WebSphere MQ

MQ and SSL

Neil Kolban IBM Corp kolban@us.ibm.com

October 31st 2002

2002 IBM Corporation

Overview
Part I: Overview of security goals and SSL
Part II: The MQ SSL story

WebSphere MQ & SSL

Security
Goals of security
  Confidentiality
  Message integrity
  Endpoint Authentication

Encryption (1)
Encryption
  Data confidentiality
  Plain text vs Cipher text

[Diagram: Plaintext, Ciphertext, Plaintext]

Encryption (2)
Encryption
  Data confidentiality
  Plain text vs Cipher text

Plain   A B C D E F G H I Z
Cipher  T M I N Q C D B A R

Encryption
  E(Plain) = Cipher
  Example: E(HEAD) = BQTN

Decryption
  D(Cipher) = Plain
  Example: D(BQTN) = HEAD

Cipher keys (1)

[Diagram: Plaintext, Encryption, Ciphertext, Decryption, Plaintext]

Cipher keys (2)


Keys
  Shared secret key
  Symmetric cryptography
  Common algorithms
    DES
    RC2
    RC4

Plain       A B C D E F G H I Z
Cipher K=1  T M I N Q C D B A R
Cipher K=2  N T Y C P S U L E M
Cipher K=n  O W E T S C I N F H

Encryption
  E(Plain, Key) = Cipher
  E(HEAD, 2) = LPNC

Decryption
  D(Cipher, Key) = Plain
  D(LPNC, 2) = HEAD

Public Key Cryptography (1)


[Diagram: Plaintext, Encryption (Public key), Ciphertext, Decryption (Private key), Plaintext]

Public Key Cryptography (2)


Two keys
  One public (known to everyone)
  One private (known only to you)
  Common algorithms
    RSA
    Diffie-Hellman
  Asymmetric cryptography

E(Plain, Key_public) = Cipher
D(Cipher, Key_private) = Plain
Keys are asymmetric
Relatively expensive to use

Security
Goals of security
  Confidentiality
  Message integrity
  Endpoint Authentication

Message Digest (1)


Input: arbitrary length message
Output: fixed length string
Attributes
  Irreversibility
  Collision resistance
Other names for this
  Hashing
  Checksum
Common algorithms
  MD5
  SHA

Message Digest (2)


H(Message) = HashData
H(Message1) H(Message2) Message1 Message2

[Diagram: Message, Digest]

Digital Signature (1)


Digital Signature built from
  Message Digest
  Public key encryption

Used to prove that a message has not been tampered with.

Digital Signature (2)

[Diagram: h, Private Key]

Digital Signature (3)

[Diagram: h, Public Key, ?]

Security
Goals of security
  Confidentiality
  Message integrity
  Endpoint Authentication

Man in the middle attack

Certificate Authority

Certificates
Issued by CA
  VeriSign
  Entrust
  CyberTrust
  etc

Contains
  Subject Name
  Issuer Name
  X.500 distinguished names

X.509
  Common certificate exchange format

Security
Goals of security
  Confidentiality
  Message integrity
  Endpoint Authentication

Implement this design and you have SSL!!

Part II: MQ and SSL

Data movement between queue managers

[Diagram: Queue Manager to Queue Manager, No SSL; Queue Manager to Queue Manager, With SSL]

Adding SSL Support

[Diagram: Queue Manager, Channel, Queue Manager over TCP/IP, Link, TCP/IP; then Queue Manager, Channel, Queue Manager with SSL, Encryption, SSL layered over TCP/IP, Link, TCP/IP]

MQ SSL Implementations
Supports SSL V3.0
Implemented using:

Java     JSSE (Java Secure Socket Extension)
Windows  SChannel
Unix     ???
z/OS     System SSL

Channel Security
SSL can be used across channels
All kinds of channels supported
  Sender
  Receiver
  Cluster
  Client
  Etc

Specified on a per channel basis

Key questions
Which CipherSpec shall be used?
  Cost of security
  Performance characteristics

Is client authentication required?
  Uni or bidirectional authentication

Names of accepted peers.
  Limit the names of channel initiators (SSL clients)

Channel definitions
SSL either enabled or disabled by channel definition
New parameters for channel definitions
  Cipher spec (SSLCIPH)
  DNs allowed (SSLPEER)
  Client authentication required (SSLCAUTH)

SSLCipherSpec (SSLCIPH) Channel attribute


Name of the Cipher specification to use
If blank, no SSL
Same attribute value required on both ends of the channel

CipherSpec name               Hash algorithm  Encryption algorithm  Encryption bits
NULL_MD5                      MD5             None                  0
NULL_SHA                      SHA             None                  0
RC4_MD5_EXPORT                MD5             RC4                   0
RC4_MD5_US                    MD5             RC4                   40
RC4_SHA_US                    SHA             RC4                   128
RC2_MD5_EXPORT                MD5             RC2                   128
DES_SHA_EXPORT                SHA             DES                   40
RC4_56_SHA_EXPORT1024         SHA             RC4                   56
DES_SHA_EXPORT1024            SHA             DES                   56
TRIPLE_DES_SHA_US             SHA             3DES                  128
TLS_RSA_WITH_AES_128_CBC_SHA  SHA             AES                   128
TLS_RSA_WITH_AES_128_CBC_SHA  SHA             AES                   256

SSLClientAuth (SSLCAUTH) - Channel attribute


Requestor to form channel considered the SSL Client
Defines if certificate from client is needed to form channel
Values:
  Required: Client authentication required
  Optional: Client authentication optional

SSLPeerName (SSLPEER) - Channel attribute


Distinguished names of the allowed partners
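
Added example (not part of the original slides and not IBM code): a Python check over MQSC DEFINE CHANNEL statements for the three attributes above, SSLCIPH, SSLCAUTH and SSLPEER, including the rule that SSLCIPH must match on both ends of a channel. The channel names, hosts and DNs are constructed, and reporting NULL_ and EXPORT CipherSpecs as findings is this example's assumption.

```python
import re

# Constructed sample MQSC for two queue managers (names and hosts are made up).
QM1 = """\
DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(SDR) CONNAME('qm2.example(1414)') XMITQ(QM2) +
       SSLCIPH(TRIPLE_DES_SHA_US) SSLPEER('CN=QM2,O=Example')
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(RC4_MD5_EXPORT) SSLCAUTH(OPTIONAL)
DEFINE CHANNEL(LEGACY) CHLTYPE(RCVR) SSLCIPH(' ')
"""
QM2 = """\
DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(RCVR) SSLCIPH(RC4_SHA_US) +
       SSLCAUTH(REQUIRED) SSLPEER('CN=QM1,O=Example')
"""

def parse_mqsc(text):
    """Return {channel name: {ATTRIBUTE: value}} for each DEFINE CHANNEL."""
    text = re.sub(r"\+[ \t]*\n", " ", text)  # join '+' continuation lines
    channels = {}
    for stmt in text.splitlines():
        m = re.match(r"\s*DEFINE\s+CHANNEL\(([^)]*)\)(.*)", stmt, re.I)
        if m:
            # Quoted values may contain parentheses, e.g. CONNAME('host(1414)').
            pairs = re.findall(r"(\w+)\(('[^']*'|[^)]*)\)", m.group(2))
            channels[m.group(1)] = {k.upper(): v.strip("'").strip() for k, v in pairs}
    return channels

def audit(local, remote):
    """Check one queue manager's channels, comparing SSLCIPH with the partner."""
    findings = []
    for name, attrs in sorted(local.items()):
        ciph = attrs.get("SSLCIPH", "").upper()
        if not ciph:
            findings.append((name, "SSLCIPH blank: no SSL on this channel"))
            continue
        if ciph.startswith("NULL_"):
            findings.append((name, ciph + ": digest only, data not encrypted"))
        elif "EXPORT" in ciph:
            findings.append((name, ciph + ": export-grade CipherSpec"))
        if attrs.get("SSLCAUTH", "").upper() == "OPTIONAL":
            findings.append((name, "SSLCAUTH(OPTIONAL): client certificate not enforced"))
        if not attrs.get("SSLPEER"):
            findings.append((name, "SSLPEER not set: partner DN not restricted"))
        partner = remote.get(name)
        if partner and partner.get("SSLCIPH", "").upper() != ciph:
            findings.append((name, "SSLCIPH differs between the two ends"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(parse_mqsc(QM1), parse_mqsc(QM2)):
        print(f"{name}: {issue}")
```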

Obtaining certificates
Certificates obtained from Commercial CA
Certificates for test environments
  OpenSSL
  MakeCert
  Java 1.4 Keytool
  IKeyMan

Certificate Stores
Certificates stored in key repositories
Queue manager SSLKeyRepository (SSLKEYR) attribute specifies the queue manager's location of its own certificate
MQ Client uses the MQSSLKEYR environment variable to specify location of certificate store

The amqmcert command


Used to manage MQSeries certificate store
  Adds certificates to store
  Removes certificates from store
  Lists certificates in store
  Assigns certificate to queue manager

Performance
Nothing for nothing
Extra CPU overhead for encrypted data
No official IBM numbers yet published
Performance expected to be equivalent to moving same quantity of data over base SSL implementation
  Possibly better due to single handshake and reuse
  Overhead based on ciphersuite employed
