Certificates: Difference between revisions

← Older edit

Certificates (view source)

Revision as of 20:24, 16 August 2022

5,806 bytes added , 1 year ago

→‎Troubleshooting

Amanjosan2008

Bureaucrats, Administrators

4,400

edits

Revision as of 21:53, 2 December 2019 (view source) Amanjosan2008 (talk \| contribs) (→‎X.509 Certificate) ← Older edit		Latest revision as of 20:24, 16 August 2022 (view source) Amanjosan2008 (talk \| contribs) (→‎Troubleshooting)
(4 intermediate revisions by the same user not shown)
Line 2: __TOC__ <br /> = Public-key cryptography = Asymmetric cryptography is a cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. The generation of such keys depends on cryptographic algorithms based on mathematical problems to produce one-way functions. Effective security only requires keeping the private key private; the public key can be openly distributed without compromising security. In such a system, any person can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key. ;Digital Signature A sender can combine a message with a private key to create a short digital signature on the message. Anyone with the sender's corresponding public key can combine the same message and the supposed digital signature associated with it to verify whether the signature was valid, i.e. made by the owner of the corresponding private key. ;Prime Numbers & Encryption Product of 2 large random Prime Numbers is the backbone of Encryption. 11 x 17 = 187 Cracking the encryption means figuring out the 2 factors. Using Brute Force it takes decades with today's computers. If 2 numbers are known (a private key), it takes a split second. The numbers in largest known prime number: 17,425,170. The Public key is made up in part by calculating the number of integers that share no common factors that are less than the product of 2 Prime Numbers. = X.509 Certificate = Line 18 ⟶ 41: This contains information identifying the applicant and the applicant's public key that is used to verify the signature of the CSR - and the Distinguished Name (DN) that the certificate is for. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority. The ~~certification~~Certification ~~authority~~Authority issues a certificate binding a public key to a particular distinguished name. An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system. Browsers such as Internet Explorer, Firefox, Opera, Safari and Chrome come with a predetermined set of root certificates pre-installed. Line 41 ⟶ 64: Certificate Signature Algorithm Certificate Signature The serial number must be unique for each certificate issued by a specific CA. = OpenSSL = Line 107 ⟶ 133: * Cert tools: https://www.sslshopper.com/ssl-certificate-tools.html = Misc = <pre> A session symmetric key between two parties is used only once. The symmetric (shared) key in the Diffie-Hellman method is K = g xy mod p. In public-key cryptography, everyone has access to everyone’s public key; public keys are available to the public. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume that g = 7 and p = 23. The steps are as follows: 1. Alice chooses x = 3 and calculates R 1 = 7 3 mod 23 = 21. 2. Alice sends the number 21 to Bob. 3. Bob chooses y = 6 and calculates R 2 = 7 6 mod 23 = 4. 4. Bob sends the number 4 to Alice. 5. Alice calculates the symmetric key K = 4 3 mod 23 = 18. Bob calculates the symmetric key K = 21 6 mod 23 = 18. The value of K is the same for both Alice and Bob; g xy mod p = 7 18 mod 35 = 18. Public Announcement: The naive approach is to announce public keys publicly. Bob can put his public key on his website or announce it in a local or national newspaper. When Alice needs to send a confidential message to Bob, she can obtain Bob’s public key from his site or from the newspaper, or even send a message to ask for it. This approach, however, is not secure; it is subject to forgery. For example, Eve could make such a public announcement. Before Bob can react, damage could be done. Eve can fool Alice into sending her a message that is intended for Bob. Eve could also sign a document with a corresponding forged private key and make everyone believe it was signed by Bob. The approach is also vulnerable if Alice directly requests Bob’s public key. Eve can intercept Bob’s response and substitute her own forged public key for Bob’s public key. ---- CSR has a Public Key. CA signs it. Certificate is a proof of public key. Encrypt using public key & receiver decrypts using private key. There are two types of certificate authorities (CAs), root CAs and intermediate CAs. Certificate 1 - Issued To: example.com; Issued By: Intermediate CA 1 Certificate 2 - Issued To: Intermediate CA 1; Issued By: Intermediate CA 2 Certificate 3 - Issued To: Intermediate CA 2; Issued By: Intermediate CA 3 Certificate 4 - Issued To: Intermediate CA 3; Issued By: Root CA Root CA certificates, on the other hand, are "Issued To" and "Issued By" themselves, For enhanced security purposes, most end user certificates today are issued by intermediate certificate authorities. Installing an intermediate CA signed certificate on a web server or load balancer usually requires installing a bundle of certificates. The CA will also provide a so called intermediate CA file or chain certificate. It proves that your chosen CA is trusted by one of the root CAs. You will need the intermediate CA certificate as 'chain' certificate in your clientssl profile. Nonce is Number Once ---- In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt. Security depends on the secrecy of the private key. In the Diffie–Hellman key exchange scheme, each party generates a public/private key pair and distributes the public key. After obtaining an authentic copy of each other's public keys, Alice and Bob can compute a shared secret offline. The shared secret can be used, for instance, as the key for a symmetric cipher. ---- Public-key encryption, in which a message is encrypted with a recipient's public key. The message cannot be decrypted by anyone who does not possess the matching private key, who is thus presumed to be the owner of that key and the person associated with the public key. This is used in an attempt to ensure confidentiality. Digital signatures, in which a message is signed with the sender's private key and can be verified by anyone who has access to the sender's public key. This verification proves that the sender had access to the private key, and therefore is likely to be the person associated with the public key. This also ensures that the message has not been tampered with, as any manipulation of the message will result in changes to the encoded message digest, which otherwise remains unchanged between the sender and receiver. </pre>