PKI and TLS

Introduction
Reading

2
PKI & TLS
Basics

3
 Basic Authentication
Connection
Keep it secret
Don’t re-use
Clear Text
Client Server
UserId & Password

Shared secret Store hash of shared

Symmetric key/password

Authorization: Basic VXNlcmlkOlBhc3N3b3Jk==

🡪 base64 decode 🡪 Userid:Password 4
User directories - LDAP

User, permissions and passwords are stored centrally

• “Identities” stored in high available, specialized servers: “directory”
• Avoid user management in applications (and servers)
LDAP server
• Lightweight Directory Access Protocol
• Standardized (old) database technology for user & group info
• LDAP is in fact a protocol, derived from X500
And more
• In Microsoft environment: Active Directory (domain servers)
• Specialized product suites: “IAM” (Identity & Access Management)
• Cloud: Azure Active Directory, AWS IAM, Google IAM
Always leverage the central directory server for users, groups, permissions and passwords

5
OAuth & OpenID

● Every application redirects user to central authorization server

● Client application receives access token to call the backend(s)
● No authentication anymore by applications
○ Users are trained to only enter their credentials via the authorization server

6
Hashing – Message Digest

Hash, fingerprint: unique value from input

• One way
• Extremely low probability of 2 inputs with same hash
Try it: openssl dgst -sha256 SOMEFILE
Algorithms:
• SHA-2: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256
• SHA-3: latest

More info:
• MD5 & SHA1 are outdated algorithms
• Passwords always stored as hashes
- SHA-2, Argon2, Bcrypt algorithm, … → make it slow with many 1000’s of iterations
- Combined with “salt” against rainbow table attacks
• API Security: cache hashed version of access tokens
• Bitcoin mining: sha-256(value) starts with ‘000000000000000000’ (18 zeroes) 🡪 bitcoin!
Try it, verify the salt and password for your user in Linux
openssl passwd -6 -salt ‘rounds=100000$<salt> <PASSWORD> 7
HMAC – Symmetric signature

Provides authenticity and data integrity using a shared secret.

= data + hash(key, data)
• Digital signature with shared key (no encryption)
Try it: openssl dgst -sha256 -hmac "SHAREDSECRET“ SOMEFILE
Use cases
• JWT (signed JSON) with HMAC { "alg": "HS256",
"typ": "JWT“ }….
• AWS Signature V4
- Default AWS security mechanism

8
Asymmetric Keys - Key Pairs

d lly
ate ica
Private key

rel mat
= TOP Secret

the
Public key

Ma
• Share, publish, …
• Send along with message
= Certificate

Mathematically related
• Prime numbers, elliptic curve, …
Try it: openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048

9
Asymmetric encryption

Alice to Bob: openssl pkeyutl -encrypt -inkey

bob_public.pem
–pubin -in top_secret.txt -out top_secret.enc
Bob decrypts: openssl pkeyutl -decrypt -inkey
bob_private.pem
10
-in top_secret.enc > top_secret.txt
Practice
(Optional prerequisite : running webserver on Azure)

1. Create a private and public key pair with openssl

2. Share the public key with your neighbor
3. Write a simple text message; encrypt it with your neighbor’s public
key
OR: share your public key and encrypted message through the web
server on Azure if you have one running:
<html>
<a href=”./mykey.pub”>Click me for the key</a><br>
<a href=”./mysecretmessage”>THE MESSAGE</a>
</html>

4. Send the encrypted message to your neighbor (or download it!)

5. Decrypt the message you received with your own private key
11
Optimization

Asymmetric encryption is much slower than symmetric, solution:

• After channel is set up with asymmetric encryption: generation of Session Key
• Session Key is exchanged using existing channel
• Session key uses symmetric encryption
• Communication is then encrypted using symmetric session key
THE symmetric encryption algorithm: AES
• AES-256, AES-128

More info:
• AES developed developed by two Belgian cryptographers
- “Rijndael” ~ Joan Daemen and Vincent Rijmen
• Predecessors: DES, 3DES, RC2, RC4, ..
12
Asymmetric encryption: bi-directional

