Related
I'm new to asymmetric cryptography (public-private keys) and has a fundamental confusion:
I understand that once a person has broadcast his public key to the network, the following communications become safe using the public-private key paradigm.
However, how do you make sure the public key received is valid at the first place? For example, if Bob wants to establish a secure communication with Alice, with Eve eavesdropping in the middle, how do you make sure that Bob receives the real public key from Alice, instead of the fake public key forged by Eve?
Thanks!
Cheers,
M.
Public Key Infrastructure (PKI).
You have a third-party trusted authority that issues certificates to different people/companies. You don't only trust the people, but also the Certification Authority (CA).
The Certification Authority must ensure and validate that the people/company that is buying a certificate is in fact who it claims to be.
The verification is done by signing a the certificate using a private key (from this CA), then both peers in the connection will check that the certificate was signed by a trusted CA and validate the connection.
In you example, Bob will sign the certificate in a CA that Alice trusts.
If Eve tries to sign a certificate in this CA, claiming to be Bob, this will be rejected, because the CA will validate its authenticity. Try to buy a client certificate here to see: https://www.verisign.com/
Another example is your browser, it only shows that a trusted connection is done with StackOverflow, because it trust on Let´s Encrypt, which issued the StackOverflow.com certificate.
Every browser has some default CAs that are already trusted.
The public key would be signed by another authority. Check if this authority is genuine and renowned. If it is unknown then try to further check its signing authority and see if its a renowned one.
The concept of trusting this public key is based on basing your inherent trust in authority which signs this certificate. Signatures are mathematically verifiable so they cannot be forged unless there's an issue with implementation or mathematical algorithm itself.
So in a nutshell, try to see the signing authority of the certificate and if it is something you trust.
The certificate authorities(CA) or web of trust(WOT) model shall help you in ensuring the authenticity of public key.
The Certificate authority is a centralized entity that issues digital certificate that certifies the ownership of a public key by the named subject of the certificate. It acts as a trusted 3rd party, trusted both by the subject (owner) of the certificate and by the party relying upon the certificate.
The web of trust is a decentralized trust model to establish the authenticity of the binding between a public key and its owner . In a Web of Trust, everybody is a kind of CA. Every user signs certificates for whoever he wants. It relies on value of trust or trust relationships between regular users.
Web Of Trust model operates such that if we verify that A's certificate is actually for A and we verify that B's certificate is from B, A and B can both verify that C is in fact C. Now, when C want's to interact with us, he can provide his certificate which is trusted by both A and B. Since we trust A and B , we can conclude that it is highly probable that C is actually C. This works since we expect that A and B weren't both working together and C had to have convinced them both that he was ok.
I want to understand what self signed certificate means.
any explanation is appreciated.
Self Signed Certificates are types of SSL certificates that are generated by an independent person (such as yourself), rather than generated by a Certificate Authority.
Many organizations are tempted to use self-signed SSL Certificates instead of those issued and verified by a trusted Certificate Authority mainly because of the price difference. Unlike CA issued certificates, self-signed certificates are free of charge. What most users are not aware of is that self-signed certificates can end up costing them more in the long run.
While self-signed SSL Certificates also encrypt customers' log in and other personal account credentials, they prompt most web servers to display a security alert because the certificate was not verified by a trusted Certificate Authority. Often the alerts advise the visitor to abort browsing the page for security reasons.
In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. This term has nothing to do with the identity of the person or organization that actually performed the signing procedure.
It means that the people who are providing the certificate are the same people the certificate is being issued to, usually done this way because it is free.
It is best to have a certificate provided by a trusted Certificate Authority however, It will cost money, but is more trustworthy.
How does the client ensure the ssl certificate that the server send is the true owner of the certificate? How does it prevent a hacker from cloning, for example, the google ssl certificate, and trick me that he is the google site during the handshaking? can the hacker clone the certificate and modify the domain or ip info from network packet to trick people?
An SSL certificate for e.g. www.google.com is signed by a 3rd party named a Certificate Authority (CA). In the case of google that 3rd party is currently "GeoTrust Global CA". Too look up who it is, you need to inspect the certificate (browsers typically will let you do that rather easily, but each has their own way)
That links the certificate with the name "www.google.com".
Your client(s) have a list of CAs they trust on your behalf. That list is either maintained by the vendor of your OS and/or by the creator of your client/browser.
So how does the client know it's talking to the right server ?
The certificate is signed by a CA it trusts, the certificate is for the name the client wants to connect to, and the server delivered proof it knows the corresponding secret key to the public key that's in the certificate.
A hacker who would copy a valid certificate from www.google.com and place it on their own machine would only have the public key and not have the private key.
A hacker who would try to get their certificate request signed by a reputable CA would get rejected because they cannot proof to own the google.com domain. And hence the name would not match.
A hacker who would sign their own certificate request, would fail as their self-built CA is not in the trusted list.
A hacker who would break into google's servers and copy the secret key somehow, could pass muster for a while, but once the folks at Google detect it, they would contact their CA and revoke the certificate.
