TLS- Are there two digital signature in play during handshake - ssl

Could you please clarify on the below doubt.
From IBM website,
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10520_.htm
The steps of the digital signature process are as follows:
The sender computes a message digest and then encrypts the digest using the sender's private key, forming the digital signature.
The sender transmits the digital signature with the message.
The receiver decrypts the digital signature using the sender's public key, regenerating the sender's message digest.
The receiver computes a message digest from the message data received and verifies that the two digests are the same.
So there is a digital signature created using the some random message during handshake. Along with it, there is a digital signature value in the personal certificate issued by CA which is called "Digital Signature Value". This Signature value is present in the certificate itself. But there is one more signature value created from random message during handshake also. Why we have 2 times signature here even for one way SSL. Where is my understanding wrong?. Thanks .

encrypts the digest using the sender's private key
Any time you see something about “encrypting with a private key”, expect the explanation to be flawed. There is no such thing as “encrypting with a private key”. What the writer means here is signs the digest using the sender's private key. Calling a signature “encryption” comes from a very limited understanding of cryptography: the two concepts have different properties and they use different algorithms. For example, it is not always possible to “decrypt” a signature and recover the digest that was signed (it's possible with some signature algorithms and impossible with others); all you can do is to verify whether a certain digest has a certain signature.
This being said, yes, there are two signatures.
The signature in the certificate ties the server's public key with the server's name. More precisely, it means that the certificate authority guarantees that the server with a certain name has a certain public key. This guarantees to the client that the certificate is genuine. Anybody can send you a valid certificate for some server name, but the certificate authority only signs a certificate if it knows that the owner of the name is also the owner of the private key associated with the public key in the certificate.
The signature of the digest in the handshake ties the server's public key with this particular handshake. Anybody can sign a handshake with their own private key, but not with somebody else's private key.
From the second signature, the client knows that the handshake was signed by whoever owns a certain private key. From the first signature, the client knows that the owner of a certain private key is the owner of a certain domain name. By putting the two together, the client knows that the handshake was signed by the owner of the domain name.
In fact in a typical handshake there may be more signatures. How does the client decide to trust the CA? After all anybody can sign a certificate with their own private key. In general there is a chain of certificates: the server's certificate is signed by a CA, the CA has its own certificate which is signed by another CA, and so on. This ends with a small set of CA certificates that are hard-coded in the client's operating system or browser. These certificates are known as roots of the chain. They're often called “root CAs”, but note that being a root CA is not a property of a CA, since different systems can have different sets of root CAs.
For more information about TLS, see How does SSL/TLS work?.

Related

How exactly is a SSL certificate validated?

I have done some research on this but still have some trouble connecting the dots as to what exactly happens when the server send its certificate to the client in terms of verifying signature and root certificates.
When you create a CSR, it generates a private key along with it, and you send it to the CA to generate the cert and sign it, but doesn't the CA use it's own private key to sign? So what is the point of the private key you generated with your CSR?
When server sends its certificate for client to validate, how exactly does client validate that it is a valid CA cert. It has a collection of trusted CA certs, ok - but how exactly are they used to verify that it was a valid CA that signed the server's certificate using the signature and public key of the server certificate? What things are compared to make sure it was not forged?
Is there any point in encrypting your internal self signed certs? How about an internal root cert? Or is the private key the only one worth encrypting?
If we don't keep a database of encrypted data for our web service (over SSL) for example, would we ever care about storing our own private key once we generated the self signed cert, and if we do, they why?
When you create a CSR, it generates a private key along with it
Or you have already generated your own private key.
and you send it to the CA to generate the cert and sign it
You send the CSR. You don't send your private key. It's private. You don't send it to anyone.
but doesn't the CA use it's own private key to sign?
Yes.
So what is the point of the private key you generated with your CSR?
It pairs with the public key contained in the certificate and it is part of the process used to prove that you and only you own that certificate, as only you can generate digital signatures with that private key that can be verified by the public key in the certificate.
When server sends its certificate for client to validate, how exactly does client validate that it is a valid CA cert. It has a collection of trusted CA certs, ok - but how exactly are they used to verify that it was a valid CA that signed the server's certificate using the signature and public key of the server certificate? What things are compared to make sure it was not forged?
The certificate itself is verified, by verifying its digital signature; it is checked for being within its validity period; and then an attempt is made to form a certificate chain using the alleged signer of the certificate (the 'issuer') and the trusted certificates in the collection.
Is there any point in encrypting your internal self signed certs?
No. They are public documents. Only the private key is private, and that isn't in the certificate.
How about an internal root cert?
No.
Or is the private key the only one worth encrypting?
Yes.
If we don't keep a database of encrypted data for our web service (over SSL) for example, would we ever care about storing our own private key once we generated the self signed cert, and if we do, they why?
Because it's private. It is a critical part of your identity. If you leak it, others can impersonate you.

