
# SSL Basics

Secure Socket Layer (SSL) is a mechanism to allow information to be securely communicated. Specifically, it is a cryptographic protocol that enables two parties such as a web server and a browser to exchange information securely by encrypting it before sending and decrypting it upon receipt. It is based on the X.509 standards.

## Symmetric and Asymmetric Encryption

Encrypting and decrypting requires a secret like a password, which is known as a key. There are two types of key, symmetric and asymmetric. If a symmetric key is used it means that the same key is used to encrypt and decrypt the message. Asymmetric keys consist of a private and public key. The message sender encrypts the message using their private (secret) key and the message receiver can decrypt the message using the sender's public key.

Asymmetric keys require more processing resources than symmetric keys. The problem is that to communicate using symmetric keys both parties must have the symmetric key first, and the question is how to transfer that key securely. SSL resolves this problem by using an asymmetric key to transfer the symmetric key and then using the symmetric key for the rest of the session.

## Typical Communication Flow

A typical flow would be the following:

  • The client (web browser) connects to the https website
  • The server sends its SSL Certificate (public key) to the client
  • The client validates the certificate
  • The client generates a random symmetric key and encrypts it using the public key in the Certificate
  • The client sends the encrypted symmetric key to the server
  • The server uses its private key to decrypt the symmetric key
  • The server and client encrypt all further traffic using the symmetric key
  • At the end of the session the symmetric key is discarded
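The flow above can be replayed locally with the openssl command line. This is an added example, not part of the original gist: it imitates the key-transport steps with files rather than performing a real handshake, and the function name, file names, OAEP padding and AES-256-CBC are choices made for illustration.

```bash
#!/bin/sh
# Added example: hypothetical function and file names, run in a throwaway directory.
hybrid_roundtrip() (
  set -e
  dir="$(mktemp -d)"
  trap 'rm -rf "$dir"' EXIT   # end of session: the symmetric key is discarded
  cd "$dir"

  # Server: long-term RSA key pair. Only public.pem ever leaves the server.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.key
  openssl pkey -in private.key -pubout -out public.pem

  # Client: generate a random 256-bit symmetric key and encrypt it
  # with the public key taken from the server's certificate.
  openssl rand -hex 32 > session.key
  openssl pkeyutl -encrypt -pubin -inkey public.pem \
    -pkeyopt rsa_padding_mode:oaep -in session.key -out session.key.enc

  # Server: recover the symmetric key with the private key.
  openssl pkeyutl -decrypt -inkey private.key \
    -pkeyopt rsa_padding_mode:oaep -in session.key.enc -out session.key.srv

  # Client encrypts traffic with its copy of the symmetric key,
  # server decrypts it with the copy it recovered.
  printf '%s' "$1" |
    openssl enc -aes-256-cbc -pbkdf2 -pass file:session.key -out traffic.bin
  openssl enc -d -aes-256-cbc -pbkdf2 -pass file:session.key.srv -in traffic.bin
)

# Constructed sample message; the function prints what the server decrypted.
hybrid_roundtrip 'constructed sample request'
```

Only `session.key.enc` and `traffic.bin` would cross the network; neither is readable without `private.key`.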

## OpenSSL

OpenSSL is an implementation of SSL. OpenSSL is both a toolkit and a library that implements SSL.

### Create a Key

OpenSSL supports the X.509 standard and can be used to create keys.

#### Create a Private Key

The openssl genpkey command will generate a key. We can specify the algorithm we want to use. The usual choice is RSA as this can generate larger keys up to 4096 bits. We then change the access permissions on the newly created private.key to keep it secret.

```bash
openssl genpkey -algorithm rsa -out private.key
# Read-only for the owner, no access for anyone else
chmod 400 private.key
```

#### Extract the Corresponding Public Key

```bash
openssl pkey -in private.key -pubout -out public.pem
```

The .pem stands for Privacy Enhanced Mail file format which is a base64 encoding. You can specify other formats too, such as der which is a binary equivalent of pem. You can use pem keys with X.509.

You can further secure a private key by encrypting it with a triple-DES symmetric key.

```bash
openssl pkey -in private.key -des3 -out private-enc.key
```

In this case you will be asked to give a passphrase for an encrypted key whenever it is used, making it less useful on servers. You can remove the passphrase using:

```bash
openssl pkey -in private-enc.key -out private.key
```

## Certificates

Keys need to be certified so that they can be trusted. Otherwise anyone could give you a set of keys and say they are from your bank and decrypt all your details since they have the private key. To trust a certificate it needs to be certified. Certificates are normally certified by a third-party Certification Authority such as Verisign, Comodo, Thawte etc. but they can also be self-certified. To certify a certificate the Certification Authority (CA) signs it with their private key to indicate that they have validated the ownership of the keys.

Note: there is a concept of a certification chain. So a certificate may be certified by an authority that is itself certified by a higher authority. Eventually this will lead back to a self signed certificate which is called the Root Authority. These Root Authorities are implicitly trusted by all the main browsers.

### Certificate Signing Request (CSR)

To verify that the keys are yours you need to get the certificate signed. You can use OpenSSL to create a Certificate Signing Request.

```bash
openssl req -new -key private.key -out request.csr
```

This will request some information to help identify you, but the most important is the Common Name. This must match the domain that the certificate is for. The other fields can be filled in as desired. You can enter a period . for a blank field.

Once the certificate signing request is created you will need to submit it to a certificate authority to get it signed. Each authority may have different procedures but it often requires pasting the csr file contents into a form on the certificate authority's website.

Note: if you omit the -key parameter then it will automatically generate a new private key and you will be prompted to supply the required information.

### Self-Signed Certificates

Sometimes for testing or internal use, a self-signed certificate is all you need (you do trust yourself, don't you?). You can create one using a similar method to before.

```bash
openssl req -new -key private.key -x509 -out mycert.crt
```

The x509 option causes a certificate to be output instead of a csr. As before you will be required to fill in identity details. You can also add further parameters like -days which changes the certificate's validity from a 30 day default.

Self-signed certificates are useful for development, testing and internal use. To use them in the wider world they need to be certified.

It is possible to use your own certificate (which has been certified by a trusted CA or self-signed) to sign a new certificate. In this situation, we are taking the certificate request (request.csr) and using mycert.crt as the certificate authority and our private.key to sign the request.

```bash
# The option is spelled -CAkey (lower-case "key")
openssl x509 -req -in request.csr -CA mycert.crt -CAkey private.key -out cert.crt
```

Note: the first time this is run you will need to use the -CAcreateserial option so that OpenSSL creates a serial number file. This file is used automatically for subsequent certificates. Alternatively, you can use -set_serial to specify a specific serial number.
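The certificate steps above, run end to end and then checked with `openssl verify`. This is an added example, not part of the original gist: unlike the commands above it gives the CA and the server separate keys, and the function name, file names and subject names are placeholders.

```bash
#!/bin/sh
# Added example: hypothetical names throughout, run in a throwaway directory.
# Prints two words: the result of validating the signed certificate against
# the root that signed it, then against an unrelated self-signed root.
chain_check() (
  set -e
  dir="$(mktemp -d)"
  trap 'rm -rf "$dir"' EXIT
  cd "$dir"

  # Our own CA: a private key and a self-signed certificate (the "root").
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key
  openssl req -new -x509 -key ca.key -subj "/CN=Example Test Root" \
    -days 30 -out ca.crt

  # A second, unrelated self-signed root used as the negative case.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key
  openssl req -new -x509 -key other.key -subj "/CN=Unrelated Root" \
    -days 30 -out other.crt

  # Server: its own key and a CSR whose Common Name is the domain ($1).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key
  openssl req -new -key server.key -subj "/CN=$1" -out request.csr

  # CA signs the request; -CAcreateserial creates the serial file on first use.
  openssl x509 -req -in request.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -days 30 -out cert.crt

  # Validation: the certificate is accepted only when the chain ends
  # in a root the verifier already trusts.
  if openssl verify -CAfile ca.crt cert.crt >/dev/null 2>&1
  then signer=trusted; else signer=untrusted; fi
  if openssl verify -CAfile other.crt cert.crt >/dev/null 2>&1
  then stranger=trusted; else stranger=untrusted; fi
  echo "$signer $stranger"
)

# Constructed sample domain.
chain_check www.example.test
```

The second result is what a browser reports for a certificate signed by a CA that is not in its list of trusted roots.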
