SSL Intro,Installation, How SSL Works, Analysis


by : Antonius www.cr0security.com

SSL Introduction

SSL stands for Secure Sockets Layer and is an encryption standard that is commonly used to encrypt tcp packet between your server and customer computer. The importance of
SSL is obvious when you own a website that requires your users to enter sensitive information, so the packet will be encrypted.

Below is a typical SSL Operation between a web browser and a server :

   A browser attempts to connect to a web site secured with SSL. The browser requests that the web server identify itself.
   The server sends the browser a copy of its SSL certificate.
   The browser checks whether it trusts the SSL certificate. If so, it sends a message to the server.
   The server sends back a digitally signed acknowledgement to start an SSL encrypted session.
   Encrypted data is shared between the browser and the server.

Some Protocols that Support SSL ?

http -> https (port 443)
ftp -> ftps (port 989 or 990)
Smtp -> smtp ssl (port 465)
and so on ...

Below is typical operation of client and server using ssl:
Without Resume

or
With Resume (http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html)
Installing Apache With SSL Support

We're gonna install openssl the open source toolkit for SSL on linux.

#wget -c http://www.openssl.org/source/openssl-1.0.1c.tar.gz
#tar zxvf openssl-1.0.1c.tar.gz
#cd openssl-1.0.1c
#./config
#make && make install

by default openssl elf binary will be located at /usr/local/ssl/bin/openssl

#/usr/local/ssl/bin/openssl
OpenSSL> version
OpenSSL 1.0.1c 10 May 2012
OpenSSL> cr0
openssl:Error: 'cr0' is an invalid command.

Standard commands
asn1parse         ca                ciphers           cms
crl               crl2pkcs7         dgst              dh
dhparam           dsa               dsaparam          ec
ecparam           enc               engine            errstr
gendh             gendsa            genpkey           genrsa
nseq              ocsp              passwd            pkcs12
pkcs7             pkcs8             pkey              pkeyparam
pkeyutl           prime             rand              req
rsa               rsautl            s_client          s_server
s_time            sess_id           smime             speed
spkac             srp               ts                verify
version           x509

Message Digest commands (see the `dgst' command for more details)
md4               md5               mdc2              rmd160
sha               sha1

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       base64            bf
bf-cbc            bf-cfb            bf-ecb            bf-ofb
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb
des               des-cbc           des-cfb           des-ecb
des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb
des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb
des-ofb           des3              desx              idea
idea-cbc          idea-cfb          idea-ecb          idea-ofb
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc
rc2-cfb           rc2-ecb           rc2-ofb           rc4
rc4-40            seed              seed-cbc          seed-cfb
seed-ecb          seed-ofb

OpenSSL>

Installing Apache
We're going to install apache 2.4.3, before that install apr & apr utils:

installing apr

#wget -c http://apache.mirrors.hoobly.com//apr/apr-1.4.6.tar.gz
#tar zxvf apr-1.4.6.tar.gz
#cd apr-1.4.6;./configure
#make && make install


intalling apr-utils

#wget -c http://apache.mirrors.hoobly.com//apr/apr-util-1.4.1.tar.bz2
#tar jxvf apr-util-1.4.1.tar.bz2
#cd apr-util-1.4.1;./configure --with-apr=/usr/local/apr
#make && make install


Next installing apache :

#wget -c http://mirror.cogentco.com/pub/apache//httpd/httpd-2.4.3.tar.bz2
#tar jxvf httpd-2.4.3.tar.bz2
#cd httpd-2.4.3
#./configure --enable-ssl --enable-so --with-ssl=/usr/local/ssl/
#make && make install

Now we need to configure apache to support SSL, First open up httpd.conf (in this tutorial, it's on /usr/local/apache2/conf). Uncomment this line:

Include conf/extra/httpd-ssl.conf

and this uncomment this line to load mod_ssl shared object

LoadModule ssl_module modules/mod_ssl.so

and uncomment this line to load mod_socache_shmcb shared object:

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

having a nice look at conf/extra/httpd-ssl.conf
conf/extra/httpd-ssl.conf

SSLEngine on
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
#SSLCertificateFile "/usr/local/apache2/conf/server-dsa.crt"
#SSLCertificateFile "/usr/local/apache2/conf/server-ecc.crt"

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"


Then we need to provide server.crt and server.key

Generate server.key

#/usr/local/ssl/bin/openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
........................++++++
.............++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
/usr/local/apache2/conf#


Enter your pass phrase.
then we need to generate server.csr

/usr/local/apache2/conf#/usr/local/ssl/bin/openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:banteng
Locality Name (eg, city) []:tangerang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cr0security
Organizational Unit Name (eg, section) []:jasaplus
Common Name (e.g. server FQDN or YOUR name) []:cr0security
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:jasaplus

