Wednesday, August 19, 2009

How to create SSL certificates with OpenSSL on the command line

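# 1. Generate a 1024-bit RSA private key, encrypted with 3DES under the passphrase.
#    (pass: on the command line is visible in the process list; file: or env: avoids that.)
openssl genrsa -des3 -passout pass:yourpassword -out /path/to/your/key_file 1024

# 2. Create a certificate signing request (CSR) for that key.
openssl req -new -passin pass:yourpassword -passout pass:yourpassword -key /path/to/your/key_file -out /path/to/your/csr_file

# 3. Self-sign the request to produce an X.509 certificate valid for 365 days.
openssl req -x509 -passin pass:yourpassword -passout pass:yourpassword -key /path/to/your/key_file -in /path/to/your/csr_file -out /path/to/your/crt_file -days 365

# 4. Write a copy of the private key with the passphrase removed.
openssl rsa -passin pass:yourpassword -in /path/to/your/key_file -out /path/to/your/key_file2

# 5. Make the unencrypted key readable by its owner only.
chmod 400 /path/to/your/key_file2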

Monday, August 17, 2009

What is SSL

Netscape created the first version (1.1) of the SSL protocol in 1994. It has evolved since then, and the final version 1.3 has been accepted as a standard in the web community for secure wire transfers. SSL is used to send data in encrypted form over the wire. Encryption is necessary when you are sending sensitive data such as funds transactions, credit card data, or any other data that you feel should be protected from unauthorized access and should reach safe hands.

SSL is meant to ensure that your data reaches safe hands. But how does it all happen? Before we discuss the process, let me introduce some key terms that you need to know to understand the whole process better.

Certificate: A certificate, or digital certificate, is an electronic document used to establish trust between the two parties (client and server) who want to communicate over the wire. It contains the following information, which is used to establish authenticity and trust between the two parties:

  • Information about the owner of the certificate, such as e-mail address and owner’s name
  • Certificate usage, duration of validity
  • Resource location or Distinguished Name (DN), which includes the Common Name (CN) (web site address or e-mail address, depending on the usage), and the certificate ID of the person who certifies (signs) this information.

Let's also have a look at how beautiful a certificate looks:

Certificate:

Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=FJ, ST=Fiji, L=harpreet, O=SOPAC, OU=ICT, CN=SOPAC Root CA/Email=administrator@harpreet.com
Validity
Not Before: Nov 20 05:47:44 2001 GMT
Not After : Nov 20 05:47:44 2002 GMT
Subject: C=DI, ST=DIRECT, L=sardar, O=DIRECT, OU=ICT, CN=www.directi.com/Email=administrator@harpreet.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ba:54:2c:ab:88:74:aa:6b:35:a5:a9:c1:d0:5a:
9b:fb:6b:b5:71:bc:ef:d3:ab:15:cc:5b:75:73:36:
b8:01:d1:59:3f:c1:88:c0:33:91:04:f1:bf:1a:b4:
7a:c8:39:c2:89:1f:87:0f:91:19:81:09:46:0c:86:
08:d8:75:c4:6f:5a:98:4a:f9:f8:f7:38:24:fc:bd:
94:24:37:ab:f1:1c:d8:91:ee:fb:1b:9f:88:ba:25:
da:f6:21:7f:04:32:35:17:3d:36:1c:fb:b7:32:9e:
42:af:77:b6:25:1c:59:69:af:be:00:a1:f8:b0:1a:
6c:14:e2:ae:62:e7:6b:30:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FE:04:46:ED:A0:15:BE:C1:4B:59:03:F8:2D:0D:ED:2A:E0:ED:F9:2F
X509v3 Authority Key Identifier:
keyid:E6:12:7C:3D:A1:02:E5:BA:1F:DA:9E:37:BE:E3:45:3E:9B:AE:E5:A6
DirName:/C=FJ/ST=Fiji/L=Suva/O=SOPAC/OU=ICT/CN=SOPAC Root CA/Email=administrator@harpreet.com
serial:00
Signature Algorithm: md5WithRSAEncryption
34:8d:fb:65:0b:85:5b:e2:44:09:f0:55:31:3b:29:2b:f4:fd:
aa:5f:db:b8:11:1a:c6:ab:33:67:59:c1:04:de:34:df:08:57:
2e:c6:60:dc:f7:d4:e2:f1:73:97:57:23:50:02:63:fc:78:96:
34:b3:ca:c4:1b:c5:4c:c8:16:69:bb:9c:4a:7e:00:19:48:62:
e2:51:ab:3a:fa:fd:88:cd:e0:9d:ef:67:50:da:fe:4b:13:c5:
0c:8c:fc:ad:6e:b5:ee:40:e3:fd:34:10:9f:ad:34:bd:db:06:
ed:09:3d:f2:a6:81:22:63:16:dc:ae:33:0c:70:fd:0a:6c:af:
bc:5a

Besides the above information, notice that the certificate also contains public key information.

Public Key / Private Key: The keys are based on prime numbers, and their length in bits determines how difficult it is to decrypt a message without having the key pair. This is the key with which the data to be transferred over the wire is encrypted. The process is known as public-key cryptography, or asymmetric cryptography. By asymmetric we mean that the keys used to encrypt and decrypt the message are different. The private key is no different in kind from the public key; the only difference, as the name suggests, is that it is always kept secret. A message encrypted with the public key can only be decrypted using the private key, and vice versa.

Now that you know these terms, I would like to pen down the simple steps in which the whole encryption/decryption process happens:

  1. A client (browser) requests a secure page (https).
  2. The web server first sends its public key enclosed within a certificate.
  3. The client checks that the certificate was issued by a trusted party (usually a trusted Certificate Authority), that the certificate is still valid, and that the certificate is related to the site contacted.
  4. The client uses the public key of the certificate to encrypt the data and sends it to the server.
  5. The server decrypts the message using the private key.
  6. The server then processes the request, encrypts the result data using its private key, and sends it back to the client.
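
The three checks from step 3, as an added example run with the openssl CLI (not part of the original post). The demo CA, the host names, the file names and the function names check_server_cert and make_demo_certs are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: the client-side certificate checks from step 3.
# The CA, www.example.test and all file names are constructed for this demo.
set -eu

# Usage: check_server_cert <trusted-ca.pem> <server-cert.pem> <host-contacted>
check_server_cert() {
    # Still valid: -checkend 0 fails if notAfter is already in the past.
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null \
        || { echo expired; return 0; }
    # Issued by a trusted party: the chain must verify against our CA file.
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$' \
        || { echo untrusted; return 0; }
    # Related to the site contacted: the host must match the SAN or the CN.
    openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match' \
        || { echo name-mismatch; return 0; }
    echo ok
}

# Build in directory $1: a demo CA, a certificate it signs, and a
# self-signed certificate that merely carries the same name.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/site.key" -out "$1/site.csr" 2>/dev/null
    openssl x509 -req -in "$1/site.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/site.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=www.example.test" -days 1 \
        -keyout "$1/fake.key" -out "$1/fake.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
check_server_cert "$demo_dir/ca.crt" "$demo_dir/site.crt" www.example.test
check_server_cert "$demo_dir/ca.crt" "$demo_dir/site.crt" other.example.test
check_server_cert "$demo_dir/ca.crt" "$demo_dir/fake.crt" www.example.test
```

A certificate that carries the right name but does not chain to a trusted CA is rejected before the name is even compared, which is why the issuer check matters as much as the name check.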

The above type of encryption mechanism is known as asymmetric cryptography, as the keys involved in encryption and decryption are different. But there is a flaw in the above process. The data sent by the server back to the client can be decrypted by any client that has ever contacted the server, because all those clients have the public key from the certificate (as you know, the public key is distributed openly with the certificate). So the above process offers only one-way protection of the data.

To solve this problem, the above process needs to be modified a little. The solution is to have a key that only the client and the server know about and that is unique for every single session. This is achieved by a process called Key Exchange. In this process, after receiving the public key for the first time from the server certificate, the client generates a random key and encrypts it using the public key. This key is then sent to the server, which decrypts it, and thus they have a key which only the client and the server know about. Any further communication between the client and the server happens using this key. That is, the server uses that key to encrypt the messages sent to the client, and so does the client. In fact, the same key is used to decrypt the messages, so the same key is used for both encryption and decryption. This process is therefore also known as symmetric cryptography. Since the same key is used, this form of communication is relatively faster than the asymmetric one.

For the symmetric encryption, the above process is changed as follows:

4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server, together with the encrypted URL required and other encrypted HTTP data.

5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.

6. The web server sends back the requested HTML document and HTTP data encrypted with the symmetric key.

7. The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information.
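
The key exchange described above, replayed with the openssl CLI as an added example that is not part of the original post. The host name example.test, the file names, the two messages and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: session-key exchange followed by symmetric encryption.
# File names, example.test and the messages are constructed for this demo.
set -eu

# AES-256-CBC over stdin with hex key $1 and hex IV $2 (the IV is not secret).
sym_enc() { openssl enc -aes-256-cbc -K "$1" -iv "$2"; }
sym_dec() { openssl enc -d -aes-256-cbc -K "$1" -iv "$2"; }

key_exchange_demo() {
    d=$(mktemp -d)
    # Server: private key plus a self-signed certificate carrying the public key.
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" -days 1 \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
    chmod 400 "$d/server.key"

    # Client: random 256-bit session key, encrypted to the certificate's public key.
    client_key=$(openssl rand -hex 32)
    printf '%s' "$client_key" | openssl pkeyutl -encrypt -certin \
        -inkey "$d/server.crt" -pkeyopt rsa_padding_mode:oaep -out "$d/session.enc"

    # Server: only the private key recovers the session key.
    server_key=$(openssl pkeyutl -decrypt -inkey "$d/server.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$d/session.enc")

    # Anyone holding just the certificate cannot: pkeyutl refuses to decrypt.
    if openssl pkeyutl -decrypt -certin -inkey "$d/server.crt" \
        -pkeyopt rsa_padding_mode:oaep -in "$d/session.enc" >/dev/null 2>&1
    then cert_only=decrypted; else cert_only=refused; fi

    # Request and response both travel under the shared session key.
    iv1=$(openssl rand -hex 16); iv2=$(openssl rand -hex 16)
    printf 'GET /account' | sym_enc "$client_key" "$iv1" > "$d/req.enc"
    request=$(sym_dec "$server_key" "$iv1" < "$d/req.enc")
    printf 'balance=42' | sym_enc "$server_key" "$iv2" > "$d/resp.enc"
    response=$(sym_dec "$client_key" "$iv2" < "$d/resp.enc")

    rm -rf "$d"
    echo "$request|$response|$cert_only"
}

key_exchange_demo
```

Real TLS additionally authenticates every record, which the bare CBC encryption here does not, so this shows the key flow only.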

SSL Limitations:

  1. Point-to-point security: SSL only offers point-to-point security rather than end-to-end security. By end-to-end we mean the case where data must travel from one end to the other through various nodes in between, each of which needs to process it; this requires the cumbersome task of encrypting and decrypting the data at each point where processing is required, until the data reaches its final destination.
  2. Acts at the transport layer and not at the message layer: This means that SSL provides security only as long as the data is on the wire, i.e. online; as soon as the data is downloaded to the physical disk, the security is lost.
  3. It's atomic encryption: In SSL, it is not possible to encrypt or secure only a part of a long file and keep the rest as it is. It either encrypts the whole of the data or none of it.