Encryption and Authentication Process
When transferring encrypted data or email messages, encryption alone does not guarantee the integrity of the data or the authenticity of the sender: an attacker who cannot read a ciphertext may still be able to replace it, modify it, or send one of their own. Adding authentication to the encryption process establishes trust and prevents attackers from impersonating legitimate users. Digital certificates, digital signatures, and encryption with public and private key pairs together establish the origin and legitimacy of transmitted information.
Applied Encryption Processes
Most modern cryptographic systems use a combination of
- symmetric-key encryption,
- asymmetric-key (public-key) encryption, and
- cryptographic hash functions (often loosely called "hash encryption", although a hash is one-way and cannot be reversed, so it is not encryption in the strict sense).
This combination capitalizes on the strengths of each type while minimizing their weaknesses: symmetric ciphers are fast but require both parties to share a secret key, asymmetric ciphers solve key distribution but are slow and limited in message size, and hash functions provide fixed-size fingerprints for integrity checks and digital signatures.
Programs such as
- Internet Information Services (IIS),
- Tomcat,
- PGP,
- Microsoft Exchange Server, and
- Windows Server 2019
as well as protocols such as
- Secure/Multipurpose Internet Mail Extensions (S/MIME),
- PGP/MIME, and
- SSL/TLS,
all employ a combination of symmetric-key encryption, asymmetric-key encryption, and hash functions.
Virtual private networks (VPNs), which extend a private network across a public one so that a company can conduct secure, real-time communication between sites and remote users, and protocols such as Secure HTTP (S-HTTP) also use such combinations.
Secure HTTP
Secure HTTP (S-HTTP, RFC 2660) protects individual HTTP messages rather than the whole connection. Like HTTPS, it uses asymmetric (public-key) operations to establish a key for a transaction and then a symmetric key for the actual data. S-HTTP was published only as an experimental protocol, never saw wide deployment, and is not supported by current browsers. What Microsoft Internet Explorer, Mozilla Firefox, Chrome and every other major browser support instead is HTTPS, which is HTTP carried over SSL/TLS and follows the same pattern: an asymmetric handshake to agree on keys, then symmetric encryption for the session.
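As an added example (not from the original page) of the pattern described in the two passages above, here is the full hybrid exchange done with the openssl command line: a random symmetric key protects the bulk data, the recipient's public key wraps that symmetric key, and a signature over a SHA-256 hash of the ciphertext authenticates the sender. The key and file names (alice, bob, bundle) and the message are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: the hybrid scheme described above,
# built from the openssl CLI. File and key names (alice, bob, bundle) are
# constructed for the example.

# Make an RSA key pair: <name>.key (private, keep secret) and <name>.pub (public).
hybrid_keygen() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl pkey -in "$1.key" -pubout -out "$1.pub"
}

# hybrid_encrypt <plaintext> <recipient.pub> <sender.key> <bundle-dir>
hybrid_encrypt() {
  out="$4"
  mkdir -p "$out"
  # Symmetric: a fresh random 256-bit key and 128-bit IV encrypt the bulk data (fast).
  openssl rand -hex 32 > "$out/session.hex"
  openssl rand -hex 16 > "$out/iv.hex"
  openssl enc -aes-256-cbc -K "$(cat "$out/session.hex")" -iv "$(cat "$out/iv.hex")" \
    -in "$1" -out "$out/data.enc"
  # Asymmetric: only the recipient's private key can unwrap the session key (RSA-OAEP).
  openssl pkeyutl -encrypt -pubin -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
    -in "$out/session.hex" -out "$out/session.wrapped"
  # Hash + asymmetric: sign SHA-256(ciphertext) with the sender's private key, so the
  # recipient can check both integrity and who sent it.
  openssl dgst -sha256 -sign "$3" -out "$out/data.sig" "$out/data.enc"
  rm -f "$out/session.hex"   # never leave the bare session key beside the bundle
}

# hybrid_decrypt <bundle-dir> <recipient.key> <sender.pub> <output-file>
# Returns 1 (without decrypting anything) if the signature does not verify.
hybrid_decrypt() {
  # Verify first: a tampered or forged bundle is rejected before any key is used.
  openssl dgst -sha256 -verify "$3" -signature "$1/data.sig" "$1/data.enc" >/dev/null 2>&1 || return 1
  k=$(openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep -in "$1/session.wrapped")
  openssl enc -d -aes-256-cbc -K "$k" -iv "$(cat "$1/iv.hex")" -in "$1/data.enc" -out "$4"
}

# Usage (sender alice, recipient bob):
#   hybrid_keygen alice; hybrid_keygen bob
#   hybrid_encrypt msg.txt bob.pub alice.key bundle
#   hybrid_decrypt bundle bob.key alice.pub out.txt
```

The `openssl enc` tool offers no authenticated mode such as AES-GCM, which is why the signature is checked before the ciphertext is decrypted: without that step an attacker could alter the ciphertext unnoticed. A real protocol such as TLS negotiates the symmetric key with the handshake and uses authenticated encryption for the session; the three building blocks are the same.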
Secure Sockets Layer (SSL) and Digital Certificates
The Secure Sockets Layer (SSL) protocol, and its successor Transport Layer Security (TLS), allow applications to exchange data privately over public networks. SSL/TLS helps prevent eavesdropping, tampering, and message forgery. SSL 3.0 was documented by the Internet Engineering Task Force (IETF) only for the historical record, as RFC 6101, and was deprecated by RFC 7568 in 2015; the IETF standard in current use is TLS (TLS 1.2, RFC 5246, and TLS 1.3, RFC 8446). The name "SSL" lives on in tool and file names such as "SSL certificate", but the protocol actually negotiated by today's browsers and servers is TLS.
(The IETF is an organization that determines the standards and protocols for the Internet. You can learn more about the IETF at www.ietf.org.) All major web browsers and many e-mail clients support SSL/TLS, as do many additional applications used in the security industry.
HTTPS (HTTP over SSL/TLS) uses TCP port 443 by default; other protocols wrapped in SSL/TLS keep their own port numbers (for example, IMAPS uses 993 and SMTPS uses 465).
Create an SSL/TLS certificate using OpenSSL
You can create your own SSL/TLS certificates using OpenSSL for free. Here's why and how:
Why create your own SSL/TLS certificate?
- Testing and Development: Create certificates for local development environments or internal testing servers without involving an external CA.
- Limited Scope: For small projects or personal websites where the trust established by a commercial Certificate Authority (CA) isn't critical. (Publicly trusted certificates are also available at no cost from Let's Encrypt, so cost alone is rarely the deciding factor.)
- Learning purposes: Understanding how private keys, certificate requests, certificates and signatures fit together.
How to use OpenSSL for SSL/TLS Certificate Creation
- Generate a Private Key: This is the "secret" part of your certificate. Restrict it to the server process (for example, file mode 600) and never send it to anyone; the CSR and the certificate contain only the public half.
openssl genrsa -out mydomain.key 2048
- Create a Certificate Signing Request (CSR): This contains details about your website/server (the subject, most importantly the host name) that will go into the certificate. The command prompts for those details interactively.
openssl req -new -key mydomain.key -out mydomain.csr
- Self-Sign the Certificate: This is where you act as your own CA, signing the request with the same private key, here for 365 days.
openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt
Note that these commands put the host name only in the Common Name (CN) field. Current browsers ignore CN and match the host against the subjectAltName (SAN) extension, so a certificate made exactly as above is rejected even after it has been installed as trusted; supply an extensions file with -extfile so that the certificate carries a SAN entry for the host.
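The three steps above as one non-interactive script, added here as an example and not part of the original page: it adds the subjectAltName that the bare commands omit and finishes with two checks a practitioner would run before deploying the certificate. The host name (dev.example.test) and the output directory are assumed inputs constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: the three steps above as one
# non-interactive function, plus the subjectAltName that the bare commands omit
# and two checks. The host name and output directory are constructed inputs.

# make_selfsigned_cert <hostname> <output-dir>
make_selfsigned_cert() {
  host="$1"; dir="$2"
  mkdir -p "$dir"
  # 1. Private key. This is the secret: readable by the server only, never copied off-host.
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  chmod 600 "$dir/$host.key"
  # 2. CSR. -subj supplies the subject so no interactive prompts appear.
  openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr"
  # 3. Extensions. Browsers ignore CN and require the host in subjectAltName;
  #    keyUsage/extendedKeyUsage state what the certificate may be used for.
  printf 'subjectAltName=DNS:%s\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$dir/$host.ext"
  # 4. Self-sign for one year, applying the extensions from the file.
  openssl x509 -req -days 365 -in "$dir/$host.csr" -signkey "$dir/$host.key" \
    -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Print the DNS names in the certificate's subjectAltName (empty if there are none).
cert_san() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

# Succeeds if the certificate validates against itself as the trust anchor,
# i.e. what a client sees once the certificate has been installed as trusted.
cert_verifies_self() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage:
#   make_selfsigned_cert dev.example.test ./certs
#   cert_san ./certs/dev.example.test.crt          # prints DNS:dev.example.test
#   cert_verifies_self ./certs/dev.example.test.crt && echo trusted
```

Inspect any certificate with `openssl x509 -in file.crt -noout -text`; the SAN, key usage, validity dates and issuer shown there are exactly the fields a browser checks, so a certificate that fails there will fail in the browser too.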
Important Considerations
- Trust: Web browsers won't automatically trust a self-signed certificate. Users will see a security warning. You might need to manually add your certificate as a trusted root certificate on client devices. Anyone holding the private key of a certificate you have trusted in this way can impersonate that host, so guard the key accordingly.
- Commercial vs. Self-signed:
- Commercial CAs (GoDaddy, Comodo (now Sectigo), etc.) verify that you control the domain and, for organization- and extended-validation certificates, your organization's identity. This establishes trust for public websites.
- Self-signed certificates offer encryption but not browser-accepted identity verification.
- Renewal: A self-signed certificate is valid for exactly the -days value you chose when signing it. Short lifetimes limit the damage if the key leaks, but mean regenerating and redistributing the certificate regularly; track the expiry date, because an expired certificate fails just as loudly as an untrusted one.
When you SHOULD use a self-signed certificate
- Internal servers whose clients you control, so the certificate can be installed as trusted on every client
- Local development and testing
When you SHOULD NOT use a self-signed certificate
- Public-facing websites
- Web applications where trust and user confidence are crucial
SSL uses a digital certificate
SSL uses a digital certificate to enable two applications to authenticate over a network. A digital certificate is issued by a certificate authority (CA), a trusted third party that verifies that the person or host making a certificate request actually controls the name (and the private key) in the request before signing it.
Once a digital certificate is signed by a certificate authority, it enables a server to prove its identity to a client: the server demonstrates possession of the private key matching the public key in the certificate, and the client checks the CA's signature and that the name in the certificate matches the host it intended to reach. The certificate itself does not encrypt anything; confidentiality comes from the session keys the two sides negotiate during the handshake and then use with a symmetric cipher for all information between the client and the server. SSL/TLS also provides data integrity services through message authentication codes (or authenticated encryption in TLS 1.3) built on one-way hash functions, so any alteration in transit is detected. Essentially, a digital certificate is a public key bound to an identity (subject name, issuer, validity period, key usage and other fields) and signed by the issuer; a client (e.g., a web browser) uses these fields to decide whether to accept the authentication. The fields are governed by the X.509 standard, profiled for the Internet in RFC 5280 (which replaced the RFC 2459 cited in older texts). SSL/TLS encryption occurs above the Transport layer of the Open Systems Interconnection Reference Model (OSI/RM), between TCP and the application protocol it protects.
SSL uses a six-step handshake process to build a connection between a client and a server.