Digital Certificate and Its Application in Security Testing

Source: Internet
Author: User
Tags: asymmetric encryption

0x00 Background

Security testing at the web layer inevitably involves a man-in-the-middle proxy to capture packets for analysis. Common tools include Burp Suite, Fiddler, and Charles. Their usage is well documented on the Internet, so I will not go into details here. However, when testing websites with high security, you may run into SSL communication problems. This article summarizes the digital certificate issues involved.

0x01 Digital Certificate

Digital certificates are used for identity authentication on the Internet. A secure site obtains a digital certificate after being certified by a CA (Certificate Authority); the certificate attests to the authenticity of the site's legal identity.

The digital certificate format follows the X.509 standard. (X.509 is a digital certificate standard developed by the ITU (ITU-T). It defines a strict CA hierarchy for issuing digital certificates.) Digital certificates are mainly divided into server certificates and client certificates. Server certificates (SSL certificates) are used for identity authentication and to encrypt communication. Client certificates are mainly used for identity authentication and electronic signatures. The following describes the structure and working principle of the digital certificate. The simplest certificate includes:

1. Certificate content
   a) Public key of the certificate owner
   b) Issuer information
   c) User information
   d) and so on
2. CA digital signature (the CA uses its private key to encrypt the message digest of the certificate content)
3. Signature algorithm

The main structure of a real digital certificate is as follows:


The detailed structure of the certificate content field is as follows:

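The three-part layout listed earlier (certificate content, signature algorithm, CA signature) is directly visible in a certificate's DER encoding. The following Python code is an added example, not code from the original article: it walks the outer ASN.1 SEQUENCE of a DER or PEM input. The function names, the `OIDS` table and `SAMPLE_DER` are constructed for illustration, and the sample is a skeleton, not a real certificate.

```python
import ssl

# OID 1.2.840.113549.1.1.11 in DER; extend the table as needed.
OIDS = {bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption"}

def tlv(tag, body):  # DER encoder, used only to build the constructed sample
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:  # long form: the low 7 bits count the length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def certificate_parts(data):
    """Split a certificate (PEM str or DER bytes) into its three top-level parts."""
    der = ssl.PEM_cert_to_DER_cert(data) if isinstance(data, str) else data
    tag, body, end = read_tlv(der)
    parts = children(body)
    if tag != 0x30 or end != len(der) or [t for t, _ in parts] != [0x30, 0x30, 0x03]:
        raise ValueError("not an X.509 Certificate SEQUENCE")
    (_, content), (_, alg), (_, sig) = parts
    oid = children(alg)[0][1]
    return {"content_len": len(content), "sig_alg": OIDS.get(oid, oid.hex()),
            "signature": sig[1:]}  # first BIT STRING byte is the unused-bit count

# Constructed skeleton, NOT a real certificate: placeholder content and signature.
SAMPLE_DER = tlv(0x30, tlv(0x30, tlv(0x04, b"\x00" * 200))
                 + tlv(0x30, tlv(0x06, next(iter(OIDS))) + tlv(0x05, b""))
                 + tlv(0x03, b"\x00" + b"\xab" * 256))
```

Passing the PEM text of the same bytes gives the same result, because PEM is the base64 form of the DER encoding.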

The CA's digital signature is the result of the CA encrypting the hash of the certificate information with its private key. Because the signature is produced with the private key of an asymmetric encryption algorithm, it cannot be forged, and the message digest also ensures the integrity of the certificate information. You can use the CA public key to decrypt the CA's digital signature in the digital certificate and so determine the authenticity of the certificate information. The general process for the client to verify the server certificate is as follows:

1. Has the certificate expired?
2. Is the CA reliable?
3. Can the CA public key correctly decrypt the CA digital signature of the server certificate, that is, the certificate signature value?
4. Does the domain name on the server certificate match the actual domain name of the server?

Most CA root certificates are pre-installed by the operating system and set as trusted certificates. A root certificate is an unsigned public key certificate or a self-signed certificate: one that a CA issues to itself, containing information such as the CA public key. Installing the root certificate of a CA means that the CA is trusted; it is the beginning of the certificate trust chain. Internationally renowned CAs include VeriSign, Baltimore, and Entrust. China Financial Certification Authority (CFCA) is a national authoritative security certification institution approved by the People's Bank of China and the national information security management institution, and is an important part of the national financial information security infrastructure.

Tips: the list of CA certificates built into some browsers: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/

0x02 Certificate Format

Common certificate files are in the following format:

Format    Extensions
DER       .cer, .crt, .rsa
PKCS7     .p7b, .p7r
CMS       .p7c, .p7m, .p7s
PEM       .pem (ASCII files, generally base64-encoded)
PKCS10    .p10, .csr (ASCII file)
SPC       .pvk, .spc

Common keystore file formats are as follows:

Format    Extensions
JKS       .jks, .ks
JCEKS     .jce
PKCS12    .p12
BKS       .bks
UBER      .ubr

0x03 Digital Certificates for Proxy Software

Proxy software such as Burp Suite and Fiddler can be used to intercept HTTPS traffic. They present a built-in SSL certificate to the client and act as an intermediary that forwards the data packets. Because the proxy's certificate is a self-signed root certificate that has not been certified by a well-known CA, it is untrusted by default, and the browser blocks the connection with a warning.

When testing with a desktop browser, you can add an exception to trust the proxy's certificate. For mobile testing, you can export the proxy software's certificate and install it on the mobile device so that HTTPS traffic from mobile apps can be proxied.

Export the Burp Suite certificate from the Certificate Manager of the browser:


In Fiddler, you can export the certificate directly from the options:


0x04 Digital Certificates in Mobile App Testing

Direct Installation

The digital certificate of the proxy software can be installed in the phone's system to make security testing possible for apps that use HTTPS traffic. To install the certificate on Android, copy the digital certificate to the sdcard directory, then choose Settings > Security > Install certificate from SDCARD.



The procedure on iOS is similar.

Import to keystore

Besides installing the proxy software certificate directly, note that some apps bring their own trusted keystore. As shown below, several bks keystore files exist under the /assets resource folder.


You can open the bks keystore with a tool, import the proxy software's certificate, and save it.


Of course, you can also use the keytool command line to import certificates.

Tips: In the Android system, the CA certificate file is located at /system/etc/security/cacerts.bks.

http://blog.csdn.net/haijun286972766/article/details/6247675

Modify detection code

Some apps directly verify the server certificate in the code.


You can reverse the app to obtain the smali code, modify the verification logic, then recompile and repackage the app to bypass the verification of the server certificate. For a specific case, refer to this blog: http://cih.so/?p=476

0x05 About Client Certificates

In addition to server certificates, some systems with high security requirements such as online banking also verify client certificates.


Client certificates are mainly used for identity authentication and electronic signatures. Generally, client certificates for online banking are stored in USB keys and cannot be exported or copied. If you can obtain a client certificate (such as a test certificate), you can also configure it in the proxy software. During the test, if the server checks for the user's client certificate and none has been set, the following message is displayed:


You can put the client certificate in the directory shown above.

Burp Suite can also set the client certificate:

0x06 About Android App Signature

The digital certificate used to sign an Android app does not need to be certified by an authority. It is a self-signed digital certificate generated by the developer. The certificate has a validity period, but Android only checks it when the application is installed. If the program is already installed in the system, its normal functions are not affected even if the certificate expires.

Android uses digital certificates to identify the application author and establish trust relationships between applications, rather than deciding which applications can be installed by end users.

Because malicious developers may use the same package name to impersonate and replace installed programs, signatures ensure that an installed app cannot be replaced by an app with a different signature.

In addition, the signature is used for verification when an app requests certain special permissions. Eclipse signs the apk with the debug certificate when debugging and compiling the app. After the ADT development plug-in is installed, Eclipse can sign the apk directly through the Android Tools graphical interface.


A META-INF folder is added after signing:

/CERT.RSA (including certificate information)
/CERT.SF
/MANIFEST.MF

View Android signature information

keytool -printcert -file CERT.RSA
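
In JAR-style signing, MANIFEST.MF records a digest for each file in the package, which is how a file modified after signing is detected. The following Python code is an added example, not code from the original article: it recomputes those digests for an in-memory sample package. It covers only the manifest layer and does not verify CERT.SF or CERT.RSA; `build_sample` and its file contents are constructed for illustration.

```python
import base64
import hashlib
import io
import zipfile

def manifest_digests(manifest_text):
    """Map entry name -> (algorithm, base64 digest) from a JAR MANIFEST.MF."""
    # Normalize line endings, then unfold continuation lines (leading space).
    text = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        for key, value in fields.items():
            if "Name" in fields and key.endswith("-Digest"):
                digests[fields["Name"]] = (key[:-len("-Digest")], value)
    return digests

def check_apk_manifest(apk_bytes):
    """Return entries missing from MANIFEST.MF or whose digest differs."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        manifest = apk.read("META-INF/MANIFEST.MF").decode("utf-8")
        digests = manifest_digests(manifest)
        for name in apk.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            algo, expected = digests.get(name, ("SHA-256", None))
            h = hashlib.new(algo.replace("-", "").lower(), apk.read(name))
            if base64.b64encode(h.digest()).decode() != expected:
                bad.append(name)
    return bad

def build_sample(dex, signed_dex=None):
    """Constructed in-memory package; the manifest covers signed_dex (or dex)."""
    digest = base64.b64encode(hashlib.sha256(signed_dex or dex).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                f"Name: classes.dex\r\nSHA-256-Digest: {digest}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", "")   # placeholders, not checked here
        z.writestr("META-INF/CERT.RSA", "")
    return buf.getvalue()
```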