How do we know that an SSL signature belongs to a specific certificate?

I am reading the following article about HTTPS:
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
I do understand how we can verify that a signature was truly created by VeriSign.
But how can we know that VeriSign created this signature for this specific domain that we are connected to (or actually for this certificate)?
Since I can see the certificate, including the signature, what stops me from creating my own certificate, replacing the signature with the one I saw on the Amazon.com certificate, and pretending to have a certificate signed by VeriSign?
Since I can see the certificate, including the signature, what stops me from creating my own certificate, replacing the signature with the one I saw on the Amazon.com certificate, and pretending to have a certificate signed by VeriSign?
A certificate has a subject, public key, issuer and signature (among other fields). For example, a subject might be example.com (a DNS name) or joe#example.com (and email address), and the issuer might be Startcom. The issuer's signature binds the subject's public key to the subject. That's all a certificate does: it binds a public key to an entity through an authority's signature. The authority is often called "trusted" or "trusted third party".
So the person who is validating the certificate you are trying to forge will extract the issuer, get the issuer's public key (that's in a different certificate), and then use the issuer's public key to verify your certificate data. Since you forged the signature (i.e., used a different public key than that of the issuer), the signature verification will fail.
Because the public key with which you can verify the signature is part of the certificate and also part of the signature. So you can't change any of those things without breaking the signature.
#gilden But I do not try to create a new signature. I use (almost) exactly the same certificate amazon sent me when I tried to https-contact its website (so same signature and same public key as on amazon's cert). The only thing I change on that cert is the name field (i.e. the name of the website/computer who was given the authority by the signer to use this cert to authenticate itself). So I'm going to change this field from "amazon.com" to "rapt.com". Now I can use this cert to convince people rapt.com is a trusted website. What in the SSL algorithm is going to make me fail in my scheme?
Then the browser/client will use the amazon.com public key to communicate with your server, for which you do not have the corresponding private key. Hence you will not be able to decrypt the pre_master_secret from the client certificate message, and the ssl/tls handshake will fail.

What kind of private key is located in a PKC12 pfx file?

