PKI

PKI (public key infrastructure) is a hybrid of symmetric and asymmetric encryption. The handshake uses asymmetric encryption to exchange the secret key used for symmetric encryption. Once the secret key is exchanged, the rest of the communication uses symmetric encryption. Better performance can be enjoyed with increased security. PKI is a hierarchical model which is comprised of the following components:

  • Certificate Authority (CA): Issues certificates for requests. It can be in-house or a trusted third party such as Verisign, or COMODO.
  • Registration Authority (RA): Performs background checks on the requests received from end points to avoid issuing certificates to a bogus entity.
  • Certificate Revocation List (CRL): A list of the certificates which are no longer trustworthy.
  • End point entities: They make requests for certificates to prove their identities.
  • Certificates Repository: The repository contains a list of issued certificates. End point entities can retrieve them to verify corresponding servers. For end users, it’s usually located in the web browser.

How SSL/TLS works

SSL (Secure Socket Layer) is a secure communication protocol that provides privacy and reliability between two servers or applications. SSL version 3.0 is the current version used in the internet community. But because of recent attacks like POODLE on SSL 3.0, it is now advised to remove the usage of SSL 3.0 altogether and configure TLS for secure transmission of data. TLS (Transport Layer Security) is designed to provide a complete cryptographic security layer to the confidential information transmitting between servers.TLSis built onto two layers i.e. TLS record protocol and the Handshake protocol.

Now since we understand what SSL and TLS are at the very basic, now we will learn about how communication takes place between clients and servers over secure channels.

Let’s use PayPal homepage as an example. In the below screenshot there’s a green padlock icon located at the start of the URL bar. Clicking on it will show you the certificate details. HTTPS indicates that the connection is secured over SSL or TLS.

Here are the steps taken between a client and a server.

  1. The client makes a request over SSL.
  2. The server responds with a certificate.
  3. Local certificates are stored in the browser. The browser will validate the certificate with a local certificate. If the certificates aren’t in the browser, certificate details are requested from the signing CA.
  4. After validating the server certificate, the browser retrieves a public key from it. The public key is stored in the certificate.
  5. The browser will generate a random session key, and encrypt the packet with the public key of the server and send it to it.
  6. The server receives the request, and decrypts the packet using its private key.
  7. Further communication will take place using that random session key.

Certificate Inspection

Here’s a sample certificate issued from COMODO.

Certificate Parameters

  1. Signature algorithm: It’s used to sign the certificate.
  2. Issuer: The CA which has certified the certificate.
  3. Valid From and Valid To: The certificate’s validity period.
  4. Public key: The most important aspect. Since the certificate is public, it contains the public key.

  5. The private key corresponding to the public key is only controlled by the client.
  6. Key usage determines the usage of the public key.

Certificate Creation

We’ll learn how to create a certificate using open source tools GnuPG and Kleopatra.

“GnuPG is an OpenPGP standard which provides features like encryption and signing data, communication, provides a versatile key management system for all kinds of public key directories.”

“Kleopatra is a certificate manager and a universal crypto GUI. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers.”

Certificate Creation using GnuPG

After installing GnuPG , the first step is to learn how to create a certificate. Open GnuPG and Kleopatra. Here’s Kleopatra’s Certificate Administration screen. It shows all the certificates being created in GnuPG.

There are two types of certificates that can be created, X.509 and PGP. The difference is that in OpenPGP key pairs can be created locally and certified by anyone. In X.509, certificates needs to be certified by a Central Certification Authority (CA).

Create a OpenPGP certificate

  1. Click on File > New Certificate
  2. Select OpenPGP key pair.

  3. Enter your name and email address.

  4. Click on advanced settings to select the functionality and the key strength. We selected 2048 bit RSA, for signing and encryption.

  5. Click on “OK”.
  6. Confirm the details below, and click on “Create Key.”

    030415_2204_Cryptograph10.png

  7. Enter a passphrase and click “OK”. Quality measure indicates the strength of your passphrase.

    030415_2204_Cryptograph11.png

  8. If the passphrase is accepted and all the required details are entered, a key pair is created. A 40 digit fingerprint is generated. OpenPGP is displayed. This fingerprint identifies the certificate as well as the user.

    030415_2204_Cryptograph12.png

Next after creating a fingerprint, make a backup of the private certificate.

  1. Click on “Make a backup of your key pair”.
  2. Select the path where the public and private key pair should be exported.

    030415_2204_Cryptograph13.png

  3. Here’s message to confirm that a secret key has been successfully exported.

030415_2204_Cryptograph14.png

Here’s how to create a X.509 certificate. A X.509 certificate needs to be signed from a Certificate Authority. We’ll use cacert.org, a non-commercial CA.

Creation of X.509 certificate

  1. Click on File > New certificate
  2. Click on X.509 certificate.
  3. Enter the following details.

    030415_2204_Cryptograph15.png

  4. Click on next.

    030415_2204_Cryptograph16.png

  5. Enter a passphrase and click “OK”. Quality measure indicates the strength of your passphrase.

    030415_2204_Cryptograph17.png

  6. If your passphrase is secure enough and all the required details are filled, you’ll see this message.

    030415_2204_Cryptograph18.png

The request has to be sent to a CA by saving the key pair to a file in a p10 format or by sending the request directly in an email attachment.

To view the details of the certificate, double click on the certificates that are listed in Kleopatra.

030415_2204_Cryptograph19.png

We can change the certificate’s passphrase and the expiry date.