During an SSL handshake with client authentication, is the client certificate encrypted when it is transmitted by the browser to the server? In other words does the symmetric key exchange occur BEFORE the client certificate is transmitted? I assume it is else a listener could steal the certificate right?
With TLS 1.3 both server and client certificates are encrypted, with TLS 1.2 and lower they are send in clear.
I assume it is else a listener could steal the certificate right?
A certificate is usually not considered secret information. Only the private key matching the public key in the certificate is secret, but this private key is not transmitted.
Related
QUESTION: The initial request/response HTTPS communication between client and server are not encrypted, except for the CA certificate in the response?
If so, what prevents a hacker from seeing the initial client request to the server, and intercept the response from the server,
containing its CA certificate, decrypting the certificate with the CA's public key, get the server's public key in the certificate,
and use it to encrypt its own symmetric key and send to the server, thereby bypassing the client, and establishing a bogus dialog between hacker and server?
This question has already been answered here.
TL;DR
What you are defining is a Man-In-The-Middle attack on SSL, and this can happen only if one of SSL preconditions is broken.
I'm doing my best to understand mutual SSL. One question I can't find a good answer to is why you need to create a key pair on the client instead of just providing a public client certificate.
So far I understand the following (very oversimplified):
Regular SSL:
The server has a key pair and sends the public part (certificate) so the client can use that public key to encrypt messages so they can share a symmetric key and eventually secure all communication.
To verify that the server is actually the server the issuer of the certificate has to be trusted (in a truststore) of the client by default.
Mutual SSL:
Exactly the same, only this time the server asks the client to authenticate itself.
The client sends its public certificate, which is verified against some kind of list of "known certificates" on the server. If it matches, communication can continue.
I don't understand why I have to include the entire key pair (the private part as well) in the key store I use on the client side. Where is the client's private key used in the process?
The server has a key pair and sends the public part (certificate) so the client can use that public key to encrypt messages so they can share a symmetric key and eventually secure all communication.
That's not the main point of the server certificate and with modern key exchange methods (i.e. Diffie-Hellman) the certificate is not involved at all in the key exchange. What you describe is only true for the obsolete RSA key exchange.
The main point of the certificate is to be used for authentication. Authentication means that the server proves that it owns the provided certificate and then that the client verifies that the certificate matches its expectations, i.e. issued by a trusted CA, expected subject/SAN, not expired etc.
The proof of ownership is done by signing some data (which is at least in part provided by the peer, i.e. client) with the private key matching the public key in the certificate. The peer (client) then can verify this signature using the public key of the certificate and if the verification passes the other side (server) is obviously in possession of the secret private key which means it owns the certificate.
With a client certificate used in mutual authentication the procedure is exactly the same, only with switched roles. That's why the private key is needed on the client side.
What type of certificates or keys are exchanged between a client and a server when it loads a webpage or website ?
Only the server's public key and the client's public key are exchanged.
The following occurs when a browser is connection to an HTTPS enabled website / service:
Client Hello
The client sends the SSL version number, cipher settings, session-specific data.
Server Hello
The server responds with the SSL version number, cipher settings, and the Server’s Certificate (Public Key).
Authentication and Pre-Master Secret
The client now authenticates the server certificate, and depending on the cipher the client creates a pre-master secret for the session.
The client encrypts data with the server's public key and sends the encrypted pre-master secret to the server.
Decryption and Master Secret
The server now uses its private key to decrypt the pre-master secret.
Both the server and client perform steps to generate the master secret with the agreed cipher.
Generate Session Keys
Both the client and the server now use the master secret to generate the session keys. The session keys are symmetric keys used to encrypt and decrypt information exchanged during the session.
Encryption with Session Key
At this point both server and client exchange messages to inform that future messages will be encrypted.
In short, there are 4 keys involved. The server's public and private key and the client's public and private key. The client gives it's public key to the server and the server gives it's public key to the client. The private keys are never transmitted or shared with anyone, they remain on the client and server, thus they are private.
Usually certificates are signed by a third party such as GoDaddy or Verisign. This gives the client reassurance that the server who issued the public key to the client is indeed who they say they are. (However beware, there is always the possibility of man in the middle attacks)
What I understand so far:
The CA(Certificate authority) has a key and builds a certificate using that key
The server has a key and builds a csr(Certificate Signing Request) with that key
Then using both the CA crt and key as well as the server csr the CA builds a server certificate
To authenticate a server the client uses the CA (its certificate) like this:
4.1. The client receives the server certificate
4.2. The client verifies that this certificate is authenticated by the certificate of the CA that it has (using the public key of the CA), it also verifies that the serial number of this certificate is not in the CRL (certificate revocation list)
4.3. The client generates a symmetric key and encrypts it using the public key giving by the server and sends it to the server
4.4. All communication starting from now is then encrypted using this symmetric key
Here is where I am still a bit confused:
The client uses the CA public key to verify the server certificate in step 4.2 but how does a match occur since the client only has the certificate of the CA? I mean unless the server csr passed to the CA has the same information verified by the client as the crt of the CA that the client has, how can a match occur?
Since anyone can have the server certificate I am assuming the only step that insures that only the server can communicate with the client is step 4.3 where only the server can have the symmetric key because only the server has the private key so only it can decrypt this encrypted symmetric key. Is this correct?
I am also not sure of all the steps or if I missed any steps.
I found an answer (How are ssl certificates verified?) that responds to the first part of my question then luckily someone posted a link in the comments that answers the rest: http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
I aks myself if it is possible to copy the server certificate to another server to misuse it. Example: An attacker visits https website X and copies the X.509 certificate. He placed the stolen X.509 certificate on his own server and would like being trustworthy.
Of course, the attacker does not have the private key, but the private key is only required to decrypt the encrypted message from the client. In terms of authentification there is no reason to be doubtfully. Or?
The server responses with the X.509 certificate. The client receives the certificate and validates successfully using the stored root certificates. Why should the server not be authentificated? Only when the client sends an encrypted message using the public key the server is not able to decrypt the message - because he does not own the private key.
It is right so far?
Only when the client sends an encrypted message using the public key the server is not able to decrypt the message - because he does not own the private key.
The server also needs the private key to sign messages being sent to the client.
The SSL/TLS handshake protocol itself effectively involves such an authenticated message being sent to the client. If the private key is unavailable then this step will fail before any 'real' payload message gets sent.
Why should the server not be authentificated?
The certificate is tied to a domain name.
The web browser will download the certificate and validate it. One of the steps in the validation is to compare the domain the certificate is for to the domain that the browser actually downloaded it from. If there is a mismatch (and there will be, since the attacker is on their own domain, not the original site's domain) then the browser will present the user with a certificate error and ask them to make the call about whether or not to accept it.
You're probably used to seeing this in action on bad web server configurations. Ever seen an error saying, "This certificate was intended for www.example.com" when you were trying to visit "example.com"?
Of course, the attacker does not have the private key, but the private key is only required to decrypt the encrypted message from the client.
Public/private key pairs have other uses than that. In this case, the private key signs the certificate and the public key verifies it. There is no encryption involved. (What you described is more like a normal encryption scheme, like RSA.)
No, the certificate is a pubic element and it is just a way to bind a public key to a name (here, a DNS name). During the authentication process (in the TLS protocol) the server sends its certificate along with signs some data with the associated private key. In order to verify that the server is the legitimate owner of the certificate, the client have to verify the validity of this signature with the sent certificate. A rogue server can try to use the certificate but without the private key it cannot prove it is the real holder.