2013/08/14

DIGITAL CERTIFICATES

What is digital certificate

  • An electronic document which uses a digital signature to bind together a public key with an identity information such as the name of a person or an organization, their address, and so forth
  • The certificate can be used to verify that a public key belongs to an individual

Contents of a typical digital certificate

  • Serial Number: Used to uniquely identify the certificate.
  • Subject: The person, or entity identified.
  • Signature Algorithm: The algorithm used to create the signature.
  • Issuer: The entity that verified the information and issued the certificate.
  • Valid-From: The date the certificate is first valid from.
  • Valid-To: The expiration date.
  • Key-Usage: Purpose of the public key (e.g. encipherment, signature, certificate signing...).
  • Public Key: The public key to encrypt a message to the named subject or to verify a signature from the named subject.
  • Thumbprint Algorithm: The algorithm used to hash the certificate.
  • Thumbprint: The hash itself to ensure that the certificate has not been tampered with

Public and private key - Asynchronous encryption

  • Use of these keys allows protection of the authenticity of a message by creating a digital signature of a message using the private key, which can be verified using the public key. 
  • It also allows protection of the confidentiality and integrity of a message, by public key encryption, encrypting the message using the public key, which can only be decrypted using the private key.

Asymmetric key encryption

Source: http://cxf.apache.org

Protection of the authenticity

Source: http://cxf.apache.org

SSL

  • the most common use of digital certificate
  • allows to communicate over secure connection
  • it's layer between transport (TCP/IP) and presentation (HTTP) layer
  • data is encrypted and then decrypted
SSL addresses the following security considerations:
  1. Authentication – server will present his certificate, it verify that server (site) is who and what it claims to be. Server may request clients certificate too.
  2. Confidentiality – data can be read by third party but it cannot be deciphered
  3. Integrity – SSL helps guarantee that data will not be modified

SSL sub protocols

Source: http://beefchunk.com

Establishing connection

Source: http://beefchunk.com

SSL, PCT, TLS and WTLS (not SSH)

  • SSL v2.0 Released by Netscape Communications in 1994. The main goal of this protocol was to provide security for transactions over the World Wide Web. Unfortunately, very quickly a number of security weaknesses were found in this initial version of the SSL protocol, thus making it less reliable for commercial use:
    • weak MAC construction, possibility of forcing parties to use weaker encryption, no protection for handshakes, possibility of an attacker performing truncation attacks
  • PCT v1.0 Developed in 1995 by Microsoft. Privacy Communication Technology (PCT) v1.0 addressed some weaknesses of SSL v2.0, and was aimed to replace SSL.
  • SSL v3.0 Released in 1996 by Netscape Communications. SSL v3.0 solved most of the SSL v2.0 problems, and incorporated many of the features of PCT. Pretty quickly become the most popular protocol for securing communication over WWW.
  • TLS v1.0 (also known as SSL v3.1) Published by IETF in 1999 (RFC 2246). This protocol is based on SSL v3.0 and PCT and harmonizes both Netscape's and Microsoft's approaches. It is important to note that although TLS is based on SSL, it is not a 100% backward compatible with its predecessor. IETF did some security improvements. The end result of these improvements is that these protocols don't fully interoperate. Fortunately enough, TLS has also got a mode to fall back to SSL v3.0.
  • WTLS "Mobile and wireless" version of the TLS protocol that uses the UDP protocol as a carrier. It is designed and optimized for the lower bandwidth and smaller processing capabilities of WAP-enabled mobile devices.  However, after the introduction of the WAP 2.0 protocol, WTLS has been replaced by a profiled version of the TLS protocol, which is much more secure -- mainly because there is no need for decryption and re-encryption of the traffic at the WAP gateway.

SSL installation

Before we can use SSL with Tomcat for example, we need to install the following:
  1. A server certificate keystore
  2. An HTTPS connector

Creating the server certificate

To create a server certificate follow these steps:
  1. Create the keystore.
  2. Export the certificate from the keystore.
  3. Sign the certificate.
  4. Import the certificate into a trust-store

Generating server certificate

keytool -genkey -alias server-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
  • Generates the server keystore keystore.jks
  • Generates a key pair (a public key and associated private key)
  • Wraps the public key into an X.509 v3 self-signed certificate, which is stored as a single-element certificate chain

Importing the Certificate

Now that you have your Certificate you can import it into you local keystore. First of all you have to import a so called Chain Certificate or Root Certificate into your keystore. 

keytool -import -alias root -keystore keystore-file.abc -trustcacerts -file received-file.abc

After that you can proceed with importing your Certificate.

keytool -import -alias tomcat -keystore keystore-file.abc -trustcacerts -file received-file.abc

Displaying certificates

To print out the content of a keystore entry, use the following command: 

keytool -list -keystore keystore.jks

To display the contents of a certificate stored in a file, use the following command:

keytool -printcert -file server.cer

Install HTTPS connector

Add following lines into $CATALINA_HOME/conf/server.xml configuration file
<-- Define an SSL HTTP/1.1 Connector on port 8443--> 
<Connector className="org.apache.catalina.connector.http.HttpConnector" 
  port="8443" minProcessors="5" maxProcessors="75" 
  enableLookups="true" acceptCount="10" debug="0" 
  scheme="https" secure="true" clientAuth="false" 
  protocol="TLS" </Connector>

Export the certificate from keystore

keytool -export -alias server-alias -storepass changeit -file server.cer -keystore keystore.jks

Certificate Signing Request (CSR)

keytool -certreq -keyalg RSA -alias server-alias -file certreq.csr -keystore keystore.jks

References

  • http://www.securityfocus.com/infocus/1818
  • http://www.root.cz/clanky/ssl-autentizacia-s-webovym-serverom-apache/
  • http://slacksite.com/apache/certificate.php
  • http://en.wikipedia.org/wiki/Public_key_certificate
  • http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security6.html
  • http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html

▼ Click here to say thanks ▼

2 comments :

  1. Thanks for this explanation. This is all what I wanted to know about digital certificates. You have mentioned and described all about this latest technique.
    digital certificates

    ReplyDelete