OpenSSL
By: Brian E. Lavender
Date: June 16, 2008
LuGOD presentation

This presentation is primarily based upon my current research into implementing SSL/TLS for the OSSIM project for
Google Summer of Code. I am not an expert in SSL/TLS, but I am doing this presentation to help solidify my understanding. Please make note if you see errors or holes. It contains a series of useful examples at its website.

http://www.opensslbook.com
Network Security with OpenSSL
John Viega, Mass Messier, Pravir Chandra
ISBN 0-596-00270-X
O'Reilly, 2002


OpenSSL is encryption over a TCP socket. It is crytography and PKI laid on top of a TCP socket connection. Version 3 for SSL is current version for SSL. There is an older version 2 for SSL, but it is not recommended. TLS is Transport Layer Security which was developed as the result of standardization of SSL. Both SSL and TLS is supported by OpenSSL. It provides the communication layer and the encryption and authentication on top of the communication layer. Authentication is performed using PKI.

What is PKI.

Certificate Authority
- Certificate is a signed public key.
- Private key to go along with it.
- RSA key can be used for signing and encryption
- DSA key can only used for signing

Create self signed key for Certificate authority. Certificate for certificate authority is widely distributed
Create Certificate Signing Request (CSR).
Certificate authority verifies signs CSR and returns

What SSL doesn't do.

Non repudation. Say Alice receives a message from Bob. After she receives the message she wants to show it to Charlie. It is possible that Bob can deny that he sent the message. With the PKI infrastructure it is easy to implement the nonrepudiation because both Bob and Alice have established certificates. Bob can sign the message before he encrypts using the SSL.

Different types of encryption

Block and stream ciphers for symetric encryption. Some are covered by patent or the names have trademark protection.
RC2, RC4, and RC5 are trademarks of RSA.

Stream
XOR, RC4 (tm)

Block
AES, IDEA, Triple DES, DESX, DES, CAST5, Blowfish, RC2 (tm), RC5 (tm)

Diffe Hellman
Method of doing private key exchange over an insecure channel using an ephemeral key ( a publicly avaialable key). Vulnerable to Man in the middle attack.

It is useful to understand socket programming without any of the SSL library,.

Socket Programming
According to Bruce Molay in "Understanding Unix/Linux Programming"

1. Ask kernel for a socket
2. Bind address to socket. Address is host, port
3. Allow incoming calls on socket
4. Wait for accept a call.


int sock_id, sock_fd;
struct sockaddr_in saddr;
FILE *sock_fpi;
char dirname[BUFSIZ];

// Create a socket
sock_id = socket( PF_INET, SOCK_STREAM, 0 );

// Bind it to an address
bzero( (void *)&saddr, sizeof(saddr) );
saddr.sin_addr.s_addr = INADDR_ANY;
saddr.sin_port = htons(4444);
saddr.sin_family = AF_INET;
bind(sock_id, (struct sockaddr *)&saddr, sizeof(saddr))

// Set it to listen with a queue of 1.
listen(sock_id, 1);

// Accept the connection. Create a file pointer and read from it.
sock_fd = accept( sock_id, NULL, NULL );
sock_fpi = fdopen( sock_fd, "r" )
fgets( dirname, BUFSIZ - 5, sock_fpi)

Basic Socket programming using the OpenSSL API. OpenSSL uses a thing called BIOs, which is an abstraction
for handling input and output. BIOs can be chained together like a series of pipes. For example, data can be base64-encoded as it is written to a file. A BIO used for reading is known as a source BIO and one used for writing is a sink BIO. Only one source/sink BIO can exist in a chain.

BIO *abio, *cbio;
char buf[1024];
int nread

/* Create a socket BIO to listen for incoming connections on port 4444 */
abio = BIO_new_accept("4444");

// Place the socket into listening mode
BIO_do_accept(abio);

// Wait for an incoming connection
BIO_do_accept(abio);

// Get the bio for reading and writing
cbio = BIO_pop(abio);

// read up to 45 bytes into buf
nread = BIO_read(cbio, buf, 45);

Now to add SSL connection. This does not include any authentication.

// The cert file. It contains the certificate and the key.
#define CERTFILE "server.pem"

// SSL Context
SSL_CTX *ctx;
BIO *acc, *client; // BIO for listen and then connection
SSL *ssl; // SSL object
int err;

// Load a certificate chain. But we won't verify here
if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
int_error("Error loading certificate from file");
// Load the private key
if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
int_error("Error loading private key from file");

// set up a BIO for listening
acc = BIO_new_accept(PORT);
// wait for a connection
BIO_do_accept(acc);
// Get the connection
client = BIO_pop(acc);
// Tie the SSL object to it for reading a writing. Same BIO used for both.
SSL_set_bio(ssl, client, client);
// Read some data
err = SSL_read(ssl, buf , sizeof(buf) );
// Print it out.
fprintf(stdout, "%s", buf);