SSL Complete Guide: HTTP to HTTPS | Bogdan Stashchuk | Skillshare

SSL Complete Guide: HTTP to HTTPS

Bogdan Stashchuk

Play Speed
  • 0.5x
  • 1x (Normal)
  • 1.25x
  • 1.5x
  • 2x
110 Lessons (10h 55m)
    • 1. 00 INTRO

      3:25
    • 2. 00 Section 1 Intro

      1:18
    • 3. 1 Overview of researches dedicated to SSL, TLS and HTTPS

      9:06
    • 4. 2 Overview of the certificates of some popular websites

      6:10
    • 5. 3 Difference between HTTP and HTTPS

      8:37
    • 6. 4 Analyzing traffic using Wireshark

      5:10
    • 7. 5 TCP IP stack by example

      7:51
    • 8. 6 Analyzing HTTP protocol using Wireshark

      6:05
    • 9. 7 Analyzing HTTPS and TLS using Wireshark

      5:23
    • 10. 00 Section 2 Intro

      0:34
    • 11. 8 Symmetric Key Encryption

      1:59
    • 12. 9 Symmetric Key Encryption Algorithms

      4:12
    • 13. 10 Hashing Overview

      6:57
    • 14. 11 MD5 hashing algorithm

      5:21
    • 15. 12 SHA hashing algorithm and HMAC overview

      5:32
    • 16. 13 Asymmetric keys overview

      2:15
    • 17. 14 Encryption using asymmetric keys

      2:55
    • 18. 15 Signing data using asymmetric keys

      4:37
    • 19. 16 RSA Overview

      2:29
    • 20. 17 PKI Public Key Infrastructure Overview

      3:52
    • 21. 18 Certificate overview

      4:37
    • 22. 00 Section 3 Intro

      0:58
    • 23. 19 Installing OpenSSL

      1:17
    • 24. 20 Using OpenSSL for RSA keys generation

      9:06
    • 25. 21 Exploring certificate of Instagram

      10:11
    • 26. 22 Exploring certificate of Google

      4:38
    • 27. 23 Exploring certificate of Comodo

      5:58
    • 28. 24 Root CA and root certificates in the OS

      8:16
    • 29. 25 How Chain of Trust is built

      8:30
    • 30. 26 Verifying chain of certificates

      4:56
    • 31. 27 Verifying SSL certificate and certificates chain

      10:53
    • 32. 28 PKI, Chain of trust and certificates summary

      3:30
    • 33. 29 Certificate domain scopes

      2:55
    • 34. 00 Section 4 Intro

      0:48
    • 35. 30 Introduction to the SSL and TLS

      2:44
    • 36. 31 History and versions of the SSL and TLS

      7:15
    • 37. 32 Why RSA is not used for data encryption in HTTPS

      3:48
    • 38. 33 How TLS session is established

      4:36
    • 39. 34 Analyzing TLS session setup using Wireshark

      13:12
    • 40. 35 Overview of cipher suites

      5:05
    • 41. 36 Encryption key generation by the web browser

      4:15
    • 42. 37 Delivering encryption key using Diffie Hellman key exchange

      3:14
    • 43. 38 Diffie Hellman overview

      2:48
    • 44. 39 Modulus operation

      2:38
    • 45. 40 Diffie Hellman algorithm

      8:38
    • 46. 41 Elliptic Curve Cryptography Overview

      1:53
    • 47. 42 Point Addition on Elliptic Curve

      5:47
    • 48. 43 Multiple Point Addition

      4:40
    • 49. 44 Point Doubling and Optimization

      5:58
    • 50. 45 Elliptic Curve Discrete Log Problem

      3:26
    • 51. 46 Comparing formulas

      2:50
    • 52. 47 ECDHE Elliptic Curve Diffie Hellman Exchange

      5:47
    • 53. 48 Exploring ECDHE with ECDSA

      9:57
    • 54. 00 Section 5 Intro

      0:18
    • 55. 49 Free domains overview

      1:56
    • 56. 50 Setting up free domain and hosting using GitHub Pages

      9:43
    • 57. 51 Exploring TLS session with our website at Github

      8:10
    • 58. 51 Exploring TLS session with our website at Github

      8:15
    • 59. 00 Section 6 Intro

      0:38
    • 60. 52 Planning next steps with Paid Domain

      1:59
    • 61. 53 Buying a domain

      10:56
    • 62. 54 Setting up free hosting

      12:19
    • 63. 55 Overview of the TLS settings at the free hosting

      5:06
    • 64. 56 OPTIONAL Trying to install free Letsencrypt TLS certificate on free hosting

      16:02
    • 65. 00 Section 7 Intro

      0:50
    • 66. 57 VPS vs Dedicated Server

      6:44
    • 67. 58 Hosting Services Overview PART 1

      6:33
    • 68. 59 Hosting Services Overview PART 2

      8:42
    • 69. 60 Buying a droplet at DigitalOcean

      10:36
    • 70. 61 Launching Wordpress website with HTTPS

      12:32
    • 71. 62 Exploring our brand new TLS Certificate

      6:51
    • 72. 63 Finishing Wordpress installation

      3:15
    • 73. 64 Let's Encrypt and Certbot Overview

      9:57
    • 74. 65 Exploring TLS certificates via shell

      11:46
    • 75. 66 Exploring certbot configuration and testing renewal

      12:11
    • 76. 67 What we have got so far

      2:24
    • 77. 00 Section 8 Intro

      0:29
    • 78. 68 Reverse Proxy and Cloudflare

      5:34
    • 79. 69 Overview of the current setup

      1:18
    • 80. 70 Moving our website to Cloudflare

      8:44
    • 81. 71 Exploring free TLS certificate from Cloudflare

      3:33
    • 82. 72 Exploring TLS settings at Cloudflare

      5:20
    • 83. 73 Cloudflare SSL Operation Modes

      14:27
    • 84. 74 Flexible SSL Operation Mode at Cloudflare

      13:22
    • 85. 75 Off SSL Operation Mode at Cloudflare

      6:51
    • 86. 00 Section 9 Intro

      0:26
    • 87. 76 Current Setup and planning next steps

      1:49
    • 88. 77 Installing Nginx web server

      14:02
    • 89. 78 Configuring Nginx web server

      11:41
    • 90. 79 Setting up Cloudflare Origin TLS certificate

      17:25
    • 91. 80 Cloudflare summary

      2:22
    • 92. 81 Disable Cloudflare

      7:29
    • 93. 00 Section 10 Intro

      0:23
    • 94. 82 Current Nginx server setup overview

      3:12
    • 95. 83 CSR Certificate Signing Request

      5:01
    • 96. 84 Generate Self Signed certificate using OpenSSL

      14:06
    • 97. 85 Self signed certificate overview

      3:01
    • 98. 86 Cloudflare and self signed certificate

      5:32
    • 99. 00 Section 11 Intro

      0:35
    • 100. 87 Paid certificates overview

      8:58
    • 101. 88 Getting 90 days valid free TLS certificate

      16:11
    • 102. 89 Installing Custom TLS Certificate

      7:04
    • 103. 90 Analyzing our new custom TLS Certificate

      4:11
    • 104. 91 Our TLS Setup is not complete

      6:53
    • 105. 92 Installing TLS certificate of intermediate CA

      6:38
    • 106. 93 HTTP and HTTPS versions of website

      3:12
    • 107. 94 Configuring 301 Redirects to HTTPS

      9:53
    • 108. 95 Custom TLS Certificate Summary

      2:24
    • 109. 96 Cleanup

      5:10
    • 110. 97 Summary

      0:54

About This Class

This course is all about securing websites with SSL/TLS certificates.

Become a master of HTTPS, Let's Encrypt, Cloudflare, NGINX and SSL/TLS Certificates.

This is the most complete practical SSL guide that includes tons of practical activities. All practice exercises are performed on a real domain and real hosting and finally you will get production ready solution with HTTPS setup and redirection of HTTP to HTTPS. You can have zero knowledge about computer networks, encryption, configuration of web servers. All will be taught from scratch, from simple setup to complex solution. If you want to get deep knowledge of SSL and HTTPS this course is for you!

We will start by exploring basics of symmetric encryption algorithms like AES,  asymmetric encryption RSA, hashing protocols MD5 and SHA.  Also I will explain you fundamentals of computer networks, TCP/IP stack and for that we will use Wireshark traffic analyzer.

You will learn what is the structure of the SSL/TLS certificate. Also you will understand why CAs (Certificate Authorities) are needed and how chain of trust is built.

In practice sections we will perform multiple practice activities:

  1. Buy a domain and configure DNS settings

  2. Use Certbot ACME client to automatically obtain free SSL certificate from Let's Encrypt

  3. With help of OpenSSL generate RSA keys, self-signed certificates

  4. Secure Wordpress with Apache using SSL/TLS certificates

  5. Create CSR (Certificate Signing Request) by OpenSSL and submit CSR to CA server

  6. Configure Cloudflare for your domain and setup different SSL modes of operations

  7. Install and configure NGINX web server for SSL/TLS certificates

  8. Migrate from HTTP to HTTPS

  9. Redirect all traffic using HTTP 301 redirect from HTTP to HTTPS

With this course you will get lifetime-long access to 100 lectures and tens of practical exercises. After the course you will become a guru of SSL and TLS encryption and will be able easily obtain and install SSL certificates on your web servers.

Don't wait and join the course now!

