Refference :wikipedia

Encryption is the way to secure the communication between services or nodes in modern software paradigm.

But is

Modern cryptography

Public Key /Private key criptograpy (RSA)

Prior to that time, all useful modern encryption algorithms had been symmetric key algorithms, in which the same cryptographic key is used with the underlying algorithm by both the sender and the recipient, who must both keep it secret. All of the electromechanical machines used in World War II were of this logical class, as were the Caesar and Atbash ciphers and essentially all cipher systems throughout history. The ‘key’ for a code is, of course, the codebook, which must likewise be distributed and kept secret, and so shares most of the same problems in practice.

For two users of an asymmetric key algorithm to communicate securely over an insecure channel, each user will need to know their own public and private keys as well as the other user’s public key. Take this basic scenario: Alice and Bob each have a pair of keys they’ve been using for years with many other users. At the start of their message, they exchange public keys, unencrypted over an insecure line. Alice then encrypts a message using her private key, and then re-encrypts that result using Bob’s public key. The double-encrypted message is then sent as digital data over a wire from Alice to Bob. Bob receives the bit stream and decrypts it using his own private key, and then decrypts that bit stream using Alice’s public key. If the final result is recognizable as a message, Bob can be confident that the message actually came from someone who knows Alice’s private key (presumably actually her if she’s been careful with her private key), and that anyone eavesdropping on the channel will need Bob’s private key in order to understand the message.

Hashing

Hash functions can be used to verify digital signatures, so that when signing documents via the Internet, the signature is applied to one particular individual. Much like a hand-written signature, these signatures are verified by assigning their exact hash code to a person. Furthermore, hashing is applied to passwords for computer systems. Hashing for passwords began with the UNIX operating system. A user on the system would first create a password. That password would be hashed, using an algorithm or key, and then stored in a password file. This is still prominent today, as web applications that require passwords will often hash user’s passwords and store them in a database.

PGP (Pretty Good Privacy)

Modern cryptanalysis

TLS

Transport Layer Security (TLS)

https://www.slideshare.net/er_arun/transport-layer-security-tls-56241444"

Two protocols are dominant today for transport layer protocols providing security at the transport layer.

  1. SSL (Secure Socket Layer)
  2. TLS (Transport Layer Security

When a server and client communicate, TLS ensure that no that third party may eavesdrop or tamper with any message.

TLS is composed with two layers.

  1. The TLS Record Protocol

2. The TLS handshake protocol.

The TLS Record Protocol provide encription security with some encription methods like DES (Data Encryption Standard).

TLS Handshake protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged.

Handshake protocol

The Transport Layer Security (TLS)

  • Handshake Protocol is responsible for the authentication and key exchange necessary to establish or resume secure sessions. When establishing a secure session, the Handshake Protocol manages the following:
  • Cipher suite negotiation.
  • Authentication of the server and optionally, the client.
  • Session key information exchange.
  • Cipher Suite Negotiation The client and server make contact and choose the cipher suite that will be used throughout their message exchange. (Authentication & Encryption combination)
  • Authentication In TLS, a server proves its identity to the client. The client might also need to prove its identity to the server. PKI, the use of public/private key pairs, is the basis of this authentication. The exact method used for authentication is determined by the cipher suite negotiated.
  • Key Exchange The client and server exchange random numbers and a special number called the Pre-Master Secret. These numbers are combined with additional data permitting client and server to create their shared secret, called the Master Secret. The Master Secret is used by client and server to generate the write MAC secret, which is the session key used for hashing, and the write key, which is the session key used for encryption.

Hash for certificate verify messages in TLS

The TLS Handshake Protocol involves the following steps:

  • The client sends a “Client hello” message to the server, along with the client’s random value and supported cipher suites.
  • The server responds by sending a “Server hello” message to the client, along with the server’s random value.
  • The server sends its certificate to the client for authentication and may request a certificate from the client. The server sends the “Server hello done” message.
  • If the server has requested a certificate from the client, the client sends it.
  • The client creates a random Pre-Master Secret and encrypts it with the public key from the server’s certificate, sending the encrypted Pre-Master Secret to the server.
  • The server receives the Pre-Master Secret. The server and client each generate the Master Secret and session keys based on the Pre-Master Secret.
  • The client sends “Change cipher spec” notification to server to indicate that the client will start using the new session keys for hashing and encrypting messages. Client also sends “Client finished” message.
  • Server receives “Change cipher spec” and switches its record layer security state to symmetric encryption using the session keys. Server sends “Server finished” message to the client.
  • Client and server can now exchange application data over the secured channel they have established. All messages sent from client to server and from server to client are encrypted using session key.

Hash for finished messages in TLS.

Change cipher spec protocol.

