Slide 1

Slide 1 text

A Go programmer’s guide to Secure Connections
Liz Rice (@lizrice)
Copyright @ 2018 Aqua Security Software Ltd. All Rights Reserved.

Slide 4

Slide 4 text

A guide to TLS connections
■ As a Go programmer, how do I secure my connections?
■ What do these error messages mean?
■ What the hell are all these .crt, .key, .csr and .pem files?

Slide 5

Slide 5 text

“Hello, I’m Liz”
“Hi! I’m your bank”
“Great! Here’s $500”
Establishing identity is critical

Slide 6

Slide 6 text

“Hello, I’m Liz”
“Hi! I’m your bank”
“Great! Here’s $500”
Encrypted traffic prevents interception

Slide 8

Slide 8 text

HTTP(S) runs over TCP
■ Create TCP connection
■ TLS - encrypt TCP connection
  ▪ Skip if regular HTTP
■ Send HTTP packets on connection
[Diagram labels: “hi”, “hi”, blah blah blah]

Slide 9

Slide 9 text

TCP connection
[Diagram: connection between 59.97.3.25:60401 and 27.193.43.2:8080]
“Connection refused” = wrong port (nearly always)

Slide 10

Slide 10 text

[Sequence diagram in two phases, “Establishing TCP” (SYN, ACK) and “TLS Handshake”. Labels in the TLS phase: HELLO; HELLO; GetCertificate (or Certificate); Verify certificate, then call VerifyPeerCertificate; GetClientCertificate (or Certificate); Verify certificate, then call VerifyPeerCertificate; HELLO DONE; Generate Pre-Master Secret; (encrypted with server key); Generate session key from Pre-Master Secret (shown twice); Change cipher; FINISHED; FINISHED; Symmetric encryption with session key (shown twice); blah blah blah]

Slide 11

Slide 11 text

Keys and certificates

Slide 12

Slide 12 text

Public / private key encryption
■ Public key can be freely distributed and is used to encrypt
■ Private key must be kept private and is used to decrypt
[Diagram labels: “hello”, “hello”]

Slide 13

Slide 13 text

Public / private key signatures
■ Private key must be kept private and is used to sign message
■ Public key is used to verify signature
[Diagram labels: “hello” + = signature; “hello” + signature; “hello” + signature]

Slide 14

Slide 14 text

Sharing a public key
Need a trusted authority in common
“Certificate Authority”
“Hi, I’m Liz. Here’s my public key.”
“Why should I believe you?”

Slide 15

Slide 15 text

X.509 certificate
■ Subject name
■ Subject’s public key
■ Issuer (CA) name
■ Validity
Certificate signed by issuer (CA)
[Certificate graphic: “This is to certify that liz-server has public key abcdef”, marked “CA”]

Slide 16

Slide 16 text

Subject Name
■ Your certs should use Subject alternative names (SAN)
■ Common Name deprecated in 2000
■ Can ignore in Go 1.11 with GODEBUG setting

Slide 17

Slide 17 text

Creating keys & certificates

Slide 18

Slide 18 text

Trusted Certificate Authorities
■ Like Let’s Encrypt
■ Known in system certificate pools
■ Create a Certificate Signing Request
  ▪ openssl req -key private-key -new -out csr
■ For public-facing domains
■ Not for internal components in a distributed system

Slide 19

Slide 19 text

CLI tools
■ openssl
  ▪ See contents of certificate: openssl x509 -text
  ▪ Doesn’t easily support SANs (Subject Alternative Names)
■ cfssl
  ▪ Comprehensive toolkit
■ mkcert
  ▪ Local development
  ▪ Installs CA into your system & browsers
■ minica
  ▪ Easy generation of key & certs

Slide 21

Slide 21 text

Mutually-authenticated TLS (mTLS)

Slide 22

Slide 22 text

Takeaways

Slide 23

Slide 23 text

To establish your identity
You will need:
■ A private key
■ A certificate for your identity
The other end needs to trust the Certificate Authority that signed your certificate. This may require appending the CA’s certificate.

Slide 24

Slide 24 text

Setting up a secure connection
Server:
■ ListenAndServeTLS(cert, key)
■ or TLSConfig.Certificates
■ or TLSConfig.GetCertificate
Client:
■ tls.Dial
■ or make HTTP request to “https”
■ May need to add CA cert to TLSConfig.RootCAs
■ TLSConfig.InsecureSkipVerify
  ▪ Don’t check server’s certificate

Slide 25

Slide 25 text

Mutually authenticated TLS
Server
■ TLSConfig.ClientAuth: tls.RequireAndVerifyClientCert
■ May need to add CA cert in TLSConfig.ClientCAs
Client
■ TLSConfig.Certificates
■ or TLSConfig.GetClientCertificate

Slide 26

Slide 26 text

File extensions
Inconsistently used
■ Information type: .crt for certificate, .key for private key...
■ Or file format: .pem
PEM files are base64-encoded and tell you what they contain
■ openssl can tell you about the contents

Slide 27

Slide 27 text

Common error messages
■ Connection refused
  ▪ Check you’re connecting to the right port
■ Certificate signed by unknown authority
  ▪ Received a certificate, but it’s not trusted
  ▪ Examine CA in certificate to see if it should be known to receiver
■ Remote error
  ▪ It’s the other end that’s complaining
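The certificate check behind “Certificate signed by unknown authority”, and the effect of appending the CA’s certificate and of using SANs, as an added Go example (not code from the talk or its repository). The helpers issue and verify and the names demo-ca and other-host are hypothetical; the identities are generated on the fly for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a cert for name (in the SAN) and its key, signed by ca, or a self-signed CA if ca is nil.
func issue(name string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // a failure here surfaces in CreateCertificate
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if ca == nil { // no issuer given: self-sign as a CA
		ca, caKey, t.IsCA, t.BasicConstraintsValid = t, key, true, true
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verify runs a TLS peer's check: match name against the SANs and build a chain to a trusted CA.
func verify(cert *x509.Certificate, name string, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool() // the receiver's trust store (constructed, starts empty)
	for _, ca := range trusted {
		roots.AddCert(ca)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

func main() {
	ca, caKey := issue("demo-ca", nil, nil)
	server, _ := issue("liz-server", ca, caKey)
	fmt.Println(verify(server, "liz-server"))     // CA not known to the receiver
	fmt.Println(verify(server, "liz-server", ca)) // CA's certificate appended
	fmt.Println(verify(server, "other-host", ca)) // trusted issuer, name not in the SANs
}
```

In a TLS client the trust store built in verify corresponds to TLSConfig.RootCAs, and on a server checking client certificates to TLSConfig.ClientCAs.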

Slide 28

Slide 28 text

@lizrice
github.com/lizrice/secure-connections

Slide 29

Slide 29 text

openssl

Slide 30

Slide 30 text

openssl.org
Welcome to OpenSSL! OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.

Slide 31

Slide 31 text

OpenSSL for keys & certificates
■ openssl genrsa # generate private key
■ openssl req # CSRs
  ▪ openssl req -new # generate CSR
  ▪ openssl req -x509 # generate X.509 certificate
■ openssl x509 # read X.509 certs
  ▪ openssl x509 -req # generate signed cert from CSR