Now this process is the weak point in most implementations as these revoked certificates are published by the CA as Certificate Revocation Lists (CRLs) or as an OCSP (Online Certificate Status Protocol) service, but clients typically take the shortcut and do not validate that a certificate has not been revoked.
There are already answers about generating self signed certificate with openssl like this. However, what I want is a certificate that can do nothing but authenticate and encrypt the traffic to predefined websites.
A certificate generated by the following command
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
has basic constraint / certificate authority set to YES, meaning that it can be used to sign other certificates. Suppose that my domain is mystackoverflow.com, an attacker who steals my private key would not only be able to MITM the connection to mystackoverflow.com, but also facebook.com or google.com because he can sign forged certificates with the said private key and get trusted by my system.
So the question is, how do I minimize the power of this certificate so that it cannot sign additional keys, sign codes, encrypt emails or do anything other than protect https connection to a specific website?
I want is a certificate that can do nothing but authenticate and encrypt the traffic to predefined websites...
So the question is, how do I minimize the power of this certificate so that it cannot sign additional keys, sign codes, encrypt emails or do anything other than protect https connection to a specific website?
There are three parts to this question.
First is how to "authenticate and encrypt [stuff]". That's handled by Key Usage and Extended Key Usage. In particular, bits like digitalSignature (signing key exchange, like Diffie-Hellman), keyEncipherment (key transport, like RSA), serverAuth, etc.
Second is how not to mint certificates. For end entity certificates (i.e., server certificates), you remove the CA=true basic constraint and you remove the keyCertSign bits. You will still need a intermediate CA with the ability to sign end entity certificates because that's where the policy of "this CA can only issue for these names" is applied.
Third is how to apply a policy like "this CA can only issue for these names". Under the IETF's rules for PKIX in RFC 5280, you can do it in the CA certificate with the Name Constraints extension. See section 4.2.1.10 for details.
Under CA/Browser Forum rules, you can do it because they have policy objects. But I don't know how to do it under the CA/B (it may be the same as the IETF).
You have to be careful with the IETF gear. They have extensions, but they don't have policies. So you need to ensure you are working within and existing extension, and not forging new policy. See OID for certificates issued under IETF policy? on the PKIX mailing list for more details.
The CA/B Forum is significant because browsers follow the CA/B Forum rules, and not the IETF. And the CA/B Forum and IETF have different requirements in a few key areas. That's why a certificate created with OpenSSL (which follows IETF guidelines) fails to validate in Browsers (which follow CA/B Forum guidelines).
A certificate generated by the following command: openssl req ...
It used to be how to do it, but its not how to do it today. Today it produces a malformed certificate (which may or may not cause problems, depending on your user agent). For the question you cited, one answer in particular tells you why its incorrect and how to do it.
.. an attacker who steals my private key ..
So the question is, how do I minimize the power of this certificate so that it cannot sign additional keys, sign codes, encrypt emails or do anything other than protect https connection to a specific website?
If you fear that the attacker might steal the key to the certificate and then sign other things with it, then you should not create a self-signed certificate. Instead create first your own CA. Then create a leaf-certificate which can not be used to sign certificates and sign it by your own CA. Once this is done put the private key of the CA far far away (offline or even destroy it if you don't need it to sign more certificates).
With this setup an attacker could still steal the identity of the certificate if it gets its private key. But since this certificate is not a CA itself (unlike normal self-signed certificates) it can not be used to sign new certificates.
I've read about SSL protocol and now, I know how it encrypts data. But there is something I couldn't understand. With SSL , you're sure you're sending data to and getting data from correct server. But how?
I mean if I create a fake certificate and send it for requests of special website, how do browsers ( or other programs) detect the fake certificate?
Edit: I didn't mean to create a self-signed certificate. I meant how can someone validate my certificate if I create a certificate that its issuer and subject ,etc are something to real certificate! (the only things that are not real is Public key & signature)
TL;DR summary:
Validity of a server certificate is established by:
Host name verification
Verifying the signatures of the entire certificate chain
Performing additional checks on meta data for each certificate
Checking the revocation status of each of the certificates involved
Checking whether the self-signed root certificate of the chain is among the certificates that one trusts by default
Explanation
Let's assume you want to connect to https://mail.google.com (you can try this out in your browser!).
The (real) server will respond with a certificate that is issued to mail.google.com, i.e. in the 'Subject' field of the certificate you will find the Common Name (CN) 'mail.google.com' - cf. RFC 5280 for details on the fields of certificates. The fact that the subject is linked to the site URL is very important for the security of the whole model, and it is actively checked by your TLS implementation ("host name verification"), because otherwise there would be room for Man-In-The-Middle attacks. I.e. somebody could acquire an otherwise valid certificate and impersonate mail.google.com without you taking any notice of it.
In addition to the host name verification, your TLS implementation will also check the "validity" of the certificate. The whole procedure is rather complex and does include checking the trustworthiness of the certificate, but additionally a lot of other things will be checked, more on that in a minute.