Can anybody clarify to me what kind of "Private Key" is located in a PFX file ?
I am asking this because after having read quite a lot on digital certification I am still a bit confuse on the Private Key part, especially when Certificate Authority is involved.
The part I am missing is where it is said that the Private Key is kept secret on the CA side but if I go in my Personal Certificate Store and I try to export a certificate, I am able to export it with the private key in it.
Is this private key is the same as THE private key that we are not supposed to know ?
Public key cryptography is used for two different purposes when it comes to X.509 certificates used for SSL/TLS.
Each X.509 certificate contains a public key, which has a matching private key held only by the identity this certificate belongs to (the subject of the certificate).
One of the purposes is to build trust in another certificate. A CA uses its private key to sign other certificates: possibly other (intermediate) CA certificates or End-Entity Certificates (the ones that are actually going to be used for the SSL/TLS connection itself).
For example, the Root CA's private key can be used to sign (i.e. issue) an Intermediate CA's certificate. The Intermediate CA certificate can be verified using the Root CA certificate's public key. The Intermediate CA's own key-pair isn't involved in this verification (although the verification process ensures that the public key in that cert belongs to the Intermediate CA).
The Intermediate CA's private key can be used to sign your server certificate (an EEC). The Intermediate CA's public key can be used to verify the authenticity of your server certificate. Someone who would only have the Root CA certificate can therefore check your server certificate by building a chain. Again, your server public and private keys are not involved in this verification at all, but the result of these operations proves that the public key in your server certificate belongs to your server name.
There is no relationship between any of the key pairs involved in a certification chain. Even the CA issuing a certificate will not (or should not) have access to the private key of the certificate it is issuing.
The second usage of public key cryptography is during the SSL/TLS handshake. The exact mechanism depends on the cipher suite, but this allows the client to agree with the server on a secret that only the server with the private key matching the public key in the server certificate will be able to see. It's this private key that is the private key of the certificate itself.
In a PKCS#12 file, you will find an End-Entity Certificate and the private key matching the public key in that certificate, to be used by the entity to which this certificate was issued, and generally a chain of CA certificates (from the one directly issuing the EEC to other CA certificate further up the chain, possibly up to a Root CA).
Here, I've taken this example of an EEC for an SSL/TLS server, but the same could apply for EEC to be used in other contexts (e.g SSL/TLS client or S/MIME).
If you are talking about SSL-Certificates and SSL I think you mean X509-Certificates in common. Let me make it clear first: the passwords of the private keys are different.
The magic here is Chaining of the Certificates, i.e.
Root Certificate from CA
Intermediate Certificate from CA (for instance Class 2)
Your Certificate
If you look at your SSL-Certificate, you will find this structure. Every certificate within this hierarchy can be seen as a certificate for its own. You can find more information within this msdn article. A briefly description from my point of view:
The Certifcates within this chain can be seen are separate Certificates. With their own ability to sign Information with the private key and validating signature with their private key. They are basically linked within this chain.
You might ask Why are the Certificates linked?
There are two main reasons: Security and Trust.
If you loose your private key or if your certificates is broken, it's need to be revocated. This basically says, that your Certificates should not be trusted anymore. It's listed on the Revocation-List on the parent Certificate to ensure that this security break can be fixed very fast. This behavior explains, why root certficates creating IntermediateCertificates and not your requested Certificate - they want to be sure that they can revocate their Intermediate Certificate as well.
Additionally to this functional explanation there is a mathematical, but I am not able to explain this is an easy way. You can find Information about this within it's article on Wikipedia. Basically it says, that you can't calculate the password from the parent and / or public certificate to use the private certificate.

OpenSSL and s_client - why is a private key required from the client?

