SSH / SSL
Kaustubh Joshi
September 15, 2014
Secure Shell

- One of the primary goals of the ARPANET was remote access
- Several different connections allowed
  - rlogin
  - rcp
  - rsh
- All data was unencrypted
- This was a different world than exists today.
Secure Shell (contd.)

- SSH is a UNIX-based command interface and protocol for securely accessing a remote computer
- Suite of four utilities: slogin, ssh, sftp, and scp
- Can protect against:
  - IP spoofing
  - DNS spoofing
  - Intercepting information
  - Sniffing
- Tunneling
SSH Objectives

- Protect data sent over the network
  - Negotiate an encryption algorithm between sender and receiver
  - Use that algorithm and a session key to encrypt / decrypt data sent
- Provide site authentication
  - Use public key / fingerprint to ensure identity of remote host.
  - Relies on locally generated keys, so no certifying authority is generally available.
SSH-supported Graphical FTP Client

https://filezilla-project.org/download.php?type=client
Installation of SSL manually from terminal

- Install mod_ssl
    # yum install mod_ssl
- Create an SSL Certificate
    # cd /etc/pki/tls/certs
    # openssl genrsa -des3 -out apachekey.pem 2048
- Generate a Certificate Signing Request (CSR)
    # openssl req -new -key apachekey.pem -out apachekey.csr
- Create the Web Server Certificate
    # openssl ca -in apachekey.csr -out apachecert.pem
Installation (contd.)

- Install SSL Certificate
    # cp apachecert.pem /etc/pki/tls/http/
    # cp apachekey.pem /etc/pki/tls/http/
- Edit the mod_ssl configuration
    # vi /etc/httpd/conf.d/ssl.conf

    Listen 10.10.29.68:443
    SSLRandomSeed startup file:/dev/urandom 1024
    SSLRandomSeed connect file:/dev/urandom 1024
    <VirtualHost www.nixcraft.com:443>
        SSLEngine On
        SSLCertificateFile /etc/pki/tls/http/apachecert.pem
        SSLCertificateKeyFile /etc/pki/tls/http/apachekey.pem
        SSLProtocol All -SSLv2
        SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
        DocumentRoot "/var/www/html/ssl"
        ServerName www.nixcraft.com:443
    </VirtualHost>
- Create the document root and require SSL for it
    # mkdir -p /var/www/html/ssl
    # vi /etc/httpd/conf/httpd.conf

    <Directory /var/www/html/ssl>
        SSLRequireSSL
        SSLOptions +StrictRequire
        SSLRequire %{HTTP_HOST} eq "www.nixcraft.com"
        ErrorDocument 403 https://www.nixcraft.com/sslerror.html
    </Directory>
- Restart the web server
    # service httpd restart
Installation (contd.)

- Firewall Configuration: add to /etc/sysconfig/iptables
    -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
- Restart the firewall
    # service iptables restart
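The VirtualHost settings on the previous slide are 2014-era: "All -SSLv2" still leaves SSLv3, TLS 1.0 and TLS 1.1 enabled, and "+MD5" only demotes MD5-based suites rather than removing them. The following added example (not from the slides or the tutorial they cite) lints SSLProtocol and SSLCipherSuite directives for exactly these problems; the weak and hardened fragments are constructed from the slide's configuration, and the expansion of "All" is an approximation of mod_ssl's documented behaviour.

```python
import re

# Protocol versions a current deployment should not leave enabled.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# What mod_ssl's "All" may expand to (approximation: the real set depends on the
# Apache/OpenSSL build; old builds include SSLv2, newer ones have dropped it).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}
# OpenSSL cipher-string selectors that keep weak suites enabled unless negated.
WEAK_CIPHER_TOKENS = {"MD5", "RC4", "DES", "3DES", "LOW", "EXPORT", "NULL", "ENULL", "ANULL"}
DIRECTIVE_RE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.IGNORECASE)

def enabled_protocols(value):
    """Resolve an SSLProtocol value such as "All -SSLv2" to the set of versions it
    enables: a bare name or "+name" adds, "-name" removes, "All" means every version."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {_CANON.get(name.lower(), name)}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled

def weak_cipher_tokens(value):
    """Return the selectors of an OpenSSL cipher string that leave weak suites enabled.
    "!X"/"-X" remove suites and are never flagged; "+X" only moves the matching suites
    to the end of the preference list, so the slide's "+MD5" still offers them."""
    flagged = []
    for tok in value.split(":"):
        if not tok or tok.startswith(("!", "-")):
            continue
        parts = tok.lstrip("+").split("+")  # "A+B" is an AND of two selectors
        if any(p.upper() in WEAK_CIPHER_TOKENS for p in parts):
            flagged.append(tok)
    return flagged

def audit_ssl_conf(text):
    """Scan an ssl.conf-style fragment; return [(line_no, finding), ...]."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, value = m.group(1).lower(), m.group(2)
        if directive == "sslprotocol":
            weak = sorted(enabled_protocols(value) & WEAK_PROTOCOLS)
            if weak:
                findings.append((line_no, "SSLProtocol leaves enabled: " + ", ".join(weak)))
        else:
            for tok in weak_cipher_tokens(value):
                findings.append((line_no, f"SSLCipherSuite selector {tok!r} keeps weak suites"))
    return findings

# Constructed from the slide's VirtualHost, keeping only the directives audited here.
SLIDE_CONF = """\
<VirtualHost www.nixcraft.com:443>
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
</VirtualHost>
"""
# Hardened counterpart: TLS 1.2/1.3 only (TLSv1.3 needs Apache 2.4.37+ on OpenSSL
# 1.1.1+), weak families excluded explicitly, server-side preference order.
HARDENED_CONF = """\
<VirtualHost www.nixcraft.com:443>
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
</VirtualHost>
"""

if __name__ == "__main__":
    for name, conf in (("slide", SLIDE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ssl_conf(conf) or "no findings")
```

Run against a real ssl.conf the same way; the linter only reads the two directives, so the rest of the file is ignored.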
SSL in demoroot (VMware guest OS)
Message exchange with password authentication, as drawn on the slide (client on the left, server on the right):

    SSH Client                               SSH Server
        |--- SSH2? ----------------------------->|
        |<-- SSH2 -------------------------------|
        |--- Diffie-Hellman, etc? -------------->|
        |<-- Diffie-Hellman ---------------------|
        |<-- Send Serv_Pub_Key ------------------|
        |--- Serv_Pub_key(S_key) --------------->|
        |<-- OK ---------------------------------|
        |--- S_key(Uname, pwd) ----------------->|   (labelled "SSL secure communication" on the slide)
        |<-- OK ---------------------------------|
        |<== S_key(data) =======================>|
SSH Wireshark Trace
SSH Communications using public key

Problems with Password Authentication
- Passwords can be guessed.
- Default allows multiple attempts against account
  - Only 1 account / password needs to be guessed
- Alternate approach is to use public / private keys to authenticate user

Public Key Authentication
- Create public / private keypair
- Ensure that private
- Upload public key to server user account: ~/.ssh/authorized_keys
- ssh -o PreferredAuthentications=publickey server.example.org
SSH Communications using public key (contd.)

Message exchange with public key authentication, as drawn on the slide (client on the left, server on the right):

    SSH Client                               SSH Server
        |--- SSH2? ----------------------------->|
        |<-- SSH2 -------------------------------|
        |--- Diffie-Hellman, etc? -------------->|
        |<-- Diffie-Hellman ---------------------|
        |<-- Send Serv_Pub_Key ------------------|
        |--- Serv_Pub_key(S_key) --------------->|
        |<-- OK ---------------------------------|
        |--- S_key(Uname) ---------------------->|
        |<-- Client_Pub_key(Random) -------------|   challenge encrypted to the client's public key
        |--- Hash(Random) ---------------------->|   Client_Pri_key(msg): client decrypts with its private key
        |<-- OK ---------------------------------|
        |<== S_key(data) =======================>|
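The two public-key slides rest on the key the server holds in ~/.ssh/authorized_keys and on fingerprints to identify keys (slide 4). The following added example (not from the slides) parses an authorized_keys line, checks that the base64 blob really carries the key type the line claims, and computes the SHA256 and MD5 fingerprints that ssh-keygen -l prints; the same blob format and fingerprints apply to host keys in known_hosts. The 32 key bytes are constructed for the demo and are not a real Ed25519 key.

```python
import base64
import hashlib
import struct

# Key types accepted here; the textual type must match the type inside the blob.
KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def ssh_string(data):
    """Encode bytes as an SSH 'string': uint32 big-endian length, then payload (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(blob, offset):
    """Decode one SSH 'string' at offset; return (payload, offset after it)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def parse_authorized_key(line):
    """Parse one authorized_keys line: [options] keytype base64-blob [comment].

    Options such as from="..." or no-port-forwarding may precede the key type.
    The key type embedded in the blob must equal the textual one and the blob
    must be consumed exactly; anything else is rejected, as sshd would.
    """
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in KNOWN_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no recognised key type or missing key data")
    keytype = tokens[idx]
    blob = base64.b64decode(tokens[idx + 1], validate=True)  # binascii.Error is a ValueError
    embedded, off = read_ssh_string(blob, 0)
    if embedded != keytype.encode():
        raise ValueError(f"line says {keytype!r} but blob says {embedded!r}")
    fields = []
    while off < len(blob):
        field, off = read_ssh_string(blob, off)
        fields.append(field)
    if keytype == "ssh-ed25519" and (len(fields) != 1 or len(fields[0]) != 32):
        raise ValueError("ssh-ed25519 blob must hold exactly one 32-byte key")
    if keytype == "ssh-rsa" and len(fields) != 2:
        raise ValueError("ssh-rsa blob must hold exactly e and n")
    return {"options": " ".join(tokens[:idx]), "type": keytype, "blob": blob,
            "fields": fields, "comment": " ".join(tokens[idx + 2:])}

def fingerprint_sha256(blob):
    """OpenSSH default fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_md5(blob):
    """Legacy fingerprint (ssh-keygen -l -E md5): 'MD5:' + colon-separated hex of MD5(blob)."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

# Constructed demo key: 32 arbitrary bytes, NOT a real Ed25519 public key.
DEMO_PUBKEY = bytes(range(32))
DEMO_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(DEMO_PUBKEY)
DEMO_LINE = ('no-port-forwarding,from="10.0.0.0/8" ssh-ed25519 '
             + base64.b64encode(DEMO_BLOB).decode() + " demo@example")

if __name__ == "__main__":
    entry = parse_authorized_key(DEMO_LINE)
    print(entry["type"], entry["options"], entry["comment"])
    print(fingerprint_sha256(entry["blob"]))
    print(fingerprint_md5(entry["blob"]))
```

Feeding the lines of a real authorized_keys file through parse_authorized_key gives an inventory of key types, restrictions and fingerprints per account, which is what a review of who can log in without a password needs.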
sFTP in Linux (three screenshot slides)
SSH Tunneling

- Use SSH to create an encrypted channel between remote host and server
- Use that encrypted channel to carry other traffic.
SSH Tunneling (contd.)

    ssh -L 12345:192.168.1.10:80 -l root homenet.net

Local port 12345 is forwarded through the SSH connection to homenet.net (logged in as root) and delivered to port 80 on 192.168.1.10.
SSL/TLS Security

- Depends on integrity of public key certificate
- Public Key Infrastructure (PKI)
  - Components necessary to securely distribute public keys
  - Certificate Authorities: Organizations that certify the relationship between a public key and its owner.
    - Verisign, Thawte
SSL/TLS Vulnerability

SSL/TLS supports the concept of session renegotiation due to errors, requests, etc.

This feature assumes that the renegotiation is with the original party, and any requests or messages transmitted before the renegotiation are combined (prepended) with the requests after renegotiation.

This behavior can be abused to allow man-in-the-middle attacks.

Demonstrated with https, but the vulnerability exists with any application that uses SSL/TLS.
Reference

- sce.umkc.edu/~cotterr/it426_sp13/CS490ns_SSH_SSL_sp11_bw.ppt
- http://www.cyberciti.biz/faq/rhel-apache-httpd-mod-ssl-tutorial/

SSH
- SSH Tutorial (http://www.suso.org/docs/shell/ssh.sdf)
- www.openssh.org
- UNIX Secure Shell, Carasik, McGraw-Hill, 1999
- SSH Agent Forwarding (unixwiz.net/techtips/ssh-agent-forwarding.html)

SSL
- www.openSSL.org
- RFCs 2246, 3546
- SSL Authentication Gap (SSL Gap) (http://www.phonefactor.com/sslgap)
- TLS/SSL renegotiation vulnerability explained (http://www.g-sec.lu/practicaltls.pdf)