
Information Security

Lab (4)
Cryptography
SSL Certificate

created by Amal Hassan and Alaa Mahgoub 1


Outlines

 Introduction
 CrypTool
 What is TLS/SSL?
 What is Apache?
 SSL Certificate
 Certificate Types
 How To Create an SSL Certificate on Apache
Introduction
 Cryptography is the (art and) science of keeping information secure.
 Cryptanalysis is the (art and) science of breaking a code.
 Cryptology is the branch of mathematics needed for cryptography and cryptanalysis.
 A cryptographic algorithm (also called a cipher) is the mathematical function used for encryption and decryption.
 An algorithm together with all possible plaintexts, ciphertexts, and keys is called a cryptosystem.
Encryption Techniques
 Substitution techniques
 Transposition techniques
 Hash functions
 By the number of keys used:
   Symmetric, (private) single-key, secret-key, or conventional encryption
   Asymmetric, two-key, or public-key encryption


Cryptography tools
 Digital certificates
 Digital signatures
 Protocols for secure communications:
   Secure Socket Layer (SSL) protocol
   Secure Multipurpose Internet Mail Extensions (S/MIME)
   S/MIME certificates follow the X.509 standard


CrypTool
 It is a comprehensive free e-learning program about cryptography and cryptanalysis.
 It is designed to demonstrate the application and analysis of encryption algorithms, offering extensive online help and many visualizations.
 It includes an extensive online help database.
 You can press F1 at any selected menu item to get more information.

CrypTool
Lab Experiment


What is SSL/TLS?
 Secure Socket Layer (SSL) and Transport Layer Security (TLS) are protocols that provide secure (protected and encrypted) communications over a computer network or link.
 They are commonly used in web browsing and email.
 TLS is based on SSL and was developed as a replacement in response to known vulnerabilities in SSLv3.


Security Provided
 SSL/TLS provides data encryption, data integrity and authentication.
 This means that when using SSL/TLS you can be confident that:
1. No one has read your message.
2. No one has changed your message.
3. You are communicating with the intended person (server).


OpenSSL Tool
 OpenSSL is a versatile command line tool that can be used for a large variety of tasks related to Public Key Infrastructure (PKI) and HTTPS (HTTP over TLS).
 It is a full-featured toolkit for TLS/SSL.
 It is a general purpose cryptography library.
 OpenSSL is licensed under an Apache-style license, which means that you are free to get and use it for commercial and non-commercial purposes, subject to some simple license conditions.
What is Apache?
 Apache is the most popular web server on the internet. It is used to serve more than half of all active websites.
 Although there are many viable web servers that will serve your content, it is helpful to understand how Apache works because of its ubiquity.


How to Install Apache
 Any Linux distribution will do (Ubuntu server, Ubuntu desktop, Kali, …).
 If you do not already have Apache installed, you can do so now by issuing the following commands:

    sudo apt-get update
    sudo apt-get install apache2


The Apache File Hierarchy in Ubuntu
Apache keeps its main configuration files within the "/etc/apache2" folder:

    cd /etc/apache2
    ls -F

 apache2.conf: This is the main configuration file for the server. Almost all configuration can be done from within this file, although it is recommended to use separate, designated files for simplicity. This file will configure defaults and be the central point of access for the server to read configuration details.
 ports.conf: This file is used to specify the ports that virtual hosts should listen on. Be sure to check that this file is correct if you are configuring SSL.
 conf.d/: This directory is used for controlling specific aspects of the Apache configuration. For example, it is often used to define SSL configuration and default security choices.
 sites-available/: This directory contains all of the virtual host files that define different web sites. These will establish which content gets served for which requests. These are available configurations, not active configurations.
 sites-enabled/: This directory establishes which virtual host definitions are actually being used. Usually, this directory consists of symbolic links to files defined in the "sites-available" directory.
 mods-[enabled,available]/: These directories are similar in function to the sites directories, but they define modules that can be optionally loaded instead.
SSL Certificate
An SSL certificate is a way to encrypt a site's information and create a more secure connection.
 Additionally, the certificate can show the virtual private server's identification information to site visitors.
 Certificate Authorities can issue SSL certificates that verify the server's details, while a self-signed certificate has no 3rd party corroboration.
Who generates these certificates?
1. Certificate Authorities (CA): companies whose business is to issue certificates.
2. Self-signed certificate: you can do it by yourself.


Certificate Types
 A Certificate Authority (CA) offers the certificate type that you require.
 Many CAs offer variations of these certificate types under a variety of, often confusing, names and pricing structures.
 Here is a short description of each type:
1. Single Domain: Used for a single domain, e.g. example.com. Note that additional subdomains, such as www.example.com, are not included.
2. Wildcard: Used for a domain and any of its subdomains, e.g. a wildcard certificate for *.example.com can also be used for www.example.com and store.example.com.
3. Multiple Domain: Known as a Subject Alternative Name (SAN) or Unified Communications (UC) certificate, these can be used with multiple domains and subdomains that are added to the Subject Alternative Name field, e.g. a single multi-domain certificate could be used with example.com, www.example.com, and example.net.
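To see the three certificate types behave differently in practice, here is an added example (not from the slides) that issues a throwaway self-signed certificate of each type with OpenSSL and asks OpenSSL's own hostname matcher which names each one covers. The example.com/example.net names are placeholders, the work directory is an assumption, and -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: which hostnames do single-domain, wildcard and SAN
# certificates cover? Names are placeholders; WORK is an assumption.
set -eu
WORK="${WORK:-/tmp/cert-types-demo}"
mkdir -p "$WORK"

# issue NAME "DNS:a,DNS:b": self-signed certificate whose subjectAltName
# lists the given names. Clients match the hostname against the SAN, so
# the Common Name is just a label here.
issue() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1" -addext "subjectAltName=$2" 2>/dev/null
}

# covers NAME HOST: succeeds if certificate NAME is valid for HOST.
# "openssl x509 -checkhost" prints "does match" or "does NOT match".
covers() {
  openssl x509 -in "$WORK/$1.crt" -noout -checkhost "$2" | grep -q "does match"
}

issue single   "DNS:example.com"
issue wildcard "DNS:*.example.com"
issue san      "DNS:example.com,DNS:www.example.com,DNS:example.net"

# One line per certificate listing the hostnames it covers.
report() {
  for host in example.com www.example.com store.example.com example.net; do
    if covers "$1" "$host"; then printf '%s ' "$host"; fi
  done
  echo
}
for c in single wildcard san; do printf '%-9s covers: ' "$c"; report "$c"; done
```

Note that the wildcard covers www.example.com and store.example.com but not the bare example.com, which is why a wildcard certificate is often paired with a SAN entry for the apex domain.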
There are different levels of validation that CAs offer:
 Domain Validation (DV): DV certificates are issued after the CA validates that the requestor owns or controls the domain in question.
 Organization Validation (OV): OV certificates can be issued only after the issuing CA validates the legal identity of the requestor.
 Extended Validation (EV): EV certificates can be issued only after the CA validates the legal identity, among other things, of the requestor, according to a strict set of guidelines.
 The purpose of this type of certificate is to provide additional assurance of the legitimacy of your organization's identity to your site's visitors.
 EV certificates can be single or multiple domain, but not wildcard.
Generating SSL Certificates
 If you would like to use an SSL certificate to secure a service but you do not require a CA-signed certificate, a valid (and free) solution is to sign your own certificates.
 A common type of certificate that you can issue yourself is a self-signed certificate: a certificate that is signed with its own private key.
 Self-signed certificates can be used to encrypt data just as well as CA-signed certificates, but your users will be shown a warning that says that the certificate is not trusted by their computer or browser. Therefore, self-signed certificates should only be used if you do not need to prove your service's identity to its users (e.g. non-production or non-public servers).
 Because a self-signed certificate is not signed by any trusted CA, you'll need to manually mark the certificate as trusted, a process which is different in each browser and operating system. Thereafter, the certificate will act like any normal CA-signed certificate.
 Self-signed certificates are good for one-off use when you only need to manually manage trust on a few clients, and don't mind the fact that they can't be revoked or renewed without more manual effort.
 This is often good enough for development and testing purposes, or for self-hosted web apps that only a few people will ever use.


How To Create an SSL Certificate on Apache in Kali Linux

    sudo apt-get update
    sudo apt-get install apache2

 Step One — Activate the SSL Module
Enable the module by typing:

    sudo a2enmod ssl

After you have enabled SSL, you'll have to restart the web server for the change to be recognized:

    sudo service apache2 restart

With that, our web server is now able to handle SSL if we configure it to do so.
 Step Two — Create a Self-Signed SSL Certificate
Start by creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making:

    sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing:

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt


 openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
 req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate management. We use it because we want to create a new X.509 certificate.
 -x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
 -nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
 -days 365: This specifies that the certificate we are creating will be valid for one year.
 -newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
 -keyout: This parameter names the output file for the private key that is being created.
 -out: This option names the output file for the certificate that we are generating.
 When you hit "ENTER", you will be asked a number of questions.
 The most important item that is requested is the line that reads "Common Name (e.g. server FQDN or YOUR name)". You should enter the domain name you want to associate with the certificate, or the server's public IP address if you do not have a domain name.


The questions portion looks something like this:

    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:New York
    Locality Name (eg, city) []:New York City
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company
    Organizational Unit Name (eg, section) []:Department of Kittens
    Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
    Email Address []:your_email@domain.com

The key and certificate will be created and placed in your /etc/apache2/ssl directory.
 Step Three — Configure Apache to Use SSL
 Now we have our certificate and key available.
 Instead of basing our configuration file off of the 000-default.conf file in the sites-available subdirectory, we're going to base this configuration on the default-ssl.conf file that contains some default SSL configuration.
 Open the file with root privileges now:

    sudo nano /etc/apache2/sites-available/default-ssl.conf


 With the comments removed, the file looks something like this:

 The entries in red were modified from the original file:


 Save and exit the file when you are finished.

 Step Four — Activate the SSL Virtual Host
Now that we have configured our SSL-enabled virtual host, we need to enable it by typing:

    sudo a2ensite default-ssl.conf

We then need to restart Apache to load our new virtual host file:

    sudo service apache2 restart

This should enable your new virtual host, which will serve encrypted content using the SSL certificate you created.
 Step Five — Test your Setup
 Now that you have everything prepared, you can test your configuration by visiting your server's domain name or public IP address after specifying the https:// protocol, like this:

    https://server_domain_name_or_IP

You will get a warning that your browser cannot verify the identity of your server because it has not been signed by one of the certificate authorities that it trusts.
You can see in the middle green section that the connection is encrypted.
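As an added example that is not part of the slides, the script below carries steps two to four out without prompts: it runs the same openssl req command with -subj in place of the questions, adds a subjectAltName (current browsers match the hostname against the SAN rather than the Common Name), writes the lines of default-ssl.conf that the slides change, and checks the result with openssl before Apache is restarted. SSL_DIR, HOST and the DocumentRoot are assumptions; on a real server set SSL_DIR to /etc/apache2/ssl and run it as root.

```shell
#!/bin/sh
# Added example: self-signed certificate plus the matching Apache SSL
# virtual host, generated without prompts. Paths and names are assumptions.
set -eu
SSL_DIR="${SSL_DIR:-/tmp/apache-ssl-demo}"   # the slides use /etc/apache2/ssl
HOST="${HOST:-your_domain.com}"              # placeholder name from the slides

# The slides' openssl req call, made non-interactive with -subj and given a
# subjectAltName (browsers ignore a CN that has no matching SAN entry).
make_self_signed() {
  mkdir -p "$SSL_DIR"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$SSL_DIR/apache.key" -out "$SSL_DIR/apache.crt" \
    -subj "/C=US/ST=New York/L=New York City/O=Your Company/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST,DNS:www.$HOST" 2>/dev/null
  chmod 600 "$SSL_DIR/apache.key"   # -nodes left the key unencrypted on disk
}

# The part of default-ssl.conf the slides modify: SSL on, paths to our files.
write_vhost() {
  cat > "$SSL_DIR/default-ssl.conf" <<EOF
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName $HOST
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    $SSL_DIR/apache.crt
    SSLCertificateKeyFile $SSL_DIR/apache.key
</VirtualHost>
</IfModule>
EOF
}

# Checks worth running before "service apache2 restart": the certificate
# verifies against itself (self-signed), its SAN names the host, and the
# private key's public half equals the one inside the certificate.
check_cert() {
  openssl verify -CAfile "$SSL_DIR/apache.crt" "$SSL_DIR/apache.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$SSL_DIR/apache.crt" -noout -text | grep -q "DNS:$HOST" || return 1
  k=$(openssl pkey -in "$SSL_DIR/apache.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$SSL_DIR/apache.crt" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}

make_self_signed
write_vhost
check_cert && echo "ok: key, certificate and vhost written to $SSL_DIR"
```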
Test
View certificate

Thank you