I need to setup a 2 way SSL communication channel between a .NET/WCF application and a third party web server. Right now I am trying get a successful handshake with the host in order to validate that all the elements are setup correctly (client certificate, server certificate authority, network communication...). I'm using the openSSL command line tool to try and validate this, using the s_client command.
Here is what is stopping me, and what I don't understand:
whatever I do, openSSL is expecting to find a private key for the
client certificate
the client certificate was given to me by the third party, but it
does not contain any private key
if I just generate my own private key file using openSSL, I'm getting
a key values mismatch error
Keep in mind that I have just started getting my hands into SSL so I have a very basic understanding of the whole protocol. From what I've been reading, it seems that both server and client need their private key in a 2 way SSL setting. However, I can't figure out how to get a working private key on my client (working with the client certificate that was given to me).
I would very much appreciate if somebody could shed some light on client certificate private keys, as this is giving me a major headache.
Certificates on their own are only public pieces of information. What links a public key certificate to the name it contains is the fact that whoever has legitimate control over that name (e.g. your name or your server's name) also has the private key for it.
Certificates are used to prove the identity of the remote party by challenging the remote party to perform an operation that can only be done with the corresponding private key: signing something (which can be verified with the public key) or deciphering something that was encrypted with the public key. (Both can happen in the SSL/TLS handshake, depending on the cipher suite.)
During the SSL/TLS handshake, the server sends its certificate (in clear) and proves to the client that it has the corresponding private key using an authenticated key exchange.
In your case, you also want to use client-certificate authentication. It's not enough to send the client certificate during the handshake: the client must also prove it has the private key. Otherwise, anyone who receives that certificate could clone it. The point of using certificates is to prevent any cloning, in such a way that you never have to show your own secret (the private key).
More specifically, the client has to sign the handshake messages in the Certificate Verify message of the TLS handshake so that the server can verify it against the public key sent in the client certificate. Without this step, no client-certificate authentication would be taking place.
the client certificate was given to me by the third party, but it does
not contain any private key
Giving you your certificate without its private key seems a bit pointless, unless you're expected to have generated a certificate request on your side beforehand (in which case you would have the private key).
Indeed, rather than being given a certificate and its private key, it's better practice for you to generate your key-pair, create a certificate request (CSR), and have your CA issue a certificate from that CSR (but without them ever knowing your private key). In this case, you would be expected to have kept your private key, and you would be able to use it with the cert you would have received.
This is an interesting question. I was puzzled by TLS related errors while configuring LDAPS, my learnings here.
The names, "public key" and "private key" sound like it's an one-way operations, but it works both ways, anything encrypted by one key and be decrypted by another key - just that one key is made public
Info = openly available data, with unknown integrity - it could be tampered by 3rd party
Signature = Info encrypted by a private key, accompanies Info
Verifying signature = use public key to decrypt the signature and get Info back thus proving "whoever created the signature knows the private key", or, the Info is untouched after it's signed
That is, unless the private key is stolen
Certificate = Info + Signature + public key + private key
Info = the meat
Signature = to verify integrity of Info
public key = to verify other certificates, see Certificate Chain
private key = not included in certificate itself but should be kept by certificate owner, could be used to sign other certificates
Certificate Authority (CA) = Anyone who holds a public / private key pair and creates certificates
CA identity is indicated in Info on a certificate
Certificate Chain = Use public key on mother-certificate to verify the signature on a child-certificate, to ensure child-certificate was created and signed by mother CA
And mother created and signed by grandma, so forth
Root CA = Root CA is the CA you trust unconditionally
Because their certificates (Root Certificates) are pre-loaded in your browser or OS as a source of trust
Also because their certificates are self-signed, its Signature is created using its own private key, verified by its own public key
This could be confusing, but think it as the origin of certificate-based encryption - only when people found out that relying on a few Root CA's to create and sign countless certificates are insecure (private keys might get stolen) and impossible (rapidly increasing demands of certificates), they came up with the idea of certificate chains
Root CA's only create and sign certificates for some Intermediate CA's so private keys are not used too often and is safer
Intermediate CA's can create and sign millions of certificates and get their certificate revoked when a private key is known to be leaked
This is the reason you don't often see the Root Key Ceremony, which signifies the importance of the private key for a Root Certificate: the less the private key is used, the less it could be exposed
Self-Signed Root Certificate = virtually the same as a Root Certificate - just no one but the creator would trust
TLS Handshake = server sends certificate, client validate is against the certificate chain, when verified, exchange a "password" securely
The "password" is then used to encrypt actual data transfer using symmetric encryption
Asymmetric encryption is not used for actual data due to its need for intense computation powers
Client Certificate Authentication = in addition to previous process which authenticates the server, the server demands a valid certificate to be provided by the client, also a signature of previous handshake messages
The signature is created using the private key of the certificate and can be verified by the public key on the certificate
This proves the ownership of the certificate
This is used usually for restricting access to known individual clients
Using certificates means no man-in-the-middle or replay attack could happen
This is often seen in finance or IoT
This is also utilized by LDAPS, which caused mystic error messages when I had a valid certificate in my local keystore but it was not accompanied by its private key
...So, in terms of openssl, when you use -cert you indicate Client Certificate Authentication, with which you will need -key to specify the corresponding private key.
However, for many Web scenarios, even if the certificate for a server is signed by a homemade CA, one only need to add the homemade CA to truststore or keychain then server certificate can be validated. This is done by using -CAfile.
Bottom-line.. If you're sending client certificates, then you would need the client certificates' private key to encrypt the pre-master secret

SSL query - CSR for certificate renewal

Need the understanding about SSL and the way it functions. Kindly help answer the below.
I understand that the CSR that we generate has our public key and DN info i.e C=,CN=,L=,O=,OU=,ST=.
Are both these two compoments (JPMC public key and the DN) hashed and if the hash is also send to verisign at the time we request them for a cert (new cert or a cert renewal).
What amount these (public key, DN and the hash) are encrypted using JPMC's private key.
Does Verisign (CA) use the public key that we send them as part of the CSR or do they have it from other means inorder to decrypt whatever was encrypted above.
No, the information in a certificate signing request is not hashed - how could it be - you can't get the information back after hashing? It is not encrypted either, none of the information is sensitive.
A CSR contains the version of the PKCS#10 standard which is being used, the DN of the entity the certificate is for, the public key that will be used, and optionally, some attributes such as subject alternate names, etc.
The CSR is signed, using the private key generated to initiate the request (or, in renewal, the private key of the existing certificate).
PKCS#10 is the main specification for all of this.