블로그 이미지
평범하게 살고 싶은 월급쟁이 기술적인 토론 환영합니다.같이 이야기 하고 싶으시면 부담 말고 연락주세요:이메일-bwcho75골뱅이지메일 닷컴. 조대협


Archive»


 

'양방향 SSL'에 해당되는 글 1

  1. 2013.09.24 SSL/TLS 관련 개념 링크 (1)
 

SSL/TLS 관련 개념 링크

아키텍쳐 /Security & IDM | 2013.09.24 00:36 | Posted by 조대협

http://www.javaworld.com/javaworld/jw-01-2001/jw-0112-howto.html

http://www.javaworld.com/jw-02-2001/jw-0216-howto.html

http://juntheater.tistory.com/entry/keytool%EB%A5%BC-%EC%9D%B4%EC%9A%A9%ED%95%9C-%ED%82%A4-%EC%83%9D%EC%84%B1

http://juntheater.tistory.com/entry/Java-SSL-%EA%B5%AC%ED%98%84


weblogic SSL Client sample

http://docs.oracle.com/cd/E11035_01/wls100/security/SSL_client.html

http://blog.palominolabs.com/2011/10/18/java-2-way-tlsssl-client-certificates-and-pkcs12-vs-jks-keystores/


PKI 관련 파일 명에 대한 개념 링크

http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file



Tomcat 2 way SSL (mutual SSL)

http://blog1.vorburger.ch/2006/08/setting-up-two-way-mutual-ssl-with.html



Self study memo

Public Key 기반의 암호화

암호화와 복호화키를 다른 키를 사용.

Private Key로 암호화 하고 Public Key 로 복호화를 함. Public Key는 공개되어도 상관 없음.

가장 널리 사용되는 Public Key 기반의 암호화 알고리즘으로는 RSA가 있음

 

인증서의 필요성

그러나 문제는 PKI 를 사용할 경우, 해커가 main in middle attack으로 pubic key를 가로챌 수 있다. 이를 방지하기 위해서, 3자의 공인된 인증 기관 (CA) public key를 등록하고, public key가 들어 있는 인증서(certification)을 발급 받아서 사용한다.

 

인증서 표준중, 많이 사용되는 인증서가 X.509 인증서 임


 

그외에 PGP(Pretty Good Privacy) Ceriticates SDSI (Simple Distributed Security Infrastructure)등이 있음.

 

인증서 Chain

상위 인증서가 하위 인증서에 대한 Public Key를 가지고 있음.

상위 인증서가

 

 

인증서 파일 포맷

PKCS

- X.509와 같은 인증서를 저장하기 위한 포맷 (PKCS12 is a password-protected format that can contain multiple certificates and keys)

CF. JKS

http://blog.palominolabs.com/2011/10/18/java-2-way-tlsssl-client-certificates-and-pkcs12-vs-jks-keystores/

 

 

인증서 파일 포맷은 크게

·         PEM Governed by RFCs, it's used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, more)

·         PKCS12 A private standard that provides enhanced security versus the plain-text PEM format. It's used preferentially by Windows systems, and can be freely converted to PEM format through use of openssl.

·         DER The parent format of PEM. It's useful to think of it as a binary version of the base64-encoded PEM file. Not routinely used by anything in common usage. --> 확장자가 *.CER 경우, DER 인코딩된 X.509 바이너리이거나, Base 64 인코딩된 X.509 인증서임

 

3가지가 주류로 나뉘어짐

세부적으로 보면

·         .csr This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate, which itself can be in a couple of formats.

·         .pem Defined in RFC's 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. The name is from Privacy Enhanced Email, a failed method for secure email but the container format it used lives on.

·         .key This is a PEM formatted file containing just the private-key of a specific certificate. In Apache installs, this frequently resides in /etc/ssl/private. The rights on this directory and the certificates is very important, and some programs will refuse to load these certificates if they are set wrong.

·         .pkcs12 .pfx .p12 Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Every time I get one I have to google to remember the openssl-fu required to break it into .key and .pem files.

A few other formats that show up from time to time:

·         .der A way to encode ASN.1 syntax, a .pem file is just a Base64 encoded .der file. OpenSSL can convert these to .pem. Windows sees these as Certificate files. I've only ever run into them in the wild with Novell's eDirectory certificate authority.

·         .cert .cer A .pem formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.

·         .crl A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration.

 

 

주의!! - 전자 서명과 인증서는 개념이 다름

전자 서명 (Digital Signature) Private signature를 생성한 후에, public key를 이용하여 descrypt 하여, 문서의 유효성을 판단.

이때, public key에 대한 변조를 막기 위해서 인증서(Certification) 를 통해서 public key를 전달함

 

http://blog.naver.com/jasonalive?Redirect=Log&logNo=80008939065


양방향 SSL 을 E2E로 구현하는 것에 목표를 두자.


본인은 구글 클라우드의 직원이며, 이 블로그에 있는 모든 글은 회사와 관계 없는 개인의 의견임을 알립니다.

댓글을 달아 주세요

  1. noname 2015.10.15 00:49  댓글주소  수정/삭제  댓글쓰기

    Private Key로 암호화 하고 Public Key 로 복호화를 함: public key로 암호화를 하는게 아닌가요?