Security, Part 2 (SSL)

Previous page
Table of content
Next page
I l @ ve RuBoard

You've already seen that you need to provide various types of security for the server itself. You also need to provide security for transactions between the customer and your site.

If you're doing e-commerce, you will really want to use SSL for at least the parts of the transaction in which you're passing private information back and forth. Setting up SSL under Apache is technically easy but administratively challenging.

HOW DOES SSL WORK?

To begin, you need to understand a little bit about PKI (that's public key infrastructure) and cryptography.

Modern cryptography is based on using a key to encrypt plain text into cyphertext. This is done using complex mathematical formulas and long keys. The key length is important because, if the key is too short, you could break the code by brute trial and error. (The hacker could just say, "Let me see, there are five possible keys, did one work? Did two work? ")

A 140-bit key has 2 140 possible values, which is a 1.4 followed by 42 zeros. Needless to say, that would take a while to break by exhaustive trial. But, for this example, let's assume that your key is a number between 1 and 10.

If the two of us could meet in advance and agree on a key to use, I could just send you the cyphertext and you would know that key 3 would give you the plain text. Unfortunately, it would be unreasonable to have one-to-one business relationships between every Web site and every possible customer, each with a secret key.

If I went to your Web site, you could assign me a key and then we could use that key for the rest of the conversation. Alas, so could any eavesdropper who tapped the line. We need some way to agree on a key that no one else can overhear.

For this, we can use public key cryptography. In this system, there are two keys: a public one and a private one. If I give you my public key, you (or anyone else) can encrypt a message using it. Butand this is the important bitno one can decrypt it except the owner of the private key.

Conversely, if I encrypt a message with my private key, anyone can decrypt it with my public key and get the plain text, but only I could have sent it. This is called a digital signature.

So, when your browser connects to secure.bfg.com using SSL, the first thing that happens is that the Web site sends its certificate to the browser. The certificate is the public key encrypted with the CA's private key. The browser checks to see whether the CA is on its list of registered CAs, which means that the browser has a copy of the CA's public key.

If the CA is not on the list, an obnoxious warning message about an unknown CA comes up. Otherwise, the browser uses the public key to decrypt the signed certificate. Inside is the public key for the Web server. The browser generates a one-time key, encrypts it with the server's public key, and then sends it back. Only the server can decrypt the one-time key because only the server has the private key.

Now both the server and the browser have a one-time key that they can use to talk to each other, and no one else could have overheard the conversation.

If you ever want to hear someone really laugh hard, tell a Web site developer that you need to have SSL up by the end of the day. The reason he'll be laughing so hard is that the physical paperwork side of SSL takes at least three days, if you're lucky. Take a walk through the process, and you'll see why.

First, you need choose a certificate authority (CA). This is the person who will certify that you are you and not some 15-year-old (I am tired of picking on 16-year-olds) operating out of her mom's kitchen.

DO YOU NEED A CA?

You can run Apache in SSL mode without getting the certificate signed by a CA. But anyone cruising to your site will get a nasty warning message on his browser that reads something like this:

"Information that you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate."

Needless to say, this will not be inspiring confidence in people to use their credit cards on your site.

This is also why you want to make sure that the certificate authority that you pick is well recognized by the browsers in use in the community. Because certificate authorities can't be added easily to older versions of browsers, the older ones might not recognize newer CAs.

It used to be that, as far as certificate authorities went, you had your choice of Verisign or Verisign. And it wasn't cheapyou were looking at about a $300 minimum cost.

Service still isn't cheap from Verisign; 40-bit encryption (which is a joke, from a security standpoint) costs $350, and 128-bit encryption costs nearly $900. That is quite an investment.

Luckily, there's now competition in the marketplace , and you can find CAs such as Equifax that offer 128-bit certificates for as little as $175.

The CAs have step-by-step instructions for each type of Web server. Here are the steps in the process of applying and installing a certificate for Books for Geeks in Linux.

