Publickey Infrastructure Computer Center CS NCTU 2 Publickey
Public-key Infrastructure
Computer Center, CS, NCTU 2 Public-key Infrastructure q A set of hardware, software, people, policies, and procedures. q To create, manage, distribute, use, store, and revoke digital certificates. q Encryption, authentication, signature q Bootstrapping secure communication protocols.
Computer Center, CS, NCTU 3 CA: Certificate Authority (1) q 信任不是無中生有
Computer Center, CS, NCTU 6 What is a CA ? (1) q q Certificate Authority (認證中心) Trusted server which signs certificates One private key and relative public key Tree structure of X. 509 • Root CA
Computer Center, CS, NCTU Certificate (1) q 電子憑證 / 公開金鑰憑證 / 網路身份證 q A certificate is issued by a CA X q A certificate of a user A consists: • The name of the issuer CA X • His/her public key Apub • The signature Sig(Xpriv, A, Apub) by the CA X • The expiration date • Applications Ø Encryption / Signature 9
Computer Center, CS, NCTU Certificate (2) Alice: (1) Generate Apub, Apriv (2) Alice, Apub, ID proof CA X: (3) Generate Sig(Xpriv, Alice, Apub, T) (4) Sig(Xpriv, Alice, Apub, T) Cert. A, X=[Alice, Apub, Sig(Xpriv, Alice, Apub, T)] Note: Note CA does not know Apriv 10
Computer Center, CS, NCTU Certificate (3) q Guarantee of CA and certificate • Guarantee the public key is of someone • Someone is not guaranteed to be safe q Security of transmitting DATA • Transmit session key first Ø Public-key cryptosystem • Transmit DATA by session key Ø Symmetric-key cryptosystem 11
Open. SSL
Computer Center, CS, NCTU 13 Open. SSL q http: //www. openssl. org/ q In system • /usr/src/crypto/openssl q In ports • security/openssl
Computer Center, CS, NCTU 14 ports/Mk/bsd. openssl. mk # WITH_OPENSSL_BASE=yes - Use the version in the base system. # WITH_OPENSSL_PORT=yes - Use the port, even if base is up to date # WITH_OPENSSL_BETA=yes - Use a snapshot of recent openssl # WITH_OPENSSL_STABLE=yes - Use an older openssl version …… # if no preference was set, check for an installed base version # but give an installed port preference over it. . if !defined(WITH_OPENSSL_BASE) && !defined(WITH_OPENSSL_BETA) && !defined(WITH_OPENSSL_PORT) && !defined(WITH_OPENSSL_STABLE) && !exists(${DESTDIR}/${LOCALBASE}/libcrypto. so) && exists(${DESTDIR}/usr/include/opensslv. h) WITH_OPENSSL_BASE=yes. endif
Example: Apache SSL settings
Computer Center, CS, NCTU Example: Apache SSL settings – Flow q Flow • Generate random seed • Generate Root. CA Ø Generate private key of Root. CA Ø Fill the Request of Certificate. Ø Sign the certificate itself. • Generate certificate of Web Server Ø Generate private key of Web Server Ø Fill the Request of certificate Ø Sign the certificate using Root. CA • Modify apache configuration restart apache 16
Computer Center, CS, NCTU 17 Example: Apache SSL settings – Generate random seed q openssl rand -out rnd-file num % openssl rand -out /etc/ssl/Root. CA/private/. rnd 1024 q chmod go-rwx rnd-file % chmod go-rwx /etc/ssl/Root. CA/private/. rnd
Computer Center, CS, NCTU 18 Example: Apache SSL settings – Generate private key of Root. CA q openssl genrsa -des 3 -rand rnd-file -out rootca-key-file num % openssl genrsa -des 3 -rand /etc/ssl/Root. CA/private/. rnd -out /etc/ssl/Root. CA/private/rootca. key. pem 2048 • Note: phrase are asked (something like password) q chmod go-rwx rootca-key-file % chmod go-rwx /etc/ssl/Root. CA/private/rootca. key. pem