Next Step we need to make server.crt

/usr/local/apache2/conf#/usr/local/ssl/bin/openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=ID/ST=banteng/L=tangerang/O=cr0security/OU=jasaplus/CN=cr0security/[email protected]
Getting Private key
Enter pass phrase for server.key:

and we're done

/usr/local/apache2/conf#ls
extra  httpd.conf  magic  mime.types  original  server.crt  server.csr  server.key
/usr/local/apache2/conf#

then start apache as follow

#/usr/local/apache2/bin/apachectl start
Apache/2.4.3 mod_ssl (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
/usr/local/apache2/conf#

Don't forget to type pass phrase that you've created before (serer.key)

Analyzing SSL

Next, we're gonna analysis SSL Mechanism
As an example here I install apache and ssl on localost, where the interface is lo , let's first compare ssl and common http traffic:
First we''ll create a http traffic and capture using tcpdump

#tcpdump -A -i lo port 80 > http_form.txt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes

As an example we create form.html at apache htdocs. Open up your browser and test type up a password for testing and type password: cr0security

Open up http_form.txt, we may see our password below in plain text :

17:58:11.683027 IP localhost.localdomain.37925 > localhost.localdomain.www: Flags [S], seq 3944971770, win 32792, options [mss 16396,nop,nop,TS val 6817422 ecr 0,nop,wscale
9], length 0
E..<{t@[email protected].........%.P.#}...............@....
h.........
17:58:11.683055 IP localhost.localdomain.www > localhost.localdomain.37925: Flags [S.], seq 3934910143, ack 3944971771, win 32768, options [mss 16396,nop,nop,TS val 6817422
ecr 6817422,nop,wscale 9], length 0
E..<..@.@.<..........P.%.....#}...........@....
h...h.....
17:58:11.683072 IP localhost.localdomain.37925 > localhost.localdomain.www: Flags [.], ack 1, win 65, options [nop,nop,TS val 6817422 ecr 6817422], length 0
E..4{u@[email protected].........%.P.#}........A.......
h...h..
17:58:11.683147 IP localhost.localdomain.37925 > localhost.localdomain.www: Flags [P.], seq 1:424, ack 1, win 65, options [nop,nop,TS val 6817422 ecr 6817422], length 423
E...{v@.@............%.P.#}........A.......
h...h..POST /form.html? HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1/form.html?
Content-Type: application/x-www-form-urlencoded
Content-Length: 20

password=cr0security
17:58:11.683166 IP localhost.localdomain.www > localhost.localdomain.37925: Flags [.], ack 424, win 67, options [nop,nop,TS val 6817422 ecr 6817422], length 0
E..4.N@[email protected].%.....#.....C.......
h...h..
17:58:11.683584 IP localhost.localdomain.www > localhost.localdomain.37925: Flags [P.], seq 1:416, ack 424, win 67, options [nop,nop,TS val 6817422 ecr 6817422], length 415
E....O@[email protected].%.....#.....C.......
h...h..HTTP/1.1 200 OK
Date: Fri, 28 Sep 2012 10:58:11 GMT
Server: Apache/2.4.3 (Unix) OpenSSL/1.0.1c
Last-Modified: Fri, 28 Sep 2012 10:53:01 GMT
ETag: "77-4cac0dc12665d"
Accept-Ranges: bytes
Content-Length: 119
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

html>
form action=? method=post>
type your password :
input type=password name=password>input type=submit>
/form>

17:58:11.683598 IP localhost.localdomain.37925 > localhost.localdomain.www: Flags [.], ack 416, win 67, options [nop,nop,TS val 6817423 ecr 6817422], length 0
E..4{w@[email protected].........%.P.#....._...C.e.....
h...h..


