Notes May 31st, 2007 Ankita Teli

Objective: This class’s main objective was to install an SSL certificate on our computer, so that our site can be reached over ‘https’ rather than ‘http’. There are a number of companies in the market that work as a ‘Certifying Authority’ (CA for short). These companies issue digital certificates, and other companies use those certificates on their sites. The most popular CAs in today’s market are Verisign and Thawte.

‘Go Daddy’ has tried to expand its business (selling domains, hosting sites and email) by becoming a CA as well, but, as presented in class, it is not accepted as a trusted CA by the browsers. The problem for a CA that wants to become established is that it has to get the browser makers to acknowledge it as a certifying authority, which in practice means shipping the CA’s root certificate inside the browser. The way it then works is that a website designer or administrator buys a certificate from one of the CAs, and the CA sends the certificate back.

Idea behind Encryption: When we go to a so-called ‘secure’ website, we want two things: (1) it is the authentic website we intended to go to (nobody is spoofing the site), and (2) whatever information we submit is encrypted and transmitted securely to that website only, so that only that particular website can decrypt it.

How do we know that we are dealing with a real CA? The browser has that CA’s own (root) certificate built in, and the certificate carries the CA’s public key. The browser uses that public key to check the CA’s signature on the certificate a website presents. So it is very important that the browser knows which CAs are established: a certificate from a CA the browser has never heard of is worth nothing to it. (Our data is not encrypted ‘with the certificate’; the certificate only proves who the site is, and the data is then encrypted with a session key that the two sides negotiate during the SSL handshake.)

How can we communicate securely with the CA and request a certificate?

  We have the CA’s public key                              CA has its own private key
  Our website  ---- request: our public key + our name --->  Certificate Authority
  Our website  <--- certificate, signed with CA’s private key ---  Certificate Authority

As shown above, suppose we want to buy a certificate from an authorized CA.
We have the CA’s public key (everybody can have that key, as it is public). We send the CA a request containing our own public key and our name, and the CA sends back a certificate: our public key and name, signed with the CA’s private key. Anybody who holds the CA’s public key can check that signature, and that is the point. ‘Encrypting’ something with a private key that everyone can undo with the public key does not hide it; it is a digital signature, and a certificate is meant to be read by everybody (every browser that visits our site receives a copy). Nothing in this exchange has to be secret.

What does have to be secret is our private key, and the way that is guaranteed is simple:

  We generate our own key pair (public + private) on our side
  Our website  ---- only the public key goes out, in the request --->  Certificate Authority
  Our website  <--- certificate for that public key, signed by the CA ---  Certificate Authority
  The private key never leaves our side

So here is what happens: we generate the key pair ourselves, the CA only ever sees the public half, and the certificate it returns is bound to that public key. Since we keep the private key on our side, it depends totally on us to keep it secret. (This is exactly what the keytool step in the installation below does: -genkey generates both halves locally.)

This is an overview of ENCRYPTION. It works in the back end. Whenever we transmit data over https, it is encrypted by the sender and decrypted by the receiver, on both sides:

  Client: data -> encrypted  ---- sent over https ---->  Server: decrypted -> data
  Client: data <- decrypted  <--- sent over https ----  Server: encrypted <- data

Like a bank website: they send the account number, but it is encrypted, so there is no chance of anybody reading it along the way. There is also a reason they don’t show the whole account number or credit card number on the page: you might be using a public computer, and somebody walking by could see the number.

Although you want your website to be secure, you should not make all the pages secure. It increases the load on the server and your website slows down. What we generally see on e-commerce websites is that pages are not encrypted until we hit ‘Buy now’, and then we are taken to the secure https page. (Be aware of the cost of mixing the two: a session cookie set on the https page and then sent along with requests for the plain http pages travels in the clear on those requests.)

Installing certificate: Installing a certificate is different for each web server or application server you use.
We will install one for Tomcat, assuming Tomcat is working as the web server. SSL is installed on the web server, not on the application server. We are not going to go to a CA and purchase a certificate, because it costs money. What a CA keeps safe is its own private signing key (our private key stays with us); every certificate the CA has ever issued depends on that one key. That is the reason CAs are among the sites most often hacked or attacked, so they have very heavy security on their sites.

Get information about how to install the certificate:
1. Go to: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
2. Scroll down the page and look for the heading ‘Configuration’.
3. As we already have the JDK installed on our computer, we can skip the first step.
4. Go to the command prompt.
5. Go to the directory where your JDK is installed and then into its bin directory.
6. Type: keytool -genkey -alias tomcat -keyalg RSA and hit enter.
7. It will ask for a keystore password; enter: changeit (this is the password Tomcat expects by default; if you choose a different one, you also have to add keystorePass="your_password" to the Connector in step 13).
8. It will ask for your name, organization unit, organization, city, state and country; enter the answers accordingly.
9. Type ‘yes’ if you have entered all the information correctly.
10. This generates a .keystore file on your computer (by default in your home directory, i.e. your user profile folder on Windows). Check where it was generated. The key was generated from all the information we entered above.
11. Remember where this .keystore file was generated, or for convenience create a folder and store the .keystore file there.
12. Go to your Tomcat/conf directory and open server.xml.
13. Find the line containing ‘Define a SSL HTTP/1.1 Connector on port 8443’ and uncomment that Connector. Also add keystoreFile="where_you_have_stored_keystoreFile" at the end of the tag. It should look like:
    <... clientAuth="false" sslProtocol="TLS" keystoreFile="where_you_have_stored_keystoreFile" />
14. Start Tomcat and open one of your files, for example: https://localhost:8443/baseball.html
15. When you try to open the page, you will get a pop-up. That is because the certificate we generated is self-signed, not from an authorized CA: the connection is encrypted, but the browser has no way to confirm who is on the other end.
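The request-and-sign exchange described under ‘Idea behind Encryption’ and the pop-up from step 15, worked through in Go as an added example (this is not code from these notes, from Tomcat or from keytool; it uses only Go’s standard library). The site’s key pair is generated locally, only a certificate signing request goes to a hypothetical ‘Example Root CA’ whose root the ‘browser’ has built in, the CA signs it, and then the same browser checks are run against a self-signed certificate like the one keytool -genkey produces. The CA name, the host name localhost and the spoofing host bank.example are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func check(err error) { // demo only: stop on any unexpected error
	if err != nil {
		panic(err)
	}
}

// template is a server-certificate skeleton for the given name(s), valid for one day.
func template(serial int64, cn string, dns []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// sign issues a certificate for pub using the issuer's key. With parent == tmpl and the
// matching key the result is self-signed: what keytool -genkey makes, and what a root CA's own is.
func sign(tmpl, parent *x509.Certificate, pub any, key *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// newCA builds a root like the ones browsers ship: self-signed and marked as allowed to sign others.
func newCA(name string) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := template(1, name, nil)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issue is the CA's side of the exchange: it receives a certificate signing request (our public
// key and name, signed with our private key), checks that signature, and signs a certificate with
// the CA's private key. Nothing secret travels in either direction.
func issue(ca *x509.Certificate, caKey *rsa.PrivateKey, csrDER []byte) *x509.Certificate {
	csr, err := x509.ParseCertificateRequest(csrDER)
	check(err)
	check(csr.CheckSignature()) // proves the requester holds the private key behind the public key
	return sign(template(2, csr.Subject.CommonName, csr.DNSNames), ca, csr.PublicKey, caKey)
}

// browserCheck is what a browser does on https: chain the site's certificate to a root it has
// built in, then check that the name in the certificate matches the host in the URL.
func browserCheck(site *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := site.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err
}

// Outcome records the four situations the notes describe.
type Outcome struct {
	CASignedAccepted  bool // certificate from a CA the browser knows: no warning
	SelfSignedUnknown bool // keytool's self-signed certificate: the pop-up
	SelfSignedTrusted bool // after the user hits 'yes' and trusts that one certificate
	WrongHostRejected bool // a genuine certificate, but for another site: spoofing is caught
}

func Demo() Outcome {
	caCert, caKey := newCA("Example Root CA") // assumed name, standing in for Verisign or Thawte
	builtIn := x509.NewCertPool()
	builtIn.AddCert(caCert) // the root certificate the browser ships with
	siteKey, err := rsa.GenerateKey(rand.Reader, 2048) // our key pair, made locally like keytool -genkey; the private half never leaves
	check(err)
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "localhost"}, DNSNames: []string{"localhost"},
	}, siteKey)
	check(err)
	bought := issue(caCert, caKey, csr) // the certificate we would pay a CA for
	tmpl := template(3, "localhost", []string{"localhost"})
	free := sign(tmpl, tmpl, &siteKey.PublicKey, siteKey) // keytool -genkey: self-signed, no CA
	var o Outcome
	o.CASignedAccepted = browserCheck(bought, builtIn, "localhost") == nil
	var unknown x509.UnknownAuthorityError
	o.SelfSignedUnknown = errors.As(browserCheck(free, builtIn, "localhost"), &unknown)
	accepted := x509.NewCertPool() // the user clicked 'yes': trust exactly this certificate
	accepted.AddCert(free)
	o.SelfSignedTrusted = browserCheck(free, accepted, "localhost") == nil
	var wrongHost x509.HostnameError
	o.WrongHostRejected = errors.As(browserCheck(bought, builtIn, "bank.example"), &wrongHost)
	return o
}
```

Demo() returns all four flags true: the CA-signed certificate passes, the self-signed one fails with an unknown-authority error (the pop-up) until it is explicitly trusted, and a genuine certificate presented for the wrong host name is rejected, which is the spoofing check from point (1). Note that ‘hitting yes’ corresponds to the accepted pool: it trusts that one certificate, not whoever made it, and the CA never needed anything but our public key.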
Continue by hitting ‘yes’ and you will be able to see the page over the secure connection. You are all set. (Don’t get into the habit of clicking through that warning on real sites: it is the same warning a spoofed site would produce.)

Flash and installing SSL are topics you don’t need to learn for CS420 or CS520; we learn them because they are interesting. But topics like JSTL and JDBC we do need to learn.

Announcements:
Final Exam: Tuesday 5th June from 7:30 to 9:30 PM.
Format: almost the same as the midterm. Questions around 20%, programming 15%. Comprehensive exam, with more weight on the second half of the quarter. Programming with JSTL may or may not be there, but questions on JSTL will be there. Last quarter’s final exam can be helpful.

OBJECTIVE of CS320 is to expand the knowledge gained in CS120 and CS122, get an idea of 3-tier applications and create 3-tier applications.