Transcripts

1. 00 INTRO: Hello and welcome to this Cars Discourse will cower everything that you need to know about as a cell. Tele certificates, https, protocol and encryption. Well, where am I? And why? I have decided to create the schools. My name is Bob Gansta shook and before I was a working go Jordan, about 67 years as a Cisco Security Network engineer. Also, I was teaching Francisco security courses and last 34 years, I am working primarily as software developer, and I have decided to combine my knowledge about computer networks, computer security and programming in discourse in order to give you strong knowledge about ability, toe and cream to data between your Web servers and your clients. Well, who are you? You may be. Eyes are simply owner off website who hosts it on one off hosting providers. Or you may be Dev ops, engineer or responsible for deployment off software to Web servers and configuration off those Web seras. All of you know that security is crucial. Part off Internet and most science are over the Sarah or https and http is considered insecure, and it is not recommended to use. And then this girl's I'll teach you how to enable https for any website and how to stop as a cell TLS certificate. Well, look our different options off as a selfie, lest certificates such as Let's Agreed certificates that are free. You will learn how to use surfboard acne client that always uto obtain certificates from let's and creep automatically. We will also discuss how toe use Cloudflare or service that is actually rather strokes it with ability toe provide free TLS encryption and off course. We will greed certificate signing request and get your own certificate for your own website . We will install different SSL Tila certificates on riel Web servers on riel domain, and we will use primarily Mobuto operating System and Sigh software as NJ Annex and a Parcher, and this girl's is really hands on girls and it contains a lot of different practice activities and the stronger command you to follow me along. We will start by occurring some heretical stuff about encryption about Haitian l greetings about generation opposite your keys using elliptical cryptography and so wall, and after that we will move to practice activities. We will buy own domain and buy bait hosting. No worries. It will ghost around 6 $10. So let's get started and I hope to see inside by Theo 2. 00 Section 1 Intro: welcome to Distrust Introduction section here. I'll explain you why it is so important. Toe and greet traffic between Web servers and Web plans. I'll explain the difference between http and https protocol. Also, I'll dive a beat in computer networks and explain you what is DCP a big stack. After that, we will analyze several dealers certificates off popular Web sites such as Google and Facebook. And for that we will also use wire shark. And this program allows you to capture all traffic that goes from your computer and back, and you'll see that if you will use http protocol, everyone who will be able to capture traffic between your computer and Web server will be ableto easily read it with https this much, much harder or even impossible, because traffic is ingredient. Okay, let's get started. And we will start by looking at somebody's Georges that show you importance off using encryption in computer networks, and you'll see that percentage off websites that use https constantly grows. So let's get started 3. 1 Overview of researches dedicated to SSL, TLS and HTTPS: Hi. In this lecture, I would like to share with your results off some analyses that were made by some companies that have analyzed most popular websites in the world. And here's the article dated as off sort September 2018. And here you see that more than 50% off all web sites in the world use actually, https protocol. No worries. The later on in the course, I'll explain your difference between http and https, but for now, you should know that https is secure. Version off. Http and old data. The descent from the website disserved over https is secure. It means and greeted. So in this research, I would like to show you this diagram that shows you constant growth off percentage off the websites that direct from http to https and you see constant grows from 2016 till July 2018 . It is actually not the most recent information, but it shows the trend. And as of July 2018 you see that more than 40% I assume around 50% off all web sites where using https, let's know, examine other research that was made by qualities as a cell lobs and his more recent. And this researcher was made on Lee among most popular sites in the world that have already as a cell and tell us and creeps and enabled. And here in this security summary section, you can see that the only 15% off all surveyed websites have other quad level off security . It is great a plus. This means that enabling a cell tell us is not a guarantee that your side is fully secured . For instance, you see that 33% off researched websites have in the squad level off security, and it means that something may be wrong Quiz TLS and a cell configuration on the website. Okay, here on this diagram, you see also as a cell great distribution. And there are different grades A, B, C, D and F, and around 7% off. All websites have great f. It is ah, lowest possible great and most websites great A or A plus. And is this the way you sedate are about 150,000 websites that have SSL enabled and this list is actually Alexis least off most popular science in the world. He had down below. You can see other analysis. For example, some certificates chains are incomplete. We will talk about Jane's later on down below. You can see key strengths distribution, and you see that 90% off websites generate keys that have lancs 2048 beats down below. You can also see other diagrams and the moment I will dive deeper. I just wanted toe show you. General picture conclusion here is following Even if website has a cell TLS encryption enabled, it is not a guarantee that it is fully secured. Onley 66% off. Such websites have other quad level of security. Others may have some issues with security. Let's look at another analysis and this article is dated as off February 17 2016. But it is still relevant, and in this article, you can read about results off for https settings analysis or for 10,000 most popular domains, and this analysis was performed by a sheriff's, the most popular resources for CR search engine optimization and using the service, you can analyze any website it's Rankin's and someone. But here in this article, they talk about https, and here you see some key findings. And here you see, for example, that around 60% off websites that were tested in 2016 didn't have as a cell encryption. No, As you have seen from other researchers, this number is around 40% because around 60% off all Web sites now actually use https. Also, some websites may have both http version and https version. And if there was https version available, it is very important to set up correct redirect from HDP toe https and that is usually done using special called http Cold 301. It is permanent redirect, but some websites incorrectly use temporal redirect with cold 300 to. And here you see that even Google uses sometimes gold 300 to this temporal redirect instead off 301 permanent or direct. Okay, let's go down. And here on those diagrams, you see that over 90% off top 10,000 domains have a sub optimal https implementation. What does it mean? It means that those websites may use obsolete and corruption algorithms or support old versions over TLS or SSL. Also here on this diagram, you see that issue DBS was not working correctly on over 65% off for top 10,000 domains. It means that even if HDB s is supported by website, it is not a guarantee that the set up is fully correct and fully secure. What game? Let's go down and you see that 23% off websites didn't use communicable Https version communiqu Eliza special make attack on the HTML page that tells where browsers that canonical version off the HTML page must be served over https. Also here you see that one off four domains were using temporal redirects instead of permanent redirect. Okay, let's scroll down. And here you can take your time and read this article on your own. And also here. I wanted to show you important diagram that shows us distribution off the websites over positions in the Google search and dependency off the position in the search results own https protocol. And here you see that more than 25% off all websites that are shown as the first position in the future results are served over HDB s. And that means that Google also gives more credit to websites that several content over https in opposite websites that Sarah content over http. Okay. And here, down below. You can read some recommendations on how websites should be set up toe satisfy all or recommendations regarding https protocol usage. Okay, That was just short overview off different researchers and conclusion is following. Each year, more and more websites are migrated from http toe https and most websites. Most popular websites are served on Lee over https and all requests. Toe http protocol automatically redirected toe https. And that is made using special issue to be response. Gold 301 permanent. Redirect. Okay. In the next lecture, let's look at the some most popular websites, such as Google or Instagram, and lessen Elias House. They use https protocol and let's see how, as a self certificates looks like. So see you in a moment. My by 4. 2 Overview of the certificates of some popular websites: Let's no look at the some Most popular websites is a rolled and let's examine. Where are they used, Https or not? Let's first look at google dot com. And here you see that Google Chrome uses https protocol, and this small look I come is indicator of that. You can click on this icon and you'll see information that connection is secure. And that means that all information to descend or received from this website, for example, passwords or credit card numbers or some singles is always private and cannot be intercepted by someone else. You can click here on your mom and read some additional information on this indicator that tells us that connection is secure. There are also other options, such as in for or No secure and north, secure or dangerous. And the next lecture, when I will show you difference between http and https protocol, you'll see this information sign. For now. Let's get back to this webpage and less click again on this Look, I come and let's click on certificates. Here you see in Brandis is that this certificate is well it and there are several criteria that I used to the timing Where's our certificates is valid or not. For example, each certificate has valid time. And if current time is out off the range off the validity period off the certificates, you'll see here warning that certificate is invalid. Let's click on certificate here and ah, in the pop up window, you'll see information about certificates that is used by current website and here, for example, You see that the certificate was easier by global sign certificates also read him. There was also intermediate authority cold Google Internet Authority, J Stream. And this intermediate certificate authority has actually issued certificates for this website here. You see that this certificates is wild card. That means that it can be used for will dot com and for all its sub the mines. No worries. Now I will give you just a short overview off certificate structure and later on Strauss the girls, I'll explain all parts off certificates in details here. You also see expiration date off this certificates and till this date you certificate will be easier and this certificate will be actually deleted. I am recording the schools in March 2019 and that means that there was some time till this expiration date. Also, if you want to look at the tails off this certificate, you can click here on details and here you'll see such sections as subject Name is your name Zan Public inform extensions. And so what? Also, if I will scroll down at the very end off certificates, you'll see Finn grow prions shot 256 and shot one. Those fingerprints are cold. Cash is off certificated and they I usedto verify integrity off certificates and you are able to take certificates. Creator Harris using same l greeting, for example Shah one and compare toe hash us. No worries. We will talk about cashing l greetings later on in the course. For now, please keep in mind that area certificate has fingerprints and they are used for integrity . Jack Off certificate. Okay, let's close this window and less navigate. For example, toe instagram did come and check whether this website uses https and yes, in dust. You also see, here's this look, I can let's click on it again. You see here message connection is secure and certificates is well it let's click again at certificates and here you see certificated chain for this website and ah, certification authority that has issued this certificate is called D Josep High Assurance route. See a There was also intermediate. See, a Here it is. And this intermediate See, A has east your certificate for this domain. And here you see the difference between certificates for instagram that home and google dot com and difference is here. And that means that the certificates may be used on Lee for website instagram that home with www practice and here we seize it. If you'll try to access Brochin without three W's like that Last press enter, you will be automatically redirected to subversion with three W's. Okay, let's Ah, look at the details off this certificate. Click on details here and ah here. Same as in previous certificates at google dot com. You see subject name you see is your name. You see, public inform and so one also. Same as for previous certificates. At the very end, you'll see fingerprints that I used for integrity Jack off certificates itself. Okay, that's all for this lecture and the next bomb. We will talk about difference between http and https protocols. So see you in a moment. Bye bye. 5. 