Public Key Infrastructure (PKI) is the easiest and most efficient way to establish trust and security in computer networking. PKI is used bind public keys to user attributes that are used in various applications and protocols for digital signature, authentication, non-repudiation and S/MIME. PKI consist of two keys known as private and public keys. This combination of 2 keys is called a key pair. Private Key belongs to the individual security and should always be kept secure. The public key should be distributed to the participants of communication. One key is used to encrypt, and a corresponding/matching key is used to decrypt. If the public key is used for encryption, the associated private key is used for decryption. If the private key is used for encryption, the associated public key is used for decryption.For example in S/MIME, the private key is used to sign a document digitally so the author can be authenticated from the corresponding public key.
PKI and RSA (Rivest Shamir Adleman)
The most well-known algorithm being used on PKI is RSA. RSA algorithm supports key lengths from 512 bits to 16384 bits. When the high key length is used, it requires high processing speed. The standard for modern communication is RSA 2048 bits, and the same will be used in this article.
Security of RSA
Modern cryptography is mainly based on prime numbers. Similarly, an RSA key is composed of two prime numbers that should be very large otherwise it will compromise the RSA security.
Digital Certificate
The binding of a public key to a user along with personal details is called digital certificate. A digital certificate is an electronic document used to prove ownership of a public key. The certificate includes information about the key, information about its owner’s identity and associated permissions such as digital signature, non-repudiation, file system encryption, server authentication and client authentication, etc. Permissions define the usage for the certificate in operation. A public-key certificate consists of a data part and a signature part. The data part consists of the name of an entity, the public key corresponding to that entity, possibly additional relevant information (e.g., the entity’s Common Name, Organizational Unit, network address, a validity period for the public key, and various other attributes). The signature part consists of the signature of a certificate authority over the data part. A sample certificate with details is being shown in figures 1 and 2.
Figure: 1 Details of Digital Certificate
Figure: 2 Details of Digital Certificate
Components of PKI
Certificate Authorities (CA’s): These are responsible for issuing and revoking digital certificates to the users or subscribers. Registration Authorities (RA’s): These verify the binding between public keys and the identities of their holders. RAs conduct the initial verification of a potential subscriber’s/ user’s identity and/or attributes before a certificate is issued to the client. Subscribers/Users/Digital Certificate holders: People, computers, network devices or software agents that have been issued with certificates and can use them to sign digital documents. The standard currently in use for digital certificates is X.509 V3. Clients: These validate digital signatures and the certificates of the communicating parties. The clients may range from simple users to state of the art network devices.
Download ISO image file of Ubuntu 14 and install a copy of it in VMWare. Boot up Ubuntu with NAT Mode so that it shares the host’s IP address to access the internet.
Figure: 3 Network Mode Setting in VMWare.
Ping the guest VM machine from the host machine to check the machine connectivity. Ping internet from the guest VM machine to check the internet connectivity in the VM. From the terminal of Ubuntu Linux, Update the repositories by the following command apt-get update. Type apt-get install apache2 to install apache server. Type apt-get install ssh to install OpenSSH server. Type apt-get install openssl to install OpenSSL. Type /etc/init.d/apache2 start to start the Apache server in the guest VM. Type /etc/init.d/ssh start to start the SSH server in the guest VM. SSH server is a service that has to be enabled on the Linux machine so that Windows clients can copy files to/from the Linux machine. Type apt-get install wireshark to install Wireshark. Add Apache to boot startup by typing the command update-rc.d apache2 enable Add Apache to boot startup by typing the command update-rc.d ssh enable The IP of VM being used in this document is 192.168.1.133, and host IP is 192.168.1.1. From host machine, type telnet 192.168.1.133 22 on command prompt to check the connectivity with SSH server. Download and install WinSCP. This tool is used on windows to access the SSH server on the Linux machine and transfer the files to/from Linux machine. From host machine, start WinSCP. Click on New Site. Enter 192.168.1.132, Username & Password and click Connect. After successful connection, the file system of Linux machine will be explored.
Create a key for CA Certificate. Run openssl genrsa -out cakey.pem 2048 2048 Bit CA Key is stored into the file cakey.pem
Figure: 4 Generation of CA Private Key
Create a key for CA Certificate. Run openssl genrsa -in cakey.pem -noout -text
Figure: 5 Parameters of Private Key
Createca.cfgfor the configuration of the CA.