Encrypt with public key of recipient

• Only receiver can decrypt

Encrypt with private key of sender

• Everyone can decrypt
• ~ Signature

Algorithms
• Prime numbers: RSA
• Elliptic Curve: ECDSA/EdDSA

13
 Digital signing

Alice:

Bob:

14
Signed Message

Original message
• Clear text, readable
Signature
• Signed message digest
Certificate
• Public key
• Identity of the sender

But: how to trust that public key is really related to identity in client cert?
15
Verify signature

=
? OK

16
Certificate

Contains
• Public key
• Private key owner = “CN” = common name

Private cert: CN is identity of person

Server cert: CN is domain name (!)
More info
• Alternative
- SSH public keys in known_hosts
- Publish public keys as JWKS keyset (API Security)
- PGP, …
• X509v3 format: very old (1988)
- Derivated from X500 (Directory), X400 mail, …
• Certificates in ASN1 syntax, no XML, no JSON
Google internally has certs in protobuf format (ALTS)

17
Certificates

Signed by Certificate Authority

• Signed by trusted 3rd party
• Guaranteed link identity/keypair
Limited validity
• Server certs: 1 – 2 yrs
• Personal certs: 5 – 10 yrs
Trusted root certificates in “truststore”
• List of trusted, self-signed root certificates
• Browser/OS vendors manage trusted CA list (Linux: system-managed)
• You may restrict trusted CA’s, self manage truststore

18
 Certicate Validation
PKI Authority Authority

Registration
Authority
Public Key Infrastructure
• Certificate Authority has essential role
CA signs Certificate Signing Requests
• CSR = newly generated cert request A public key infrastructure (PKI) is a set of roles, policies, and procedures
needed to create, manage, distribute, use, store, and revoke digital
certificates and manage public-key encryption. The purpose of a PKI is to
CA charges cost facilitate the secure electronic transfer of information for a range of network
activities such as e-commerce, internet banking and confidential email. It is
• Except (!) required for activities where simple passwords are an inadequate
authentication method and more rigorous proof is required to confirm the
identity of the parties involved in the communication and to validate the
Internal CA’s at many orgs information being transferred.

• With CA tooling

19
SSL Secure Sockets Layer - Simplified

Verify Certificate Connection

Signature
Name (CN)=DNS Certificate
Generates random Public key
Session key Client Server
Session key
Encrypts with
Public key server

Session encrypted with symmetric session key

Session key regularly changed

SSL = Secure Sockets Layer, TLS 🡪 Transport Layer Security

SSL 3.0 (1996) 🡪 TLS 1.0 🡪 TLS 1.1 🡪 TLS 1.2 (RFC5246) 🡪 TLS 1.3 (RFC8446)
20
mTLS: TLS + Client Authentication

Certificate based authentication, “mutual TLS”

• Server asks for client certificate
• Client proves ownership of private key
Server Certificate
SomeData SessionKey
Client Certificate
Private Keyuser|client Private Keyserver
• Identity mapping: relationship between
- Identity in certificate and
- Actual user/client in the system

