Securing Windows NT/2000 Servers for the Internet p age 293 C.4.1.4 4. Server Key Exchange The server sends the server key exchange message if the server has no certificate or if it has a certificate that is used only for signing. This might happen in one of three cases: • The server is using the Diffie-Hellman key exchange protocol. • The server is using RSA, but has a signature-only RSA key. • The server is using the Fortezza/DMS encryption suite. The key exchange message consists of the fields shown in Table C.3. Table C.3, Server Key Exchange Parameters Field Meaning For Diffie-Hellman key exchange: ServerDHParams params The server's Diffie-Hellman public value (Y s ). For RSA: ProtocolVersion client_version The most recent version of the SSL protocol supported by the client. opaque random[46] (Encrypted with server's RSA public key) 46 random bytes generated with a secure random number generator. For Fortezza/DMS: opaque y_c <0 128> The client's Y c value used in the Fortezza Key Exchange Algorithm (KEA). opaque r_c [128] The client's R c value used in the KEA. opaque wrapped_client_write_key [12] The client's write key, wrapped by the Fortezza's token encryption key (TEK). opaque wrapped_server_write_key [12] The server's write key, wrapped by the Fortezza's TEK. opaque client_write_IV [24] The initialization vector (IV) for the client write key. opaque server_write_IV [24] The IV for the server write key. opaque master_secret_IV [24] The IV for the TEK used to encrypt the premaster secret. block-ciphered opaque encrypted_pre_mater_secret [48] 48 bytes generated with a secure random number generator and encrypted using the TEK. Signatures may be RSA signatures, DSA signatures, or anonymous (in which case there are no signatures). Servers that have no signatures offer no protection against man-in-the-middle or server substitution attacks. SSL 3.0 defines three modes of Diffie-Hellman operations for the initial key exchange: Anonymous Diffie-Hellman In this mode, the server generates its Diffie-Hellman public value and the Diffie-Hellman parameters and sends them to the client. The client then sends back its client value. This mode is susceptible to the man-in-the-middle attack, because the server's parameters and public value are not authenticated. (In a man-in-the-middle attack, an attacker could simply conduct anonymous Diffie- Hellman with both parties.) Securing Windows NT/2000 Servers for the Internet p age 294 Fixed Diffie-Hellman In this mode, the server's certificate contains its fixed Diffie-Hellman parameters instead of an RSA or DSS public key. As SSL 3.0 allows only one key per server, a server that is configured to operate in fixed Diffie-Hellman mode cannot interoperate with SSL clients that expect to perform RSA key exchanges. Ephemeral Diffie-Hellman In this mode, the server generates its own Diffie-Hellman parameters, then uses a pre-existing RSA or DSS public key to sign the parameters, which are then sent to the client. This third mode appears to be the most secure SSL 3.0 operating mode. Netscape Navigator Versions 1, 2, and 3 do not implement Diffie-Hellman, but future versions of the product might. More programs may implement the algorithm in the future, however, as the Diffie-Hellman patent expires on March 30, 1997. C.4.1.5 5. Certificate Request If the server wishes to authenticate the client, it can send a Certificate Request to the client. Certificate Requests consist of five parts, shown in Table C.4. Table C.4, Certificate Request Message Field Meaning ClientCertificateType certificate_types<1 2 8 -1> The types of certificates requested by the server. Random random A random structure (consisting of a 32-bit timestamp and 28 bytes generated by a secure random number generator). SessionID session_id The session ID. This field is never empty. If it matches the session_id provided by the client in the ClientHello, it indicates that the previous SSL session will be resumed. Otherwise, the session_id of the new session is provided. CipherSuite ciper The cipher chosen by the server for this session. CompressionMethod compression_method The compression method chosen by the server for this session. C.4.1.6 6. Client Sends Certificate If requested by the SSL server, the client sends any certificates that were requested. If no certificate is available, the client sends the no certificate alert. It is up to the SSL server to decide what to do if a no certificate alert is received. The SSL server could continue the SSL transaction with an anonymous client. Alternatively, the SSL server could terminate the connection by sending a data handshake failure alert. Securing Windows NT/2000 Servers