What are advantages and disadvantages of using ssl?
Advantage of using SSL is the increased security in terms of following:
Confidentiality: It becomes extremely difficult for hacker to decrypt the data even if he gets the data by intercepting in the communication flow commonly known as eavesdropping.
Authentication: Proving Identity is another use of ssl . An encrypted hash of data when decrypted with public key is a match to the hash of actual data. That confirms that hash of data was only encrypted with owner of private key. That means that data has been send by owner of the private key or signed by owner of the private key in case when data itself is certificate.
Message Integrity: An encrypted hash of data when decrypted with public key is a match to the hash of actual data. That confirms that data was not tampered in middle of the network communication.
Explain the SSL flow?
Client (Browser) contacts the website . Website represents the client with a certificate .If that certificate is CA signed then there will be no exceptions thrown on the browser and certificate will be considered as trusted otherwise browser will throw an exception that this site is not a trusted site .This is one drawback of not using CA signed certificates. Also , the subject name(Distinguished name, DN or Common Name, CN) of the public key certificate must match with domain name of the website. Otherwise you will get an error that name of the certificate does not match with the name of the website. Now , the browser has the public key .A random token is generated at the client, encrypted with public key and send to the server which is decrypted by private key on server .Now both the client and the server have one token which is known to each other . This token is the symmetric key .Now onwards , this symmetric key is used for encryption and decryption at both the client and server .
Why don't we only use public/private key at the both the ends throughout the communication flow in the above given answer ? In other words , why do we switch to symmetric cryptography after communication is established?
Data encrypted with public key can be decrypted with private key .The data encrypted with private key can be decrypted with public key .And then ,a hacker could have intervened in the communication flow and decrypted the data with public key.
Therefore we need to use symmetric key after the first token exchange which is unknown to others.
Also asymmetric key encryption algorithms are slower than symmetric-key algorithms.
Is there Client authentication performed in the answer above?
When the client connects to server .Does he authenticates to server .No, Client needs to have public key of the server which is already presented by server to the client in case when client is a browser .Otherwise in cases where client is not a browser but it is a JVM or a plugin or something else . The public key certificate(contains public key) of that node to which it wants to connect should be imported to client node.A public key is shared to public .So that means having the public key by the client does not mean its authenticated .For client to be authenticated , client should connect the server with a certificate whose public key is stored in server's keystore (or truststore).This is called as client authentication .Normally we use server authentication only while using ssl .And if we combine both server authentication and client authentication .This is called as Mutual authentication.
Disadvantage is increased computational overhead and therefore decrease in performance.
What is a Public key?
A public key can be shared with everyone else. When you access a website ,it represents you with a certificate which also contains the public key. A public key is commonly used for encryption. A public key is also used for decryption like in case of digital signatures.
What is a Private key?
Private key is not shared with everyone else . A private key will remain on the server and is commonly used for decryption . A private key is also used for encryption like in case of digital signatures.
What is a personal Certificate ?
A certificate that contains both private and public key. It is signed by CA(Certificate authority) or it can be a self signed . A CA example is Verisign, Thwate etc. When self signed ,it means the certificate created for and created by are the same. It can also be referred as mere certificate or a X509 certificate. Please note that a public key certificate may also be referred as mere certificate or a X509 certificate.
What is a public key certificate?
A certificate that contains only public key. It is signed by CA(Certificate authority) or it can also be a self signed . A public key certificate can always be extracted from personal certificate. It is also called as digital certificate or identity certificate.
What is a signer certificate?
Signer certificate is normally referred to the public key certificate of a CA. It may also be referred to any public key certificate.
It resides in web browser ,any end point which makes outbound connections to other end points . CA root cetificate should be at this end point as well as the public key certificate of server. A signer certificate only contains the public key of that particular CA. It is used to decrypt the hash of certificate encrypted with private key of that particular CA. If the decrypted hash of certificate and actual hash of certificate calculated at the receiving end point are found to be same. That means the certificate has not been tampered and the signature of certificate is valid.
If you are using CA signed certificates , then you don't have to do the additional task of importing the public key certificate to the client everytime you add a new certificate at the server end point. (You are accessing the server with multiple domain names) .Its enough that you have the signer certificate of CA at the client.
