SSH Keys and the Concepts behind SSL and TLS Certificates
To understand the different encryption types available while transferring data at rest
To secure data transfer over the Internet or inside the organization, we need some mechanism to encrypt the data passing over the network. Several concepts are used in the data security industry. Let's look at each of them and at how to secure our data by encrypting it with SSH and SSL.
Cryptography is a method of using advanced mathematical principles in storing and transmitting data in a particular form so that only those for whom it is intended can read and process it.
Encryption is a key concept in cryptography. It is a process whereby a message is encoded in a format that cannot be read or understood by anyone
Encryption: It is the process of locking up information using cryptography. Information that has been locked this way is encrypted.
Decryption: The process of unlocking the encrypted information using cryptographic techniques.
Key: A secret like a password used to encrypt and decrypt information. There are a few different types of keys used in cryptography.
Steganography: It is actually the science of hiding information from people who would snoop on you. The difference between steganography and encryption is that the would-be snoopers may not be able to tell there’s any hidden information in the first place.
There are two types of encryption algorithms: symmetric and asymmetric.
Symmetric Key Encryption
In Symmetric-key encryption the message is encrypted by using a key and the same key is used to decrypt the message which makes it easy to use but less secure. It also requires a safe method to transfer the key from one party to another.
Asymmetric Key Encryption
Asymmetric key encryption is based on the public and private key encryption technique. It uses two different keys to encrypt and decrypt the message. It is more secure than the symmetric key encryption technique but is much slower.
Public and Private Key
Think of the public key as a lock: it’s not actually a key, it’s a padlock you can make lots of copies of and distribute wherever you want.
Think of the private key as the actual key, which can be used to open the padlock that is stored on the other machine. Just like a regular key, you keep it secret, safe, and out of the wrong hands.
Public keys can be placed anywhere, but private keys must never be compromised.
SSH Keys for Passwordless Authentication
Public key authentication is a way of logging into an SSH/SFTP account using a cryptographic key rather than a password.
Public key authentication provides many benefits when working with large enterprises. For example, with SSH keys you can allow multiple developers to log in as the same system user without having to share a single password between them, and make it easier for a single developer to log in to many accounts without needing to manage many different passwords.
Public and private keys work together. Running ‘ssh-keygen’ produces both a private (id_rsa) and a public (id_rsa.pub) key for usage.
To generate an SSH key pair, run the command ssh-keygen.
It will look like this when you run it:
Server1:~ user1$ ssh-keygen
Generating public/private rsa key pair.
You’ll be prompted to choose the location to store the keys. The default location is good unless you already have a key. Press Enter to choose the default location.
Enter file in which to save the key (/home/user1/.ssh/id_rsa):
Next, you’ll be asked to choose a password. Using a password means a password will be required to use the private key. It’s a good idea to use a password on your private key.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
After you choose a password, your public and private keys will be generated. There will be two different files. The one named id_rsa is your private key. The one named id_rsa.pub is your public key.
Your identification has been saved in /home/user1/.ssh/id_rsa.
Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
The public key can be placed on any server in the network to authenticate as the user user1 without a password.
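The steps above, scripted end to end as an added example (not part of the original article): it generates the key pair without prompts and installs the public key into an authorized_keys file with restrictive permissions. The paths, the key comment and the function names are assumptions, and a temporary directory stands in for the server account's ~/.ssh.

```shell
#!/bin/sh
# Added example: paths, the key comment and function names are assumptions.

# Create a passphrase-protected RSA key pair without the interactive prompts.
new_keypair() {         # $1 = private key path, $2 = passphrase
    ssh-keygen -q -t rsa -N "$2" -C "user1@Server1" -f "$1"
}

# Fingerprint(s) of the key(s) in a public key or authorized_keys file.
fingerprint() {         # $1 = file
    ssh-keygen -l -f "$1" | awk '{print $2}'
}

# Append a public key to an account's authorized_keys exactly once, keeping
# the directory and file closed to other users (sshd's StrictModes check
# refuses keys in files that other users can write to).
authorize_key() {       # $1 = public key file, $2 = target .ssh directory
    grep -q "PRIVATE KEY" "$1" && return 1              # never install a private key
    ssh-keygen -l -f "$1" >/dev/null 2>&1 || return 1   # reject files that are not keys
    mkdir -p "$2" && chmod 700 "$2" || return 1
    touch "$2/authorized_keys" && chmod 600 "$2/authorized_keys" || return 1
    grep -qxF "$(cat "$1")" "$2/authorized_keys" ||
        cat "$1" >> "$2/authorized_keys"
}

# Demo in a throwaway directory; "$work/server/.ssh" plays the remote ~/.ssh.
work=$(mktemp -d)
new_keypair "$work/id_rsa" "constructed-passphrase"
authorize_key "$work/id_rsa.pub" "$work/server/.ssh"
authorize_key "$work/id_rsa.pub" "$work/server/.ssh"    # second call adds nothing
echo "authorized: $(fingerprint "$work/server/.ssh/authorized_keys")"
rm -rf "$work"
```

Comparing the fingerprint printed here with the one from the client's id_rsa.pub confirms that the key on the server is the one you generated.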
What is SSL?
SSL stands for Secure Sockets Layer, and it refers to a protocol for encrypting and securing communications that take place on the Internet. Although SSL was replaced by an updated protocol called TLS (Transport Layer Security) some time ago, “SSL” is still a commonly used term for this technology.
What is TLS?
Transport Layer Security (TLS) is the successor protocol to SSL. TLS is an improved version of SSL. It works in much the same way as SSL, using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry although SSL is still widely used. When you buy an ‘SSL’ certificate from DigiCert, you can of course use it with both SSL and TLS protocols.
The main use case for SSL/TLS is securing communications between a client and a server, but it can also secure email, VoIP, and other communications over unsecured networks.
How does SSL/TLS work?
Secure communication begins with a TLS handshake, in which the two communicating parties open a secure connection and exchange the public key
During the TLS handshake, the two parties generate session keys, and the session keys encrypt and decrypt all communications after the TLS handshake
Different session keys are used to encrypt communications in each new session
TLS ensures that the party on the server side, or the website the user is interacting with, is actually who they claim to be
TLS also ensures that data has not been altered, since a message authentication code (MAC) is included with transmissions
The TLS handshake uses asymmetric encryption
What is an SSL certificate?
An SSL certificate is a file installed on a website’s origin server. It’s simply a data file containing the public key and the identity of the website owner, along with other information. Without an SSL certificate, a website’s traffic can’t be encrypted with TLS.
Technically, any website owner can create their own SSL certificate, and such certificates are called self-signed certificates. However, browsers do not consider self-signed certificates to be as trustworthy as SSL certificates issued by a certificate authority.
How does a website get an SSL certificate?
Website owners need to obtain an SSL certificate from a certificate authority, and then install it on their web server (often a web host can handle this process). A certificate authority is an outside party who can confirm that the website owner is who they say they are. They keep a copy of the certificates they issue.
Certificate Authorities: a few names
Below are a few CA vendors that provide certificates:
Comodo SSL, Symantec, DigiCert, RapidSSL, GlobalSign, GoDaddy
What’s a Public Certificate Authority?
A Public CA is, unsurprisingly, a certificate authority that provides services to the general public. Any organization providing CA services to you that you’re not affiliated with is a public CA.
Publicly trusted SSL/TLS certificates are used for public-facing website projects (e.g., websites, landing pages, microsites, etc.) and are needed in order to avoid browser warnings. A public certificate can be used to secure either server-to-client or server-to-server communication and can only be issued by a trusted certification authority (CA).
What’s a Private Certificate Authority?
Private CAs, also called local CAs, are self-hosted certificate authorities usually meant for internal use.
Private certificates are used to secure any internal network and can be issued by either a trusted CA or any organization that runs its own internal PKI (Private Key Infrastructure). They can only secure server-to-server communication for IP addresses and non-registered domains, in other words, URLs that can only be seen by a contained user group.
What’s a Certificate Signing Request (CSR)?
A certificate signing request (CSR) contains the most vital information about an organization and domain.
Usually, the CSR and key pair are generated locally on the server where the SSL certificate will be installed. However, that is not mandatory. The CSR and key pair can be generated on one server and the certificate installed on another.
How to Generate a CSR
Certificate signing requests (CSRs) are generated with a pair of keys: a public and a private key. Only the public key is sent to a Certificate Authority and included in the SSL certificate, and it works together with the private key to encrypt the connection.
Before moving on to generating CSRs and certificates, let me introduce the open-source SSL certificate tool “OpenSSL”.
What is OpenSSL?
OpenSSL is a widely used tool for working with CSR files and SSL certificates and is available for download on the official OpenSSL website. It is an open-source implementation tool for SSL/TLS.
Example 1: Generate a CSR
The first thing to do would be to generate a 2048-bit RSA key pair locally. This pair will contain both your private and public key.
To generate a public and private key with a certificate signing request (CSR), run the following OpenSSL command:
openssl req -out certificatesigningrequest.csr -new -newkey rsa:2048 -nodes -keyout privatekey.key
Once the CSR and key pair have been generated, it is hard to see what information the CSR contains, as it is not in a human-readable format. You can easily decode the CSR on the server using the following OpenSSL command:
openssl req -in server.csr -noout -text
Example 2: Generate a CSR for an Existing Private Key
It is recommended to issue a new private key whenever generating a CSR. If, for any reason, you need to generate a certificate signing request for an existing private key, use the following OpenSSL command:
openssl req -out CSR.csr -key privateKey.key -new
Example 3: Generate a CSR for an Existing Certificate and Private Key
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
One unlikely scenario in which this may come in handy is renewing an existing certificate when neither the organization nor the certificate authority has the original CSR. This will extract information about the domain and organization from the SSL certificate and use it to create a new CSR.
Example 4: Generate a Self-Signed Certificate
A self-signed certificate is usually used for test and development environments and on an intranet. Let’s generate a self-signed certificate using the following OpenSSL command:
openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt
The -days parameter is set to 365, meaning that the certificate is valid for the next 365 days. The -x509 parameter indicates that this will be a self-signed certificate. A temporary CSR is generated, and it is used only to gather the necessary information.
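As an added example (not from the original article or the OpenSSL documentation), the script below runs Examples 1 and 4 without the interactive prompts and then checks what the text describes: that the CSR's self-signature verifies, and that a CSR or certificate carries the public half of a given private key. The request.csr file name, the example.test domain, the subject fields and the function names are assumptions.

```shell
#!/bin/sh
# Added example: file names, the example.test domain, the subject fields and
# the function names are assumptions made for illustration.

# Example 1 without prompts: 2048-bit RSA key plus CSR.
make_csr() {            # $1 = output directory, $2 = common name (domain)
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/privatekey.key" -out "$1/request.csr" \
        -subj "/O=Example Org/CN=$2" 2>/dev/null &&
    chmod 600 "$1/privatekey.key"   # only the CSR is sent to the CA
}

# Example 4 without prompts: self-signed certificate valid for 365 days.
make_self_signed() {    # $1 = output directory, $2 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/domain.key" -out "$1/domain.crt" \
        -subj "/CN=$2" 2>/dev/null &&
    chmod 600 "$1/domain.key"
}

# A CSR is signed with its own private key; confirm that signature verifies.
csr_is_valid() {        # $1 = CSR file
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Print the RSA modulus of a private key, CSR or certificate.
modulus_of() {          # $1 = key|csr|crt, $2 = file
    case "$1" in
        key) openssl rsa  -in "$2" -noout -modulus ;;
        csr) openssl req  -in "$2" -noout -modulus ;;
        crt) openssl x509 -in "$2" -noout -modulus ;;
        *)   echo "unknown kind: $1" >&2; return 2 ;;
    esac
}

# Succeed only if both files carry the same RSA public key.
same_keypair() {        # $1 = kind, $2 = file, $3 = kind, $4 = file
    a=$(modulus_of "$1" "$2" 2>/dev/null) || return 2
    b=$(modulus_of "$3" "$4" 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo in a throwaway directory.
work=$(mktemp -d)
make_csr "$work" example.test && make_self_signed "$work" example.test
csr_is_valid "$work/request.csr" && echo "CSR signature: OK"
same_keypair csr "$work/request.csr" key "$work/privatekey.key" && echo "CSR matches its key"
same_keypair crt "$work/domain.crt" key "$work/privatekey.key" || echo "domain.crt uses a different key"
rm -rf "$work"
```

The same_keypair check is the one to run before installing a certificate returned by a CA: if the certificate and the private key on the server do not match, the web server cannot use that certificate.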
Note: the above examples are taken from the openssl site to illustrate the openssl command. To install and configure the openssl package, please visit openssl.com