Application Security and Hardening

Geekwise Academy


Week 9 - Encryption and SSL/TLS Certificates


Instructors:

Corey Shuman


Slack Channel:

#application-security

Github Repo:

https://github.com/coreyshuman/GeekwiseApplicationSecurity

Lecture Notes:

http://coreyshuman.github.io/GeekwiseApplicationSecurity/LectureNotes


Table of Contents:


    Encryption

    [OWASP: Guide to Cryptography](https://www.owasp.org/index.php/Guide_to_Cryptography)

    This week will we look into encryption. Any time you are storing sensitive data that your clients wouldn't want make public, it is important to encrypt that data to protect it from leaks or hacks. We will start by learning about the most common encryption methods in use today, then we will work on using encryption to secure our user's information in the blogging app.

    Types of Encryption

    **Symmetric Cryptography**

    With Symmetric Cryptography, data is encrypted and decrypted with the same key. Some examples of symmetric algorithms:

    • DES (weak)
    • 3DES
    • AES

    **Asymmetric Cryptography**

    Also called Public/Private Key Cryptography, asymmetric algorithms always have two keys, one to encrypt the data and another to decrypt the data. One key is generally labeled the Public key and can be distributed. The other key is the Private key and must be kept hidden.

    Examples:

    • PGP
    • SSL

    **Hashes**

    Hash functions take some data of an arbitrary length (and possibly a key or password) and generate a fixed-length hash based on this input. Hash functions used in cryptography have the property that it is easy to calculate the hash, but difficult or impossible to re-generate the original input if only the hash value is known. In addition, hash functions useful for cryptography have the property that it is difficult to craft an initial input such that the hash will match a specific desired value.

    Examples:

    • MD5 (weak)
    • SHA-1 (weak)
    • SHA-256

    **Key Exchange Algorithms**

    Key exchange algorithms allow us to safely exchange encryption keys with unknown parties. Diffie-Hellman, used in SSL certs, is an example.

    NodeJS Crypto

    NodeJS has a built-in cryptography library which we should rely on anytime we need encryption or true random numbers. We can find the documentation here:

    [NodeJS: Crypto](https://nodejs.org/api/crypto.html)

    Here is a good starter article on implementing encryption in NodeJS:

    [Encrypt and decrypt content with Nodejs](http://lollyrock.com/articles/nodejs-encryption/)

    Key Management

    [Wiki: Key Management](https://en.wikipedia.org/wiki/Key_management)

    It is important for us to protect the data of our customers in the case of a server breach. We also need to assume that the hacker will have lots of time to try and crack encrypted data if they manage to steal our database, so we must use strong encryption with good practices. A big no-no is storing the secret keys in the same place as the data. If we do this, then it is trivial for the hacker to decrypt the data. Instead, we must make it difficult for anyone to get access to the secret keys, while still allowing our application to use the key.

    Encrypting Database Fields

    [AWS: Field-Level Encryption](https://aws.amazon.com/blogs/security/how-to-enhance-the-security-of-sensitive-customer-data-by-using-amazon-cloudfront-field-level-encryption/)

    **Our Encryption Sandbox:** (make sure the app is running)

    [http://localhost:8080](http://localhost:8080)

    In-Class: Additional Encryption

    Add new fields to the *Encryption Sandbox* and apply a different encryption method from the ones already used to secure those fields.

    Determine what are the advantages and disadvantages to the encryption method you selected.

    Additional Resources

    [A basic encryption strategy for storing sensitive data](https://www.itworld.com/article/2693828/data-protection/a-basic-encryption-strategy-for-storing-sensitive-data.html)

    [Encrypting Sensitive Data in Your MongoDB Database](https://www.compose.com/articles/encrypting-sensitive-data-in-your-mongodb-database/)

    Assignment: Apply AES-256-GCM Encryption

    In our Secure Blog application, add secure encryption to the post content.

    SSL/TLS Certificates

    SSL Certificates use public key cryptography to encrypt web traffic between a server and a web browser. Public key cryptography is a type of asymmetric cryptography, meaning there is a private and a public key. The web server uses the private key and your web browser uses the public key.

    SSL Certificates must be signed by a Root Certificate, which is a globally trusted certificate managed by a Certificate Authority. A Certificate Authority is a company like GlobalSign or DigiCert who is trusted by browser and operating system vendors to sign and issue certificates. Our computers and mobile devices maintain a list of the trusted CA Root Certificates. This allows them to verify the legitimacy of an SSL Certificate. That is how Chrome knows it can trust a website when it shows the green lock next to the URL.

    Creating Self-Signed Certificates using OpenSSL

    The easiest certificate to generate is a self-signed certificate. These types of certificates will show an error in web browsers because they are not signed by a Root Authority. However, they will still work, and are useful for testing.

    We will use a command line tool called [OpenSSL](https://www.openssl.org/) to generate our self-signed certificate.

    This command will let us create a certificate. OpenSSL will prompt us for additional information required by the certificate.

    It is also possible to generate a certificate fully automatically, with no prompts from OpenSSL

    It is possible to do this process within a Dockerfile to create an SSL cert when a container is built.

    In-Class: Create a Certificate

    Let's SSH into our application 03-HttpsExpressBasic and generate an SSL certificate. Use the following command to SSH into the container.

    Put your certificate in the `/cert` folder and update the `PASSPHRASE` env variable.

    Using Wireshark to Verify our Certificate

    [Wireshark](https://www.wireshark.org/) is a tool that will allow us to sniff the packets traveling in our network.

    Start up Wireshark and listen on the `loopback` device. Now try visiting our app using the unencrypted port `8080` and the secure port `4443`.

    Filter the Wireshark results to see the unencrypted traffic by using this filter: `tcp.port == 8080`.

    Do the same with the encrypted traffic: `tcp.port == 4443`. Notice the difference between the two types of traffic?

    Docker Certificate Using Docker Secret

    [Dockerflow: Certs](https://proxy.dockerflow.com/certs/)

    Getting Certificates

    The traditional option for getting a certificate for your site has always been to purchase one from a Certificate Authority, such as DigiCert. Let's take a look at their site:

    [DigiCert](https://www.digicert.com/)

    Today, there is a much cheapter (read: free) option. [Let's Encrypt](https://letsencrypt.org/) allows us to generate certificates for free, and we can even automate their creation and renewal.

    Automating Certificate Renewal

    Let's Encrypt offers an API for generating and renewing certificates. Let's take a look at some NPM modules that will let us automate our certificates.

    [greenlock-express](https://github.com/Daplie/greenlock-express)

    Using Let's Encrypt with a Web Host

    I will demonstrate (or at least attempt) to user Let's Encrypt to add a certificate to my website hosted on Arvixe, which uses Cpanel.

    Assignment: Add SSL to Our Blog

    Use the process we did in class, plus the code examples, to add SSL to our Secure Blog application.


    Resources