for the Internet p age 29 5 C.4.1.7 7. ClientKeyExchange The client can send one of three kinds of key exchange messages, depending on the particular public key algorithm that has been selected. These are shown in Table C.5. Table C.5, Server Key Exchange Parameter Field Meaning For Diffie-Hellman key exchange: opaque dh_Yc<1 2 16 -1> The client's Diffie-Hellman public value (Y c ). Signature signed_params The signature for the parameters. For RSA: ServerRSAarams params The server's RSA parameters. Structure signed_params The signature for the parameters. For Fortezza/DMS: ServerFortezzaParams params The server's Fortezza parameters. C.4.1.8 8. CertificateVerify If the client sends a public certificate that has signing capability (such as an RSA or a DSS certificate), the client now sends a CertificateVerify message. This message consists of two message authentication codes, one calculated with the MD5 algorithm and one calculated with SHA. They are: CertificateVerify.signature.sha_hash MD5(MAC_write_secret + pad2 + MD5(MAC_write_secret + pad_1 + seq_num + SSLCompressed.type + SSLCompressed.length + SSLCompressed.fragment)) CertificateVerify.signature.md5_hash SHA(MAC_write_secret + pad2 + SHA(MAC_write_secret + pad_1 + seq_num + SSLCompressed.type + SSLCompressed.length + SSLCompressed.fragment)) The handshake_messages refers to all handshake messages starting with the ClientHello up to but not including the CertificateVerify message. C.4.1.9 9. ChangeCipherSpec After the CertificateVerify is sent, the ChangeCipherSpec message is sent. After the message is sent, all following messages are encrypted according to the specified cipher suite and compressed according to the compression method. C.4.1.10 10. Finished Finally, both the SSL client and the server send finished messages. The finished message consists of the fields shown in Table C.6. Table C.6, Finished Message Field Meaning opaque md5_hash [16] A 16-byte MD5 hash code. opaque sha_hash [20] A 20-byte SHA hash code. The hash values are computed according to equations shown in Table C.6. The value hashed is computed from all of the information that has been previously sent. The finished message verifies that both the client and server are in proper synchronization. If they aren't, then the SSL link is terminated. Securing Windows NT/2000 Servers for the Internet p age 29 6 C.4.2 Application Data After the SSL Finished message is sent, application data is transported. All application data is divided into individual SSL record-layer messages. These messages are then compressed and encrypted according to the current compression method and cipher suite. C.5 SSLeay SSLeay is a freely available implementation of the Netscape 3.0 SSL protocol. It is the cryptographic engine that drives the Apache-SSL server. The SSLeay system installs in the directory /usr/local/ssl. It contains the following subdirectories: CA The certification authority directory, used if you wish to run your own CA. bin Contains the executable programs, which make up the SSLeay package. certs Holds the actual X.509 server public key certificates, used by SSL servers on your system. include The C language #include files needed for compiling other programs that use the SSLeay library packages. lib The actual C language libraries, which are linked with other programs that use SSLeay. private Holds the private key certificates used by the SSL servers on your system. SSLeay can be freely used outside the United States. Within the United States, its use is governed by the patents on public key cryptography. C.5.1 SSLeay Examples Michael Grant has created several small programs that demonstrate how to use SSLeay to create a secure SSL server and client. The programs run under Solaris 2.5. They are included here with his permission. Securing Windows NT/2000 Servers for the Internet p age 29 7 C.5.1.1 SSLeay Client Here is the program: /* client.c To compile: cc -g -c -I/usr/local/SSLeay-0.6.4/include client.c cc -g client.o -L/usr/local/SSLeay-0.6.4/lib -lssl -lcrypto -lsocket -lnsl -o client This program implements a simple client which connects to the server by a TCP/IP connection, and then starts SSL on the connection. It sends some data, then waits for some data (which it prints) and then disconnects. There are two arguments: hostname to connect to port number (which the server will tell you when it starts). You will need to supply a certificate for a CA. This is used in CAfile below. */ #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> #include "buffer.h" #include "crypto.h" #include " /e_os.h" #include "x509.h" #include "ssl.h" #include "err.h" int MS_CALLBACK verify_callback(int