Creating an SSL certificate – step by step

 Security, Techie Stuff  No Responses »
Feb 262012
 

What is an SSL certificate?
At its most basic level, an SSL certificate is used to encrypt electronic communication, to authenticate users or devices, and to sign electronic communication. There are various types of SSL certificate – Web Server certificates, Email certificates, code signing certificates etc.
Here, I will describe the process of creating a new SSL certificate for use on a website as this is the most common use for certificates. At some point, I may write further guides describing different types too.

What are the components of an SSL certificate?
SSL certificates contain a number of pieces of information:
Subject – the name of the entity being identified by the certificate.
Private key – never seen by the client.
Public key – associated with the private key.
Issuer – the name of the Certification Authority who has signed the certificate.
Serial number – a unique identifier for the certificate
Validity period – the start and end dates between which the certificate can be considered valid.
Usage – a description of what the associated public/private  key pair can be used for.
Digital Signature – the signature of the issuer.

The certificate uses Public Key cryptography to encrypt, sign and authenticate.
The private key is known only to the owner of the certificate. A piece of information encrypted with this key can only be decrypted by the associated public key.

How do we communicate securely?
Let’s assume a situation where I want to communicate securely with you. I make a connection to your web server and request your certificate. Your server supplies the certificate which contains your public key. I generate a master key which we will both use to encrypt our communication. I encrypt the master key with your public key and send it to you. You are the only person who can decrypt the master key as you are the only person who knows your private key.

We have now securely exchanged a master key without anyone else being able to know it and can communicate securely.

What is signing?
In the same way you can sign a letter to ‘prove’ that it was written by you (assuming no one is capable of forging your signature), you can digitally sign an electronic communication to prove it was created by you – this also confirms that the content has not been changed since you signed it (and means you can’t deny the document was created by you)
When you digitally sign a document, you hash the content and encrypt the hash value with your private key. This is then sent with your certificate and the document. When I receive the signed document, I can decrypt the hash using your public key from the certificate. I then hash the document myself and confirm the two hashes match.

But, how do I know you are you?
Communicating securely is fine, but how do I know you are who you claim to be and not someone pretending to be you?
Public Key Cryptography to the rescue again!
When you create a certificate, you can have it signed by a Certification Authority (CA) – they will do some checks to confirm your identity; generally by doing a WHOIS search against your domain name and verifying your name and address.
Once they have established that you own the domain for which you are creating the certificate, they will digitally sign the certificate for you. This means they are vouching for your identity.
Every web browser comes with a list of CAs which it trusts – there are hundreds of them. When I receive your certificate, I check who it was issued by. If it was issued by a CA which I trust, I am able to confirm that it is signed by them and I know that I can trust the certificate.

Great, how do I create a web certificate then?
The high level steps to create a certificate signed by a CA are:
Create a public/private key pair.
Send the public key and certificate info to a trusted CA
The CA creates and signs a certificate which contains your domain name and private key.
You install the certificate on your web sever where it is associated with the private key.

Creating the key pair.
I will use the Microsoft IIS web sever as an example because I am most familiar with it. Other web severs use similar steps.
IIS has a wizard to step you through creating a certificate…
In IIS, right-click on your website and choose ‘properties’.
On the Directory Security tab, click the Server Certificate button this will open the wizard.
Choose ‘Create a new certificate’ then ‘Prepare the request now, but send it later’.
Enter the details as you are prompted for them and, at the end, save the certificate request somewhere you can find it.

You have now created the keypair and prepared a Certificate Signing Request (CSR) ready to submit to your favorite Certification Authority.
The CSR is a block of text which is uploaded to the CA as part of the enrolment process. Once enrolment is complete, the CA will provide you with your new certificate – either as some text displayed on screen or as a file in an email. Either way, it should be saved as a file on your web server.

Installing to certificate
Back in the certificate wizard in IIS, choose ‘Process the pending request’
Choose the file supplied by your CA and follow the wizard to install your certificate.

The certificate should now be served when you visit the website in your browser on port 443. (https://)
You should probably make a secure backup of the certificate now by exporting it from the certificates snap-in.

For Apache servers, the CSR is created using the OpenSSL software – there are plenty of guides online.

Burg Wächter Point Safe P2E Safe Review

 Security, Techie Stuff  No Responses »
Dec 152011
 
Burg p2e 300x264 Burg Wächter Point Safe P2E Safe Review

Burg Wächter P2E safe

I have recently purchased a free-standing home safe from Burg Wächter (sometimes spelt Burg Waechter). The Pointsafe range comes in four sizes P1, P2, P3 and P4 and is available with an electronic pad lock or a key. I bought the electronic P2E version. The electronic version comes with two ‘override’ keys in case you forget the combination. Remember to store these keys securely, but not in your safe!

The safe is rated for £1000 cash or £10000 jewellery, so is not a high security safe but sounds about right for the things I would store in a home safe (passport and other documents, a small amount of emergency cash and a backup of my photographs on disk). The P2E version has single skinned walls (3.5mm steel) and a double skinned door. There is an internal metal shelf, and the floor is felt-lined. The back and floor each have two holes for fixing the safe to a wall or floor with the supplied bolts, plastic blanking cover the holes at the back.  The door seems solid, with two locking bolts which extend 16mm when locked. The door hinge is visible at the bottom of the door – this may be a weakness. The external dimensions of the safe are 255(h)x350(w)x300(d), internally they are 248(h)x343(w)x241(d). The volume is 20.5l and the safe weighs 16.5Kg. The safe is large enough for A4 paper with a little room to spare, but you will have to bend it to fit it through the door.