21
Certificate formats & file extensions

.pem
-----BEGIN CERTIFICATE-----
• PEM = base64 encoded MIIDbTCCAlWgAwIBAgIId78vW/JpC3swDQYJKoZIhvcNAQELBQAwNjELMAkGA1UEBhMCQkU
xDDAKBgNV…..WuLQuZtMQbp1Qs0dUNx0FYZZunKDS7fihS6CsNvHO/pORZNkEzigjQif98hCn
• Cert only or Public + private key (pkcs#8)
YYZ7I4pbPVSEoN2T6FyShra2WFj+nrW5iTqLM=
.der: -----END CERTIFICATE-----
• DER = binary format -----BEGIN RSA PRIVATE KEY-----
• Binary version of PEM MIIEowIBAAKCAQEAwaLfVKIgRalmy7sRpvXR0DmSYevnX1nddFsqe4nsqiXCSbIXCoiqH25iOol
RKgZk5ivUhzVrjJQ6eJ5yoFtU7xnm0DjZ3K+xrjOedBUZTnobfQ8QMFEfP+…/jHpZExlBtfmTKs
.cer or .crt: in PEM or DER format MsAfcOJJ9UNdTNVK0v2IzrhAa2Bl0F83J5SpOfhPI5urDdcqBUMelmW4xBdtZfgb
-----END RSA PRIVATE KEY-----
.csr: certificate signing request -----BEGIN CERTIFICATE-----
• Cf. PKCS#10 MIIDZTCCAk2gAwIBAgIIavMc8YKThVIwDQYJKoZIhvcNAQELBQAwLjELMAkGA1UEBhMCQkUx
DDAKBgNVBAoTA2k4YzERMA8GA1UEAxMIaThjLXJvb3QwHhcNMjMwMjI….
.p12 or .pfx: binary keystore format
-----BEGIN CERTIFICATE REQUEST-----
• Cf. PKCS#12 MIICwjCCAaoCAQAwfTELMAkGA1UEBhMCVUsxFzAVBgNVBAMMDmdsb2JhbHNpZ24u
• Private keys, certs (incl. intermediate and root CA) …
ndn3KyCF2E/0Him9FCG1cAsIjTEjIzqmdzqr/ffm9AUXlaPOtT4=
.jks: Java keystore format -----END CERTIFICATE REQUEST-----
.p7b: Signed data
• PKCS#7 format, can also be certificate, never private key

22
Recap

SHA-2 for hashing (SHA-128, SHA-256, SHA-512)

AES: algorithm for symmetric encryption
RSA, EC: asymmetric encryption algorithms, also used for signing
• RSA (key length 2048 or 4096), evolution to elliptic curve (shorter keys)

X509 certificate: relation between public key & identity

CA: Certificate Authority
PKI: Public Key Infrastructure
TLS = Transport Layer Security
• TLS 1.2, evolving to TLS 1.3, SSL old but often used name
• mTLS = mutual TLS

23
Questions

The current standard for hashing? SHA-2 (SHA-128, SHA-256, SHA-512)

The only symmetric encryption algorithm? AES
Alice signs message to Bob: which key to use? Alicepriv_key
Alice encrypts messages to Bob: which key? Bobpub_key
What does common name (CN) of server cert contain? DNS name
How long are server certificates typically valid? 1 – 2 year
Average cost for server certificate? €60 (upto 1000)
Free server certificates, how? Letsencrypt
Where do you have your personal private key? On eID card (!)
What upcoming technology will break crypto? Quantum comp.

24
Certificate Authorities & Truststores

● List of CA’s
○ Chrome and Firefox use different lists !
○ Firefox relies on CCADB list
○ Chrome: chrome://system (on Windows, Chrome uses the Windows truststore)
○ Linux: root certs are system-managed and not visible directly via the browser
(/etc/ssl/certs)

● Certificate pricing
○ From 0 to 1000+ !

● NEVER Import custom CA into your browser, e.g. country, university,

work…
○ Else your TLS traffic may be spied!
○ Using man-in-the-middle proxies, e.g. mitmproxy

25
● Dutch CA DigiNotar hacked
Obtaining certificate
Obtain certificate

1. Create key pair

○ Never share your private key
○ Algorithm: RSA, ECC, EdDSA (smaller key size)
2. Pay your CA
○ Unless using letsencrypt, thanks to sponsors
3. Upload public key as Certificate Signing Request
○ -----BEGIN NEW CERTIFICATE REQUEST----- ...
4. Provide proof you own the DNS domain by (temporarily) creating
○ Web page with CA provided content
○ TXT DNS record with CA provided value
5. Download CA signed certificate
6. Deploy in application, reverse proxy or other
7. RENEW every 1 or 2 years
○ Letsencrypt: every 90 (or 60) days

27
Types of certificates

● Server certificate
○ CN=www.domain.xxx
○ Wildcard certificate: CN=*.domain.xxx
○ Validation:
■ Domain validated (DV): provide proof you own the domain
■ Organization validation (OV): provide proof you own/represent the organization
■ Extended validation (EV): CA verifies the organization thoroughly
● Personal authentication certificate
on Belgian eID
● Document signing certificate
● Email/S/MIME Certificate
○ Sign email
○ Get one for free from Actalis
● Code signing certificate

