Geek Answers Handbook

SSL / TLS without certificates

I am working on a project for pets, which (in the end, when it is done) will allow for secure file transfer (there is more than simple, but the rest is not particularly relevant). I would like to use the OpenSSL library as it seems to be the most complete free cryptography library (and I need basic symmetric encryption and hash support in addition to SSL / TLS).

I am looking for an implementation of a security scheme similar to SSH. Basically, a user will connect to my computer using TLSv1 (SSLv3.1). I want the connection to be successful, regardless of security. Then I want to check the public key (not a full certificate) that the user used. This key will be compared with the known public keys, and if it matches, then the user will be allowed access to a specific set of commands. If this does not match, the user will have the opportunity to use the connection to apply, so that his / her public key is added to my collection, but apart from this, he could not access my services.

I have no particular need for certificates. It would be much easier for me if I could just skip all the certificate data and work only with raw encryption keys. This is because this model follows the web trust model, not the hierarchical model used by most SSL / TLS connections, so I don't need CA certificates or subscriptions.

Unfortunately, the documentation for most OpenSSL, well, is generally missing. All the relevant articles that I find seem to be busy setting up a “standard” SSL / TLS connection, where the server certificate is verified down to the set of root certificates. This may be useful, but it’s hard for me to figure out how to connect to these non-traditional SSL connections.

Can anyone suggest any articles or documents that can help me figure out how to do this?

(The use of OpenSSL is not set in stone, and I can switch to another library if it provides a better way to do this, as well as hashing [SHA-512] and symmetric encryption [AES]. With the goal of targeting Linux, but it would be nice, if the end product were portable for Windows so my friends could use it too.)

+7
source share
2 answers

To expand on the answer to Eugene (I would put this as a comment, but it's a little long) ...

By doing this with the FOAF + SSL project (later renamed WebID), using X.509 certificates simplifies the implementation, simply because most SSL / TLS stacks are designed with them in mind (and their APIs reflect this).

The last time I checked FOAF + SSL, traditional PKI checks were still for the client to verify the server certificate. Another option, similar to SSH, would be to accept the public key / certificate when it is first discovered and alert the user when it changes. This is more or less the way SSH works anyway (in particular, I think that few people actually check key fingerprints from stripes the first time they see this).

Considering only the use of a client certificate (although some of them may apply to server certificates in a similar way):

  • Most server libraries seem to be able to handle X.509 certificates, but allow you to change the way they are validated (e.g. X509TrustManager in Java).
  • Until you can trust something that the client certificate says, unless you confirm it otherwise, you can insert some additional information (for example, the name of the subject or the alternative name of the subject to find out who claims to be) help (a) users organize their certificates and (b) give a hint so that the verifier knows what to look for. A bare public key can be difficult to handle.
  • A number of existing client tools (especially browsers) use X.509 certificates when authenticating SSL / TLS clients. Not much needs to be done to configure the client to use a self-signed X.509 certificate (as opposed to a certificate from PKI). (There are very few tools that support OpenPGP for TLS, I'm not sure if they can use it as a form of client certificate.)
  • Since you cannot trust a certificate without external checks, it does not matter if it is self-signed or not (that is, regardless of whether the issuer and subject are the same), at least assuming t sends you a certificate with which it I do not agree (therefore, it would not have to be sealed with my own key). The consequence of this is that you can easily create a service for issuing certificates. For example, key generation in a browser is convenient for users who do not want to use openssl or keytool . Here is an example of a service that will issue a certificate with a SAN that a user wants (there may be more recent versions if you check the project with FOAF + SSL / WebID ). No matter which private key name or issuer name such a service uses, the case does not matter much, but since browsers are designed around traditional PKIs, this does not make it easy to use truly self-signed certificates.

There are also problems with requesting a specific client certificate. The TLS 1.1 specification explicitly allows empty certification authorities (see RFC 4346 ), while TLS 1.0 was silent on this point. In practice, even with TLS 1.0, most client tools seem to be happy with the empty list (they just offer more choices). If you want your certificates for your system to be easily identifiable, you could use the same issuer DN for all these certificates, even if they were not signed with the same private key in practice (again, since you ignored signature).

+3
source

Using self-signed certificates is the same as "raw" keys, but easier to manage (see this question on how to accept or not accept self-service, a signed certificate in openssl).

+2
source

More articles:


All Articles