OpenSSL Cheat Sheet v1.2

OpenSSL reference by Alberto Gonzalez

A new version of the OpenSSL reference has been released.

Version 1.2

These are the changes:

  • Asymmetric encryption: Changes in how to export the public key to be consistent with the encryption command using RSA public key.
  • Asymmetric encryption: Encrypt a file using RSA public key.
  • Asymmetric encryption: Decryption of the previously encrypted file was included.
  • Symmetric encryption: Changes in the decryption of a file using another file as the key, instead of a password.
  • Digital Signatures: Signing a file using SHA-256 and RSA private key.
  • Digital Signatures: Verifying the signature previously generated using the RSA public key file.
  • Working with TLS protocol: Extract the domain certificate from an HTTPS/TLS connection.
  • Working with TLS protocol: nmap command: Display enabled cipher-suites over an HTTPS/TLS Connection.
  • Working with TLS protocol: nmap command: Display enabled cipher-suites over a TLS (HTTPS) Connection using SNI.

KeyStore Explorer: A great tool for simplifying cryptographic tasks in Java.

Recently I have been testing this tool when I work with Java Key Stores or Trust Stores. It’s KeyStore Explorer.

You can always use command line to execute cryptographic tasks in java using keytool library or bouncy castle, however for many daily activities like generating CSR files, creating cryptographic keys or managing several keystores or trust stores, you prefer a more friendly tool. This is where KeyStore Explorer fits in.

It’s support for cryptographic tasks, according to it’s website, is:

And you can handle, compare and manage many keystore files from the main window and explore their content easily:

It is definitely an extraordinary tool that can be downloaded here: http://keystore-explorer.org/

OpenSSL Cheat Sheet v1.0.5

Today I released the 1.0.5 version of the OpenSSL Cheat Sheet.

Change Control:

  • New additions:
    • Added the Java keytool command to generate Java Key Store files in PERSONAL SECURITY ENVIRONMENTS section.
    • Added two commands to generate CSR files using Elliptic Curve keys instead of RSA keys in DIGITAL CERTIFICATES section.
    • Added the command to generate a CSR file using an existing private key file. Useful when you need to renew your certificate but preserve the private key. DIGITAL CERTIFICATES section.
  • Corrections:
    • A few typo corrections in DIGITAL SIGNATURES.

You can download the PDF version here or access the online version.

Implementations: The Achilles heel in cybersecurity

Heartbleed

There are many new technologies, controls, mechanisms, modules, libraries for protecting and securing assets and information. Usually these new technologies were created and developed by people with good skills in the field, however, one of the main problems is the implementation phase.

Believe it or not, most of the vulnerabilities, either published or zero-day, exist because of a bad or terrible implementation of something that is secure in escense.

Think about cryptography. In general, cryptographic standard algorithms are approved and validated by many cryptographers around the world but when it comes the implementation phase, the standard or algorithm is implemented by a group of peole working at the same company or sometimes by only one developer with limited training in security and/or cryptography.

One of these examples is WEP Security Protocol for Wireless communications. It has different vulnerabilities but particularly the vulnerability of the key stream is a consequence of a weakness in the implementation of the RC4 stream cipher, not the RC4 algorithm by itself.

Continue reading Implementations: The Achilles heel in cybersecurity

The new OpenSSL Cheat Sheet

Enjoy this openssl cheatsheet to apply in symmectric and asymmetric encryption, digital signatures and certificates, create your own CA, sign files, use hashes.

Feel free to post any comments or recommendations for a future version.

You can download the latest PDF version from the website or by clicking here.

openssl cheatsheet

Security in payment data for e-commerce applications

Every day a new e-commerce application is published on Internet and more people are using these applications to acquire any kind of products, at the end that is the goal, but to get there you need to introduce some of your information, from personal information to payment information. You need to type in your address, your name, your age sometimes and your credit card (CC) information of course.

In Card Not Present transactions the information must be protected in a different way than card present transactions, that is because the information processed is in fact different.

Many of these web and mobile applications don’t follow protocols and rules to protect the customer information, not even moderately. In this post I will focus on the best practices for protecting this kind of critical information.
Continue reading Security in payment data for e-commerce applications