
• Number of slides: 17

SSL security

Secure Sockets Layer
• Used to establish secure network links
• Based on OpenSSL
• Also supports HTTPS
• NET+OS version supports some authentication

Connection Process
• Client connects to server
• Server authenticates with client
• Client and server negotiate encryption protocol
• Encrypted link is established

Authentication
• Authentication means making sure the server is who it says it is
• Server gives client a certificate
• Certificates often come from a “trusted” machine
• Client checks certificate against a database

NET+OS 6 Authentication
• NET+OS provides an API to generate a self-signed certificate
• Can also use other certificates if available
• NET+OS server side will send the certificate to the client when the connection is established
• NET+OS client ignores certificates

Encryption
• Client and server negotiate an encryption protocol and a key when the connection is established
• Algorithm and key are used by each side to scramble data sent over the network, and to descramble data received
• Strength of encryption is determined by the length of the key used

Supported Encryption Protocols
• Data Encryption Standard (DES) with 56-bit key
• Triple DES with 112-bit key
• Advanced Encryption Standard (AES) with a 128-bit key
• AES with 256-bit key
• DES and AES developed by National Institute of Standards and Technology (NIST)

NASSLX 50 Generate
• Used to generate an authentication certificate
• Caller provides a name for certificate and serial number
• Date and time certificate will start to be valid
• Date and time certificate will no longer be valid
• Function returns certificate information

NASSLAccept
• Used by servers to accept a connection from a client
• Must be passed certificate information
• Authenticates with client (gives it the certificate)
• Establishes an encrypted connection
• Example application is NASSLSVR

NASSLAccept
1. Use socket() to open the socket
2. Use bind() to bind an address
3. Use listen() to listen for a connection request
4. Use accept() to accept connection at TCP level
5. Use NASSLAccept() to secure the connection

NASSLConnect
• Used by clients to create a secure connection to a server
• Negotiates encryption protocol
• Ignores certificate sent by server
• Future version may examine certificate

NASSLConnect
1. Use socket() to open a socket
2. Use bind() to set an address (if desired)
3. Use connect() to connect at TCP level
4. Use NASSLConnect() to secure the connection

Operations after Connected
• Both NASSLConnect() and NASSLAccept() return socket descriptors
• Use send() and recv() with the returned descriptors to communicate
• Shut down the connection by closing the socket returned by NASSLConnect() or NASSLAccept()
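The client procedure above secures the link but, as the NASSLConnect slide notes, ignores the server's certificate, so the "client checks certificate against a database" step of the Authentication slide never happens. The following is an added example, not NET+OS code, showing that missing step in Python's ssl module: the weak setting (CERT_NONE, mirroring the NET+OS client) beside the default verified context, and a fingerprint check against a trust database that works even for the self-signed certificates NET+OS generates. The hostnames and fingerprints are constructed placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed trust database: device name -> SHA-256 fingerprint (hex) of the
# DER certificate the client accepts. The value is a placeholder, not a real hash.
TRUSTED_FINGERPRINTS = {
    "device-1.example": "PLACEHOLDER-FINGERPRINT",
}

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def certificate_is_trusted(der_cert: bytes, name: str, db: dict) -> bool:
    """The slide's 'check certificate against a database' step, as a pin check.
    Constant-time compare so a mismatch leaks nothing about the expected value."""
    expected = db.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(fingerprint(der_cert), expected)

def make_client_context(verify: bool) -> ssl.SSLContext:
    """verify=True: CA chain + hostname checked (library default).
    verify=False: certificate ignored, like the NET+OS 6 client; only
    acceptable when paired with an explicit pin check after the handshake."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def secure_connect(host: str, port: int, db: dict, timeout: float = 5.0) -> ssl.SSLSocket:
    """socket() -> connect() -> wrap (the NASSLConnect analogue) -> pin check.
    Returns the TLS socket, which is used with send()/recv() and closed as usual."""
    ctx = make_client_context(verify=False)   # self-signed device cert: no CA chain
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)   # available even with CERT_NONE
    if der is None or not certificate_is_trusted(der, host, db):
        tls.close()
        raise ssl.SSLError("server certificate not in trust database")
    return tls
```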

Secure HTTP
• Compliant with standard HTTPS
• Transfers HTTP data over an SSL connection
• Integrated with AWS and BWS

HSStartServerSecure
• Starts a secure HTTP server
• Certificate and list of encryption protocols to support are passed to the function
• Can support HTTPS only, or both HTTP and HTTPS

HTTPStartServerSecure
• Build web pages as normal using Pbuilder
• Set up access levels as normal with NAsetSysAccess()
• Use HSStartServerSecure to start the server
• Example application NAHTTPS

Licensing Issues
• Encryption software is considered an armament by the US government
• Severe restrictions apply when distributing software in source form
• Severe restrictions apply when distributing binary software that supports long keys
• Cannot distribute software in any form to terrorists and some countries