But if you are using the self signed certificates , then you have to everytime import the public key certificate of the server to the client whenever you add a new certificate at the server end point. In case when your client is browser then you will get a message to import it. In cases when your client is not a browser but its a Java application, a webservice , a LDAP , JMS application etc. then your configuration will not work .So , it would be the administrator responsibility to import the public key certificate of the server at the client's end point whenever self signed certificates are used.
Is it possible for hash to be same for two different messages?
No, its not possible.
What is a X509 certificate?
Its a standard structure of a certificate . Common file extensions for a X509 certificate are .p12, .cer , crt , .der etc.
All the certificates we deal in with while using websphere are X509 certificates .
What is a encryption algorithm?
An encryption algorithm is used to encrypt the data .
What is a signature algorithm?
A signature algorithm is used to generate the signature by encrypting the hash of data (data can be a certificate or actual data) by applying the private key of a Signer (Certificate Authority). So, its a combination of hash and asymmetric key algorithm.
What is CA’s signature of a Public key certificate?
CA signature of a certificate is Encrypt(private key)[ hash(Public key certificate)] where encryption is applied to the hash of certificate also known as Digest using the private key.
What is a root certificate?
A root certificate is the one which is at the top of certificate chain .Suppose certificate A is signed by CA certificate B which is signed by certificate C. So certificate C is a root certificate . Certificate C is signed by Certificate C only .That means Root certificates are self signed certificates.Client needs to have root certificates .In the above example , if a web browser possess the root certificate C .Then it can also accept a certificate signed by CA certificate B.
Why does browser does not throw an exception when it finds the certificate presented by the server is CA signed?
This is because the browser already has CA signer certs imported into it .Browser installable itself comes with CA signer certs loaded into it.
What are the validations done when client receives the public key certificate from server during its first communication with server?
Checking the expiration date of certificate.
Matching the the subject name(Distinguished name, DN or Common Name, CN) of the public key certificate with domain name of the website.
Checking whether certificate is from trusted CA and then validating the signature of the certificate.
What is a keystore?
A keystore stores all kind of certificates. It may also be referred as key database.
What is a truststore?
A trustore is also a keystore.
A truststore is mainly referred to that keystore on the client which contains all the signer certificates(public key) of the servers which intend to make connections with the client .For a connection to be successful , the public key of the certificate on the server should be at the client because when a client makes a connection to the server, it sends randomly generated data encrypted with public key which is decrypted by server with the private key.If the client does not have the public key certificate of server , the ssl handshake fails.
If you are using CA signed certificates , then you don't have to do the additional task of importing the public key certificate to the client everytime you add a new certificate at the server end point. (You are accessing the server with multiple domain names) .Its enough that you have the signer certificate of CA at the client.
But if you are using the self signed certificates , then you have to everytime import the public key certificate of the server to the client whenever you add a new certificate at the server end point. In case when your client is browser then you will get a message to import it. In cases when your client is not a browser but its a Java application, a webservice , a LDAP , JMS application etc. then your configuration will not work .So , it would be the administrator responsibility to import the public key certificate of the server at the client's end point whenever self signed certificates are used.
What is an inbound connection?
In case of client to server communication , the request with reference to client is outbound and with reference to server is inbound.
A connection coming to an end point is an inbound connection for that end point.This end point is the server.This should have the private key to decrypt the data coming from other end point.
Client and server are decided as a result of their first communication . The end point which initiates the connection and request a response from other end point is referred to as client. The other end point is referred to as server . Though during the course of communication , they keep on changing their roles.
What is an outbound connection?
A connection going to other end point B from an end point A is an outbound connection for end point A.
That means end point A is client in case of outbound connection .End point A should be having the public key certificate part of the server's personal certificate.
Client and server are decided as a result of their first communication . The end point which initiates the connection and request a response from other end point is referred to as client. The other end point is referred to as server . Though during the course of communication , they keep on changing their roles.
What is the default password for WebSphere default keystore ,truststore, plugin-key.kdb files?
WebAS
What is a sniffer?
