#engageug Fun With SHA2 Certs by Gabriella Davis Technical Director - The Turtle Partnership [email protected] 1
#engageug
Fun With SHA2 Certs
by Gabriella Davis Technical Director - The Turtle Partnership
1
#engageug 2
Who Are We?• Adminofallthingsandespeciallyquitecomplicatedthingswherethefunis
• Workingwithsecurity,healthchecks,singlesignon,designanddeploymentofDomino,ST,Connectionsandthingsthattheytalkto
• Stubbornandrelentlessproblemsolver
• LivesinLondonabouthalfofthetime• [email protected]• twitter:gabturtle
#engageug
This is Betty
3
Betty gets emails telling her to click on a link and give her password
Betty knows the internet is scary. She always clicks the link
She likes to shop and bank online
#engageug
This is Hank
4
He needs to keep Betty’s money safe. Hank knows Betty will click on the link
Hank owns a bank
.. and that it will be his fault if her money goes missing
#engageug
This is Jazz
5
Jazz is cool
Jazz has to keep corporate data secure whilst keeping access simple & staying ahead of hackers
Jazz is a system administrator
Jazz doesn’t sleep much
#engageug
This is Harry
6
Harry is a jerk with no morals
He only cares about getting money and causing disruption
#engageug
Encryption
7
Hi Betty ! Hi Betty !181939FJFUETJDAJGDAKSGDAJKL1GDAJKGADJKGLD90FD9184053290532AJKGPAURWEOU4
It’s all about the key. How strong is it? How secure is it? Is it even the right key?
#engageug
Encryption Algorithms, Protocols & Strengths
8
• The SSL protocol has been deprecated and replaced with TLS • The last version of SSL is still vulnerable
• SHA, SHA2, AES, DES, TLS • all are different methods of encrypting data • the key strength is how complex the key used is • Old or compromised algorithms such as SHA or AES are no
longer considered secure enough to use • Using lower key strengths to create certificates makes them
more vulnerable to brute force attacks
#engageug
Man in the middle
Hi Betty ! Bye Betty!
181939FJFUETJDAJGDAKSGDAJKL1GDAJKGADJKGLD90FD9184053290532AJKGPAURWEOU4181939FJFUETJDAJGDAKSGDAJKL1GDAJKGADJKGLD90FD9184053290532AJKGPAURWEOU4181939FJFUETJDAJGDAKSGDAJKL1GDAJKGADJKGLD90FD9184053290532AJKGPAURWEOU4
Bye BettyHi Betty !
#engageug
Other Common Session Hijacking Attacks
10
• Sidejacking • stealing session cookies • unencrypted login information is particularly vulnerable
• Evil Twin • fake wifi networks that are designed purely to steal data
• Sniffing • Reading data traffic on a network using readily available tools
#engageug
Why Is This A Growing Problem?
11
• Too many old algorithms with weaknesses still around • Computing power can now break keys with a low strength in hours • Hacking is a playground often about disruption more than theft • As fast as one weakness is updated, another is found
• that’s if Jazz had time and resources to keep everything up to date
• Obscurity is not security • Just because you don’t think you’re important enough doesn’t
mean you aren’t a target • In fact targets are usually random not planned
• This isn’t a movie
#engageug
So We Need The Strongest Certificate That Uses The Best Algorithm & Is
Kept Up To Date
How Do We Do That?
12
#engageug
Certificate Structures• Certificate authorities • Private keys • Trusted roots • Generating a certificate
• You’ll need a keyfile • You’ll need a request with all the details of your certificate • You’ll need the trusted roots and intermediate certificates
or your CA • You’ll need the final certificate itself
13
#engageug 14
#engageug 15
#engageug 16
#engageug
With SHA2 & Strong Keys
Hi Betty ! Hi Betty!
181939FJFUETJDAJGDAKSGDAJKL1GDAJKGADJKGLD90FD9184053290532AJKGPAURWEOU4181939FJFUETJDAJGDAKSGDAJKL1GDAJKGADJKGLD90FD9184053290532AJKGPAURWEOU4181939FJFUETJDAJGDAKSGDAJKL1GDAJKGADJKGLD90FD9184053290532AJKGPAURWEOU4
!
***
#engageug
File Extensions For Certificates• More Acronyms
• Certificate formats • PEM (….. BEGIN CERTIFICATE….)
