This note will research how information is sent and received from an enterprise: What is channel level security? What is message level security? What is SSL? What is mutual auth? What are certificates? How is this handled in SOAP? How is this handled in REST? And perhaps more along those lines.

With this research I have learned what PKI is, what public and private keys are, what signatures are, what certificates are, what CA certificates and SSL certificates are, how web servers manage their certificates, how web browsers manage their CA certificates, what self signing is, and more...

Companies, Books, Tools, and Online Resources.

satya - 1/13/2015, 10:38:01 AM

SSL, MutualAuth, Certificates

satya - 1/13/2015, 10:39:05 AM

How is MQ Secured?

satya - 1/13/2015, 10:40:43 AM

This looks like a nice article to start with

satya - 1/13/2015, 10:43:34 AM

What is SSL?

satya - 1/13/2015, 10:43:50 AM

How is SSL different from SSL with Mutual Authentication?

satya - 1/13/2015, 10:44:16 AM

Mutual SSL authentication

satya - 1/13/2015, 10:44:44 AM

1-way SSL 2-way authentications

satya - 1/13/2015, 10:53:14 AM

Understand certificates first

satya - 1/13/2015, 12:24:57 PM

Understand public keys first

An entity can publish a (public) key

This public key can be used by any number of consumers to encrypt data using that key

Only the owner of the public key, who holds the matching private key, can decrypt the data.

This is the intent of the public key

satya - 1/13/2015, 12:25:21 PM

Key concepts


Keys (public/private)
Signatures
Certificates

satya - 1/13/2015, 3:54:28 PM

Some recommendations I have got to read on

http://www-inst.eecs.berkeley.edu/~cs161/fa05/Notes/cs161.0926.pdf

http://en.wikipedia.org/wiki/Transport_Layer_Security

satya - 1/13/2015, 3:57:47 PM

Use of public keys in upstream traffic

Server publishes a single public key for all clients

Many clients send messages to a server

A client can be sure that no other client can read that message; not even the sending client can decrypt it again, because only the server's private key can.

An example would be a million browsers sending data to a given web server.

No other web server can understand this traffic

No other web client or interceptor can understand this traffic

Call it the encryption principle

Controlled by a server

satya - 1/13/2015, 4:11:17 PM

Reverse Pattern

A server publishes a key for everyone to see and get

Very many servers can then send a message to a client

The client can take each encrypted message and see which key opens it

If a key opens a message then that message must have come from the respective server

Then the message is a "signature" of that server

satya - 1/13/2015, 4:21:10 PM

Message Digest

satya - 1/13/2015, 4:23:18 PM

Message Digest

Easy to compute

Attach it to the long message

The digest is then probably encrypted (signed) with a private key

This prevents undetected tampering with the original message

It likely saves the need to encrypt the whole message
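
The "Reverse Pattern" entry and the "Message Digest" entry above, worked through with the openssl command line. This is an added example, not part of the original notes; it assumes the openssl binary is on PATH, and the two server key pairs, the message and the function names are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original notes): digest + signature with the
# openssl CLI. Assumes openssl is on PATH; keys and message are constructed.

# Create an RSA key pair for one party inside directory $1 (private.pem /
# public.pem). The public half is what the party "publishes".
make_keypair() {
    dir=$1
    openssl genrsa -out "$dir/private.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/private.pem" -pubout -out "$dir/public.pem" 2>/dev/null
}

# Digest the message with SHA-256 and sign the digest with the private key.
# The long message itself travels in the clear; only the short digest is
# "locked" with the private key. That locked digest is the signature.
sign_message() {
    private_key=$1; message=$2; signature=$3
    openssl dgst -sha256 -sign "$private_key" -out "$signature" "$message"
}

# Recompute the digest and check it against the signature with a public key.
# Succeeds (exit 0) only if this public key opens the signature AND the
# recomputed digest matches: the message came from the holder of the
# matching private key and was not altered on the way.
verify_message() {
    public_key=$1; message=$2; signature=$3
    openssl dgst -sha256 -verify "$public_key" -signature "$signature" \
        "$message" >/dev/null 2>&1
}

# The "reverse pattern": given the published keys of several servers, the
# key that opens the signature tells the client which server sent it.
# Prints the path of the matching public key; fails if none matches.
identify_signer() {
    message=$1; signature=$2; shift 2
    for key in "$@"; do
        if verify_message "$key" "$message" "$signature"; then
            echo "$key"
            return 0
        fi
    done
    return 1
}

# Stand-alone walk-through: two servers, one message signed by server_a.
demo_signature() {
    work=$(mktemp -d)
    mkdir "$work/server_a" "$work/server_b"
    make_keypair "$work/server_a"
    make_keypair "$work/server_b"
    printf 'transfer 100 to account 42\n' > "$work/msg.txt"
    sign_message "$work/server_a/private.pem" "$work/msg.txt" "$work/msg.sig"
    identify_signer "$work/msg.txt" "$work/msg.sig" \
        "$work/server_b/public.pem" "$work/server_a/public.pem"
}
```

Run `demo_signature` and it prints the path of server_a's public key, because only that key opens the signature. Two things the digest buys are visible here: the signature is one private-key operation over a 32-byte hash no matter how long the message is, and changing even one byte of the message makes `verify_message` fail, which is the tamper-detection property of the notes.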

satya - 1/13/2015, 4:56:57 PM

Here is a PDF from IBM to see if that helps

satya - 1/13/2015, 4:59:05 PM

How does a client trust a certificate authority?

satya - 1/14/2015, 10:18:18 AM

Where are trusted CAs kept in a browser?


Mozilla Firefox: Edit / Preferences / Advanced / Certificates / Manage Certificates / Authorities
Internet Explorer: Extras / Internet options / Content / Certificates / Trusted Root CAs

satya - 1/14/2015, 10:27:56 AM

Explanation of certs from Microsoft

satya - 1/14/2015, 10:30:08 AM

self signed certificates

satya - 1/14/2015, 10:33:28 AM

Structure of a digital certificate

satya - 1/14/2015, 10:35:33 AM

There is some information here

satya - 1/14/2015, 10:38:44 AM

A PDF: Understanding certs

satya - 1/14/2015, 10:39:13 AM

Basic structure


the name of the user/entity being certified
the public key of the user/entity
the name of the certification authority
a digital signature

satya - 1/14/2015, 10:39:32 AM

Notice that the public key of the authority is not part of the certificate

satya - 1/14/2015, 10:46:58 AM

This is probably a better read from MSDN

satya - 1/14/2015, 10:47:11 AM

Summary of that

Version number: The version of the X.509 standard to which the certificate conforms.

Serial number: A number that uniquely identifies the certificate and is issued by the certification authority.

Certificate algorithm identifier: The names of the specific public key algorithms that the certification authority has used to sign the digital certificate.

Issuer name: The identity of the certification authority who actually issued the certificate.

Validity period: The period of time for which a digital certificate is valid; contains both a start date and an expiration date.

Subject name: The name of the owner of the digital certificate.

Subject public key information: The public key that is associated with the owner of the digital certificate and the specific public key algorithms associated with the public key.

Issuer unique identifier: Information that can be used to uniquely identify the issuer of the digital certificate.

Subject unique identifier: Information that can be used to uniquely identify the owner of the digital certificate.

Extensions: Additional information that is related to the use and handling of the certificate.

Certification authority's digital signature: The actual digital signature made with the certification authority's private key using the algorithm specified in the certificate algorithm identifier field.

satya - 1/14/2015, 10:52:33 AM

Here is how messages are encrypted: Note the use of session key

Message is captured.

Public key is retrieved from the recipient's digital certificate.

One-time symmetric session key is generated.

Encryption operation is performed on the message using the session key.

Session key is encrypted using the recipient's public key.

Encrypted session key is included with the encrypted message.

Message is sent.

satya - 1/14/2015, 10:53:20 AM

Here is how both tamper protection (signing) and encryption are done together

Message is captured.

Hash value of the message is calculated.

Sender's private key is retrieved from the sender's digital certificate.

Recipient's public key is retrieved from the recipient's digital certificate.

Hash value is encrypted with the sender's private key.

Encrypted hash value is appended to the message as a digital signature.

One-time symmetric session key is generated.

Encryption operation is performed on the message using a session key.

Session key is encrypted using the recipient's public key.

Encrypted session key is included with the encrypted message.

Message is sent.

satya - 1/14/2015, 10:58:57 AM

Contrasting self signed certs with others

satya - 1/14/2015, 11:02:47 AM

Kaushal Panday: A key blog that talks of azure and certs

satya - 1/14/2015, 11:08:34 AM

This article shows how a self signed cert is installed as a trusted site

satya - 1/14/2015, 11:10:40 AM

trusted certificate authorities: CA

satya - 1/14/2015, 11:15:05 AM

Using self signed SSL certs from github

satya - 1/14/2015, 11:15:44 AM

Key ideas

Generate a root CA

Use the root CA to generate server certs

Install the root CA on clients
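
The three key ideas above carried out with the openssl command line, as an added example (not code from the notes or from the GitHub page they refer to). It assumes openssl on PATH; the CA name, host name, file names and function names are made up. It also covers the self-signed case that comes up later in these notes: a server certificate signed by nobody but itself fails against the CA trust list, and becomes trusted only when that very certificate is added to the list, because for a self-signed certificate the SSL cert and the "CA cert" are one and the same file.

```shell
#!/bin/sh
# Added example (not from the original notes): a private root CA with openssl.
# Assumes openssl on PATH; names and paths below are made up.

# 1. Generate a root CA: a private key and a self-signed CA certificate.
make_root_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Internal Root CA" 2>/dev/null
}

# 2. Use the root CA to generate a server cert. The server keeps its own
#    private key and hands the CA only a signing request (CSR); the CA signs
#    it with ca.key, so the resulting cert's Issuer is the CA's Subject.
issue_server_cert() {
    ca_dir=$1; srv_dir=$2; hostname=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$srv_dir/server.key" -out "$srv_dir/server.csr" \
        -subj "/CN=$hostname" 2>/dev/null
    openssl x509 -req -days 90 -in "$srv_dir/server.csr" \
        -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" -CAcreateserial \
        -out "$srv_dir/server.crt" 2>/dev/null
}

# A server that skips the CA and signs its own certificate (self-signed).
make_self_signed_server() {
    srv_dir=$1; hostname=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$srv_dir/server.key" -out "$srv_dir/server.crt" \
        -subj "/CN=$hostname" 2>/dev/null
}

# 3. "Install the root CA on clients": the client's trust list is a file of
#    CA certs (a browser keeps the same thing under its Authorities tab).
#    -no-CApath keeps the system store out of it so only $trust_file counts.
#    Succeeds only if the server cert chains to a cert in the trust list.
client_trusts() {
    trust_file=$1; server_cert=$2
    openssl verify -no-CApath -CAfile "$trust_file" "$server_cert" >/dev/null 2>&1
}
```

With `ca.crt` installed, every certificate the CA issues is accepted without the client ever seeing the server in advance; a self-signed server certificate is accepted only by clients that added that exact certificate to their list, which is what the browser "add exception" dialog does.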

satya - 1/14/2015, 11:16:25 AM

Book: Network Security with OpenSSL

satya - 1/14/2015, 11:21:07 AM

SSL Certificate and CA Certificate

satya - 1/14/2015, 11:25:29 AM

Appears to be a good free book on SSL

satya - 1/14/2015, 11:29:04 AM

Knowing how a browser treats a self signed certificate is useful in understanding the nature

satya - 1/14/2015, 11:29:11 AM

Here is how ie does this

satya - 1/14/2015, 11:30:52 AM

My question is

There is a self signed SSL cert

There is a root CA cert

Are these different?

Does the browser get both from the web server in a self signing scenario?

Or they become one and the same?

Or a root CA cert is generated out of the SSL cert?

satya - 1/14/2015, 11:35:49 AM

Here is how to create a self signed SSL cert for Apache

satya - 1/14/2015, 11:41:03 AM

There are 2 public keys at play


The public key of the CA
The public key of the site

satya - 1/14/2015, 11:41:53 AM

What happens to the CA public key in a self signed SSL cert?

satya - 1/14/2015, 11:43:08 AM

How do browsers deal with self signed SSL certificates?

satya - 1/14/2015, 11:46:02 AM

How does a browser get access to a CA cert when presented with a self signed SSL cert?

satya - 1/14/2015, 11:49:06 AM

Here is a link with some info: SSL Certificate Not Trusted Error

satya - 1/14/2015, 11:50:00 AM

Tell your browser to trust the self-signed certificate

satya - 1/14/2015, 11:52:40 AM

Here is how it happens on ie9

satya - 1/14/2015, 11:55:56 AM

Do I need a CA to generate self signed SSL cert?

satya - 1/14/2015, 11:59:42 AM

Here is that question on SOF

satya - 1/14/2015, 12:02:23 PM

OpenSSL.org

satya - 1/14/2015, 12:07:15 PM

How to install a non-trusted CA from an SSL certificate?

satya - 1/14/2015, 12:13:11 PM

How to install a non-trusted CA certificate?

satya - 1/14/2015, 12:17:10 PM

Youtube: Configuring SSL with IIS

satya - 1/14/2015, 12:21:29 PM

Search Youtube on Self Signed certs

satya - 1/14/2015, 3:23:03 PM

public key and signature in a self signed SSL certificate

satya - 1/14/2015, 3:24:15 PM

A good nomenclature of PKI infrastructure is here

satya - 1/14/2015, 3:26:29 PM

Public Keys and Certificates

Public keys are usually transmitted as Certificates.

satya - 1/14/2015, 3:28:54 PM

info


Data - main data block
Data digest - digest of that data
Signature - privatekey(data digest)
Signed data - data + signature

satya - 1/14/2015, 3:31:45 PM

Self-Signed Certificate

A Certificate issued by a party for itself.

The Subject and Issuer of such a Certificate are the same.

The self-signed certificate contains the party's public key and is signed using the private key of the same party.

Self-Signed Certificates can be trusted only if other parties explicitly include them into their lists of "trusted authorities".
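
To tie the certificate field list summarized earlier (version, serial number, signature algorithm, issuer, validity, subject, subject public key) to the self-signed definition above, here is an added example, not from the notes or from the CommuniGate documentation, that reads those fields out of a real certificate with the openssl command line and checks "Subject and Issuer are the same" mechanically. It assumes openssl on PATH; the certificate is generated on the spot just to have one to inspect, and its name and the function names are made up.

```shell
#!/bin/sh
# Added example (not from the original notes): inspecting certificate fields
# and the self-signed property with the openssl CLI. Assumes openssl on PATH.

# Make a self-signed certificate ($1) and its private key ($2) for a made-up
# name ($3), so there is something to inspect.
make_self_signed() {
    cert=$1; key=$2; name=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$key" -out "$cert" -subj "/CN=$name" 2>/dev/null
}

# Print one field of a certificate, named after the structure summary:
# version, serial, sigalg, issuer, notbefore, notafter, subject, pubkey.
cert_field() {
    cert=$1
    case $2 in
        version)   openssl x509 -in "$cert" -noout -text |
                       sed -n 's/^ *Version: \([0-9]*\).*/\1/p' ;;
        serial)    openssl x509 -in "$cert" -noout -serial | sed 's/^serial=//' ;;
        sigalg)    openssl x509 -in "$cert" -noout -text |
                       sed -n 's/^ *Signature Algorithm: //p' | head -n 1 ;;
        issuer)    openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//' ;;
        notbefore) openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//' ;;
        notafter)  openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//' ;;
        subject)   openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//' ;;
        pubkey)    openssl x509 -in "$cert" -noout -pubkey ;;
        *)         echo "unknown field: $2" >&2; return 1 ;;
    esac
}

# Self-signed means the Subject and Issuer names are the same.
is_self_signed() {
    [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ]
}

# Public key derived from a private key file. The only key inside a
# certificate is the subject's public key (the CA's key is not part of it),
# so for a self-signed cert this must equal the cert's pubkey field, and it
# is the very key that verifies the cert's own signature.
pubkey_of() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}
```

Running `cert_field some.crt issuer` against a CA-issued certificate prints the CA's name instead of the subject's, which is the one visible difference between a CA-signed SSL cert and a self-signed one; the structure of the two files is otherwise identical.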

satya - 1/14/2015, 3:41:54 PM

What is CommuniGate Pro

satya - 1/14/2015, 3:54:08 PM

CommuniGate Pro and Instant Messaging

satya - 1/14/2015, 5:14:35 PM

Key topics I have learned


Terminology
***************
PKI
Public Key
Private Key
Session Key
Data Digests
Signatures
Certificate
Certificate Authority (CA)
Self signed certificates
Non-trusted CA
Root CA
SSL Cert
CA Cert
1-way SSL
2-way SSL
TLS

Concepts
*********
A Cert (SSL Cert) is basically a public key distributed by a CA
A CA cert is the public key of the CA, used to verify an SSL Cert and its public key
Servers keep SSL certs obtained from a CA
Clients keep trusted CA certs
Browsers preload CA certs
Browsers can be loaded with non-trusted certs
Browsers use a server SSL cert to encrypt data
Browsers can add self signed certs to trust servers
Two kinds of public keys: Public key of the CA and public key of the Server
Structure of a certificate
Both CA cert and server SSL cert have the same structure
It is usually Digests that are signed with private keys
The digest is recalculated to compare it to the decoded signature
There are no good comprehensive links to get all this in one place
Maybe read the OpenSSL book

Key places to look
*******************
See how SSL certs are generated from CA
See how self signed certs are made
See how different browsers are preloaded with CAs

satya - 1/14/2015, 5:16:01 PM

Can I do SSL or TLS at the OS level?

So that two machines can communicate for all their needs and need not worry about securing each socket connection separately. This would cover all traffic such as JDBC, HTTP, FTP etc.

satya - 1/14/2015, 5:16:21 PM

What is message level security in SOAP, REST, MQ?

satya - 1/14/2015, 5:18:42 PM

Can the same PKI public key be used both to encrypt and decrypt a signature?

For example, in a self signed cert, is the single public key used to decrypt the signature that was signed with the private key of the signer? Is the same public key used to encrypt the data to be sent to the server?

satya - 1/14/2015, 5:21:03 PM

This is precisely the question asked at this SOF

satya - 1/14/2015, 5:34:47 PM

How is public key used to verify a signature?

satya - 1/14/2015, 5:40:22 PM

Read this as well

satya - 1/15/2015, 9:12:17 AM

Role of Public Key in PKI?

Maybe....


To encrypt
To Verify

satya - 1/15/2015, 9:43:07 AM

Role of Private Key in PKI?

Maybe


To decipher (decrypt)
To sign (encrypt)

satya - 1/15/2015, 9:46:22 AM

Public Key vs Private Key

satya - 1/15/2015, 9:47:50 AM

This is a good article that talks about this

This goes to show that public and private keys are mutual and can encrypt and decrypt each other.

satya - 1/15/2015, 9:52:55 AM

Security products from Comodo

satya - 1/15/2015, 9:57:09 AM

Competitors to Comodo

satya - 1/15/2015, 9:58:34 AM

Comodo GoDaddy GeoTrust

satya - 1/15/2015, 9:58:59 AM

Comodo Verisign Thawte Digicert

satya - 1/15/2015, 9:59:48 AM

Public key Encrypt Verify

satya - 1/15/2015, 10:03:13 AM

This is a really good PDF document on how Public and Private keys work: PDF

satya - 1/15/2015, 10:05:32 AM

This is another excellent article from Mozilla Development Network. Do Read!

Internet Security Issues
Encryption and Decryption
Digital Signatures
Certificates and Authentication
Managing Certificates

Types of Certificates
SSL Protocol
Signed and Encrypted Email
Form Signing
Single Sign-On
Object Signing

satya - 1/15/2015, 10:08:56 AM

Here is a set of security related articles from Mozilla

satya - 1/15/2015, 11:01:17 AM

TLS, SSL Books

satya - 1/15/2015, 11:05:02 AM

Some book names


OpenSSL from O'Reilly
SSL and TLS: Theory and Practice [Book]
SSL and TLS: Designing and Building Secure Systems [Book]
Bulletproof SSL and TLS [Book]
Implementing SSL / TLS Using Cryptography and PKI [Book]
SSL & TLS Essentials: Securing the Web [Book]
SSL and Remote Access VPNs [Book]
OpenVPN. Ursprung und TLS/ SSL [Book]
SSL VPN: Understanding, Evaluating, and Planning Secure, Web-based 
Protocols for Secure Electronic Commerce, Second Edition [Book]
Apache Security [Book]