL with GraalVM (Full Stack Antwerpen)Building a DSL with GraalVM (Full Stack Antwerpen)
Building a DSL with GraalVM (Full Stack Antwerpen)
 
Building a DSL with GraalVM (Devoxx PL)
Building a DSL with GraalVM (Devoxx PL) Building a DSL with GraalVM (Devoxx PL)
Building a DSL with GraalVM (Devoxx PL)
 

Recently uploaded

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 

Recently uploaded (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 

SSL/TLS for Mortals (Devoxx)

  • 1.
  • 2. T L S Awesome Sauce, or... Maarten Mulders (@mthmulders)#tlsformortals
  • 3. H Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertif cate(ClientHandshaker.java:1506) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at sun.net. .protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net. .protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net. .protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512) at sun.net. .protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440) at sun.net. .protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) at it.mulders.maarten.Demo.main(Demo.java:13) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExc at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertif cate(ClientHandshaker.java:1488) 13 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to f nd valid certif cation path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) Maarten Mulders (@mthmulders)#tlsformortals
  • 4.
  • 5. 7 L OSI M data unit layers Data Data Data Segments Packets Application  Network Process to Application Presentation  Data Representation  and Encryption Session  Interhost Communication Transport  End­to­End Connections  and Reliability Network  Path Determination and  Host Layers Maarten Mulders (@mthmulders)#tlsformortals
  • 6. H SSL TLS SSL 1.0 never released SSL 2.0 1995 - 2011 (POODLE) SSL 3.0 1996 - 2014 (POODLE) TLS 1.0 1999 - 2011 (BEAST) TLS 1.1 2006 TLS 1.2 2008 TLS 1.3 2018 Maarten Mulders (@mthmulders)#tlsformortals
  • 7. D What's the issue?! Maarten Mulders (@mthmulders)#tlsformortals
  • 8. H 1. public/private key encryption 2. signed certificates 3. certificate authorities Maarten Mulders (@mthmulders)#tlsformortals
  • 9. 1 P P K E Maarten Mulders (@mthmulders)#tlsformortals
  • 10.
  • 11.
  • 12. M 1. Select two prime numbers: 2. Calculate product: 3. Select random number < product: 4. Find d, so that a. b. c. d. p = 11, q = 17 p ∗ q = 187 e = 3 (d ∗ e) − 1 mod (p − 1) ∗ (q − 1) = 0 (d ∗ 3) − 1 mod (10 ∗ 16) = 0 320 mod 160 = 0 (321 − 1) mod 160 = 0 (107 ∗ 3) = 321 ⇒ d = 107 Maarten Mulders (@mthmulders)#tlsformortals
  • 13. N , P Q 1. 2. Find d, so that Pretty hard without knowing and ! As soon as we know , calculating is trivial (again). p ∗ q = 299, e = 5 (d ∗ e) − 1 mod (p − 1) ∗ (q − 1) = 0 p q p = 13, q = 23 d = 317 Maarten Mulders (@mthmulders)#tlsformortals
  • 14. For big enough and , finding those factors will cost an eternity! So we can distribute and even ! p q p ∗ q e Maarten Mulders (@mthmulders)#tlsformortals
  • 15. L "G" p ∗ q = 187, e = 3, G ⇒ 7 = = 3437 e 7 3 343 mod 187 = 156 Maarten Mulders (@mthmulders)#tlsformortals
  • 16. L "156" Since we know and , we can calculatep q d = 107 = ≈ 4.6 ∗156 d 156 107 10 234 mod 187 = 7156 107 7 ⇒ G Maarten Mulders (@mthmulders)#tlsformortals
  • 17.
  • 18. N Client Server 1 ClientHello → 2 ← ServerHello 3 ← Certificate 4 ← ServerKeyExchange 5 ← ServerHelloDone 6 ClientKeyExchange → 7 ChangeCipherSpec → 8 Finished → 9 ← ChangeCipherSpec 10 ← Finished Maarten Mulders (@mthmulders)#tlsformortals
  • 19. D No-one is eavesdropping! Maarten Mulders (@mthmulders)#tlsformortals
  • 20. 2 S C Maarten Mulders (@mthmulders)#tlsformortals
  • 21. A certificate contains: Serial Number Subject Validity Usage Public Key Fingerprint Algorithm Fingerprint Maarten Mulders (@mthmulders)#tlsformortals
  • 22. But wait... anyone could create a certificate! So we also need Signature Algorithm Signature Issuer ... and a way to sign certificates. Maarten Mulders (@mthmulders)#tlsformortals
  • 23.
  • 24. A signature is a mathematical relationship between a message , a private key and a public key . It consists of two functions: 1. signing function 2. verifying function So, given and and knowing , we can tell if is indeed signed by . x sk pk t = f (sk, x) [accept, reject] = g(pk, t, x) x t pk x sk Maarten Mulders (@mthmulders)#tlsformortals
  • 25. 3 C A Maarten Mulders (@mthmulders)#tlsformortals
  • 26. An entity that issues digital certificates, certifying the ownership of a public key by the subject of the certificate. Maarten Mulders (@mthmulders)#tlsformortals
  • 27. I John ? Alice So, who is John, anyway? Many John's in todays browsers and operating systems! “I can trust you, because I trust John, and John trusts Alice, and Alice trusts you. Maarten Mulders (@mthmulders)#tlsformortals
  • 28. Top-notch security procedures, including "key ceremonies" Maarten Mulders (@mthmulders)#tlsformortals
  • 29.
  • 30.
  • 32. W Google blacklists 247 certificates in Chromium Microsoft removes the DigiNotar root certificate from all supported Windows-releases * Mozilla revokes trust in the DigiNotar root certificate in all supported versions Apple issued Security Update 2011-005 Update Certificate Revocation Lists (although these are self-Maarten Mulders (@mthmulders)#tlsformortals
  • 33. D Trust (for what it's worth) Maarten Mulders (@mthmulders)#tlsformortals
  • 34. T , T T Maarten Mulders (@mthmulders)#tlsformortals
  • 35. Simple HTTP client with TLS support: curl ­v ­k <address> Troubleshoot trust issues and see certificates being used: openssl s_client ­showcerts ­servername <address> ­ connect <address>:443 Troubleshoot supported protocols, ciphers, ...: nmap ­­script ssl­enum­ciphers ­p 443 <address> Maarten Mulders (@mthmulders)#tlsformortals
  • 36. JVM S ­Djavax.net.ssl.trustStore=<file> Denotes where a truststore can be found: a file that contains trusted certs. ­Djavax.net.ssl.trustStorePassword=changeit is the password to that file. Maarten Mulders (@mthmulders)#tlsformortals
  • 37. JVM S ­Djavax.net.ssl.keyStore=<file> Denotes where a keystore can be found: a file that contains public and/or private keys. ­Djavax.net.ssl.keyStorePassword=changeit is the password to that file. Maarten Mulders (@mthmulders)#tlsformortals
  • 38. JVM S ­Djavax.net.debug=ssl[:flag] Include debug logging for TLS handshake and connections. Additional flags: record session sessioncache pluggability plaintext handshake defaultctx keymanager data packet keygen sslctx trustmanager verbose Maarten Mulders (@mthmulders)#tlsformortals
  • 40. P - 1. Don't use SSL! Use TLS v1.2 or v1.3. 2. Be careful whom you trust! 3. When in doubt, open your toolbox: openssl, curl, nmap and Portecle Maarten Mulders (@mthmulders)#tlsformortals
  • 41. Q P D I Router by unknown author Maarten Mulders (@mthmulders)#tlsformortals