Agenda
- Transport security
- X.509 Certificates
- Setting up TLS endpoints
- HTTP authentication framework
- APIs & Tools
- Resources
Transport Security
- HTTPS == HTTP over TLS
- RFC 1818
- Tunnels unprotected HTTP and adds
- server authentication
- integrity protection
- replay protection
- confidentiality
X.509 Certificates
Simplified SSL Handshake
Where to Get Certificates From?
- Buy
- Verisign etc…
- Corporate PKI
- Windows Certificate Services
- Create yourself
- makecert.exe
- OpenSSL
Creating a Root Certificate
makecert.exe
-r // self signed
-n "CN=DevRoot" // subject name
-pe // mark private key as exportable
-sv DevRoot.pvk // name of private key file
-a sha1 // hashing algorithm
-len 2048 // key length
-b 01/21/2010 // valid from
-e 01/21/2030 // valid to
-cy authority // certificate type: CA (authority), not end entity
DevRoot.cer // name of certificate file (output file comes last)
Creating an SSL Certificate
makecert.exe
-iv DevRoot.pvk // file name of root private key
-ic DevRoot.cer // file name of root cert
-n "CN=web.local" // subject name; must match the host name clients connect to
-pe // mark private key as exportable
-sv web.local.pvk // name of private key file
-a sha1 // hashing algorithm
-len 2048 // key length
-b 01/21/2010 // valid from
-e 01/21/2020 // valid to
-sky exchange // key type (exchange = usable for key encipherment)
-eku 1.3.6.1.5.5.7.3.1 // extended key usage: server authentication
web.local.cer // name of certificate file (output file comes last)
Setting up SSL
- Establish trust
- Windows certificate store
- Bind SSL certificate to port / host name
- IIS
- netsh.exe
- httpconfig.exe
HTTP Authentication Framework
- Whenever authentication is required
- Status code of 401 indicates unauthorized
- WWW-Authenticate response header indicates the preferred authentication method
Authentication for HTTP-based Services
- Credentials transmitted (typically) via the Authorization header
- e.g. Basic authentication, access tokens…
- sometimes other means (query string, cookie…)
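As an added example (not part of the original deck), a minimal server-side implementation of the challenge/response round described on these slides, using Basic as the scheme; the realm, user name and password are constructed demo values:

```python
import base64
import hmac

# Constructed demo credential store (example values, not from the deck).
USERS = {"alice": "correct horse battery staple"}
REALM = "web.local"

def challenge():
    """401 plus a WWW-Authenticate header naming scheme and realm,
    as the HTTP authentication framework prescribes."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}

def parse_basic(authorization):
    """Parse an 'Authorization: Basic <base64(user:pass)>' header value.
    Returns (user, password), or None if the header is absent or malformed."""
    if not authorization:
        return None
    scheme, _, param = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep:
        return None
    return user, password

def authenticate(headers):
    """One round of the framework: valid credentials -> 200, anything else ->
    401 with a challenge. Constant-time compare avoids leaking match length."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return challenge()
    user, password = creds
    expected = USERS.get(user, "")
    if expected and hmac.compare_digest(password.encode(), expected.encode()):
        return 200, {}
    return challenge()

def basic_header(user, password):
    """Client side: encode credentials the way a browser answers a Basic challenge."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}

if __name__ == "__main__":
    print(authenticate({}))  # no credentials -> 401 with WWW-Authenticate
    print(authenticate(basic_header("alice", "correct horse battery staple")))  # -> (200, {})
```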