Digital Certificates with example

Digital Certificate with example:

In this post, we will try covering topic Digital Certificates with an example certificate.

Content:
1. Example of Digital Certificate
2. Certificate Terminology
3. Digital Certificate definition
4. Class of Certificates
5. Certificate Extension
6. Certificate Fields
7. Good to know facts about Certificate.

Example of Digital Certificate

Before we know anything about certificates, its good know where and how certificates are used. In this post, i will try covering what are certificates, why are certificates used for.

Asymmetric key encryption, Public key infrastructure (PKI)  are the places where certificates are used.

Imagine party A and party B wants to exchange a secret code like password between them and currently they don't have any prior communication between them.

To Solve this problem, party A will have private key and public key  with him. party B also has its own private and public key with in.

public will be shared with all, private keys are never shared to any one.

Now if Party A wants to send secret code to party B.

Party A will use party B public key and encrypt the data and send it across to party B.

Only Party B knows its private key, so only party B will be able to decrypt the secret code .

Lengthy example but this a one of  basic use case of PKI.

Second example, more practical one
One more example is HTTPS communication in a browser. it uses PKI.
balakishore gaddam
HTTPS OPTION



 Certificate Terminology

  CA : Certificate Authority
  DN: Distinguished Name
  PKI: Pulbic Key infrastructure

What is Digital Certificate:
 
 A certificate is based on the X.509 standard and which holds information about an individual or an organization or a company to which a certificate is issued. .
It holds a public key.

It also holds the information about certificate authority  that issued the certificate.

Encoding used for a certificateASN.1 ( Abstract Syntax Notation One).
Each Field in the certificate are tagged with a number.


Sample Certificate:
bala kishore
Certificate


 A certificate contains
 
balakishore
digital certificate


Certificate can be used for encryption of emails, signing a library file etc.


Types of Certificate:
Definition of class  might vary from vendor to vendor.
Class 0
          Type of certificate used for demo or test purpose.

Class 1
           Issued to individuals.
           Contains name (alias name) and email address of the individual
           Usage : Digitally sign email, Encrypt email
            It does not facilitate strong authentication of the identity

Class 2
          Certificates are issued as Managed Digital Certificates
           
Class 3
        Class 3 certificate are issued to individuals and servers. It provides important assurance of identity of individuals  It is used for Digital signature , encryption of messages.


As per Verisign


class 1: Individuals
class 2 : organizations

Class 3 : servers and software signing
Class 4 : Business transaction
Class 5 : Government security etc.

This classification may vary from authority to authority.



Digital Certificate Extension:

Extensions are used to associate additional information with the user or public key etc.
Each extension has
  •  Extension ID
  •  Critical flag
  •  Extension value.

Critical Extension

If a critical extension is not understood the certificate should be refused.
Critical flag value is  true.
Yellow mark is seen on the critical extension




Basic Constraint critical extension specifies if the certificate can be used to sign other certificate.


Non Critical Extension


If a critical extension is not understood the certificate may not be refused. This extension is ignored.

Critical flag is false in the certificate

Subject Alternate Names is non critical extension contain alternative name like email or such.

Digital certificate and its each field in details

Version : its version number of the certificate.

             Version: v3, is a X.509 Version 3 Certificate refer for more details https://www.ietf.org/rfc/rfc2459

Serial number: Its a unique number that identifies a certificate.


A Signature is cryptographic signature of the content of the certificate.it is made up of issuer private key and it can be verified with issuer public key.

Signature Algorithm: Algorithm used to create certificate.
                           
Signature Hash Algorithm

Issuer:
       Certificate Authority who issued the certificate.

Valid From: Date and Time the certificate is issued from.

Valid To: Date and Time the certificate is valid to use.

Public Key: The public key is present in a certificate and it has a corresponding private key which is not present in cer.


Public Key Parameters:
                               parameters are used over many key exchanges

Subject:

             A subject contains distinguished name. it contains common name, optionally contain other details like organization unit, country etc. Subject is entity to whom certificate is issued.


CRL Distribution list:
contains the URL list of website that contains  Certificate Revocation list. When a certificate is revoked, the information is sent to the CA and the CA authenticates the request and advertises the revoked certificate in the Certificate Revocation List. URL would contain that list.



Certificate Policies
         Certificate Policies  is a set of rules that defines how the CA will issue the certificates.

Certificate Practice Statements
           It is a document written in  text that describes how the CA plans to manage the certificates that it issues.

Thumbprint algorithm
         The algorithm used to create the unique value of the certificate.
          Example : sha1

Thumbprint 
        The unique value that identifies the certificate. This can be checked with the issuer of the certificate.

Authority Key Identifier
       The authority key identifier extension provides a means of  identifying the public key corresponding to the private key used to  sign a certificate
    
Subject Key Identifier
       Subject key identifiers SHOULD be derived from the public key or a method that generates unique values.