• CRT • CER • KEY
• DER binary • PFX or P12
• ….CSR (certificate signing request) 18
#engageug
OpenSSL• An open source library of SSL and TLS cryptography • Available for most platforms • Developed and managed by https://www.openssl.org
• repository for downloads on https://github.com/openssl/openssl
• Create certificates • Convert certificates • Extract certificates
19
#engageug
HERE BE TIGERS
20
#engageug
Installing OpenSSL - For the brave• https://www.openssl.org/source/
• ftp://ftp.openssl.org/source/ previous version • ftp://ftp.openssl.org/source/old older versions
• Download the compressed file and extract • Read the ReadME for instructions e.g run
• INSTALL Linux, Unix, etc. • INSTALL.W32 Windows (32bit) • INSTALL.W64 Windows (64bit)
• https://wiki.openssl.org/index.php/Compilation_and_Installation
21
#engageug
Installing OpenSSL Under Windows• I found the easiest solution (as an Admin) is to install the pre built
Windows executable from Shining Light - there are other’s out there • https://slproweb.com/products/Win32OpenSSL.html • Download the most recent “lite” version
• Currently 1.0.2f (Win32OpenSSL_Light-1_0_2f)
22
#engageug 23
#engageug 24
#engageug
Installing OpenSSL For Linux
• For Linux many distros come with a pre compiled version of OpenSSL
• yum install openssl • each OS may have its own method for configuration
25
#engageug
Let’s Create Some Certificates
26
#engageug
Domino – Creating A SHA2 Certificate• Domino no longer uses the Secure Server Certificate
database to generate keyfiles or merge certificates • We use a combination of OpenSSL and an IBM utility for
Domino called kyrtool • download kyrtool from IBM Fixcentral http://ibm.co/
1SAYX5E • copy it to your Notes or Domino program directory
• The program files must be 9.0.1 FP3 or higher
27
#engageug
Domino – Creating A SHA2 Certificate• We need to decide the size of the key pair we want to create
• the larger the key pair the harder it is to decrypt • not all software systems support the largest key pairs
• If using Windows set the environment variable for OpenSSL first
• Set OpenSSL_Conf=c:\openssl\bin\openssl.cfg • verify openssl.cfg actually exists in that directory
• To create a 4096 key pair • c:\openssl\bin\openssl genrsa -out mynewserver.key
409628
#engageug
Create a Certificate Signing Request • When buying a new certificate this sends to your CA • openssl req -new -sha256 -key mynewserver.key -out
mynewserver.csr • note that we are requesting a SHA2 certificate • the CSR will be verified by the CA when you submit it so
you can check that it’s right • if not you can recreate it by running the command again
29
#engageug 30
#engageug
MyNewServer.CSR• -----BEGIN CERTIFICATE REQUEST-----
• MIIEvjCCAqYCAQAweTELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEjMCEG
• A1UECgwaVGhlIFR1cnRsZSBQYXJ0bmVyc2hpcCBMdGQxCzAJBgNVBAsMAklUMScw
• JQYDVQQDDB50cmF2ZWxlci50dXJ0bGVwYXJ0bmVyc2hpcC5jb20wggIiMA0GCSqG
• SIb3DQEBAQUAA4ICDwAwggIKAoICAQDG5S3l7CtwiZQDHPXPxZMt3tQa8styCuZ+
• CyipKAyqAKvaurqGfb232kYjLdR9hDh/TAswAeG40+DuQN4LKW4efWB91tQTKyZp
• R9Kt5y6hVgKLjWbkZUqJcBRq60w7E1x+ufAqADLlhQAH0Q5fVe8aLhkYc5qIz4u/
• JIm1Y+RgO3M/80v4xl85s6R/wEUSOdynKjrpBOsgWXUWu6pkCmxQOTD0lZfII5Lj
• GztF9m7It8KcUojV4IdlsBNGlmOwdRgRwV1oqR0C3wdK9325xEbZcQgBnLBYprcN
• GxZTwQpkIkv9tHVs7jhmrJsIYCRv7uDgIVpd3VXcTpGJXdBNgAxy7zW2q/EBlFMe
• nPoavA8yyEID4tRHAQwCsDd4aoM/y3ZJRdU9ZyJE6fbcja2lDoB1r0dQWzA17UTC
• o4qFgdLqJ94IKlEhnkYF7Dotj3lt0tBpNLRdL3MQwMdpGpetYYhLATQRNaXaOz9n
• IsSFI/kIb5KKmFJX39vX7LjeAi9uRe4TbUBWBIWl+kmIT8n4xjUbjIeLrFWYUD4E
• Aft6qEmXyScIRufqorbWMz88juuC9Svkcm3zjGcLFjGSuxXOhrrMA6LpCqQJXHI1
• 5NCjZMdh/1xD1K39JhcYvSdfcpEtOe3CIXMpmkmJK0kANWrUOgeajoz7xC1vsUcE
• H4btBohD7B6fiqdozsOsvN1s
• -----END CERTIFICATE REQUEST-----
31
#engageug
Now Comes The Domino Bit• We have to create a keyring file in a format Domino will be
able to read • For that we use the kyrtool we downloaded from FixCentral • From your Notes program directory
• kyrtool create -k c:\notes\data\mynewserver.kyr -p <passwordyouwanttouse>
• this will create two files • mynewserver.kyr • mynewserver.sth (this is the stashed password that
unlocks the keyring)
32
#engageug
Nearly There…• We have our keyring file • We have sent our request for a certificate, generated off our
new key pair to our CA • When the CA sends the certificate back we can merge the
new certificate into our keyring file • we need to merge ALL the certificates, root, intermediate
and server into a single “key” file • c:\openssl\bin\type mynewserver.key server.crt
intermediate.crt root.crt >mynewserver.txt
33
#engageug
Last Step• We now add our new txt file with all the certificates in it into
our new Domino keyring • c:\ibm\notes\kyrtool import all -k c:\notes\data
\mynewserver.kyr -i c:\openssl\bin\mynewserver.txt
• That’s it. We now have a shiny keyring pair to use with our Domino server
34
#engageug
Installing A SHA2 Certificate Under Domino• Install Using Internet Site Documents
• The first keyring file in the Internet Site docs view that matches the server configuration “wins”.
