9/10/2011

JAVA-ORIENTED WEB PROGRAMMING
Lesson 17: SSL
Lecturer: MSc. Trinh Tuan Dat
Department of Software Engineering
Email: trinhtuandat.bk@gmail.com / dattt@soict.hut.edu.vn
Department of Software Engineering
School of Information and Communication Technology
Hanoi University of Science and Technology
1 DatTT-DSE-SOICT-HUST
Contents
1. What is SSL?
2. What is a certificate?
3. Browsers and certificates
4. JSSE
5. SSL support in Tomcat
6. Steps to install/configure an SSL HTTPS Connector on Tomcat
1. What is SSL?
SSL (Secure Socket Layer)
Secure Socket Layer (SSL)
To date, SSL dominates the security technologies used on the web
It is a security protocol that operates at the Transport layer
HTTPS: HTTP over SSL
Widely used in e-commerce and in sensitive web services that need security; proven through many years of use
SSL runs on top of the TCP layer
source: java.sun.com
Why SSL? SSL provides ...
Confidentiality (Privacy)
Data integrity (Tamper-proofing)
Server authentication (proving that a server is who it claims to be)
Used especially in B2C transactions
(Optional) client authentication
Required in B2B (or in Web service environments, where a program talks to a program)
SSL and Security Keys
Uses a public/private (asymmetric) key pair to create secret (symmetric) keys
The secret key is then used to encrypt the data
SSL operation is optimized for performance: encrypting data with a symmetric key is much faster than with an asymmetric key
Key exchange in SSL
[Figure: SSL key exchange. Client connects; server sends its certificate; client sends the encrypted premaster key; both sides create a session key for further communication from the premaster key]
SSL key exchange steps
The SSL client connects to an SSL server
The server then sends its certificate, which contains its public key
The client then generates a random key (the premaster key) and uses the server's public key to encrypt that random key
The client then sends the encrypted premaster key to the server
The server then decrypts it (only the server, which holds the private key, can decrypt it) and uses the decrypted premaster key to create a secret session key
From then on, both client & server use the secret session key to communicate
Agreeing on the encryption/decryption algorithm
Not all clients & servers use the same encryption & authentication algorithms
The SSL client and SSL server must negotiate the encryption/decryption algorithms (cipher suites) during the handshake, before real work begins
The connection between the two sides will fail if they have no algorithm in common
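The cipher suite negotiation and the key exchange steps above, carried through in Java with the JDK's built-in RSA and SHA-256 (an example added for this page, not code from the slides; the cipher suite lists are constructed, and the session-key derivation is a simplified stand-in for the real SSL/TLS PRF):

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;

public class SslKeyExchangeDemo {
    // Cipher suite agreement: the first suite in the server's preference order that the
    // client also offered. No common suite means the handshake fails.
    static String negotiate(List<String> clientOffers, List<String> serverSupports) {
        for (String suite : serverSupports) {
            if (clientOffers.contains(suite)) return suite;
        }
        throw new IllegalStateException("handshake failure: no cipher suite in common");
    }

    // Both sides turn the premaster key into the session key the same way.
    // Simplified: one SHA-256; real SSL/TLS runs its PRF over premaster + both randoms.
    static byte[] deriveSessionKey(byte[] premaster) throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        sha256.update("master secret".getBytes(StandardCharsets.US_ASCII));
        return sha256.digest(premaster);
    }

    public static void main(String[] args) throws Exception {
        // Server: RSA key pair; the public half is what the certificate carries
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair serverKeys = kpg.generateKeyPair();

        String suite = negotiate(
                List.of("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
                List.of("TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"));
        System.out.println("agreed cipher suite: " + suite);

        // Client: random 48-byte premaster key, encrypted with the server's public key
        byte[] premaster = new byte[48];
        new SecureRandom().nextBytes(premaster);
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, serverKeys.getPublic());
        byte[] encryptedPremaster = rsa.doFinal(premaster); // this is what goes on the wire

        // Server: only the private key holder can recover the premaster key
        rsa.init(Cipher.DECRYPT_MODE, serverKeys.getPrivate());
        byte[] serverPremaster = rsa.doFinal(encryptedPremaster);
        // Both sides now hold the same secret session key without it ever being transmitted
        byte[] clientKey = deriveSessionKey(premaster);
        byte[] serverKey = deriveSessionKey(serverPremaster);
        System.out.println("session keys match: " + Arrays.equals(clientKey, serverKey));
    }
}
```

Swapping the server list for one with no overlap makes negotiate() throw, which is the "no common algorithm" failure the slide describes.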
SSL Handshake Protocol
SSL and Encryption
We only need the server's certificate to be able to transmit encrypted data
Therefore, you do not need to install a client certificate in your browser to send a credit card number safely (with the desired privacy & data integrity)
SSL and Authentication
Server authentication
The server must present its certificate to the client in order to authenticate itself to the client
A web server usually has a certificate signed by a CA & presents it to its clients
Client authentication
The client must present its certificate to a server in order to authenticate itself to the server
Mutual authentication
SSL and Authentication (1)
When a browser talks to a web server, only server authentication is needed
E.g. when sending a credit card number to a server, the user wants to be sure the server is who it claims to be
In a B2B environment, client authentication is needed as well
The server wants to be sure it is talking to a client whose identity has been verified
SSL and Security for Web Applications
Passwords are encrypted when transmitted FROM the browser to the web server
In general: data is transmitted in encrypted form BETWEEN the browser and the web server
Server authentication
Completed before any data is transmitted in encrypted form
Client authentication
Rarely used
2. Certificates and the Keytool utility
What is a certificate?
A certificate is like an electronic driver's license
A certificate carries an embedded encrypted (cryptographic) signature and is ALMOST impossible to forge
A certificate can be purchased from (i.e. signed by) a well-known CA (Certificate Authority) such as Verisign (for a fee)
If authentication is not needed, i.e. you only want the data to be protected by encryption, you can self-sign your own certificate
What is a Server Certificate?
A certificate that contains information about the server
The server's public key
Other information
A web server must have a certificate for its communication with the outside world
Therefore, SSL and an HTTPS connector must be set up on Tomcat to carry out SSL communication
Why a Server Certificate?
Enables server authentication
Confirms the server's identity to the client
The client needs access to the server certificate
The server sends its server certificate - one step of the SSL key handshake
Tomcat's HTTPS service will not work until a server certificate is installed
3. Browsers and certificates
Netscape: Certificates of CAs
Netscape: Certificates of websites
Netscape: Certificates of other people
Netscape: Certificates you installed yourself
4. JSSE
What is JSSE?
The Java API that supports SSL (Secure Sockets Layer)
Included in J2SE 1.4
SSL 3.0 and TLS 1.0
Supports
Encryption
Server authentication
Optional client authentication
Data integrity
Why JSSE?
100% implemented in Java
Abstracts (and makes transparent) the complex encryption algorithms, reducing the security holes developers can introduce
Easy to use for developing secure applications
JSSE Framework
Provides the two packages java.security and java.net
Provides the two packages javax.net and javax.net.ssl
Extends the socket classes, key management, ...
SunJSSE Provider
The JSSE implementation bundled with JDK 1.4.1
Implemented following the Java Cryptography Architecture
Implements SSL v3.0 and TLS v1.0, as well as the common SSL and TLS cipher suites
getSupportedCipherSuites
getEnabledCipherSuites
setEnabledCipherSuites
JSSE programming: Server side
import java.io.*;
import javax.net.ssl.*;

public class Server {
    public static void main(String[] args) {
        int portNumber = 8443; // port to listen on (assumed value for this skeleton)
        SSLServerSocket server;
        try {
            SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
            server = (SSLServerSocket) factory.createServerSocket(portNumber);
            SSLSocket client = (SSLSocket) server.accept();
            // Create input and output streams as usual:
            // send secure messages to the client through the output stream,
            // receive secure messages from the client through the input stream
            BufferedReader in = new BufferedReader(new InputStreamReader(client.getInputStream()));
            PrintWriter out = new PrintWriter(client.getOutputStream(), true);
        } catch (Exception e) {
            e.printStackTrace(); // do not silently swallow handshake or I/O failures
        }
    }
}
JSSE programming: Client side
import java.io.*;
import javax.net.ssl.*;

public class Client {
    public static void main(String[] args) {
        String serverHost = "localhost"; // assumed values for this skeleton
        int port = 8443;
        try {
            SSLSocketFactory factory =
                (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket client = (SSLSocket) factory.createSocket(serverHost, port);
            // Create input and output streams as usual:
            // send secure messages to the server through the output stream,
            // receive secure messages from the server through the input stream
            PrintWriter out = new PrintWriter(client.getOutputStream(), true);
            BufferedReader in = new BufferedReader(new InputStreamReader(client.getInputStream()));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
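The server and client skeletons above combined into one runnable program, added here as an example rather than taken from the slides. It assumes a keystore file keyfile.keystore with password changeit produced by keytool as in step B1 below, and reuses that self-signed entry as the client's trust store, so the client accepts the server's certificate without a CA:

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.*;

public class JsseEchoDemo {
    // Keystore from step B1 ("keytool -genkey -keyalg RSA -alias tomcat -keystore keyfile.keystore").
    // Self-signed, so the same file doubles as the client's trust store (assumed name/password).
    static final String KEYSTORE = "keyfile.keystore";
    static final String PASSWORD = "changeit";

    public static void main(String[] args) throws Exception {
        System.setProperty("javax.net.ssl.keyStore", KEYSTORE);          // server identity
        System.setProperty("javax.net.ssl.keyStorePassword", PASSWORD);
        System.setProperty("javax.net.ssl.trustStore", KEYSTORE);        // what the client trusts
        System.setProperty("javax.net.ssl.trustStorePassword", PASSWORD);

        SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket server = (SSLServerSocket) ssf.createServerSocket(0); // any free port
        int port = server.getLocalPort();
        // Server side on its own thread: accept one client and echo one line back
        Thread serverThread = new Thread(() -> {
            try (SSLSocket client = (SSLSocket) server.accept();
                 BufferedReader in = new BufferedReader(
                         new InputStreamReader(client.getInputStream(), StandardCharsets.UTF_8));
                 PrintWriter out = new PrintWriter(
                         new OutputStreamWriter(client.getOutputStream(), StandardCharsets.UTF_8), true)) {
                out.println("echo: " + in.readLine());
            } catch (IOException e) {
                e.printStackTrace();
            }
        });
        serverThread.start();
        // Client side: handshake, then exchange one line over the encrypted channel
        SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) sf.createSocket("localhost", port)) {
            socket.startHandshake();
            // The suite reported here is the one both sides agreed on during the handshake
            System.out.println("negotiated cipher suite: " + socket.getSession().getCipherSuite());
            PrintWriter out = new PrintWriter(
                    new OutputStreamWriter(socket.getOutputStream(), StandardCharsets.UTF_8), true);
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(socket.getInputStream(), StandardCharsets.UTF_8));
            out.println("hello over SSL");
            System.out.println(in.readLine());
        } finally {
            serverThread.join();
            server.close();
        }
    }
}
```

Pointing javax.net.ssl.trustStore at a different keystore makes the client's handshake fail with an SSLHandshakeException, which is the server-authentication check the slides describe in action.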
5. SSL support in Tomcat
SSL for Tomcat
Requires the following modules
JSSE (Java Secure Socket Extension)
Server certificate keystore
and an HTTPS connector
The developer must install and configure the SSL HTTPS connector on Tomcat
JSSE
Included in the Java WSDP tutorial
<JWSDP-Install>/common/jsse.jar
http://homepage.mac.com/iamnot/eden-pub/how2BuildServer/install_jwsdp.html
Provides the SSL/TLS support library (jsse.jar)
SSL provides encryption, server authentication and message integrity on top of the TCP/IP protocol suite
Data transmitted at the application layer is secured regardless of the protocol (HTTP, FTP, Telnet, ...)
Based on certificate-based security (public and private keys)
6. Steps to install and configure SSL on Tomcat
Step 1. Generate the private & public keys and a (self-signed) server certificate
keytool -genkey -keyalg RSA -alias tomcat -keystore <keystore_filename>
Enter the password, the server's fully-qualified name, ...
1.1 Example: using keytool
C:\>keytool -genkey -keyalg RSA -alias tomcat -keystore \tmp\keyfile.keystore
Enter keystore password: changeit
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: sun
What is the name of your organization?
[Unknown]: mde
What is the name of your City or Locality?
[Unknown]: burlington
What is the name of your State or Province?
[Unknown]: ma
What is the two-letter country code for this unit?
[Unknown]: us
Is CN=localhost, OU=sun, O=mde, L=burlington, ST=ma, C=us correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password):
Step 2. Configure the SSL Connector & restart Tomcat
By default, SSL HTTPS is turned OFF in Tomcat
The developer can enable and configure an SSL HTTPS Connector on port 8443 in one of the following two ways
Via Admintool
Edit <JWSDP_HOME>/conf/server.xml (in effect, uncomment the SSL connector element) as described in
<JWSDP_HOME>/docs/tutorial/doc/WebAppSecurity6.html#68482
Restart Tomcat
Step 2.1 - Admintool
Step 2.2 The SSL Connector element in server.xml
<!-- SSL Connector on Port 8443 -->
<Connector
    className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="8443"
    minProcessors="5"
    maxProcessors="75"
    enableLookups="false"
    acceptCount="10"
    connectionTimeout="60000"
    debug="0"
    scheme="https"
    secure="true">
  <Factory
      className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
      clientAuth="false" protocol="TLS" />
</Connector>
Step 3. Verify the SSL installation
From the browser, enter the URL:
https://localhost:8443/
Port 8443 is where the SSL connector was created
Step 3.1 Example: verifying the SSL installation
Step 3.2 Example: verifying the SSL installation
Step 3.3 Example: verifying the SSL installation
Step 3.4 Example: verifying the SSL installation
Step 3.5 Example: verifying the SSL installation