9/10/2011

Department of Software Engineering
School of Information and Communication Technology
Hanoi University of Science and Technology

JAVA-ORIENTED WEB PROGRAMMING

Lesson 17: SSL

Lecturer: MSc. Trịnh Tuấn Đạt
Department of Software Engineering
Email: trinhtuandat.bk@gmail.com / dattt@soict.hut.edu.vn
DatTT-DSE-SOICT-HUST

Contents

1. What is SSL?
2. What is a certificate?
3. Browsers and certificates
4. JSSE
5. SSL support in Tomcat
6. Steps to install and configure an SSL HTTPS Connector on Tomcat

1. What is SSL?

SSL (Secure Socket Layer)

- To date, SSL dominates the security technologies used on the web.
- It is a protocol that provides security and operates at the Transport layer: SSL runs on top of the TCP layer.
- HTTPS: HTTP over SSL.
- Used heavily in e-commerce and in sensitive web services that need security, and proven through many years of use.

(Figure: SSL in the protocol stack; source: java.sun.com)

Why SSL? SSL provides ...

- Confidentiality (Privacy)
- Data integrity (Tamper-proofing)
- Server authentication: proves that a server is what it claims to be. Used in particular in B2C transactions.
- (Optional) client authentication. Required in B2B (or in Web service environments, where a program talks to a program).

SSL and security keys

- Uses public/private (asymmetric) keys to create secret (symmetric) keys.
- The secret key is then used to encrypt the data.
- SSL operation is optimized for performance: encrypting data with a symmetric key is much faster than with an asymmetric key.

Key exchange in SSL

Steps of the SSL key exchange:

1. Client connects.
2. Server sends its certificate.
3. Client sends the encrypted premaster key.
4. A session key for further communication is created from the premaster key.

In more detail:

- The SSL client connects to an SSL server.
- The server then sends its certificate, which contains its public key.
- The client then creates a random key (the premaster key) and uses the server's public key to encrypt that random key.
- The client then sends the encrypted premaster key to the server.
- The server then decrypts it (only the server, which holds the private key, can decrypt it) and uses the decrypted premaster key to create a secret session key.
- After that, both client and server use the secret session key to communicate.

(Figure: client/server key exchange diagram)
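To make the steps above concrete, here is an added example that is not part of the lecture slides: a single-JVM simulation of the key exchange written with the JDK's standard crypto classes. The server's RSA key pair stands in for the key behind its certificate (no real certificate, socket or network is involved), an HMAC-SHA256 over a fixed label stands in for the SSL/TLS PRF that turns the premaster key into the session key, and AES-GCM stands in for the record-layer cipher. The class and method names (KeyExchangeDemo, ServerSide, ClientSide, runExchange) are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyExchangeDemo {

    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private static final SecureRandom RNG = new SecureRandom();

    // Step 4 (both sides): turn the 48-byte premaster key into the secret session key.
    // Real SSL/TLS runs a PRF over premaster + both nonces; this HMAC over a fixed
    // label is the simplified stand-in used in this demo.
    static SecretKey deriveSessionKey(byte[] premaster) throws GeneralSecurityException {
        Mac prf = Mac.getInstance("HmacSHA256");
        prf.init(new SecretKeySpec(premaster, "HmacSHA256"));
        byte[] material = prf.doFinal("session key".getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(material, 0, 16, "AES");   // AES-128 session key
    }

    // Record protection with the session key: AES-GCM gives confidentiality and integrity.
    static byte[] seal(SecretKey key, byte[] iv, byte[] plaintext) throws GeneralSecurityException {
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return aes.doFinal(plaintext);
    }

    static byte[] open(SecretKey key, byte[] iv, byte[] ciphertext) throws GeneralSecurityException {
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return aes.doFinal(ciphertext);   // throws AEADBadTagException if the record was tampered with
    }

    static class ServerSide {
        private final KeyPair keyPair;     // stands in for the key pair behind the server certificate
        private SecretKey sessionKey;

        ServerSide() throws GeneralSecurityException {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(2048);
            keyPair = kpg.generateKeyPair();
        }

        // Step 2: "server sends its certificate"; only the public key leaves the server.
        PublicKey certificatePublicKey() { return keyPair.getPublic(); }

        // Step 3/4: only the holder of the private key can recover the premaster key.
        void receivePremaster(byte[] encryptedPremaster) throws GeneralSecurityException {
            Cipher rsa = Cipher.getInstance(RSA_OAEP);
            rsa.init(Cipher.DECRYPT_MODE, keyPair.getPrivate());
            sessionKey = deriveSessionKey(rsa.doFinal(encryptedPremaster));
        }

        String receive(byte[] iv, byte[] ciphertext) throws GeneralSecurityException {
            return new String(open(sessionKey, iv, ciphertext), StandardCharsets.UTF_8);
        }
    }

    static class ClientSide {
        private SecretKey sessionKey;

        // Step 3: random premaster key, encrypted under the server's public key.
        byte[] sendPremaster(PublicKey serverPublicKey) throws GeneralSecurityException {
            byte[] premaster = new byte[48];
            RNG.nextBytes(premaster);
            sessionKey = deriveSessionKey(premaster);
            Cipher rsa = Cipher.getInstance(RSA_OAEP);
            rsa.init(Cipher.ENCRYPT_MODE, serverPublicKey);
            return rsa.doFinal(premaster);
        }

        byte[] newIv() { byte[] iv = new byte[12]; RNG.nextBytes(iv); return iv; }

        byte[] send(byte[] iv, String text) throws GeneralSecurityException {
            return seal(sessionKey, iv, text.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Runs the whole exchange; true when the server reads exactly what the client sent.
    static boolean runExchange(String message) throws GeneralSecurityException {
        ServerSide server = new ServerSide();                         // step 1: client connects
        ClientSide client = new ClientSide();
        PublicKey serverKey = server.certificatePublicKey();          // step 2
        byte[] encryptedPremaster = client.sendPremaster(serverKey);  // step 3
        server.receivePremaster(encryptedPremaster);                  // step 4
        byte[] iv = client.newIv();
        byte[] record = client.send(iv, message);                     // both sides now use the session key
        return message.equals(server.receive(iv, record));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println("session key agreed, round trip ok: " + runExchange("hello over SSL"));
    }
}
```

Two design points worth noticing. First, the private key is used exactly once, to unwrap the premaster key; all bulk data goes through the symmetric session key, which is the performance argument the slides make. Second, this RSA key-transport exchange is how SSL and TLS up to 1.2 agree on a key; anyone who later obtains the server's private key can decrypt recorded sessions, which is why TLS 1.3 dropped RSA key transport in favour of ephemeral Diffie-Hellman.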

SSL Handshake Protocol

Agreeing on the cipher algorithms

- Not all clients and servers use the same encryption and authentication algorithms.
- The SSL client and SSL server must negotiate the encryption and decryption algorithms (cipher suites) during the handshake, which prepares the connection for work.
- The connection between the two sides will not succeed if they have no algorithm in common.

SSL and Encryption

- A password is encrypted when transmitted FROM the browser TO the web server.
- In general: encrypted data is transmitted BETWEEN the browser and the web server.

SSL and Authentication

Server authentication
- Example: when sending a credit card number to a server, the user wants to be sure that the server is what it claims to be.

Client authentication
- The server wants to be sure that it is talking to a client whose identity has been authenticated.
- In a B2B environment, client authentication is also required.

Authentication is completed before any data is transmitted in encrypted form.

SSL and security for Web applications

- We only need the server's certificate to be able to transmit encrypted data.
- Therefore, you do not need to install a client certificate in your browser to send a credit card number safely (with the desired privacy and data integrity).
- When a browser talks to a web server, only server authentication is needed.

SSL and Authentication (1)

Server authentication
- The server must present its certificate to the client in order to authenticate itself to the client.
- A web server usually has a certificate signed by a CA and presents it to its clients.

Client authentication
- The client presents its certificate to a server in order to authenticate itself to that server.
- Rarely used.

Mutual authentication

2. Certificates and the keytool utility

What is a certificate?

- A certificate is like an electronic driver's licence.
- A certificate carries an embedded cryptographic signature and is ALMOST impossible to forge.
- A certificate can be bought from (signed by) a well-known CA (Certificate Authority) such as Verisign (for a fee).
- If authentication is not needed, i.e. you only want the data protected by encryption, you can sign your own certificate (self-signed).

What is a server certificate?

- A certificate containing information about the server:
  - the server's public key
  - other information
- A web server must have a certificate for its communication with the outside world.
- Therefore SSL and an HTTPS connector must be installed on Tomcat to carry out SSL communication.

Why a server certificate?

- It enables server authentication: it confirms the server's identity to the client.
- The client needs access to the server certificate: the server sends the server certificate as one step in the SSL key handshake.
- Tomcat's HTTPS service will not work until a server certificate is installed.

3. Browsers and certificates

(Screenshots of Netscape's certificate manager:)
- Netscape: certificates of the CAs
- Netscape: other people's certificates
- Netscape: certificates of Websites
- Netscape: certificates you installed yourself

4. JSSE

What is JSSE?

- A Java API supporting SSL (Secure Sockets Layer).
- Included in J2SE 1.4.
- 100% implemented in Java.

Supports
- SSL 3.0 and TLS 1.0
- Encryption
- Server authentication
- Optional client authentication
- Data integrity

Why JSSE?

- Abstracts (and makes transparent) the complex cryptographic algorithms, reducing security holes for the developer.
- Easy to use for developing secure applications.

JSSE Framework

- Extends the socket classes, key management, ...
- The JSSE bundle shipped with JDK 1.4.1 is implemented on the Java Cryptography Architecture.
- Implements SSL v3.0 and TLS v1.0, as well as the common SSL and TLS cipher suites.
- Provides the two packages java.security and java.net.

SunJSSE Provider

- Provides the two packages javax.net and javax.net.ssl.

Cipher suite methods on SSLSocket and SSLServerSocket:
- getSupportedCipherSuites
- getEnabledCipherSuites
- setEnabledCipherSuites
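The handshake section says the two sides must share a cipher suite, and the three methods listed above are how a JSSE program controls which suites its side offers. The following is an added example, not code from the lecture, showing both: it reads what the provider supports, keeps only suites with forward secrecy and AEAD protection (plus TLS 1.2/1.3), and applies the result with setEnabledCipherSuites and setEnabledProtocols. The class name and the policy helpers (CipherSuitePolicy, isWeak, selectStrongSuites, selectProtocols, harden) are mine; the suite-name patterns follow the standard IANA naming that JSSE uses.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherSuitePolicy {

    // Suites that must never be offered: no encryption, no authentication,
    // broken or export-grade ciphers, MD5 MACs.
    static boolean isWeak(String suite) {
        return suite.contains("_NULL_") || suite.contains("_anon_")
            || suite.contains("_RC4_") || suite.contains("_DES_")
            || suite.contains("_3DES_") || suite.contains("EXPORT")
            || suite.endsWith("_MD5");
    }

    // From everything the JSSE provider supports, keep only suites with forward
    // secrecy (ECDHE) and AEAD record protection (GCM), plus the TLS 1.3 suites,
    // which have both by construction.
    static String[] selectStrongSuites(String[] supported) {
        List<String> chosen = new ArrayList<>();
        for (String suite : supported) {
            if (isWeak(suite)) continue;
            boolean tls13 = suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_");
            boolean pfsAead = suite.contains("_ECDHE_") && suite.contains("_GCM_");
            if (tls13 || pfsAead) chosen.add(suite);
        }
        return chosen.toArray(new String[0]);
    }

    // Only TLS 1.2 and 1.3; SSL 3.0, TLS 1.0 and TLS 1.1 are left out. Filtering
    // against getSupportedProtocols() avoids an IllegalArgumentException on a
    // JDK that does not know TLSv1.3.
    static String[] selectProtocols(String[] supported) {
        List<String> wanted = Arrays.asList("TLSv1.3", "TLSv1.2");
        List<String> chosen = new ArrayList<>();
        for (String p : supported) if (wanted.contains(p)) chosen.add(p);
        return chosen.toArray(new String[0]);
    }

    // Apply the policy with the three methods from the slide.
    static String[] harden(SSLServerSocket socket) {
        String[] before = socket.getEnabledCipherSuites();
        socket.setEnabledCipherSuites(selectStrongSuites(socket.getSupportedCipherSuites()));
        socket.setEnabledProtocols(selectProtocols(socket.getSupportedProtocols()));
        String[] after = socket.getEnabledCipherSuites();
        System.out.println("enabled cipher suites: " + before.length + " -> " + after.length);
        return after;
    }

    public static void main(String[] args) throws IOException {
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // Port 0 = any free port; the socket is never accepted on, so no keystore
        // is needed just to inspect and set the policy.
        try (SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(0)) {
            for (String suite : harden(socket)) System.out.println("  " + suite);
            System.out.println("protocols: " + Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```

A client that offers none of the remaining suites gets a handshake failure, which is exactly the "no algorithm in common" case the slide describes; the fix on the client side is to enable a modern suite, not to widen the server policy. The same three methods exist on SSLSocket for the client side, and on SSLEngine for non-blocking I/O.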

JSSE programming: server side

import java.io.*;
import javax.net.ssl.*;

public class Server {
    public static void main(String[] args) {
        int port = Integer.parseInt(args[0]);   // port number to listen on
        // The default factory takes the server key pair from the keystore given by
        // -Djavax.net.ssl.keyStore=... -Djavax.net.ssl.keyStorePassword=...
        try {
            SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
            SSLServerSocket server =
                (SSLServerSocket) factory.createServerSocket(port);
            SSLSocket client = (SSLSocket) server.accept();   // handshake runs on first I/O

            // Create input and output streams as usual
            BufferedReader in = new BufferedReader(
                new InputStreamReader(client.getInputStream()));
            PrintWriter out = new PrintWriter(client.getOutputStream(), true);

            // receive secure messages from client through the input stream
            String message = in.readLine();
            // send secure messages to client through the output stream
            out.println("server got: " + message);

            client.close();
            server.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

JSSE programming: client side

import java.io.*;
import javax.net.ssl.*;

public class Client {
    public static void main(String[] args) {
        String serverHost = args[0];
        int port = Integer.parseInt(args[1]);
        // The default factory checks the server certificate against the trust store
        // given by -Djavax.net.ssl.trustStore=... (or the JDK's cacerts file)
        try {
            SSLSocketFactory factory =
                (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket socket =
                (SSLSocket) factory.createSocket(serverHost, port);

            // Create input and output streams as usual
            PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
            BufferedReader in = new BufferedReader(
                new InputStreamReader(socket.getInputStream()));

            // send secure messages to server through the output stream
            out.println("hello over SSL");
            // receive secure messages from server through the input stream
            System.out.println(in.readLine());

            socket.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

5. SSL support in Tomcat

SSL for Tomcat

The following modules are needed:
- JSSE (Java Secure Socket Extension)
- a server certificate keystore
- and an HTTPS connector

Developers must install and configure an SSL HTTPS connector on Tomcat.

JSSE

- Included in the Java WSDP tutorial.
- Provides the library package supporting SSL/TLS (jsse.jar):
  <JWSDP-Install>/common/jsse.jar
  http://homepage.mac.com/iamnot/edenpub/how2BuildServer/install_jwsdp.html
- SSL supports encryption, server authentication and message integrity on top of the TCP/IP protocol suite.
- Data transmitted at the application layer is secured for any protocol (HTTP, FTP, Telnet, ...).
- Based on certificate security (public and private keys).

6. Steps to install and configure SSL on Tomcat

B1. Generate the private and public keys and the (self-signed) server certificate

keytool -genkey -keyalg RSA -alias tomcat -keystore <keystore_filename>

Enter the password, the fully-qualified name of the server, ...

1.1 Example: using keytool

C:\>keytool -genkey -keyalg RSA -alias tomcat -keystore \tmp\keyfile.keystore
Enter keystore password: changeit
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: sun
What is the name of your organization?
[Unknown]: mde
What is the name of your City or Locality?
[Unknown]: burlington
What is the name of your State or Province?
[Unknown]: ma
What is the two-letter country code for this unit?
[Unknown]: us
Is CN=localhost, OU=sun, O=mde, L=burlington, ST=ma, C=us correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password):
B2. Configure the SSL Connector and restart Tomcat

- By default, SSL HTTPS is turned OFF on Tomcat.
- Developers can enable and configure an SSL HTTPS Connector on port 8443 in one of the following two ways:
  - Via Admintool
  - Edit <JWSDP_HOME>/conf/server.xml (in effect, uncomment the SSL connector element) as described in
    <JWSDP_HOME>/docs/tutorial/doc/WebAppSecurity6.html#68482
- Restart Tomcat.

B2.1 Admintool (screenshot)

B2.2 The SSL Connector element in server.xml

<!-- SSL Connector on Port 8443 -->
<Connector
    className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="8443"
    minProcessors="5"
    maxProcessors="75"
    enableLookups="false"
    acceptCount="10"
    connectionTimeout="60000"
    debug="0"
    scheme="https"
    secure="true">
  <Factory
      className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
      clientAuth="false" protocol="TLS" />
</Connector>

B3. Verify that SSL is installed

From the browser, type the address:

https://localhost:8443/

Port 8443 is where the SSL connector was created.

B3.1 to B3.5 Example: verifying the SSL installation (browser screenshots)
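Steps B1 to B3 can be checked from a program instead of a browser. The following is an added example, not code from the lecture or from Tomcat: it opens the keystore produced in B1, confirms that the tomcat alias holds a private key with a valid self-signed certificate, and then connects to https://localhost:8443/ trusting only that certificate, so the connection is validated without switching certificate checking off. It assumes the keystore path, password (changeit) and alias (tomcat) from the keytool session above, that Tomcat is running with the connector from B2.2, and that the certificate's CN (localhost) matches the URL host; the class and method names (VerifySslSetup, checkKeystore, trustOnly) are mine.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class VerifySslSetup {

    // Values from the keytool session in step B1 (adjust the path to your system).
    static final String KEYSTORE = "\\tmp\\keyfile.keystore";
    static final char[] PASSWORD = "changeit".toCharArray();
    static final String ALIAS = "tomcat";
    static final String URL_UNDER_TEST = "https://localhost:8443/";

    // Check the server keystore before trusting it: the alias must hold a private key,
    // and its certificate must be the self-signed one we generated (subject == issuer,
    // signature verifies with its own public key) and currently valid.
    static X509Certificate checkKeystore(String path) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);                   // wrong password -> IOException
        }
        if (!ks.isKeyEntry(ALIAS)) {
            throw new IllegalStateException("no private-key entry for alias " + ALIAS);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);
        cert.checkValidity();                       // expired / not yet valid -> exception
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            throw new IllegalStateException("expected a self-signed certificate, issuer is "
                + cert.getIssuerX500Principal());
        }
        cert.verify(cert.getPublicKey());           // self-signed: signed with its own key
        return cert;
    }

    // A trust store that contains only this one certificate: the client then accepts
    // this server and nothing else, with full chain and host name validation still on.
    static SSLContext trustOnly(X509Certificate cert) throws IOException, GeneralSecurityException {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);                     // empty, in-memory trust store
        trust.setCertificateEntry("tomcat-selfsigned", cert);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : KEYSTORE;
        X509Certificate cert = checkKeystore(path);
        System.out.println("keystore ok: " + cert.getSubjectX500Principal()
            + " (" + cert.getPublicKey().getAlgorithm() + " key, expires " + cert.getNotAfter() + ")");

        // Same check the browser makes in B3, but against our own one-entry trust store.
        // Host name verification stays on: the certificate's CN=localhost must match the URL host.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(URL_UNDER_TEST).openConnection();
        conn.setSSLSocketFactory(trustOnly(cert).getSocketFactory());
        conn.connect();
        System.out.println("HTTP " + conn.getResponseCode() + " using " + conn.getCipherSuite());
        X509Certificate presented = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("server presented: " + presented.getSubjectX500Principal()
            + (presented.equals(cert) ? " (matches keystore)" : " (DIFFERENT certificate!)"));
        conn.disconnect();
    }
}
```

Run it with the keystore path as the first argument once Tomcat is up. A failure in checkKeystore means the connector will not start correctly either, so it is worth running before B2. If the server only offers SSL 3.0 or TLS 1.0, a current JDK client rejects the handshake because those versions are disabled by default; the remedy is to update the server side, not to re-enable them in the client or to replace the trust manager with one that accepts everything.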