certificate management - unipi.it · security in networked computer systems certificate management...


Upload: buixuyen

Post on 20-Apr-2018


Certificate Management


Security in Networked Computer Systems Certificate Management with OpenSSL

Certification Authority

● A main problem in asymmetric cryptography is to be sure that a certain subject uses a certain cryptographic quantity.

● For example, to be sure that the server reachable at a certain domain “www.server.com” uses a certain public key.

● Only sending the public key over the Internet is not safe, because a man in the middle could change it.

● We need a trusted third entity called certification authority (CA).
    ● Everyone trusts the CA.
    ● Everyone knows the CA's public key.

● The CA releases signed certificates, which bind a given subject to a given cryptographic quantity.

● The most common type of certificates are public key certificates, which bind a given subject (usually an Internet domain or a company) to a given public key.


Certification Authority

● Before releasing the certificate, the CA makes sure that the subject really exists and really owns that cryptographic quantity (validation process).

● Two main types of validation:
    ● Domain validation
      The CA makes sure that the subject controls a particular Internet domain.
    ● Extended validation (EV certificate)
      In addition to domain validation, the CA also makes sure that the subject physically exists, and is really who it claims to be.

[Figure: certificate indicators shown by Firefox/Chrome and by Internet Explorer.]

There are two types of certificates: certificates with domain validation and certificates with extended validation (EV certificates). With domain validation, the CA only assures that the requesting subject owns a particular Internet domain. Usually this is done by sending a challenge email to an email server running on that domain. The subject proves ownership of the domain by responding to the email. This type of certificate costs 369€ (1 year) from Symantec, but far less with cheaper CAs.

With extended validation, the CA assures the physical existence and the identity of the requesting subject. In particular, three checks must be performed: (i) legal existence; (ii) physical existence; (iii) operational existence (that is, the subject is a still-operating company). Extended validation requires a face-to-face identification with a CA employee, a notary, or a lawyer. An EV certificate costs 849€ (1 year) from Symantec. Not all CAs are permitted to issue EV certificates. Web browsers usually signal the presence of an EV certificate with green colors (a green lock in Firefox/Chrome, a green address bar in Internet Explorer).


OpenSSL CA

● OpenSSL includes a basic CA software:

    openssl ca

● The OpenSSL CA software is not meant to be a professional application.

● It is very user-hostile and error-prone.

● You should use more advanced, GUI-based CA software in real life:
    – xca → Front-end of OpenSSL CA, runs on Linux, Windows, Mac OS, open-source.
    – EJBCA (Enterprise Java Bean Certificate Authority) → Java-based, open-source.
    – Windows Server → Can be configured to act as a CA, closed-source.
    – SimpleAuthority → Free up to 4 users, runs on Linux, Windows, Mac OS, closed-source.

OpenSSL provides an extremely basic, command-line certification authority software. The OpenSSL CA is good for teaching, but it is not meant to be used for professional activity, because it is very user-hostile and error-prone. Other, more advanced CA software exists, like xca, EJBCA, Windows Server CA, SimpleAuthority, etc.


OpenSSL CA Set Up

● Create the CA's directory (e.g. '~/my_ca/') with two subdirectories:
    ● <CA's dir>/newcerts → For the issued certificates.
    ● <CA's dir>/private → For the CA's private key.

● Inside the CA's directory, create an empty certificate database:

    touch index.txt

● … and initialize to 1 the certificate serial counter and the CRL serial counter:

    echo '01' > serial
    echo '01' > crlnumber

● Make a copy of the OpenSSL CA default configuration file in your CA's directory.
    ● You will find the OpenSSL CA default configuration file in '/etc/ssl/openssl.cnf' for Ubuntu, or in '<Cygwin dir>/usr/ssl/openssl.cnf' for Cygwin.

● Tell OpenSSL to read your configuration file by setting the environment variable 'OPENSSL_CONF':

    export OPENSSL_CONF=<CA's dir>/openssl.cnf

Follow these instructions in order to set up the OpenSSL CA. In a professional setting, the directory holding the CA's private key should be accessible only to the CA user (i.e. the one issuing certificates).


OpenSSL CA Set Up

● The OpenSSL configuration file (openssl.cnf) is organized in sections.

● Each section has a case-sensitive name in square brackets:

[section_name]

● Each section contains a set of case-sensitive keys with an associated value:

key_name = value

● Comments are preceded by '#' character:

# This is a comment


OpenSSL CA Set Up

● Edit your openssl.cnf file.

● Inside the [CA_default] section, you should change:
    ● dir = <CA's directory (absolute path)>
      To set up the OpenSSL CA's directory.
    ● certificate = $dir/ca_cert.pem
      To let OpenSSL CA find its own root certificate.
    ● private_key = $dir/private/ca_prvkey.pem
      To let OpenSSL CA find its own private key.
    ● policy = policy_anything
      Otherwise, OpenSSL CA will refuse to certify subjects belonging to organizations different from the CA itself.


Creating the Root Certificate

● The CA must create the CA's key pair and a self-signed root certificate for the CA's public key.

    cd <CA's dir>
    openssl req -x509 -newkey rsa:1024 -keyout private/ca_prvkey.pem -days 365 -out ca_cert.pem

  This command:
    – generates a new 1024-bit RSA key pair,
    – asks the user to choose a password,
    – asks the user for the CA's distinguished name (Country name, State or Province name, organization name, etc.),
    – stores the private key in 'private/ca_prvkey.pem' (protected by the password),
    – creates a self-signed root certificate which binds the public key to the CA's name (validity: 365 days from now),
    – stores the root certificate in 'ca_cert.pem'.

● Print the self-signed root certificate:

    openssl x509 -in ca_cert.pem -text -noout

These commands create the CA's key pair (RSA 1024-bit, low security) and the self-signed root certificate.

The openssl req command has two functions: (1) create a root certificate (when invoked with the -x509 option), and (2) create a certificate request (when invoked without the -x509 option). The other options are sufficiently self-explanatory.

The openssl x509 command manages x509-format certificates. The options -text -noout are for printing them on screen in textual format (-text), and not in PEM format (-noout).


Requesting a Certificate

[Figure: exchange between the Subject and the CA]

1. Subject: create a key pair.
2. Subject: create a signed certificate request.
3. Subject: send the certificate request.
4. CA: domain (or extended) validation.
5. CA: create a signed certificate.
6. CA: send the certificate.

To obtain a certificate, a subject must first create a certificate request, signed with the subject's private key, and send it to the CA.


Requesting a Certificate

● A subject (for example Alice) creates a key pair and a certificate request for the public key.

    cd <Alice's dir>
    openssl req -newkey rsa:1024 -keyout alice_prvkey.pem -out alice_creq.pem

  This command:
    – generates a new 1024-bit RSA key pair,
    – asks the user to choose a password,
    – asks the user for Alice's distinguished name,
    – stores the private key in 'alice_prvkey.pem' (protected by the password),
    – creates a certificate request signed with Alice's private key,
    – stores the certificate request in 'alice_creq.pem'.

● Print Alice's certificate request:

    openssl req -in alice_creq.pem -text -noout

These commands create the subject's key pair (RSA 1024-bit, low security) and the certificate request.

The openssl req -in command prints the certificate request on screen.


Issuing a Certificate

● The CA (after having checked Alice's true identity) creates Alice's certificate.

    cd <CA's dir>
    openssl ca -in alice_creq.pem

  This command:
    – creates a new certificate for Alice (the password of the CA's private key is required),
    – stores the certificate in '<CA's dir>/newcerts/<serial>.pem',
    – updates the 'index.txt' database and 'serial' file.

These commands create the certificate. The openssl ca command is the main command for OpenSSL CA management.


Revoking a Certificate

● If Alice's private key gets compromised, or if Alice's company stops operating, then the CA revokes Alice's certificate.

    cd <CA's dir>
    openssl ca -revoke newcerts/<serial>.pem

  This command:
    – updates the 'index.txt' database to indicate that the certificate has been revoked,
    – updates the 'crlnumber' file.

● Then, the CA publishes a new certificate revocation list (CRL).

    openssl ca -gencrl -out crl.pem

  This command:
    – generates a CRL signed by the CA (the password of the CA's private key is required),
    – stores the CRL in 'crl.pem'.

● Print a CRL:

    openssl crl -in crl.pem -text -noout

These commands put Alice's certificate in a certificate revocation list (CRL).
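
The set-up, root certificate, request, issue and revoke steps from the slides above, run end to end without prompts, as an added example that is not part of the original course material. The final `openssl verify -crl_check` shows Alice's certificate accepted before revocation and rejected after it. Assumptions: 2048-bit RSA instead of the slides' 1024-bit keys, a minimal hand-written openssl.cnf instead of a copy of the default file, and constructed subject names and passwords.

```shell
#!/bin/sh
# Added example: a disposable CA that issues, revokes and re-checks one certificate.
# File names follow the slides; subjects, passwords and openssl.cnf are constructed.
set -eu
CA_PASS='pass:demo-ca-password'        # constructed value, for the demo only

ca_setup() {                           # $1 = absolute path of the CA directory
    mkdir -p "$1/newcerts" "$1/private" && chmod 700 "$1/private"
    : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca_cert.pem
private_key = \$dir/private/ca_prvkey.pem
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_anything
[ policy_anything ]
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

check_cert() {                         # prints OK or REJECTED for certificate $1
    if openssl verify -CAfile ca_cert.pem -CRLfile crl.pem -crl_check "$1" >/dev/null 2>&1
    then echo OK; else echo REJECTED; fi
}

ca_lifecycle() (                       # $1 = CA dir; prints "<before revoke> <after revoke>"
    export OPENSSL_CONF="$1/openssl.cnf"; cd "$1"
    openssl req -x509 -newkey rsa:2048 -keyout private/ca_prvkey.pem -passout "$CA_PASS" \
        -days 365 -out ca_cert.pem -subj '/O=Example Lab/CN=Example Lab Root CA' 2>/dev/null
    openssl req -newkey rsa:2048 -keyout alice_prvkey.pem -passout pass:demo-alice-password \
        -out alice_creq.pem -subj '/O=Example Lab/CN=alice.example' 2>/dev/null
    openssl ca -batch -passin "$CA_PASS" -in alice_creq.pem >/dev/null 2>&1
    openssl ca -gencrl -passin "$CA_PASS" -out crl.pem 2>/dev/null    # empty CRL
    before=$(check_cert newcerts/01.pem)
    openssl ca -revoke newcerts/01.pem -passin "$CA_PASS" 2>/dev/null
    openssl ca -gencrl -passin "$CA_PASS" -out crl.pem 2>/dev/null    # now lists serial 01
    after=$(check_cert newcerts/01.pem)
    echo "$before $after"
)

demo() {                               # whole procedure in a throwaway directory
    d=$(mktemp -d); ca_setup "$d"
    result=$(ca_lifecycle "$d"); rm -rf "$d"
    echo "$result"
}
demo                                   # prints: OK REJECTED
```

The [v3_ca] section marks the root as a CA that may sign certificates and CRLs; without the cRLSign key usage the CRL check itself can fail even for a certificate that has not been revoked.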


Loading Certificates and CRL's

● #include <openssl/x509.h>

● X509 (data structure)
  Represents an x509-compliant certificate.

● X509_CRL (data structure)
  Represents an x509-compliant CRL.

● X509* PEM_read_X509(FILE* fp, NULL, NULL, NULL);
  Allocates an x509 certificate and loads it from a PEM file.
    ● fp → File where to read from (opened with fopen()).
    ● It returns the X509 structure (or NULL if error).

● X509_CRL* PEM_read_X509_CRL(FILE* fp, NULL, NULL, NULL);
  Allocates an x509 CRL and loads it from a PEM file.
    ● fp → File where to read from (opened with fopen()).
    ● It returns the X509_CRL structure (or NULL if error).


Parsing a Certificate

● X509_NAME* X509_get_subject_name(X509* cert);
  Returns the distinguished name of the subject.
    ● cert → The certificate.
    ● It returns an X509_NAME structure representing the distinguished name.

● X509_NAME* X509_get_issuer_name(X509* cert);
  Returns the distinguished name of the certificate issuer.
    ● cert → The certificate.
    ● It returns an X509_NAME structure representing the distinguished name.

● char* X509_NAME_oneline(X509_NAME* name, NULL, 0);
  Allocates and returns a NULL-terminated string containing a one-line representation of a distinguished name, in the following form:

    /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com

  The string must be freed afterwards with free().
    ● name → The distinguished name to convert.
    ● It returns the allocated NULL-terminated string.


Certificate Verification

[Figure: Alice's store (root certificates, other certificates, CRL) is used to verify Bob's certificate; the verification result is OK or fail.]

● A store is a collection of CA's root certificates, other trusted certificates, and a CRL. Everything that is in the store is considered trusted by the subject.

● When a subject (Alice) wants to verify another subject's identity (Bob), she compares it with her store.

● If it is possible to verify Bob's certificate from Alice's store, then Alice will consider Bob's certificate as verified.

The logical representation of an encryption is a function, taking a key and a variable-sized plaintext as input, and returning a variable-sized ciphertext as output.

Implementing encryption and decryption in this way is neither efficient nor practical. It is not efficient because if the plaintext is big, we have to maintain in memory a big quantity of data at once. It is not practical because sometimes we do not have the entire plaintext/ciphertext at the time we must encrypt/decrypt it. This is typical in encrypted communications.

The majority of cryptographic libraries use incremental functions, which update an encryption context step-by-step. This is done in higher-level languages as well, for example Java and C#.


Building a Store

● #include <openssl/x509_vfy.h> → Undocumented!

● X509_STORE (data structure)
  Represents a store.

● X509_STORE* X509_STORE_new();
  Allocates an empty store and returns it.
    ● It returns the allocated store (or NULL if error).

● void X509_STORE_free(X509_STORE* s);
  Deallocates a store.

● int X509_STORE_add_cert(X509_STORE* s, X509* x);
  Adds a trusted certificate to the store.
    ● s → The store.
    ● x → The certificate to add.
    ● It returns 1 on success, non-1 on error.


Building a Store

● int X509_STORE_add_crl(X509_STORE* s, X509_CRL* x);
  Adds a trusted CRL to the store.
    ● s → The store.
    ● x → The CRL to add.
    ● It returns 1 on success, non-1 on error.

● int X509_STORE_set_flags(X509_STORE* s, X509_V_FLAG_CRL_CHECK);
  Tells the store to use the CRL.
    ● s → The store.


Verifying a Certificate

● X509_STORE_CTX (data structure)
  Represents a context for certificate verification.

● X509_STORE_CTX* X509_STORE_CTX_new();
  Allocates a new certificate-verification context.
    ● It returns the allocated context (or NULL if error).

● int X509_STORE_CTX_init(X509_STORE_CTX* ctx, X509_STORE* s, X509* cert, NULL);
  Initializes the certificate-verification context.
    ● ctx → The context.
    ● s → The store.
    ● cert → The certificate to verify.
    ● It returns 1 on success, non-1 on error.


Verifying a Certificate

● int X509_verify_cert(X509_STORE_CTX* ctx);
  Verifies a certificate.
    ● ctx → The context.
    ● It returns 1 if the certificate has been verified, 0 if it cannot be verified, <0 if some other error.

● void X509_STORE_CTX_free(X509_STORE_CTX* ctx);
  Deallocates a certificate-verification context.


Loading a Password-Protected Private Key

● EVP_PKEY* PEM_read_PrivateKey(FILE* fp, NULL, NULL, "passw0rd");
  Allocates a private key and loads it from a PEM file protected by password.
    ● fp → File where to read (opened with fopen()).
    ● "passw0rd" → NULL-terminated string representing the password.
    ● It returns the EVP_PKEY structure (or NULL if error).
    ● The OpenSSL internal table of algorithm names must be created.

● OpenSSL_add_all_algorithms();
  Creates the internal table of algorithm names and adds to it all the algorithms. It must be invoked at the beginning of the program.

● EVP_cleanup();
  Destroys the internal table of algorithm names. It must be invoked at the end of the program.

This API function loads a password-protected PEM file holding a private key.


Extracting the Public Key from a Certificate

● Usually we give to the other party only our certificate, not our public key. The public key can be extracted from the certificate.

● EVP_PKEY* X509_get_pubkey(X509* cert);
  Extracts the public key from a certificate.
    ● cert → The certificate.
    ● It returns the EVP_PKEY structure representing the public key (or NULL if error).


Final Exercise

● Set up the OpenSSL CA.
    ● Create the CA's key pair.
    ● Create a CA's self-signed root certificate.

● Create the server's key pair, request a certificate for it.

● Create the client's key pair, request a certificate for it.

● Issue the certificates for the server and the client.

● Modify the exercise of lab session #5 to:
    ● Accept password-protected private keys.
    ● Build up a minimal store with the CA's root certificate and CRL.
    ● Load the certificate of the peer, and extract the public key from it.
    ● Verify the peer's distinguished name.
    ● Verify the peer's certificate.