28
More SSL/TLS
SSL Server checks

Online tools to check “quality” of your SSL server config

• E.g. https://www.ssllabs.com/ From OWASP:

OWASP TLS Cheat sheet Online tools: SSL Labs Server Test, CryptCheck,
CypherCraft, Hardenize, ImmuniWeb,
• SSL.com TLS Best Practices Observatory by Mozilla, Scanigma

Offline tools: O-Saft, CipherScan, CryptoLyzer,

SSLScan, SSLyze, testssl.sh, tls-scan, OWASP
PurpleTeam

30
ciphersuites

A cipher suite is a string that contains information on what algorithm will be

used for what.

TLS_AES_128_GCM_SHA256
• TLS the protocol
• AES encryption type
• 128 encryption key size.
• GCM Block cipher mode (if and how info from previous block is used for encryption of next
block)

• SHA256 Hashing algorithm for TLS/SSL data packets integrity and

authentication checks.
Each site has list of supported ciphersuites
31
Configure a list with modern (but supported) ciphersuites
Keystores

Application needs to sign message

• Application needs to open/read keystore
• Keystore is password protected

Options
• Administrator enters password when application starts
• Application stores password somewhere

Best practice: protect your keystores

• Restricted limited file access
• Let application run under specific user-account
• Leverage Keyvault (AWS, Azure, …)
• Let key material be injected/mounted into container

Advanced: Hardware Security Module (HSM)

• Card (PCI,USB,Ethernet,..) contains key + crypto processor
• Key Pairs cannot be exported

32
Keystores & truststores

Keystore: contains private key(s) and certificates

• Also: keyring, PSE (SAP)

Truststore only contains certificates

• = Public keys

Keystore format: PKCS12

Certificate renewal (don’t forget!)
• Generate CSR with new keypair
- Can also re-use existing keypair
- Same or new keystore Image source: https://www.java67.com/2012/12/difference-between-truststore-vs.html

• Get CSR signed by CA,

- Proof ownership/identity
• Import signed certificate ~ activate
33
Certificate (renewal)

SSL server cert: proof of domain ownership with

• File: specific page on your website
• DNS: record with specific, temporary TXT or CNAME record
• Specific mail address

Letsencrypt: automated renewal

• Letsencrypt certs are free but only valid for 90 days
• Automatically renew based on ACME v2 protocol (rfc8555)
• E.g. with “certbot”

34
Certificate chains – Chain of trust

TLS server cert must send full chain (root CA optional)

• Server cert + Intermediate CA cert (+ root CA cert)
Client checks if
• Server cert itself is in truststore
• Intermediate CA cert is in truststore
• Root CA cert is in truststore
Is always self signed cert
And client checks chain of signatures

If chain incomplete, cert not accepted

Image source: https://knowledge.digicert.com/solution/SO16297.html
• Connection should be refused
35
Certificate chain

Provide Verify against truststore

• Full chain • Verify against root CA
Cert Intermediate Root CA Root CA

• Only cert • Verify against intermediate

Cert Intermediate Root CA

• Server cert never in truststore

Cert Intermediate Root CA
• Self signed cert • Self-signed cert in truststore
Self-signed Self-signed

36
SNI Server Name Indication

Multiple TLS endpoints on single IP address

• What server cert should server return?
Send server name as part of initial SSL handshake
• Extension described in RFC3546

Source image: https://comodosslstore.com/resources/what-is-sni-or-server-name-indication/ 37

Certificate revocation checks

Certificates can be revoked

• If private key is stolen/lost before expiration

CA’s maintain list of revoked certs

• Certificate Revocation List (rfc5280)
• Server cert contains URL of signed list of revoked certs
Endpoints must be reachable (!)
OCSP Certificate-status protocol
• rfc2560, rfc6960
• ASN.1 format over http

Online Certificate Status Protocol (OCSP) stapling

• TLS Server returns recent, signed OCSP response
• Performance++: avoids that every client needs to do OCSP validity check
• Privacy++: CA does not know who is accessing your server