ok, X509 *xs, X509 *xi, int depth, int error, char *arg); #define CAfile "demoCA/cacert.pem" #define CApath NULL main(int argc, char **argv) { int sock; /* The TCP/IP socket */ struct sockaddr_in server; struct hostent *hp; char buf[1024]; SSL_CTX *c_ctx=NULL; /* The Client's context */ SSL *c_ssl=NULL; /* The Client's SSL connection */ int rval; if (argc<2) { printf("usage: client hostname port#\n"); exit(1); } SSL_load_error_strings(); /* Create a new context. This holds information pertinent to the * client's SSL side of the connection. */ c_ctx=SSL_CTX_new(); if (c_ctx == NULL) { printf("SSL_CTX_new() failed\n"); } /* Tell SSL where the Certificate Authority files are located */ if ((!SSL_load_verify_locations(c_ctx,CAfile,CApath)) || (!SSL_set_default_verify_paths(c_ctx))) { fprintf(stderr,"SSL_load_verify_locations\n"); ERR_print_errors_fp(stderr); exit(1); } Securing Windows NT/2000 Servers for the Internet p age 29 8 /* Tell SSL to request the server's certificate when we connect. */ SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER, verify_callback); /* Now we can create a basic TCP/IP connection */ if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); exit(1); } server.sin_family = AF_INET; if ((hp = gethostbyname(argv[1])) == NULL) { perror(argv[1]); exit(1); } memcpy((char *)&server.sin_addr, (char *)hp->h_addr, hp->h_length); server.sin_port = htons(atoi(argv[2])); if (connect(sock, (struct sockaddr *)&server, sizeof(server)) == -1) { perror("connect"); exit(1); } /* We now have a basic TCP/IP connection up. Now we start SSL * on this connection. */ /* Creates a new SSL connection. This holds information pertinent * to this connection. */ if ((c_ssl=SSL_new(c_ctx)) == NULL) { printf("SSL_new() failed\n"); exit(1); } /* Tell SSL that this connection is to use the socket we just * created above. */ SSL_set_fd(c_ssl, sock); /* Finally, start the SSL connection */ if (SSL_connect(c_ssl) < 1) { fprintf(stderr, "SSL_connect:"); ERR_print_errors_fp(stderr); exit(1); } /* Lets find out who the peer *really* is. We look though the * server's certificate to see who he says he is. */ { X509 *peer_x509; char *s = NULL; peer_x509 = SSL_get_peer_certificate(c_ssl); if (peer_x509==0) { fprintf(stderr, "SSL_get_peer_cert:"); ERR_print_errors_fp(stderr); exit(1); } s=(char *)X509_NAME_oneline(X509_get_subject_name(peer_x509)); if (s==NULL) { fprintf(stderr, "X509_NAME_oneline:"); ERR_print_errors_fp(stderr); exit(1); } printf("Server's subject name is '%s'\n', s);stderr } Securing Windows NT/2000 Servers for the Internet p age 299 /* Send some data to the server */ printf("sending data\n"); SSL_write(c_ssl,"hello from client",18); memset(buf, 0, sizeof(buf)); printf("waiting for data\n"); /* Now we receive some data from the server and print it out */ rval=SSL_read(c_ssl,buf,1024); printf(" >%s\n", buf); /* Close the SSL connection */ SSL_free(c_ssl); /* Close the TCP/IP socket */ close(sock); exit(0); } int MS_CALLBACK verify_callback(int ok, X509 *xs, X509 *xi, int depth, int error, char *arg) { char *s; s=(char *)X509_NAME_oneline(X509_get_subject_name(xs)); if (s != NULL) { if (ok) fprintf(stderr,"depth=%d %s\n",depth,s); else { fprintf(stderr,"depth=%d error=%d ok=%d %s\n", depth,error,ok,s); ERR_print_errors_fp(stderr); } Free(s); } return(ok); } C.5.1.2 SSLeay Server Here's what the output from server looks like: sun% ./server server ready waiting on port 43205 starting connection using RC4-MD5 cipher >hello from client ending connection And here is the source code: /* server.c To compile: cc -c -I/usr/local/SSLeay-0.6.4/include server.c cc server.o -L/usr/local/SSLeay-0.6.4/lib -lssl -lcrypto -lsocket -lnsl -o server This program implements a simple server which accepts TCP/IP connections, starts SSL on the connection, waits for some data (which it prints), sends some data back to the client, then waits for more data. When the connection is closed by the client, it continues to wait for a new connection. There are no arguments. When the server starts, it will tell you what port it is waiting on. This information is used to start the client. You will need to supply a certificate for a CA, the server's certificate, and the server's private key. These are used in CAfile, SERVER_CERT, and SERVER_KEY respectively below. */ #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <stdio.h> #include <stdio.h> Securing Windows NT/2000 Servers for the Internet p age 300 #include <stdlib.h> #include <string.h> #include <errno.h> #include "buffer.h" #include "crypto.h" #include " /e_os.h" #include "x509.h" #include "ssl.h" #include "err.h" #define CAfile "demoCA/cacert.pem" #define CApath NULL #define SERVER_CERT "./server_cert.pem" #define SERVER_KEY "./server_key.pem" main() { int sock; /* The TCP/IP socket */ int length; struct sockaddr_in server; int fd; char buf[1024]; int rval; SSL_CTX *s_ctx=NULL; /* The Server's context */ SSL *s_ssl=NULL; /* The Server's SSL connection */ SSL_load_error_strings(); /* Create a new context. This holds information pertinent to the * client's SSL side of the connection. */ s_ctx=SSL_CTX_new(); if (s_ctx == NULL) { printf("SSL_CTX_new() failed\n"); } /* Tell SSL where the server's public certificate is */ if (SSL_CTX_use_certificate_file(s_ctx,SERVER_CERT, SSL_FILETYPE_PEM) == 0) { fprintf(stderr, "SSL_CTX_use_certificate_file:"); ERR_print_errors_fp(stderr); exit(1); } /* Tell SSL where the server's private key is */ if (SSL_CTX_use_RSAPrivateKey_file(s_ctx,SERVER_KEY, SSL_FILETYPE_PEM) == 0) { fprintf(stderr, "SSL_CTX_use_RSAPrivateKey_file:"); ERR_print_errors_fp(stderr); exit(1); } /* Tell SSL where the Certificate Authority files are located */ if ((!SSL_load_verify_locations(s_ctx,CAfile,CApath)) || (!SSL_set_default_verify_paths(s_ctx))) { fprintf(stderr,"SSL_load_verify_locations\n"); ERR_print_errors_fp(stderr); exit(1); } /* Now we create a socket and wait for a basic TCP/IP connection */ if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); exit(1); } server.sin_family = AF_INET; server.sin_addr.s_addr = INADDR_ANY; server.sin_port = 0; if (bind(sock, (struct sockaddr *)&server, sizeof(server)) == -1) { perror("bind"); exit(1); } length = sizeof(server); if (getsockname(sock, (struct sockaddr *)&server, &length) == -1) { perror("getsockname"); exit(1); } Securing Windows NT/2000 Servers for the Internet p age 301 printf("server ready waiting on port %d\n", ntohs(server.sin_port)); /* We now are ready to wait for a basic TCP/IP connection up. */ listen(sock, 5); while (1) /* Do this for each incoming TCP/IP connection */ { /* Accept the new TCP/IP connection */ if ((fd = accept(sock, NULL, NULL)) == -1) { perror("accept"); exit(1); } /* Creates a new SSL connection. This holds information * pertinent to this * connection. */ if ((s_ssl=SSL_new(s_ctx)) == NULL) { printf("SSL_new() failed\n"); exit(1); } /* Tell SSL that this connection is to use the socket we * just created above. */ SSL_set_fd(s_ssl, fd); /* Finally, start the SSL connection */ if (SSL_accept(s_ssl)<1) { fprintf(stderr, "SSL_accept failed\n"); ERR_print_errors_fp(stderr); SSL_free(s_ssl); close (fd); continue; } printf("starting connection using %s cipher\n", SSL_get_cipher(s_ssl)); do /* Do this until the client disconnects: */ { /* Receive data from the client and print it out */ rval = SSL_read(s_ssl,buf,1024); if (rval < 0) { fprintf(stderr, "SSL_read: %s\n", ERR_reason_error_string (ERR_get_error())); } if (rval==0) { printf("ending connection\n"); } else { /* If everything is OK, print out data received */ printf(" >%s\n", buf); /* Now send some data back to the client */ SSL_write(s_ssl,"hello from server",18); } } while (rval>0); /* Close the SSL connection */ SSL_free(s_ssl); /* Close the TCP/IP socket */ close (fd); } } Securing Windows NT/2000 Servers for the Internet p age 30 2 C.5.1.3 SSLeay CA Michael Grant has also put together a very simplified CA to create and sign the certificates needed for the demo client and server programs. The ca.conf file is included below. Here is the program's operation. First we create a configuration file and a directory to hold the certificates: % mkdir demoCA % cp ca.conf demoCA % cd demoCA % mkdir new_certs % touch index.txt % echo 01 > serial Now we create the private key and x509 certificate for the CA. The -x509 option makes this a self-signed certificate (issuer and subject are the same). % ssleay req -config ca.conf -x509 -new -keyout cakey.pem -out cacert.pem Generating a 1024 bit private key +++++ +++++ unable to write 'random state' writing new private key to 'cakey.pem' You are about to be asked to enter information that will be incorperated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. Country Name (2 letter code) [US]:US Organization Name (eg, company) [MegaWidget]:MegaWidget Organizational Unit Name (eg, section) [Eng]:Eng Common Name (eg, YOUR name) [Michael Grant]:CA % ls ca.conf cakey.pem new_certs/ cacert.pem index.txt serial Now we generate a request for a certificate and a private key for the server. This request could be emailed to the CA. % ssleay req -config ca.conf -new -keyout server_key.pem -out server_req.pem Generating a 1024 bit private key .