1. Cryptography Basics
- Understand Key Concepts:
- Encryption, decryption, hashing, and digital signatures.
- Key terms: confidentiality, integrity, authentication, non-repudiation.
- Learn Symmetric Cryptography:
- Algorithms: AES, DES, ChaCha20.
- Modes of operation: ECB, CBC, GCM.
- Learn Asymmetric Cryptography:
- Algorithms: RSA, ECC, DSA.
- Key exchange (Diffie-Hellman).
- Practical Steps:
- Use OpenSSL for simple encryption and decryption.
2. Keys: Private vs. Public
- Private Key:
- Always secret, used for decryption and signing.
- Stored securely (e.g., in HSM or keystore).
- Public Key:
- Shared openly, used for encryption and signature verification.
- Master Public-Private Key Pair Usage:
- Encrypt a message using the public key and decrypt with the private key.
3. X.509 Certificates
- What is X.509?
- A standard format for public key certificates.
- Includes details like subject, issuer, validity period, and public key.
- Practical Work:
- Generate certificates using OpenSSL.
- Create a Certificate Authority (CA) and sign requests.
4. PKCS Standards
- Key Standards:
- PKCS#11: Cryptographic token interface (e.g., HSM integration).
- PKCS#12: Personal Information Exchange format for private keys and certificates.
- PKCS#7: Cryptographic message syntax for signed/encrypted data.
- Practical Work:
- Use pkcs11-tool and OpenSSL to explore PKCS implementations.
- Use
5. PEM vs. CERT
- PEM (Privacy-Enhanced Mail):
- Base64 encoded certificate format.
- Common extensions: .pem, .crt, .cer.
- CERT:
- Binary (DER-encoded) certificate format.
- Common extensions: .der, .crt.
- Practical Comparison:
- Convert between PEM and CERT using OpenSSL:
6. Keystore and Truststore
- Keystore:
- Stores private keys and associated certificates.
- Used by applications to establish their identity.
- Truststore:
- Stores trusted certificates (usually CA certificates).
- Verifies the identity of external systems.
- Tools:
- Use Java keytool to manage keystores and truststores.
Certificate (X.509 Certificate):
- A digital certificate (e.g., X.509) is a document that binds a public key to an entity (such as a person, organization, or website).
- Contains:
- The public key of the entity.
- Information about the entity (name, organization, etc.).
- Issuer details (Certificate Authority - CA).
- Validity period (start and expiry dates).
- Signature of the CA to ensure authenticity.
- Does not contain: The private key.
Example:
A website's SSL/TLS certificate contains the site's public key but not the private key.
Key (Public/Private Key):
- A key pair consists of:
- Public key: Used for encryption or signature verification.
- Private key: Used for decryption or signing (must be kept secret).
- A key itself does not contain a certificate, but it can be associated with a certificate.
How They Work Together:
- When a certificate is issued, it includes the public key that corresponds to a private key stored securely by the certificate owner.
- When encrypting or verifying data, the certificate's public key is used.
- The corresponding private key (not in the certificate) is used to decrypt or sign.
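Added walk-through (example script, not part of these notes) tying together sections 3 and 5 and the "How They Work Together" points above with the openssl CLI: it builds a throwaway CA, signs a server certificate from a CSR, round-trips the certificate through DER, and checks that the certificate carries the public key but never the private key. It assumes the openssl command is on PATH; every subject name, file name and directory is invented.

```shell
# Added example, not from the original notes. Assumes `openssl` is on PATH.
pki_demo() {
    (
        set -e
        dir=$(mktemp -d)
        cd "$dir"

        # CA: private key plus self-signed X.509 certificate (PEM, 30 days).
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
            -subj "/CN=Example Lab CA" -days 30 2>/dev/null

        # Server: private key and CSR; the CA signs the CSR into a leaf cert.
        openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
            -subj "/CN=server.example.test" 2>/dev/null
        openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -out server.pem -days 30 2>/dev/null

        # Truststore role: the leaf chains to the CA cert, so it verifies.
        openssl verify -CAfile ca.pem server.pem >/dev/null

        # PEM <-> DER: same certificate, same fingerprint, different encoding.
        openssl x509 -in server.pem -outform DER -out server.der
        pem_fp=$(openssl x509 -in server.pem -noout -fingerprint -sha256)
        der_fp=$(openssl x509 -in server.der -inform DER -noout -fingerprint -sha256)
        [ "$pem_fp" = "$der_fp" ]

        # The certificate carries the public key matching server.key;
        # the private key itself is never inside the certificate.
        openssl x509 -in server.pem -noout -pubkey > server.pub
        [ "$(cat server.pub)" = "$(openssl pkey -in server.key -pubout)" ]
        if grep -q "PRIVATE KEY" server.pem; then exit 1; fi

        # Sign with the private key, verify with the public key from the cert.
        printf 'hello' > msg.txt
        openssl dgst -sha256 -sign server.key -out msg.sig msg.txt
        openssl dgst -sha256 -verify server.pub -signature msg.sig msg.txt >/dev/null

        # Hand the work directory back to the caller for inspection.
        echo "$dir"
    )
}

# Returns 0 when FILE parses as an X.509 certificate and holds no private key
# block, 1 otherwise (a .key file or a keystore export fails this check).
cert_without_private_key() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    ! grep -q "PRIVATE KEY" "$1"
}
```

Run `d=$(pki_demo)` and inspect the files in `$d` with `openssl x509 -in "$d/server.pem" -noout -text` to see the subject, issuer, validity period and public key listed in section 3.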