The keypad is responsive and makes a quiet beep when you press the buttons. The single line LCD display is not backlit so can be difficult to read, but you really don’t need to read it when opening or closing the safe. When not in use, the display shows the current time.

The bolts are driven by an internal motor rather than by turning a handle on the front – this should make the safe less susceptible to opening by ‘bumping’. After entering the correct code, the spring-loaded door swings open automatically.

The batteries (4xAA) are accessible from the outside of the safe, and the emergency keyhole is located behind them. The keys are four-sided cruciform keys which make the lock harder to pick and the keys harder to duplicate than a standard or tubular key.

The safe comes with the batteries, keys and two fixing bolts hidden in the packaging – be careful you don’t throw them out!

The electronic lock has two codes – the user code (1-6 digits) which you would use day to day for opening the safe and a master code (8 digits) which should be stored safely to allow the safe to be opened if the user code is forgotten (again, don’t store this in the safe!) The safe can also be set into ‘hotel mode’ which means a new user code needs to be entered in order to lock the safe if it is left open for more than 5 minutes.

The default user code is 168 and default master code is 12345678 – these should both be changed as soon as possible.

Overall, this seems to be a reasonable home safe which does not have many of the common security problems often seen in cheaper safes.

The user manual(pdf) is available on the Burg-Wächter website.

Server Gate Cryptography secrets

 Security, Techie Stuff  1 Response »
Aug 292010
 
padlock 300x225 Server Gate Cryptography secrets

Padlock by Ralph Aichinger

Certification Authorities (CAs) offer two types of SSL certificate, one type includes Server Gate Cryptography (SGC) and is often promoted as a premium, or high security option and is charged at a much higher price than the non-SGC equivalent. So, it should be a no-brainer that you should buy the best, most expensive certificate you can afford to ensure the security of traffic with your website, shouldn’t it?

Well, no.

Until late 1999, the United States were imposing restrictions on the export of strong cryptography which resulted in ‘export versions’ of Internet Explorer, Netscape and other web browsers which did not enable high encryption by default. Instead, browsing SSL sites with an ‘export version’ browser resulted in a connection which was encrypted with 40 or 56-bit encryption. A non-export version would negotiate 128-bit encryption. To allow very sensitive sites to step-up the encryption to 128-bit even on an export version browser, special certificates were issued to authorised sites, for example government sites and financial institutions, which would unlock the high encryption functionality and allow 128-bit secure connections.
By 2000, the export restrictions were dropped and the international browser versions began supporting 128-bit encryption by default. At the same time, SGC certificates were offered to anyone who wanted them to allow older export browsers to use high encryption.

For a few years after 2000, it made sense to use an SGC enabled certificate if you wanted to ensure everyone could access your site securely and it was worth paying a premium to ensure that your site was available to the maximum number of customers. Now, though, there are many fewer users with the old browsers, so you won’t affect as many customers by removing the SGC capability.

But, it can’t hurt to use an SGC certificate, can it?

Well, yes.

These old browsers (e.g. Internet Explorer 4.01 to 5.01, Netscape 4.07 to 4.72) are over 10 years old now, they have not received security updates or patches since 2000. The security patches which have been released for more modern browsers in the past ten years help to protect the system against keyloggers, viruses and other malware which can intercept data on the client, even if it is transmitted across the network securely encrypted. This means that the connection which is assumed to be secure by the user probably isn’t, and malware in the browser could potentially be carrying out unauthorised transactions on your server using the client’s credentials. Worse still, the malware could hide the fraudulent transactions from the user so he never sees evidence of a problem.

Updating these browsers to modern, secure versions is free and simple. High-encryption packs are available from Microsoft for older operating systems – Windows 95, Windows 98, Windows NT and Windows 2000, and a huge variety of secure browsers are available for free download.

So, how many customers are likely to be unable to access my site when I move to non-SGC certificates?

In an Entrust Whitepaper on the subject from July 2009, the estimate is that 0.07% of browsers on the Internet would be affected, less than 1 in a thousand, and this number is likely to be even lower now.

This small percentage of users who will be unable to connect to your site are unlikely to be surprised as more and more of the Internet will be becoming unavailable to them every day as other sites move away from these outdated certificates. It really is time they dragged themselves into the 21st Century and spent 5 minutes upgrading their browsers to ensure their connection is secure. By making sites unavailable to them, you are doing your customers a favour by encouraging them to upgrade, and are helping to protect your other customers by making it harder for malware to get a foothold on your server.

There is one very important change you need to make to your server though, ensure that weak encryption is not supported otherwise these old browsers will negotiate 40 or 56-bit connections with your server!

Domain Renewal Scam

 Security, Techie Stuff  1 Response »
Feb 032010
 

domainrenewalgroup 231x300 Domain Renewal Scam

When I came home from work, an official looking envelope from the ‘Domain Renewal Group’ was waiting for me. Inside was an equally official looking letter which I initially thought was a bill. It turns out it is just a marketing letter posing as a renewal notice for one of my domains.

It seems they look at the WHOIS records for domains which are expiring soon and send out these letters in the hope someone will think it is a bill and give them a cheque or credit card number. They expect me to pay £20 to renew my domain and make them my new registrar, this is vastly more expensive than renewing with my current registrar which would cost only £5.46 for a year.

I think this is a deliberately deceiving letter designed to look like a bill in the hope that it will just be paid and forgotten – many people with websites don’t really understand the roles of registrar, hosting company etc. and this will just confuse them further.

In short, if you’re happy with your current registrar, don’t bother changing. If you do decide to change, don’t be forced into it by someone sending you direct marketing letters.