This shows you the differences between two versions of the page.
Previous revisionLast revision | |||
— | cryptography [2023/07/02 10:46] – [GT-AX6000 Broadcom] Jan Forman | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Generate CA + certificate ====== | ||
+ | < | ||
+ | openssl genrsa -out rootCAKey.pem 2048 | ||
+ | openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 7300 -out rootCACert.pem | ||
+ | openssl x509 -in rootCACert.pem -text | ||
+ | openssl x509 -outform der -in rootCACert.pem -out rootCACert.crt | ||
+ | |||
+ | -- generate server cert | ||
+ | openssl genrsa -out ServerKey.pem 2048 | ||
+ | openssl req -new -sha256 -nodes \ | ||
+ | -key ServerKey.pem -out ServerRequest.csr -reqexts san -config \ | ||
+ | <(echo " | ||
+ | echo distinguished_name=req; | ||
+ | echo " | ||
+ | echo " | ||
+ | ) \ | ||
+ | -subj "/ | ||
+ | printf " | ||
+ | openssl x509 -req -sha256 -in ServerRequest.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out ServerCert.pem -days 3650 -extfile v3.ext -extensions san | ||
+ | openssl pkcs12 -export -out cert.pfx -inkey ServerKey.pem -in ServerCert.pem -certfile rootCACert.pem | ||
+ | </ | ||
+ | |||
+ | Show certificate request < | ||
+ | |||
+ | |||
+ | ====== Check TLS ====== | ||
+ | < | ||
+ | |||
+ | ====== Prefer PolyChacha in TLS 1.3 ====== | ||
+ | |||
+ | add in / | ||
+ | < | ||
+ | openssl_conf = default_conf | ||
+ | |||
+ | [default_conf] | ||
+ | ssl_conf = ssl_sect | ||
+ | |||
+ | [ssl_sect] | ||
+ | system_default = system_default_sect | ||
+ | |||
+ | [system_default_sect] | ||
+ | Ciphersuites = TLS_CHACHA20_POLY1305_SHA256: | ||
+ | Options = ServerPreference | ||
+ | </ | ||
+ | |||
+ | ====== PuTTY CAC ====== | ||
+ | PuTTY CAC is a fork of the PuTTY, a popular Secure Shell (SSH) terminal. PuTTY CAC adds the ability to use the Windows Certificate API (CAPI) or a Public Key Cryptography Standards (PKCS) library to perform SSH public key authentication using a private key associated with a certificate that is stored on a hardware token. | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | ===== SSH generate key ===== | ||
+ | < | ||
+ | |||
+ | < | ||
+ | |||
+ | < | ||
+ | |||
+ | ===== PuTTY Key Generator ===== | ||
+ | |||
+ | ====== Cert Identity Search ====== | ||
+ | https:// | ||
+ | |||
+ | ====== OpenSSL conf ====== | ||
+ | CentOS location | ||
+ | < | ||
+ | |||
+ | |||
+ | ====== PGP Keyserver ====== | ||
+ | [[https:// | ||
+ | |||
+ | ===== Hardware Acceleration ===== | ||
+ | Check if AES-NI is enabled | ||
+ | < | ||
+ | |||
+ | Check speed | ||
+ | < | ||
+ | openssl speed aes-128-cbc | ||
+ | openssl speed -evp aes-128-cbc | ||
+ | openssl speed -evp chacha20 | ||
+ | |||
+ | </ | ||
+ | |||
+ | ===== Check OpenSSL throughput ===== | ||
+ | < | ||
+ | |||
+ | ===== Performance remarks ===== | ||
+ | ^Decrypting a 1MB file on the Galaxy Nexus (OMAP 4460 chip)^^ | ||
+ | | AES-128-GCM | 41.6ms | | ||
+ | | ChaCha20-Poly1305 | 13.2ms | | ||
+ | |||
+ | AES128 vs AES256 1.38x faster\\ | ||
+ | AES128 faster on desktop due to AES-NI HW Acceleration | ||
+ | AES-NI is between 4-8x the performance of AES\\ | ||
+ | ChaCha20-Poly1305 faster on mobile phones or slower HW | ||
+ | |||
+ | ==== AWS Graviton2 performance ==== | ||
+ | | AES 128bit GCM | 2482MB/s | | ||
+ | | AES 256bit GCM | 2014MB/s | | ||
+ | | ChaCha20-Poly1305 | 731MB/s | | ||
+ | ==== GT-AX6000 Broadcom ==== | ||
+ | | AES 128bit GCM | 783MB/s | | ||
+ | | AES 256bit GCM | 673MB/s | | ||
+ | | ChaCha20-Poly1305 | 297MB/s | | ||
+ | ==== RaspberryPI 4 Broadcom ==== | ||
+ | | AES 128bit GCM | 783MB/s | | ||
+ | | AES 256bit GCM | 673MB/s | | ||
+ | | ChaCha20-Poly1305 | 297MB/s | | ||
+ | |||
+ | ===== OpenSSL Cipher list ===== | ||
+ | < | ||
+ | # openssl ciphers | sed ' | ||
+ | </ | ||
+ | |||
+ | ===== OpenSSL Performance test ===== | ||
+ | < | ||
+ | |||
+ | ===== My preferred string for now ===== | ||
+ | Functional with HTTP/2 protocol | ||
+ | < | ||
+ | ssl_session_cache shared: | ||
+ | ssl_protocols TLSv1.2 TLSv1.3; | ||
+ | ssl_prefer_server_ciphers on; | ||
+ | ssl_ciphers !aNULL: | ||
+ | add_header Strict-Transport-Security " | ||
+ | |||
+ | ===== Test StartTLS ===== | ||
+ | < | ||
+ | openssl s_client -connect ip:21 -starttls ftp -showcerts | ||
+ | openssl s_client -connect ip:25 -starttls smtp -showcerts | ||
+ | </ | ||
+ | |||
+ | ===== Encrypt tar with password ===== | ||
+ | |||
+ | Compress and encrypt | ||
+ | < | ||
+ | |||
+ | Decrypt and decompress | ||
+ | < | ||
+ | |||
+ | ===== Install additional CA in CentOS / Redhat ===== | ||
+ | < | ||
+ | place CA here -> / | ||
+ | yum install / | ||
+ | c_rehash | ||
+ | </ | ||
+ | |||
+ | ===== Self signed certificate + altname ===== | ||
+ | < | ||
+ | set -e | ||
+ | |||
+ | if [ -z " | ||
+ | hostname=" | ||
+ | else | ||
+ | hostname=" | ||
+ | fi | ||
+ | |||
+ | local_openssl_config=" | ||
+ | [ req ] | ||
+ | prompt = no | ||
+ | distinguished_name = req_distinguished_name | ||
+ | x509_extensions = san_self_signed | ||
+ | [ req_distinguished_name ] | ||
+ | CN=$hostname | ||
+ | [ san_self_signed ] | ||
+ | subjectAltName = DNS: | ||
+ | subjectKeyIdentifier = hash | ||
+ | authorityKeyIdentifier = keyid: | ||
+ | basicConstraints = CA:true | ||
+ | keyUsage = nonRepudiation, | ||
+ | extendedKeyUsage = serverAuth, clientAuth, timeStamping | ||
+ | " | ||
+ | |||
+ | openssl req \ | ||
+ | -newkey rsa:2048 -nodes \ | ||
+ | -keyout " | ||
+ | -x509 -sha256 -days 3650 \ | ||
+ | -config <(echo " | ||
+ | -out " | ||
+ | openssl x509 -noout -text -in " | ||
+ | </ |