아키텍쳐 /Security & IDM

SSL/TLS 관련 개념 링크

Terry Cho 2013. 9. 24. 00:36

http://www.javaworld.com/javaworld/jw-01-2001/jw-0112-howto.html

http://www.javaworld.com/jw-02-2001/jw-0216-howto.html

http://juntheater.tistory.com/entry/keytool%EB%A5%BC-%EC%9D%B4%EC%9A%A9%ED%95%9C-%ED%82%A4-%EC%83%9D%EC%84%B1

http://juntheater.tistory.com/entry/Java-SSL-%EA%B5%AC%ED%98%84


weblogic SSL Client sample

http://docs.oracle.com/cd/E11035_01/wls100/security/SSL_client.html

http://blog.palominolabs.com/2011/10/18/java-2-way-tlsssl-client-certificates-and-pkcs12-vs-jks-keystores/


PKI 관련 파일 명에 대한 개념 링크

http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file



Tomcat 2 way SSL (mutual SSL)

http://blog1.vorburger.ch/2006/08/setting-up-two-way-mutual-ssl-with.html



Self study memo

Public Key 기반의 암호화

암호화와 복호화키를 다른 키를 사용.

Private Key로 암호화 하고 Public Key 로 복호화를 함. Public Key는 공개되어도 상관 없음.

가장 널리 사용되는 Public Key 기반의 암호화 알고리즘으로는 RSA가 있음

 

인증서의 필요성

그러나 문제는 PKI 를 사용할 경우, 해커가 main in middle attack으로 pubic key를 가로챌 수 있다. 이를 방지하기 위해서, 3자의 공인된 인증 기관 (CA) public key를 등록하고, public key가 들어 있는 인증서(certification)을 발급 받아서 사용한다.

 

인증서 표준중, 많이 사용되는 인증서가 X.509 인증서 임


 

그외에 PGP(Pretty Good Privacy) Ceriticates SDSI (Simple Distributed Security Infrastructure)등이 있음.

 

인증서 Chain

상위 인증서가 하위 인증서에 대한 Public Key를 가지고 있음.

상위 인증서가

 

 

인증서 파일 포맷

PKCS

- X.509와 같은 인증서를 저장하기 위한 포맷 (PKCS12 is a password-protected format that can contain multiple certificates and keys)

CF. JKS

http://blog.palominolabs.com/2011/10/18/java-2-way-tlsssl-client-certificates-and-pkcs12-vs-jks-keystores/

 

 

인증서 파일 포맷은 크게

·         PEM Governed by RFCs, it's used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, more)

·         PKCS12 A private standard that provides enhanced security versus the plain-text PEM format. It's used preferentially by Windows systems, and can be freely converted to PEM format through use of openssl.

·         DER The parent format of PEM. It's useful to think of it as a binary version of the base64-encoded PEM file. Not routinely used by anything in common usage. --> 확장자가 *.CER 경우, DER 인코딩된 X.509 바이너리이거나, Base 64 인코딩된 X.509 인증서임

 

3가지가 주류로 나뉘어짐

세부적으로 보면

·         .csr This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate, which itself can be in a couple of formats.

·         .pem Defined in RFC's 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. The name is from Privacy Enhanced Email, a failed method for secure email but the container format it used lives on.

·         .key This is a PEM formatted file containing just the private-key of a specific certificate. In Apache installs, this frequently resides in /etc/ssl/private. The rights on this directory and the certificates is very important, and some programs will refuse to load these certificates if they are set wrong.

·         .pkcs12 .pfx .p12 Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Every time I get one I have to google to remember the openssl-fu required to break it into .key and .pem files.

A few other formats that show up from time to time:

·         .der A way to encode ASN.1 syntax, a .pem file is just a Base64 encoded .der file. OpenSSL can convert these to .pem. Windows sees these as Certificate files. I've only ever run into them in the wild with Novell's eDirectory certificate authority.

·         .cert .cer A .pem formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.

·         .crl A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration.

 

 

주의!! - 전자 서명과 인증서는 개념이 다름

전자 서명 (Digital Signature) Private signature를 생성한 후에, public key를 이용하여 descrypt 하여, 문서의 유효성을 판단.

이때, public key에 대한 변조를 막기 위해서 인증서(Certification) 를 통해서 public key를 전달함

 

http://blog.naver.com/jasonalive?Redirect=Log&logNo=80008939065


양방향 SSL 을 E2E로 구현하는 것에 목표를 두자.


그리드형