+++++ +++++ unable to write 'random state' writing new private key to 'server_key.pem' You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. Country Name (2 letter code) [US]:US Organization Name (eg, company) [MegaWidget]:MegaWidget Organizational Unit Name (eg, section) [Eng]:Eng Common Name (eg, YOUR name) [Michael Grant]:Michael Grant Server [...]... be used to transmit to the web browser a unique serial number used to track every download of every labeled document However, the two countries might adopt slightly different monitoring extensions As one extension would have a URL of http://censorship.gov.cn/monitoring.html and the other would have a URL of http://censorship.gov.sg/monitoring.html, the two extensions would not conflict even though they... are dozens of security- related WWW pages with pointers to other information Some pages are comprehensive, and others are fairly narrow in focus The ones we list here provide a good starting point for any browsing you might do You will find most of the other useful directories linked into one or more of these pages, and you can then build your own set of "bookmarks." E.1.3.1 Applied Cryptography This... Telephony legislation, and public policy on encryption Schneier, Bruce Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition New York, NY: John Wiley & Sons, 1996 The most comprehensive, unclassified book about computer encryption and data privacy techniques ever published E.2.5 General Computer Security Amoroso, Edward Fundamentals of Computer Security Technology Englewood... mail program This huge book will give you tips on configuring it more securely Custer, Helen Inside Windows NT Seattle, WA: Microsoft Press, 1993 A thorough overview of how Windows NT works and how the components fit together Garfinkel, Simson and Gene Spafford Practical UNIX & Internet Security, Second Edition Sebastopol, CA: O' Reilly & Associates, 1996 Nearly 100 0 pages of UNIX and network security, ... and complete introduction to computer security at the level of a college text Carroll, John M Computer Security , Second Edition Stoneham, MA: Butterworth Publishers, 1987 Contains an excellent treatment of issues in physical communications security Pfleeger, Charles P Security in Computing, Second Edition Englewood Cliffs, NJ: Prentice Hall, 1996 A good introduction to computer security E.2.6 Network... simply because you read it on the network does not mean that the information is correct for your system or environment, does not mean that it has been carefully thought out, does not mean that it matches your site policy, and most certainly does not mean that it will help your security Always carefully evaluate the information you receive before acting on it Following are some of the major mailing lists... stateOrProvinceName = organizationName = organizationalUnitName commonName emailAddress # For the 'anything' policy # At this point in time, you # types [ policy_anything ] countryName stateOrProvinceName = localityName organizationName = organizationalUnitName organizationalUnitName commonName emailAddress = = = = match optional match optional supplied optional must list all acceptable 'object' = optional... under "Software Resources" are drawn from COAST's tools.abstracts file, and we gratefully acknowledge their permission to use this information To find out more about COAST, point a WWW viewer at their web page: http://www.cs.purdue.edu/coast Note that the COAST FTP archive does not contain cryptographic software because of the export control issues involved However, nearly everything else related to security. .. Sendmail to protect them from SMTP-based attacks You should install smap if you run sendmail at your site The toolkit is designed so that you can pick and choose only the pieces you need; you don't have to install the whole thing The pieces you do install share a common configuration file, however, which makes managing configuration changes somewhat easier You can get the toolkit from ftp://ftp.tis.com/pub/firewalls/toolkit/... discussions of improvements, bugs, fixes, and so on among people using the toolkit; send email to fwall-users-request@tis.com to subscribe to this list E.1.4.15 trimlog David Curry's trimlog is designed to help you manage log files It reads a configuration file to determine which files to trim, how to trim them, how much they should be trimmed, and so on The program helps keep your logs from growing . <errno.h> #include "buffer.h" #include "crypto.h" #include " /e_os.h" #include "x509.h" #include "ssl.h" #include "err.h". (transmit-as "r") (name "Rating") (label (name "G") (value 0) (icon "icons/G.gif")) (label (name "PG") (value 1) (icon "icons/PG.gif")). "PG-13") (value 2) (icon "icons/PG-13.gif")) (label (name "R") (value 3) (icon "icons/R.gif")) (label (name "NC-17") (value 4) (icon "icons/NC-17.gif"))))