3 Difference between HTTP and HTTPS: Now it's time to explain difference between age to be protocal and https. For that, let's analyze one off websites that we have already explored. For example, instagram that come and let's find any website that the still served over http was that so ? Let's simply a type of sites request as http Web site legs that enter and ah, here, for example, or hear example dot com. We will see website that the served over http and here immediately you see warning not secure. And if I click on this icon, you'll see message. Your connection to the site is not secure, and you shouldn't enter any sensitive information on the side, for example, passwords or credit cars. And that means that entire communication with this website is unencrypted, and everyone who will see to between you and does this website may capture and read information, and you'll see that in one of the next lectures, where we will analyze network traffic that is sent from your computer. For now, let's explore this website and instagram dot com in order to show you the difference between those two websites. Let me open up, Inspector. You can do that by press and right bottle off the mouse and click here, Inspector. And here this panel will be opened. It is called Google Chrome Developer Tools, and we need network. Tap this one and the While you are on the step, let's make it actually larger. Let's refresh webpage, weaken consists or a fresh bottle. I come for a fresh and here you'll see a bunch off requests. For example, here was request for JavaScript file or here down below. You see a requests for images here. This extension dot PG indicates that we are the lording image. You can also feel thereby content type. For example, if you click here image, you'll get Onley least off images that were downloaded on this particular webpage. You can click on any of the images. For example, let's click on this one and click here Preview and you'll see preview off the image that was actually the lorded. And this image is the shown here on the main page. Okay, let's ah closest and let's analyze. For example, GS files and the GS stands for Jonah squeaked, and it indicates that we don't Lord jobless food files you see here by default such cones as name off the file is and status that indicates gold off. The response from the server and the cold 200 means that resource was served successfully, and it is a successful response from the Serra here in this column. You see diaper off the results, and we can analyze such types as images, and here in the comb type, you'll see extension off a particular image. So here with J pack extension and here below, you see several PNG images. Let's also filter by documents. Let's click on the dog here and now you'll see least off for HTML files that were the lorded for this particular webpage and first file with this name. Question Mark H l equal. Sign em. I didn't defy us actual html document that was downloaded and this document is actually shown here. You can click on the response here and you'll see html file that start with opening html Tech and ends with closing html Tech here at the top. Oh, you see, for example, title off the work page and it is instagram and this title you see here as well as a top. Okay, that's ah, how you can explore different files that, well, don't lauded for specific webpage. And let's actually do following. Let's expand least off the combs that will be displayed here in this table. For that, you can simply click on the right bottle off the mouse on one off the hitters off the column. And here you will see goal names that are selected by default and let's add to the selection scheme again, right? But a mouse click and the left at domain. Okay, now there are additional combs so that he appeared after the selection. And here you see, for example, comb gold scheme. And in this comb you see which protocol was used for serving particular file. For example, this JavaScript file was downloaded over https. Same for other files. Those PNG images where also downloaded over https. Let's also explore this domain com and in this column you'll see actual domain where each file was downloaded from, and you see that most files were downloaded from the main parent domain, www dot instagram dot com. But some resources, for example, those Logan client events that actually x h r request. We will talk about them later on. You can see that they were the Lord from the graph dot instagram dot com And that is a nozzle domain. If I'll scroll down, you see that another files, for example, those way. I don't Lord it from www dot facebook dot com. And it means that each website is actually a set off the files that I usually don't lorded from different domains. And for this particular small webpage, there were sortie request to different websites and total science off All files east one comma, six megabytes. Okay, let's no go toe example domain. This one recap that it is served over Http and let's open up Google developer tools here. Right, but a mouse click and inspect. And let's same as for instagram that come, let's click on the network tab and last for a fresh webpage here. And now you see only one request here. Request for HTML document and notice. That scheme here is http, not https. And if I click on this document and click here on the heather step, you'll see that actual request toe. This website was made toe this idea dress and this sport support is a d. And if I will do the same on instagram dot com website Wesley here by documents and click on this first file and click on the headers here. You'll see that port is for for three. And that is the difference between https and http. So Burt for https is 440 stream and port for http. Protocol is 80 and those pores are TCP bulls about what is disappear. Let's talk about TCP and the entire TCP I be stack in the next Lasher. And for that you will don't Lord program called wire shark that follows us toe. Analyze Entire web Traffic is a descent from your computer and back. So see you in the next lecture. Bye bye. 6. 4 Analyzing traffic using Wireshark: Okay, let's leave those two taps open. And now let's install program called Wire Shark. So lets navigate tow wire sharp that come. And the Lord this program. So what does wear a shark wire? Shark is a program that lows you to capture traffic that descend from your computer and back. And then this lecture using this programme, I will show you difference between http and https protocols. Wire shark is available for Windows and MacOS. So let's click on Send a lot and the ill don't Lord Mac OS version. And if you are on Windows, you can choose Windows installer and make sure that you will choose Eyes are 64 or so to beat version depending on your operating system. So let me click on the Mac OS version. Okay. File was downloaded. Well, sir, click on it. And now I will quickly go through the installation. So let's double click on the p k g file. And here Klay continue again. Continua agree with license and install. Let me try my best world installed software. Okay? Installation was successful. Who has closed and let's move the trash eats installer. Okay. Why are shark was successfully installed and no, let's open it up. So here, using sport light, I'll find it. So why are shark press and arm and program was successfully opened? Okay, what you should do now. Now you should choose particular interface that wire shark will use for capture off the traffic. I am currently connected using wireless adapter, and that's why I'll click here. Why, if I as a net zero And here when I hold her over this adopter, you see it's Mac address and I d address in a moment. I'll explain you what those addresses mean okay with choose it. Double click and here capture or the traffic will be started immediately. Let's get back to Google Chrome and here let me close this step. I don't need it anymore. And let's maybe get back toe instagram dot com and let's click here. Refresh to refresh. Let's wait until you'll be fully loaded and let's never get back Toe wire shark And here, no less breast. All the store bottom and capture will be stopped. So here you see, least oh, for all brackets that toe wear send from my computer and back, we need to find entire conversation that a cure between my computer and instagram that come for that We need to first find out which I be Address was used by instagram dot com For that we can click, for example, on this document and ah, in the head of section you'll see actual i p address off Instagram don't come. Also, we can find out which i p address is used by particular website using a nasty look up and you should use it in their terminal so I can open up terminal and the type here and s look up three W's instagram dot com Enter and here you'll see known Authoritative answer. And here was maybe address that is used by this website and this AP address matches this one that we see here in the header rows section. Okay, No, our goal is to future those results in the wire shark by this I p address. Let's go up. Is this I p address control seem and plus get back to wire a shark And here we can feel her those results by i p address for that. Let's click on this small drop down icon And here choose option b dot other to equal science. And instead of this iBeam let me based corporate one so entire expression we'll look like this. I'd be dot other to equal science and corporate. I'd be address. So let me make it smaller and last breath enter. And now you'll see entire conversation that acute between my computer and instagram dot com . And here you see that protocol that was used East eyes or TCP or DLS? Okay, let's make a short balls now. And the next lecture I'll explain you structure off each packet and I'll explain you what his i p what is TCP and what is https? Actually. Okay. See in a moment by buying 7. 