Why would a certificate authority have multiple root certificates?

When I look at the trusted certificates in my browser, I see that many certificate authorities have multiple root certificates associated with them. For example, org-Amazon has Amazon Root CA 1, Amazon Root CA 2, Amazon Root CA 3, and Amazon Root CA 4.

How do the purposes of these four certificates differ?

I also see that some CAs have root certificates of different "tiers", such as gold, silver, and platinum. What’s the deal with these? I imagine there are price differences associated with the different tiers, but what extra service could they be offering?

How to protect certificates and keys in peer to peer application

I’m making a peer-to-peer cross-platform application (in Java & Kotlin), and I want to encrypt conversations between tens of users, concurrently.

However, due to lack of knowledge in security good practices & protocols and due to this being my first time actually getting into informatics security, I’m sort of confused.

My goal is that every peer connection has a unique session that shares as little as possible to the other peer connections, in order to minimize any risk if one connection proves to be vulnerable. The connections will be implemented using TLSv1.3 or TLSv1.2 (I do not intend to support lower protocols due to the risks involved with using them).

However, I’ve done some rudimentary research on my own, and I cannot wrap my head around the question, is having a keystore and a truststore on the (classloader) directory of my application a security vulnerability? Could it ever be one?

I am aware that keystore stores the private and public key of the server, and truststore stores the public key of the server, which it verifies & uses when contacting the server. How can I protect my keystore’s and truststore’s certificate password, when they must be on the application’s directory? Does it need to be protected, even?

What encryption algorithm should my keystore use? I’m heading for really strong encryption, future proofing as much as possible along with keeping up as much backwards compatibility as I can without reducing the application’s security.

Is there an issue with the certificates being self-signed considering I’m solely using them between peers of the same application?

Considering I’m doing Java, do SSLSockets/SSLServerSockets create a "brand new session" for every new connection, as in, do they reuse the private or public key? Are private keys generated when making a handshake with a client?

Thank you for taking the time in advance, privacy is a really big focus of the application itself.

Where are field names of decoded human readable X.509 certificates specified?

The ASN.1 module for X.509 certificates as specified in RFC 5912 – Section 14 is as follows:

TBSCertificate  ::=  SEQUENCE  {       version         [0]  Version DEFAULT v1,       serialNumber         CertificateSerialNumber,       signature            AlgorithmIdentifier{SIGNATURE-ALGORITHM,                                 {SignatureAlgorithms}},       issuer               Name,       validity             Validity,       subject              Name,       subjectPublicKeyInfo SubjectPublicKeyInfo,       ... ,       [[2:               -- If present, version MUST be v2       issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,       subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL       ]],       [[3:               -- If present, version MUST be v3 --       extensions      [3]  Extensions{{CertExtensions}} OPTIONAL       ]], ... }  

The field names are the same in RFC 5280.

The decoded example certificate on the X.509 Wikipedia page however has completely different field names:

Certificate:     Data:         Version: 3 (0x2)         Serial Number:             10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6         Signature Algorithm: sha256WithRSAEncryption         Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2         Validity             Not Before: Nov 21 08:00:00 2016 GMT             Not After : Nov 22 07:59:59 2017 GMT         Subject: C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org         Subject Public Key Info:             Public Key Algorithm: id-ecPublicKey                 Public-Key: (256 bit)             pub:                      00:c9:22:69:31:8a:d6:6c:ea:da:c3:7f:2c:ac:a5:                     af:c0:02:ea:81:cb:65:b9:fd:0c:6d:46:5b:c9:1e:                     9d:3b:ef                 ASN1 OID: prime256v1                 NIST CURVE: P-256         X509v3 extensions:             X509v3 Key Usage: critical                 Digital Signature, Key Agreement          ... 

Signature Algorithm instead of algorithm, X509v3 extensions instead of just extensions.

Since the certificate has version 3, i would assume it doesn’t have anything to do with the version…

Of course i searched for various field names like X509v3 Key Usage or X509v3 CRL Distribution Points but couldn’t find any reference.

So where are the field names of the decoded human readable X.509 certificate specified or mapped?

Certificates for authentication and signing

Cross posting from SO to here for better reach https://stackoverflow.com/questions/62137112/certificates-for-authentication-and-signing

I have a client server scenario.

I have both thick client and a thin client (browser) which communicates with my server.

My thick client uses X-509 system certificate for client certificate authentication scenario and communicates with the server

Also this certificate is used for used to generate signed URL (with expiration time) for my thin client to communicate with my server which is used for integrity and authorization purpose. I also have a token based approach for authentication purpose in this case.

Now i want to complete move my authentication mechanism to OAuth based flow using client credentials or auth code based.

I understand that authentication and authorization can be moved to OAuth based communication. But how do i move my signing (digital signature) based use case to OAuth from certificate based ?

