HTTP over SSL / TLS or HTTPS

HTTP is an application Layer protocol from TCP/IP protocol layer’s perspective. Http is implemented on top of TCP, which means HTTP usages TCP as transport protocol. TLS/SSL is a security mechanism/protocol to secure the transport layer and basically TCP. The term “to secure” in the previous sentence does not mean that it will change the TCP protocol and make it secure instead it will add an extra layer of protocol on top TCP to provide security. Now the application protocol HTTP who were using TCP directly will use TLS APIs to call TCP API calls and make them secure from communication security perspective. The protocol stack can represented as in the figure below, which shows how the new TLS/SSL stack is introduced horizontally between the HTTP and TCP.

Now as communication security is concerned, how does HTTP achieves them is can be described with respect to the three basic goals of communication security i.e. (1) End point Authentication, (2) Confidentiality and (3) Data Integrity. TLS/SSL defines how these goals can be achieved.

Now most important and probably difficult part is the “End point Authentication”, because it deals with certificates and some very complicated concepts. In this step the client and server authenticated their identity. But most of the case, does not do a client authentication because it is not required from the application logic point of view and also makes the process more difficult.

Some nice readings on TLS/SSL and programming TLS with openSSL

• Wiki : TLS
• SSL and TLS: Designing and Building Secure Systems, this book also contains programming TLS /SSL with openSSL and TrueTLS in Java and C
• OpenSSL : The SSL/TLS library
• IBM article on OpenSSL

Genetic Cryptography?

I am thinking about a concept of cryptographic system based on Human Genome codes, which will specially help to create hash (one way functions), may be encryption/decryption also. I am not talking about the genetic algorithms, which are out of scope.

(( Genetic Code )) — Transform–> ((Behavior + Physical Construct + ….)) —>>> ((Human))

Now, let us apply the same logic for creating a hash function…

(( Document)) — Get Attributes or Properties —>( (Document Attributes) )—> ((Hash))

Does it make any sense? May be i am missing something….

Creating a simple Http Client using WinInet for Windows

The WinInet provides APIs to communcate (or interact) with HTTP services. I have started to use WinInet in my application (A console based one) to interact with Web Service but which leads me to write a SimpleHttp Client, which will support Http POST and Http GET requests. Although we can use WinInet directly but I have been missing the HttpClient like APIs from Apache, So i have tried to write one for me.

The architechtural overview for the same is presented in the following diagram

By the way people would love to use WinHttp Api. http://msdn.microsoft.com/en-us/library/aa384273(VS.85).aspx

Tips : Using openssl to extract private key ( .pem file) from .pfx (Personal Information Exchange)

PFX : PFX defines a file format commonly used to store private with accompanying public key certificates, protected with a password-based symmetric key (standard-PKCS12).
PEM : Openssl usages PEM (Privacy Enhanced Mail Certificate) to store the private key.
If you have the openssl then go to command promt and run the following commands (If not, download it from openssl, you can either download binary or source and then compile).

If you want to extract private key from a pfx file and write it to PEM file
>>openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
If you want to extract the certificate file (the signed public key) from the pfx file
>>openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem
To remove the password from the private key file.
>> openssl.exe rsa -in privateKey.pem -out private.pem
This is required as, at the time of exporting privateKey, you have added a password to the private key to secure it. If you left the password with it, it will keep asking the password as any application tries to access it.