Secure & Authentication by Lai Hieu - eXo SEA
DESCRIPTION
This presentation comes from eXo Platform SEA by Lai Trung Hieu
TRANSCRIPT
www.exoplatform.com
Copyright 2011 eXo Platform
Secure & Authentication of communication
Lai Trung Hieu, Collaboration Team
Introduction
DNS Spoofing
Website security indicators
https://www.google.com/support/chrome/bin/answer.py?answer=95617&hl=en-US
Agenda
• Secure & Authentication
• Digital certificate & PKI
• An example conversation
• Java security architecture overview
• eXo Platform implementation
Secure & Authentication
SSL story
SSL was invented by Netscape Communications in 1994.
In May 1996 the Internet Engineering Task Force (IETF) started work on TLS to standardize the SSL protocol.
TLS then became an IETF standards-track protocol.
January 1999: TLS 1.0 (SSL 3.1) was first published in RFC 2246 as the updated version of SSL 3.0.
April 2006: TLS 1.1 (SSL 3.2).
August 2008: TLS 1.2 (SSL 3.3).
TLS/SSL fundamentals
Based on public key cryptography
Applications
• Web browsing
• Electronic mail
• Internet faxing
• Instant messaging
• Voice-over-IP
Digital certificate & PKI
Digital certificate
An electronic document which uses a digital signature to bind a public key to an identity.
Goals: Confidentiality, Integrity, Authentication. To identify who is who on the Internet.
Contents of a certificate:
• Issuer's name
• Entity (subject) name
• Public key
• Expiry date
• Usages
Public key infrastructure
Public & private key concept
An example conversation
Notation used in the conversation
{Something}: information to be exchanged
{Something}key: the information encrypted with key
Digest[Something]: a digest (hash) of the information
Digital signature
Nobita: Hi, Are you Doraemon?
Doraemon: Nobita, It’s me Doraemon!
{Digest[Nobita, It's me Doraemon!]}Doraemon's private key
Exchange keys
Nobita: Hi, Are you Doraemon?
Doraemon: Nobita, It’s me Doraemon!
Here is my public key.
Nobita: Show me your evidence!
Doraemon: Nobita, It’s me Doraemon!
{Digest[Nobita, It's me Doraemon!]}Doraemon's private key
Digital certificate
Nobita: Hi, Are you Doraemon?
Doraemon: Nobita, It’s me Doraemon!
Here is my digital certificate.
Nobita: Show me your evidence!
Doraemon: Nobita, It’s me Doraemon!
{Digest[Nobita, It's me Doraemon!]}Doraemon's private key
An impostor cannot produce the evidence
Nobita: Hi, Are you Doraemon?
Xeko: Nobita, It's me Doraemon!
Here is my digital certificate.
Nobita: Show me your evidence!
Xeko: ??? (Xeko holds Doraemon's certificate, which is public, but not Doraemon's private key, so he cannot sign the message.)
Exchange secret key (session key)
Nobita: Hi, Are you Doraemon?
Doraemon: Nobita, It’s me Doraemon!
Here is my digital certificate.
Nobita: Show me your evidence!
Doraemon: Nobita, It’s me Doraemon!
{Digest[Nobita, It's me Doraemon!]}Doraemon's private key
Nobita: OK, Doraemon. Here is {secret key}Doraemon's public key
Doraemon: {blah blah}secret-key
Nobita: {blah hihi}secret-key
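The whole Nobita/Doraemon exchange, written out with the java.security and javax.crypto APIs covered later in the deck. This is an added example, not code from the slides or from eXo Platform: the key pairs are generated on the spot instead of coming from certificates, the "evidence" is an RSA signature (SHA256withRSA computes the Digest[...] internally), the session key is an AES key wrapped with Doraemon's RSA public key, and the {blah blah}secret-key messages use AES-GCM. The Xeko step shows why the impostor fails: he can repeat the greeting, but his signature does not verify under Doraemon's public key.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class NobitaDoraemon {

    // Added example; names Nobita, Doraemon and Xeko come from the slides
    static final SecureRandom RNG = new SecureRandom();

    // {Digest[message]}private key: the evidence. SHA256withRSA hashes the message itself.
    static byte[] sign(PrivateKey priv, String message) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv, RNG);
        s.update(message.getBytes(StandardCharsets.UTF_8));
        return s.sign();
    }

    // Nobita checks the evidence against the public key he was given
    static boolean verify(PublicKey pub, String message, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(message.getBytes(StandardCharsets.UTF_8));
        return s.verify(sig);
    }

    // {secret key}Doraemon's public key: wrap the AES session key with RSA-OAEP
    static byte[] wrapSessionKey(PublicKey pub, SecretKey session) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.WRAP_MODE, pub);
        return c.wrap(session);
    }

    static SecretKey unwrapSessionKey(PrivateKey priv, byte[] wrapped) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.UNWRAP_MODE, priv);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    // {blah blah}secret-key: AES-GCM with a fresh 12-byte nonce prepended to the ciphertext
    static byte[] encrypt(SecretKey k, String plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static String decrypt(SecretKey k, byte[] msg) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, msg, 0, 12));
        // GCM also fails here (AEADBadTagException) if the message was altered in transit
        return new String(c.doFinal(msg, 12, msg.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair doraemon = kpg.generateKeyPair();
        KeyPair xeko = kpg.generateKeyPair();   // the impostor only has his own key pair

        String greeting = "Nobita, It's me Doraemon!";

        // Doraemon: Here is my public key. Nobita: Show me your evidence!
        byte[] evidence = sign(doraemon.getPrivate(), greeting);
        System.out.println("Doraemon's evidence verifies: " + verify(doraemon.getPublic(), greeting, evidence));

        // Xeko repeats the greeting, but cannot sign it with Doraemon's private key
        byte[] fake = sign(xeko.getPrivate(), greeting);
        System.out.println("Xeko's evidence verifies:     " + verify(doraemon.getPublic(), greeting, fake));

        // Nobita: OK, Doraemon. Here is {secret key}Doraemon's public key
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);   // 256-bit AES needs Java 8u161+ (or the unlimited policy files) to be enabled
        SecretKey session = kg.generateKey();
        byte[] wrapped = wrapSessionKey(doraemon.getPublic(), session);
        SecretKey doraemonsCopy = unwrapSessionKey(doraemon.getPrivate(), wrapped);

        // Doraemon: {blah blah}secret-key  /  Nobita: {blah hihi}secret-key
        byte[] m1 = encrypt(doraemonsCopy, "blah blah");
        System.out.println("Nobita reads:   " + decrypt(session, m1));
        byte[] m2 = encrypt(session, "blah hihi");
        System.out.println("Doraemon reads: " + decrypt(doraemonsCopy, m2));
    }
}
```

What the slides leave implicit, and the code makes visible, is that the public key Nobita verifies against must really be Doraemon's: here it is handed over in-process, while in TLS it arrives inside a certificate that the client validates against a trusted CA before the signature check means anything.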
Java security architecture overview
Basic Security Architecture
A set of APIs spanning major security areas:
• Cryptography
• Public key infrastructure
• Authentication
• Secure communication
• Access control
Cryptography
• Message digest algorithms
• Digital signature algorithms
• Symmetric bulk encryption
• Symmetric stream encryption
• Asymmetric encryption
• Password-based encryption (PBE)
• Elliptic Curve Cryptography (ECC)
• Key agreement algorithms
• Key generators
• Message Authentication Codes (MACs)
• (Pseudo-)random number generator
Packages: java.security, javax.crypto
Algorithms shipped with the JDK include:
• RSA and DSA signature algorithms
• DES, AES, and ARCFOUR encryption algorithms
• MD5 and SHA-1 message digest algorithms
• Diffie-Hellman key agreement algorithm
Public Key Infrastructure
• Key and certificate storage
• PKI tools
  • keytool
  • jarsigner
Authentication
• LoginContext & LoginModule
• Krb5LoginModule for authentication using the Kerberos protocol
• JndiLoginModule for username/password authentication using LDAP or NIS databases
• KeyStoreLoginModule for logging into any type of key store, including a PKCS#11 token key store
Secure Communication
• SSL/TLS
  • javax.net.ssl.SSLSocket
  • javax.net.ssl.SSLEngine
• Simple Authentication and Security Layer (SASL)
• GSS-API and Kerberos
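An added example (not eXo's code) of the SSL/TLS client side with javax.net.ssl.SSLSocket: the trust store path and password are assumptions, and the store is expected to be a PKCS#12 file holding the CA certificate(s) the client trusts, the kind of file the keytool slide refers to. It shows the two settings that a raw SSLSocket does not apply on its own but that the browser indicators slide takes for granted: endpoint identification (does the certificate name match the host we dialled?) and a restriction to current TLS versions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class TlsClient {

    // Added example. trustStorePath/password are assumptions: a PKCS#12 store with trusted CA certs.
    static SSLContext contextFrom(String trustStorePath, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, password);
        }
        // The TrustManagers validate the server's certificate chain against this store
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No KeyManagers: this client does not present a certificate of its own
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        // A plain SSLSocket checks the chain but NOT that the certificate is for `host`.
        // "HTTPS" switches on the RFC 2818 hostname check that browsers perform.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        // SSLv3, TLS 1.0 and TLS 1.1 stay disabled; TLSv1.3 needs Java 11+
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        socket.setSSLParameters(params);
        // Throws SSLHandshakeException when the chain or the hostname does not check out
        socket.startHandshake();
        return socket;
    }

    static String describe(SSLSession session) throws SSLPeerUnverifiedException {
        return session.getProtocol() + " " + session.getCipherSuite()
                + " peer=" + session.getPeerPrincipal().getName();
    }

    // Usage: java TlsClient <host> <port> <truststore.p12> <password>
    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFrom(args[2], args[3].toCharArray());
        try (SSLSocket socket = connect(ctx, args[0], Integer.parseInt(args[1]))) {
            System.out.println("Negotiated: " + describe(socket.getSession()));
        }
    }
}
```

HttpsURLConnection enables the hostname check by default; SSLSocket and SSLEngine do not, which is why it is set explicitly here. With the hostname check off, a certificate issued by a trusted CA for any other name would pass, which is exactly the situation the DNS spoofing slide describes.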
Access Control
• Permissions
• Policy
• Access control enforcement
eXo Platform implementation
• User certificates management
• OpenPGP / S/MIME support
• Reply to a topic by mail
• And more...
Q & A
Thank you!