notes

advertisement
Notes
May 31st, 2007
Ankita Teli
Objective: This class’ main objective was to install SSL certificate on our computer, so
that sites can communicate over ‘https’ rather than ‘http’.
There are number of companies in market that work as ‘Certifying Authority’ (CA is
the short form). These companies issue Digital certificate and other companies will use this
certificate.
The most popular CAs in today’s market is: Verisign & Thawte.
--- ‘Go Daddy’ has tried to expand their business by selling domain, hosting sites & email &
becoming CA. But its not considered as authorized CA by the browsers.
The problem is for CA to actually be established they have to get browser companies
to acknowledge that they actually are certifying authority. The way that it works is a website
designer or say administrator buy certificate from one of the CAs, and then they send us the
certificate.
Idea behind Encryption: When we go to any so called ‘secure’ website, we have two
things in mind. (1). It is the authenticate website where we intend to go (somebody is not
spoofing the site) and (2). Whatever information we submit is encrypted & securely
transmitted to that website only. So only that particular website (where we transmit info) can
retrieve the transmitted information and decrypt it.
How we know that we are buying certificate from actual CA? : The browser has built
in certificate for that particular CA. When we transmit information to that CA, our information
will be encrypted by certificate our browser has. So, it’s very important that browser need to
know which one are established CAs.
How we can communicate securely with CA and request for a certificate? :
We have CA’s
public key
Our
website
CA has its own
private key
Send msg, encrypted
with CA’s public key
Certificate
Authority
website
Send msg back, encrypted with
CA’s private key
As shown above, suppose we want to buy a certificate from some authorized CA. We have
that CA’s public key (everybody can have that key as its public). So, we send them message,
encrypted with their public key, requesting for a certificate. Then, CA decrypts this message
with its own private key & sends us back a certificate, encrypted with their public key. We get
the message and we can decrypt it with public key we have.
Now the problem is, everybody can have CA’s public key, so anybody can decrypt that
message and get our certificate.
We generate
temp key
Send msg, encrypted
with temp key
Our
website
Certificate
Authority
website
Send permanent private key
encrypted with temp key
So, here what happens? We generate temp key and send message encrypted with this
temporary key. When CA receives this message and then they generate permanent private
key for us. When they send us this perm private key, our temp key encrypts key.
Now, we are maintaining this temp key on our side, so it depends totally on us to keep
secret of temp key on our side.
This is an overview of ENCRIPTION. This works on backend.
Whenever we transmit data over https, it gets encrypted on both sides.
Client
Encrypted
Decrypted
Data sent
Over https
Server
Decrypted
Encrypted
Like, for bank website, they send account number but its encrypted, so there are no chances
that anybody can get those data along the way. Also, there is a reason they don’t show whole
account number or credit card number on the website because you might using public
computer and somebody walking by can see the number.
Although you want your website to be secure, you should not keep all the pages secure. It
increase load on the server and your website will be slow down. What we generally see on Ecommerce websites is they don’t have all the pages incepted until we hit ‘buy now’, then they
will take us to the secure https page.
Installing certificate:
Installing a certificate is different for each web server or application server
you use. We will install one for tomcat assuming that tomcat is working as web server. SSL is
installed on web server not on application server.
We are not going to go to some CA and purchasing certificate, because it costs
money. They are maintaining our key and keeps it safe. That’s the reason CA are among the
highest of sites that gets hacked or attempted to be hacked. So, they have very heavy
security on their sites.
Get information about how to install certificate:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
Go to: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
Scroll down the page, look for heading ‘Configuration’
As we already have installed JDK on our computer, we can skip this first step.
Go to the command prompt.
Go to directory where your JDK is installed and go to bin directory.
type -> keytool -genkey -alias tomcat -keyalg RSA, hit enter.
It will ask for keystore password, enter –> changeit
It will ask for your name, organization unit, organization, city, state, country
enter answers accordingly. Type ‘yes’, if you have entered all info correctly.
This will generate one .keystore file on your computer. Check where .keystore
file is generated in your computer. Using all above information we entered
generated the key.
Remember where this .keystore file generated, or for convenience create
some folder and store .keystore file in that.
Go to your Tomcat/conf and open server.xml. Find out line contains ‘Define a
SSL HTTP/1.1 Connector on port 8443’ and uncomment that code.
Also, add text keystoreFile=”where_you_have_stored_keystoreFile” at the end
of tag. It should look like: <….clientAuth="false" sslProtocol="TLS"
keystoreFile=” where_you_have_stored_keystoreFile” />
Start tomcat up, open any of your file like below:
https://localhost:8443/baseball.html
When you will try to open the page, you will get a poop-up. Its because the
certificate we generated is not from Authorized CA. Continue by hitting ‘yes’
and you will be able to see the page with secure communication.
You are all set. 
Flash, installing SSL are the topics you don’t need to learn for CS420 or CS520. We learn
these because these are interesting. But topics like JSTL, JDBC we need to learn.
Announcements:





Final Exam: Tuesday 5th June from 7:30 to 9:30PM
Format: almost same as midterm. Questions around 20%, programming 15%.
Comprehensive exam, more preference on 2nd half quarter. Programming with
JSTL may be or may not be there, but questions for JSTL will be there
Last quarter final exam can be helpful.
OBJECTIVE of CS320 is to expand knowledge of cs120 & cs122, get idea of 3tier applications and create 3-tier applications.
Download