Duration: 4 days
Prerequisites: Linux usage and administration fundamentals, ver2.0 – part 1
Note1: This course covers the cryptography part of the previous course “Linux part 2: Security, services and administration topics”. The other topics from that previous course are now in the new course Linux usage and administration fundamentals, ver2.0 – part 2 (together with some additional topics).
Note2: This course is Linux based, but more than 50% of the content is general knowledge about cryptography, certificates etc. It is therefore also intended for e.g. engineers in network environments where the same protocols are implemented on e.g. VPN concentrators with SSL or firewalls.
Note3: Ver 1.2 covers post-quantum algorithms for key exchange (hybrid X25519MLKEM768) and authentication (ML-DSA certificates).
Description:
The goal of this course is to provide a deep understanding and solid hands-on knowledge of cryptography-related topics. This includes symmetric encryption algorithms, asymmetric algorithms, message digest algorithms, signing methods, certificates etc.
Next, the TLS 1.2 and 1.3 protocols are covered in detail, with a number of examples explaining how the cryptographic algorithms are used in these protocols.
Implementation of a local CA (using openssl) is explained, and the procedures for generating certificate signing requests, issuing certificates and using certificates are presented. Usage of Let’s Encrypt as a publicly available CA server is also covered.
TLS can be used as secure transport for number of protocols above it, but it was initially introduced for HTTP.
Therefore, HTTP versions 1.1, 2 and 3 are also covered, as this knowledge is required when configuring them with TLS (e.g. SNI, ALPN).
apache2 and nginx are used as servers, and configurations for different scenarios are provided, explained and tested (e.g. pure http/https servers, forward/reverse proxies, terminating TLS on the frontend or propagating TLS to the backend etc.).
Regarding other services, the usage of certificates with ssh is also covered.
Note4: There is a playlist on YouTube with videos in Croatian that cover the theoretical part of cryptography and the algorithms from the course. During the course, these parts will also be covered, but mostly in a shortened form in order to leave enough time for labs and implementation-specific details of particular software. It is therefore recommended to go through these videos separately, in addition to the course. The topics of the YouTube videos are related to general cryptography and do not cover all the theory from this course; e.g. the TLS part, as well as many other topics, is not covered there and will be presented during the course.
Content:
Lab preparation
HTTP server, reverse and forward proxy implementations
• Principles of operation
• HTTP 1.X protocols
• HTTP 2
• HTTPS: HTTP over TLS
• HTTP 3
• Implementations
– Apache as HTTP server
– Nginx as HTTP server
– Apache as reverse proxy server
– Nginx as reverse proxy server
– Apache as forward proxy server
Crypto and linked algorithms, certificates, TLS/SSL versions: theory and examples
• Hash (message digest) algorithms
• Message signing using hash algorithm and common secret
• Dictionary and repetition attacks: salting, counters
• HMAC
• Symmetric encryption algorithms
– Modes of operation
• Asymmetric encryption algorithms
• Key exchange algorithms
• Signature algorithms
• Certificates
• TLS
– TLS 1.2
– TLS 1.3
• QUIC and HTTP3
• QUIC and DNS HTTPS record
• TLS Session resumption
• TLS 1.3 early data with session resumption
Internal CA implementation using OpenSSL, use of certificate on nginx/apache2
• Create CA
– Generate keypair
– Create CA (self-signed) certificate
• Example with default command line
• Example with command line and params for DN
• Example with config file
• Create certificate for web server
– Create keypair
– Prepare config file and create certificate signing request
– Display certificate signing request
– Prepare v3 extended data for request
– Transfer request to CA, issue certificate
– Transfer issued certificate to the server
– Display certificate
– Transfer CA certificate to the server
– Add CA certificate to trusted root certificates
– Create certificate chain PEM file
• Use certificate with nginx, basic setup
• Test with s_client and display certificate
• OpenSSL as OCSP server
– Create keypair
– Prepare config file and create request
– Prepare v3 extended data for request
– Issue certificate
• Use certificate with Apache server, basic setup
• Prepare certificates for lin1 and lin4 for following labs
Web server setup, standard
• Apache2
• Nginx
Reverse proxying with SSL termination
• Apache: single certificate, URL redirect
• Apache: multiple certificates
• Nginx: single certificate, URL redirect
• Nginx: multiple certificates
Reverse proxying without SSL termination, nginx
Use Let’s Encrypt to obtain public certificate
SSH use with user and server certificates
• Preparation
– Creating SSH CA
– Creating keypair for hosts and users CA
– Creating CA for users and hosts
• Issuing certificate for some host
– Preparing keypair to sign on host
– Transfer public key to the CA
– Issue certificate for host
– Transfer signed certificate to host
– Check content of certificate before use
– Configuring SSHd to use and present host certificate
– Configuring SSHc to use host certificates signed by specific CA
• Adding users for test
– Enabling password authentication for test
– Testing access to server presenting certificate, user authentication via password
– Prepare and test certificate for lin2
• Issuing and using certificates for users
– Creating user keypair
– Issuing user certificate
– Check certificates
– Configure SSHd to accept user certificates
– Test connectivity
– Additionally limit allowed users on the server
• Revoking certificates
– Revoke user certificate
– Revocation using KRL files
– Revoke host certificate
– Revoke host certificate using KRL file