This note will research how information is sent to and received from an enterprise: What is channel level security? What is message level security? What is SSL? What is Mutual Auth? What are certificates? How is this handled in SOAP? How is this handled in REST? And perhaps more along those lines.
With this research I have learned what PKI is, what public and private keys are, what signatures are, what certificates are, what CA certificates and SSL certificates are, how web servers manage their certificates, how web browsers manage their CA certificates, what self signing is, and more...
Companies, Books, Tools, and Online Resources.
satya - 1/13/2015, 10:38:01 AM
SSL, MutualAuth, Certificates
satya - 1/13/2015, 10:40:43 AM
This looks like a nice article to start with
satya - 1/13/2015, 10:43:50 AM
How is SSL different from SSL with Mutual Authentication?
satya - 1/13/2015, 10:44:16 AM
Mutual SSL authentication
satya - 1/13/2015, 10:44:44 AM
1-way SSL 2-way authentications
satya - 1/13/2015, 12:24:57 PM
Understand public keys first
An entity can publish a (public) key
This public key can be used by any number of consumers to encrypt data using that key
Only the owner of the public key (the holder of the matching private key) can decrypt the data.
This is the intent of the public key
satya - 1/13/2015, 12:25:21 PM
Key concepts
Keys (public/private)
Signatures
Certificates
satya - 1/13/2015, 3:54:28 PM
Some recommendations I have got for further reading
satya - 1/13/2015, 3:57:47 PM
Use of public keys in upstream traffic
Server publishes a single public key for all clients
Many clients send messages to a server
A client can be sure that no other client can understand that message, not even the sending client itself
An example would be a million browsers sending data to a given web server
No other web server can understand this traffic
No other web client or interceptor can understand this traffic
Call it the encryption principle
Controlled by a server
satya - 1/13/2015, 4:11:17 PM
Reverse Pattern
A server publishes a key for everyone to see and get
Very many servers can then send a message to a client
The client can take each encrypted message and see which key opens it
If a key opens a message then that message must have come from the respective server
Then the message is a "signature" of that server
satya - 1/13/2015, 4:23:18 PM
Message Digest
Easy to compute
Attach it to the long message
The digest is probably encrypted using keys
Stops tampering with the original message
Likely saves the need to encrypt the whole message
satya - 1/13/2015, 4:56:57 PM
Here is a PDF from IBM to see if that helps
satya - 1/13/2015, 4:59:05 PM
How does a client trust a certificate authority?
satya - 1/14/2015, 10:18:18 AM
Where are trusted CAs kept in a browser?
Mozilla Firefox: Edit / Preferences / Advanced / Certificates / Manage Certificates / Authorities
Internet Explorer: Extras / Internet options / Content / Certificates / Trusted Root CAs
satya - 1/14/2015, 10:27:56 AM
Explanation of certs from Microsoft
satya - 1/14/2015, 10:30:08 AM
self signed certificates
satya - 1/14/2015, 10:33:28 AM
Structure of a digital certificate
satya - 1/14/2015, 10:39:13 AM
Basic structure
the name of the user/entity being certified
the public key of the user/entity
the name of the certification authority
a digital signature
satya - 1/14/2015, 10:39:32 AM
Notice that the public key of the authority is not part of the certificate
satya - 1/14/2015, 10:46:58 AM
This is probably a better read from MSDN
satya - 1/14/2015, 10:47:11 AM
Summary of that
Version number - The version of the X.509 standard to which the certificate conforms.
Serial number - A number that uniquely identifies the certificate and is issued by the certification authority.
Certificate algorithm identifier - The names of the specific public key algorithms that the certification authority has used to sign the digital certificate.
Issuer name - The identity of the certification authority who actually issued the certificate.
Validity period - The period of time for which a digital certificate is valid; contains both a start date and an expiration date.
Subject name - The name of the owner of the digital certificate.
Subject public key information - The public key that is associated with the owner of the digital certificate and the specific public key algorithms associated with the public key.
Issuer unique identifier - Information that can be used to uniquely identify the issuer of the digital certificate.
Subject unique identifier - Information that can be used to uniquely identify the owner of the digital certificate.
Extensions - Additional information that is related to the use and handling of the certificate.
Certification authority's digital signature - The actual digital signature made with the certification authority's private key using the algorithm specified in the certificate algorithm identifier field.
satya - 1/14/2015, 10:52:33 AM
Here is how messages are encrypted. Note the use of a session key
Message is captured.
Public key is retrieved from the recipient's digital certificate.
One-time symmetric session key is generated.
Encryption operation is performed on the message using the session key.
Session key is encrypted using the recipient's public key.
Encrypted session key is included with the encrypted message.
Message is sent.
satya - 1/14/2015, 10:53:20 AM
Here is doing both tamper protection (signing) and encryption
Message is captured.
Hash value of the message is calculated.
Sender's private key is retrieved from the sender's digital certificate.
Recipient's public key is retrieved from the recipient's digital certificate.
Hash value is encrypted with the sender's private key.
Encrypted hash value is appended to the message as a digital signature.
One-time symmetric session key is generated.
Encryption operation is performed on the message using a session key.
Session key is encrypted using the recipient's public key.
Encrypted session key is included with the encrypted message.
Message is sent.
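The two procedures above (hybrid encryption with a one-time session key, and signing plus encryption), worked through as an added Python example that is not from this page or from the MSDN article it summarizes. The RSA key pairs are built from fixed, well-known Mersenne primes and the SHA-256 keystream cipher stands in for AES; both are constructed for illustration only.

```python
import hashlib
import os

# Toy textbook RSA over two fixed Mersenne primes per key, constructed so the demo is
# deterministic and offline. Real keys use random primes and PKCS#1 padding (OAEP, PSS).
def keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher standing in for AES: XOR with a SHA-256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(message: bytes, sender_priv, recipient_pub) -> dict:
    """Sender side: hash, sign the hash with the sender's private key, encrypt the
    message with a one-time session key, wrap that key with the recipient's public key."""
    n_s, d_s = sender_priv                                # sender's own private key
    signature = pow(digest(message), d_s, n_s)            # encrypted hash = signature
    session_key = os.urandom(32)                          # one-time symmetric key
    n_r, e_r = recipient_pub                              # from recipient's certificate
    return {"ciphertext": stream_xor(session_key, message),
            "wrapped_key": pow(int.from_bytes(session_key, "big"), e_r, n_r),
            "signature": signature}

def open_envelope(env: dict, recipient_priv, sender_pub) -> bytes:
    """Recipient side: unwrap the session key, decrypt, then recompute the digest
    and compare it with the signature decoded using the sender's public key."""
    n_r, d_r = recipient_priv
    session_key = pow(env["wrapped_key"], d_r, n_r).to_bytes(32, "big")
    message = stream_xor(session_key, env["ciphertext"])
    n_s, e_s = sender_pub
    if pow(env["signature"], e_s, n_s) != digest(message):
        raise ValueError("signature check failed: tampered message or wrong sender")
    return message

# Constructed key pairs: M521*M607 for the sender, M1279*M2203 for the recipient.
SENDER_PUB, SENDER_PRIV = keypair((1 << 521) - 1, (1 << 607) - 1)
RECIPIENT_PUB, RECIPIENT_PRIV = keypair((1 << 1279) - 1, (1 << 2203) - 1)

if __name__ == "__main__":
    env = seal(b"transfer 100 to account 42", SENDER_PRIV, RECIPIENT_PUB)
    print(open_envelope(env, RECIPIENT_PRIV, SENDER_PUB))
```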
satya - 1/14/2015, 10:58:57 AM
Contrasting self signed certs with others
satya - 1/14/2015, 11:02:47 AM
Kaushal Panday: A key blog that talks of Azure and certs
satya - 1/14/2015, 11:08:34 AM
This article shows how a self signed cert is installed as a trusted site
satya - 1/14/2015, 11:10:40 AM
trusted certificate authorities: CA
satya - 1/14/2015, 11:15:05 AM
Using self signed SSL certs from GitHub
satya - 1/14/2015, 11:15:44 AM
Key ideas
Generate a root CA
Use the root CA to generate server certs
Install the root CA on clients
satya - 1/14/2015, 11:16:25 AM
Book: Network Security with OpenSSL
satya - 1/14/2015, 11:21:07 AM
SSL Certificate and CA Certificate
satya - 1/14/2015, 11:25:29 AM
Appears to be a good free book on SSL
satya - 1/14/2015, 11:29:04 AM
Knowing how a browser treats a self signed certificate is useful in understanding the nature
satya - 1/14/2015, 11:30:52 AM
My question is
There is a self signed SSL cert
There is a root CA cert
Are these different?
Does the browser get both from the web server in a self signing scenario?
Or do they become one and the same?
Or is a root CA cert generated out of the SSL cert?
satya - 1/14/2015, 11:35:49 AM
Here is how to create a self signed SSL cert for Apache
satya - 1/14/2015, 11:41:03 AM
There are 2 public keys at play
The public key of the CA
The public key of the site
satya - 1/14/2015, 11:41:53 AM
What happens to the CA public key in a self signed SSL cert?
satya - 1/14/2015, 11:43:08 AM
How do browsers deal with self signed SSL certificates?
satya - 1/14/2015, 11:46:02 AM
How does a browser get access to a CA cert when presented with a self signed SSL cert?
satya - 1/14/2015, 11:49:06 AM
Here is a link with some info: SSL Certificate Not Trusted Error
satya - 1/14/2015, 11:50:00 AM
Tell your browser to trust the self-signed certificate
satya - 1/14/2015, 11:55:56 AM
Do I need a CA to generate self signed SSL cert?
satya - 1/14/2015, 12:07:15 PM
How to install a non-trusted CA from an SSL certificate?
satya - 1/14/2015, 12:13:11 PM
How to install a non-trusted CA certificate?
satya - 1/14/2015, 12:21:29 PM
Search Youtube on Self Signed certs
satya - 1/14/2015, 3:23:03 PM
public key and signature in a self signed SSL certificate
satya - 1/14/2015, 3:24:15 PM
A good nomenclature of PKI infrastructure is here
satya - 1/14/2015, 3:26:29 PM
Public Keys and Certificates
Public keys are usually transmitted as Certificates.
satya - 1/14/2015, 3:28:54 PM
info
data - main data block
Data digest - digest of that data
Signature - privatekey(data-digest)
Signed Data - data + signature
satya - 1/14/2015, 3:31:45 PM
Self-Signed Certificate
A Certificate issued by a party for itself.
The Subject and Issuer of such a Certificate are the same.
The Self-Signed Certificate contains the party's Public Key and is signed using the Private Key of the same party.
Self-Signed Certificates can be trusted only if other parties explicitly include them into their lists of "trusted authorities".
satya - 1/14/2015, 3:41:54 PM
What is CommuniGate Pro
satya - 1/14/2015, 3:54:08 PM
CommuniGate Pro and Instant Messaging
satya - 1/14/2015, 5:14:35 PM
Key topics I have learned
Terminology
***************
PKI
Public Key
Private Key
Session Key
Data Digests
Signatures
Certificate
Certificate Authority (CA)
Self signed certificates
Non-trusted CA
Root CA
SSL Cert
CA Cert
1-way SSL
2-way SSL
TLS
Concepts
*********
A Cert (SSL Cert) is basically a public key distributed by a CA
CA cert is the public key of the CA, used to verify an SSL Cert and its public key
Servers keep SSL certs obtained from CA
Clients keep trusted CA certs
Browsers preload CA certs
Browsers can be loaded with non-trusted certs
Browsers use a server SSL cert to encrypt data
Browsers can add self signed certs to trust servers
Two kinds of public keys: Public key of the CA and public key of the Server
Structure of a certificate
Both CA cert and server SSL cert have the same structure
It is usually Digests that are signed with private keys
Digest is recalculated to compare it to the decoded signature
There are no good comprehensive links to get all this in one place
Maybe read the OpenSSL book
Key places to look
*******************
See how SSL certs are generated from CA
See how self signed certs are made
See how different browsers are preloaded with CAs
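An added Python model (not the page's own code, nor from any of the linked articles) covering the certificate structure above, the self-signed questions, and the concept summary: a cert carries the subject's public key and the issuer's signature but not the issuer's public key, so the client must already hold the CA cert in its trust store. The RSA keys come from fixed Mersenne primes and "Example Root CA" / www.example.com are constructed names.

```python
import hashlib

# Toy textbook RSA over fixed Mersenne primes (constructed, deterministic, offline).
# Real CAs use random primes, PKCS#1 padding and X.509 DER encoding.
def keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def to_be_signed(subject: str, pub, issuer: str) -> bytes:
    # The fields covered by the CA's signature: subject name, subject public key,
    # issuer name. The issuer's OWN public key is not among them; the client must
    # already hold it, in the CA cert of its trust store.
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()

def issue(subject: str, subject_pub, issuer: str, issuer_priv) -> dict:
    n, d = issuer_priv
    sig = pow(digest(to_be_signed(subject, subject_pub, issuer)), d, n)
    return {"subject": subject, "pub": subject_pub, "issuer": issuer, "sig": sig}

def self_sign(name: str, pub, priv) -> dict:
    return issue(name, pub, name, priv)          # subject == issuer, own private key

def verify_with(cert: dict, issuer_pub) -> bool:
    n, e = issuer_pub
    expected = digest(to_be_signed(cert["subject"], cert["pub"], cert["issuer"]))
    return pow(cert["sig"], e, n) == expected    # decoded signature vs recomputed digest

def client_accepts(cert: dict, trust_store: dict) -> bool:
    """Browser side: look the issuer up in the local trust store and verify with THAT cert's
    public key. A self-signed cert verifies with its own key, but only once the user added it."""
    ca = trust_store.get(cert["issuer"])
    return ca is not None and verify_with(cert, ca["pub"])

# Constructed key pairs: M521*M607 for the root CA, M1279*M2203 for the site.
ROOT_PUB, ROOT_PRIV = keypair((1 << 521) - 1, (1 << 607) - 1)
SITE_PUB, SITE_PRIV = keypair((1 << 1279) - 1, (1 << 2203) - 1)
ROOT_CERT = self_sign("Example Root CA", ROOT_PUB, ROOT_PRIV)                 # the CA cert
SITE_CERT = issue("www.example.com", SITE_PUB, "Example Root CA", ROOT_PRIV)  # CA-issued SSL cert
SELF_SIGNED_SITE = self_sign("www.example.com", SITE_PUB, SITE_PRIV)          # self-signed SSL cert

if __name__ == "__main__":
    store = {"Example Root CA": ROOT_CERT}                 # preloaded trusted CA
    print(client_accepts(SITE_CERT, store))                # True
    print(client_accepts(SELF_SIGNED_SITE, store))         # False: issuer not trusted
    store["www.example.com"] = SELF_SIGNED_SITE            # user adds an exception
    print(client_accepts(SELF_SIGNED_SITE, store))         # True
```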
satya - 1/14/2015, 5:16:01 PM
Can I do SSL or TLS at the OS level?
So that two machines can communicate securely for all their needs and need not worry about securing each socket connection. This would cover all traffic such as JDBC, HTTP, FTP etc.
satya - 1/14/2015, 5:16:21 PM
What is message level security in SOAP, REST, MQ?
satya - 1/14/2015, 5:18:42 PM
Can the same PKI public key be used both to encrypt and decrypt a signature?
For example, in a self signed cert, is the single public key used to decrypt the signature that is signed with the private key of the signer? Is the same public key used to encrypt the data to be sent to the server?
satya - 1/14/2015, 5:21:03 PM
This is precisely the question asked at this SOF
satya - 1/14/2015, 5:34:47 PM
How is public key used to verify a signature?
satya - 1/15/2015, 9:12:17 AM
Role of Public Key in PKI?
Maybe...
To encrypt
To Verify
satya - 1/15/2015, 9:43:07 AM
Role of Private Key in PKI?
Maybe
To decipher (decrypt)
To sign (encrypt)
satya - 1/15/2015, 9:46:22 AM
Public Key vs Private Key
satya - 1/15/2015, 9:47:50 AM
This is a good article that talks about this
This goes to show that public and private keys are complementary: what one encrypts, the other can decrypt.
satya - 1/15/2015, 9:57:09 AM
Competitors to Comodo
satya - 1/15/2015, 9:58:34 AM
Comodo GoDaddy GeoTrust
satya - 1/15/2015, 9:58:59 AM
Comodo Verisign Thawte Digicert
satya - 1/15/2015, 9:59:48 AM
Public key Encrypt Verify
satya - 1/15/2015, 10:03:13 AM
This is a really good PDF document on how Public and Private keys work: PDF
satya - 1/15/2015, 10:05:32 AM
This is another excellent article from Mozilla Development Network. Do Read!
Internet Security Issues
Encryption and Decryption
Digital Signatures
Certificates and Authentication
Managing Certificates
Types of Certificates
SSL Protocol
Signed and Encrypted Email
Form Signing
Single Sign-On
Object Signing
satya - 1/15/2015, 10:08:56 AM
Here is a set of security related articles from Mozilla
satya - 1/15/2015, 11:05:02 AM
Some book names
OpenSSL from O'Reilly
SSL and TLS: Theory and Practice [Book]
SSL and TLS: Designing and Building Secure Systems [Book]
Bulletproof SSL and TLS [Book]
Implementing SSL / TLS Using Cryptography and PKI [Book]
SSL & TLS Essentials: Securing the Web [Book]
SSL and Remote Access VPNs [Book]
OpenVPN. Ursprung und TLS/ SSL [Book]
SSL VPN: Understanding, Evaluating, and Planning Secure, Web-based
Protocols for Secure Electronic Commerce, Second Edition [Book]
Apache Security [Book]