5 TCP IP stack by example: in this lecture, I would like to explain you structure or for each year packet. And for that I'll use wire shark. And here you see bikes or for a request from my computer, for example, this one So source is my computer. My AP address and destination is I'd be address off the remote website and here on the next line, you see response. So now source is I'd be address off the remote computer and destination is mine. I p address. Okay, so here you see TCP Protocol and DLS protocol. Let's examine throws trick West off the TCP Protocol and let's make this section larger and let them unify this bottom window like that. So here you see structure off the packet that was sent initially from my computer toe remote computer and Zahra several handles in this packet frame header, as on a to heather Internet protocal, Russian four header and transmission control protocol. Heather. Let's expand this transmission control protocol section. So click here on this arrow and you'll see the tales related toe TCP Protocol. And what I want to explain you here is that we are using for transmission source and destination for us so sore sport is chosen by Sandor randomly and this broad is always larger than 1024. And destination port, in this case is 443. And you already know that this sport is used for https protocol. Also here in this packet, Zahra Flex. So actually there was a single flag. It just seen flag. And this flag is related toe set up off the new TCP session. And if you will look at those throws three man suggests this one this one and this one you will see entire conversation related toe set up off the brand new TCP session and it is actually set up using three way handshake with a different set of flex. So if you roast request contains only seen flag response contains scene and our flags. And after that initiator or the session sends request on Lee with art flak. So here uses it. But main point here is that port that is used by Ramon Serra is always 443. So I sent requests toe this port and server response from the sport. So here in this second packet, you see that sore sport in this packet is fraught 143 and Destination port is mine. That was used for euros. Bag it here. Okay, that is TCP Protocol. It also has a bunch of ours or information, for example, window size and so on. But now I don't want to dive deeper and let's move on and let's look at ours are headers and let's expand Internet Protocol Version four header So short it is a P V four and here you see information related toe be addresses. So here source AP address is a P address that is used by my computer and destination AP Address is I'd be address over the remote server also in this header. You see, for example, total length off the header. Some flags don't frogman flak, for example. Time to leave and so one. Also in this header, you see information about next header next in terms off encapsulation Next header, for I'd be before Heather is TCP header and we have already explored it. So on this layer there was information related toe baby addresses and this layer is responsible for delivery off each packet and ah, special devices called routers that are placed between my computer and remote server used wrote this packet based on the destination AP address Toe He's destination. And when any packet is sent back from the remote server, for example, this one my i p address is used for delivery off the back. It actually. In fact, my AP address is private I p address and somewhere on the path Net address Translation A. Cures Sonett is network address translation and this private AP address will be replaced with public I p address. But it is a subject for us. Of course. For now you should understand that this heather be before Header is used for routing off each packet. Okay, lets no look at this candor as they're not too. And ah, in this Heather, you see information about Mac addresses that's actually analyze another packet that was originated by my computer for examples this trust one. And here you'll see that source Mac address. He's mine. I p address off my computer and each Mac address consists off for 16 hacks and XML numbers . And first health is used as identifier off man affair show. So this Mac address is always hard coded in the adapter, so here I have selected make address off the router that is used for transmission off the data from my computer toe, Internet. And here you see My Mac address. And it is Mike address off my wireless adapter. And because it was manufactured by Apple, you see, here is this Apple graphics. And that means that using euros half off each Mac address, you can easily identify manufacture off specific adopter. Okay, that was as our Matt Handwara. And if I click on the frame, you'll see actual data that will send over the wire. And here in this header, you see some information related toe actual transmission off the data over wireless or wired network. Okay, lets unifies this caterer and left shortly. Summarize for each packet consists off several handles and, ah, each new header is added at the top off. Previous Keller, for example, throws we add TCB Hendro on top of it, we add, I'd be Russian four Heather. Additionally, due this heather, we add as a net to heather. After that, we add some information related to actual transmission over the vire and send data over viral IHS or Wired Network. That's how in a few worlds. Actual transmission, they explains. Okay, but we are interested in analysis Off Http and https Protocol. Let's Ah, roast. Start with analysis off http. Protocol but less with it after the small pause. See you. 8. 6 Analyzing HTTP protocol using Wireshark: in the previous lecture, I have explained you structure off each packet and now you know what is TCP Port? Water I p addresses sorrows and destination and what our Mac addresses sorrows, make address and destination. Mac address. Let's now try to capture data that will be send via http protocol. For that, I'll navigate back toe example dot com website and here you'll see some text on this webpage example. Domain. This domain is established to be used for illustrative examples and documents, and so and let's no try to capture entire data that will be sent toe this website for that . Let's get back to Wire Shark and let's relaunch it. Let's click on this blue icon. So left the continued results saving and let's get back to example, the comb and less refreshed weapons. So data was reloaded. And now our goal is to find out which I p address was used by this website. We can do that in two ways. Eyes are in network tab and click here on example to come and find this I p address here in the heterosexual or I can navigate Tau terminal. Let me clear it clear and type. Here s a look up example dot com Enter and here I'll find this I p address as well. So those i p addresses match Okay, lets no Corp is this I p address. Get back toe wire shock. Let's actually stop Camp charm And let's instead of this AP address based corporate one legs that less breast anthem And now you'll see conversation that acute between my computer and the server that hosts this website example Don't come. Okay, Now let me make this a section smaller. And here you see TCP protocol related data and http protocol related data. And if you click here on this packet, you see not only TCP together, but you also see hypertext transfer protocol header. Let's click on it. And here you'll see. For example, get request that was made toe remote server example dot com Here, down below, you see user agents drink that, identify us my web browser. And here you see that I was using Karam where? Browser and down below. You can jump toe response from remote server and this response will send in another frame. And if I'll scroll down, I can actually find this response this one and Ah, let me scroll up. You'll see here called off the response from the Sarah It is 200. Okay, And that means that response was successful. And the server has actually sent me data in Jay Z Former And this data is actual where Page that was requested by my computer. And if I'll make this section larger, you'll see such and coated response. It looks completely unreadable. But if I'll click here on the UN compressed entity body here, I can actually read response from the server. So here was HTML document that was sent by Sarah back to my computer. And here, you see, for example, H one html Tech Example. Domain left going back to the website. And here you see this H one hander. Let's actually click here on the response column and let's make it larger. And here you'll see same information. For example, let me scroll down. You'll see h one html Tech, and here was example domain. Let's get back to wire Shark. And here you also see this B tech and sentence. This domain is established to be used for illustrative examples and so one and that is exactly the text that appears here on this webpage. What does this mean? This means that you can capture and die a conversation between your computer and remote several. Because old data is sent in plain text and any computer the displaced between your computer and remote server, we'll be able to read this entire data on this page. There was no sensitive information, but if you'll dry toe, send for example, email or password over http, they will descend in clear text and could be easily captured by someone else and used for some purposes as a gain access to the system gain access to mail books. And so one. Okay, that's how data is sent. Using http protocol and again, old data is sent in clear text, and you have seen justice using wire shark applications. If you want, you can analyze other websites and become more formula with wire shark for no. Let's rip up this lecture and the next one. Let's analyze https and you'll see that. In fact, https is a CTB over DLS. So see you in a moment. Bye bye. 9. 7 Analyzing HTTPS and TLS using Wireshark: Now let's try to read information from https communication. For that, let's restart our capture so continue without saving. Let's go back to Google Chrome. Let's close this step and let's open up connection to, for example, facebook dot com Press Enter here. You see that this website is served also over https, and here you see that connection is secure and certificates is well, it. Okay, let's get back to wire sock and stop capturing packets where it's open up terminal and find out which I. P address was used by facebook dot com, and that's look up www dot facebook dot com. Enter and here you'll see I p. Address off the mold server that hosts this website. Let's go Business idea address. Go back to wire shark and replace I P. Address. Here in this futile section, we score pit one and less press enter, and here you'll see conversation between my computer and remote server. That horse facebook dot com application. Okay, now I see here such protocols asked TLS TC beam and I don't see any https or http protocols . So only TCP and TLS version 1.2. Let's click on one of the packets with DLS. We wanted to protocol. Who has men? If I this section for a moment and let's examine headers So frame Heather as they're not too Heather I'd be before headers and DCB headers are the same as before we see http protocol. But here you also see d. L s transport layer security, Kendra. And if I'll expand it, you'll see here TLS record layer. And that is actual payload that the scent in this packet. And here you see http, or DLS and that means that Asian to be communication or cures over TLS tunnel and all data that the sent over TLS is fully and grieved it. And we can prove that here we can try toe read this section. So let's try to find something that appears here on this page, for example, this sentence. We will be able to do that because everything is encrypted. And here you can only see random set off characters. And that's because all data that was sent from the server was encrypted using special key. And here is this encryption A cures using symmetric key encryption. And that means that my computer and remote server have same team that is used for encryption and decryption. But this keep is the river is a special way as the beginning of the TLS succession. And for the leery off this key that is used for symmetric encryption. We use asymmetric era. Say keys. No warriors always is. We will discuss later own throughout the course. For now, you should understand that in https protocol, old data is sent using DLS protocol and TLS is responsible for encryption off entire data that is sent over. Eat. You can also read details off the D. L s protocol. Let's click on this arrow and here you see pls version. It is wonderful to lancs off their payload and actual encrypted application data that is actually set off random characters. It actually looks like set off random characters. But if you do have special keep that was used for encryption off this data, you can successfully decrypt it and present by Web browser. That's why we actually see, hear readable data. Okay, that's how https protocol works. And my main point here is that entire communication over https protocol is fully encrypted . And second point is that https protocol uses TLS transport layer security that is responsible for set up off secure session and for encryption off application data. Okay, I hope that you enjoy does this practical lesson. And I recommend you to capture data to any other website you like and ensures that this website is that you will analyze is served over https. Same as for example facebook dot call. Okay, that's all for this lecture. And the next one I'll explain you What is encryption? And we will start talking about symmetric key encryption. So see you in a moment. Bye bye. 10. 00 Section 2 Intro: Welcome to this model. Here we will talk about encryption and I'll explain your difference between symmetric and s in magic encryption, you'll learn how eros a protocol works and what is public key infrastructure? Shortly picky, I We will also talk about occasion l Greetings such as 75 shop and you'll learn how they're used in public infrastructure. I'll see you inside. 11. 8 Symmetric Key Encryption: Let's move on. And in this section we will talk about encryption mechanisms about the hash functions. And I'll tell you about some most commonly used encryption l Greetings and cashing Al Green's also, we will start talking about s symmetric encryption and about s symmetric keys. But let's start with a symmetric encryption. So what is that? Symmetric encryption means that data is and creep that on one side, using special kim and then and with the data is sent toe in ours or site. And that another aside, de Creeps received data using same key. And again, main point here is that those keys here on this side and on this side are the same. That's why this type of encryption is called symmetric encryption. But of course, any person or any machine that owns this game has ability toe de creeped and creeped the data and gain access toe original data. And that is a drawback off Samir to encryption. And if you want to use it somewhere for encryption off your data, you should take care off key and keep should be kept secret. And, uh, it shouldn't be transferred to any other machines or send two hours, or people that is symmetric encryption and the next larger Let's talk about some protocols that utilize similar to encryption, so see you in a moment. 