Authority Info Access (AIA)
   AIA extension allows SSL/TLS clients to go get the missing intermediate certificates, not presented by the server.  This extension, that adds in the final certificate a CA Issuer containing a URL, allows the browser to find the missing certificate and to check the chain again.
             
AIA


Good to know facts:

  • Self Signed certificate are self generated certificate with issuer and subject been same.
  • Well known certificate authorities:
In India : http://www.cca.gov.in/cca/?q=node/41
Generally : VeriSign, Entrust, Thwate, GeoTrust
In Internet explorer you can find the list of trusted authorities in
 Tools->Internet Options -> Content->Certificates -> Trusted Root Certificate Authorities.
 
balakishore
internet explorer





















unix find usefull command


Following post is an attempt to list most used and interesting use of unix find command.

you might find all of tutorials about this command but I tired to list down the once I used in my day to day life.


General syntax:
find /path [expression]

find files under a directory ignoring case

find /usr -iname sample.txt

To find a directory in  "sample" folder.

find / -type d -name sample

find all files ending with .txt and print first 3 results

find . -name "*.txt" | head -n 3

find all files ending with ".java" or ".cpp"

find . -name "*.java" -o -name "*.cpp"

find all files with specific format extension which are modified in last 1 days.

to find all files modified in last 1 day with cpp extension.

find  . -name  "*.cpp" -mtime -1



Replace all occurrence of a string all occurrence in all files
find ./ -type f -exec sed -i 's/3094/3081/' {} \;


Find all files on the specific directory   not modified in 1 years (365days)

find /dummy -mount -mtime 365| head -n 5


Find path of file where a particular string  is found ,  in current directory

find . -name \* -exec grep "VISIBILITY_HIDDE" '{}' \; -print

Find path of strings in .cpp files

find / -name \*.cpp -exec grep "debug" '{}' \; -print


Run strings on every file on the system that ends with ".pwd" (case insensitive)

find / -iname "*.pwd" | xargs strings $1 | sort

Limit depth of directory traversal

 find .  -maxdepth 2 -name "*.txt"

it limits the depth of the command.

FIND AND XARGS command


find / -print | xargs ls -ld

Xargs executes its arguments as commands, and reads standard input to specify arguments to that command

Delete the first file ending in ".swp" or "~" that have not been modified in 24 days starting in this directory.

find . -mount -mtime +24 \( -name "*.swp" -o -name "*~" \) | head -n 1 | xargs rm $1

 
List all empty direcories:
 
find /tmp -type d -empty 
 
find all empty directories and remove them in a specific directory.
 
find /tmp -type d -empty -exec rmdir  {} \;
 
 

Rarely used but interesting commands:

To find list of files that got changed with last 1 day. 
 
find / -mtime -1
 

Reference: http://www.cs.colostate.edu/~cs556/projects/project-1/Exercise.html

Firefox and its tricks

This post is for all Firefox lovers, some interesting command and tricks which would make browser usage more intellectual.


Firefox tricks.
By default Firefox opens a blank page on every new tab. But if you want to change it and have your own website link to be opened.
 Follow the following steps.
In the Firefox address bar: enter below value
·         about:config
·         accept the warning
·         navigate to browser.newtab.url
·         double click on “browser.newtab.url”, a pop up will open.
·         Provide your website details.
firefox config




Next step would to find the list of commands available in firefox.
Try following command in address bar.
about:about
Click on the links to find the operations.


Command Line options

launch firefox website from command line
open run, then type firefox<websiteurl>
example: firefox www.bing.com
it opens as a tab.

opening multiple web sites in Firefox simultaneously.
go to run
firefox www.bing.com google.com

When opening multiple URLs, it opens  sites in a new window


KEY WORD URL:
keyword.enabled value needs to be true
keyword.URL must have a website name

Any valid URL may be specified. The keyword will be appended to the URL and then the user will be redirected to the new URL. The default value is:
http://www.google.com/search?ie=UTF-8&oe=utf-8&q= 
 
Google Quick search
http://www.google.com/search?q=%s

Google's "I'm Feeling Lucky"     http://www.google.com/search?q=%s&btnI=I%27m+Feeling+Lucky
Yahoo!     http://search.yahoo.com/search?&p=%s    

Other commands with description.
Firefox Version:
Try command “about:mozilla” in address bar.
Try following command in firefox address bar. Follow ing athe results
about:
Shows information about Firefox.
about:blank
shows blank page
about:home
shows home page.
about:addons
shows addons
about:credits
lists contributors.
about:buildconfig
hows the arguments and options used to compile the Firefox build in use.
 about:memory
shows memory usage


Private browsing in firebox.( similar to incognito mode in chrome)

control + shift  + P
opens the browser in private session.
This is extremely useful while testing cookie related applications. 
On a machine which is used by multiple people, you do not want to leave any of the data or trace of site you visited. This option is ideal for those


avoid warning while closing a tab or group of tabs

in address bar, type
about:config
navigate to
browser.tabs.warnOnClose set to false
browser.tabs.warnOnCloseOtherTabs set to false



