HTTPS & SSL – What it is, how it works, and how to configure this godforsaken technology – Encryption

View Github Repository Open presentation in a new window

coacoas

See all presentation from coacoas

HTTPS & SSL – What it is, how it works, and how to configure this godforsaken technology – Encryption

0 0

ssl-tools-presentation

Quick and dirty, very entry-level presentation on encryption, SSL, and using openssl and keytool to generate keystores.

On Github coacoas / ssl-tools-presentation

HTTPS & SSL

What it is, how it works, and how to configure this godforsaken technology

Encryption

Symmetric Encryption

Message: HELLO
Key: AUJTK
Ciphertext: IZVFZ

The key is shared between all parties.

Encryption and decryption is very fast.

Asymmetric Encryption

Public Certificate Encrypts data Private Key Decrypts data
Anyone can have the public certificate. Only the private key can decrypt data.

I am not going into the math on this one.

So, how does it work?

HTTPS Handshake

Secure HTTPS request made

Sends Certificate

Client autnenticates certificate against trusted certificates

Acknowledge Certificate, provide encrypted shared key

Data continues being sent, using the symmetric key for encryptions

Vocabulary

Certificate Used for encryption and identity verification Private Key Used to decrypt values encrypted using the matching public certificate. Generated by the requesting entity. Certificate Signing Request (CSR) Used to request a signed certificate from a Certificate Authority (CA) Certificate Authority A trusted vendor that issues digital certificates. Self-signed Certificate A certificate not signed by a Certificate Authority. Used mostly for development.

Certificate Formats

PEM
-----BEGIN CERTIFICATE-----
MIIFOzCCBCOgAwIBAgIHTqhITt5W5TANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMS0wKwYDVQQLEyRodHRwOi8vY2VydHMu
...
85sKysdk4OjNmeXGIauzQ60f0vUHNrTDToz3lOrybHcgOKPiguCJV4IVpKAr7vCq
5QyvPlRodJUCajhZISW3RmoFcBOQQInFv2qFXDpRIGmQUFIHiRBC0r2f5UP5a48=
-----END CERTIFICATE-----
DER

Binary formatted data

Certificate File Extensions

CRT

Encoding for public certificates. Can be either DER or PEM format. Most commonly seen in *nix systems.

CER

Practically synonymous with CER. Most commonly seen in Windows systems.

KEY

Typically used for private keys (PKCS#8). Can be either DER or PEM.

Tools

openssl

keytool

  • Used to work with Java Keystores
  • Distributed as part of the Java Runtime Environment
  • Available in \bridgegate\java\bin

Let's take a look

Cheat Sheet

Convert from DER to PEM

openssl x509 -in <file> -inform DER -out <target> -outform PEM

Import a certificate to a keystore

keytool -importcert -keystore <filename> -file <public cert filename> \
    [-alias <alias>]

Import a public/private key pair to a keystore

openssl pkcs12 -in <certificate> -inkey <key> -export -out <keystore.p12>

keytool -importkeystore -srckeystore <keystore.p12> -srcstoretype pkcs12 \
    -destkeystore <keystore.jks> -srcalias <p12 alias> \
    -destalias <jks alias>

Cheat Sheet

Generate a self-signed certificate

keytool -keysize 2048 -genkey -alias <alias> -keyalg RSA -keystore <keystore.jks>

Generate a self-signed certificate with v3 extensions

openssl -genrsa -des3 -out <keyfile> 2048
openssl req -new -key <keyfile> -out <csrfile>
openssl x509 -req -days 3650 -in <csrfile> -inkey <keyfile> -out bg.crt \
        [-extfile <extensions]

Extensions file (valid values described at https://www.openssl.org/docs/apps/x509v3_config.html): 

basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyCertSign
extendedKeyUsage=serverAuth,clientAuth
authorityKeyIdentifier=keyid,issuer
subjectAltName=URI:bridgegatetest.com,URI:*.bridgegatetest.com

?