• Avoid too many wildcard or duplicate Internet Site Documents
• What can you use it for • HTTPS (Traveler, Websites) • S/MIME (encrypted mail) • TLS (HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP, and
POP3) • DIIOP as of 9.0.1 FP5
35
#engageug
More Domino SSL• Remove weak ciphers from the site documents • Add Disable_SSLV3=1 to the notes.ini on the server • Domino support TLS 1.2 now
• SSL_DISABLE_TLS_10 • https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2
36
#engageug
Working With WebSphere Certificates• WebSphere installs with its own keystores for each cell and
node you add • The keystores are created and owned by IBM and have the
hostname of the server you’re installing onto by default • The cell keystores are found in
• /profiles/Dmgr01/config/cells/{cellname}/trust.p12 • /profiles/Dmgr01/config/cells/{cellname}/key.p12
37
#engageug
Accessing The SSL Configuration• Login to the WebSphere ISC • Security - SSL Certificate and Key Management
38
#engageug 39
#engageug
Adding A New Certificate To WebSphere• Go to the CellDefaultTrustStore if the certificate existing on another server
already you can “Retrieve from port” • Add your root and intermediate certificates here
40
#engageug
Personal Certificate Request
• The simplest way to generate a WAS certificate
• create a CSR in WAS • “receive” it into WAS when
sent from the CA • you can’t “receive” a
certificate you didn’t request
41
#engageug
WebSphere and 4096 Key Length Certificates
• A 4096 certificate can generate an error when attempting to add to WebSphere
• “RSA premaster secret” • You need to add the unrestricted policy files to WebSphere
for the 4096 certificates to be imported
42
#engageug
The Unrestricted Policy Files
• ibm.co/1JZGs3z
43
#engageug
Exporting A Certificate From WebSphere• Export a WAS certificate so that it can be imported onto
other systems • Such as a keyfile database generated by ikeyman and
used by IBM HTTP Server
44
#engageug
Working With Ikeyman• There are different versions of ikeyman that create keyfile
databases recognised by different products • Look in the program directory for your installed product to
find the right one • For IBM HTTP Server the file is in /IBM/HTTPServer/bin • On Linux you’ll need to configure X11 forwarding if you don’t
have a graphical interface
45
#engageug
Working With IKeyMan - Signer Certificates• Import the WebSphere certificate we extracted earlier • Add root and intermediate certificates
46
#engageug
Working With IKeyman - Personal Certificates
47
#engageug
Editing httpd.conf to add SSL configuration• Example content
• LoadModule ibm_ssl_module modules/mod_ibm_ssl.so • Listen 0.0.0.0:443 • <VirtualHost *:443>
• SSLEnable • SSLProtocolDisable SSLv2 • </VirtualHost>
• KeyFile /opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-cfg.kdb • SSLDisable
• Restart IHS - use netstat to see if 443 is active and listening
• Check IHS logs for SSL errors • If WebSphere doesn’t have a copy of the IHS certificate and IHS doesn’t have a copy of
the WebSphere certificate or they don’t share a trusted root, they won’t be able to communicate
48
#engageug
SSL and Development• Despite the initial pain see if you can get a proper production
SSL certificate to use on your development environment. • If you can not (for cost reasons) ensure you create a self cert
that is EXACTLY the same type as your production environment
• Identify ALL your third party libraries to your Admins as well as any changes in versions in a proper release document. particularly if you are overriding an existing library on the server
49
#engageug
Testing SSL On Your Site• https://www.ssllabs.com/ssltest/
50
#engageug
• You can’t stay ahead of the hackers but you must be vigilant and keep up
• Have a plan for monitoring • Have a plan for lock down at the first appearance of
exposure • Have a plan to fix the vulnerability • Have a plan to identify what information may be
compromised • Have a plan to make that information of as little value as
possible
51
#engageug
Resources• Working with OpenSSL https://www.feistyduck.com/books/
openssl-cookbook/ • Creating SHA2 For Domino http://turtleblog.info/2015/06/22/
creating-sha-2-4096-ssl-certificates-for-domino/ • Unrestricted policy files for WebSphere http://
www-01.ibm.com/support/docview.wss?uid=swg21663373
52
#engageug
My presentation with Mark Myers from LDC Via given at IBM Connect contains
more information about specific SSL vulnerabilities such as POODLE,
Heartbleed, Freak etc and is available on Slideshare http://bit.ly/1R6W9ck
53
#engageug
Thank you
Questions?
54