Create self-signed CA Certificate. Run openssl req -config ca.cfg -extensions ext -days 3650 -new -x509 -key cakey.pem -out cacert.crt -set_serial 01 -batch-text Double click the cacert.crt file to view the certificate.
basicConstraints = critical,CA:true subjectKeyIdentifier = hash [ req ] distinguished_name = req_distinguished_name [ req_distinguished_name ] CN = Common Name CN_default=”Demo Certificate Authority” policy = policy_supplied [ policy_supplied ] CN = supplied Figure: 6 Details of CA Certificate
Figure: 7 Details of CA Certificate
For the creation of key and certificates of TLS Server, create a file tls_server.cfg
Create a server private key. Run openssl genrsa -out server.key 2048
[ ca ] default_ca = CA_default [ CA_default ] dir = . certs = $dir crl_dir = $dir/crl database = $dir/index.txt unique_subject = no new_certs_dir = $dir certificate = $dir/cacert.crt serial = $dir/serial crlnumber = $dir/crlnumber crl = $dir/crl.pem private_key = $dir/cakey.pem RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 365 default_crl_days= 30 default_md = default preserve = yes [ req ] distinguished_name = req_distinguished_name req_extensions = req_ext string_mask = nombstr [ req_distinguished_name ] CN = ABC CN_default=”192.168.1.133″ policy = policy_supplied [ policy_supplied ] commonName = supplied [ req_ext] basicConstraints = critical,CA:false subjectKeyIdentifier = hash keyUsage = critical,digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2 Figure: 8 Details of Server Private Key
Create a CSR (Certificate Signing Request) for the server key that was generated in previous step. Run openssl req -config tls_server.cfg -out server.csr -key server.key -new -batch Sign the CSR to create server certificate. Run openssl x509 -req -extfile tls_server.cfg -extensions req_ext -in server.csr -CA cacert.crt -CAkey cakey.pem -out server.crt -days 720 -set_serial 2 -text
Figure: 9 Details of Server Certificate
Figure: 10 Details of Server Certificate
Double click server.crt to view the server certificate.
Figure: 11 Details of Server Certificate
Create PKCS12/PFX bundle to encrypt the key and cert. It will input password two times. Remember this password because if this p12 file has to be used in Windows/Linux, then this password will be required.Runopenssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
Figure: 12 Export Server Key and Certificate to P12 format
Access the default Web Interface of Apache Server on Ubuntu Linux by typing http://192.168.1.133/
Figure: 13 Plain Web Server
All this communication was in plain and can be captured by any attacker. Open Wireshark and start capturing the traffic. Analyze the traffic between client and server by typing “ip.addr == 192.168.1.1 && ip.addr == 192.168.1.133” in the filter textbox. The unencrypted/plain page is visible in the figure.
Figure: 14 Plain Communication captured through Wireshark
We have to secure the above web server so that the contents are not visible to attackers and intruders.
Create directory by command mkdir /etc/apache2/certificates Go to certificates directory by cd /etc/apache2/certificates Login via WinSCP, copy cacert.crt, server.key and server.crt files to /etc/apache2/certificatesby commands
cp /home/maverick/cacert.crt /etc/apache2/certificates/
cp /home/maverick/server.key /etc/apache2/certificates/
cp /home/maverick/server.crt /etc/apache2/certificates/
Go to certificates directory by cd /etc/apache2/sites-enabled Create file ssl.conf and add contents
Run command to enable ssl in Apache a2enmod ssl Restart apache server by /etc/init.d/apache2 restart
CA certificate must be imported in the web browser else it will generate security warnings. <VirtualHost *:80> DocumentRoot /var/www/html/ ServerName 192.168.1.133 <VirtualHost *:443> DocumentRoot /var/www/html/ ServerName 192.168.1.133 SSLEngine on SSLProtocol All -SSLv2 -SSLv3 SSLCertificateFile /etc/apache2/certificates/server.crt SSLCertificateKeyFile /etc/apache2/certificates/server.key SSLCACertificateFile /etc/apache2/certificates/cacert.crt
Import Certificates in Internet Explorer
Internet Explorer ->Tools ->Internet Options ->Content ->Certificates ->Trusted Root Certification Authorities ->Import->Browse (Select the cacert.crt file)->Import to Trusted Root Certification Authorities. Click Yes to the Security Warning.