Certificate revocation is blurry topic

• Focus on revocation checks by browser, limited focus on appl-to-appl, server-to-server
• Unclear how integration products exactly handle revocation = homework
38
More certificate stuff Certificate

tbsCertificate
Certificate Subject Alternative Name
• Single server cert for multiple DNS names signatureAlgorithm
• Other option: *. cert, at extra cost

Validity: Issued On, Expires On signatureValue

Certificate serial number: unique identification

Extensions:
• Certificate Key Usage: What may cert by used for?
Object IDentifier syntax dating back from X.500, also in LDAP
• CRL distribution endpoint, check if cert on list of revoked certs
Based on certificate serial number

Certificate types
• Domain Validated: CA checks you own the domain
• Organisation Validated: legitimate business
• Extended Validation: strong identity verification
CA wil also monitor Certificate Transparency logs; consult yourself with crt.sh (or censys.io)
39
TLS = “steel pipe”

TLS is like “steel pipe”

• Strong end-to-end
But often terminated before actual server

Reverse
Firewall
• L7 firewall (NGFW)

Proxy
• Reverse proxy
Private key
• CDN (content delivery)
•…

Reverse
Firewall

Proxy
CDN
• The Great Firewall (China)
Private key Private key
If you trust internal CA, network components can potentially generate SSL certs on the fly

40
Secure connection

Client
• Reliable DNS: make sure you connect to the right server
- Remember: server cert CN == DNS name
- No mingling with hosts file or other
- DNS over HTTPS (DoH) is upcoming
• Truststore: trust only the required certificates
- Limited list of CA certs in well managed, readonly truststore
- Use multiple/many truststores
- Do not simply trust private CA’s
- Governments can force CA’s to sign whatever cert anyhow

Server side
• Renew your certs in time
- Ideally in automated manner
• Maintain your DNS: DNSSEC, remove unused subdomains, monitor, …
- Consider Certification Authority Authorization, DNS record specifying which CA may sign your certs
• Monitor certificate requests Certificate Transparency logs

41
Try it yourself

View cert details of a website

View truststore of your browser

Check SSL config of a web server

Debug TLS handshake

openssl s_client -connect www.kdg.be:443 -status –msg -debug
curl -iv https://www.kdg.be

( Try crt.sh to certs for name )

• Not supported by all CA’s

42
Certificate Truststores

● NEVER Import CA into your browser, e.g. country, university, work…

○ Else your TLS traffic may be spied!
○ Using man-in-the-middle proxies, e.g. mitmproxy

● Manage your truststore and do REMOVE CA’s

○ Especially in truststores of your own applications, e.g. Java truststore

43
Extra slides
 Challenge/response
Connection

Hash( Challenge + Challenge

Hash(Password) ) Client Server
Challenge

Comparison
Advanced implementation: of return hash
Salted Challenge Response Authentication Mechanism with expected
RFC5802: SCRAM response.
RFC7677: SCRAM-SHA-256
45
ciphersuite

A cipher suite is a string that contains information on what algorithm will be used for what.

TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS the protocol
• DHE Key exchange algorithm. Most popular exchange methods are RSA and Diffie-Hellman (DH/DHE).
• RSA Authentication algorithm
• AES_128 symmetric encryption algorithm.
• CBC symmetric mode of operation.
• SHA Hashing algorithm used for TLS/SSL data packets integrity and authentication checks.

46
ciphersuite

TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS the protocol
• RSA Key exchange algorithm. Most popular exchange methods are RSA and Diffie-Hellman
(DH/DHE).
• RSA Authentication algorithm
• AES_256 symmetric encryption algorithm.
• CBC cyber block chaining
• SHA256 Hashing algorithm used for TLS/SSL data packets integrity and authentication
checks.

47
Try it yourself

Create your own CA?

• With XCA

• Certificate Maker
•…

48
mTLS termination

X-SSL-Client-DN
X-SSL-Client-CN
X-SSL-Issuer
X-SSL-Client-Not-Before
X-SSL-Client-Not-After
RFC

Firewall
mTLS HTTPS

Private key

Client-Cert
Client-Cert-Chain

49