Category Archives: Cryptography

Azure and Let’s Encrypt certificate

In this post I will show you how to

  1. Create a sample .net core 3.0 website.
  2. Deploy a website to an Azure App Service.
  3. Assign a custom domain.
  4. Enable a Let’s Encrypt certificate.

Create a sample .net core 3.0 website

Startup Visual Studio 2019 and create a new project. Choose “ASP.NET Core Web Application” as your project template.

Create new ASP.NET Core web application

Press Create. Then choose “Web Application” .

Create an empty web application

Press Create and Visual Studio opens with an overview screen of your new ASP.NET Core application. Press F5 to see it in action.

Now it is time to publish (or deploy) your (skeleton) application to Azure.

Deploy website to Azure

Deploying your website to Azure is simple. Right click on the solution and select Publish. Make sure App Service and Create New is selected and press Create Profile.

Publish a website to Azure

Now we have to fill in the details for the App Service. Please fill out the screen as you see fit.

Create a new App Service

Press Create and wait for the App Service to be created (this could take a while). When the window closes the App Service is created. Now it is time to publish the website to this App Service. Press Publish.

After a few moments the website is published and Visual Studio will start a new browser and open the website from the Azure environment.

As you can see the site has a domain name of “frubelen.azurewebsites.net”. Now it is time to assign our custom domain name to this site. After doing this we can send our browser to azure.frubelen.nl (for example) instead of the azure domain.

Assign a custom domain

Now we are going to assign our custom domain name. First of all you will have to decide if you want to assign the whole domain to the Azure website or only a subdomain.

If you want to assign the entire domain (not a subdomain) to this Azure site you will have to create an A record at your DNS provider. If you only want this Azure site for a subdomain you should create an alias record, a CNAME record.

I have chosen to only send the subdomain azure.frubelen.nl to this site, so I create a CNAME record at my DNS provider:

Create a CNAME record if you want to redirect a subdomain to azure

After changing your DNS registration it takes some time before all DNS servers have received this change. To check if DNS servers have received the change you could send your browser to https://digwebinterface.com/

Now go back to the azure portal and navigate to your App Service and select Custom Domains.

Press on “Add custom domain”. Fill in your subdomain to redirect to azure. In my example it is “azure.frubelen.nl”. Press Validate to let Azure retrieve the DNS records for the domain.

If the DNS servers are updated Azure will let you add the domain; press “Add custom domain”.

As you can see the domain is added. The next step is to secure our domain with a Let’s Encrypt certificate.

Enable Let’s Encrypt certificate

Now it is time to add the Let’s Encrypt certificate to our domain. First of all you need a storage account; Let’s Encrypt stores its certificate information in this storage account. Go to your resource group (mine is FRUBEL_RG) and press Add. Type “Storage account” and select the item from the dropdown. Press Create. Type in a storage account name (I will use letsencryptfrubelen). Press “Review and create”, then press “Create”.

Next navigate to the storage account just created and select the “Access Keys” page.

Copy the connection string for one of the keys; you will need it later on. Now in the Azure portal go back to your App Service and select Configuration in the left navigation.

Now we are going to add two app settings to the App Service. Both have the connection string to the storage account as their value. Add the keys AzureWebJobsStorage and AzureWebJobsDashboard.

First create a new App Registration. Select “Azure Active Directory”.

Then select App Registrations in the navigation on the left and press “New Registration”.

Press Register. On the overview screen press “Add an application ID URI”. Then press “Add a scope”. Remove the default and fill in (in my case) “http://frubelen” and press “Save and Continue”.

Fill out the next screen as shown below and press Add Scope.

First, you need to install the Azure PowerShell module, which can be done through WebPI or the PowerShell Gallery.

Execute the Powershell commands below. It will create an App Registration in your Azure Active directory.

The commands above create an App Registration in the Azure Active Directory.

Next go to the App service and select Extensions in the left navigation. Add the Let’s encrypt extension. Press Add and search for “”

Select the Legal Terms item, press Ok and then press Ok again to add the extension. Then select the extension and press Browse. A new browser window will open in which you can configure Let’s Encrypt.

Go to your App Service and select Configuration on the left navigation.

Add the following App Settings:

letsencrypt:Tenant – the name of the directory you are working in
letsencrypt:SubscriptionId – the id of your subscription
letsencrypt:ResourceGroupName – the name of the resource group
letsencrypt:ClientId – the ApplicationId of the app registration (in the PowerShell, $app.ApplicationId)
letsencrypt:ClientSecret – the password (clear text)

Now go to the extensions page of the App Service and select Let’s Encrypt

In the screen that opens press Browse.

Fill in connection strings for the storage account and press Next.

Press Next.

Select the domain you want a certificate for, fill in your email and press “Request and install certificate”.

Your certificate is requested and installed. Now open a browser and navigate to https://azure.frubelen.nl. There you go: your site is secured with an SSL certificate.

Get certificate information with openssl

To display the information contained in a certificate, issue the command below:

Information about the certificate is displayed. Some important items are:

The Issuer is the CA that signed this certificate.

The validity period of the certificate. Remember to renew your certificate before it expires!

The subject of this certificate. The certificate can be used for a website with the given CN.
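As an added example (not part of the original post), the script below runs the openssl x509 inspection the post refers to against a self-signed certificate it constructs on the spot, and adds the check the renewal reminder calls for: is the certificate still valid N days from now? The hostname azure.example.test is made up.

```shell
#!/bin/sh
# Added example: inspect a certificate with openssl and check its remaining validity.
set -e
WORK=$(mktemp -d)
CERT="$WORK/cert.pem"

# Constructed sample: a self-signed certificate, valid 30 days, for a made-up hostname.
# For a live site, save the served certificate first, e.g.
#   openssl s_client -connect azure.example.test:443 -servername azure.example.test </dev/null \
#     | openssl x509 -out cert.pem
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout "$WORK/key.pem" -out "$CERT" -subj "/CN=azure.example.test" >/dev/null 2>&1

# The three fields the post calls important: issuer, validity period, subject.
cert_summary() {
  openssl x509 -in "$1" -noout -issuer -dates -subject
}

# Common name from the subject. Browsers match the hostname against the SAN extension,
# so for a real certificate also look at: openssl x509 -in cert.pem -noout -ext subjectAltName
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Exit status 0 if the certificate is still valid $2 days from now, 1 if it will have expired.
cert_valid_in_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

cert_summary "$CERT"
if cert_valid_in_days "$CERT" 14; then
  echo "ok: more than 14 days of validity left"
else
  echo "RENEW NOW: certificate expires within 14 days"
fi
```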

OpenSSL encrypt and decrypt files

With the help of OpenSSL you can easily encrypt and decrypt files. This method of encryption is of course also compatible with the openssl binaries you can download for the Windows platform. Use base64 encoding for better multi-platform exchange.

Encrypt

Encrypt files with the command below (you are asked for a password when encrypting):

Decrypt

Decrypt files with the command below (you are asked for the password when decrypting):

The commands above use base64 encoding for storing the encrypted data.
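The encrypt and decrypt commands this post describes, as an added example (not the author's own command lines): AES-256-CBC with a random salt, PBKDF2 key derivation and base64 output, round-tripped on a constructed file. The passphrase is given on the command line only so the script runs unattended; leave out -pass to be prompted, as the post describes.

```shell
#!/bin/sh
# Added example: password-based file encryption with openssl enc.
# Needs OpenSSL 1.1.1 or later for -pbkdf2; the legacy key derivation (one hash pass,
# no iteration count) makes passphrase guessing far cheaper.
set -e
WORK=$(mktemp -d)
PASS='correct horse battery staple'   # demo only; omit -pass below to be prompted instead

printf 'quarterly numbers: constructed sample data\n' > "$WORK/plain.txt"

# Encrypt: random salt, key derived with PBKDF2 (200k iterations), base64 armour (-a) so
# the result survives mail clients and the Windows openssl build alike.
encrypt_file() {  # $1 plaintext in, $2 base64 ciphertext out
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -a -in "$1" -out "$2" -pass "pass:$PASS"
}

# Decrypt with the same cipher and KDF parameters; both sides must agree on them.
decrypt_file() {  # $1 base64 ciphertext in, $2 plaintext out
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -a -in "$1" -out "$2" -pass "pass:$PASS"
}

# CBC gives confidentiality only: a tampered ciphertext is not detected, it decrypts to
# garbage or trips the padding check. Compare a digest of the ciphertext with one the sender
# passed over a trusted channel (or better, a signature) before decrypting.
digest_file() {
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

encrypt_file "$WORK/plain.txt" "$WORK/plain.enc"
echo "ciphertext sha256: $(digest_file "$WORK/plain.enc")"
decrypt_file "$WORK/plain.enc" "$WORK/roundtrip.txt"
if cmp -s "$WORK/plain.txt" "$WORK/roundtrip.txt"; then
  echo "round trip ok"
else
  echo "round trip FAILED" && exit 1
fi
```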

Public-key cryptography

You give other people your public (encryption) key. Other people can encrypt data with your public key, which only you can decrypt because you hold the private (decryption) key belonging to that public key.

Generate a key pair (private / public) with 2048 bits length:

Generate a password protected key pair (private / public) with 4096 bits length:

Generate the public key from the private key:

Create a symmetric key (base 64 for convenience) and store in file:

Encrypt the symmetric key file with your public key:

Decrypt the symmetric key with your private key:

Public-key cryptography, also known as asymmetric cryptography, refers to a cryptographic algorithm which requires two separate keys, one of which is secret (or private) and one of which is public.

Although different, the two parts of this key pair are mathematically linked. The public key is used to encrypt plaintext or to verify a digital signature; whereas the private key is used to decrypt ciphertext or to create a digital signature.

The term “asymmetric” stems from the use of different keys to perform these opposite functions, each the inverse of the other – as contrasted with conventional (“symmetric”) cryptography which relies on the same key to perform both.

The strength lies in the fact that it is “impossible” (computationally unfeasible) for a properly generated private key to be determined from its corresponding public key.

Thus the public key may be published without compromising security, whereas the private key must not be revealed to anyone not authorized to read messages or perform digital signatures.

Public key algorithms, unlike symmetric key algorithms, do not require a secure initial exchange of one (or more) secret keys between the parties.

Each user has a pair of cryptographic keys – a public encryption key and a private decryption key. Similarly, a key pair used for digital signatures consists of a private signing key and a public verification key.

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key encryption requires that you know which computers will be talking to each other so you can install the key on each one. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message.

The first major symmetric algorithm developed for computers in the United States was the Data Encryption Standard (DES), approved for use in the 1970s. The DES uses a 56-bit key.

DES has been replaced by the Advanced Encryption Standard (AES), which uses 128-, 192- or 256-bit keys. Most people believe that AES will be a sufficient encryption standard for a long time to come: a 128-bit key, for instance, can have more than 300,000,000,000,000,000,000,000,000,000,000,000 key combinations.

Cryptography notes, tips and tricks

Cryptography notes.

This article is about cryptography and asymmetric encryption / decryption.
It covers asymmetric encryption (a public / private key pair) and symmetric encryption (one key to encrypt and decrypt).

– distribute your public key
– keep your private key secret and private 🙂

Ask people who want to send you a secret mail to encrypt it with the public key. Only you, the owner of the private key, are able to decrypt it.

Install OpenSSL from http://slproweb.com/products/Win32OpenSSL.html (Visual C++ 2008 Redistributables and Win32 OpenSSL v1.0.1c).

Add the installation folder to your path and adjust the environment variable OPENSSL_CONF to point to your configuration file.

Asymmetric encryption of a file:
1. Create a private key and public key pair:
> openssl genrsa -out private.pem 1024
1a. Encrypt your private key:
> openssl rsa -in private.pem -des3 -out private-enc-key.pem
2. Extract the public key from this file (the public.pem, created below, can be freely distributed):
> openssl rsa -in private.pem -out public.pem -outform PEM -pubout
3. Encrypt a file:
> openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file_enc.txt
4. Decrypt the file with your private key:
> openssl rsautl -decrypt -inkey private.pem -in file_enc.txt -out decrypted.txt

Retrieve information about your private key (generated with genrsa command):
> openssl rsa -in privateKey.pem -text
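The "symmetric key file" steps in the Public-key cryptography post above and the rsautl steps here describe the same hybrid scheme. The script below is an added example (not the author's commands) that carries it through end to end with pkeyutl and RSA-OAEP, and shows why the symmetric key is needed: RSA by itself rejects any input larger than the modulus allows. File names are made up; pkeyutl replaces rsautl, which is deprecated in current OpenSSL releases.

```shell
#!/bin/sh
# Added example: hybrid encryption, RSA-OAEP wraps a random session key, AES-256 encrypts the data.
set -e
WORK=$(mktemp -d)

# Key pair (genpkey/pkey are the current equivalents of genrsa and "rsa -pubout" above)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/private.pem" 2>/dev/null
openssl pkey -in "$WORK/private.pem" -pubout -out "$WORK/public.pem"

# Direct RSA encryption. With a 2048-bit key and OAEP the input is limited to 214 bytes,
# which is why it is used for a key and never for the file itself.
rsa_encrypt() {  # $1 in, $2 out
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/public.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$2" 2>/dev/null
}
rsa_decrypt() {  # $1 in, $2 out
  openssl pkeyutl -decrypt -inkey "$WORK/private.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$2"
}

# Sender: fresh random session key (base64, as in the post), AES for the data, RSA for the key.
hybrid_encrypt() {  # $1 plaintext, $2 output directory (receives data.enc and key.enc)
  openssl rand -base64 32 > "$2/session.key"
  openssl enc -aes-256-cbc -pbkdf2 -a -in "$1" -out "$2/data.enc" -pass "file:$2/session.key"
  rsa_encrypt "$2/session.key" "$2/key.enc"
  rm "$2/session.key"   # only the RSA-wrapped copy leaves the sender
}
# Recipient: unwrap the session key with the private key, then decrypt the data.
hybrid_decrypt() {  # $1 directory holding data.enc and key.enc, $2 plaintext out
  rsa_decrypt "$1/key.enc" "$1/session.key"
  openssl enc -d -aes-256-cbc -pbkdf2 -a -in "$1/data.enc" -out "$2" -pass "file:$1/session.key"
  rm "$1/session.key"
}

# Constructed inputs: a small file, and one larger than RSA can take in one go
printf 'hello from the public-key post\n' > "$WORK/file.txt"
head -c 300 /dev/zero | tr '\0' 'A' > "$WORK/big.txt"

mkdir "$WORK/out"
hybrid_encrypt "$WORK/file.txt" "$WORK/out"
hybrid_decrypt "$WORK/out" "$WORK/decrypted.txt"
cmp -s "$WORK/file.txt" "$WORK/decrypted.txt" && echo "hybrid round trip ok"
if rsa_encrypt "$WORK/big.txt" "$WORK/big.enc"; then
  echo "unexpected: RSA accepted a 300-byte input"
else
  echo "as expected: direct RSA encryption of 300 bytes fails; that is what the session key is for"
fi
```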

NOTES

Privacy Enhanced Mail (PEM)

http://users.dcc.uchile.cl/~pcamacho/tutorial/crypto/openssl/openssl_intro.html

Display X509 certificate information in C#

Display information about an X509 certificate with this little C# fragment:

[sourcecode language="csharp"]
using System;
using System.Security.Cryptography.X509Certificates;

class App
{
    static void Main(string[] args)
    {
        if (args.Length == 0)
        {
            Console.WriteLine("Usage: Viewcert <certfile>.cer");
            return;
        }

        // Load the certificate (DER or base64 encoded .cer) from disk
        X509Certificate x509 = X509Certificate.CreateFromCertFile(args[0]);

        // Subject, issuer, serial, validity period, key algorithm, hash and raw data
        Console.WriteLine(
            "Issued to {0}\nIssued by {1}\nSerial# {2}\n"
            + "From {3} To {4}\nAlgo {5} Params {6}\n"
            + "Format {7}\n"
            + "Cert Hash\n{8}\nCert Data\n{9}\nPublic Key\n{10}",
            x509.Subject, x509.Issuer, x509.GetSerialNumberString(),
            x509.GetEffectiveDateString(), x509.GetExpirationDateString(),
            x509.GetKeyAlgorithm(), x509.GetKeyAlgorithmParametersString(),
            x509.GetFormat(), x509.GetCertHashString(), x509.GetRawCertDataString(),
            x509.GetPublicKeyString());
    }
}
[/sourcecode]

Check public key of MSI

For a project I have to test the signing of an MSI. The MSI has to be uploaded to a web server, and the web server has to test the signing status of the MSI. The code below saves the MSI file (from the upload control) locally. With the help of the X509Certificate class a certificate object is instantiated. SigningStatus is an enum.

[sourcecode language="csharp"]
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Configuration;
using System.Web.UI.WebControls;

internal enum SigningStatus
{
    NotSigned,      // no Authenticode signature found
    Signed,         // signed, but not with the company certificate
    CompanySigned   // signed with the public key configured in web.config
}

// Helper not shown in the original post; assumed here to take the base64 encoded
// certificate stored under the "PublicKey" app setting.
private static byte[] StrToByteArray(string s)
{
    return Convert.FromBase64String(s);
}

internal static SigningStatus GetSigningStatus(FileUpload fileupload)
{
    // Path.GetFileName strips any directory part the client put in the uploaded
    // file name, so the temp file always lands inside IprTempDir.
    string fileName = Path.Combine(
        HttpContext.Current.Server.MapPath(WebConfigurationManager.AppSettings["IprTempDir"]),
        Path.GetFileName(fileupload.FileName));

    try
    {
        // Save the file so it can be used in the constructor for the X509 certificate
        // (the constructor does not handle streams!)
        fileupload.SaveAs(fileName);

        // Extracts the signer certificate embedded in the MSI's Authenticode signature.
        // Note: this does not verify that the signature is valid over the file contents
        // or that the certificate chain is trusted; use WinVerifyTrust for that.
        X509Certificate2 x509msi = new X509Certificate2(fileName);
        if (x509msi.GetHashCode() != 0)
        {
            X509Certificate2 key = new
                X509Certificate2(StrToByteArray(WebConfigurationManager.AppSettings["PublicKey"]));

            if (string.Compare(
                x509msi.PublicKey.EncodedKeyValue.Format(false),
                key.PublicKey.EncodedKeyValue.Format(false)) == 0)
            {
                // Public key in web.config equals public key of uploaded file => company signed
                return SigningStatus.CompanySigned;
            }

            // File is signed but not with the company public key
            return SigningStatus.Signed;
        }
        else
        {
            return SigningStatus.NotSigned;
        }
    }
    catch (CryptographicException)
    {
        // No (readable) signature: the X509Certificate2 constructor throws
        return SigningStatus.NotSigned;
    }
    finally
    {
        if (File.Exists(fileName))
        {
            File.Delete(fileName);
        }
    }
}
[/sourcecode]