Alert Protocol

Resuming a Secure Session by Using TLS

  • The client sends a “Client hello” message using the Session ID of the session to be resumed.
  • The server checks its session cache for a matching Session ID. If a match is found, and the server is able to resume the session, it sends a “Server hello” message with the Session ID.
  • Note If a session ID match is not found, the server generates a new session ID and the TLS client and server perform a full handshake.
  • Client and server must exchange “Change cipher spec” messages and send “Client finished” and “Server finished” messages.
  • Client and server can now resume application data exchange over the secure channel.

Record Protocol — — — — — — — — — — — — — — — — — — — — — — -

  • The Transport Layer Security (TLS) Record protocol secures application data using the keys created during the Handshake. The Record Protocol is responsible for securing application data and verifying its integrity and origin. It manages the following:
  • 1. Dividing outgoing messages into manageable blocks, and reassembling incoming messages.
  • 2. Compressing outgoing blocks and decompressing incoming blocks (optional).
  • 3. Applying a Message Authentication Code (MAC) to outgoing messages, and verifying incoming messages using the MAC. 4. Encrypting outgoing messages and decrypting incoming messages.

Payload from upper layer.

When the Record Protocol & Handshake protocols are completed, the outgoing encrypted data is passed down to the Transmission Control Protocol (TCP) layer for transport.

Certificate Generation and HTTPS

Development Environment with https Test Environment with openssl and letsencript.

Certificate generation with open ssl

Required Certificate file creation with our own CA

Certificate Generation

openssl genrsa -des3 -out rootCA.key 4096
//if you don’t want password verification
openssl genrsa -out rootCA.key 4096
Create and Self sign the root certificate creation
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
Interactive #################
Country Name (2 letter code) [AU]:LK
State or Province Name (full name) [Some-State]:western
Locality Name (eg, city) []:colombo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lsf
Organizational Unit Name (eg, section) []:copper
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:tharanga.rajapaksha@gmail.com

Do above with configuration
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -subj "/C=LK/ST=western/O=lsf, Inc./CN=local.com" -out rootCA.crt
Updating Root CA in the local machine
mkdir /usr/local/share/ca-certificates/extra
cp rootCA.crt /usr/local/share/ca-certificates/extra/rootCA.crt
update-ca-certificates
Output ######################
root@rainloop:/cert# update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Create my domain key
openssl genrsa -out example.com.key 2048
Create CSR (Certificate Signing Request)
openssl req -new -sha256 -key example.com.key -subj "/C=SL/ST=western/O=lsf, Inc./CN=example.com" -out example.com.csr
openssl req -in example.com.csr -noout -text
openssl x509 -req -in example.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out example.com.crt -days 500 -sha256

Following steps to be followed for apache https conversion

a2enmod ssl

We put the default-ssl site available creating a symbolic link

ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

Now we edit the file default-ssl (or default-ssl.conf for new version) we have just enabled

nano /etc/apache2/sites-enabled/000-default-ssl.conf

End of Edit

and we change the two lines relative to SSLCertificate as follow :

/etc/apache2/sites-enabled/000-default-ssl

SSLCertificateFile /etc/apache2/ssl/server.crt

SSLCertificateKeyFile /etc/apache2/ssl/server.key

Now restart apache server

/etc/init.d/apache2 restart

Let’s Encript using lesencript free CA

A Free Solution

The recommended way to get a certificate from Let’s Encrypt is to use Certbot which is an ACME client.

Refferences:

https://www.macstrategy.com/article.php?211#install_letsencrypt

https://medium.com/@meeramarygeorge/create-php-mysql-apache-development-environment-using-docker-in-windows-9beeba6985

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04

https://certbot.eff.org/lets-encrypt/ubuntutrusty-apache

Checking dns

http://dns-record-viewer.online-domain-tools.com/

A Simple Setup and Installation Script for Let’s Encrypt SSL Certificates

Installing nginx webserver with letsencript

Non interactive way to generate keys using lets encrypt to automate key generation.

certbot-auto --non-interactive --agree-tos --text --rsa-key-size 4096 --email admin@copper.opensource.lk --webroot-path /var/www/html/site/ --apache --help plugins \
--domains "copper.opensource.lk"
// how to give these parameters in docker file for configuationscertbot certonly \
--standalone \
--non-interactive \
--agree-tos \
--email YOUR_CERTIFICATE_EMAIL \
--domains copper.opensource.lk \

Certificate Formats

For an in-depth approach to this topic, feel free to check the X.509 article on Wikipedia and the comprehensive definition of X.509 certificate and CRL in a Request for Comments (RFC) publication by Internet Engineering Task Force (IETF).

Once you’ve got your certificate files, seeing your file extension will allow you to know what’s in the file, and which file fits best your needs.

