cryptography

Differences

This shows you the differences between two versions of the page.

cryptography [2021/09/15 14:02]
Jan Forman
cryptography [2021/09/15 15:16] (current)
Jan Forman
Line 1: Line 1:
 +Generate CA + certificate
 +<code>
 +openssl genrsa -out rootCAKey.pem 2048
 +openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 7300 -out rootCACert.pem
 +openssl x509 -in rootCACert.pem -text
 +openssl x509 -outform der -in rootCACert.pem -out rootCACert.crt
  
 +-- generate server cert
 +openssl genrsa -out ServerKey.pem 2048
 +openssl req -new -sha256 -nodes \
 +  -key ServerKey.pem -out ServerRequest.csr -reqexts san -config \
 +  <(echo "[req]"; 
 +    echo distinguished_name=req; 
 +    echo "[san]"; 
 +    echo "subjectAltName=DNS:example.com,DNS:www.example.net,IP:10.0.0.1"
 +    ) \
 +  -subj "/CN=example.com"
 +printf "[san]\nsubjectAltName = DNS:example.com,DNS:www.example.net,IP:10.0.0.1\n" >v3.ext
 +openssl x509 -req -sha256 -in ServerRequest.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out ServerCert.pem -days 3650 -extfile v3.ext -extensions san
 +openssl pkcs12 -export -out cert.pfx -inkey ServerKey.pem -in ServerCert.pem -certfile rootCACert.pem
 +</code>
 +
 +
 +
 +====== Check TLS ======
 +<code>nmap --script ssl-enum-ciphers janforman.com -p 443</code>
 +
 +====== PuTTY CAC ======
 +PuTTY CAC is a fork of the PuTTY, a popular Secure Shell (SSH) terminal. PuTTY CAC adds the ability to use the Windows Certificate API (CAPI) or a Public Key Cryptography Standards (PKCS) library to perform SSH public key authentication using a private key associated with a certificate that is stored on a hardware token.
 +
 +[[https://github.com/NoMoreFood/putty-cac/releases/|Download]]
 +
 +===== SSH generate key =====
 +<code>ssh-keygen -t ecdsa -b 384 -m PEM -C "Comment" -f ./key.pem</code>
 +
 +<code>openssl req -key ./key.pem -new -nodes -x509 -days 365 -out key_certificate.pem</code>
 +
 +<code>openssl pkcs12 -export -inkey key.pem -in key_certificate.pem -out key.p12</code>
 +
 +===== PuTTY Key Generator =====
 +
 +====== Cert Identity Search ======
 +https://crt.sh/
 +
 +====== OpenSSL conf ======
 +CentOS location
 +<code>/etc/pki/tls/openssl.conf</code>
 +
 +
 +====== PGP Keyserver ======
 +[[https://keyserver.pgp.com/vkd/GetWelcomeScreen.event]]
 +
 +===== Hardware Acceleration =====
 +Check if AES-NI is enabled
 +<code>grep -m1 -o aes /proc/cpuinfo</code>
 +
 +Check speed
 +<code>
 +openssl speed aes-128-cbc
 +openssl speed -evp aes-128-cbc
 +openssl speed -evp chacha20
 +
 +</code>
 +
 +===== Check OpenSSL throughput =====
 +<code>dd if=/dev/zero count=100 bs=1M | ssh -c aes128-cbc localhost "cat >/dev/null"</code>
 +
 +===== Performance remarks =====
 +^Decrypting a 1MB file on the Galaxy Nexus (OMAP 4460 chip)^^
 +| AES-128-GCM |        41.6ms |
 +| ChaCha20-Poly1305 |  13.2ms |
 +
 +AES128 vs AES256 1.38x faster\\
 +AES128 faster on desktop due to AES-NI HW Acceleration
 +AES-NI is between 4-8x the performance of AES\\
 +ChaCha20-Poly1305 faster on mobile phones or slower HW
 +
 +===== OpenSSL Cipher list =====
 +<code>
 +# openssl ciphers | sed 's/\:/\n/gi'
 +</code>
 +
 +===== OpenSSL Performance test =====
 +<code># openssl speed md5 sha1 sha256 sha512 des des-ede3 aes-128-cbc aes-192-cbc aes-256-cbc rsa2048 dsa2048</code>
 +
 +===== My preferred string for now =====
 +Functional with HTTP/2 protocol
 +<code>ssl_session_timeout 4h;
 +ssl_session_cache shared:SSL:40M;
 +ssl_protocols TLSv1.2 TLSv1.3;
 +ssl_prefer_server_ciphers on;
 +ssl_ciphers !aNULL:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
 +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";</code>
 +
 +===== Test StartTLS =====
 +<code>
 +openssl s_client -connect ip:21 -starttls ftp -showcerts
 +openssl s_client -connect ip:25 -starttls smtp -showcerts
 +</code>
 +
 +===== Encrypt tar with password =====
 +
 +Compress and encrypt
 +<code>tar cvfz - * | openssl enc -e -aes128 -out secured.tar.gz</code>
 +
 +Decrypt and decompress
 +<code>openssl enc -d -aes128 -in secured.tar.gz | tar xvz -C test</code>
 +
 +===== Install additional CA in CentOS / Redhat =====
 +<code>
 +place CA here -> /etc/pki/tls/certs/cert.pem
 +yum install /usr/bin/c_rehash
 +c_rehash
 +</code>
 +
 +===== Self signed certificate + altname =====
 +<code>
 +set -e
 +
 +if [ -z "$1" ]; then
 +  hostname="$HOSTNAME"
 +else
 +  hostname="$1"
 +fi
 +
 +local_openssl_config="
 +[ req ]
 +prompt = no
 +distinguished_name = req_distinguished_name
 +x509_extensions = san_self_signed
 +[ req_distinguished_name ]
 +CN=$hostname
 +[ san_self_signed ]
 +subjectAltName = DNS:$hostname, DNS:localhost
 +subjectKeyIdentifier = hash
 +authorityKeyIdentifier = keyid:always,issuer
 +basicConstraints = CA:true
 +keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
 +extendedKeyUsage = serverAuth, clientAuth, timeStamping
 +"
 +
 +openssl req \
 +  -newkey rsa:2048 -nodes \
 +  -keyout "$hostname.key.pem" \
 +  -x509 -sha256 -days 3650 \
 +  -config <(echo "$local_openssl_config") \
 +  -out "$hostname.cert.pem"
 +openssl x509 -noout -text -in "$hostname.cert.pem"
 +</code>
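Review bot: In "Encrypt tar with password", both `openssl enc` lines use the default password-to-key derivation, which is a single digest iteration, so the archive is only as strong as a password that can be guessed at hash speed. Add `-pbkdf2 -iter <count>` to the encrypt and the decrypt command (OpenSSL 1.1.1 and later). Also note in the text that `-aes128` selects CBC, which does not authenticate the ciphertext. In "Self signed certificate + altname", `basicConstraints = CA:true` together with `keyCertSign, cRLSign` produces a host certificate that can also issue certificates. Unless that is intended, use `CA:false` and drop those two key usages. In the first block, `-- generate server cert` is not a shell comment and fails when the block is pasted, so it should start with `#`. The root key from `openssl genrsa -out rootCAKey.pem 2048` is written unencrypted for a certificate valid 7300 days, so a passphrase option on that command is worth adding. Under "OpenSSL conf", the CentOS file is named `openssl.cnf`, not `openssl.conf`.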
cryptography.txt · Last modified: 2021/09/15 15:16 by Jan Forman