Computer Center, CS, NCTU Example: Apache SSL settings – Fill the Request of Certificate q openssl req -new -key rootca-key-file -out rootca-req-file % openssl req -new -key /etc/ssl/Root. CA/private/rootca. key. pem -out /etc/ssl/Root. CA/private/rootca. req. pem q chmod go-rwx rootca-req-file % chmod go-rwx /etc/ssl/Root. CA/private/rootca. req. pem Enter pass phrase for rootca-key-file: Country Name (2 letter code) [AU]: TW State or Province Name (full name) [Some-State]: Taiwan Locality Name (eg, city) []: Hsin. Chu Organization Name (eg, company) [Internet Widgits Pty Ltd]: NCTU Organizational Unit Name (eg, section) []: CS Common Name (eg, YOUR name) []: nasa. cs. nctu. edu. tw Email Address []: liuyh@cs. nctu. edu. tw A challenge password []: (不需要密碼,直接 Enter) An optional company name []: (直接 Enter) 19
Computer Center, CS, NCTU Example: Apache SSL settings – Sign the certificate itself q openssl x 509 -req -days num -sha 1 -extfile path_of_openssl. cnf -extensions v 3_ca -signkey rootca-key-file -in rootca-req-file -out rootca-crt-file % openssl x 509 -req -days 5109 -sha 1 -extfile /etc/ssl/openssl. cnf -extensions v 3_ca -signkey /etc/ssl/Root. CA/private/rootca. key. pem -in /etc/ssl/Root. CA/private/rootca. req. pem -out /etc/ssl/Root. CA/private/rootca. crt. pem q rm -f rootca-req-file %rm -f /etc/ssl/Root. CA/private/rootca. req. pem q chmod go-rwx rootca-crt-file %chmod go-rwx /etc/ssl/Root. CA/private/rootca. crt. pem 20
Computer Center, CS, NCTU 21 Example: Apache SSL settings – Generate private key of Web Server q openssl genrsa -out host-key-file num %openssl genrsa -out /etc/ssl/nasa/private/nasa. key. pem 2048 q chmod go-rwx host-key-file %chmod go-rwx /etc/ssl/nasa/private/nasa. key. pem
Computer Center, CS, NCTU 22 Example: Apache SSL settings – Fill the Request of Certificate q openssl req -new -key host-key-file -out host-req-file % openssl req -new -key /etc/ssl/nasa/private/nasa. key. pem -out /etc/ssl/nasa/private/nasa. req. pem q chmod go-rwx host-req-file % chmod go-rwx /etc/ssl/nasa/private/nasa. req. pem
Computer Center, CS, NCTU Example: Apache SSL settings – Sign the certificate using Root. CA q Tramsmit host-req-file to Root CA, and do following steps in Root. CA • openssl x 509 -req -days num -sha 1 -extfile path_of_openssl. cnf -extensions v 3_ca -CA rootca-crt-file -CAkey rootca-key-file -CAserial rootca-srl-file -CAcreateserial -in host-req-file -out host-crt-file % openssl x 509 -req -days 365 -sha 1 -extfile /etc/ssl/openssl. cnf -extensions v 3_ca -CA /etc/ssl/Root. CA/private/rootca. crt. pem -CAkey /etc/ssl/Root. CA/private/rootca. key. pem -CAserial /etc/ssl/Root. CA/private/rootca. srl -CAcreateserial -in /etc/ssl/nasa/private/nasa. req. pem -out /etc/ssl/nasa/private/nasa. crt. pem • rm -f host-req-file ( in both Root. CA and Web Server) % rm -f /etc/ssl/nasa/private/nasa. req. pem • Transmit host-crt-file back to Web Server 23
Computer Center, CS, NCTU Example: Apache SSL settings – Certificate Authority (8) • Include etc/apache 22/extra/httpd-ssl. conf ## ## SSL Virtual Host Context ## <Virtual. Host _default_: 443> # General setup for the virtual host Document. Root /home/wwwadm/data <Directory “/home/wwwadm/data"> Options Indexes Follow. Sym. Links Allow. Override All Order allow, deny Allow from all </Directory> Server. Name nasa. cs. nctu. edu. tw: 443 Server. Admin liuyh@nasa. cs. nctu. edu. tw Error. Log /var/log/httpd/nasa. cs-error. log Custom. Log /var/log/httpd/nasa. cs-access. log common SSLEngine on SSLCipher. Suite ALL: !ADH: !EXPORT 56: RC 4+RSA: +HIGH: +MEDIUM: +LOW: !SSLv 2: +EXP: +e. NULL SSLCertificate. File /etc/ssl/nasa. crt. pem SSLCertificate. Key. File /etc/ssl/nasa/private/nasa. key. pem 24
Appendix: PGP
Computer Center, CS, NCTU PGP q Pretty Good Privacy q Public key system • Encryption • Signature q security/gnupg q Will talk more in Network Administration q Ref: http: //security. nknu. edu. tw/textbook/chap 15. pdf 26
- Slides: 26