Download firefox direct link:
https://www.mozilla.org/firefox/all/
 

Message Digest- calucation using openssl


openssl command line utility is used to calculate message digest of the value.


calculate message digest writes to hexademical output to a console(stdout)
openssl dgst -sha1 file.txt

Example output:
SHA1(file.txt)= 1f8ac10f23c5b5bc1167bda84b833e5c057a77d2


calculates message digest and writes data to text file in hexademical format
openssl sha1 -out digest.txt file.txt
Example output in digest.txt file
SHA1(file.txt)= 1f8ac10f23c5b5bc1167bda84b833e5c057a77d2


   
calculate hash value using a DSA private key.
openssl dgst -dssl -sign cacert.pem -out signedoutput.txt   inputfile.txt

verification of signature of a file.
openssl dgst -dss1 -prverify cacert.pem -signature dsasign.bin file.txt

CIA triad- Network Security - Part2 -



Security revolves around the BIG words. We call it CIA triad. Everyone talks about this CIA, so do I.
At high level, truly security is all about this three terminologies called Security Principles.

 

Integrity – Confidentiality - Availability
I will try to complete this topic as fast I could, you can find any article talking about this.            


Balakishore
cia triad

Confidentiality:
Information not disclosed to unauthorized persons or entities.

One means of achieving confidentiality:            
Data Encryption is one means of achieving confidentiality. Like encrypting  passwords.

Ways to violate confidentiality:
Malware, intruders, social engineering.

Integrity:
It can be data integrity or system integrity. It’s a property where System or Data is not modified by unauthorized users.It relates to origin trustworthiness, completeness, and correctness of information.

It includes:
Authenticity: Ability to verify that  unauthorized user didn't modify the content.
Non repudiation & Accountability:  Any Action on the system can be verified and associated with a  user.

One means of achieving Integrity:                        
Hashing is one mechanism. Hashing the data you receive and comparing with the hash of the original message.

Ways to violate Integrity:
stealing passwords, replay attacks

Availability:
It’s a property where system or system is available to authorized users.

One means of achieving Availability:
Fault tolerant systems, redundant copies and backups.


Gaddam Balakishore
CIA


CIARISKControl Mechanisms
IntegrityLoss of privacy.
Identity Theft
unauthorized access to information
Encryption, Authentication, Access control
ConfidentialityInformation is no longer reliable.
Indemnity Theft
unauthorized access to information
4-Eyes, Audit logs
AvailabilitiesBusiness disruption.
Identity Theft
unauthorized access to information
Back ups


Types of Security Attacks -Network Security Tutorials- Part1



As part of the series of topics on network security.

Hope you will like it.

Security Attacks:

An action that compromises, the security of information.

1. Passive Attacks
It intercepts the message, learns about the makes use of the message, but does not affect system resources.
Passive attacks can be of:
1.         
            Release of Message contents
Any message or file transferred over the network is intercepted. This intercepted data can contain sensitive information.
2       Traffic  Analysis:
If the data is masked/encrypted, intruder may not be directly able to read it. Intruder would be able to read the pattern of the message, identify the host’s communicating, length and the frequency of the message.


2. Active Attacks
This form of attack, intercepts the message, modifies or recreates a false stream of message.
Active Attacks can be of:
1.       Masquerade.
One pretends to be a different entity. Authentication sequence can be captured and replayed after a valid authentication. And using this information to impersonate and get illegal access.

Masquerading occurs when one person uses the identity of another to gain access to a computer. This may be done in person or remotely


2.       Replay
Capture the data and retransmit the data.

3.       Modification of messages.
Actual message: “allow xyz to read a file”,
Post modification: “allow gs to read a file”.
Here ‘xyz’ is been replaced by ‘ gs’ by the middle man.

4.       Denial of Service.
There are two forms of denial of service.
First form: Suppressing all messages directed to a particular destination.
Second form: disrupted the network by disabling the network or by overloading it with messages to degrade the performance.(Bottle neck)

3. Insider Attack
It involves any insider eavesdrop, steal or damage information. Use that stolen information any purpose.

Example:
Credit card or Cell phone holder information shared to external person.

4. Close-in attack:
Social engineering is best way to describe this kind of attack.
 Attacker cans the advantages of being physically close to the target devices.

Example:
Shoulder surfing is one such example.  Person looking over someone's shoulder, to get information such as password, PIN.

5. Distribution attack:
Introduction of Trojan horse or back-door program. This code gets distributed across the network to gain unauthorized access to information or to a system function and disrupts the functionality of the system.


Good to know difference:
Difference between masquerade and replay attacks:

Masquerade is any attack wherein the attackers acts  as if  attcker was some other user or entity in the system.
Replay attack is plain attack, where use intercepts the data, resend the same data.

In Simple words, Masquerade manipulates the request.
Replay attack just sends the intercepted request without manipulating it.