Wednesday, 1 January 2020

Digital Signature

First, one needs to know the relationship between the keys in asymmetric cryptography (the public and the private) in order to understand how digital signatures work.
The public key is available to everyone. The private key is known only by the owner and can’t be derived from the public one. When something is encrypted with the public key, only the corresponding private key can decrypt it. Moreover, when something is encrypted with the private key, then anyone can verify it with the corresponding public key. Now, let’s return to the story of Mark and Kevin to better understand how it works.
Mark’s private key is used to encrypt the hash of the document. That encrypted hash is called a digital signature. Mark sends Kevin the document with the appended digital signature of the document. Kevin uses Mark’s public key to decrypt the digital signature. Then, Kevin calculates the hash of the document and compares it to the decrypted digital signature of the document, which is the hash of the document. When those hashes match, Kevin knows who the sender of the message really is, and exactly which message was sent. The property of non-repudiation is achieved by using a digital signature.
There’s one question remaining. How does Kevin know that the public key is really the one from Mark? There might be a man-in-the-middle introducing themselves as Mark. A digital certificate is used to solve that problem. Kevin gets the digital certificate from Mark, which includes Mark’s public key and his name. The certificate is digitally signed by the trusted Certificate Authority (CA) – the hash of the certificate is encrypted with the private key of the trusted CA. Kevin has the list of trusted CAs (with their public keys) in his operating system. It allows Kevin to verify that the public key actually belongs to Mark.

Wednesday, 1 February 2017

Create SSL or TLS Certificates with SubjectAltnames by openssl

Create SSL or TLS Certificates with SubjectAltnames by openssl

  • Privacy (stop looking at my password)
  • Integrity (assures data has not been changed in transit)
  • Trust (you are who you say you are, protect from identity theft)
These all three are required when you browse sites to buy stuffs or do banking and for trust also. When you visit Amazon,ebay,google,youtube etc. Your browser receive certificates each time you open browser i.e firefox,chrome etc.
After receiving a certificate from amazon.com it verify that certificate  with root ca certificates which are already embedded or pre-installed in your browsers to authenticate if this received certificate is original or fake(created by any hacker).
If you get an error regarding certificate is invalid. They you must not proceed as reason are following :-

1)      Check domain name properly. Is it Amazon.com(original) or Amaz0n.com(fake).
2)      Certificates may be expired (But Big organizations never delay in renewal).
3)      Sometimes hackers can hack DNS servers which can move your browser data to their website with
Same original name Amazon.com. but again browser will receive an invalid certificate error.
Because hacker can’t generate and give same certificate to browser  which being given by
Original amazon.com. it’s nearly impossible unless private key stolen from amazon’s server.
 countermeasures to this use secure DNS servers which are google dns servers 8.8.8.8. you can check on google.

Below tutorial shows how to create certificates for CA and also for other devices i.e for web server,application others etc.
CA is Certificate Authority. It act as trusted third party, it issues digitel certificates and it can also sign the certificate given by any organization (or company), So that customers around the world can trust that organization.

But you can also create Certificate Authority for your organization. Which can sign or issue certifcates for your internal VPN Servers,Web servers, Application Servers etc.

We will use here openssl tool to create certificates. It’s free tool(open source).


OpenSSL is a free utility that comes with  ubuntu and Unixes. You can also download a copy by searching on google.
  1. Create a private key
  2. Self-sign
  3. Install root CA on your various workstations
Once you do that, every device or server that going to provide secure connection via HTTPS just needs to have its own certificate created with the following steps:
  1. Create CSR for device
  2. Sign CSR with root CA key (CA private key)
You can have your own private CA (Certificate Authority )setup in less than an hour. And here’s how to do it 

Create the Root Certificate (CA Certificate)

          It’s easy to create CA certificate. Once you do these steps, you’ll end up with a CA certificate that you’ll install on all of your desktops, and a private key you’ll use to sign the certificates that get installed on your various servers or devices which will further provide secure ssl connection to all users.
Creating CA private key with following command
 
Openssl genrsa –out CAprivatekey.pem 2048  


 2048 bit is good key size. You must keep this key very private. If someone gets hold of it, they can sign certificates with your private key and your browser will accept it.

If you want to set password then use following command

openssl genrsa -des3 -out CAprivatekey.pem 2048 

If you want Export the RSA Public Key to a File, This is not necessary

openssl rsa -in CAprivatekey.pem -outform PEM -pubout -out CApublickey.pem 

Now, create certificate and self-sign this certificate in one command.
 
openssl req -x509 -new -nodes -key CAprivatekey.pem -sha256 -days 1024 -out CAcert.pem 
while creating certificate which is in x509 format, it will ask your company details.
X.509 is a standard that defines the format of public key certificates
Once done, this is SSL certificate called CAcert.pem, signed by itself, valid for 1024 days, and it will act as our root certificate. It should be installed on every browser in your company under “trusted root authorities”, so that browser can verify certificates received from internal webserver, internal applications with this CA certificate


Now, Create a Certificate for a internal device (i.e web server, application etc.)

Create private key with following command
 
openssl genrsa -out devicekey.pem 2048
Now, generate the Certificate Signing Request(csr)

 

openssl req -new -key deviceprivatekey.pem -out devicecert.csr

Again you will be asked details of your company.

 

Common Name (eg, YOUR name): 192.168.1.5
 
Important Note:

You need to be little careful while entring COMMON NAME. If you have not chosen doman name for your web server and users will open internal website of your company by putting ip address in browser’s address bar then you need to select ip address as COMMON NAME otherwise users shall receive security error in their browser.
But if you have a domain name such as example.com then select COMMON name equal to example.com.In one situation user may also get an security error in browser, if outgoing request is www.example.com. In this case, browser will get “example.com” on certificate which is not same as www.example.com, so common name should be “*.example.com”.
You might have seen it on internet, if you go and check facebook or google certificates, where COMMON name is “*.facebook.com”. But these organizations use multiple common names i.e. Subject Alternative Names in certificate exetension., this way user never receive security error in browser, either use facebook.com,fb.com or www.facebook.com. I will show in next section.

Now, time to sign device's certificate with CA key.

openssl x509 -req -in devicecert.csr -CA CAcert.pem -CAkey CAprivatekey.pem -CAcreateserial -out device_cert.pem -days 500 -sha256

"deviceprivatekey.pem" will act as private key of web server and "device_cert.pem" will act as public certificate embedded wih public key  

To add SubjectAltNames to CSR file, Follow below steps
1) Go to open /etc/ssl/openssl.cnf file.
2) Scroll down and alter or add some lines under v3_req section as follow:-

subjectAltName=@alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = *example.com
DNS.3 = exp.com

then below command.

openssl req -new -key deviceprivatekey.pem -out devicecertsignreq.csr -reqexts v3_req -config /etc/ssl/openssl.cnf 

Now, from above command you have created certificate in CSR format to get it signed from CA authority. Now CA will sign this below certificate
devicecertdignreq.csr


With the help below commands you can sign csr certificate requests with all included SubjectAltNames :-

openssl x509 -req -in devicecertdignreq.csr -CA CAcert.pem -CAkey CAprivatekey.pem -CAcreateserial -out device_cert.pem -days 365 -sha256 -extensions v3_req -extfile /etc/ssl/openssl.cnf

----------------------------------------------------------------------------------------------------

Reference link :- http://www.zytrax.com/tech/survival/ssl.html