A qwerty · 2014/08/11 10:43

0 x00 background

Web level security testing, it is inevitable to do man-in-the-middle agent to intercept packet analysis. Common tools include BurpSuit, Fiddler, Charles, etc. The use of these tools is well documented on the web, so I won’t go into details here. However, when testing some high security sites, SSL communication problems are often encountered. Here is a summary of these digital certificates. Welcome to exchange tips.

0x01 Digital Certificate

Digital certificates are mainly used for authentication on the Internet. After obtaining the Certificate Authority (CA) authentication, a secure site obtains a digital Certificate to identify its legitimate identity.

The format of the digital certificate complies with the X.509 standard. X.509 is a digital certificate standard developed by the International Telecommunication Union (ITU-T). It sets up a strict CA grading system for issuing digital certificates.) Digital certificates are classified into server certificates and client certificates. The server certificate (SSL certificate) is used for authentication and communication encryption, and the client certificate is mainly used for authentication and electronic signature. The following is a brief introduction to the structure and working principle of digital certificates. The simplest certificates contain:

Contents of the certificate a) public key of the certificate owner b) issuer information C) User information d) etc. 2. Digital signature of the CA (after the CA uses the private key to encrypt the message digest of the certificate content) 3. Signature algorithmCopy the code

The actual structure of a digital certificate is as follows:

The detailed structure of the certificate content field is as follows:

The CA’s digital signature is the result of encrypting the HASH value of the certificate information with its private key. Due to the use of private key encryption and asymmetric encryption algorithm, digital signature can not be forged, and the packet digest also ensures the integrity of certificate information. You can use the CA’s public key to decrypt the CA’s digital signature to determine the authenticity of the digital certificate information. The procedure for verifying a server certificate on a client is as follows: 1. Check whether the certificate expires. 2. Check whether the domain name in the server certificate matches the actual domain name of the server

CA root certificates are mostly pre-installed by the operating system and set as trusted certificates. A root certificate is an unsigned public key certificate or a self-signed certificate issued by a CA and contains information such as the CA’s public key. Installing the root certificate of a CA indicates that the CA is trusted, which is the beginning of the trust chain of the certificate. Internationally famous CA’s include: verySign, Batltimore, Entrust, etc. China Financial Certification Authority (CFCA) is a national authoritative security Certification body approved by the People’s Bank of China and the State Information Security Administration. It is one of the important Financial information security infrastructures in China.

Tips: some browsers built in the CA certificate list https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/

0x02 Certificate Format

Common certificate files have the following formats:

Format extension der.cer.crt. rsa pkcs7.p7b.p7r cms.p7c.p7m. P7s pem. PEM (ASCII files generally use base64 encoding) pkCS10.p10.csr (ASCII files) SPC .pvk .spcCopy the code

The common keystore file formats are as follows:

Format extension jks.jks.ks jceks.jce PKCS12.p12 bks.bks uber.ubrCopy the code

0x03 Digital Certificate of the agent software

Agents such as BurpSuit and Fiddler can be used to intercept HTTPS traffic. They use a built-in SSL certificate to interact with the client, acting as a middleman to forward packets. Since the certificates of these agents are self-signed root certificates that have not been authenticated by well-known CA organizations, they are not trusted by default and the browser will block them with warnings.

When testing with desktop browsers, you can trust their certificates by adding exceptions. During the mobile test, you can export the certificates of the proxy software and install them on the mobile device to facilitate HTTPS proxy for mobile applications.

Export the BurpSuite certificate in browser Certificate Manager:

Export certificates directly from Fiddler:

0x04 Digital Certificate in Mobile Application Test

Installed directly

The digital certificate of the proxy software can be installed in the mobile phone system to facilitate security testing of APPS that use HTTPS traffic. Install the server certificate in Android as follows: Copy the digital certificate to the sdcard directory on Android. Choose Settings > Security > Select Install certificate from SDCARD.

The same thing happens in IOS.

In addition to installing agent certificates directly, some apps have their trusted keystore as follows: Several BKS keystore files exist under the/implies resource folder.

You can use a tool to open the BKS keystore and import and save the certificate for the agent software.

You can also import certificates using the keytool command line.

Tips: the Android system in the location of the CA certificate file: / system/etc/security/cacerts BKS

http://blog.csdn.net/haijun286972766/article/details/6247675

Modify the verification code. Some apps also verify the server certificate directly in the code.

You can reverse the app to get the SMALI code, modify the validation logic, and recompile the package to bypass the server certificate validation. A case in point is this blog: Cih.so /? p=476

0x05 About Client Certificates

In addition to server certificates, some high-security systems such as e-banking require users to provide client certificates for authentication. If the user certificate is incorrect, some users cannot connect to the server directly, and some users will have the following message:

Client certificates are mainly used for authentication and electronic signature purposes. Generally, e-banking client certificates containing private keys are stored in the USBKEY. Certificates containing private keys stored in the USBKEY cannot be exported or copied. You can use the certificate management tool of the USBKEY to install the certificate in the USBKEY, export the public key certificate in the browser, and configure the client certificate in the proxy software. The export method in the browser is as follows:

During the test, if the server detects the user’s client certificate and no client certificate is set, Fiddler displays the following message:

You can place the exported client public key certificate in the directory shown above.

BurpSuit can also set client certificates:

In addition to the user certificate (client certificate) stored in the USBKEY, CFCA also provides the download of soft certificates, which are certificate files containing the private key. When downloading the certificate at CFCA, select Microsoft Enhanced Cryptographic Provider V1.0

After installing the soft certificate to the browser, you can export the public key certificate in the same way. You can also export a certificate containing a private key that requires a password. After setting up the client’s public key certificate in the Fiddler agent, you can proxy directly.

0x06 About Android APP Signature

A digital certificate signed by Android App does not need to be authenticated by an authority. It is a self-signed digital certificate generated by the developer himself. Digital certificates have an expiration date, and Android only checks the expiration date when an application is installed. If the program has been installed in the system, the expiration of the certificate does not affect the normal function of the program.

Android uses digital certificates to identify application authors and establish trust between applications, rather than to determine which applications end users can install.

Since a malicious developer could replace an installed program by using the same package name, signing ensures that apps with the same name but different signatures will not be replaced.

In addition, when applying for some special rights, the need for authentication will use the signature. Eclipse uses the Debug certificate to sign the APK when debugging and compiling the APP. After installing the ADT development plug-in, Eclipse can directly use the Android Tools graphical interface to sign the APK.

A meta-INF folder is added after the signature

/ cert. RSA (containing certificate information)/cert. SF/manifest.mfCopy the code

View android signature information

keytool -printcert -file CERT.RSA
Copy the code