If you view Google Mail's certificate in your browser, you will notice that there are actually three certificates shown:
mail.google.com
Thawte SGC CA
Class 3 Public Primary Certification Authority (VeriSign)
The model is that there are a few (well, unfortunately not so few anymore) trusted root certificate authorities ("root CAs") that either you could choose on your own or (more likely) that come preconfigued with your software (e.g. browser) that are blindly trusted. These trusted authorities form the anchors of the entire trust model of "PKI" (Public Key Infrastructure). The basic idea is that the trusted entities may issue certificates to other authorities and grant them permission to again issue certificates (these authorities are called intermediate certificate authorities). The intermediate CAs may again recursively apply this procedure up to a certain point, the number of intermediate CAs between an actual end entity certificate and a root CA certificate is generally limited.
At one point, an intermediate CA will issue certificates to an "end entity" ("mail.google.com" in our example). Now the process of issuing a certificate actually means that the party requesting a certificate will create a public/private key pair first, and use them to authenticate a certificate request that is sent to the certificate authority. The issuing authority creates a certificate for the subordinate entity (either intermediate CA or end entity) by "signing" that certificate using its own private key using an asymmetric algorithm such as RSA and by additionally including the public key of the requesting party within the newly generated certificate. The root CA possesses a so called self-signed certificate, i.e. the root CA is the only authority that may sign their own certificate and include their own public key. The private key remains hidden at all times, of course.
The recursive nature of the certificate issuing process implies that for each end entity certificate there is a unique way of establishing a "chain" of certificates that leads up to a root certificate authority. Now when you are presented with an end entity certificate while trying to connect to a TLS-secured site, the following procedure will be applied recursively until you end up with a root CA certificate:
Find the certificate of the authority that issued the certificate to be validated (see RFC 5280 for details). If none is found: exit with error.
Take the public key of the issuing certificate and verify the signature of the to-be-validated certificate using this public key.
Check a lot of additional things such as whether the certificate has neither expired nor is it not valid yet, "policy constraints", "key usages", "extended key usages"... (again, the gory details are in the RFC).
Certificate revocation status (more on that later)
If all checks were positive, you will ultimately end up with a certificate being self-signed, i.e. where the subject is also the issuer (such as the VeriSign certificate in our example). Now the last thing you have to verify is whether this certificate is among those that you blindly trust: if it is, all is well and the connection will succeed, if it is not, the connection attempt will be rejected.
As if this were not complicated enough already, the checks described so far do not handle cases where once valid certificates suddenly become rogue, examples being cases where a certificate is stolen or private keys are compromised (think of Comodo and DigiNotar). In these cases, the normal procedure is to "revoke" those certificates gone bad, that is you want to mark them as being invalid starting from a distinct point in time (they will expire at some point anyway, but for the remainder of that period they shall already be marked as invalid). For these cases, CAs have the possibility to issue CRLs (a catalog of certificates declared as invalid) or OCSP responses (information for one or in rare cases a set of certificates) that provides clients with information whether a given certificate has been marked as invalid or not. The revocation status needs to be checked for all certificates in a chain, should one of them be marked as invalid then the end entity certificate cannot be trusted and the connection must be rejected as well.
SSL certificates are signed by a certificate authority (CA), which is someone the user already trusts (or more likely, the people who designed their operating system trusts).
The CA digitally signs the certificate using public key encryption. The basic explanation is that the CA has a "private key", and a "public key" that everyone knows. Via some math I don't understand, the CA can create a signature using its private key which can easily be verified with its public key (but the public key can't be used to create a new signature).
When you get an SSL certificate from a server, you get the server's public key, and a signature from a CA saying that it's valid (along with some other info). If you know and trust that CA, you can check the signature and determine if it's valid. You can also use a certificate revocation list to make sure it wasn't revoked.
So basically, you can recognize a bad SSL certificate because it isn't signed by a certificate authority that you trust.
Any fake certificate you create will be a self-signed certificate.
The browser will display big scary warnings when connecting to a site with a self-signed certificate which the user will promptly ignore.
In order to avoid warnings, you need a certificate signed by a certificate authority that the browser trusts, such as VeriSign.
These companies will hopefully make sure that you actually own the domain for the certificate they're signing.
Re: Edit: You can only create a non-self-signed certificate if you get it signed from a trusted CA.
They will refuse to sign a certificate for a different subject.
Process from my understanding:
server sends servers public key
server sends certificate (all information encrypted by trusted CA with their private key)
Your PC decrypts certificate with public key (built into OS from trusted CA)
Your PC hashes (with sha1 and sha256) the servers public key
Your PC compares the hashes of servers public key with certificate stored hash, if not same browser will block site
Your PC compares allowed domains from certificate and the domain, if not allowed, if not same browser will block site
Your PC compares valid date from certificate and your date, if not valid browser will block site.
To fake this you would either need to:
obtain a CA private key (extremely hard to get),
be a CA,
be part of the 5 eyes (Government intelligence agency alliance) and ask a CA for their private key
So if you see a padlock in the address bar you are almost always safe.
Certificates work because they follow a chain of trust. Certificates have a chain of one or more issuers that are trusted; this chain is the backbone of why it works at all. Browsers and nearly all SSL certificate libraries do this chain check, or at least provide the option to.
Self-signed certificates (or those issued by chains that end in a self-signed certificate) would fail this check.