Digital security 07 of many: Certificates

This series “Digital security” is from my notes prepared for certifications.

Certificates are linked to “Identity” by leveraging the security of digital signatures (asymmetric key cryptography and hash functions).

A certificate has the following information:

  • Subject’s name and public key (Who the certificate is issued to)
  • Issuer’s name and signature (Who issued the certificate)

If the issuer and subject are the same entity, the certificate is considered to be self-signed. These are good for development or internal/local uses where secure applications require certificates within the network.

Over the internet, there are security firms that issue certificates. These are often called the Root Certification Authority (Root CA).

The Root CA doesn’t directly sign all the domain/server/vanity certificates. The Root CA creates multiple intermediate CAs, which then sign the end user certificates.

This mechanism of chained trust to authenticate a host/client over the network is known as Public Key Infrastructure (PKI).

Web browsers, by default, have a certificate store which contains the certificates of many Root CAs and intermediate CAs.

In addition to browsers, application servers (IIS, Tomcat, NGINX, etc.) have their own collection of certificates to trust incoming client or outgoing server connections.

In addition to these specialized applications (browsers and app servers), the operating system has its own certificate store used by client applications (Skype, Office, 7Zip, Fiddler, Postman, etc.).

Inspecting a certificate will show that it was most likely issued by an intermediate “Issuing Authority”. The screenshot below was taken after importing the certificate of www.airbnb.com and all certificates in its chain of trust.

The certificates were analysed on 28/03/2023. The end user certificate had expired at this point.

The Root CA’s public key is hashed, and that hash is encrypted using the Root CA’s private key. The result is the Root CA’s signature.

The Root CA’s public key and signature are then shared with the public. Anyone who wants to validate the public key, and also authenticate the sender, can verify the signature.

The Root CA’s self-signed certificate contains the Root CA’s public key and the Root CA’s signature.

The Root CA’s signature is then attached to the Intermediate CA’s certificate, along with the Intermediate CA’s public key. The Intermediate CA generates its own signature using its public and private keys.

The end user’s certificate contains the Intermediate CA’s signature and the end user’s public key.

To validate the end user’s certificate, we validate the end user signature using the end user certificate’s public key. This leads us to validate the Intermediate CA’s signature.

The browser/web-server/OS might have the Intermediate CA’s public key, which can be used to validate the Intermediate CA’s signature. This leads us to validate the Root CA’s signature.

The Root CA’s public key SHOULD BE available in the client’s browser/web-server/OS in order to validate the Root CA’s signature.

The chain of trust stops there because the Root CA’s certificate is self-signed.

The image below is from Wikipedia:

Digital signatures, certificates and SSL/TLS are layer 4+ mechanisms to ensure confidentiality, integrity and authentication.

Digital security 06 of many: Digital Signatures

This series “Digital security” is from my notes prepared for certifications.

Asymmetric key cryptography can be used for the purpose of message signatures because:

  1. Only the public key paired with a private key can decrypt a message encrypted with that private key, so a message that decrypts correctly must have been encrypted by the owner of the private key. The owner can be uniquely authenticated by the fact of owning the private key.
  2. A nefarious actor can’t encrypt a message with the public key and have that same public key used later by another downstream legitimate user to decrypt it. This ensures the integrity of the message and security in authenticating the message.

Step 1: A and B generate their asymmetric key pairs.

Step 2: A and B share each other’s public keys.

Step 3: A generates a hash digest of a message using DSA and then encrypts that digest using its private key.

Step 4: A sends the message appended with the encrypted digest to B.

Step 5: B decrypts the appended ciphertext using A’s public key and retrieves the digest. This proves that the digest was encrypted by A using its private key.

Step 6: B then attempts to generate the same digest for the message using the pre-agreed algorithm (mostly DSA).

This proves to B that the message has retained its integrity and wasn’t tampered with in the journey from A to B.

So what’s a digital signature?

In the context of files shared between server and client, it can be a pre-shared hash of the file. The hash might be kept in a common location where only the admins can update the hash information.

In the context of SSL/TLS certificates, the public key of one server is already shared with anyone who wants to communicate with that server. So all the prospective clients have that public key. Going by our example, A’s public key is available to B. The public key is just a series of bytes. So A can treat its public key as the message and generate its digest. A will encrypt the digest using its private key. The resulting ciphertext is A’s digital signature.

Read the steps again and it might be more clear now.
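As an added worked example (not the author’s code), here is the sign/verify procedure from the steps above together with the chain-of-trust check from the Certificates section. It uses a toy RSA with fixed small primes and SHA-256 as the digest; the `Cert` structure and the names (Toy Root CA, Toy Issuing CA, www.example.test) are constructed for illustration only.

```python
import hashlib
from dataclasses import dataclass

# Toy RSA with fixed small primes: illustration only, never use for real keys.
def make_key(p: int, q: int, e: int = 65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)
def digest(data: bytes, n: int) -> int:
    # SHA-256 of the data, reduced so the integer fits the tiny toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(data: bytes, priv) -> int:              # Step 3: digest "encrypted" with the private key
    n, d = priv
    return pow(digest(data, n), d, n)
def verify(data: bytes, sig: int, pub) -> bool:  # Steps 5-6: recover digest, recompute, compare
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

@dataclass(frozen=True)
class Cert:
    subject: str        # who the certificate is issued to
    pubkey: tuple       # subject's public key
    issuer: str         # who issued (signed) it
    signature: int      # issuer's signature over tbs()
    def tbs(self) -> bytes:
        # The bytes the issuer signs: subject name, subject key and issuer name.
        return f"{self.subject}|{self.pubkey}|{self.issuer}".encode()

def issue(subject: str, subject_pub, issuer: str, issuer_priv) -> Cert:
    unsigned = Cert(subject, subject_pub, issuer, 0)
    return Cert(subject, subject_pub, issuer, sign(unsigned.tbs(), issuer_priv))

def verify_chain(chain: list, trust_store: dict) -> bool:
    """chain = [end-user cert, intermediate(s)..., root]; each link is checked with the
    issuer's key, and the root must be self-signed and already in the trust store."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject or not verify(cert.tbs(), cert.signature, issuer.pubkey):
            return False
    root = chain[-1]
    return (root.subject == root.issuer
            and trust_store.get(root.subject) == root.pubkey
            and verify(root.tbs(), root.signature, root.pubkey))

# Constructed toy PKI: self-signed root, intermediate signed by root, leaf signed by intermediate.
ROOT_PUB, ROOT_PRIV = make_key(1000003, 1000033)
INT_PUB, INT_PRIV = make_key(999983, 1000037)
LEAF_PUB, _LEAF_PRIV = make_key(1000039, 1000081)
ROOT = issue("Toy Root CA", ROOT_PUB, "Toy Root CA", ROOT_PRIV)
INTER = issue("Toy Issuing CA", INT_PUB, "Toy Root CA", ROOT_PRIV)
LEAF = issue("www.example.test", LEAF_PUB, "Toy Issuing CA", INT_PRIV)
TRUST_STORE = {"Toy Root CA": ROOT_PUB}   # what a browser/OS certificate store would hold
```

A chain fails when any link is signed by a key other than its issuer’s, when the intermediate is missing, or when the root is not in the trust store.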


Digital security 05 of many: Hash and Digest

This series “Digital security” is from my notes prepared for certifications.

Encryption deals with the process of substituting plaintext with ciphertext.

The reverse of encryption seeks to generate the plaintext from the ciphertext.

If it is enough to validate equality, or just to identify a common message between two parties, encryption is not necessary.

A hash algorithm performs a mathematical operation on the entire data (plaintext) to generate an output (digest) that is much smaller than the input.

In many cases, the output size is only a tiny fraction compared to the original data. Unlike encryption, hashing is irreversible.

A hash/digest is a fingerprint of the original message.

If some data was commonly known/shared to two parties, then they only need to agree on a common hashing algorithm to check if both had the same data.

Well known hash algorithms:

MD5 (Message Digest Algorithm) was the most common hash algorithm.

SHA-1 and SHA-3 (Secure Hash Algorithm) produce a 160-bit digest.

SHA-2 has 6 variants of varying digest size:

  • SHA-224: 224-bit digest
  • SHA-256: 256-bit digest
  • SHA-384: 384-bit digest
  • SHA-512: 512-bit digest
  • SHA-512/224: 512-bit digest truncated to 224 bits.
  • SHA-512/256: 512-bit digest truncated to 256 bits.

DSA (Digital Signature Algorithm) is used exclusively for the purpose of signatures and certificates.

MD5 and SHA-1 have been compromised and are not preferred in security/signature applications. They’re still used to verify data integrity in non-trivial use cases.

Passwords are stored only as a digest of the original password. This prevents any user from reverse engineering the digest.


Digital security 04 of many: Hybrid encryption

This series “Digital security” is from my notes prepared for certifications.

Asymmetric key cryptography is processing intensive and is suitable only for small bits of data.

Symmetric key cryptography is not expensive (on processing) and can be used to encrypt a very large bulk of data.

Using symmetric key cryptography, ciphertext is as long as the plaintext.

Using asymmetric key cryptography, ciphertext is much longer than the plaintext. Due to this expansion, bulk encryption using asymmetric cryptography is not feasible. This data size difference will translate to processing speed differences which will go on to impact the network’s throughput.

A middle ground in security and performance is achieved by using asymmetric keys to securely share the symmetric keys.

Step 1: Both parties generate their private and public key-pair.

Step 2: Both parties exchange each other’s public keys.

Step 3: ‘A’ wants to send a large amount of data to ‘B’ so it prefers to use symmetric key encryption. ‘A’ encrypts a newly generated symmetric key with B’s public key. B then uses its own private key to decrypt the data and retrieve the symmetric key generated by A. Now the symmetric key has been shared securely over the network.

Step 4: When A wants to send a large bulk of data to B, A encrypts the bulk data with the symmetric key which was previously shared with B. B decrypts the bulk data using the same symmetric key.

B can use the same symmetric key to encrypt and send data to A.

SSL, TLS, certificates, IPSec and SSH use SSL, which leverages hybrid encryption.

Digital security 03 of many: Asymmetric-key cryptography

This series “Digital security” is from my notes prepared for certifications.

If the key of a Symmetric-key algorithm is compromised, a malicious actor can sniff on all the encrypted traffic.

An algorithm that doesn’t require the same key to be shared by both parties to encrypt and decrypt data is an Asymmetric-key algorithm.

A key-pair is generated by one party A. This key-pair has two keys that are mathematically linked together. A retains a key (which is then called the private key).

The other key is called a public key and it is shared with everyone, including the other party B with whom secure communication is desired.

B encrypts a message using the public key and sends it back to A.

Even though everyone other than A and B also has the public key, they can’t decrypt the message.

The message can only be decrypted using the private key which is only with A.

Step 1: Both parties generate their private and public key-pair.

Step 2: Both parties exchange each other’s public keys.

Step 3: A encrypts a message using B’s public key and sends that to B.

Step 4: B decrypts the message using their private key to get A’s original message.

Similarly, B can encrypt a message using A’s public key which is then decrypted by A using their private key.

Once a party encrypts a message using the public key, only the corresponding private key can decrypt the message.

If the private key is compromised, all messages encrypted by the paired public key can be decrypted using it.

If a public key is compromised, false encrypted messages can be sent to the owner of the paired private key.

If one key in a key-pair encrypts a message, only the other key in the key-pair can decrypt it.

The same key that encrypts a message, can’t decrypt it.

RSA (Rivest, Shamir, Adleman), DSA (Digital Signature Algorithm) and ECDSA (Elliptic Curve DSA) are the most common asymmetric cryptographic algorithms.
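An added example (not the author’s code) covering both the asymmetric steps above and the hybrid steps from the previous section: a toy RSA with fixed small primes encrypts a freshly chosen symmetric key with B’s public key, and a SHA-256 keystream XOR stands in for the bulk symmetric cipher. The key length, nonce and sample data are constructed values chosen to fit the tiny toy modulus.

```python
import hashlib

# Toy RSA with fixed small primes: illustration only, never use for real data.
def make_key(p: int, q: int, e: int = 65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

def rsa_encrypt(m: int, pub) -> int:      # anyone holding the public key can do this...
    n, e = pub
    return pow(m, e, n)

def rsa_decrypt(c: int, priv) -> int:     # ...but only the private-key owner can undo it
    n, d = priv
    return pow(c, d, n)

KEY_BYTES = 4   # symmetric key kept below the ~2^40 toy modulus so it can be RSA-wrapped

def keystream_xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Toy symmetric stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    The same function encrypts and decrypts, and the output is as long as the input."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(x ^ k for x, k in zip(data[i:i + 32], block))
    return bytes(out)

def hybrid_encrypt(bulk: bytes, recipient_pub, key: bytes, nonce: bytes):
    """A -> B: wrap the fresh symmetric key with B's public key (Step 3),
    then encrypt the bulk data with that symmetric key (Step 4)."""
    if len(key) != KEY_BYTES:
        raise ValueError("toy key must be exactly KEY_BYTES long")
    wrapped_key = rsa_encrypt(int.from_bytes(key, "big"), recipient_pub)
    return wrapped_key, nonce, keystream_xor(bulk, key, nonce)

def hybrid_decrypt(wrapped_key: int, nonce: bytes, ciphertext: bytes, recipient_priv) -> bytes:
    """B: unwrap the symmetric key with its own private key, then decrypt the bulk data."""
    key = rsa_decrypt(wrapped_key, recipient_priv).to_bytes(KEY_BYTES, "big")
    return keystream_xor(ciphertext, key, nonce)
```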

Digital security 02 of many: Symmetric-key algorithm

This series “Digital security” is from my notes prepared for certifications.

The cipher key is used to encrypt and also decrypt a message. Anyone who needs to decrypt the message, needs the key.

An algorithm is the logic/process of applying the key over plaintext to encrypt it. The ciphertext can be deciphered/decrypted using the same algorithm and cipher-key (just called key).

When a shared key is required at both ends of a secure channel for encrypt and decrypt operations, the algorithm that uses such a shared key is a Symmetric-key algorithm. The same key is required for encrypting and decrypting.

Consider the binary XOR operation.

If A and B are two binary inputs, the XOR output is A’B + AB’.

A  B  A'  B'  A'B  AB'  A'B + AB'
0  0  1   1   0    0    0
0  1  1   0   1    0    1
1  0  0   1   0    1    1
1  1  0   0   0    0    0

Plaintext(Name) = 01001110  01100001  01101101  01100101

Cipher key = 0x22 = 00100010

Encrypt by performing Plaintext XOR key

Ciphertext = 01101100 01000011 01001111 01000111 = mCOG

Decrypt by performing Ciphertext XOR key

Decrypt result = 01001110 01100001 01101101 01100101 = Name

Basic XOR operation can be considered a symmetric key algorithm.

Block ciphers work on large blocks of data and generate the output in one shot.

Stream ciphers work on smaller chunks of a larger block and generate the output as the stream arrives.

Stream ciphers are useful for audio/video/conferencing which will benefit from data transfer in smaller chunks.

Stream ciphers are useful when transferring files or smaller data. With the advent of faster hard drives and faster networks, block ciphers have displaced stream ciphers in modern cryptography.

AES (Advanced Encryption Standard) is the most common block cipher. Block sizes are shown along with the name for clarity:

AES128, AES192, AES256, etc. Larger block sizes are more secure.

Digital security 01 of many: Cipher… Basic encryption

This series “Digital security” is from my notes prepared for certifications.

A cipher is any message that follows a pattern based on which it can be converted back to the original intelligible message.

A substitution cipher is one such algorithm for creating ciphers.

ABCDE….YZ can be substituted with the letters at the same index position after circularly rotating the standard English alphabet to the left by two letters: CDEFG….AB.

Name = Pcog

and so on.

Ciphers are the earliest form of encryption.

The substitution cipher shown above is trivial and can easily be ‘deciphered’ by trial and error or with a good eye for recurring patterns in language.
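An added example (not the author’s code) of the rotation-by-two substitution above, generalized to any shift, plus the trial-and-error check the text mentions: there are only 25 non-trivial shifts, so every candidate plaintext can be listed and read by eye.

```python
import string

ALPHABET = string.ascii_uppercase

def shift_cipher(text: str, shift: int) -> str:
    """Replace each letter with the one `shift` positions later in the circularly rotated
    alphabet (shift=2 gives the page's CDEFG...AB table); case and non-letters are kept."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ALPHABET if ch.isupper() else ALPHABET.lower()
            out.append(base[(base.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def decipher(text: str, shift: int) -> str:
    """Undo shift_cipher when the shift is known."""
    return shift_cipher(text, -shift)

def trial_and_error(ciphertext: str) -> dict:
    """Every possible decipherment keyed by shift; the readable one is the plaintext."""
    return {s: decipher(ciphertext, s) for s in range(1, 26)}
```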

Any message that isn’t encrypted is called Cleartext.

Any input to encryption is called Plaintext.

Any output of encryption is called Ciphertext.

                  Cipher Key
Plaintext   ====================>  Ciphertext

The binary representation of the plaintext allows for binary operations that are hard even for computers to crack without knowing the cipher key.