Public Key Infrastructure

  • Encryption

    • Symmetric

      • Uses the same secret key to encrypt and decrypt the message, so that key has to be shared securely with the other party beforehand
    • Asymmetric

      • Uses a key pair: a public key and a private key
      • The public key can be given to everyone; the private key is known only to its owner
      • Data encrypted with the public key can only be decrypted with the matching private key (confidentiality); data signed with the private key can be verified by anyone holding the public key (authenticity)
  • Hashing

      • Deterministic: the same input must always produce the same fixed-length output
      • One-way (pre-image resistance): given the output, it must be infeasible to recover the input
      • Collision resistance: it must be infeasible to find two different inputs that produce the same output
      • Avalanche effect: changing the input, even by a single bit, produces a completely different hash

  • Digital Signature

    • A hash of the data, signed with the signer's private key; anyone holding the public key can verify that the data is unchanged and came from the key holder

  • PKI

    • Certificate Authorities

      • Root CA
      • CA/Intermediate CA
      • Certificates
    • Server (end-entity) certificate signed by an Intermediate CA

    • Intermediate CA certificate signed by the Root CA

    • Root CA certificate signed by its own Root private key (self-signed); clients trust it because it is pre-installed in their trust store, not because of its signature

    • Full-chain: the server certificate followed by every intermediate up to the root; the server sends this chain (normally without the root itself) so clients can build a path to a root they already trust

    • Self-signed Certificate

      • Signed with the private key matching its own public key; gives encryption but no third-party proof of identity, so every client has to be told to trust it explicitly
    • CA-signed Certificate

      • Certificate whose identity was verified and signed by a CA

      • The CA itself is signed by (chains to) a Root CA present in the client's trust store

  • Securing HTTP

    • Cipher Suites

      • Key Exchange Algorithm

        • RSA, DH, ECDH, DHE, ECDHE, or PSK
      • Authentication Algorithm

        • RSA, ECDSA, or DSA
      • Bulk Data Encryption Algorithm

        • AES, CHACHA20, Camellia, or ARIA
      • Message Authentication Code (MAC) Algorithm

        • HMAC-SHA256 (or SHA384) for CBC suites; AEAD suites such as AES-GCM and ChaCha20-Poly1305 authenticate inside the cipher itself, and the hash named in the suite then serves as the PRF/HKDF hash
      • Example:

        • Key_Exchange-Authentication-Cipher(Algorithm_Strength-Mode)-Hash/MAC

        • ECDHE-ECDSA-AES128-GCM-SHA256

        • TLS 1.3 suites (e.g. TLS_AES_128_GCM_SHA256) name only the AEAD cipher and hash: key exchange is always ephemeral (EC)DHE and authentication comes from the certificate

    • Key Exchange (RSA)

      • The client encrypts the premaster secret with the server's RSA public key; there is no forward secrecy, so a leaked server key decrypts every recorded session. Removed in TLS 1.3; prefer (EC)DHE suites

    • Lab: Exploring Cipher Suites

      • Client Side Ciphers (every suite the local OpenSSL build can offer; -V shows the hex ID and the Kx/Au/Enc/Mac breakdown, and eNULL makes the NULL-encryption suites visible too)

        • openssl ciphers -V 'ALL:eNULL'
      • Server Side Ciphers (probes the server, lists the suites and protocol versions it accepts and grades the weakest)

        • nmap -sV --script ssl-enum-ciphers example.com
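The cipher-suite naming scheme above maps directly onto the Kx/Au/Enc/Mac columns that `openssl ciphers -V` prints. The following script is an added example, not part of the original lab: it splits one such line into those fields and flags suites a practitioner would retire (NULL/RC4/3DES ciphers, SHA1/MD5 MACs, RSA key exchange without forward secrecy, non-AEAD modes). The sample lines in the check are constructed to match the -V output format, and the grading rules are this example's own policy.

```shell
#!/bin/sh
# Added example (not from the original page): grade cipher suites from the
# `openssl ciphers -V` output. Grading rules are this example's own policy.
set -eu

# classify_suite "<one line of openssl ciphers -V output>"
# Prints "strong", "weak: <reason>" or "review: <reason>".
classify_suite() {
    line=$1
    kx=$(printf '%s\n' "$line" | sed -n 's/.*Kx=\([^ ]*\).*/\1/p')
    enc=$(printf '%s\n' "$line" | sed -n 's/.*Enc=\([^ ]*\).*/\1/p')
    mac=$(printf '%s\n' "$line" | sed -n 's/.*Mac=\([^ ]*\).*/\1/p')

    # Broken or legacy bulk ciphers, including the NULL "cipher" that eNULL reveals.
    case "$enc" in
        None|RC4*|RC2*|DES*|3DES*|IDEA*|SEED*) echo "weak: cipher $enc"; return 0 ;;
    esac
    # CBC suites with a legacy MAC (the TLS 1.0/1.1-era suites).
    case "$mac" in
        MD5|SHA1) echo "weak: MAC $mac"; return 0 ;;
    esac
    # RSA key exchange encrypts the premaster secret to the server's long-term key,
    # so a leaked key decrypts recorded traffic (no forward secrecy).
    case "$kx" in
        RSA) echo "weak: RSA key exchange (no forward secrecy)"; return 0 ;;
        ECDH|DH|any) ;;   # (EC)DHE; TLS 1.3 suites print Kx=any because they are always ephemeral
        *) echo "review: key exchange $kx"; return 0 ;;
    esac
    # Prefer AEAD modes; CBC with HMAC-SHA256 is not broken but is the weaker construction.
    case "$enc" in
        *GCM*|*CCM*|*CHACHA20*) echo strong ;;
        *) echo "review: non-AEAD cipher $enc" ;;
    esac
}

# audit_local_ciphers : grade every suite the local OpenSSL build can offer.
audit_local_ciphers() {
    openssl ciphers -V 'ALL:eNULL' | while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | awk '{print $3}')
        printf '%-40s %s\n' "$name" "$(classify_suite "$line")"
    done
}

# usage: sh suites.sh audit
if [ "${1:-}" = audit ]; then
    audit_local_ciphers
fi
```

Run it with `audit` to grade the local build; the same `classify_suite` function can be fed the suite lines that `ssl-enum-ciphers` reports for a server, since the field names are the same.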
    • Certificate Format (X.509)

      • an International Telecommunication Union (ITU) standard defining the format of public key certificates

      • X.509 certificate binds an identity to a public key using a digital signature

      • Contains an identity (a hostname, or an organization, or an individual) and a public key

      • Base64

        • PEM - Privacy-Enhanced Mail

          • Extensions: .pem, .crt, .ca-bundle, .key
          • Base64-encoded DER wrapped in -----BEGIN ...----- / -----END ...----- lines; can hold certificates, private keys and CSRs, and several certificates concatenated into one file (a bundle)
        • PKCS#7 - Cryptographic Message Syntax, one of the Public Key Cryptography Standards

          • Extensions: .p7b, .p7s
          • Mostly used on Windows and Java Tomcat
          • Cannot store private keys, only certificates (end-entity and intermediates)
      • Binary

        • DER - Distinguished Encoding Rules

          • Extensions: .der, .cer
          • the raw binary ASN.1 encoding; common on Windows and in Java, rarely seen elsewhere
        • PKCS#12

          • Extensions: .pfx, .p12
          • can hold the entire certificate chain and the private key in a single file
          • password-protected container; handle it like a private key, because that is what it contains
    • Lab: Nginx SSL/TLS Termination

      • Generating Self-signed certificate

        • Generate a Private Key

          • openssl genrsa -out server.key 2048
        • Extract a Public Key from the key pair

          • openssl rsa -in server.key -outform PEM -pubout -out public.pem
        • Create a Certificate Signing Request (CSR); list every hostname, including the CN, in the subjectAltName, because browsers ignore the CN (-addext needs OpenSSL 1.1.1 or later)

          • openssl req -key server.key -new -out server.csr -subj "/C=MM/CN=server.example.com" -addext "subjectAltName=DNS:server.example.com,DNS:www.example.com,DNS:web.example.com"
        • Generate a Certificate by signing the CSR with its own Private Key (note: x509 -req does not carry the CSR's extensions, including the SAN, into the certificate unless you pass -copy_extensions copy on OpenSSL 3.0+ or supply them again with -extfile)

          • openssl x509 -signkey server.key -in server.csr -req -days 365 -out server.crt
        • Generate a Certificate without CSR (here -addext is applied directly to the certificate)

          • openssl req -key server.key -new -x509 -days 365 -subj "/C=MM/CN=server.example.com" -addext "subjectAltName=DNS:server.example.com,DNS:www.example.com,DNS:web.example.com" -out server.crt
        • One liner Self-signed certificate (prompts for a key passphrase; add -nodes, or -noenc on OpenSSL 3.x, to get an unencrypted key that nginx can load unattended)

          • openssl req -newkey rsa:2048 -keyout server.key -x509 -days 365 -subj "/C=MM/CN=server.example.com" -addext "subjectAltName=DNS:server.example.com,DNS:www.example.com,DNS:web.example.com" -out server.crt
      • Signing a certificate with an own CA (the -CA/-CAkey options of openssl req need OpenSSL 3.2 or later; on older versions create a CSR and sign it with openssl x509 -req -CA/-CAkey instead. A wildcard CN without a matching subjectAltName is rejected by browsers, so add -addext "subjectAltName=DNS:*.example.com" as well)

        • openssl req -newkey rsa:2048 -nodes -keyout ca.key -x509 -days 3650 -subj "/C=MM/ST=Yangon/L=Yangon/O=Know Your Linux/CN=KYL CA" -out ca.crt
          openssl req -newkey rsa:2048 -nodes -keyout server.key -x509 -days 365 -CA ca.crt -CAkey ca.key -subj "/C=MM/ST=Yangon/L=Yangon/O=Know Your Linux/CN=*.example.com" -out server.crt
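The lab steps above, carried through end to end as an added example (not the lab's own commands): a private CA issues a server certificate via a CSR and `openssl x509 -req`, which is the portable route on both OpenSSL 1.1.1 and 3.x, and the result is then verified the way a deployment check would verify it (chain, SAN, CA:FALSE, key/certificate match). The CA name, hostnames and output directory are assumptions for the example.

```shell
#!/bin/sh
# Added example (not the lab's own commands): private CA -> CSR -> signed leaf -> checks.
# CA name, hostnames and the output directory are assumptions.
set -eu

# build_chain DIR : creates ca.key/ca.crt, server.key/server.csr/server.crt and
# server-fullchain.crt under DIR.
build_chain() {
    dir=$1
    mkdir -p "$dir"

    # 1. Private CA: self-signed and long-lived. `req -x509` marks it CA:TRUE by default.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -x509 -days 3650 \
        -subj "/C=MM/ST=Yangon/L=Yangon/O=Know Your Linux/CN=KYL CA" \
        -out "$dir/ca.crt" 2>/dev/null

    # 2. Server key and CSR. Only the subject travels in the CSR here: the CA, not the
    #    requester, decides which extensions the issued certificate gets.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" -new \
        -subj "/C=MM/O=Know Your Linux/CN=server.example.com" \
        -out "$dir/server.csr" 2>/dev/null

    # 3. Extensions for a leaf certificate. The SAN must list every name clients will
    #    use, including the CN, because browsers ignore the CN.
    cat > "$dir/server.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:server.example.com,DNS:www.example.com,DNS:web.example.com
EOF

    # 4. Sign with the CA. -CAcreateserial writes ca.srl next to ca.crt.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null

    # 5. Full chain in the order nginx expects: leaf first, then the issuer.
    cat "$dir/server.crt" "$dir/ca.crt" > "$dir/server-fullchain.crt"
}

# verify_chain DIR : prints "ok" when the leaf chains to the CA, carries the expected
# SAN, is not itself a CA and matches its private key; otherwise prints the failure.
verify_chain() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo chain-fail; return 1; }
    text=$(openssl x509 -in "$dir/server.crt" -noout -text)
    case "$text" in *"DNS:www.example.com"*) ;; *) echo san-missing; return 1 ;; esac
    case "$text" in *"CA:FALSE"*) ;; *) echo leaf-is-ca; return 1 ;; esac
    # Compare public keys, not RSA moduli, so the same check works for EC keys.
    crt_pub=$(openssl x509 -in "$dir/server.crt" -pubkey -noout | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout | openssl dgst -sha256)
    [ "$crt_pub" = "$key_pub" ] || { echo key-mismatch; return 1; }
    echo ok
}

# usage: sh ca-lab.sh run ./pki
if [ "${1:-}" = run ]; then
    build_chain "${2:-./pki}"
    verify_chain "${2:-./pki}"
fi
```

For nginx, point `ssl_certificate` at `server-fullchain.crt` and `ssl_certificate_key` at `server.key`; clients only accept the result once `ca.crt` is installed in their trust store, which is the whole difference between this and a self-signed certificate.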
  • Troubleshooting Tips

    • Checking Certificate Expiry (-servername sends SNI so a multi-site server returns the right certificate; </dev/null ends the session after the handshake instead of waiting on stdin)

      • openssl s_client -connect server.example.com:443 -servername server.example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
      • openssl x509 -in server.crt -noout -dates
    • Viewing Certificate Info

      • openssl x509 -in server.crt -noout -text
    • Checking Private Key's integrity (RSA keys; for any key type use openssl pkey -in server.key -check -noout)

      • openssl rsa -in server.key -check -noout
    • Matching with Private Key and SSL/TLS Certificate (the modulus comparison works for RSA only; for any key type compare the public keys instead: openssl x509 -pubkey -noout -in server.crt against openssl pkey -pubout -in server.key)

      • openssl x509 -noout -modulus -in server.crt
        openssl rsa -noout -modulus -in server.key
      • [ "$(openssl x509 -noout -modulus -in server.crt)" = "$(openssl rsa -noout -modulus -in server.key)" ] && echo Valid || echo Invalid
    • Checking supported TLS Version (a completed handshake means the server accepts that version; a failure can also mean the local OpenSSL build has TLS 1.0/1.1 compiled out)

      • openssl s_client -connect server.example.com:443 -servername server.example.com -tls1 </dev/null
        openssl s_client -connect server.example.com:443 -servername server.example.com -tls1_1 </dev/null
        openssl s_client -connect server.example.com:443 -servername server.example.com -tls1_2 </dev/null
        openssl s_client -connect server.example.com:443 -servername server.example.com -tls1_3 </dev/null
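The expiry and protocol checks above, wrapped as functions a monitoring job can call (an added example, not from the original page). `remote_cert_dates` and `tls_versions` need network access and a hostname of your own; `expires_within` works on a local PEM file and relies on `openssl x509 -checkend`, which exits non-zero exactly when the certificate expires within the given window. Hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): expiry and protocol-version checks.
# Hostnames are placeholders; remote_cert_dates and tls_versions need network access.
set -eu

# remote_cert_dates HOST [PORT] : print the validity window of the certificate a server
# presents. -servername sends SNI so a multi-site server returns the right certificate;
# </dev/null ends the session after the handshake instead of waiting on stdin.
remote_cert_dates() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -dates
}

# expires_within FILE DAYS : succeeds (exit 0) when the certificate in FILE expires within
# DAYS days or has already expired. `x509 -checkend N` exits non-zero exactly in that case,
# which makes this usable from cron or a monitoring check.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    fi
    return 0
}

# tls_versions HOST [PORT] : attempt one handshake per protocol version. A failure means
# the server refused it, or the local OpenSSL build has that version compiled out.
tls_versions() {
    host=$1; port=${2:-443}
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client -connect "$host:$port" -servername "$host" "-$v" \
               </dev/null >/dev/null 2>&1; then
            echo "$v: accepted"
        else
            echo "$v: refused"
        fi
    done
}

# usage: sh tlscheck.sh check server.example.com
if [ "${1:-}" = check ]; then
    remote_cert_dates "$2"
    tls_versions "$2"
fi
```

`expires_within /etc/nginx/ssl/server.crt 30 && echo "renew now"` is the shape of check worth scheduling; an expired certificate is the most common self-inflicted TLS outage.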
  • Encrypting a file with SSL/TLS Certificate (S/MIME key transport: the certificate must hold an RSA public key; anyone with server.crt can encrypt, only the holder of server.key can decrypt. openssl cms is the newer equivalent and accepts the same options)

    • openssl smime -encrypt -aes256 -binary -in file.txt -out file.enc -outform PEM server.crt
      
      openssl smime -decrypt -in file.enc -out decrypted_file.txt -inkey server.key -inform PEM -binary
  • Signing a file using a SSL/TLS Certificate and Key (the signature is the SHA-256 hash of the file signed with the private key; openssl dgst -verify expects a public key file, not a certificate, so extract the public key from the certificate first)

    • openssl dgst -sha256 -sign server.key -out file.sig file.txt
      
      openssl x509 -in server.crt -pubkey -noout > server.pub
      openssl dgst -sha256 -verify server.pub -signature file.sig file.txt
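The two file operations above as functions, with the tamper check that shows what a digital signature (a signed hash, as defined at the top of the page) actually buys you: an added example, not the page's own commands. The key and certificate are generated inside the demo block and all file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): detached signature, tamper detection and
# S/MIME encryption as functions. Key, certificate and file names are placeholders.
set -eu

# sign_file KEY FILE SIG : SHA-256 digest of FILE signed with the private key.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file CERT FILE SIG : prints "valid" or "invalid". `dgst -verify` expects a
# public key, not a certificate, so the key is extracted from the certificate first.
verify_file() {
    pub=$(mktemp)
    openssl x509 -in "$1" -pubkey -noout > "$pub"
    if openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1; then
        result=valid
    else
        result=invalid
    fi
    rm -f "$pub"
    echo "$result"
}

# encrypt_for CERT IN OUT : anyone holding the certificate can encrypt to it (RSA key
# transport, so the certificate must carry an RSA key).
encrypt_for() {
    openssl smime -encrypt -aes256 -binary -in "$2" -out "$3" -outform PEM "$1"
}

# decrypt_with KEY IN OUT : only the private-key holder can recover the plaintext.
decrypt_with() {
    openssl smime -decrypt -in "$2" -out "$3" -inkey "$1" -inform PEM -binary
}

# usage: sh signdemo.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/server.key" -days 365 \
        -subj "/CN=server.example.com" -out "$d/server.crt" 2>/dev/null
    printf 'release 1.2.3\n' > "$d/file.txt"
    sign_file "$d/server.key" "$d/file.txt" "$d/file.sig"
    echo "untouched: $(verify_file "$d/server.crt" "$d/file.txt" "$d/file.sig")"
    printf 'x' >> "$d/file.txt"          # any change to the file invalidates the signature
    echo "tampered:  $(verify_file "$d/server.crt" "$d/file.txt" "$d/file.sig")"
    encrypt_for "$d/server.crt" "$d/file.txt" "$d/file.enc"
    decrypt_with "$d/server.key" "$d/file.enc" "$d/file.dec"
    if cmp -s "$d/file.txt" "$d/file.dec"; then echo "round trip: ok"; fi
    rm -rf "$d"
fi
```

Note that the signature is only as trustworthy as the certificate: a verifier must still confirm that `server.crt` chains to a CA it trusts (openssl verify), otherwise anyone could sign with a self-made certificate carrying the same subject.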