12. 9 Symmetric Key Encryption Algorithms: Let's move on and this lecture. Let's talk about encryption l readings. And primarily I'll talk now about symmetric key encryption l Greetings. There are several kinds off L readings that I used in the mother networks, and I also want to talk about some obsolete protocols. So let's start with deaths encryption algorithm. It is symmetric key encryption algorithm. It means that it uses same key for encryption and decryption and length off. The scheme is just 56 beats. It is spread the obsolete on duh. It is not used anymore for encryption because it is very easy for decrypt data that is encrypted. Using this, there's Alderete. There was its modification that performs actually encryption three times, one after azar, and it is based actually on death l greed. But again, this vulnerable toe different kinds off attacks that give you access to a regional data. And this algorithm is also considered obsolete, and it is no suggested for use anywhere. Let's not talk about modern encryption. L. Britain's and most commonly used these IAS algorithm and I asked stands for advanced encryption system, and this algorithm allows you to utilize keys off different lens. For example, there was IAS 128 l Rhythm and it means that it's Guillen is 128 beats. There was also, for example, I asked 256 and that means that EADS key Lang's is 256 beats. And that is ah algorithm that is used more often and again the same as death and three deaths. This algorithm IAS is cement to keep encryption algorithm, but it is much more secure than deaths and three deaths and it utilises keys off high lungs , Zen deaths and three days. And of course, it is suggested to use highest possible key length possible for this algorithm. Also, I have added here era say l greed. But this algorithm utilizes s symmetric use and we will talk about a symmetric encryption and Aeros a protocol later on in this section. For now, please keep in mind that I suggest you do use I s encryption algorithm whenever possible and never used society obsolete protocols as deaths and three days off course, other obsolete encryption algorithms exist on die. Don't want it to mentions. I'm here. Please just keep in mind that I ask is most modern and most secure. And exactly this protocol is used in a cell communication wire. Https protocol. Okay, let's move on. And the next layer. Cheryl, let's talk about hash functions. I'll explain you. What is hash? Why it is needed. And after that we will talk about some examples off the Kachin algorithms and you will try some of them in action. So see you in a moment by 13. 10 Hashing Overview: Hi. In this lecture, we are going to talk about hashes before we have discussed encryption algorithms and Samir took key encryption. And corruption is usually used for making data unreadable for sort party. And, um, off course, this data is encrypted during transfer over network would be easily changed, compromised, or something like that. And that will lead to situation when receiver we won't be ableto read original data or will read it with some errors. And that's where hash comes in. So what does hair cash is a fixed length string and its lungs, maybe 128 beats or 160 beats or 256 beats or something longer? And this Lennox depends on the algorithm that is used for creation off the cash. So how this has algorithms usually works, It takes input datum. And this data may have very belong, so it may be just a single word, or it may be a sentence, or it may be even a file. And when this hash function is applied, it creates fixed blanks cash based on the input data, and it grieves irascible hash. What it means. It means that if you have hash and don't know what is data on the input. You are not able to retrieve data from the cash. Why? Because same hash maybe created for unlimited, let's say, infinite quantity off different inputs. And that's why hash function is always one way so we can create hair based on any data, but we're not able to retrieve data from the hairs. Another important characteristic off any hash function is that each time when you slightly change input data, when you change, even single character or even single beat yes will be changed completely and again, it makes Hess even more irreversible and sort of characteristic off hash functions is that they don't require any keep. So we take on the data, take cash function and create using discuss function special cash. But there are some cash functions that also add ghee into the cashing protests, but I'll talk about it later on. But why do we need to hash and hash functions? So let's have a look at this diagram, and here you'll see that there are two sides, and on one side, the we create hash and the send data with hash toe another side, so what happens here is this diagram. His function is applied to original data and cash is created. And after that, data along with cash are sent over the network toe, receiver and receiver receives data and hash separate limb. And now, or see your takes. Data applies same hash function as was applied here on this side and creates fish. And after that, this hash and this hash are compared. And if those catch us major, it means for receiver that this data was not changed or wasn't mutated during transfer or the natural. And that is a purpose off cash. It verifies integrity off data. So again, in this scheme, we ensure using hash function and Tash algorithm that this piece of data during transfer over the network here was not changed off course. We should take your off encryption off this data. And usually encryption happens before creation off cash. His algorithms work in such a way that even small change off data well, lead toe creation off completely different hairs. And if at least one beat off data was changed somewhere here during transfer, then here we will get completely different cash. And during comparison, we will get different results. And usually when hash doesn't match, receiver simply rejects data and dust. Nothing. Quiz it. That's how hash functions are used for data integrity. Check. There are also keys on this diagram, but the please noted that the geese are optional and cash functions usually don't require any team for creation off the stairs. But I have told you in the previous life show that they are our hash functions that utilize these symmetric keys, and what we accomplished using gifts is following. We perform known just integrity. Check on the receiver. We also perform all syndication off Sander. What does it mean? It means that if on the receiver aside, we take data, take team, create hash and compare it to is received cash and those headshots match, we can be sure that cares. That we have received was created by a party that owns same key as we do so we perform no, just integrity. Check off the data, but we also often decayed Sander. But again, please notice that the keys are optional. Okay, let's move on the next lecture. I'll tell you about the Sam Occasion L. Britain's such as MD five and champ. They don't require any key. But there was modification off those protocols called H Mark and the five and a schmuck Sha that ad ski into the cash in process. Also, in the next life short, we will try shot and empty five l Britain's inaction. So see you in a bit. Bye bye. 14. 11 MD5 hashing algorithm: in this lecture, we're going to talk about some cash in L. Breeden's off course. There are a lot of other L grievance, but those mentioned here on this diagram are most popular, so we will talk quickly about MD five shot and H Mark L greetings, and let's start with MD five and the five grades. Fixed blanks hash off variable length input and output is always 128 beads, and the five is not considered obsolete algorithm, and it is still used somewhere again. Goal off fashion L Greed is to create one way hash and, um, other sigh. It's ah may perform same action, so take input data create, has and compare toe caches. And if cash this match then data was not mutated was not changed. For example, hashing is often used for password storage, for example, password that was entered by user somewhere in any application or on any website. Maybe start not as a plain text password instead of distort as hash. And each time when user enters its password, website or obligation, creates a hash again and compares that gas with against the distort in database. And if there was a match, We can be sure that the user has entered password correctly. Okay, let me show you MD five hashing algorithm in action. For that, I'll open simply terminal on the Mac. If your Windows user, you won't be able to perform same steps as I will do so simply, which may long. And here I'll defaulting. I am located on the desktop and I'll create a file Let me created using touch Command Onda file name will be simply filed dot txt So file was created and now I can use embedded command called MD Five. And this comment alos me to create cares off any file on dykan. Simply type MD five and name off the file file dot txt enter. And here you'll see cash off the file. And whenever I will change contents off this file, this hairs, when I will regenerate it will be changed as well. So let's try it toe. Make some changes in this file. So let me open it. Open file duty X team. And here let me add, for example, Hello world. Save the file, close it and let's generate hash once again from the five filed Otake steam and Trump and here you'll see a completely different hash. But off the same length 128 beats. So here, actually you see X a decimal numbers and each your checks. A decimal number is exactly four beats won't. And here this drink has sorted two characters Hexi decimal characters. Okay, so I could demonstrated you that MD five has changes each time when you change in blood also, you can dry empty five has generators online. Let me open will chrome and type here Great and d five cash like that and here throws link will be empty, five has generator And on this website you can simply type and its string again Let's type Hello rolled and bleak generate And here was empty five years that was generated based on this stream let's no try to compare toe caches that were generated here on this website for hello rolled string and heads that we got in the command line. Let me switch there and ah yeah, it seems that hashes are the same. It means that these embedded empty five program America creates a cash based on the contents of the file And here we have created hash based simply on a string. So let me change input here and type Hello World and at exclamation mark like that. Click, Generate. And of course, now I'll get completely different hash. And now this hash and this cash are different and don't match. Okay, that was MD five algorithm. Again. It creates output off fixed lengths. That is equal toe 128 beats. Okay, let's move on. And next. Let's talk about sham cashing algorithm. 15. 12 SHA hashing algorithm and HMAC overview: Let's continue and this lecture. Let's talk about L Greed and let's also try it in action. This Calgary to mark has different versions. There was shot one version, and this version length off. The cash is always 160 beats, and there are other versions. For example, Shop 256 and this version length off the cash will be 256 bits. In this version, Hash is correspondent Lee, 512 bits and in different cases, different versions I used. Most popular is this one. So with cash length 256 beats, let's try this algorithm as well. And again, I'll use a command line on the Mac. Let me clear it. And in order to create shark hash here on the Mac, I should use shampoo, some command and here type again. Name off the file and recapped that there is file called file dot T X Team. And there was hello world streaming inside. So let me press and or here and here you'll see shark cash. So by default, if you don't supply any options here, you'll get sharp. One cash and this cash is exactly 160 beats long or 40 Hexi decimal characters. Okay, let's add some options and let's generate hash with 256 beats but that I can write, shot some, then dash a flag and here type 256 and to gain name of the file so file do txt enter and now you see longer hash. So here it is. And now this hash is 256 bits long. Let's also try option with 512 bits like that and throw. And here was longer cash again or gap that each time when I will change contents off into data, I'll get different hash. Completely different hash. Let's try that and let me first open file the D X team and at here, exclamation mark and save glows to file and less regenerate this lost cache like that and I got completely different stream so you can compare and you can be sure that those lions are different. Also, please note that you are not able to reverse cash, So if there was ahead, you will never be able to get into data from it. So cashing is one way algorithm. Okay, lets know also try creation off the stock cash online, and for that let's ah, search for it. So create shock has and here was first link shot. 100 56 generator. Actually, here you are able toe generate, not just shot 256 beats. You can also generate Shar one Hair's MD five years or shot 512. So let's enter our text. Hello world. And here you see it that the cash is generated automatically here at the bottom and now length off the cash is 256 beats. I can switch toe shop 512 and type same text as before. So hello world and now has is longer and completely different from the previous cash. Okay, that's how you can generate the shop cash. Let me close those steps and let me tell you a few words about ash. Mac al green ash Michael Greet may be used to stand alone, but usually it is used in combination eyes or with MD five or Shar al Britain's and main purpose off. This algorithm is adding a special secret team in tow hashing process, and it means that we speak H Mark algorithm we take not just input data. We also take special secret team or password and utilize it during creation off the hash. And with h mark algorithm, we create hash that is based no Justin data, but also on secret password or team. And that means that the arts are side my greed, same hash Onley if it has same secret keep and therefore this algorithm as additional level off security and it also follows to perform all syndication off the sender. So if you don't have same key as center has you will be able to create same age Mark cash. That is a purpose off H met Alderete. Ok, now it's time to move on. And next we will talk about a symmetric keys and s symmetric encryption. So see you in a moment by 16. 13 Asymmetric keys overview: in the previous lecturers, we have talked about symmetric key encryption on deck cashing l greetings. You also know that there are some cash in l grievance that also utilize keys for creation off hair, and same key is used on both sides. Now it's time to talk about and symmetric ease. So what is a pair off a symmetric keys? It is a prayer off cookies, cold, private and public. Usually those keys have same key length, but off course is a different. And the naming convention for those keys private and public isn't random. Private gear is always kept secret. And on Lee owner off this player off the Keys knows this Private Kim public can be communicated toe anyone in the world again. Private Key is always kept secret. Onley in one place and public is public and available for anyone. But what is the purpose off those keys? Private and public? There are actually different purposes. Trust, private and public key pair may be used for encryption, so public is used for encryption off data and on Lee owner off the private key. Using private key is able toe de creeped and creeped in data that is a first use case. Another use case is signing data using private key. So owner off this player off keys Science data creates hash in another world using private que and anybody who has public in may verify this sign Nature. That's how a symmetric keys, maybe usedto in different cases and the next lecture. Let's talk about encryption using estimate. Tiki's So see you in the next lecture by 17. 14 Encryption using asymmetric keys: Let's now examine the case when you could use a symmetric keys for data encryption and decryption recap that pair off keys. Symmetric keys consists off cookies, private and public. Private Keep is private and is owned the only by owner and is accessed only by owner. Public is available for anyone, so let's discuss how encryption works in such case. So on this diagram, there is owner off key pair and Onley. This owner knows private key off course. It also knows it's probably Kim public e off this pair can be communicated toe anyone in the world. So what's supposed that? These site wants to send and creep the data to the owner off private. Keep what does is just following. It takes data and in creeds this daytime using public e off the owner off this private. And here we get and grieved in data and this and greet the data can be seen by anyone in the world. But it can only be decrypted by private key. And this private team is owned Onley by owner off this key pair. And that means that this and greet the data. Maybe the creep that Onley by owner off this key pair. Nobody else could. The cream data. And if data is successfully sent to the owner or for private and public prayer, owner could degree data using private Keep Andi. That's how encryption and decryption is used in a symmetric keys world. We could compare this process off for encryption and decryption using a somatic gives with protests off sending email, for example, anyone in the role that may know my email address and anybody could send me email. But on Lee, I have access to my mail books. I suppose so, and only I am able to get in for from my my books and read eight there. And that's ah, pretty similar to this process. So Onley owner off Private Kim could read data, could decrypt it and read. Okay, that's how a semantic Giza could be used in data encryption and decryption. Let's go on and the next lecture. Let's discuss how estimate your cues may be used for signing data. So see you in a moment. Bye bye 18. 15 Signing data using asymmetric keys: from the previous lecture You lo how a symmetric years could be used for data encryption and decryption. For that case, if you want to send data to the owner off private give you simply take its public it and grieve data using this public keep and Onley owner using private key may creep it. A symmetric keys could be also used for signing data. But this gaze data flow is opposite and the data is sent from the owner or for key pair with private and public in tow. Anyone else and we want to it you following. We won't receiver off this data be 100% sure that this data was received from these owner from the owner off Private key. It means that no one else could send same data whisk same and greeted hash toe this party. So this protest is ah, toe stay brought us actually and owner off Private gim throws takes data and creates cash off this data. And here we could use any function that we have discussed before. Eyes are empty, five or shot, for example, recapped that each has has fixed lengths, eyes or 128 beats or 160 or something girls and here, owner and creeds This hash using East Private keep recap that private keep is only available for owner. Nobody else knows this keep, and after that and greeted hash along with data are sent to another party. And this another party must be sure that data was sent from the owner off Private Key. And that's why I eat very fires hash and following weight. It takes data using the same hash function. It creates hash and degrees hash that was sent by the owner or private. Keep using its public you and after that compares those toe here, show us. And if there is a match, this side could be sure that this data was sent on Lee by this party by owner Off Private. Keep because nobody else could create and grieve that hash that could be decreed that by this public, there's because Onley owner off the private key is ableto in creep hash in such a way that will be successfully decrypted using public E. But you might ask me what we achieved by signing the data using symmetric keys. There are a couple of positive effects so frost. In this case, we ensure that data was not changed during transfer. And second, if those caches meshed, we could be sure that this data was sent exactly by owner off Private key. And this process is called data sign Nature. So owner Science Day that using its private team, actually it and creeps in fact simply hash created based on data. And after that, anyone else would verify its sign. Nature and verification off the signature is done using public kill. That's how we comptel toe other world, that we are owners off this data and nobody else would create same hash as we don't. So that's how cement duties can be used for signing data. And this process is very important because that's what exactly happens when server sense does the client as a sell certificates each certificate condense, sign nature off the owner off certificates and the sign Nature is very fight exactly in such a way. OK, now it's time to discuss arrests a protocol and this protocol utilizes s a magic keys, and this protocol is used in certificated communication. So see you the next lecture by 19. 16 RSA Overview: we have just discussed what is a symmetric key encryption and how you can create sign insurers using symmetric keys. And now it's time to talk about protocol that utilizes a symmetric keys. And before I have told you that there is a single main protocol this primarily used in modern networks and certificate communications, and that protocol is called Eros a protocol. So let's look at it a little bit more closer. So Aero say abbreviation was created based on the first letters off names off three different developers off this public key crypto system. And those developers were called Rivest, Shamir and other Lyman. And there s a is not just a simple protocol, it is actually public key crypto system. And using this creep the system, you could create a new keys, priority and public. You can create these off different lands. You can perform encryption, you can perform the creeps and you can sign the and so one lengths off for a say, a user is between 1024 4096 beats, but primarily 2048 beats I used. And please note that the key lungs is always the same for private and public ease. Because each time when you generate key pair, both skis are generated and you're not ableto regenerate. For example, Onley probably keep and leave private key intact. Always keep very generated as a single entity. And again notice that private team must be always kept secret. And, ah, when you feel that private was compromised by someone else, please regenerate new key player. And if you need certificated based on the player, you need toe recreate certificates as well. So what games that was There s a protocol on DA Next. Let's discuss what is PG I and what is the place off our say crypto system in peaky. I so see you in a bit by 20. 17 PKI Public Key Infrastructure Overview: okay era, say is creeped, a system that allows you toe perform different actions based on a somatic keys, private and public. And the most popular Keelung is, ah, 2048 beats. So what is biggie? I picky I is public infrastructure and the picky I is actually set off. Different protocols are greetings entities, certificates that alos you toe perform communication based on certificates based on trust and using those trust relations. You could perform encryption off data. You can perform our syndication off the server. You're communicating grease and so one and there are many different elements in the peaky I infrastructure. And they are, for example, see a certification authority and roll off certification authority is toe eyes are signed certificates or delegate trust toe ours or entities, and that those entities are called intermediate sees, and the usually it main responsibility off intermediate see is is a sign a teacher or for new certificates that are eastward for are the entities, for example, for your website and off course, Zahra. Different owners off certificates, and you can use certificate for different purposes. For example, you can use certificates for SSL encryption as a selling TLS encryption and secure your website. Or you can use certificates ah to build VP and beautiful private network and send data over VPN tunnel securely and so on. So there are many different use cases for certificate. But what is certificate? Actually certificate is a set off data and before this girl's week of analyzed structure off some certificates that are owned by some companies such as Google and Instagram, and they used for you to be us protocal. And most important, information distorted by any certificates is public key off the owner off certificate. It means that every entity in picky I infrastructure has his old public give and this public it is always included in every certificates I can even at here this data let me Koppel this based here So public, Kim, let me make it smaller. And every again, every entity in pick your infrastructure owns public. So what? Mick Opiate based here as well so intermediate. See, A also has its own public. Kim See a has its public and so on, and the game goal off PG I infrastructure is to ensure that public kim off for every entity in pick your infrastructure is trusted by ours or entities. And, uh, that's why we need a CS Intermediate sees. And so what? And the next lectures, I'll explain you how this chain off trust is built, but the for No, let's proceed. And the next lecture I'll explain to you what is Certificate and reach data may be included in certificates and which data is mandatory, so see you in a bit by. 21. 