password will be viewed in plain text: password=cr0security

Next we're making a check on ssl

#tcpdump -A -i lo port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
18:14:32.841725 IP localhost.localdomain.32871 > localhost.localdomain.https: Flags [S], seq 2155966806, win 32792, options [mss 16396,nop,nop,TS val 7062712 ecr
0,nop,wscale 9], length 0
E..<..@[email protected]....@....
k.........
18:14:32.841759 IP localhost.localdomain.https > localhost.localdomain.32871: Flags [S.], seq 2162057015, ack 2155966807, win 32768, options [mss 16396,nop,nop,TS val
7062712 ecr 7062712,nop,wscale 9], length 0
E..<..@.@.<............g.._7..qW.....;....@....
k...k.....
18:14:32.841777 IP localhost.localdomain.32871 > localhost.localdomain.https: Flags [.], ack 1, win 65, options [nop,nop,TS val 7062712 ecr 7062712], length 0
E..4..@[email protected].._8...A. .....
k...k..
18:14:32.842023 IP localhost.localdomain.32871 > localhost.localdomain.https: Flags [P.], seq 1:369, ack 1, win 65, options [nop,nop,TS val 7062712 ecr 7062712], length 368
E.....@[email protected].._8...A.......
R...Ad5....... ....9>Hs+..d$...E...z.f....q.N...H...
......9.8.......5...    .....E.D.3.2...........A...../.........
....
................#..@."O....m$.m.        ...Y....(/*..
@..j..O{..i......e.N.....s..V....'F|m1...X?w...3.C..C...*....../[n.pg1.......b..p.+I.&.y.u68.G..!..k.........6...(g.oy...,B...|.?.G?uU..M.....-{.^.+.U_g..y...6.@u..
18:14:32.842043 IP localhost.localdomain.https > localhost.localdomain.32871: Flags [.], ack 369, win 67, options [nop,nop,TS val 7062712 ecr 7062712], length 0
E..4..@[email protected].._8..r....C.......
k...k..
18:14:32.842767 IP localhost.localdomain.https > localhost.localdomain.32871: Flags [P.], seq 1:146, ack 369, win 67, options [nop,nop,TS val 7062712 ecr 7062712], length
145
E.....@[email protected].._8..r....C.......
+.{>.).0..y>.M...>^9.....C.m*..a...z._.h;H!.r....X ....9>Hs+..d$...E...z.f....q.N......................0Y6a.%Xb..Hz....Q..B......
18:14:32.842787 IP localhost.localdomain.32871 > localhost.localdomain.https: Flags [.], ack 146, win 67, options [nop,nop,TS val 7062712 ecr 7062712], length 0
E..4..@[email protected]..._....C.......
k...k..
18:14:32.846219 IP localhost.localdomain.32871 > localhost.localdomain.https: Flags [P.], seq 369:918, ack 146, win 67, options [nop,nop,TS val 7062713 ecr 7062712], length
549
E..Y..@[email protected]..._....C.N.....
z.H..L..xK......?:>q.Z.2....M.Y....-..y....g.l4.s.C.3...*..?...;.....t..).X...q8"9..+...g....Ah.=SS..f...X|w....zx..I.....nh.YE<.+..1...........1.:U..A.=.!..q..u....o......:\....<...G8...H....t.juB..?..-.h.0(.t
@".f.g...4.kl.!.9.L.5.G..<(.....g...}.......l..f..O..y*LW;u."..g_..d.7...X..*....
18:14:32.846941 IP localhost.localdomain.https > localhost.localdomain.32871: Flags [P.], seq 146:620, ack 918, win 69, options [nop,nop,TS val 7062713 ecr 7062713], length
474
E.....@[email protected].._...t....E.......
k...k......@f][..!..S......Y..<..b.v.;.....':.n..a..="" 4..3.m3.y..}...9.s:.........<$".....z.*.q..53...fp.......j....=""
.....2%...9rj..y.[y.2..s.f....k..j...by.o..$z..i;.4i.s.nj..gh...........i..k.t.v%{.yy@+17.rlh%e..h.4.d..p.uz\.o5.d="" 18:14:32.883615="" ip=""
localhost.localdomain.32871=""> localhost.localdomain.https: Flags [.], ack 620, win 69, options [nop,nop,TS val 7062723 ecr 7062713], length 0
E..4..@[email protected].......
k...k..
18:14:37.848156 IP localhost.localdomain.https > localhost.localdomain.32871: Flags [F.], seq 620, ack 918, win 69, options [nop,nop,TS val 7063964 ecr 7062723], length 0
E..4..@.@..>...........g..a...t....E.,.....
k...k..
18:14:37.848519 IP localhost.localdomain.32871 > localhost.localdomain.https: Flags [P.], seq 918:955, ack 621, win 69, options [nop,nop,TS val 7063964 ecr 7063964], length
37
E..Y..@[email protected].....
k...k...... ...&x.O.XIzH.a.7..a....,m..J....
18:14:37.848615 IP localhost.localdomain.32871 > localhost.localdomain.https: Flags [F.], seq 955, ack 621, win 69, options [nop,nop,TS val 7063964 ecr 7063964], length 0
E..4..@[email protected].....
k...k..
18:14:37.848636 IP localhost.localdomain.https > localhost.localdomain.32871: Flags [.], ack 956, win 69, options [nop,nop,TS val 7063964 ecr 7063964], length 0
E..4..@.@..=...........g..a...u....E.-.....
k...k..

As we can see with ssl our tcp packet is encrypted. You may also use tshark for testing, here you may look at the different between ssl and http traffic

tshark capture common http traffic



tshark capture ssl traffic

References

   http://www.thawte.com/resources/getting-started/how-ssl-works/index.html

You are viewing proxied material from sdf.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.