So what is a TLS CA certificate
?
When you communicate with a third party
using a secure channel like HTTPS
,
the SSL
(Secure Socket Layer) protocol
and the TLS
(Transport Layer Security) protocol
include a security measure called digital certificates
that implements asymmetric encryption
by using a private and public key.
In this protocol, a public key is signed
by the CA
(Certificate Authority) using their private key.
This way a certificate provides a link
between the public key and the CA
that signed that key.
The following process is how a connection works:
-
The browser connects to the server using a secure protocol.
-
The server responds with the digital certificate
containing the server’s public key.
-
The browser looks to see if the CA
from the certificate is included
on its trusted list of CA’s
.
This is where we will work.
-
Once the browser verifies that the CA
from the certificate
is in its trusted list of CA’s
,
it uses the public key provided in (2)
to create a session key.
-
Finally, the browser and the server encrypt data
over the connection using the session key.
Having a CA-issued
digital certificate
with its public keys stored on the trusted list
indicates to a cellphone
that it can "trust" the proxy HTTPS
responses.
Without this, we cannot intercept secure channel traffic.
As we don’t have a CA
we are going to create a self-signed one.
First, we generate the certificate
with 3650 days of validity
and using a SHA256
hash.
It will also request some information.
We can put our personal/company information here
or leave it blank:
Generating the certificate
$ openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -outform der -keyout fluidattacks.key -out fluidattacks.der -extensions v3_ca
Generating a RSA private key
writing new private key to 'fluidattacks.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CO
State or Province Name (full name) [Some-State]:Antioquia
Locality Name (e.g., city) []:Medellin
Organization Name (e.g., company) [Internet Widgits Pty Ltd]:Fluid Attacks
Organizational Unit Name (eg, section) []:Fluid Attacks
Common Name (e.g., server FQDN or YOUR name) []:Fluid Attacks
Email Address []:[email protected]
After generating the certificate,
we have to convert it to PEM
in order to import it into the phone,
and DER
to import it into burp
:
Converting the cert
$ openssl x509 -inform DER -outform PEM -text -in fluidattacks.der -out fluidattacks.pem
$ openssl rsa -in fluidattacks.key -inform pem -out fluidattacks.key.der -outform der
Finally, we export our key into a PKCS8
file
in order to import it to burp
:
Modifying for burp
$ openssl pkcs8 -topk8 -in fluidattacks.key.der -inform der -out fluidattacks.key.pkcs8.der -outform der -nocrypt
Once we have all the files,
we need to start configuring our phones.