Before starting this, though, you might be asking, "Why Linux?" For several reasons. First, configuring SSL under Windows is a complicated process requiring a C compiler and an installation of Perl. Second, it requires you to run Apache, which I've already mentioned doesn't integrate reliably with Tomcat under Windows. Finally, many industry insiders (including The Gartner Group) no longer consider Windows to be a secure platform for deploying Web applications, due to the numerous exploitable holes that have been found in the operating system. Windows makes a nice environment for developing your application, but when it comes time to deploy it, you will probably need to move to Linux.

  1. Make sure that OpenSSL has been installed. You're going to install this certificate on a Linux server, so you can install OpenSSL using rpmfind .

  2. Go to /etc/httpd/conf/ssl.key.

  3. Generate a server certificate with this command: 

     [root@bfg ssl.key]#  openssl genrsa   -des3   -out server.key 1024  Generating RSA private key, 1024 bit long modulus ............++++++ ..............++++++ e is 65537 (0x10001) Enter PEM pass phrase: Verifying password - Enter PEM pass phrase:

    NOTE

    Do not forget the password you enter. If you do, you're going to be really out of luck because you'll lose all ability to control your certificate.

  4. In a safe location, back up the server.key file that is produced.

  5. Issue the following command, which will generate a certificate request that you'll send to the CA. The input that you provide is shown in italics. 

     [root@linux ssl.key]#  openssl req   -new   -key server.key   -out server.csr  Using configuration from /usr/share/ssl/openssl.cnf Enter PEM pass phrase:  [password]  You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:  US  State or Province Name (full name) [Some-State]:  New Hampshire  Locality Name (eg, city) []:  Salem  Organization Name (eg, company) [Internet Widgits Pty Ltd]:  Books For Geeks, Inc.  Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:  secure.bfg.com  Email Address []:  chiefgeek@bfg.com  Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

  6. Usually, the CA will have some way to upload the CSR (certificate request) to its Web site. Normally, it's just a copy and paste into a form. Upload it, and fill out the rest of the information, including who you are, how you're going to pay, and so on.

  7. Now the fun begins. You need to fax the CA proof of who you are, which usually involves either having a Dun and Bradstreet DUNS number or sending your articles of incorporation, business license, and so on. In a large corporation, it can take a day or two just to get this paperwork sent.

    NOTE

    You can get a DUNS number for free from Dun and Bradstreet's Web site; it takes around a week.

  8. Now you wait. Eventually (in a day or two, at best, or in a week, at worst), you'll be sent a certificate in the mail with instructions on how to unpack it.

  9. Now go into Apache's httpd.conf, enable SSL, enter the name of your certificate, and you're ready to roll. You can now surf to https ://secure.bfg.com/ with peace of mind.

By the way, if you want your Web server to start up automatically under Linux and you used a password when setting up your server key, you're going to have to enter the password manually every time the server reboots, which can be a little inconvenient at 4 A.M. You can modify the httpd script in init.d as follows to make the process automatic: 

 start() {         echo -n $"Starting $prog: "         daemon "$httpd `moduleargs` $OPTIONS < /etc/httpd/ssl.pass"         RETVAL=$?         echo         [ $RETVAL = 0 ] && touch /var/lock/subsys/httpd         return $RETVAL }

Of course, now you're storing your certificate password in plain text on the system. Life is full of trade-offs.

I l @ ve RuBoard

Previous page
Table of content
Next page
MySQL and JSP Web Applications. Data-Driven Programming Using Tomcat and MySQL
MySQL and JSP Web Applications: Data-Driven Programming Using Tomcat and MySQL
ISBN: 0672323095
EAN: 2147483647
Year: 2002
Pages: 203
Authors: James Turner
BUY ON AMAZON
Interprocess Communications in Linux: The Nooks and Crannies
Documenting Software Architectures: Views and Beyond
Postfix: The Definitive Guide
Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century: Prevention and Detection for the Twenty-First Century
Junos Cookbook (Cookbooks (OReilly))
Python Standard Library (Nutshell Handbooks) with
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy