Transcript Introduction to Python

Data Encryption using SSL
Topic 5, Chapter 15
Network Programming
Kansas State University at Salina
SSL





Secure Sockets Layer (SSL)
Transport Layer Security (TLS)
Based on public certificates and private keys
Certificates may be either self signed or verified by
one of a few trusted Certificate Authorities (CA)
Often used with HTTP (https://www...)
Can be used with SMTP, ssh, scp, any client server
communication.
Python has basic SSL client capability. OpenSSL
module provides more. Re-worked in Python 2.6 to
also include server side support.
How it works
1.
2.
3.
4.
5.
Client and server establish socket
connection
Server sends public certificate to client
To verify authenticity of the server, client
may validate the certificate with one a few
trusted certificate authorities
Client encrypts the message using the
public key and sends it to the server
Server receives the message and decrypts
it using the private key
Public / Private Keys

The keys are a matched pair





Messages encrypted with the public key can only
be decrypted with the private key
Having the public key will not help decrypt a
message
Keys may be self signed for private activities
Public servers usually have purchased
certificates
In many cases, especially with HTTP, the
message is only encrypted from client to
server. Thus, the credit card number is
usually ‘X’ed out in the receipt.
Self Signing a certificate
1010 timber:~/openssl> openssl req -new -out certfile.pem -keyout keyfile.pem
Generating a 1024 bit RSA private key
........++++++
................................................++++++
writing new private key to 'keyfile.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
----You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Kansas
Locality Name (eg, city) [Newbury]:Salina
Organization Name (eg, company) [My Company Ltd]:Kansas State University
Organizational Unit Name (eg, section) []:Engineering Technology
Common Name (eg, your name or your server's hostname) []:timber.sal.ksu.edu
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Public Certificate and Private Key
1011 timber:~/openssl> cat certfile.pem
-----BEGIN CERTIFICATE REQUEST----MIIB7DCCAVUCAQAwgasxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZLYW5zYXMxDzAN
BgNVBAcTBlNhbGluYTEgMB4GA1UEChMXS2Fuc2FzIFN0YXRlIFVuaXZlcnNpdHkx
HzAdBgNVBAsTFkVuZ2luZWVyaW5nIFRlY2hub2xvZ3kxGzAZBgNVBAMTEnRpbWJl
ci5zYWwua3N1LmVkdTEaMBgGCSqGSIb3DQEJARYLdGltQGtzdS5lZHUwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAOTRJmntlJy7cf3N3yW0/1jSUoWROlVkaZfg
Aojz59gKlEDMLtVn2DKYDexWe0AUV9gBEpHTguX5Vi322IpPjOvO/3n1kHrdgD5L
Nnc9tYYe5fF0RKzisRz7HKu6aXXY6dNFJMVRj7cTg4uSh7IS5lJvDCjohEnPJYzF
2g8mSoSBAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQC1BjorEY98HkW7ceyH9s3d
EcFy6uFKXP2hFjCEesrW+N8lMdyrXYbyxffdE6ZpMEcNoYS9S0wxuwg1f7WjI/3S
y+fA2yviU+7c7blBd7r/r8uaviJB3uMWTgWKdnKBsnqBRvUQcytSrflzANV0MHIq
tVhFOv/lfqxQIha0m6BFQw==
-----END CERTIFICATE REQUEST----1012 timber:~/openssl> cat keyfile.pem
-----BEGIN RSA PRIVATE KEY----Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F7FFBD69A863B27B
oq2s6YBa+6XVk+sfhFwYQixYQnP1wDDPVFpf+gdFTQUZ7qkG+qeR23z9LqEiTm1H
E5ZB8TW3m1PC8Bhz8EansTV9/Q2AqpgWduytuKX9mo1nEwjTQPx7vZpnb+JrcGB2
Ew2qp4NfU1sYVpXV+KO66TunsTdhvNyV1fH8r6Dgk9xruNfvoUB0WRRKDGZ17iaP
1GeGPnQWWDC7WWE2LYugz/LW5BSoZtwdYf2U/48F/SvAgf1MyPUExwBqYRinzjdo
PP9MXMGPHJQJ9PLeGnIRqUAAU2p0NJB8tb8ZrwFWpK4Aa1B3I9cNiMa42L0mfcax
Y10+0MMq4UcAIHkfdIOBbRN8m9lpM3haeAs9ppAewyG3MKII2DC+FsEsdYIBWRhL
Mfi3WcUOwqrVHLL2Qf1d4QZS9MkYZahvKsz3iYGZkw2Le/BXy+0/esLFnCjDhEOA
NLLrVRcpo+82bKjjeQf4yTxL6w++HmfWsWSSGgD+BLWx6geVDZsUS65XaNsUsHQ7
PPi2taqaTu+rHKbYBoTdZUi3gUHhzH5NlWBvOe3tyWMVtid+GgmI418ib5uOikYL
c//IjhwrVzUL4+9raSVcHqFn+kOX/bGxbDzr5vJSJSDFfff2dwYAFvsPYK2ka5gZ
rYdq2tGjrEQycNXksOqsVGv4JEsuEacXeQRpVqh6AOVEWbC0eTUA1bjo9wM6aywi
FIqgr0lLIE7lvL9rW8mkPQ9Tl9lwrLZfqB3vcfmstDXfQqH/A9VEgjhbNHnJkZ3n
MihuBRizFEbK/kZRbk0yVMiFU6HltIJUgJ5b06bLEpcz6wlHSBBxhA==
-----END RSA PRIVATE KEY-----
Programming SSL

Client Side





Limited support in built-in socket module
ssl = socket.ssl( socket )
Two methods: read(), write()
Create wrapper to make easier to use – see
basic-wrap.py
Server Side


Need either additional module or version 2.6 or
later of Python
See example on next slide
Python 2.6 ssl module
server side example
while True:
newsocket, fromaddr = bindsocket.accept()
connstream = ssl.wrap_socket(newsocket,
server_side=True,
certfile="mycertfile",
keyfile="mykeyfile",
ssl_version=ssl.PROTOCOL_TLSv1)
deal_with_client(connstream)