I don’t think there is any other way than to use certificate based PKI mechanism for digital signing. Can the private and public keys be distributed other than the certificates ?

Best Regards,

Saurav

X509 certificates – Are there any naming conventions?

As per the title, what are the naming conventions when buying certificates ?

When buying a cert for TLS / https from a particular Server, naturally I will default to the Server name, for example, if the server is called MOONSERVER under Subject of the x509 Certificate I would set it as MOONSERVER.

Additionally, I need to use another cert for message signing. What shall I call this? What are the rules for valid names? e.g. are hyphens, underscores, etc Ok ? Are names case sensitive?

Algorithm and key size to choose for SSL certificates (security and CPU wise) in 2020 (using nginx)

I posted this question already on SO, but as it is not really a programmin question I thought it might be a better place to ask here:

I want to setup a new SSL certificate store for generating SSL certs (server certs (nginx) and client certs (linux/windows devices))

I’m searching already for quite some time and I’m not sure I fully understand. especially as some articles are a few years old.

Many articles just talk about RSA end seem to recommend 2048 or 3072 though mentioning that 2048 is today probably still the best choice ( https://expeditedsecurity.com/blog/measuring-ssl-rsa-keys/ )

I found for example one Article ( https://paragonie.com/blog/2019/03/definitive-2019-guide-cryptographic-key-sizes-and-algorithm-recommendations ) but it seems to talk mostly about key encryption as @dave_thompson_085 pointed out on SO

stating in the section “Asymmetric (“Public Key”) Encryption”

Use, in order of preference:     X25519 (for which the key size never changes) then symmetric encryption.     ECDH with secp256r1 (for which the key size never changes) then symmetric encryption.     RSA with 2048-bit keys.  The security of a 256-bit elliptic curve cryptography key is about even with 3072-bit RSA.  Although many organizations are recommending migrating from 2048-bit RSA to 3072-bit RSA (or even 4096-bit RSA)  in the coming years, don't follow that recommendation. Instead migrate from RSA to elliptic curve cryptography, and then breathe easy while you keep an eye out for post-quantum cryptography recommendations. 

However they don’t mention the impact on server CPU usage compared to RSA 2048/3072/4048. I also didn’t find many other articles suggesting to switch to Elliptic curve algorithms.

Another article ) https://www.thesslstore.com/blog/you-should-be-using-ecc-for-your-ssl-tls-certificates/ _ tries to promote ECC instead of RSA, but comments on the article state, that ECC is less safe than RSA if quantum computers kick in. And the article cites nowhere numbers for what performance improvement to expect when using ECC.

https://crypto.stackexchange.com/questions/1190/why-is-elliptic-curve-cryptography-not-widely-used-compared-to-rsa mentions potentially legal issues and fear of being sued.

Though CPU usage is not a major issue Id still like to get some idea as I’d like to use the same CA and cert store also on devices like raspberries.

So what is today the best choice for certificate key algorithms and key sizes for server certs (old internet explorer not required but PCs, tablets, mobile phones being used today should be able to connect to the server

and what’s the best choice for client certs (will not be used on mobile devices)?

I kind of tend to RSA 2048, but I’m really not that sure I interpret all the articles correctly and don’t like to make choices based on feelings.

Credential encryption scenarios using certificates

Situation:

  • We have several service accounts (AD) that need to use a limited set of credentials.
  • These service accounts run scripts (PowerShell & Python), etc on different servers, requiring these credentials. These servers all run different versions of Windows Server (2012 – 2016)

Currently the credentials are stored clear text, which is gaping security hole that needs to be fixed.

As we are a Microsoft shop, I initially wanted to opt for DPAPI, but this becomes unwieldy when multiple servers and accounts are used (as you have to store each credential in each combination of vault/server).

The second option was to store the credentials encrypted, on a SMB file share, with NTFS security to limit the accessibility to only the service accounts. The credentials would be encrypted with a certificate, which would be stored in the LocalMachine certificate store of each server. To access a specific credential, the service account would decrypt the file using the certificate.

This seemed like an OK approach:

  • Servers only need to be provisioned with the same certificate (public key is sufficient).
  • Only administrators can access the LocalMachine Certificate Store
  • The credentials are encrypted and stored in a share secured by NTFS permissions.

I then came across a similar implementation as a PowerShell module: PowerShell Credential Vault. The major difference, as far as I can see, is that it stores a randomly generated key, encrypts the credentials (password only) using this key, and then encrypts the key using the certificate. The credentials and the encrypted key are stored together in an XML file.

Is there any advantage over just using the certificate to encrypt the credentials?

Certificates and keys validity

I’m connecting to a server via TLS. My device has installed server cert, device cert, private key and public key.

I read here validity SSL/TLS that TLS cert will last max 2 years.

This means that every 2 years I will have to updat all the certs stored into my device? Only server cert and device cert? Do I have to update also public and private key?