See a demo at Github
This 4th section of the article was written about a week after I finished the other 3 to clarify a mistake I kinda perpetuated from the begging. After reviewing my code, one of my colleagues raised the following issue: even though I was using RSA encryption, I was using the wrong public and private key.
So I had to go back, to the beginning:
RSA (Rivest–Shamir–Adleman) is one of the first public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public and distinct from the decryption key which is kept secret (private). In RSA, this asymmetry is based on the practical difficulty of factoring the product of two large prime numbers, the “factoring problem“. The acronym RSA is the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who publicly described the algorithm in 1977. Clifford Cocks, an English mathematician working for the British intelligence agency Government Communications Headquarters (GCHQ), had developed an equivalent system in 1973, which was not declassified until 1997.
I will not go back into the entire content of the first part of the article and I will try to resume. Basically, instead of using an RSA public and private key, I was using an X.509 generated certificate.
So what’s wrong with using a DI & a PKI?
Digital Identity & PKI
A digital identity is information on an entity used by computer systems to represent an external agent. That agent may be a person, organization, application, or device. ISO/IEC 24760-1 defines identity as “set of attributes related to an entity”.
The information contained in a digital identity allows for assessment and authentication of a user interacting with a business system on the web, without the involvement of human operators. Digital identities allow our access to computers and the services they provide to be automated, and make it possible for computers to mediate relationships.
The term “digital identity” also denotes certain aspects of civil and personal identity that have resulted from the widespread use of identity information to represent people in an acceptable trusted digital format in computer systems.
A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.
In cryptography, a PKI is an arrangement that binds public keys with respective identities of entities (like people and organizations). The binding is established through a process of registration and issuance of certificates at and by a certificate authority (CA). Depending on the assurance level of the binding, this may be carried out by an automated process or under human supervision.
The PKI role that assures valid and correct registration is called a registration authority (RA). An RA is responsible for accepting requests for digital certificates and authenticating the entity making the request. In a Microsoft PKI, a registration authority is usually called a subordinate CA.
In cryptography, X.509 is a standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures. An X.509 certificate contains a public key and an identity (a hostname, or an organization, or an individual), and is either signed by a certificate authority or self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another party, or validate documents digitally signed by the corresponding private key.
X.509 also defines certificate revocation lists, which are a means to distribute information about certificates that have been deemed invalid by a signing authority, as well as a certification path validation algorithm, which allows for certificates to be signed by intermediate CA certificates, which are, in turn, signed by other certificates, eventually reaching a trust anchor.
The answer is somewhere in the middle. I could complete my colleague’s observation like this: you’re using the wrong certificate X.509 has an expiration date, while RSA public and private key don’t.
We were planning on delivering this application to be used for a very long time. It is very hard for us to deliver and change the encryption and decryption keys, thus using a simple RSA public & private key would benefit way more than passing on an SSL certificate.
RSA is two algorithms, one for asymmetric encryption, the other one for digital signatures. They use the same kind of keys, they share the same core operation, and they are both called “RSA”.
Diffie-Hellman is a key exchange algorithm; you can view it as a kind of asymmetric encryption algorithm where you do not get to choose what you encrypt. This is fine for key exchange, where you just want to obtain an essentially random shared secret between two people. Note that most usages of RSA asymmetric encryption, in practice, are also key exchange, e.g. in SSL/TLS: the client generates a random value, encrypts it with the server’s public key, and send it to the server.
When it comes to SSL/TLS communication, an RSA certificate is generated like this:
openssl genrsa -out cert/rsa/key.pem 2048 openssl rsa -in cert/rsa/key.pem -pubout -out cert/rsa/cert.pem
When you organize certificates in a way such that there is a strict hierarchy, where certificate issuers are called Certification Authorities and issue certificates to each other, with a handful of top-CA called “root CA”, then that overall structure is called a Public Key Infrastructure, i.e. a PKI.
X.509 is a standard for the format and contents of certificates. X.509 is rather open about what signature algorithms will be used for signing certificates, but in practice, 99% of the time, it will be RSA.
Another difference would be that an X.509 certificate, must and will always have an expiry date.
openssl req -newkey rsa:2048 -nodes -keyout cert/x509/key.pem -x509 -days 365 -out cert/x509/cert.pem
All the demo repositories presented within this article, have been updated to show you how to implement encryption with both a simple RSA public and private key, and also using a X.509 certificate and private key.
- Digital Identity
- Public Key Infrastructure
- Relationship between RSA, Diffie-Hellman Key Exchange, PKI and X.509?
- Making sense of SSL, RSA, X509 and CSR