*.pem, *.crt, *.ca-bundle, *.cer, *.p7b, *.p7s files contain one or more X.509 digital certificate files that use base64 (ASCII) encoding. You get one of those in a zip file downloaded from your user account, or receive such file from the Certificate Authority.

Use this SSL Converter to convert SSL certificates to and from different formats such as pem, der, p7b, and pfx. Different platforms and devices require SSL certificates to be converted to different formats. For example, a Windows server exports and imports .pfx files while an Apache server uses individual PEM (.crt, .cer) files. To use the SSL Converter, just select your certificate file and its current type (it will try to detect the type from the file extension) and then select what type you want to convert the certificate to and click Convert Certificate. For more information about the different SSL certificate types and how you can convert certificates on your computer using OpenSSL, see below.

PEM Format

Apache and other similar servers use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.

DER Format

PKCS#7/P7B Format

PKCS#12/PFX Format

When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statments) to its own individual text file and save them as certificate.cer, CACert.cer, and privateKey.key respectively.

OpenSSL Commands to Convert SSL Certificates on Your Machine

OpenSSL Convert PEM

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL Convert DER

openssl x509 -inform der -in certificate.cer -out certificate.pem

OpenSSL Convert P7B

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

OpenSSL Convert PFX

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

If you need to convert a Java Keystore file to a different format, it usually easier to create a new private key and certificates but it is possible to convert a Java Keystore to PEM format.

Creating a .pem File for SSL Certificate Installations

.pem SSL Creation Instructions

This article contains multiple sets of instructions that walk through various .pem file creation scenarios.

Creating a .pem with the Entire SSL Certificate Trust Chain

  1. Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt), Root (TrustedRoot.crt), and Primary Certificates (your_domain_name.crt).
  2. Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:
  3. The Primary Certificate — your_domain_name.crt
  4. The Intermediate Certificate — DigiCertCA.crt
  5. The Root Certificate — TrustedRoot.crt
  6. Make sure to include the beginning and end tags on each certificate. The result should look like this:
  7. — — -BEGIN CERTIFICATE — — —
    (Your Primary SSL certificate: your_domain_name.crt)
    — — -END CERTIFICATE — — —
    — — -BEGIN CERTIFICATE — — —
    (Your Intermediate certificate: DigiCertCA.crt)
    — — -END CERTIFICATE — — —
    — — -BEGIN CERTIFICATE — — —
    (Your Root certificate: TrustedRoot.crt)
    — — -END CERTIFICATE — — -
  8. Save the combined file as your_domain_name.pem. The .pem file is now ready to use.

Creating a .pem with the Server and Intermediate Certificates

  1. Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt) and Primary Certificates (your_domain_name.crt).
  2. Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:
  3. The Primary Certificate — your_domain_name.crt
  4. The Intermediate Certificate — DigiCertCA.crt
  5. Make sure to include the beginning and end tags on each certificate. The result should look like this:
  6. — — -BEGIN CERTIFICATE — — —
    (Your Primary SSL certificate: your_domain_name.crt)
    — — -END CERTIFICATE — — —
    — — -BEGIN CERTIFICATE — — —
    (Your Intermediate certificate: DigiCertCA.crt)
    — — -END CERTIFICATE — — -
  7. Save the combined file as your_domain_name.pem. The .pem file is now ready to use.

Creating a .pem with the Private Key and Entire Trust Chain

  1. Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt) and Primary Certificates (your_domain_name.crt).
  2. Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:
  3. The Private Key — your_domain_name.key
  4. The Primary Certificate — your_domain_name.crt
  5. The Intermediate Certificate — DigiCertCA.crt
  6. The Root Certificate — TrustedRoot.crt
  7. Make sure to include the beginning and end tags on each certificate. The result should look like this:
  8. — — -BEGIN RSA PRIVATE KEY — — —
    (Your Private Key: your_domain_name.key)
    — — -END RSA PRIVATE KEY — — —
    — — -BEGIN CERTIFICATE — — —
    (Your Primary SSL certificate: your_domain_name.crt)
    — — -END CERTIFICATE — — —
    — — -BEGIN CERTIFICATE — — —
    (Your Intermediate certificate: DigiCertCA.crt)
    — — -END CERTIFICATE — — —
    — — -BEGIN CERTIFICATE — — —
    (Your Root certificate: TrustedRoot.crt)
    — — -END CERTIFICATE — — -
  9. Save the combined file as your_domain_name.pem. The .pem file is now ready to use.

Creating Binary Certificate files.

dhparam.pem Generation

We can do this by typing:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This may take a few minutes, but when it’s done you will have a strong DH group at /etc/ssl/certs/dhparam.pem that we can use in our configuration.