Sunday, January 19, 2025

Security Certificates


1. Cryptography Basics

  • Understand Key Concepts:
    • Encryption, decryption, hashing, and digital signatures.
    • Key terms: confidentiality, integrity, authentication, non-repudiation.
  • Learn Symmetric Cryptography:
    • Algorithms: AES, DES, ChaCha20.
    • Modes of operation: ECB, CBC, GCM.
  • Learn Asymmetric Cryptography:
    • Algorithms: RSA, ECC, DSA.
    • Key exchange (Diffie-Hellman).
  • Practical Steps:
    • Use OpenSSL for simple encryption and decryption.

2. Keys: Private vs. Public

  • Private Key:
    • Always secret, used for decryption and signing.
    • Stored securely (e.g., in an HSM or keystore).
  • Public Key:
    • Shared openly, used for encryption and signature verification.
  • Mastering Public-Private Key Pair Usage:
    • Encrypt a message using the public key and decrypt with the private key.

3. X.509 Certificates

  • What is X.509?
    • A standard format for public key certificates.
    • Includes details like subject, issuer, validity period, and public key.
  • Practical Work:
    • Generate certificates using OpenSSL.
    • Create a Certificate Authority (CA) and sign requests.

4. PKCS Standards

  • Key Standards:
    • PKCS#11: Cryptographic token interface (e.g., HSM integration).
    • PKCS#12: Personal Information Exchange format for private keys and certificates.
    • PKCS#7: Cryptographic message syntax for signed/encrypted data.
  • Practical Work:
    • Use pkcs11-tool and OpenSSL to explore PKCS implementations.

5. PEM vs. CERT

  • PEM (Privacy-Enhanced Mail):
    • Base64-encoded text certificate format (the DER bytes, Base64-encoded between BEGIN/END armor lines).
    • Common extensions: .pem, .crt, .cer.
  • CERT:
    • Binary (DER) certificate format.
    • Common extensions: .der, .crt.
  • Practical Comparison:
    • Convert between PEM and CERT using OpenSSL:
      openssl x509 -in cert.pem -outform der -out cert.der
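Since .crt is used for both encodings, a practitioner checks the content rather than the extension. The following added example (not from the original post) does the PEM/DER conversion the openssl command performs by hand, sniffs which format a blob is in, and cross-checks the result against Python's ssl module; the certificate bytes are a constructed DER SEQUENCE, not a real signed certificate.

```python
import base64
import ssl
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value; long-form length once content exceeds 127 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n_bytes)]) + n_bytes + content

def outer_tlv(der: bytes):
    """Return (tag, declared length, header size) of the outermost DER element."""
    tag, first = der[0], der[1]
    if first < 0x80:
        return tag, first, 2
    n = first & 0x7F
    return tag, int.from_bytes(der[2:2 + n], "big"), 2 + n

def detect_format(blob: bytes) -> str:
    """Sniff the content, not the extension: a '.crt' may hold PEM text or raw DER."""
    if blob.startswith(b"-----BEGIN "):
        return "PEM"
    tag, length, hdr = outer_tlv(blob)
    if tag == 0x30 and hdr + length == len(blob):  # exactly one complete SEQUENCE
        return "DER"
    raise ValueError("neither PEM armor nor a complete DER SEQUENCE (truncated?)")

def der_to_pem(der: bytes) -> str:
    """PEM = the DER bytes Base64-encoded in 64-column lines between armor lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *(b64[i:i + 64] for i in range(0, len(b64), 64)), PEM_FOOTER]) + "\n"

def pem_to_der(pem: str) -> bytes:
    lines = pem.strip().splitlines()
    if lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("missing CERTIFICATE armor")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

# Constructed sample: a DER SEQUENCE shaped like a certificate's outer layer, NOT a real
# certificate. Its body exceeds 127 bytes so the long-form length path is exercised.
SAMPLE_DER = der_tlv(0x30, der_tlv(0x02, b"\x02") + der_tlv(0x0C, b"constructed sample " * 10))
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

def cross_check_with_stdlib() -> bool:
    """Our converters must agree with ssl.PEM_cert_to_DER_cert / DER_cert_to_PEM_cert."""
    return (ssl.PEM_cert_to_DER_cert(SAMPLE_PEM) == SAMPLE_DER
            and pem_to_der(ssl.DER_cert_to_PEM_cert(SAMPLE_DER)) == SAMPLE_DER)
```

A DER file cut short during a copy fails the length check in detect_format, which is the same defect openssl reports as an ASN.1 parse error.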

6. Keystore and Truststore

  • Keystore:
    • Stores private keys and associated certificates.
    • Used by applications to establish their identity.
  • Truststore:
    • Stores trusted certificates (usually CA certificates).
    • Verifies the identity of external systems.
  • Tools:
    • Use Java keytool to manage keystores and truststores.

7. Certificate vs. Key

  • Certificate (X.509 Certificate):

    • A digital certificate (e.g., X.509) is a document that binds a public key to an entity (such as a person, organization, or website).
    • Contains:
      • The public key of the entity.
      • Information about the entity (name, organization, etc.).
      • Issuer details (Certificate Authority - CA).
      • Validity period (start and expiry dates).
      • Signature of the CA to ensure authenticity.
    • Does not contain: The private key.

    Example:
    A website's SSL/TLS certificate contains the site's public key but not the private key.

  • Key (Public/Private Key):

    • A key pair consists of:
      • Public key: Used for encryption or signature verification.
      • Private key: Used for decryption or signing (must be kept secret).
    • A key itself does not contain a certificate, but it can be associated with a certificate.
  • How They Work Together:

    • When a certificate is issued, it includes the public key that corresponds to a private key stored securely by the certificate owner.
    • When encrypting or verifying data, the certificate's public key is used.
    • The corresponding private key (not in the certificate) is used to decrypt or sign.