CMU ISM 95733 - SSL


Outline

Applied Cryptography
SSL Web Applications
SSL Overview
Writing a simple SSL Client
Creating a Truststore
(1) Use keytool -genkey to create an RSA key pair
(2) Use keytool -export to generate a self-signed RSA certificate (holding no private key)
(3) Use keytool -import to place the certificate into a truststore
File Organization
Client.java
Server.java
On the server
On the client
What we have so far…
For client authentication we need
(1) Generate a key pair for the client
(2) Extract a client certificate from the key pair
(3) Copy the certificate to the server
(4) Import the certificate into the server's truststore
(5) Have the server code trust the truststore
(6) Have the client code know about its own keys
Testing
Testing after deleting the server’s truststore
Testing after deleting the client’s truststore
Configuring Tomcat for SSL
Use admin tool to tell Tomcat about SSL
Protecting A Servlet
VoterServlet.java
index.html
Web.xml deployment descriptor
Build.properties
Send Vote With SOAP over HTTPS (Server Authentication)
Note
Output First
Output First – SOAP Client
A SOAP CLIENT Using SSL
SOAP Servlet Using SSL
Client Authentication
(1) Generate a key set for the client
(2) Generate a certificate from the keys
(3) Place the client’s certificate into the server’s keystore
(4) Tell Tomcat to authenticate clients
(5) Tell the client to load its keys for SSL
But with the following

Applied Cryptography

Michael McCarthy

“SOAP is going to open up a whole new avenue for security vulnerabilities”
Bruce Schneier, June 2000

SSL Web Applications

• Server Authentication
• Client Authentication
• Configuring Tomcat for SSL
• Writing an SSL servlet for a browser
• Writing an SSL JAXM servlet for a SOAP client
• XML Key Management

SSL Overview

• Performs secret key exchange like Diffie-Hellman
• Data is encrypted with the exchanged key
• Clients do not need to provide a certificate but may be required to by the server
• Client authentication is typically done in the application layer
• Servers must provide a certificate
• Normally uses RSA

Writing a simple SSL Client

• All SSL clients must have a truststore
• If a client is to be verified by the server then the client needs a keystore as well as a truststore
• The truststore
  - holds trusted certificates (signed public keys of CAs)
  - is in the same format as a keystore
  - is an instance of Java’s KeyStore class
  - is used by the client to verify the certificate sent by the server
  - may be shared with others

Creating a Truststore

(1) Use keytool -genkey to create an RSA key pair
(2) Use keytool -export to generate a self-signed RSA certificate (holding no private key)
(3) Use keytool -import to place the certificate into a truststore

(1) Use keytool -genkey to create an RSA key pair

    D:\McCarthy\www\95-804\examples\keystoreexamples>keytool -genkey -alias mjm -keyalg RSA -keystore mjmkeystore
    Enter keystore password: sesame
    What is your first and last name?
      [Unknown]: Michael McCarthy
    What is the name of your organizational unit?
      [Unknown]: Heinz School
    What is the name of your organization?
      [Unknown]: CMU
    What is the name of your City or Locality?
      [Unknown]: Pittsburgh
    What is the name of your State or Province?
      [Unknown]: PA
    What is the two-letter country code for this unit?
      [Unknown]: US
    Is CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US correct?
      [no]: yes
    Enter key password for <mjm> (RETURN if same as keystore password): <RT>

    D:\McCarthy\www\95-804\examples\keystoreexamples>dir /w
     Volume in drive D has no label.
     Volume Serial Number is 486D-D392

     Directory of D:\McCarthy\www\95-804\examples\keystoreexamples

    [.]  [..]  mjmkeystore

(2) Use keytool -export to generate a self-signed RSA certificate (holding no private key)

    D:\McCarthy\www\95-804\examples\keystoreexamples>keytool -export -alias mjm -keystore mjmkeystore -file mjm.cer
    Enter keystore password: sesame
    Certificate stored in file <mjm.cer>

    D:\McCarthy\www\95-804\examples\keystoreexamples>dir /w
     Volume in drive D has no label.
     Volume Serial Number is 486D-D392

     Directory of D:\McCarthy\www\95-804\examples\keystoreexamples

    [.]  [..]  mjm.cer  mjmkeystore

(3) Use keytool -import to place the certificate into a truststore

    D:\McCarthy\www\95-804\examples\keystoreexamples>keytool -import -alias mjm -keystore mjm.truststore -file mjm.cer
    Enter keystore password: sesame
    Owner: CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US
    Issuer: CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US
    Serial number: 3e60f3ce
    Valid from: Sat Mar 01 12:54:22 EST 2003 until: Fri May 30 13:54:22 EDT 2003
    Certificate fingerprints:
      MD5: 80:F4:73:23:4C:B4:32:4C:5F:E0:8A:B1:4D:1E:A3:0D
      SHA1: 19:06:31:54:72:ED:B8:D5:B3:CF:38:07:66:B5:78:1A:34:16:56:07
    Trust this certificate? [no]: yes
    Certificate was added to keystore

    D:\McCarthy\www\95-804\examples\keystoreexamples>dir /w
     Volume in drive D has no label.
     Volume Serial Number is 486D-D392

     Directory of D:\McCarthy\www\95-804\examples\keystoreexamples

    [.]  [..]  mjm.cer  mjm.truststore  mjmkeystore
     5 File(s) 2,615 bytes

• mjmkeystore will be placed in the server’s directory
• SSL will send the associated certificate to the client
• mjm.truststore will be placed in the client’s directory

File Organization

    D:\McCarthy\www\95-804\examples\keystoreexamples>tree /f
    Directory PATH listing
    Volume serial number is 0012FC94 486D:D392
    D:.
    ├───clientcode
    │       mjm.truststore
    │       Client.java
    │
    └───servercode
            mjmkeystore
            Server.java

Client.java

    import java.io.*;
    import javax.net.ssl.*;
    import java.net.*;
    import javax.net.*;

    public class Client {
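
Added example, not part of the original slides: a small Java check that the truststore built in steps (1) to (3) holds only certificate entries (no private key), and that each certificate is within its validity period and, if self-signed, verifies under its own public key. The class name TruststoreAudit is hypothetical; the file name mjm.truststore and the password sesame are the ones used in the slides; KeyStore.getInstance(File, char[]) requires Java 9 or later.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example: audits the truststore produced by the three keytool steps.
// TruststoreAudit is a hypothetical name; defaults match the slides' file/password.
public class TruststoreAudit {

    // Returns true when the store has no private-key entries, every certificate
    // is inside its validity period, and every self-signed certificate verifies
    // under its own public key.
    static boolean auditTruststore(File file, char[] password) throws Exception {
        // Java 9+: detects the store type (JKS or PKCS12) from the file itself.
        KeyStore store = KeyStore.getInstance(file, password);
        boolean ok = true;
        for (String alias : Collections.list(store.aliases())) {
            if (store.isKeyEntry(alias)) {
                // A truststore handed to clients must never carry a private key.
                System.out.println(alias + ": PRIVATE KEY ENTRY in truststore");
                ok = false;
                continue;
            }
            X509Certificate cert = (X509Certificate) store.getCertificate(alias);
            boolean selfSigned = cert.getSubjectX500Principal()
                                     .equals(cert.getIssuerX500Principal());
            try {
                if (selfSigned) {
                    cert.verify(cert.getPublicKey()); // signature made by its own key
                }
                cert.checkValidity();                 // throws if expired or not yet valid
                System.out.println(alias + ": " + cert.getSubjectX500Principal()
                        + (selfSigned ? " (self-signed)" : "")
                        + ", valid until " + cert.getNotAfter());
            } catch (Exception e) {
                System.out.println(alias + ": REJECT, " + e);
                ok = false;
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        File truststore = new File(args.length > 0 ? args[0] : "mjm.truststore");
        char[] password = (args.length > 1 ? args[1] : "sesame").toCharArray();
        System.out.println(auditTruststore(truststore, password) ? "OK" : "FAILED");
    }
}
```

The certificate shown in the slides was valid only from 1 March to 30 May 2003 (keytool's default lifetime), so checkValidity() rejects it today; pass -validity to keytool -genkey to choose a longer period.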