Sniffer is a software(with hardware) that can intercept traffic over a part of network.
What is phishing ?
Counterfeiting an actual website to a fake website with wrong intentions is phishing.
What are MD5 , SHA?
MD5(Message Digest 5 )
SHA ( Secure HASH algorithm) are hash functions to generate hash.
Why do we use Hash algorithms?
Hashing algorithms are a one-way encryption, i.e. it is impossible to derive the message from the digest. The main reasons for producing a message digest are:
The message integrity being sent is preserved.Any message alteration will immediately be detected.
The digital signature will be applied to the digest, which is usually considerably smaller than the message itself.
Hashing algorithms are much faster than any encryption algorithms (asymmetric or symmetric).
Hashing algorithms are also called as thumbprint algorithms. And the hash of data is also called as thumbprint.
What is a CSR ?
CSR is certificate signing request which is either signed by self or send to be signed by CA.
This has all the details like Common Name , Organization name , Country , duration of validity , key size etc . including the public key . A CSR is created by the entity which intends to use the signed certificate in future.
Why do we use digital signature?
A digital signature is mainly used for proving identity. A digital signature can be used with any kind of message, whether it is encrypted or not.
Authentication:Proving Identity is a use of ssl . An encrypted hash of data when decrypted with public key is a match to the hash of actual data.That confirms that hash of data was only encrypted with owner of private key.That means that data has been send by owner of the private key or signed by owner of the private key in case when data itself is certificate.
Message Integrity:An encrypted hash of data when decrypted with public key is a match to the hash of actual data.That confirms that data was not tampered in middle of the network communication.
Digital signature is used to add the CA signature to a public key certificate request. Note that public key certificate is not encrypted .
Digital signature is used to add the signature to a data. Data can be encrypted or sent as it as after attaching the signature .Public key is attached to data which is required for decryption of data if encrypted and to validate the signature .
In case when two separate key pairs are generated for encrypting the data and producing the signature .Then in that case two public key needs to be attached while sending the request.
In the above case when CA is the one which is signing the document , then one public key needs to be attached only for decrypting the data , the other public key is already known to the client.
It may also be possible that key pairs are generated at receiver's end and send to sender before he wants to transmit a confidential information to receiver .Then in that case sender uses the receiver's public key to encrypt the data.
How do you create a CSR?
CSR stands for certificate signing request.
A key pair is generated by specifying the name of algorithm , key size .The generated public key in the previous step is used to the create the CSR.
Some of the software's like ikeyman hide the first step of generating key pair and just one step is needed to create CSR where you specify the CN , size of key (e.g. 1024bit ,2048 bit) and few other details . CN(Common Name) is the most important field of all which should match with domain name of the site.
What is TLS?
A successor to SSL.
Give some example tools for certificate management.
ikeyman provided with IBM websphere products, openssl , keytool - an utility provided by java language .
These are few of the softwares that can be used for certificate management .These tools can create key database files, create new certificate request , create renewal certificate request , create self signed certificates , export certificates , import certificates etc.
What is a CRL?
CRL is certificate revocation list . A certificate can be revoked if its private key has been compromised or for some other reason.After the revocation of certificate by CA , the CRL must be made available to all users or a mechanism should be put in place to check whether the certificate has been revoked or not . CRL's are updated by CA's but the implementation of CRL's is not widely supported and there is no full proof solution for this .Checking a certificate against a CRL is not the responsibility of SSL protocol.Authority using the certificate has to apply the new certificate after the previous certificate has been revoked.
Can we use the same asymmetric key pair for encryption as well as signing?
We should not use the same key pair for encryption and signing because if one key gets stolen then other is still safe.There are some mathematical reasons also for the same for which you have to dig more into mathematics of cryptography.
Can you determine the private key as you already know the public key ?
For a a cryptographic algorithm to be sound , it should not be feasible to deduce the private key from the knowledge of public key.
What is kerberos?
Kerberos provide symmetric-key distribution and management.
Give some examples of some asymmetric key algorithms and symmetric key algorithms.
RSA, DSA are asymmetric key algorithms.
DES and triple-DES are symmetric key algorithms.
