Category: Certificates

What are Cipher Suites Explained

What are Cipher Suites Explained

Cipher Suites

Cipher SuitesSo when I mention Cipher suites, most people will find the nearest hole to hide in or think its an encryption protocol. But do you really need to know what Cipher Suites are and how they work. Well yes and no. You should have an overall understanding as these ciphers protect your communication channels between servers, websites or applications. Cipher suites are not indestructible and ciphers have been exposed to vulnerabilities.

What it is?

Cipher suites are used in TLS and SSL protocols. They are fundamentally based upon the HMAC (Keyed hash Message Authentication Code which used a cryptographic hash function and a secret cryptographic key)

How it works?

There are many ciphers available and it is the responsibility of the server to select a cipher to communicate upon. This is accomplished by  the client sending a list of available cipher it supports in order of preference to the server in a process called handshaking where the client says “hello” to the server and the server replying with “hello” and replies with the cipher suite it has selected.

What does it look like?

A cipher suite at first glance may look like a jumble of words, but lets break an example down:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

The first section is stating what protocol the cipher is, so in our case TLS.

The second section states the key exchange algorithm ECDHE_RSA determines how the client/server will authenticate.

The third section states the bulk encryption algorithm in our case AES_128_GCM. This determines how to encrypt the message including key size.

The last section states the hash algorithm that is used to create the cryptographic hash of each block and in our case it is SHA256.

What about Null Cipher suites?

Well you may have come across Null Cipher Suites especially working with DirectAccess. When the word Null; is mentioned it is quickly seen as a secuirty risk. So lets discuss a Null Cipher suite. Null Cipher suites are encrypted however it is seen as an ancient form of encryption which always gets flagged up on audits. The message stream is encrypted with plain text and not random gibberish that you would expect for example:

KamHussain if encrypted using Null Cipher’s could look like:

Kangaroo Ant Mammoth Hyena Unicorn Seagal Seagal Alien Neptune

As you can see from above the message is encrypted, the first letter of each word if taken away makes up KamHussain.

So is this secure, well lets say you wouldn’t want to use this unless you have a specific requirement.

 

Creating a Certificate Signing Request using Windows 10

Creating a Certificate Signing Request using Windows 10

Creating a Certificate Signing Request using Windows 10

certificateCreating Certificate Signing Requests or CSR’s can be a daunting task, you don’t want to get it wrong as it can costs you, literally. Usually many administrators head over to IIS and create a request using the IIS management console. This will of course work but you may end up creating a SHA1 request, with no option for SHA2

I have however noticed Windows 10 being able to create CSR’s with all the latest cryptography and key lengths, as well as it being a breeze to process.

To get started you need to open the Certificate management console. Hit “Windows Key” + “R” and type “MMC” into the run window, now hit enter. Alternatively if you click “Start” and search for “Certificates” and click on “Manage Computer Certificates

 

Once the certificate console has opened, expand the personal store and right click on Certificates. Click All Tasks > Advanced Operations > Create Custom Request.

 

In the window click Next

Now click Next

 

Choose Proceed without enrollment policy and click Next

 

Click Properties

 

Now enter a Friendly Name (this can be anything, but something that you can use t easily identify the certificate) and enter a description.

Click the Subject tab

Important!!!

If you fail to enter the basic information like the image on the left, your certificate request will be invalid. You must enter:

Common Name – (this is the URL)

Organisational Unit – Department

Locality – Area e.g. Westminster

State – Area e.g. London

Country – this must be the two letter abbreviation for the United Kingdom use GB

To find your 2 letter country code click here

Finally enter the Alternative name DNS. This should be exactly the same as your URL.

 

Under the Extensions tab, select Server Authentication and Client Authentication for Extended Key Usage.

 

Under Key Usage select Digital signature and Key enciphement

 

Click the Private Key tab, select 2048 for Key Options and check Make private key exportable

Under Hash Algorithm select SHA256

Click OK and Next

Save your file as a .req

Validate your CSR

That’s pretty much it. You can verify that your request file is valid by opening it, copying the data and pasting it into the Symantec Crypto Report validation site click here .

Once you receive your certificate file it MUST be imported onto the computer where the CSR file was created as the private key exists on this machine and is never transmitted within the CSR. You can then export the certificate to any machine as it’s private key was marked as exportable.

Extracting a Private Key from a Certificate

Extracting a Private Key from a Certificate

Splitting a Certificate File

OpenSSLWe recently has an issue where I was required to upload a certificate to a F5 Big-IP. Now most of admins probably already figured out that some systems such as ADC’s or load balances require the certificate you upload to come in to parts. Part 1 is the certificate file itself so it will have an extension of .CER and part 2 is the private key with an extension of .KEY. Some certificate providers bundle the private key and certificate together, as useful as this, sometimes you have a requirement to separate the private key from the certificate file.

In order to split a certificate we will use OpenSSL for Windows, a free utility to manage and create certificates, if you don’t already have a copy of this utility, Click HERE to download it.

Assuming your utility is located in the root of the C Drive, and the certificate you want to split is also kept within in the same folder.

 

Open a administrative command prompt and navigate to the folder where you have stored the OpenSSL utility, then run the following command. You will be asked to provide the password for the certificate. This will extract the Private Key.

openssl pkcs12 -in certificates.pfx -nocerts -out privatekey.key

 

Next we will now extract the certificate, so run the below command:

openssl pkcs12 -in certificates.pfx -clcerts -nokeys -out certificate.cer

 

That’s it! You now have a private key and certificate which you can utilise. If you need to use OpenSSL on Windows, I’ve attached the program to this post. Just extract the files and using a command prompt navigate to the OpenSSL directory and call openssl.exe [then your commands]

Creating Self-Signed Certificates or Certificate Service Request with OpenSSL

Creating Self-Signed Certificates or Certificate Service Request with OpenSSL

Creating Certificates with OpenSSL

OpenSSL

One of the most versatile SSL tools is OpenSSL which is an open source implementation of the SSL protocol. There are versions of OpenSSL for nearly every platform, including Windows, Linux, and Mac OS X. OpenSSL is commonly used to create the CSR and private key for many different platforms, including Apache. However, it also has hundreds of different functions that allow you to view the details of a CSR or certificate, compare an MD5 hash of the certificate and private key (to make sure they match), verify that a certificate is installed properly on any website, and convert the certificate to a different format. A compiled version of OpenSSL for Windows can be found attached below.

Place the unzipped folder on the C: drive. Then open a command prompt and type CD C:\openssl-1.0.2h-x64_86-win64

 

Generate a new private key and Certificate Signing Request

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

 

Generate a self-signed certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

 

Generate a certificate signing request (CSR) for an existing private key

openssl req -out CSR.csr -key privateKey.key -new

 

Generate a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

 

Remove a passphrase from a private key

openssl rsa -in privateKey.pem -out newPrivateKey.pem

 

Check a Certificate Signing Request (CSR)

openssl req -text -noout -verify -in CSR.csr

 

Check a private key

openssl rsa -in privateKey.key -check

 

Check a certificate

openssl x509 -in certificate.crt -text -noout

 

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in keyStore.p12