Figure: 15 Add CA Certificate to Windows Store
Double click the cacert.crt file to view the certificate.
Figure: 16 CA Certificate in MS Windows
Import Certificates in Mozilla Firefox
Import CA Certificate in Mozilla Firefox ->Tools ->Options ->Advanced ->Encryption ->View Certificates ->Authorities ->Import ->Browser for cacert.crt ->Check all 3 options.
Figure: 17 Import CA Certificate in Mozilla Firefox Store If we open the server certificate, then it opens correctly because we have added its CA certificate in Windows store. The CA chain is verified correctly as shown in the figure.
Figure: 18 Server Certificate Chain Verification
Access the default Web Interface of Apache Server on Ubuntu Linux by typing https://192.168.1.133/
Figure: 19 Secure Web Server on HTTPS
All this communication was encrypted and cannot be captured by any attacker. Open Wireshark and start capturing the traffic. Access the web page again to generate the traffic. Analyze the traffic between client and server by typing “ip.addr == 192.168.1.1 && ip.addr == 192.168.1.133” in the filter textbox. The encrypted traffic is visible in the figure.
Figure: 20 Encrypted Traffic captured in Wireshark
Web server traffic has been secured from attackers and intruders.
The ciphers being used for the communication are:
Connection encrypted through AES Galois Counter Mode ECDHE_RSA was used as the secure key exchange mechanism between client and server.
Figure: 21 Details of Encryption Mechanisms on Web Server
Web server traffic has been secured from attackers and intruders.
Create a user private key. Run openssl genrsa -out UserAPrivate.key 2048
Figure: 22Generate User Private Key
Open the private key to verify that command was run successfully. Run vim UserAPrivate.key
Figure: 23Check Private Key
Generate corresponding public key. Run openssl rsa -in UserAPrivate.key -out UserAPublic.key -outform PEM -pubout
Figure: 24Generate Public Key
Open the public key to verify that command was run successfully. Run vim UserAPublic.key
Figure: 25Verify Public Key As it was discussed before in the article that one key is used to encrypt, and a corresponding/matching key is used to decrypt. If the public key is used for encryption, the associated private key is used for decryption achieving confidentiality.
Create a plain text file. Run echo “This file has some text. It will be used for Encryption and Decryption” > file.txt
Figure: 26Create Plain text file
Encrypt the plain text file with the public key. Run openssl rsautl -encrypt -inkey UserAPublic.key -pubin -in file.txt -out encfile.txt
Figure: 27Encrypt with Public Key
Open the encrypted file to view the contents. Run vim encfile.txt
Figure: 28View Encrypted Text
Decrypt the file with the private key. Run openssl rsautl -decrypt -inkey UserAPrivate.key -in encfile.txt -out fileDecrypted.txt
Figure: 29Decrypt with Private Key
View the decrypted file; actual contents have to be decrypted successfully. Run cat fileDecrypted.txt
Figure: 30Verify Decrypted Output
The actual plain text has been recovered successfully.
As it was discussed before in the article that one key is used to encrypt, and a corresponding/matching key is used to decrypt. If the private key is used for encryption, the associated public key is used for decryption achieving authentication.
Create a plain text file. Run echo “This file has some text. It will be used for Encryption and Decryption” > file.txt
Figure: 31 Create Plain text file
Encrypt the plain text file with the private key. Run openssl rsautl -inkey UserAPrivate.key -sign -in file.txt -out fileSigned.txt
Figure: 32 Encrypt with Private Key
Open the encrypted file to view the contents. Run vim fileSigned.txt
Figure: 33 View Signed File
Decrypt the file with the public key. Run openssl rsautl -inkey UserAPublic.key -pubin -in fileSigned.txt
Figure: 34 Decrypt with Public Key
The actual plain text has been recovered successfully.
https://www.openssl.org/docs/manmaster/apps/rsautl.html http://krisjordan.com/essays/encrypting-with-rsa-key-pairs https://raymii.org/s/tutorials/Encrypt_and_decrypt_files_to_public_keys_via_the_OpenSSL_Command_Line.html https://gist.github.com/colinstein/de1755d2d7fbe27a0f1e https://linuxconfig.org/easy-way-to-encrypt-and-decrypt-large-files-using-openssl-and-linux http://stackoverflow.com/questions/14327517/openssl-rsa-using-a-public-key-to-decrypt