Thursday, July 2, 2020

Certificates

Problem:
Without the cert, a GET request is unencrypted, so anyone can sniff the conversation.

The solution is encryption.

There are two types of encryption:
Symmetric
Asymmetric

In symmetric encryption, the same key is used for encryption and decryption, but the issue is how to share this key with peers.

If you share it over the internet, anyone can pick it up, and the intruder will then have hold of all communications going on in the background.

To avoid this, public key encryption is used to share the symmetric key.

Here is the process.
  • The server will have 2 keys (private and public)
  • The client will have a symmetric key
  • Initially the client will communicate with the server to establish a connection. No key is shared
  • The server responds with its public key
  • The client will encrypt its symmetric key with the server's public key and send the encrypted key to the server
  • The server will decrypt it using its private key. Now both client and server will have the same symmetric key
  • If anyone sniffs, they will get the encrypted symmetric key, and there is no way to decrypt it as only the server has the private key.
  • After this, the GET request is sent.

This is a very old method that is no longer used, for PFS (perfect forward secrecy) reasons.

Problem: How will the client verify that the public key belongs to the real server?
There is no way to know that it belongs to the actual server. To verify the identity of the server, a certificate is used. The certificate proves that the public key belongs to the actual server.

A Certificate Authority (CA) issues the certificate.
  • First the server communicates with the CA to get a signed cert.
  • The server will share its public key with the CA and ask it to sign the cert
  • The CA signs the server's public key with its own private key; the result is called the digital signature
  • This cert will also be linked to intermediate certs (having public keys) and the root cert (self-signed)
  • When the server sends the whole certificate chain to the client, the first thing a client does is verify the server cert

How to validate CA?
  • The server cert will have its public key and signature
  • The client will first check which CA is used. It will use that CA's public key to decrypt the signature.
  • The decrypted key should match the public key of the server.
  • The client will also verify the CA cert by going to the root. With the root CA public key, encrypt the public key of the intermediate cert and verify that the signature matches
  • The root cert is self-signed and is already stored/installed on your PC
  • If the root expires, you will get an error message such as: untrusted root.

    RSA Digital Signatures
    The current signing procedures of digital signatures are not simply implemented by public key operations. In fact, a modern digital signature is based on a hash function and a public key algorithm, as illustrated below.



The signature process is as follows:
  1. The signer makes a hash, or fingerprint, of the document, which uniquely identifies the document and all its contents.
  2. The signer encrypts the hash with only the private key of the signer.
  3. The encrypted hash, which is known as the signature, is appended to the document.
The verification process is as follows:
  1. The verifier obtains the public key of the signer.
  2. The verifier decrypts the signature using the public key of the signer. This step unveils the assumed hash value of the signer.
  3. The verifier makes a hash of the received document, without its signature, and compares this hash to the decrypted signature hash. If the hashes match, the document is authentic. The match means that the document has been signed by the assumed signer and has not changed since it was signed.
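
The signing and verification steps above, run with the openssl command line. This is an added example, not part of the original post; the file names, the document text and the function names are constructed, and the throwaway key is left without a pass phrase only so the script runs without prompts.

```bash
#!/bin/sh
# Added example: hash-then-sign and verify with the openssl CLI.
# Paths, document text and function names are constructed for this demo.

SIGDEMO=$(mktemp -d)

make_keypair() {
    # Throwaway 2048-bit RSA key pair, no pass phrase so the demo is non-interactive.
    openssl genrsa -out "$SIGDEMO/private.pem" 2048 2>/dev/null
    openssl rsa -in "$SIGDEMO/private.pem" -pubout -out "$SIGDEMO/public.pem" 2>/dev/null
}

doc_hash() {
    # Signer step 1 / verifier step 3: SHA-256 fingerprint of the document, as hex.
    openssl dgst -sha256 -binary "$1" | od -An -v -tx1 | tr -d ' \n'
}

sign_doc() {
    # Signer steps 1-2: hash document $1 and apply the private key; signature goes to $2.
    openssl dgst -sha256 -sign "$SIGDEMO/private.pem" -out "$2" "$1"
}

recovered_hash() {
    # Verifier step 2: apply the public key to signature $1. The result is a short
    # ASN.1 header naming SHA-256 followed by the 32-byte hash the signer computed.
    openssl pkeyutl -verifyrecover -pubin -inkey "$SIGDEMO/public.pem" -in "$1" \
        | tail -c 32 | od -An -v -tx1 | tr -d ' \n'
}

verify_doc() {
    # The whole verification in one command; exit status 0 only for a valid signature.
    openssl dgst -sha256 -verify "$SIGDEMO/public.pem" -signature "$2" "$1" >/dev/null 2>&1
}

make_keypair
printf 'pay 100 to alice\n' > "$SIGDEMO/doc.txt"
sign_doc "$SIGDEMO/doc.txt" "$SIGDEMO/doc.sig"
echo "hash of document:      $(doc_hash "$SIGDEMO/doc.txt")"
echo "hash inside signature: $(recovered_hash "$SIGDEMO/doc.sig")"
verify_doc "$SIGDEMO/doc.txt" "$SIGDEMO/doc.sig" && echo "original: signature valid"

# A changed document no longer matches the hash that was signed.
printf 'pay 900 to alice\n' > "$SIGDEMO/tampered.txt"
verify_doc "$SIGDEMO/tampered.txt" "$SIGDEMO/doc.sig" || echo "tampered: signature rejected"
```
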





PKI
An electronic certificate contains a public key that allows data to be encrypted so that it can only be decrypted using the private key. For example, if you had a certificate from microsoft.com, you could use this certificate to encrypt data so that people at Microsoft could decrypt it.
The next part of an electronic cert is the digital signature. This proves that the certificate is from a trusted source and is not fake. The digital signature also provides a checksum-like function for the digital certificate. That is, it can be used to check whether the certificate has been altered.
The first point to understand with the digital signature is the hash value. The hash value is a value that represents the certificate. The hash is calculated by putting the certificate through a mathematical function to produce a value. A simple hash function would be to add each byte in a file together to obtain a single number; of course, the hash function used in certificates is more complex than this. The hash value is then put through a mathematical function using the private key to generate a digital signature. This digital signature is then added to the certificate. Now that the digital signature is added to the certificate, it can be used later to check that the certificate has not been altered or damaged.

Hash -> private key -> digital signature
Digital Signature -> public key -> Hash 

To check the certificate, the digital signature is put through a mathematical function using a public key. The result of this should be the original hash value. If this value is not obtained, the person knows the certificate is corrupt or has been tampered with. The hash function is a one-way process, which means you cannot use the hash value to generate the original cert. This essentially means that even though the private key is used in the process, it is not possible to use the digital signature to obtain the private key. So what exactly does the digital signature do?
First it provides a method for checking the identity. For example, if you had a certificate that was issued to cisco.com, the name of the website could be included as a field in the certificate. When the cert is downloaded to a client computer, the client computer checks the name on the cert to see if it matches the website that they are trying to access. If it does, the cert will be used.
You can see that if another website also obtained this cert and attempted to use it, the cert would be rejected, as the name in the cert and the website do not match. Remember that a cert is essentially a file with data in it, so it is an easy process to change the name in the cert. If this were to occur and an attempt was made to use the cert, the digital signature comes into play. Notice that when a modified cert is used, the digital signature will not match the data in the cert and the cert will be rejected. This is how a certificate can be used to prove identity and how certificates protect themselves from being tampered with.
The next question that arises is: if you were given a digital cert, would you trust this cert? Certificates work off a trust model. To illustrate this, consider an example that occurs often in the real world. In this example, let’s say you have the company Microsoft. Microsoft makes operating systems, as we know, and you want to buy a laptop that works with Windows 8. In order to do this, you find a laptop and see that the laptop has a sticker on it saying Windows 8 compatible. Even though the laptop is not made by Microsoft, you can be assured that because it has this sticker, Windows 8 will work on this laptop.
So what has happened here? You are trusting that the manufacturer of the laptop has put the sticker on the laptop because their laptop works with Windows 8. You are trusting Microsoft that they will not allow a sticker like this to be put on a laptop that would not run Windows 8. Thus you can see how one trusts the other, and the person who purchases the laptop must trust both.

So how does this all relate to certs?
Certificates use the same type of trust model. At the top you have a cert authority. In this example I will use the cert authority Verisign. Verisign has been around for a long time and is well trusted on the internet. A certificate authority's job is to issue certs. These certs could be used for users, computers, devices and web pages. Let’s say ciscoTraining wants to get a cert for their web page. To do this they obtain a cert from Verisign, which would allow a visitor to the ciscoTraining web site to use encrypted SSL.
Before Verisign would issue a cert to ciscoTraining, a number of checks are performed. These checks include checking who registered the domain name and a number of checks on the business. This helps prevent certs being issued to individuals who want to use them for illegal activities. For example, if someone attempted to obtain a certificate for M1crosoft.com (notice that the i has been changed to a 1), this would be denied. What this essentially means is that if you use a cert from Verisign, you can be assured that a number of checks have been performed before the cert was issued. It is possible for a cert to be issued to a company that is doing the wrong thing, but at least you can be assured that some checks have been performed to determine that they are a valid company.

The next question is what happens when a user connects to the ciscoTraining website and obtains the cert. How does it know it is valid and from Verisign, and why would it trust and thus use this cert? By default, a number of certs are installed on the client computer when the operating system is installed. These include a Verisign cert. Since the cert is installed locally in the OS, the OS will trust any cert issued by Verisign. When the cert is downloaded from ciscoTraining, the digital signature in the cert is used to determine a number of different things: first, that the cert has not been tampered with, and that the website matches the website in the cert. Using the local cert installed in the OS, Windows can check the cert obtained from ciscoTraining to see if it is in fact a Verisign cert. You can start to see how the cert trust model works. The computer must trust the CA that the cert came from, just like you would trust an organization like Harvard University. Certs work the same way: you need to trust who issued the cert in order to start using it.

While surfing the internet, if we see the error “problem with website security cert”, this means a website that Windows does not trust. This essentially means no cert is installed locally on the computer or the site has not been placed in the exception list. From a user’s perspective, it means that Windows has not been configured to trust certs from this source. In this case, the user can take the risk, accept the cert and hope for the best, or not open the web site.

Although CAs like Verisign are trusted by Windows by default, you may want to use your own CA. Besides having complete control over the CA, certs from companies like Verisign do cost money. If you have your own CA, you can issue as many certs as you wish at no cost besides the costs of the OS and hardware to run it on.

When deploying a cert infrastructure, this will often be done at a number of different levels. At the top you will have a root CA. The root CA will issue certs to subordinate or 2nd level CAs. Often, after the root CA has issued certs to the second level authorities, the root CA will be taken offline. Since the root CA holds the private key that is effectively the key to the entire cert infrastructure, it should be protected. In some cases, a company will install the root CA on removable media. Once the root CA is not needed any more, the removable media is placed in a safe until it is needed again. The second level CAs are free to issue certs without the root CA, so the system will work fine even though the root CA is offline. Having the root CA offline helps keep it secure. The 2nd level CA will often issue certs to users and computers. For example, a cert may be issued to a user so their identity can be checked when using a VPN connection. It is also possible to have additional levels of CA if your organization requires it.

1st level (Root CA)
2nd level  (Users cert) and (computer cert)
3rd level (VPN)  (Email) (web1) and (web2 )

In this example, let us consider what happens when a computer attempts to connect to a web server. The cert for that website will be downloaded to the client, but will the client trust that cert? In order for the cert to be trusted automatically, a cert from the root CA needs to be installed locally on the client computer. Once this cert is installed on the computer, the computer will automatically trust any cert that comes from any CA in this hierarchy. If the root CA is trusted by the client, any of the child CAs will be trusted automatically.

certificate basically contains:
-who issued the cert
-who the cert is issued to 
-valid to
-public key
-digital signature






Asymmetric keys can also be used for signing data
We want to achieve the following:
data is not changed during transmission
If both hashes match, then we are sure the data was sent by the owner of the corresponding private key. Nobody can create an encrypted hash that can be decrypted with a different public key.
Verification of the signature is done using the public key
This is exactly what happens when a server sends its certificate to a client. Each certificate contains the signature of the owner of the certificate. The signature is verified exactly this way.


RSA overview:
Remember that the key length is always the same for the public and private keys.
Keys are always generated as a pair. You can't generate only a public key. The pair is a single entity
When you suspect the private key is compromised, new keys should be generated and the certificate re-created

PKI
Components involved:
CA, intermediate CA, public keys of CA. Every entity in PKI includes a public key

##use cases of certificates
secure a website
build a VPN and send data securely

Certificate Overview:
Information about owner
Information about issuer
Signature (signed by issuer)
Public key (always belongs to the owner of the certificate)

Installing OpenSSL
OpenSSL is supported on Windows as well

Install on Ubuntu

Ubuntu:~# openssl
OpenSSL> 
OpenSSL> 
OpenSSL> ^Z
[1]+  Stopped                 openssl
Ubuntu:~# 
Ubuntu:~# 
Ubuntu:~# openssl genrsa
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................+++++
.......................+++++
e is 65537 (0x010001)
-----BEGIN RSA PRIVATE KEY-----
[key data omitted]
-----END RSA PRIVATE KEY-----
Ubuntu:~# 

Anyone can get access to this private key, as it is exposed here. That's not what we want to achieve.

One option is to encrypt the private key:

Ubuntu:~# openssl genrsa -aes256
Generating RSA private key, 2048 bit long modulus (2 primes)
.................+++++
...........+++++
e is 65537 (0x010001)
Enter pass phrase:
Verifying - Enter pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,89969904BC218A78A70E2CF592B0B9D3
[key data omitted]
-----END RSA PRIVATE KEY-----
Ubuntu:~# 

This pass phrase is used to encrypt the private key.

As you can see here, the private key is encrypted using AES-256-CBC:
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,89969904BC218A78A70E2CF592B0B9D3


It's up to us which encryption algorithm (aes, des, 3des) we use to encrypt the private key.

Ubuntu:~# openssl genrsa -des3
Generating RSA private key, 2048 bit long modulus (2 primes)
.......+++++
..............................................................+++++
e is 65537 (0x010001)
Enter pass phrase:
Verifying - Enter pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,8E114F068E08574A
[key data omitted]
-----END RSA PRIVATE KEY-----
Ubuntu:~# 

Usually the private key should be stored in a file. For that we can use another option:

Ubuntu:~# openssl genrsa -aes256 -out private.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................................+++++
.....................................+++++
e is 65537 (0x010001)
Enter pass phrase for private.pem:
Verifying - Enter pass phrase for private.pem:
Ubuntu:~# 

Here we are storing the private key in a file named private.pem.

Ubuntu:~# cat private.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,A1B3ED7617FD108DC8123B23581F3536
[key data omitted]
-----END RSA PRIVATE KEY-----


What about the public key?
The public key is also encoded here in the private key file.

To extract the public key from the private key:

Ubuntu:~# openssl rsa -in private.pem -outform PEM -pubout -out public.pem
Enter pass phrase for private.pem:
writing RSA key
Ubuntu:~# 

To manipulate the key we use rsa: the input file is private.pem, the output format is PEM, and the public key is extracted into the file public.pem.

Ubuntu:~# cat public.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo5GZRIoehZX97SG7Uzjf
u1tLNGWryopOcfjhyXkNMCy1NyHVaz4svUE0ZQ212T5w9eYXNzep8Xgc502F6DCY
oUngnBk/P9JLTsBJXyYGn5Y61i6C2BxFL/6+YOB8rtJlnjPbiUeDLGYmzkNziZe1
wCEvyzuR2bkUSW/CKg2zpV9xDbDHumK9v89QRkZVuxUZDlBXHTHJp0KEIF0UZWGK
Q7bNgrNpAzCFEzYMH3mPiEqbAZnS1orD0nQvsJuCwqGfLeS9rHzszoPLJqgEJXnO
FzyXlBcNfcVqYSQVKlBdGAz5Sh8shZncgq56d8rmqhQ3Ovck4hKDO4hfg53RrTJN
XwIDAQAB
-----END PUBLIC KEY-----
Ubuntu:~# 

Now we can share this key with anyone who wants to communicate with us.

Note: an asymmetric key pair is a single entity, so if you want another public key, you need to generate another key pair.

By default the key length is 2048 bits. Let's generate a key of another length:


Ubuntu:~# openssl genrsa 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
...........................................................................................++++
.................................................................................................................................................................................++++
e is 65537 (0x010001)
-----BEGIN RSA PRIVATE KEY-----
[key data omitted]
-----END RSA PRIVATE KEY-----
Ubuntu:~# 



















Signature means encrypted hash
The data is basically the certificate

Fingerprints are basically hashes of certificates

We will send data to the server after encrypting it with the server's public key, and the server will decrypt it using the corresponding private key

*.google.com

The certificate is issued for google and its sub-domains

The signature algorithm used by the CA to sign the certificate is SHA-256 with RSA encryption


The list of DNS names under SAN means this certificate is allowed to be used for all of those websites. This certificate can be used for google.com and all its sub-domains

Certificates of this type are called multi-domain certificates. A single cert can be used for multiple domains

1. How do web browsers trust the Root CA?
##Root CA and root certificates in the OS
GlobalSign is the root CA. It is located at the top of the cert chain. Its expiry is mentioned in the cert
Here Subject Name and Issuer Name have the same information. GlobalSign has issued this cert to itself. This is also called a self-signed cert

How does the web browser trust the self-signed certificate of the Root CA?
Each OS ships with a list of pre-installed certificates of the Root CAs. In this case too, the GlobalSign cert is located in the OS. That's why the web browser trusts the self-signed root cert

Does the list of trusted certificates include certificates of the intermediate CAs?
No, it is not required: the OS trusts the root and the root trusts the intermediate CAs, so the OS also trusts the intermediate CAs.

2. How is the chain of trust built?
When the root CA signs the intermediate CA's cert, it trusts the intermediate CA
The root CA takes the intermediate CA's cert, hashes it, encrypts the hash and so signs it with the root private key
The root CA also adds its information as issuer in the intermediate cert
It adds the serial number of the cert
The intermediate CA will sign the end user certificate

How is the end user certificate securely signed by the private key of the intermediate CA?
Signing occurs on the intermediate CA server. With its private key it securely signs the CSR (certificate signing request) received from the end user
Signing happens on the machine where the private key is located.

3. When is a certificate considered invalid?
##Verifying chain of certificates
How is a certificate verified?
The web server sends its own certificate and the certificates of all intermediate CAs. After this, verification starts on your side. The client will start with the server certificate
First the computer looks at the current date and time. It should fall within the certificate validity interval
Next is the signature check. The computer looks at the issuer info. If intermediate CAs are involved, their certs will be sent to you by the server; otherwise the root CA cert will be pre-installed on the system.
Take the public key of the intermediate CA and verify the signature. If the signature is verified successfully, trust between the intermediate CA and the end user is established.
Now you trust that the intermediate CA has signed the server cert.
Next, the intermediate CA's signature must be verified.
Only root CA certs are pre-installed in the OS certificate store. To verify this, find the root CA certificate whose Owner info equals the Issuer info in the intermediate CA cert.
Verify the intermediate CA certificate signature using the public key found in the root CA cert
If the signature is verified successfully, trust between the Root CA and the Intermediate CA is established
Now we trust the root CA, the intermediate CA and the user certificate. The identity of the end user (for example a web server) was successfully verified
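
The verification walk described above, reproduced locally with openssl as an added example (not from the original post): it builds a root CA, an intermediate CA and a server cert, then runs `openssl verify` for the good chain and for four ways the check fails. All names (Demo Root CA, www.example.test, the file names and functions) are constructed.

```bash
#!/bin/sh
# Added example: build root CA -> intermediate CA -> server cert and verify the chain.
# Every name below is constructed for the demo; keys are throwaway and unencrypted.

PKI=$(mktemp -d)

cat > "$PKI/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF

new_csr() {       # $1 = file prefix, $2 = common name
    openssl req -new -config "$PKI/ext.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
}

sign_csr() {      # $1 = subject prefix, $2 = issuer prefix, $3 = extension section
    openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$2.pem" -CAkey "$PKI/$2.key" \
        -CAcreateserial -extfile "$PKI/ext.cnf" -extensions "$3" \
        -sha256 -days 30 -out "$PKI/$1.pem" 2>/dev/null
}

self_signed_root() { # $1 = file prefix, $2 = common name (issuer == subject)
    openssl req -x509 -config "$PKI/ext.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -subj "/CN=$2" -sha256 -days 30 \
        -keyout "$PKI/$1.key" -out "$PKI/$1.pem" 2>/dev/null
}

build_chain() {
    self_signed_root root "Demo Root CA"
    new_csr inter "Demo Intermediate CA" && sign_csr inter root v3_ca
    new_csr server "www.example.test"    && sign_csr server inter v3_server
    self_signed_root other "Unknown Root"   # a root the client never installed
}

verify_server() { # $1 = trusted root file; remaining args are passed to openssl verify
    root=$1; shift
    openssl verify -CAfile "$root" "$@" "$PKI/server.pem" 2>&1 | grep -q ': OK$'
}

check() {         # $1 = label; remaining args as for verify_server
    label=$1; shift
    if verify_server "$@"; then echo "$label: trusted"; else echo "$label: rejected"; fi
}

build_chain
future=$(( $(date +%s) + 365 * 86400 ))   # the certs above are valid for 30 days
check "full chain"           "$PKI/root.pem"  -untrusted "$PKI/inter.pem"
check "intermediate missing" "$PKI/root.pem"
check "root not in store"    "$PKI/other.pem" -untrusted "$PKI/inter.pem"
check "wrong host name"      "$PKI/root.pem"  -untrusted "$PKI/inter.pem" -verify_hostname shop.example.test
check "one year from now"    "$PKI/root.pem"  -untrusted "$PKI/inter.pem" -attime "$future"
```

Only the first check prints "trusted"; `-untrusted` is how the intermediate cert that the server sends is handed to the verifier, while `-CAfile` plays the role of the OS root store.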

How to verify an SSL cert and its chain?
An online site to verify the SSL cert and its chain for websites:
https://www.geocerts.com/ssl-checker
This will provide you with all details about the certificate.













Summary:
PKI is a set of rules, algorithms and protocols that allow you to build trust relationships between different entities: the certification authorities, intermediate CAs and end users
Every entity owns a public key, and based on those relationships we build the trust
Each certificate contains several blocks, such as information about the owner and information about its signature.
A certificate may also include a list of subject alternative names that specify the domains where the certificate may be used
Each entity in PKI has its own certificate
The Root CA uses its private key to sign the certificates of intermediate authorities, and in reality every root CA usually has many intermediate CAs
The Root CA usually does not sign end user certs; it signs the certs of Intermediate CAs, and the Intermediate CAs themselves are responsible for signing end user certs (web server)
Next, verification of the chain of trust: when you open a connection to any web server, it provides not just its own certificate but also the intermediate certs and sometimes the root cert as well
Root certs are located in a special secured store in each OS. They are trusted by default. So we also trust all certs which are signed by a root CA
That's how the chain of trust works.

Certificate domain scopes
Single domain: the cert may be used only at a single domain, and the common name in the cert has that single domain
Wildcard: the common name starts with *. Valid for the domain and its sub-domains
Multi-domain: valid for multiple domains and multiple sub-domains of those domains
Multi-domain certs are the most expensive


SSL, TLS, HTTPS
A certificate is used to establish trust between the web browser and the web server
But the cert itself is not used for encryption of data between the web browser and the web server
That's where the SSL and TLS protocols come into the picture
Both SSL and TLS are cryptographic protocols used for encryption of data
A certificate doesn't depend on a specific protocol (TLS or SSL) and can be used for both.






















How is a TLS session established?
TLS session setup using Wireshark
The cipher suite includes all protocols that will be used for generation of the secure key for encryption of data and for authentication of data
A hash is used here for the integrity check and for authentication of the sender of the data key

What the server sends contains two certs: one is the server cert and the other is the intermediate CA cert
The root CA cert is not sent to the browser, as it is expected to be pre-installed on the client system

Overview of cipher suites:
How is the key generated without the Diffie-Hellman algorithm?
Delivering key using RSA with DH. What are the drawbacks?
If anyone gets the private key of the server, they will be able to decrypt the key and can access the entire communication between this web server and the client
The RSA key pair should only be used for authentication of the web server. It should not be used for encryption of any sensitive data, such as the secure key for data encryption

How is the key generated using the Diffie-Hellman algorithm?
It allows you to generate keys over an insecure public connection, yet nobody else can generate the same keys as the two sides
The DH algorithm uses a one-way function. Even if you know the result of the function, you are not able to retrieve the parameters used inside the function

How does the Diffie-Hellman algorithm work?
Mod operation?
It is the remainder of the division of two numbers. It is a one-way function. Even if you know the result (remainder) and the divisor, you won't be able to get the actual numerator, as there are infinitely many such numbers
The two sites generate two sets of keys, public and private
In this example both public keys are generated on one side in order to minimize the quantity of messages sent between the two sites
Only two messages: one from Alice to Bob and the other from Bob to Alice
After that both sides generate the same keys
a and b are private keys, so they are not sent over the insecure network

Elliptic curve cryptography overview:
A and G are two numbers generated by Alice
B and G are two numbers generated by Bob
a and b are the private keys of Alice and Bob
Alice sends A and G to Bob
Bob sends B to Alice
In the case of ECDHE, authentication is not done, so a MITM attack can happen
This can be avoided by using a signature algorithm
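
The exchange above with real keys, as an added example that is not part of the original post: both sides derive the same secret from their own private key and the peer's public key, and the server's public value B is signed with its long-term RSA key so the client can tell when a different key arrives in its place. The roles, file names and the P-256 curve choice are assumptions made for the demo.

```bash
#!/bin/sh
# Added example: ephemeral ECDH where the server signs its ephemeral public key.
# Names (alice, bob, other, server_rsa) and the curve are constructed for this demo.

DH=$(mktemp -d)

new_ec_key() {        # $1 = name; writes $1.key (private: a or b) and $1.pub (public: A or B)
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$DH/$1.key" 2>/dev/null
    openssl pkey -in "$DH/$1.key" -pubout -out "$DH/$1.pub"
}

shared_secret() {     # $1 = own private key name, $2 = peer public key name; prints hex
    openssl pkeyutl -derive -inkey "$DH/$1.key" -peerkey "$DH/$2.pub" \
        | od -An -v -tx1 | tr -d ' \n'
}

sign_pub() {          # server signs public value $1 with its long-term RSA private key
    openssl dgst -sha256 -sign "$DH/server_rsa.key" -out "$DH/$1.sig" "$DH/$1.pub"
}

pub_is_authentic() {  # $1 = received public value, $2 = name of the signature sent with it
    openssl dgst -sha256 -verify "$DH/server_rsa.pub" \
        -signature "$DH/$2.sig" "$DH/$1.pub" >/dev/null 2>&1
}

setup() {
    # Long-term RSA pair: in TLS the public half reaches the client inside the server cert.
    openssl genrsa -out "$DH/server_rsa.key" 2048 2>/dev/null
    openssl rsa -in "$DH/server_rsa.key" -pubout -out "$DH/server_rsa.pub" 2>/dev/null
    new_ec_key alice   # client ephemeral pair (a, A)
    new_ec_key bob     # server ephemeral pair (b, B)
    sign_pub bob       # B travels together with its signature
    new_ec_key other   # some other key showing up where B was expected
}

setup
echo "Alice derives: $(shared_secret alice bob)"
echo "Bob derives:   $(shared_secret bob alice)"
pub_is_authentic bob bob   && echo "B with its signature: accepted"
pub_is_authentic other bob || echo "other key with B's signature: rejected"
```

The private key files never leave their side; only the `.pub` files and the signature cross the network.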




Why is a self-signed certificate not trusted?
Because there was no such certificate in the key chain store on my computer. You will not find a certificate with common name (*) under System Roots in the key chain.
That's why the browser doesn't trust this cert.









Free domains overview

https://github.com/

GitHub is a service that allows you to store your repositories in a single place. Those repositories may be available to anyone in the world; repositories are actually projects that you develop alone or together with other developers

free hosting site: https://nawlekha.github.io/
domain: nawlekha.github.io  ## sub-domain of github

Now we have set up a custom domain, and for free hosting we used GitHub Pages
Now let's verify the TLS cert, which is also free for this site.

For the AES cipher there are two modes of operation
GCM: Galois/Counter Mode
CBC: Cipher Block Chaining

A free domain will always be a sub-domain of another domain

For a live website we need to have a paid domain

For free SSL certs:
https://www.sslforfree.com/

