Wednesday, May 6, 2020
Generating a Digital Certificate Using OpenSSL
Question: Discuss generating a digital certificate using OpenSSL.

Answer:

Introduction

SSL, TLS

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), both commonly referred to as SSL, are cryptographic protocols used to provide secure communication over the internet. Many websites use TLS to secure the communication between the server and the client that is trying to access the data. The TLS protocol is a proposed standard of the IETF (Internet Engineering Task Force), first defined in 1999 and later updated in 2008 as RFC 5246 and again in 2011 as RFC 6176. The standard is based on the SSL specification.

Uses

The TLS protocol has the following objectives and goals.
- To provide privacy of the data
- To provide integrity of the data

Benefits

The TLS protocol benefits client-server communication by preventing tampering and eavesdropping between two applications communicating across computers.

When the server and client communicate through the TLS security protocol, the connection gains the following properties.
- The data exchanged between the server and the client is encrypted with symmetric cryptography, so the connection is private. The keys for this symmetric encryption are generated uniquely for each connection. Key generation depends on a shared secret that is negotiated before the session starts, through the TLS handshake protocol. The server and client first negotiate the encryption algorithm and cryptographic keys to use, and only after this is the first byte of data transmitted.
- The negotiation of the shared secret is itself kept reliable and secure from attackers.
- Both communicating parties are identified only through authentication based on public-key cryptography. Although this authentication is sometimes optional, it is usually done by the server.
- Every message transferred between the server and the client is reliable, because message integrity is maintained with a message authentication code that prevents alteration or undetected loss of data during transmission.
- The communication can be given an additional privacy property, forward secrecy, which prevents any future disclosure of the encryption keys from being used to decrypt TLS communication recorded in the past.

Active TLS certificates are monitored by Netcraft, and according to it the leading certificate authority in this domain is Symantec.

Application

Once TLS certificates are installed, the protocol is implemented on top of the transport layer protocols and encrypts the data of application protocols such as FTP, HTTP, XMPP, NNTP, etc.

Uses

The primary use and benefit of the TLS protocol is securing World Wide Web traffic between the web browser and a website, carried over the HTTP protocol.

Compatibility

Digital certificates created as of 2016 can be installed with the latest versions, such as TLS 1.0, 1.1 and 1.2. The protocol can be enabled and used in several browsers, including the following.
- Google Chrome
- Google Android OS Browser
- Mozilla Firefox
- Microsoft Internet Explorer
- Microsoft Edge
- Microsoft Internet Explorer Mobile
- Opera
- Apple Safari

Support

Many libraries support TLS or SSL, including the following.
- OpenSSL
- Java Secure Socket Extension
- MatrixSSL
- LibreSSL
- GnuTLS
- Botan
- Mbed TLS
- Network Security Services
- RSA BSAFE
- SChannel
- Secure Transport (OS X)
- SharkSSL
- wolfSSL

Protection

Digital certificates can provide protection from the following attacks on SSL or TLS.
- Renegotiation attack
- Protocol downgrade attack
- BEAST attack
- Cross-protocol attacks
- Downgrade attacks, like the Logjam attack and the FREAK attack
- CRIME and BREACH attacks
- Padding timing attacks
- POODLE attack
- RC4 attack
- Truncation attack

Forward Secrecy

Forward secrecy is an important property of a cryptographic system. It ensures that a session key derived from a combination of the private and public keys is not compromised even if one of the private keys is compromised in the future.

Client-Server Communication With TLS Protocol

Client-server communication can take place with or without TLS. For security, however, the client asks the server to set up a TLS connection. The client can signal this in two different ways: one is to use a port number designated for TLS connections, and the other is to use a protocol-specific mechanism.

If the server is able to set up a TLS connection, the server and client negotiate a stateful connection through a procedure called handshaking. The client and server agree on the parameters of the connection through the following steps.
- The client connects to a TLS-enabled server and requests a secured connection. It presents a list of the cipher suites it supports, and the handshake procedure starts.
- The server picks a cipher and hash function from the list that it also supports, and notifies the client of its decision.
- The server then sends its identification back to the client in the form of a digital certificate and the public encryption key of the server.
- The client confirms the validity of the certificate before proceeding further.
- The client generates the session keys for the secured connection by encrypting a random number with the public key of the server and sending the result to the server. The server can decrypt it only with its private key. Both client and server then use the random number to generate a key unique to the session, which is used for encryption and decryption of data while the session lasts.
- The client makes use of the Diffie-Hellman key exchange to generate the unique and random session keys for encryption and decryption, which has the benefit of forward secrecy.

This concludes the handshake, and the secured connection begins and continues until the connection ends. If the TLS handshake fails at any of the steps above, the connection is not created.

The basic component of TLS is the certificate, specifically the digital certificate.

Digital Certificate

The objective of a digital certificate is to certify ownership of a public key by the subject named in the certificate. A digital certificate is also called a public key certificate. It is an electronic document that attests to the validity and ownership of the public key.

A digital certificate or public key certificate contains the following information.
- Information about the identity of the owner
- Information about the key
- The digital signature of an entity, which shows that the verified contents of the certificate are correct

Once the signature is proved to be valid, the person examining the certificate trusts the signer, and the key is then used for the communication. The signer is typically a certificate authority (CA). Most of the time it is a company that validates the applicant company and issues the certificate to it.
For a typical self-signed certificate the signer is the owner of the key, or the signers may be other users (endorsements) whom the examiner trusts upon verification and validation.

Certificate Authority

In this model the trust relationship is expressed in terms of the certificate authority as a trusted third party. It is trusted both by the party that relies on the certificate and by the owner, or subject, of the certificate.

Contents

The contents of a typical digital certificate are the following.
- Serial number: used to identify the certificate uniquely
- Subject: the entity or person identified
- Signature algorithm: the algorithm used to create the signature
- Signature: the actual signature, used to verify that the certificate came from the issuer
- Issuer: the entity that verified the information and issued the certificate
- Valid-from: the date from which the certificate is valid
- Valid-to: the date of expiration
- Public key
- Key-usage: the purpose of the public key, like signature, encipherment and certificate signing
- Thumbprint or fingerprint: the hash itself
- Thumbprint algorithm: the algorithm used to hash the public key certificate

Security Levels

Digital certificates are usually installed for commonly used websites that are based on HTTPS. The security is provided by the verification and validation of the TLS web server. The digital certificate ensures the security of the website by ensuring that the website is the one it claims to be, and by making sure that there are no eavesdroppers. This security is implemented as a mandatory feature of electronic commerce websites.
Certification

A digital certificate can be obtained by any entity or individual for their own website by applying to an issuer who provides certificates. Typically, the issuers are certificate authorities, which are commercial retailers of certificates. The applicant has to provide the basic information about the website and preferably the details of the entity or business, such as the name of the website, a contact email address, detailed information about the company, and the public key. The private key should not be sent, as this can cause related issues with the server. The certificate provider then verifies all the information supplied by the applicant, signs the request and provides the public certificate.

During web browsing, the public certificate issued to the entity is served to the browser that connects to the website, and the certificate proves to the web browser that the provider believes the certificate was issued to the real and truthful website owner.

Validation

Digital certificates can be validated at various levels.
- Domain validation, in which the certificate is issued if the purchaser or applicant is able to demonstrate the right to manage the domain name administratively
- Organization validation, in which the certificate is issued only after ensuring that the applicant or purchaser can demonstrate the ability to manage the domain name and the existence of the organization as a legal entity
- Extended validation, in which the purchaser has to prove the identity of the organization in terms of its complete legal identity

OpenSSL

OpenSSL is a software library developed for applications that need more protection and security for their communication, or that need to ascertain the identity of the party at the other end. It is widely used by web servers on the internet.
A potential benefit of OpenSSL is that it can be implemented free of cost, as it is available as open source. Any organization, or even an individual, can therefore implement the SSL and TLS protocols. The library functions are written in the C programming language; they implement the basic cryptographic functions and provide many utility functions. OpenSSL is widely available for operating systems, especially UNIX-based and UNIX-like operating systems such as Mac OS X, Linux, Solaris, etc. OpenSSL supports many cryptographic algorithms, like ciphers, public-key cryptography and cryptographic hash functions.

Generation Of Certificates

Digital certificates can be created using many kinds of tools, like OpenSSL.

Procedure

Generating the Digital Certificate

The first step of the procedure is the creation of the Certificate Authority (CA). Initially, this testing requires a CA. A certificate is usually obtained from certificate authority companies, like VeriSign, DigiCert, etc. This task consists of requesting the digital certificate for the certificate authority. The task is quite similar for the server and the client, the difference being the values specified.

Consider a company called XYZ, an organization that has applied to become a certificate authority. Initially, XYZ sends a certificate request to a CA to have it signed, so that XYZ becomes a CA. After XYZ becomes a certificate authority, it can start issuing digital certificates to the servers and clients on its networks. The certificates generated by XYZ are considered site-signed certificates. Such certificates can be generated even by individuals, to secure personal network requirements.

Create an openssl.cnf file or, if it already exists, edit it. By default, OpenSSL looks for its configuration in /usr/lib/ssl/openssl.cnf.
However, it is always good to add -config ./openssl.cnf to the openssl ca or openssl req commands, to ensure that OpenSSL reads the correct file.

Select the app subdirectory of the directory in which OpenSSL is built.

Start OpenSSL: $ openssl

Now the commands are issued to request a digital certificate. Here, an RSA private key is created and a CSR (Certificate Signing Request) is generated at the same time. Messages are displayed, and additional information is prompted for, based on the request made. Pressing the Enter key accepts a default value; the default can be changed by typing the respective information and then pressing Enter. If the -nodes option is added to the OpenSSL command when the digital certificate request is created, OpenSSL prompts for the necessary password before access to the private key is allowed.

Certificate signing request generation based on an existing certificate

The following tasks are performed to generate the digital certificate for a server, client and CA based on existing certificates. The digital certificates are generated using the OpenSSL commands on UNIX, with the values and arguments given to the commands. Informational messages are displayed and the information needed is prompted for, based on the request made. Again, the Enter key is pressed to accept the default value, or specific information can be given in place of the default value. The digital certificate generation is then complete.

A self-signed certificate, such as a root CA digital certificate, is a digital certificate signed with the private key that corresponds to the public key present in that certificate. Except for root CAs, digital certificates are usually signed with a private key that corresponds to a public key belonging to another certificate authority.
Checking the digital certificate with OpenSSL

The generated digital certificate can be checked with the command openssl x509 -text -in filename.pem

The generated digital certificate contains the data that was collected for its generation: the digital signature, the certificate timestamps and other necessary information. However, the generated digital certificate is unreadable as stored, because it is encoded in the PEM format.

Creating a certificate trust list through OpenSSL

After digital certificates are created for the server, the CA and, optionally, the client, the one or more certificate authorities that the OpenSSL client application trusts have to be identified. The resulting list is called the trust list. If the client application needs to trust only one CA, the file name has to be specified for the digital certificates of all the CAs that are to be trusted by the client application.

The certificate authority certificates can be primary, root or intermediate certificates. They are added to the file in any order. This list can be created manually. OpenSSL usually returns .pem files, while CAs return .crt files. The certificate authority files are concatenated together, irrespective of their extension, instead of cutting and pasting them together manually. For example, a primary certificate, a root authority certificate and an authority certificate file can all be concatenated into a single PEM file. These files can be placed in any order.

Since the digital certificates are unreadable because of their encoding, the file contents can be viewed through the OpenSSL commands for the respective file types. If digital certificate files are stored in the DER format, they must be converted into the PEM format.
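The procedure above, together with the trust-chain check described in the next section, as an added example that is not part of the original post: a root CA, an intermediate CA and a server certificate for the hypothetical organization XYZ, a concatenated trust list, a DER round trip, and a verification that succeeds only when the whole chain is available. The intermediate CA, the host name www.example.test, the file names, the helper function names and the minimal openssl.cnf are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. "XYZ", www.example.test and every file name are constructed.
set -eu
umask 077   # keys below are written without a passphrase; keep them owner-only

new_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }

# Sign CSR $1 with CA $2 (uses $2.pem and $2.key), extension section $3, output $4.
sign_csr() {
    openssl x509 -req -in "$1" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -sha256 -days 30 -extfile openssl.cnf -extensions "$3" -out "$4" 2>/dev/null
}

build_chain() (   # $1 = working directory; the body runs in a subshell
    cd "$1"
    # Explicit config, passed with -config so no system-wide default is used.
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:www.example.test
EOF
    # 1. Root CA: self-signed, i.e. signed with its own private key.
    new_key root.key
    openssl req -config openssl.cnf -new -x509 -key root.key -sha256 -days 30 \
        -subj "/O=XYZ/CN=XYZ Root CA" -extensions v3_ca -out root.pem
    # 2. Intermediate CA: its CSR is signed by the root.
    new_key inter.key
    openssl req -config openssl.cnf -new -key inter.key \
        -subj "/O=XYZ/CN=XYZ Issuing CA" -out inter.csr
    sign_csr inter.csr root v3_ca inter.pem
    # 3. Server: only the CSR (public key) goes to the CA, never server.key.
    new_key server.key
    openssl req -config openssl.cnf -new -key server.key \
        -subj "/O=XYZ/CN=www.example.test" -out server.csr
    sign_csr server.csr inter v3_server server.pem
    # 4. Trust list: CA certificates concatenated, in any order.
    cat inter.pem root.pem > trust.pem
    # 5. DER copy of the root and conversion back to PEM.
    openssl x509 -in root.pem -outform DER -out root.der
    openssl x509 -inform DER -in root.der -out root.from_der.pem
)

issuer_of()   { openssl x509 -in "$1" -noout -issuer; }
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
# Exit status 0 only when the chain from $2 up to a root is complete in $1.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

work=$(mktemp -d)
build_chain "$work"
openssl x509 -text -noout -in "$work/server.pem" | grep -E 'Issuer:|Subject:|Not After'
verify_chain "$work/trust.pem" "$work/server.pem" && echo "full trust list: OK"
verify_chain "$work/root.pem" "$work/server.pem" || echo "root only: chain incomplete"
rm -rf "$work"
```

Verification against root.pem alone fails because the issuing CA certificate is missing from the trust file, which is the reason every CA certificate in the chain has to be available to the verifier.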
Certificate verification in the trust chain through OpenSSL

Servers and clients validate each other's digital certificates after exchanging them. The CA certificates required to validate the server certificate make up the trust chain, because validating the server certificate requires that all of the CA certificates in the trust chain be available. These files can be kept as individual files or combined into a single file, all in one OpenSSL directory.

Certificates signed by a recognized CA can be verified using the OpenSSL command. If the OpenSSL installation recognizes the certificate or its signing authority, and everything checks out, such as the signing chain, dates, etc., it simply displays an OK message.

Ending OpenSSL

Finally, OpenSSL can be ended with the quit command at the command prompt.

Conclusion

Digital certificates are the means of providing safe web traffic for websites. They can be created by very large organizations or simply by an individual, to protect the web traffic to their websites. Digital certificates are associated with the SSL and TLS protocols, which are mainly used to protect the communication and interaction between server and client. OpenSSL is one of the easier and more economical ways to generate digital certificates for a website.