Broad types of cryptography
* Symmetric cryptography - both sides share the same key
* Asymmetric (public key) cryptography - each side has a different key

Public Key Cryptography
* Solves the key distribution problem
* Algorithms typically based on hard math problems
* Fills two roles
  * Digital signatures
  * Key exchange

Digital Signatures
* Allows a public verification key to be published
* A signer keeps the private signing key
* Messages from the signer can be verified
* Also protects integrity

Key Exchange
* Asymmetric crypto is far slower than symmetric cryptography
* Uses asymmetric to set up a shared key, so both sides can switch to symmetric

RSA Security
* Company founded by Ron Rivest, Adi Shamir, Leonard Adleman
* Built to develop crypto-based products and standards
* Held patent on RSA Algorithm until September 2000

ASN.1
* Abstract syntax notation, one
* Describes a tree structure
* Typically use Distinguished Encoding Rules (DER)
  * Binary format
  * Canonical representation

PEM Files
* Privacy Enhanced Mail (PEM)
  * Never really used
* Base64 encoded DER data
* Have headers that describe the contents
  * -----BEGIN CERTIFICATE-----
* The "preferred" format for OpenSSL

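An added example, not part of the original slides: a minimal PEM unwrapper and DER tag-length-value walker, showing that a PEM file is base64 DER between matching headers and that the DER bytes decode to a tree. The sample key is constructed with a toy modulus, the function names are this example's own, and the walker assumes single-byte tags and does not enforce every DER canonical-form rule.

```python
import base64

# Constructed sample: a PKCS#1 RSAPublicKey with toy modulus 3233 and e = 65537.
SAMPLE_DER = bytes.fromhex("3009" "02020ca1" "0203010001")
SAMPLE_PEM = ("-----BEGIN RSA PUBLIC KEY-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END RSA PUBLIC KEY-----\n")
TAG_NAMES = {0x02: "INTEGER", 0x30: "SEQUENCE"}  # only the tags this sample uses

def pem_to_der(pem):
    """Return (label, DER bytes) for one PEM block, checking the headers agree."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    begin, end = lines[0], lines[-1]
    if not (begin.startswith("-----BEGIN ") and begin.endswith("-----")):
        raise ValueError("missing PEM BEGIN header")
    label = begin[len("-----BEGIN "):-5]
    if end != f"-----END {label}-----":
        raise ValueError("PEM END header does not match BEGIN")
    return label, base64.b64decode("".join(lines[1:-1]), validate=True)

def read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length >= 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("indefinite or truncated length is not valid DER")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("value runs past the end of the data")
    return tag, data[pos:pos + length], pos + length

def parse(data):
    """Walk DER into a tree: constructed values become lists, INTEGERs become ints."""
    nodes, pos = [], 0
    while pos < len(data):
        tag, value, pos = read_tlv(data, pos)
        if tag & 0x20:  # constructed bit set: the value is itself a run of TLVs
            value = parse(value)
        elif tag == 0x02:
            value = int.from_bytes(value, "big", signed=True)
        nodes.append((TAG_NAMES.get(tag, f"tag 0x{tag:02x}"), value))
    return nodes

if __name__ == "__main__":
    print(pem_to_der(SAMPLE_PEM)[0], parse(SAMPLE_DER))
```
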
File extensions
* Never well established
* The extension may describe the format but not the contents (.pem, .der)
* Or it may describe the contents but not the format (.cer, .crt, .key)

OpenSSL
* Fork of SSLeay
  * Created by Eric A. Young
  * Forked when he went to work for RSA Security
* By far the most popular open source TLS/SSL library

Generate an RSA Key

    $ openssl genrsa -out demo.pem
    Generating RSA private key, 2048 bit long modulus
    ...............................+++
    .....................+++
    e is 65537 (0x10001)

X.509 Certificate
* Format for digital certificates
* Uses ASN.1 for the basic file format
* Wraps public key
* Specifies subject of certificate and issuer
* Contents are digitally signed by issuer
* Lists lifetime of validity

Generate a certificate request

    $ openssl req -new -key demo.pem -out demo.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Illinois
    Locality Name (eg, city) []:Chicago
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:PayPal
    Organizational Unit Name (eg, section) []:Braintree
    Common Name (e.g. server FQDN or YOUR name) []:demo.braintreepayments.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

sslyze

    $ sslyze --regular www.braintreepayments.com:443
    ...
    SCAN RESULTS FOR WWW.BRAINTREEPAYMENTS.COM:443 - 204.109.13.115:443
    -------------------------------------------------------------------
    ...snip...
      * Certificate - Trust:
          Hostname Validation:             OK - Subject Alternative Name matches
          Google CA Store (09/2015):       OK - Certificate is trusted
          Java 6 CA Store (Update 65):     OK - Certificate is trusted
          Microsoft CA Store (09/2015):    OK - Certificate is trusted
          Apple CA Store (OS X 10.10.5):   OK - Certificate is trusted
          Mozilla NSS CA Store (09/2015):  OK - Certificate is trusted
          Certificate Chain Received:      ['www.braintreepayments.com', 'Symantec Cl...
    ...

Random Notes
* OpenSSL does not ship with any root certificates
  * Operating systems and browsers do
  * On Linux these are generally gathered from the Mozilla list
* OpenSSL on OS X
  * Contains special patches which cause it to fall back to the OS X keystore
  * The version is super old

Client Hello
* Protocol the client wants (e.g. TLS 1.2)
* Ciphers the client supports
* Extensions (introduced after TLS 1.0 but in a compatible way)
  * Server Name Indication (SNI)

Server Name Indication
* Allows a client to tell a server which vhost they want
* Without it, every hostname needs its own IP
  * Can be expensive for hosting
* Host information is sent after TLS handshake (HTTP Host Header)
* SNI support is still not 100%

Client Certificate [optional]
* Server asks for client to provide a certificate
  * Indicates what parameters would be allowed
* Client sends its own certificate and any intermediates

* Hostname verification is protocol dependent
* OpenSSL doesn't have it built in
* Also, some people just turn it off:

    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

Recommendations
* Do ensure you're validating connections
* Lean on a framework/library if possible
  * But check that it also does the right thing
* Set up an automated test to validate this setting