Part 1; Cryptography SSL/TLS Encryption
In this series, we will learn about SSL/TLS encryption: the processes, configurations and common errors.
Part one, this article, covers the introduction to HTTP and HTTPS connections, the types of SSL setups and basic certificate configuration.
We will use TLS and SSL interchangeably.
Introduction; HTTP protocol.
To understand SSL and TLS encryption we begin with a basic HTTP connection. Communication between web browsers and servers occurs over the TCP/IP protocol, which carries the HTTP connection. The connection is established through a TCP three-way handshake.
(Source; Afteracademy)
- A user browses the internet by creating a connection request to the server (http:example.com) (SYN)
- The server responds with the requested content (SYN-ACK)
- The user is able to browse through the contents (ACK)
A successful connection has been established.
What brought SSL;
Plain HTTP connections had several security challenges, such as man-in-the-middle attacks in which attackers could sniff the communication. Secure HTTP was introduced in 1995 to enhance data integrity and ensure privacy and authentication. The use of SSL has become a dominant security requirement for most websites and web applications, with over 46 million sites as of 2019.
SSL certificates enhance communication by adding an extra layer of cipher suites that are used for encryption and decryption between the clients and the servers. SSL uses the same process as an HTTP connection. TLS is an advanced version created by the IETF in 1999.
SSL Handshake; (credits wolfSSL)
SSL/TLS Certificates Types
SSL certificates are X.509 certificates generated and signed by a Certificate Authority, e.g. Comodo, GoDaddy, Symantec or DigiCert.
- Domain Validation — Validates a domain that matches a specific public Key.
- Extended Validation — Validates a domain after the CA validates all the organization details through phone calls. It’s the most trustworthy certificate.
- Organization Validation — Validates a domain after an organization proves control over the domain.
HTTP and SSL created HTTPS.
The addition of SSL encryption to HTTP connection has enabled secure communications between a user and web server to avoid any man in the middle attacks. From the types above there are several ways one can create certificates that will be used for encryption.
Certificate Process;
There are three key parts of a certificate.
- Private key
- Certificate Signing Request
- Certificate issued
Private Keys;
The private key is generated by the server owner and will be used for encryption/decryption for servers that will be connecting to it. As the name suggests, private keys should be kept private, with 600 permissions.
domain abc.target.com.pem
To generate private key;
openssl genrsa -des3 -out abc.target.com.pem 2048
This generates the private key.
Where;
- genrsa — Generate RSA private key
- -des3 — Triple Data Encryption Standard, used to protect the key with a passphrase
- -out — File to write the output of the request into
- abc.target.com — Domain to be used
- 2048 — The bits in the private key.
Remove the passphrase from the Private Key
openssl rsa -in abc.target.com.pem -out abc.target.com.pem
This removes the passphrase from the key.
Sample key generated.
Certificate Signing Request (CSR);
Contains information that will be used to validate the certificate. Some of the details included are FQDN, email, Organization name, locality and country code.
CSRs can either be generated from private keys only or a public and private key.
From a private key
openssl req -new -key abc.target.com.pem -out abc.target.com.csr -sha256
This is generated from a 2048 bit key.
Where;
- req — certificate request command
- -key — specify the private key to be used
- -out — output into abc.target.com.csr
- -sha256 — specify that the request uses the SHA-256 algorithm
CSR created
Generate from a public and private key;
openssl req -out abc.target.com.csr -new -newkey rsa:2048 -nodes -keyout privatekey.key
Generate from a private key and existing SSL certificate;
openssl x509 -x509toreq -in certificate.crt -out abc.target.com.csr -signkey privateKey.key
Verify the csr file;
openssl req -in server.csr -noout -text
Signed Certificates;
Certificates can either be signed by a valid Certificate Authority or self-signed.
Valid Certificate Authority;
To be signed by a CA, upload the CSR on the cert portal and generate certificates based on the years of validity needed. The current SSL validity industry standard is one year.
Certificate issued by godaddy
Certificate Authorities provide three certificates: a leaf, an intermediate and a root. The MD5 of the key file's modulus should match the MD5 of the modulus in the certificate file (leaf). The intermediate and root validate the certificate issuer/authority.
Verify that the crt and pem match. The output of the two commands should be the same.
openssl x509 -noout -modulus -in cert.crt | openssl md5
openssl rsa -noout -modulus -in privkey.txt | openssl md5
Self Signed certificate;
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout abc.target.com.pem -out abc.target.com.crt
Sample Certificate output
Verify the contents of the certificate;
openssl x509 -in abc.target.com.crt -text -noout
The x509 command expects a trusted certificate, i.e. one signed by a valid CA.
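The steps above (key, CSR, certificate, match check) can be scripted end to end; the following is an added example, not part of the original article. It generalizes the modulus/MD5 comparison by hashing the whole public key with SHA-256, which also works for non-RSA keys and catches a CSR that does not belong to the key. The function names, other.pem and the /O=Test subject are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names and the subject are constructed sample values.

# Print the SHA-256 digest of the public key inside a key, CSR or certificate.
pubkey_digest() {  # usage: pubkey_digest key|csr|cert FILE
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1   # never hash empty output from a failed parse
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if KEY, CSR and CERT all carry the same public key.
same_keypair() {  # usage: same_keypair KEY CSR CERT
    k=$(pubkey_digest key "$1") && r=$(pubkey_digest csr "$2") &&
        c=$(pubkey_digest cert "$3") && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Succeed only if FILE is readable and writable by its owner alone (mode 600).
key_is_private() { [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]; }

# Create a throwaway key, CSR, self-signed certificate and one unrelated key.
make_demo_pki() {  # usage: make_demo_pki DIR
    ( cd "$1" && umask 077 &&
      openssl genrsa -out abc.target.com.pem 2048 2>/dev/null &&
      openssl req -new -sha256 -key abc.target.com.pem \
          -subj "/O=Test/CN=abc.target.com" -out abc.target.com.csr &&
      openssl x509 -req -sha256 -days 365 -in abc.target.com.csr \
          -signkey abc.target.com.pem -out abc.target.com.crt 2>/dev/null &&
      openssl genrsa -out other.pem 2048 2>/dev/null )
}

# Run "sh this_script demo" to see a matching and a mismatching key.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_demo_pki "$d" || exit 1
    same_keypair "$d/abc.target.com.pem" "$d/abc.target.com.csr" \
        "$d/abc.target.com.crt" && echo "abc.target.com.pem: matches CSR and certificate"
    same_keypair "$d/other.pem" "$d/abc.target.com.csr" \
        "$d/abc.target.com.crt" || echo "other.pem: does NOT match"
    key_is_private "$d/abc.target.com.pem" && echo "key permissions: 600"
    rm -rf "$d"
fi
```

The key in this example is written without a passphrase; a passphrase-protected key would make openssl pkey prompt for it.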
Part Two; Certificate addition based on different platforms and applications.