#engageug
Fun With SHA2 Certs
by Gabriella Davis
Technical Director - The Turtle Partnership
gabriella@turtlepartnership.com

Who Are We?
• Admin of all things and especially quite complicated things where the fun is
• Working with security, healthchecks, single sign on, design and deployment of Domino, ST, Connections and things that they talk to
• Stubborn and relentless problem solver
• Lives in London about half of the time
• gabriella@turtlepartnership.com
• twitter: gabturtle

This is Betty
Betty gets emails telling her to click on a link and give her password
Betty knows the internet is scary.
She always clicks the link
She likes to shop and bank online

This is Hank
Hank owns a bank
He needs to keep Betty’s money safe.
Hank knows Betty will click on the link
.. and that it will be his fault if her money goes missing

This is Jazz
Jazz is cool
Jazz has to keep corporate data secure whilst keeping access simple & staying ahead of hackers
Jazz is a system administrator
Jazz doesn’t sleep much

This is Harry
Harry is a jerk with no morals
He only cares about getting money and causing disruption

Encryption
[Diagram: “Hi Betty !” is encrypted into unreadable text and decrypted back to “Hi Betty !”]
It’s all about the key. How strong is it? How secure is it? Is it even the right key?

Encryption Algorithms, Protocols & Strengths
• The SSL protocol has been deprecated and replaced with TLS
  • The last version of SSL is still vulnerable
• SHA, SHA2, AES, DES, TLS
  • all are different methods of encrypting data
  • the key strength is how complex the key used is
• Old or compromised algorithms such as SHA or AES are no longer considered secure enough to use
• Using lower key strengths to create certificates makes them more vulnerable to brute force attacks

Man in the middle
[Diagram: “Hi Betty !” is sent encrypted, is intercepted in the middle, and arrives as “Bye Betty!”]

Other Common Session Hijacking Attacks
• Sidejacking
  • stealing session cookies
  • unencrypted login information is particularly vulnerable
• Evil Twin
  • fake wifi networks that are designed purely to steal data
• Sniffing
  • Reading data traffic on a network using readily available tools

Why Is This A Growing Problem?
• Too many old algorithms with weaknesses still around
• Computing power can now break keys with a low strength in hours
• Hacking is a playground often about disruption more than theft
• As fast as one weakness is updated, another is found
  • that’s if Jazz had time and resources to keep everything up to date
• Obscurity is not security
  • Just because you don’t think you’re important enough doesn’t mean you aren’t a target
  • In fact targets are usually random not planned
  • This isn’t a movie

So We Need The Strongest Certificate That Uses The Best Algorithm & Is Kept Up To Date
How Do We Do That?

Certificate Structures
• Certificate authorities
• Private keys
• Trusted roots
• Generating a certificate
  • You’ll need a keyfile
  • You’ll need a request with all the details of your certificate
  • You’ll need the trusted roots and intermediate certificates for your CA
  • You’ll need the final certificate itself

With SHA2 & Strong Keys
[Diagram: “Hi Betty !” is sent encrypted and arrives unchanged as “Hi Betty!”]

File Extensions For Certificates
• More Acronyms
• Certificate formats
  • PEM (….. BEGIN CERTIFICATE….)
  • CRT
  • CER
  • KEY
  • DER binary
  • PFX or P12
  • ….CSR (certificate signing request)

OpenSSL
• An open source library of SSL and TLS cryptography
• Available for most platforms
• Developed and managed by https://www.openssl.org
  • repository for downloads on https://github.com/openssl/openssl
• Create certificates
• Convert certificates
• Extract certificates

HERE BE TIGERS

Installing OpenSSL - For the brave
• https://www.openssl.org/source/
• ftp://ftp.openssl.org/source/ previous version
• ftp://ftp.openssl.org/source/old older versions
• Download the compressed file and extract
• Read the README for instructions, e.g. run
  • INSTALL Linux, Unix, etc.
  • INSTALL.W32 Windows (32bit)
  • INSTALL.W64 Windows (64bit)
• https://wiki.openssl.org/index.php/Compilation_and_Installation

Installing OpenSSL Under Windows
• I found the easiest solution (as an Admin) is to install the pre-built Windows executable from Shining Light - there are others out there
  • https://slproweb.com/products/Win32OpenSSL.html
• Download the most recent “lite” version
  • Currently 1.0.2f (Win32OpenSSL_Light-1_0_2f)

Installing OpenSSL For Linux
• For Linux many distros come with a pre-compiled version of OpenSSL
  • yum install openssl
• each OS may have its own method for configuration

Let’s Create Some Certificates

Domino – Creating A SHA2 Certificate
• Domino no longer uses the Secure Server Certificate database to generate keyfiles or merge certificates
• We use a combination of OpenSSL and an IBM utility for Domino called kyrtool
  • download kyrtool from IBM Fixcentral http://ibm.co/1SAYX5E
  • copy it to your Notes or Domino program directory
  • The program files must be 9.0.1 FP3 or higher

Domino – Creating A SHA2 Certificate
• We need to decide the size of the key pair we want to create
  • the larger the key pair the harder it is to decrypt
  • not all software systems support the largest key pairs
• If using Windows set the environment variable for OpenSSL first
  • Set OpenSSL_Conf=c:\openssl\bin\openssl.cfg
  • verify openssl.cfg actually exists in that directory
• To create a 4096 key pair
  • c:\openssl\bin\openssl genrsa -out mynewserver.key 4096

Create a Certificate Signing Request
• When buying a new certificate this is what you send to your CA
  • openssl req -new -sha256 -key mynewserver.key -out mynewserver.csr
  • note that we are requesting a SHA2 certificate
  • the CSR will be verified by the CA when you submit it so you can check that it’s right
  • if not you can recreate it by running the command again

MyNewServer.CSR

Now Comes The Domino Bit
• We have to create a keyring file in a format Domino will be able to read
• For that we use the kyrtool we downloaded from FixCentral
• From your Notes program directory
  • kyrtool create -k c:\notes\data\mynewserver.kyr -p <passwordyouwanttouse>
• this will create two files
  • mynewserver.kyr
  • mynewserver.sth (this is the stashed password that unlocks the keyring)

Nearly There…
• We have our keyring file
• We have sent our request for a certificate, generated off our new key pair, to our CA
• When the CA sends the certificate back we can merge the new certificate into our keyring file
  • we need to merge ALL the certificates, root, intermediate and server into a single “key” file
  • c:\openssl\bin> type mynewserver.key server.crt intermediate.crt root.crt >mynewserver.txt

Last Step
• We now add our new txt file with all the certificates in it into our new Domino keyring
  • c:\ibm\notes\kyrtool import all -k c:\notes\data\mynewserver.kyr -i c:\openssl\bin\mynewserver.txt
• That’s it. We now have a shiny keyring pair to use with our Domino server
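
The checks worth running around the Domino steps above (key, CSR, returned certificates, import file), as an added example that is not part of the original slides. It assumes a POSIX shell with OpenSSL 1.1.0 or later rather than the Windows prompt the slides use; the helper names are hypothetical, and the root and intermediate are a constructed demo CA so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the slides: sanity checks around the genrsa / req /
# type / kyrtool steps. Assumes OpenSSL 1.1.0+ (verify sets its exit status).
# Function names are illustrative; the CA in the demo section is constructed.

# Key size in bits of the public key inside a CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Signature algorithm of a CSR ($1 = req) or a certificate ($1 = x509).
sig_alg() {
    openssl "$1" -in "$2" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeeds only if the certificate ($2) carries the public key of the
# private key ($1). Empty output from a failed command never counts as equal.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Check the pieces, then write the kyrtool import file in the order the
# slides use: private key, server, intermediate, root.
# Usage: build_kyr_input key server.crt intermediate.crt root.crt out.txt
build_kyr_input() {
    case "$(sig_alg x509 "$2")" in
        sha256With*|sha384With*|sha512With*) ;;
        *) echo "server certificate is not SHA2-signed" >&2; return 1 ;;
    esac
    key_matches_cert "$1" "$2" ||
        { echo "certificate does not match the private key" >&2; return 1; }
    openssl verify -CAfile "$4" -untrusted "$3" "$2" >/dev/null 2>&1 ||
        { echo "chain does not verify up to the root" >&2; return 1; }
    # The output contains the private key: create it owner-readable only.
    ( umask 077; cat "$1" "$2" "$3" "$4" > "$5" )
}

# ---- Demo on constructed data ----
work=$(mktemp -d) && cd "$work" || exit 1
trap 'rm -rf "$work"' EXIT   # demo keys are throwaway; remove them on exit

# The two commands from the slides (-subj added so req does not prompt).
openssl genrsa -out mynewserver.key 4096 2>/dev/null
openssl req -new -sha256 -key mynewserver.key -out mynewserver.csr \
    -subj "/CN=mynewserver.example.test"

# Constructed root and intermediate standing in for the commercial CA.
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -x509 -new -sha256 -key root.key -days 30 \
    -subj "/CN=Constructed Demo Root" -out root.crt
openssl genrsa -out intermediate.key 2048 2>/dev/null
openssl req -new -sha256 -key intermediate.key \
    -subj "/CN=Constructed Demo Intermediate" -out intermediate.csr
openssl x509 -req -sha256 -days 30 -in intermediate.csr -CA root.crt \
    -CAkey root.key -CAcreateserial -extfile ca.ext \
    -out intermediate.crt 2>/dev/null
openssl x509 -req -sha256 -days 30 -in mynewserver.csr \
    -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
    -out server.crt 2>/dev/null

echo "CSR key size:  $(csr_key_bits mynewserver.csr) bit"
echo "CSR signature: $(sig_alg req mynewserver.csr)"
build_kyr_input mynewserver.key server.crt intermediate.crt root.crt \
    mynewserver.txt && echo "mynewserver.txt is ready for kyrtool import all"
# A key that does not belong to the certificate must be refused.
build_kyr_input root.key server.crt intermediate.crt root.crt wrong.txt ||
    echo "mismatched key refused, nothing written"
```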

Installing A SHA2 Certificate Under Domino
• Install Using Internet Site Documents
  • The first keyring file in the Internet Site docs view that matches the server configuration “wins”.
  • Avoid too many wildcard or duplicate Internet Site Documents
• What can you use it for
  • HTTPS (Traveler, Websites)
  • S/MIME (encrypted mail)
  • TLS (HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP, and POP3)
  • DIIOP as of 9.0.1 FP5

More Domino SSL
• Remove weak ciphers from the site documents
• Add Disable_SSLV3=1 to the notes.ini on the server
• Domino supports TLS 1.2 now
  • SSL_DISABLE_TLS_10
  • https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2

Working With WebSphere Certificates
• WebSphere installs with its own keystores for each cell and node you add
• The keystores are created and owned by IBM and have the hostname of the server you’re installing onto by default
• The cell keystores are found in
  • /profiles/Dmgr01/config/cells/{cellname}/trust.p12
  • /profiles/Dmgr01/config/cells/{cellname}/key.p12

Accessing The SSL Configuration
• Login to the WebSphere ISC
• Security - SSL Certificate and Key Management

Adding A New Certificate To WebSphere
• Go to the CellDefaultTrustStore; if the certificate already exists on another server you can “Retrieve from port”
• Add your root and intermediate certificates here

Personal Certificate Request
• The simplest way to generate a WAS certificate
  • create a CSR in WAS
  • “receive” it into WAS when sent from the CA
  • you can’t “receive” a certificate you didn’t request

WebSphere and 4096 Key Length Certificates
• A 4096 certificate can generate an error when attempting to add to WebSphere
  • “RSA premaster secret”
• You need to add the unrestricted policy files to WebSphere for the 4096 certificates to be imported

The Unrestricted Policy Files
• ibm.co/1JZGs3z

Exporting A Certificate From WebSphere
• Export a WAS certificate so that it can be imported onto other systems
  • Such as a keyfile database generated by ikeyman and used by IBM HTTP Server

Working With Ikeyman
• There are different versions of ikeyman that create keyfile databases recognised by different products
• Look in the program directory for your installed product to find the right one
  • For IBM HTTP Server the file is in /IBM/HTTPServer/bin
• On Linux you’ll need to configure X11 forwarding if you don’t have a graphical interface

Working With IKeyMan - Signer Certificates
• Import the WebSphere certificate we extracted earlier
• Add root and intermediate certificates

Working With IKeyman - Personal Certificates

Editing httpd.conf to add SSL configuration
• Example content
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 0.0.0.0:443
    <VirtualHost *:443>
    SSLEnable
    SSLProtocolDisable SSLv2
    </VirtualHost>
    KeyFile /opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-cfg.kdb
    SSLDisable
• Restart IHS - use netstat to see if 443 is active and listening
• Check IHS logs for SSL errors
• If WebSphere doesn’t have a copy of the IHS certificate and IHS doesn’t have a copy of the WebSphere certificate or they don’t share a trusted root, they won’t be able to communicate

SSL and Development
• Despite the initial pain see if you can get a proper production SSL certificate to use on your development environment.
• If you cannot (for cost reasons), ensure you create a self cert that is EXACTLY the same type as your production environment
• Identify ALL your third party libraries to your Admins as well as any changes in versions in a proper release document, particularly if you are overriding an existing library on the server

Testing SSL On Your Site
• https://www.ssllabs.com/ssltest/

• You can’t stay ahead of the hackers but you must be vigilant and keep up
  • Have a plan for monitoring
  • Have a plan for lock down at the first appearance of exposure
  • Have a plan to fix the vulnerability
  • Have a plan to identify what information may be compromised
  • Have a plan to make that information of as little value as possible

Resources
• Working with OpenSSL https://www.feistyduck.com/books/openssl-cookbook/
• Creating SHA2 For Domino http://turtleblog.info/2015/06/22/creating-sha-2-4096-ssl-certificates-for-domino/
• Unrestricted policy files for WebSphere http://www-01.ibm.com/support/docview.wss?uid=swg21663373

My presentation with Mark Myers from LDC Via given at IBM Connect contains more information about specific SSL vulnerabilities such as POODLE, Heartbleed, Freak etc and is available on Slideshare http://bit.ly/1R6W9ck

Thank you
Questions?

More Related Content

PDF
The SSL Problem and How to Deploy SHA2 Certificates
PPTX
Best Practice TLS for IBM Domino
PDF
Benefits and Risks of a Single Identity - IBM Connect 2017
PDF
Working With Sametime For Mobile Devices
PDF
HTTP - The Other Face Of Domino
PDF
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good Server
PDF
Rock Solid Sametime for High Availability
PPTX
Domino Security - not knowing is not an option (2016 edition)
The SSL Problem and How to Deploy SHA2 Certificates
Best Practice TLS for IBM Domino
Benefits and Risks of a Single Identity - IBM Connect 2017
Working With Sametime For Mobile Devices
HTTP - The Other Face Of Domino
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good Server
Rock Solid Sametime for High Availability
Domino Security - not knowing is not an option (2016 edition)

What's hot (20)

PPTX
Cloudstone - Sharpening Your Weapons Through Big Data
PDF
Planning and Completing an IBM Connections Upgrade
PDF
IBM Traveler Management, Security and Performance
PDF
Traveler management, security and performance
PPTX
Grey H@t - DNS Cache Poisoning
PDF
The Sametime Mobile Experience
PDF
Becoming A Connections Administrator
PDF
1084: Planning and Completing an IBM Connections Upgrade
PDF
Attack all the layers secure 360
PDF
Attack All the Layers: What's Working during Pentests (OWASP NYC)
PPTX
Notes, domino and the single sign on soup
PDF
SmartCloud Administration Best Practices MWLUG 2016
PPTX
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
PPTX
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
PPTX
Kali Linux Installation - VMware
PDF
Spnego configuration
PPTX
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
PDF
Bh fed-03-kaminsky
PPTX
Whats new in Microsoft Windows Server 2016 Clustering and Storage
PDF
A Guide To Sametime 9.0.1 Audio & Video
Cloudstone - Sharpening Your Weapons Through Big Data
Planning and Completing an IBM Connections Upgrade
IBM Traveler Management, Security and Performance
Traveler management, security and performance
Grey H@t - DNS Cache Poisoning
The Sametime Mobile Experience
Becoming A Connections Administrator
1084: Planning and Completing an IBM Connections Upgrade
Attack all the layers secure 360
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Notes, domino and the single sign on soup
SmartCloud Administration Best Practices MWLUG 2016
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
Kali Linux Installation - VMware
Spnego configuration
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
Bh fed-03-kaminsky
Whats new in Microsoft Windows Server 2016 Clustering and Storage
A Guide To Sametime 9.0.1 Audio & Video
Ad

Similar to Fun With SHA2 Certificates (20)

PDF
Sullivan red october-oscon-2014
PPTX
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
PPTX
BSides Hannover 2015 - Shell on Wheels
PPTX
How To Create a SSL Certificate on Nginx for Ubuntu.pptx
PPTX
BSides London 2015 - Proprietary network protocols - risky business on the wire.
PPTX
Post-Quantum Cryptography… or how Kai almost hacked a banking app​
PDF
When the internet bleeded : RootConf 2014
PDF
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
PPT
Encryption for Everyone
PDF
Shameful secrets of proprietary network protocols
PPTX
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
PPTX
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
PDF
Socially Acceptable Methods to Walk in the Front Door
PPTX
Cloud Device Insecurity
PPTX
BSIDES-PR Keynote Hunting for Bad Guys
PDF
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
PPTX
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
PPTX
A Technical Dive into Defensive Trickery
PPT
Dmk bo2 k8_ccc
PDF
Internet security
Sullivan red october-oscon-2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
BSides Hannover 2015 - Shell on Wheels
How To Create a SSL Certificate on Nginx for Ubuntu.pptx
BSides London 2015 - Proprietary network protocols - risky business on the wire.
Post-Quantum Cryptography… or how Kai almost hacked a banking app​
When the internet bleeded : RootConf 2014
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
Encryption for Everyone
Shameful secrets of proprietary network protocols
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Socially Acceptable Methods to Walk in the Front Door
Cloud Device Insecurity
BSIDES-PR Keynote Hunting for Bad Guys
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
A Technical Dive into Defensive Trickery
Dmk bo2 k8_ccc
Internet security
Ad

More from Gabriella Davis (20)

PDF
A Domino Admins Adventures (Engage 2024)
PDF
Engage2022 - Domino Admin Tips
PDF
. Design Decisions: Developing for Mobile - The Template Experience Project
PDF
Domino Server Health - Monitoring and Managing
PDF
Face Off Domino vs Exchange On Premises
PDF
60 Admin Tips
PDF
Adminlicious - A Guide To TCO Features In Domino v10
PDF
An Introduction to Configuring Domino for Docker
PDF
An Introduction To The DMARC SMTP Validation Requirements
PDF
× The Road To A #Perfect10 - How To Get Ready For Domino, Sametime, VOP and T...
PDF
An introduction to configuring Domino for Docker
PDF
How To Approach GDPR Preparation & Discovery
PDF
An Introduction To The DMARC SMTP Validation Requirements
PDF
Brand Yourself
PDF
Home Working
PDF
A Guide To Single Sign-On for IBM Collaboration Solutions
PDF
The Imposter Syndrome
PDF
What's New in Notes, Sametime and Verse On-Premises
PDF
An Introduction To Docker
PDF
An Introduction To Docker
A Domino Admins Adventures (Engage 2024)
Engage2022 - Domino Admin Tips
. Design Decisions: Developing for Mobile - The Template Experience Project
Domino Server Health - Monitoring and Managing
Face Off Domino vs Exchange On Premises
60 Admin Tips
Adminlicious - A Guide To TCO Features In Domino v10
An Introduction to Configuring Domino for Docker
An Introduction To The DMARC SMTP Validation Requirements
× The Road To A #Perfect10 - How To Get Ready For Domino, Sametime, VOP and T...
An introduction to configuring Domino for Docker
How To Approach GDPR Preparation & Discovery
An Introduction To The DMARC SMTP Validation Requirements
Brand Yourself
Home Working
A Guide To Single Sign-On for IBM Collaboration Solutions
The Imposter Syndrome
What's New in Notes, Sametime and Verse On-Premises
An Introduction To Docker
An Introduction To Docker

Recently uploaded (20)

PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
Spectral efficient network and resource selection model in 5G networks
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Empathic Computing: Creating Shared Understanding
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
Approach and Philosophy of On baking technology
PDF
Network Security Unit 5.pdf for BCA BBA.
PDF
Machine learning based COVID-19 study performance prediction
PPTX
Programs and apps: productivity, graphics, security and other tools
PDF
Review of recent advances in non-invasive hemoglobin estimation
PPTX
sap open course for s4hana steps from ECC to s4
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PDF
MIND Revenue Release Quarter 2 2025 Press Release
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PDF
Encapsulation theory and applications.pdf
Building Integrated photovoltaic BIPV_UPV.pdf
Spectral efficient network and resource selection model in 5G networks
Digital-Transformation-Roadmap-for-Companies.pptx
Empathic Computing: Creating Shared Understanding
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Encapsulation_ Review paper, used for researhc scholars
Approach and Philosophy of On baking technology
Network Security Unit 5.pdf for BCA BBA.
Machine learning based COVID-19 study performance prediction
Programs and apps: productivity, graphics, security and other tools
Review of recent advances in non-invasive hemoglobin estimation
sap open course for s4hana steps from ECC to s4
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
MIND Revenue Release Quarter 2 2025 Press Release
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Reach Out and Touch Someone: Haptics and Empathic Computing
NewMind AI Weekly Chronicles - August'25 Week I
Encapsulation theory and applications.pdf

Fun With SHA2 Certificates

  • 1. #engageug Fun With SHA2 Certs by Gabriella Davis Technical Director - The Turtle Partnership gabriella@turtlepartnership.com 1
  • 2. #engageug 2 Who Are We? • Admin of all things and especially quite complicated things where the fun is • Working with security , healthchecks, single sign on, design and deployment of Domino, ST, Connections and things that they talk to • Stubborn and relentless problem solver • Lives in London about half of the time • gabriella@turtlepartnership.com • twitter: gabturtle
  • 3. #engageug This is Betty 3 Betty gets emails telling her to click on a link and give her password Betty knows the internet is scary. She always clicks the link She likes to shop and bank online
  • 4. #engageug This is Hank 4 He needs to keep Betty’s money safe. Hank knows Betty will click on the link Hank owns a bank .. and that it will be his fault if her money goes missing
  • 5. #engageug This is Jazz 5 Jazz is cool Jazz has to keep corporate data secure whilst keeping access simple & staying ahead of hackers Jazz is a system administrator Jazz doesn’t sleep much
  • 6. #engageug This is Harry 6 Harry is a jerk with no morals He only cares about getting money and causing disruption
  • 7. #engageug Encryption 7 Hi Betty ! Hi Betty !181939FJFUETJDAJGD AKSGDAJKL1GDAJKGA DJKGLD90FD918405329 0532AJKGPAURWEOU4 It’s all about the key. How strong is it? How secure is it? Is it even the right key?
  • 8. #engageug Encryption Algorithms, Protocols & Strengths 8 • The SSL protocol has been deprecated and replaced with TLS • The last version of SSL is still vulnerable • SHA, SHA2, AES, DES, TLS • all are different methods of encrypting data • the key strength is how complex the key used is • Old or compromised algorithms such as SHA or AES are no longer considered secure enough to use • Using lower key strengths to create certificates makes them more vulnerable to brute force attacks
  • 9. #engageug Man in the middle Hi Betty ! Bye Betty! 181939FJFUETJDAJGD AKSGDAJKL1GDAJKGA DJKGLD90FD918405329 0532AJKGPAURWEOU4 181939FJFUETJDAJGD AKSGDAJKL1GDAJKGA DJKGLD90FD918405329 0532AJKGPAURWEOU4 181939FJFUETJDAJGD AKSGDAJKL1GDAJKGA DJKGLD90FD918405329 0532AJKGPAURWEOU4 Bye BettyHi Betty !
  • 10. #engageug Other Common Session Hijacking Attacks 10 • Sidejacking • stealing session cookies • unencrypted login information is particularly vulnerable • Evil Twin • fake wifi networks that are designed purely to steal data • Sniffing • Reading data traffic on a network using readily available tools
  • 11. #engageug Why Is This A Growing Problem? 11 • Too many old algorithms with weaknesses still around • Computing power can now break keys with a low strength in hours • Hacking is a playground often about disruption more than theft • As fast as one weakness is updated, another is found • that’s if Jazz had time and resources to keep everything up to date • Obscurity is not security • Just because you don’t think you’re important enough doesn’t mean you aren’t a target • In fact targets are usually random not planned • This isn’t a movie
  • 12. #engageug So We Need The Strongest Certificate That Uses The Best Algorithm & Is Kept Up To Date How Do We Do That? 12
  • 13. #engageug Certificate Structures • Certificate authorities • Private keys • Trusted roots • Generating a certificate • You’ll need a keyfile • You’ll need a request with all the details of your certificate • You’ll need the trusted roots and intermediate certificates or your CA • You’ll need the final certificate itself 13
  • 17. #engageug With SHA2 & Strong Keys Hi Betty ! Hi Betty! 181939FJFUETJDAJGD AKSGDAJKL1GDAJKGA DJKGLD90FD918405329 0532AJKGPAURWEOU4 181939FJFUETJDAJGD AKSGDAJKL1GDAJKGA DJKGLD90FD918405329 0532AJKGPAURWEOU4 181939FJFUETJDAJGD AKSGDAJKL1GDAJKGA DJKGLD90FD918405329 0532AJKGPAURWEOU4 ! ***
  • 18. #engageug File Extensions For Certificates • More Acronyms • Certificate formats • PEM (….. BEGIN CERTIFICATE….) • CRT • CER • KEY • DER binary • PFX or P12 • ….CSR (certificate signing request) 18
  • 19. #engageug OpenSSL • An open source library of SSL and TLS cryptography • Available for most platforms • Developed and managed by https://www.openssl.org • repository for downloads on https://github.com/openssl/ openssl • Create certificates • Convert certificates • Extract certificates 19
  • 21. #engageug Installing OpenSSL - For the brave • https://www.openssl.org/source/ • ftp://ftp.openssl.org/source/ previous version • ftp://ftp.openssl.org/source/old older versions • Download the compressed file and extract • Read the ReadME for instructions e.g run • INSTALL Linux, Unix, etc. • INSTALL.W32 Windows (32bit) • INSTALL.W64 Windows (64bit) • https://wiki.openssl.org/index.php/ Compilation_and_Installation 21
  • 22. #engageug Installing OpenSSL Under Windows • I found the easiest solution (as an Admin) is to install the pre built Windows executable from Shining Light - there are other’s out there • https://slproweb.com/products/Win32OpenSSL.html • Download the most recent “lite” version • Currently 1.0.2f (Win32OpenSSL_Light-1_0_2f) 22
  • 25. #engageug Installing OpenSSL For Linux • For Linux many distros come with a pre compiled version of OpenSSL • yum install openssl • each OS may have its own method for configuration 25
  • 26. #engageug Let’s Create Some Certificates 26
  • 27. #engageug Domino – Creating A SHA2 Certificate • Domino no longer uses the Secure Server Certificate database to generate keyfiles or merge certificates • We use a combination of OpenSSL and an IBM utility for Domino called kyrtool • download kyrtool from IBM Fixcentral http://ibm.co/ 1SAYX5E • copy it to your Notes or Domino program directory • The program files must be 9.0.1 FP3 or higher 27
  • 28. #engageug Domino – Creating A SHA2 Certificate • We need to decide the size of the key pair we want to create • the larger the key pair the harder it is to decrypt • not all software systems support the largest key pairs • If using Windows set the environment variable for OpenSSL first • Set OpenSSL_Conf=c:opensslbinopenssl.cfg • verify openssl.cfg actually exists in that directory • To create a 4096 key pair • c:opensslbinopenssl genrsa -out mynewserver.key 4096 28
  • 29. #engageug Create a Certificate Signing Request • When buying a new certificate this sends to your CA • openssl req -new -sha256 -key mynewserver.key -out mynewserver.csr • note that we are requesting a SHA2 certificate • the CSR will be verified by the CA when you submit it so you can check that it’s right • if not you can recreate it by running the command again 29
  • 31. #engageug MyNewServer.CSR • -----BEGIN CERTIFICATE REQUEST----- • MIIEvjCCAqYCAQAweTELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEjMCEG • A1UECgwaVGhlIFR1cnRsZSBQYXJ0bmVyc2hpcCBMdGQxCzAJBgNVBAsMAklUMScw • JQYDVQQDDB50cmF2ZWxlci50dXJ0bGVwYXJ0bmVyc2hpcC5jb20wggIiMA0GCSqG • SIb3DQEBAQUAA4ICDwAwggIKAoICAQDG5S3l7CtwiZQDHPXPxZMt3tQa8styCuZ+ • CyipKAyqAKvaurqGfb232kYjLdR9hDh/TAswAeG40+DuQN4LKW4efWB91tQTKyZp • R9Kt5y6hVgKLjWbkZUqJcBRq60w7E1x+ufAqADLlhQAH0Q5fVe8aLhkYc5qIz4u/ • JIm1Y+RgO3M/80v4xl85s6R/wEUSOdynKjrpBOsgWXUWu6pkCmxQOTD0lZfII5Lj • GztF9m7It8KcUojV4IdlsBNGlmOwdRgRwV1oqR0C3wdK9325xEbZcQgBnLBYprcN • GxZTwQpkIkv9tHVs7jhmrJsIYCRv7uDgIVpd3VXcTpGJXdBNgAxy7zW2q/EBlFMe • nPoavA8yyEID4tRHAQwCsDd4aoM/y3ZJRdU9ZyJE6fbcja2lDoB1r0dQWzA17UTC • o4qFgdLqJ94IKlEhnkYF7Dotj3lt0tBpNLRdL3MQwMdpGpetYYhLATQRNaXaOz9n • IsSFI/kIb5KKmFJX39vX7LjeAi9uRe4TbUBWBIWl+kmIT8n4xjUbjIeLrFWYUD4E • Aft6qEmXyScIRufqorbWMz88juuC9Svkcm3zjGcLFjGSuxXOhrrMA6LpCqQJXHI1 • 5NCjZMdh/1xD1K39JhcYvSdfcpEtOe3CIXMpmkmJK0kANWrUOgeajoz7xC1vsUcE • H4btBohD7B6fiqdozsOsvN1s • -----END CERTIFICATE REQUEST----- 31
  • 32. #engageug Now Comes The Domino Bit • We have to create a keyring file in a format Domino will be able to read • For that we use the kyrtool we downloaded from FixCentral • From your Notes program directory • kyrtool create -k c:notesdatamynewserver.kyr - p <passwordyouwanttouse> • this will create two files • mynewserver.kyr • mynewserver.sth (this is the stashed password that unlocks the keyring) 32
  • 33. #engageug Nearly There… • We have our keyring file • We have sent our request for a certificate, generated off our new key pair to our CA • When the CA sends the certificate back we can merge the new certificate into our keyring file • we need to merge ALL the certificates, root, intermediate and server into a single “key” file • c:opensslbintype mynewserver.key server.crt intermediate.crt root.crt >mynewserver.txt 33
  • 34. #engageug Last Step • We now add our new txt file with all the certificates in it into our new Domino keyring • c:ibmnoteskyrtool import all -k c:notesdata mynewserver.kyr -i c:opensslbinmynewserver.txt • That’s it. We now have a shiny keyring pair to use with our Domino server 34
  • 35. #engageug Installing A SHA2 Certificate Under Domino • Install Using Internet Site Documents • The first keyring file in the Internet Site docs view that matches the server configuration “wins”. • Avoid too many wildcard or duplicate Internet Site Documents • What can you use it for • HTTPS (Traveler, Websites) • S/MIME (encrypted mail) • TLS (HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP, and POP3) • DIIOP as of 9.0.1 FP5 35
  • 36. More Domino SSL
      • Remove weak ciphers from the site documents
      • Add Disable_SSLV3=1 to the notes.ini on the server
      • Domino supports TLS 1.2 now
      • SSL_DISABLE_TLS_10
      • https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2
  • 37. Working With WebSphere Certificates
      • WebSphere installs with its own keystores for each cell and node you add
      • The keystores are created and owned by IBM and have the hostname of the server you’re installing onto by default
      • The cell keystores are found in
          • /profiles/Dmgr01/config/cells/{cellname}/trust.p12
          • /profiles/Dmgr01/config/cells/{cellname}/key.p12
  • 38. Accessing The SSL Configuration
      • Log in to the WebSphere ISC
      • Security - SSL Certificate and Key Management
  • 40. Adding A New Certificate To WebSphere
      • Go to the CellDefaultTrustStore; if the certificate already exists on another server you can “Retrieve from port”
      • Add your root and intermediate certificates here
  • 41. Personal Certificate Request
      • The simplest way to generate a WAS certificate
          • create a CSR in WAS
          • “receive” it into WAS when sent from the CA
          • you can’t “receive” a certificate you didn’t request
  • 42. WebSphere and 4096 Key Length Certificates
      • A 4096 certificate can generate an error when you attempt to add it to WebSphere
          • “RSA premaster secret”
      • You need to add the unrestricted policy files to WebSphere for the 4096 certificates to be imported
  • 43. The Unrestricted Policy Files
      • ibm.co/1JZGs3z
  • 44. Exporting A Certificate From WebSphere
      • Export a WAS certificate so that it can be imported onto other systems
      • Such as a keyfile database generated by ikeyman and used by IBM HTTP Server
  • 45. Working With Ikeyman
      • There are different versions of ikeyman that create keyfile databases recognised by different products
      • Look in the program directory for your installed product to find the right one
      • For IBM HTTP Server the file is in /IBM/HTTPServer/bin
      • On Linux you’ll need to configure X11 forwarding if you don’t have a graphical interface
  • 46. Working With IKeyMan - Signer Certificates
      • Import the WebSphere certificate we extracted earlier
      • Add root and intermediate certificates
  • 47. Working With IKeyman - Personal Certificates
  • 48. Editing httpd.conf to add SSL configuration
      • Example content
          • LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
          • Listen 0.0.0.0:443
          • <VirtualHost *:443>
          • SSLEnable
          • SSLProtocolDisable SSLv2
          • </VirtualHost>
          • KeyFile /opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-cfg.kdb
          • SSLDisable
      • Restart IHS - use netstat to see if 443 is active and listening
      • Check IHS logs for SSL errors
      • If WebSphere doesn’t have a copy of the IHS certificate and IHS doesn’t have a copy of the WebSphere certificate, or they don’t share a trusted root, they won’t be able to communicate
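An audit of the slide's example configuration, added here as an illustration and not taken from the original slides: it parses an httpd.conf and, for every virtual host with SSLEnable, reports required protocol disables that are missing and the absence of a KeyFile. Requiring SSLv3 to be disabled on IHS is an assumption carried over from the Domino slide's Disable_SSLV3=1; `audit` and `HARDENED_CONF` are hypothetical names.

```python
import re

# The slide's example httpd.conf content, reproduced as sample input.
SLIDE_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2
</VirtualHost>
KeyFile /opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-cfg.kdb
SSLDisable
"""
# Constructed variant: the same file with SSLv3 disabled as well.
HARDENED_CONF = SLIDE_CONF.replace("SSLProtocolDisable SSLv2", "SSLProtocolDisable SSLv2 SSLv3")

def audit(conf, must_disable=("SSLv2", "SSLv3")):
    """Return findings for every SSL-enabled <VirtualHost> in an IHS httpd.conf."""
    scopes = [("global", [])]          # (scope name, list of split directives)
    current = scopes[0][1]
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            scopes.append((opened.group(1).strip(), []))
            current = scopes[-1][1]
        elif line.lower() == "</virtualhost>":
            current = scopes[0][1]     # back to the global scope
        else:
            current.append(line.lower().split())
    global_keyfile = any(d[0] == "keyfile" for d in scopes[0][1])
    findings = []
    for name, directives in scopes[1:]:
        names = {d[0] for d in directives}
        if "sslenable" not in names:
            continue                   # not an SSL virtual host
        disabled = {p for d in directives if d[0] == "sslprotocoldisable" for p in d[1:]}
        findings += [f"{name}: {p} is not disabled" for p in must_disable if p.lower() not in disabled]
        if "keyfile" not in names and not global_keyfile:
            findings.append(f"{name}: no KeyFile in scope")
    return findings

print(audit(SLIDE_CONF))      # ['*:443: SSLv3 is not disabled']
print(audit(HARDENED_CONF))   # []
```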
  • 49. SSL and Development
      • Despite the initial pain, see if you can get a proper production SSL certificate to use on your development environment.
      • If you cannot (for cost reasons), ensure you create a self-signed cert that is EXACTLY the same type as your production environment
      • Identify ALL your third party libraries to your Admins, as well as any changes in versions, in a proper release document, particularly if you are overriding an existing library on the server
  • 50. Testing SSL On Your Site
      • https://www.ssllabs.com/ssltest/
  • 51.
      • You can’t stay ahead of the hackers but you must be vigilant and keep up
      • Have a plan for monitoring
      • Have a plan for lock down at the first appearance of exposure
      • Have a plan to fix the vulnerability
      • Have a plan to identify what information may be compromised
      • Have a plan to make that information of as little value as possible
  • 52. Resources
      • Working with OpenSSL https://www.feistyduck.com/books/openssl-cookbook/
      • Creating SHA2 For Domino http://turtleblog.info/2015/06/22/creating-sha-2-4096-ssl-certificates-for-domino/
      • Unrestricted policy files for WebSphere http://www-01.ibm.com/support/docview.wss?uid=swg21663373
  • 53. My presentation with Mark Myers from LDC Via, given at IBM Connect, contains more information about specific SSL vulnerabilities such as POODLE, Heartbleed, FREAK etc. and is available on SlideShare: http://bit.ly/1R6W9ck