18 Certificate overview: before we have discussed what is speaking. I you guys public infrastructure And what is air A Say so. Irsay is a crypto system that is based on a symmetric keys. Now it's time to go quickly over room what is certificate and which information is included in certificate. So certificate is digital entity. In fact, it is simply a file with some data. And in this file in certificates foreign information is usually included. There was information about owner off certificate. Usually it may be, for example, company name, company, address website and so one sometimes even serial number off certificated is included here in this section. Next information about easier. And here you go defiant information about entity that signed the certificate Onda usually here you will find information about certification authority or intermediate certification authority entity that again has signed this certificate. So next comes signing sharp and kept it before we have discussed how Sina Charles are created. Using s a metal keys, so signature is and creep potash and encryption is performed using private key. And that is what is included in each certificate. Sinus are if certificate was easier by any certification authority or intermediate certification. Also redeem This signature is made by that authority and based on the sign nature weaken, build Jane off trust. And if we trust certification authority and we see in certificates sign nature made by that authority, we can be sure that this certificates is also trusted and we can trust owner off the certificate. There are also self signed certificates that is, a certificates that is signed by its owner. And in such case, this signature is made using private key off the owner off certificates and most important , information that is stored in each certificates, as we have discussed in the previous larger is public keep so entire goal off certificates is to store, probably keep, and this public it is owned by owner off certificate, not by easier by owner and off course in certificates. You won't find the private key because private key must always be kept secret on golf course. It is not available in certificate. There are also some other blocks of information in certificates, but for now, let's a keep thing simple and for now, you should know that each certificate contains information about owner off certificates. Information about easier off certificates signed nature that is usually made by es your certificates and probably keep and every certificates is usually available for public. And you can be free toe the Lord certificates off any entity in the world, and you can use this data as you want. But again, main goal off certificates is toe store public Kim, and based on certificates, weaken build chains off trust. Okay, I think that for now it's enough talking about different abbreviations like there s a peak I I asked, and so warm, and it's time to die in practice and look at all of that in action. And, uh, no, we're moving to next section where we will together are generate our psyches, analyze certificates off for different websites. And I'll show you old this information in practice. And also we'll explore how as a cell TLS tunnels are created and how actual encryption off data in https protocol is performed. So I'll see you in the next section by 22. 00 Section 3 Intro: in this model, we will start talking about public key infrastructure in details, and I'll explain you what is as a cell till a certificate and how disc structured. Also, I'll explain you. What is certification also to Sarah or shortly See? And what is its role in the B G I infrastructure? You'll know what is certificates, chain and how chain off trust is built. We will analyze in the dales certificates or for several popular websites in this section. We will also start using open as a cell and with help off opens a cell you are able easily perform different tasks related toe creation. Offer a say keys, creation off certificates, signed requests and creating certificates. I'll see you inside. 23. 19 Installing OpenSSL: Now it's time to install a tool that will follow us toe generate arrests, eighties toe, create certificates, silent request request for you certificates and so on. And the best tool here is open as a cell. If you are in America, you don't need to worry about open. It's a cell. It is already installed. You can proceed to the next lecture for Windows. User. I'll explain what to do now. If you use Windows, please navigate toe. Pick it. Don't open as a cell, that orc Scroll down here on this page and find here buying a Riesling, this one. And here you'll find first your l this one Please click on it as well. And on this side, if you'll school down, you'll find installers for Windows. There are 64 sorted Toby's versions, so please choose version, depending on your system and the don't Lord installer. And after that fall, installation instructions. Okay, so please go ahead and install open. It's a cell, and when you will be done, you'll granted to proceed to next last house 24. 20 Using OpenSSL for RSA keys generation: Okay, I hope that you have successfully installed open. It's a cell if you're on windows. If you're Mark, you should simply open, terminal and type open as a cell. Enter. And if you see such problem, you are able to use open at the cell. So let's close. It controls that and feel things that we will do using open. It's a cell is generation off era say keys for that the weak in the simply type following command open as a cell space again. There s a and less press and or no, and you'll see protests off generation off Eros a key. And if I will scroll up, you'll see that key with Lancs 2048 was generated and hear directly in the council. You'll see your private keep. So begin Eros a private game. So here it is. And here was end off Eros, a private Keep off course. This is not secure because this is a private keep was just compromised. And anyone who is watching this video is able to use this private hell, and that's not what we want to achieve. So first approach that we can use is toe and creep Private Kim. And for that to weaken you special options in open as a cell. So let me clear. Terminal and the type here open as a cell Jim era Say again And here I'll add Opossum Desh I asked 256 like that. Let's press enter now and now you'll see that there s a private keep was generated But now open. It's a cell problems for past phrase And this past phrase will be used for encryption off private Keep So let me end on some password off course I don't tell it to you because it must be secure Password. So I'll entering password repeat Antam. And now Private key was generated once again. But if I will scroll up, you'll see that now Private he is and greeted And it wasn creep that you think I asked 256 l greed. You're also able toe and creep the private key using other algorithms, for example, we can use obsolete Alderete Masri death and enter here Dish three desk like that anti I'm sorry. It seems that I need to enter here Desk scream like that Antam and now our A se Ki will be generated once again again prompt for past phrase. Let me enter password to gain. Repeat. And now here you see Private key and it is encrypted using three deaths. Alderete OK, but there is usually no sense toe. Just see your private key here in the command line. And usually Private Kim should be stored in a separate file. And for that, we can use another option. In open is a cell. What McLear terminal and the type here open as a cell Jim era. Say again. Let's add and creeps. Um, so Desh I asked 256 and here I'll use another option. Dash out and right here. Name off the file way our private G will be stored. And let's start in the file. Gold private dot Pam. So what is spam? Spam is extension that is used for files that include two certificates. And also we can use that extension for storage off private. Keep so less breast until no generating cross a private key again prompt for past phrase. Let me aunt or something secure. Um, repeat and and now you won't see any outputs here. And if I'll least files on the desktop because now I'm located on the desktop, So ls you'll see file cold private dot Pam and I can look at contents off this file using, for example, can't command get and ah, right name on the file private dot Pam enter and here accountants off this file and again you see that this private key he's and Greep that using? I asked 256 Alderete. Okay, now you might ask me about What about public E. Where is it? Answer is simple. Public is also encoded here in private keep, and we are able to extract it from this private keep. And for that you can use ours or command and let's type it, Let me clear Terminal Let's die open as a cell again. Then era, say, a special option that tells open it's a cell that we want to perform some manipulations with Sarah say keys. Then comes option in dash in, and here we should specify name off the file where private give is stored, and in our case, name of the file is private dot Pam. Next. We should specify for March in which we want to extract a public Kim. And for that we should use option out form and type here, Pam in capital letters. After that comes another option that the tells opens a cell that we want to extract a public in, and that option is dash pop out. And finally, we want to extract the public e in tow. Separate file. Cold public that Pam. And for that we should add one more option. Final One. There's out and here, right name off the file. That's right. Name, public dot Them like that. And no, we are ready to go on and press enter. So enter Let's enter pass phrase for Private Pam. That's why we have entered it during capacity generation. So let me enter my password. You enter yours and always done so. Eros. A key was freedom. So let me least the files here on the desktop. And now I'll see new file cold public dot pam. Let's look at this Files or cat public dot Pam Enter and here you'll see contents off your public E. It starts with this line. Begin public e and ants with this line and public. You and of course, you are able now toe distribute this public Ito. Anyone in the rolled and any parcel could use this public Kim for encryption off the data that is sent to you and only you are able to decree that using your private key again public and private key are bound together. And if you want to create an hour's or public, you must create another key player and as a private key, and after that create, probably keep based on your private keep Okay, that's how you can easily and quickly create era, say keys. Using open as a cell. Let's also try to create Key off Marseilles or Lyons, because by the fold, lungs is 2048 beats. Let me clear Terminal and let's generate G off as lengths. Onda. Let's use simply open as a cell again command gen era, say, and the type here 4096 like that enter and now you'll see that he off lands 2096 bits is generated off course. It takes more time than for smaller keys, but the finally key was generated. And here you see output and you see how large now is this output Notice that this last example I have generated key that will spring to directly here. And this key wasn't encrypted Onda again. There's not to the best way off creating private keys. Okay, that's all for this lecture. And now you know how to use open. It's a cell for generation or for private key and based on private gur ableto create public you, in other words, retrieve public in from Private Kim a game. That's all for this lecture and the next one. Let's get back to where browser and look closer at certificates off some websites, so see you in a bit by. 25. 