Some often-used OpenSSL commands:
For connecting to an SSL server (-cipher restricts the cipher suites the client offers):
openssl s_client -connect <Server-IP>:<port> -cipher <cipher list>
For connecting to an SSL server with a client certificate:
openssl s_client -connect <Server-IP>:<port> -cert <certificate path> -key <private key path>
Note that s_client only reports certificate problems in its "Verify return code" line; it still completes the handshake with an untrusted certificate unless you also pass -CAfile <CA certificate path> and -verify_return_error.
For the server to be ready to accept connections (-WWW serves files from the current directory, and binding port 443 needs root):
openssl s_server -cert <certificate path> -key <private key path> -accept 443 -WWW
For seeing the decoded (human-readable) contents of an SSL certificate:
openssl x509 -in cert.pem -noout -text
Friday, March 18, 2011
Monday, March 14, 2011
SSL for beginners
I often have to explain SSL to the sales people. Here is a short version of what I usually end up saying.
Let's say Bob and Alice wish to talk securely. The usual requirements would be that
1. No one should be able to eavesdrop on the conversation. This is fulfilled by encryption.
Additionally,
2. If Bob and Alice cannot see each other, then each of them should be assured that they are talking to the right person. This is fulfilled by authentication.
3. No one should be able to modify the messages that they send to each other. This is fulfilled by using message digests (in SSL, keyed ones, known as message authentication codes).
SSL stands for Secure Sockets Layer (its successor is TLS, Transport Layer Security). It uses separate mechanisms to handle encryption, authentication and message digests.
Encryption is a way in which one can mathematically transform the message so that it looks like a random string. In other words, if Alice sends "Hello Bob" to Bob, the encrypted message may look like "xwygh", i.e. a random-looking string rather than an English message. Only someone holding the right key can turn it back into "Hello Bob".
Authentication can be used by Alice / Bob to prove that they are indeed who they claim to be. One of the ways in which this can be achieved is to use a certificate. This certificate is issued by someone whom both Alice and Bob trust. In SSL parlance, this entity is called the trusted certificate authority. Thus, when Alice presents a certificate, Bob checks that it carries a valid signature from a certificate authority that he trusts, and Alice proves during the handshake that she holds the private key matching the certificate. Only then can Bob be assured that Alice is indeed who she claims to be; a certificate alone proves nothing, since anyone can copy it.
A message digest is a short fingerprint of the message (mathematically speaking, a hash of the message). The important properties are that the message cannot be recovered from the digest (again, mathematically speaking, it is a one-way hash) and that any change to the message changes the digest. So when Alice sends the message "Hello, Bob" to Bob, she also sends the digest along with it. When Bob receives the message, he computes a digest over the message he received and compares the two digests. If someone modifies the message to "Bye, Bob", then the digest that Bob computes will be different from the digest that Bob received. This will indicate to Bob that the message has been modified. One caveat: a plain digest is not enough on its own, because an attacker who changes the message can simply recompute the digest as well. SSL therefore uses a keyed digest (a message authentication code such as HMAC) that can only be computed by someone who knows a secret shared between Alice and Bob.
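The Alice/Bob integrity check described above, as an added example that is not part of the original post. It uses Python's standard hashlib and hmac modules, the messages "Hello, Bob" and "Bye, Bob" from the text, and a shared key that is constructed here for the demonstration. It shows the check working against a simple modification, then shows why an unkeyed digest fails when the attacker recomputes it, and why a keyed digest (HMAC) does not.

```python
import hashlib
import hmac
import secrets


def digest(message: bytes) -> bytes:
    """Unkeyed message digest (SHA-256), as in the explanation above."""
    return hashlib.sha256(message).digest()


def verify_digest(message: bytes, received_digest: bytes) -> bool:
    """Bob recomputes the digest over what he received and compares it
    with the digest that arrived with the message (constant-time compare)."""
    return hmac.compare_digest(digest(message), received_digest)


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed digest (HMAC-SHA256): computing it requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, received_tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, message), received_tag)


def tamper_demo() -> dict:
    """Runs the exchange three ways and returns whether each outcome matched."""
    original = b"Hello, Bob"   # what Alice sent
    forged = b"Bye, Bob"       # what the attacker substitutes
    shared_key = secrets.token_bytes(32)  # constructed Alice/Bob secret

    # 1. Attacker changes the message but leaves Alice's digest alone:
    #    Bob's recomputed digest no longer matches, so this is detected.
    naive_detected = not verify_digest(forged, digest(original))

    # 2. Attacker changes the message AND recomputes the unkeyed digest.
    #    Anyone can compute SHA-256, so Bob accepts the forgery.
    naive_evaded = verify_digest(forged, digest(forged))

    # 3. With a keyed digest the attacker has no shared_key. The best they
    #    can do is a tag under some key of their own, which Bob rejects,
    #    while Alice's genuine tag still verifies.
    attacker_key = secrets.token_bytes(32)
    mac_detected = not verify_mac(shared_key, forged, mac(attacker_key, forged))
    mac_honest = verify_mac(shared_key, original, mac(shared_key, original))

    return {
        "naive_detected": naive_detected,  # True: simple tampering caught
        "naive_evaded": naive_evaded,      # True: recomputed digest fools Bob
        "mac_detected": mac_detected,      # True: HMAC catches the forgery
        "mac_honest": mac_honest,          # True: genuine HMAC still verifies
    }


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name}: {outcome}")
```

The second case is the one to remember: integrity needs a secret that the attacker does not have, which is why the record layer in SSL/TLS attaches an HMAC (or, in modern suites, an AEAD tag) rather than a bare hash.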