Certificatetest: Difference between revisions
Revision as of 16:14, 18 August 2021
- Hardening the Security
ZNC acts as a proxy for the IRC connection, so it manages 2 kinds of connections:
- IRC client <-> ZNC
- ZNC <-> IRC Server

To increase security, both connections should use SSL; otherwise the traffic is protected only on the side that uses SSL and is completely insecure on the other side, which means: garbage in, garbage out.
Before proceeding, we have to be sure that ZNC has been compiled with SSL support.
To do this (ask..)
- ZNC Config
As reported in the Configuration we have a couple of security options.
(Ask if split pem or keep it single)
Another important configuration is the key exchange. The defaults are perfectly fine, but if you are security paranoid and your clients support the latest EC (elliptic curve) algorithms, you can push them to accept only XXXX
- Certificate
Copy the certificate instructions
- IRC Client connection
The first connection to secure is the IRC Client <-> ZNC one. The first step is to enable the SSL port directly during the first configuration. Otherwise, it can be enabled via the WebAdmin panel or via the command line.
- Web Admin Page
Screenshot
- Command line
Run this command (Check command)
Now we have to configure our clients to use SSL when connecting. The second optional step is to use the Cert
This page is a compendium of the commands required to manage ZNC's certificates.
Algorithms
Public Key Infrastructures (PKI) are based on asymmetric cryptography, which uses a key pair: a public key and a private key.
There are 3 primary algorithms used for PKI key generation:
- (ECC) Elliptic Curve Cryptography
It is the most recently developed method of the three, and support for it is growing. With shorter key lengths, it provides cryptographic strength equivalent to RSA and DSA.
- (RSA) Rivest-Shamir-Adleman
The RSA algorithm was developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. It is currently the most used and supported key algorithm. Nowadays the standard key length is 2048-4096 bits.
- (DSA) Digital Signature Algorithm
It uses a different algorithm than RSA to create public/private keys, but both are considered equivalent at the same key length. The main differences come down to performance, speed and adoption by the market. Moreover, some software can only handle DSA keys up to 1024 bits.
Algorithms Key Size Comparison (bits)

| Symmetric | RSA/DSA | ECC |
|---|---|---|
| 80 | 1024 | 160-223 |
| 112 | 2048 | 224-255 |
| 128 | 3072 | 256-383 |
| 192 | 7680 | 384-511 |
| 256 | 15360 | 512+ |

Taking into consideration the current security standards, we will continue using ECC and RSA.
Key generation
The first step is to create a key pair. As described before, we will provide commands to create ECC or RSA keys.
WARNING: The following commands will not encrypt/password protect the private key, because ZNC is unable to properly handle encrypted private key files. For this reason, keep the key file secret.

Before proceeding, if you want to adopt ECC, check 2 constraints:
- Your IRC Client supports ECC
- In case you want certificates signed by a global CA, be sure it supports ECC

If the answer to either of these 2 points is NO, then use RSA.
Regardless of the algorithm you choose, at the end of the process you will have:
- 1 priv.key
- 1 pub.key
- 1 priv.info (optional)
ECC
    # Generate the ECC private key with 256-bit key length
    openssl ecparam -genkey -name prime256v1 -outform PEM -out priv.key
    # Generate the ECC public key
    openssl ec -outform PEM -pubout -in priv.key -out pub.key
    # Get information on the curve parameters stored in the ECC private key file
    openssl ecparam -noout -text -in priv.key
    # Get the full curve parameters in explicit form
    openssl ecparam -noout -text -in priv.key -param_enc explicit

On the last 2 commands you can add -out priv.info to store the information in a file.
RSA
    # Generate the RSA private key with 4096-bit key length
    openssl genrsa -out priv.key 4096
    # Generate the RSA public key
    openssl rsa -outform PEM -pubout -in priv.key -out rsa.pub.key
    # Get sensitive information on the RSA private key
    openssl rsa -noout -text -in priv.key

On the last command you can add -out priv.info to store the information in a file.
Certificate generation
Certificate Signing Request
To obtain a certificate, you first have to create a Certificate Signing Request (CSR). The command is the same for ECC and RSA keys.

    openssl req -new -sha512 -key priv.key -out cert.csr

If -subj "/CN=YourNickname"
- For an RSA based certificate, with 4096-bit key length:

    # Generate the RSA private key and the certificate embedded in the same file for ZNC's YourNickname:
    openssl req -nodes -sha512 -newkey rsa:4096 -keyout user.pem -x509 -days 3650 -out user.pem -subj "/CN=YourNickname"

- For an ECC based certificate, with 256-bit key length:

    # Generate the ECC private key:
    openssl ecparam -genkey -name prime256v1 -out user.key
    # Generate the Certificate Signing Request (CSR) for ZNC's YourNickname:
    openssl req -new -sha512 -key user.key -out user.csr -subj "/CN=YourNickname"
    # Submit the CSR to a CA or self-sign it yourself with:
    openssl req -x509 -sha512 -days 3650 -key user.key -in user.csr -out user.crt
    # Embed private key and certificate in the same file, as requested in many cases:
    cat user.crt user.key > user.pem

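A sanity check for the combined user.pem produced above, as an added example that is not part of the original wiki page: it confirms that the file holds an unencrypted key (per the warning about ZNC), that the key matches the certificate, that the file is not readable by group or others, and that the certificate has not expired. The function name check_pem and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example; check_pem is a hypothetical helper, not a ZNC or OpenSSL command.
# Return codes: 0 ok, 1 unreadable or missing block, 2 encrypted key,
# 3 key/certificate mismatch, 4 readable by group or others, 5 certificate expired.
check_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }

    # Both a certificate and a private key block must be present.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate in $pem" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "no private key in $pem" >&2; return 1; }

    # The page warns that ZNC cannot handle encrypted private key files.
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "private key is encrypted" >&2; return 2
    fi

    # The public key in the certificate must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "certificate and key do not match" >&2; return 3; }

    # Characters 5-10 of the ls mode string are the group and other bits;
    # an unencrypted key file should have none of them set.
    [ "$(ls -ld "$pem" | cut -c5-10)" = "------" ] ||
        { echo "$pem is accessible by group or others" >&2; return 4; }

    # -checkend 0 fails when the certificate has already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "certificate expired" >&2; return 5; }
    return 0
}
```

Run it as `check_pem user.pem` after either the RSA or the ECC procedure; if it reports return code 4, `chmod 600 user.pem` fixes the permissions.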
Glossary
- Certificate: Also known as X.509 certificate, it is used to encrypt and decrypt data relying on a related public and private key pair.
- CSR: Certificate Signing Request
- DSA: Digital Signature Algorithm
- ECC: Elliptic Curve Cryptography algorithms
- RSA: Rivest-Shamir-Adleman algorithms
- PKI: Public Key Infrastructures
- Private Key: One key of the pair. It is the one that must be kept secret
- PEM: Privacy Enhanced Mail - a Base64 encoded ASCII file format
- Public Key: One key of the pair. It is the one that can be freely shared
- P12: Common file extension for PKCS#12 format
- PFX: Common file extension for PKCS#12 format
- PKCS12: Common file extension for PKCS#12 format
- PKCS#12: Binary format for storing certificate chain and private key in a single, encryptable file