21 Exploring certificate of Instagram: We have discussed a lot in the previews. Large Charles. We have talked about encryption algorithms, symmetric encryption algorithms about a symmetric keys, about the hash functions about Sinus. Charles, I have explained you what this era say, what the speaking I and which information is usually included in each certificate. Now it's time to explore all of that in practice. And let's explore again some certificates off for popular websites. And let's again explore certificated that is used to for encryption off traffic toe instagram that come So Leslie consists. Look, I come and click on certificated is valid and now let's explore information that is shown here in this window. So first we see chain off certificates here at the door. But you see information about certification authority, root certification authority and this certification authority does not usually issue certificates. It is considered as root entity in a chain off trust. And next comes intermediate. See a and this example this cold. Did you serve shot to high assurance, Sarah See? And this intermediate C has issued certificated for Instagram did come. So let's no look at this block of information. And here you see common name off the website for reach. This certificate was issued and here you see, actually wild card common name. So star don't three W's dot instagram that come. But honestly, I don't see sense in this star here at the beginning because usually e for domain, starting with the three W's, there will be no sub domains, so there will be nothing. Kia does the left, and that's why we shouldn't expect to get same certificates on any sub domains off instagram that come next. Here you see information about certification authority who has easier to exist certificates . And this certificate was issued by this sea and here in this Jane that we have already explored. You see this? See a as intermediate See that stands between route see a and instagram dot com. Next, you see expiration date, and this certificate is valid till July. Allowance 2019 Andi. After this date, this certificates will become invalid and new one must be issued. Okay, that is a basic information about the certificate. Let's look at the tails, and here in this section you'll see several blocks off information. So first comes subject name, and in this book you'll find information about owner off the certificate and owner off the certificates is website instagram did come So here again, you see common name and this name may just this name Actually this Tween is taken from this one common name shortly CNN Next you'll see organization name and in this case, this Facebook. Next you'll see locality. Menlo Park uses state this c eight and you see country or region. It is us. Next block is your name. And in this block you'll find information about easier off the certificate. And in our case, the certificate was issued by these intermediate certification authority story. Let's get back to this. Certificates on Dhere This section use information about these intermediate certification authority. So again, here was its common name and you see that this common name matches with this common name. Also, this information about location and organization So it is D just syrup located in us Also, you see serial number off the certificates. Sometimes serial number is included in subject name sexual, sometimes in ish your name section. But anyway, in the serial number off the certificates Next comes information about Sina chur l greed and in this case shop 256 with Eros. A encryption algorithm was used. So what is that? It is an algorithm that was used for creation off side nature. For the certificate. Let me actually get back weekly toe diagrams and show you this diagram again were kept that here on this diagram, I have explained you how Sana chur is created and it is created based on data. And the first we create hash using MD five or shot algorithm. And after that we in creep that has using private key off the owner. And that's how and greet that hash is created. And this and greet the Tash is called Sign Ishtar. In our example data East certificate and we take certificates, create hash and then and grieved that hash. That's how signature for certificates is created. And this sandwich er is created by certification authority that has issued the certificates . And in this case, this intermediate see called Desert shot to high assurance Sarah see created hash and after that has been agreed that it using its private keep so private key off intermediate see and this how Zeus it defecate for instagram that was signed by certification also dis error. If I'll school down, you'll see exactly disc signature. Here it is. If you click on it, you'll see full senator, and its size in this case is 256 bites. Okay, that's how signature was created. And that's how it was upended toe certificate Next. Next you see two feels cold. Not well before and not valid after. And those toe feels indicate validity period for this certificate and we can see that the certificate was issued on Lee for three months starting from April valves, and it is valid deal July allowance for just three months. Next you see public inform on in this action you actually see public key off the owner off the certificate or public if off instagram that call. So let's click on it. You can expand it and using this public if you are able toe in creep data and send this and creep the data toe instagram that come and only using corresponding private key, this data may be decrypted. Private keys, of course, kept secret. And it is located on the Cerro's Web servers that host pages for Instagram did come okay, here don't below you also see key size and in this case, this 2048 beats. And I can told you that this most portable Erkki size let's go down closer and here you'll see signature that was made by intermediate certification also reteam. After that, you'll see extension section with some additional information, and this extension sexual includes such section as Subject Alternative name. And in this section you'll find least off DNS names for which the certificate is valid. It means that if you will try to use the certificates on any art or domain that is not listed here, you'll get a certificated verification error. And in this certificates you see on Lee to DNS names and he you see wild card www dot instagram that come and exact the name three W's Instagrammed at home. And that's what I have explained you before. This certificate was actually created on Lee for single domain www dot instagram dot com. It looks like wildcard certificates, but in fact you won't see any hours or sub domains off these domain, usually sub domains used without three W's at the beginning. Okay, if I'll scroll down the very bottom off certificate you against see fingerprints, and those fingerprints are simply hashes off certificate. And you can use those fingerprints to verify integrity off certificates itself. Okay, that's how this certificates off instagram that home looks like. And here you see such a main sections as subject name information about owner off certificate. Next you see ish your name block. And here you see information about issue off certificates and this example Intermediate c eight. This one has issued certificated for instagram that come next that you see information about public e and public itself. So here it is. And you also see Sana chur off the certificate. And this example San Nature off certificate was made by intermediate certification authority and that was made using its private keep. Okay, let's re about this lecture and the next one Let's analyze on Mars or certificates from a nazar website. So see you in a bit. Bye bye 26. 22 Exploring certificate of Google: let's know, analyze as our certificates. And now let's have a look. A certificate that is used at google dot com. So let's again click on this. Look, I can certificated is valid and here you see similar chain. So let's click at the top. And here you see root Certification authority and this case, this global sign. Next you see intermediate certification authority and in this case, this Google Internet Authority J Stream. And here you see that it is intermediate and next you see certificates. It was easier for google dot com in this section. You see star dot google dot com It is common name, and in this case, the certificate is wildcard certificates. So it was issued for Google that home and for any sub domains. Next, you see information about issue and this information matches Name off this intermediate certification authority. Um, next you see expiration date and it is May 24th 2019 and now it is still valid. Let's expand the details and here let's have a look first at subject name Block. So he used information about location or for organization. Organization is Google. Elsie Common name is star dot google dot com It is the same as we have discussed here. Next comes information about the sure and issue is also located in us and this issue has signed the certificate. So here you see serial number off certificate here you see Senator algorithm and this algorithm the same as was for Easter ground school. It is shocked 256 with Eros A encryption again. This algorithm was used by the certification authority for signing this certificate. Next you see period when the certificate is valid and it is also valid Onley three months starting from marriage first and it will be expired at May 20 Force. It is actually even less than three months. Okay, Next, in dissection public info section, you see information about public key and here you can expand public Kim, it is small. In this case, it is just 65 bytes long and in beat. It is actually 512 beads. So it is really small public it also here below you see Santa Chur and the signature again was made by intermediate certification authority. This one would go Internet Authority J Stream and if you'll school down in extension section. You'll see interesting information and you'll see least off DNS names in subject, alternative name, section and this least off. Deena's names indicates websites where the certificate is a load to be used. In other words, this certificate may be used not just at the google dot com and all off its sub domains. It may be also used at Android at home and all off its sub domains at Google. See a and so one if I'll school down, I can even be ableto find youtube dot com and all of these sub teammates. It means that the certificates may be used on any off those websites that are listed here in this extensions section and such kind of certificates are cold multi domain certificates , and it means that single certificates may be used on multiple domains. Okay, at the very end, as usually, you see fingerprints sharp 256 and shot one. Okay, after supposed wealth, analyze one more certificates and it will be domain certificates off commodity com. This company actually sells certificates, and if your own website you can purchase one of the difficult it's here. But now we're not interested in purchasing certificates. We are interested in analyze uncalled structure off certificates that is used on this website. So let's have a look at it after the polls by 27. 23 Exploring certificate of Comodo: we can analyze certificates off instagram dot com and google dot com. This lecture less on Elias. One more certificates and it will be certificated that is used for encryption of data toe commodity com website. But this company sells certificates and you can find all information here. But we are interested in looking at certificate. Please notice the difference in your all here, Um, and your l, for example, here or here. So here you see Onley small Look, I come here as well, but here you also see information about company that holds certificates. So Comodo Security Solutions incorporated and that is the difference between certificates that is used here and certificates that are used here. So let's no click on this block and you may see that entire block, including company name is clickable. So let's click on it. Let's click them on certificates this valid And here let's explore information about the certificates again. There are stories of difficult. It's in a chain. So here is ruled Certification authority Commander Aero. Save them comes intermediate. See also Komada and next you see certificates directly for website three W's commodity. Come. And here you see that desertification was issued exactly for single domain three W's not Commander that Come. You don't see any faster eggs and that means that the certificate is domain certificate, not multi domain or not. Wild card. Just the main certificate issued for single domain here. Information about its your So here is the name off this intermediate certification authority next as usually expiration date. And you see that the certificates expires in one year up. And if I will expand the tail section, you'll see much more information here in the subject name. If I will go back to google dot com and look at this subject name you'll see on Lee five fields here you see much more fields, even serial number in the subject name section onda This gold certificate with extended validation. So more information is included here and more checks were performed by Is your off the certificate for example, Here you see address off the company. Also, you see postal code or you see business category and someone. So again, this certificated scold certificates with extended validation and such certificates Google , chrome and ours, or where browsers handled differently. So what they do is that they so additional information here in the bar. Okay. Remaining information. The certificates looks similar to information in other certificates. For example, ish your name, That is information about intermediate