Wednesday, November 24, 2021

Should you require to extract the product key from pre-installed MS Windows 10

There is no need to know the product key, since the machine has a digital entitlement. 

 If you need to reinstall MS Windows due to a reason out of many, you may think that you require the product key of the preinstalled with Windows 10. Really you don't require the product key. what happened is the hardware (your PC) will get a digital entitlement, where a unique signature of the computer will be stored on Microsoft Activation Servers.

Anytime you need to reinstall Windows 10 on that machine, just proceed to reinstall Windows 10. It will automatically reactivate. 

If you are prompted to enter a product key, click 'I don't have a key' and 'Do this later'

If you want to really find the product key:

  1. Open the command line as the administrator (Run As Administrator)
  2. Type the command:
    • wmic path SoftwareLicensingService get OA3xOriginalProductKey
  3. Hit enter, the product key will be revealed
  4. Copy the product key to a text file.

Monday, November 1, 2021

SSL/TLS Cipher Suites and Perfect Forward Secrecy

An SSL cipher, or an SSL cipher suite, is a set of algorithms or a set of instructions/steps that helps to establish a secure connection between two entities — usually the client (a user’s browser) and the web server they’re connecting to (your website).

Creating a secure, encrypted connection via the SSL/TLS protocol is a fairly complex process that has many layers to it. In technical terms, it’s regarded as an “SSL/TLS handshake.” This includes key exchange, identity verification, data encryption, etc.

To negotiate a secure communication, the client and the server need to come on terms with four crucial elements:

  1. Key exchange algorithm: RSA (Rivest–Shamir–Adleman), DH (Diffie-Hellman), ECDH (Elliptic-curve Diffie-Hellman), and ECDHE (Elliptic-curve Diffie-Hellman Ephemeral) are some of the most widely used key exchange algorithms.
  2. Bulk encryption algorithm: Encrypt messages exchanged between clients and servers. Ex. AES.
  3. Data encryption algorithm
  4. Hash function: Generate message hashes and signatures to ensure the integrity of a message

A cipher suite is a set of cryptographic algorithms that describes the above four elements.

This is an example of a cipher suite: 

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS : Protocol
  • ECDHE : The first part is the key exchange algorithm.
  • RSA: It uses a key signed with an RSA certificate authority which is supported by most internal certificate authorities
  • AES_256_GCM: The third section is the type of encryption algorithm used.
  • SHA384: The fourth component is the type of hashing algorithm used.
TLS 1.2, the most extensively used version of TLS in the world, has 37 ciphers in total. However, not all of them are safe enough to use. Here’s a list of some of the TLS 1.2 ciphers:
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

Perfect Forward Secrecy for TLS

Perfect Forward Secrecy (PFS) is a concept in Transport Layer Security (TLS) that makes sure that even if attackers manage to gain access to the private key of a certificate, they are not able to decrypt communication from the past (or communication in the future, without using active man in the middle attacks). For example, if the latest key is compromised, it exposes only a small portion of the user's sensitive data.

Example of Perfect Forward Secrecy cipher suites using ephemeral key agreement with  elliptic curve Diffie-Hellman key exchange:
TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES256_CBC_SHA384

Enabling perfect forward secrecy on your server: If you check the security details of a site and see that it is using "ECDHE" or "DHE" then the server is already using forward secrecy. Any key exchange that uses ephemeral keys provides forward secrecy.

Downsides of perfect forward secrecy: While they generally don't outweigh the benefits, like anything else, there are drawbacks to this type of security. To begin with, it usually requires greater processing power from a server since every transaction requires the generation of a unique encryption key. Ephemeral Elliptic Curve Diffie-Hellman is believed to be the faster of the two, but even it adds up to 20 percent greater SSL/TLS processing requirements to a server.

If you would like to test your implementation of SSL/TLS, following websites could be used:

https://www.ssllabs.com/ssltest

https://gf.dev/tls-scanner

https://www.digicert.com/help/

https://www.sslshopper.com/ssl-checker.html

 


Tuesday, October 12, 2021

How Often Should You Perform Security Vulnerability Assessments

Vulnerability scans shall be conducted after any major system, organization, or infrastructure change to identify any security gaps. Also vulnerability assessments are required to be conducted as per the information security program/strategy of the organization. Required frequencies as of industry standards are listed below.

  • ISO 27001: Requires quarterly external and internal vulnerability scans
  • HIPAA: Requires a thorough risk assessment and vulnerability process, which can be identified with vulnerability scanning
  • PCI DSS: Requires quarterly external and internal scans conducted by an ASV (Approved Scanning Vendor)
  • FISMA: Requires documentation and implementation of a vulnerability program to protect the availability, confidentiality, and integrity of IT systems
  • NIST: Requires either quarterly or monthly vulnerability scans depending on the particular NIST framework (8001-171, 800-53, etc.)

Overall, an industry best practice is to perform vulnerability scanning at least once per quarter.

Monday, July 26, 2021

One-way and two-way SSL authentication

How One-Way SSL Works?
Below is the high level description of the steps involved in establishment of connection and transfer of data between a client and server in case of one-way SSL:

  1. Client requests for some protected data from the server on HTTPS protocol. This initiates SSL/TLS handshake process.
  2. Server returns its public certificate to the client along with server hello message.
  3. Client validates/verifies the received certificate. Client verifies the certificate through certification authority (CA) for CA signed certificates.
  4. SSL/TLS client sends the random byte string that enables both the client and the server to compute the secret key to be used for encrypting subsequent message data. The random byte string itself is encrypted with the server’s public key.
  5. After agreeing on this secret key, client and server communicate further for actual data transfer by encrypting/decrypting data using this key.

How Two Way SSL Works?

In Two-Way SSL authentication, the client and server need to authenticate and validate each others identities. The authentication message exchange between client and server is called an SSL handshake, and it includes the following steps:

  • A client requests access to a protected resource.
  • The server presents its certificate to the client.
  • The client verifies the server's certificate.
  • If successful, the client sends its certificate to the server.
  • The server verifies the client’s credentials.
  • If successful, the server grants access to the protected resource requested by the client.


The above steps are elaborated below in more technical terms and how the communication is established in a practical scenario.

1. Client Hello from client to server
    a. Client version (List of all SSL/TLS protocols client supports)
    b. Client random (A 32 byte random number to be used for generating encryption key)
    c. Session ID (blank if a new session)
    d. Compression method (Compression method to be used if compression is needed for SSL packets)
    e. Cipher suites (List of all cipher suites supported by client. Preferred one is first in the list)
    
2. Server Hello from server to client
    a. Server version (List of all SSL/TLS protocols server selected from client's provided list)
    b. Server random (A 32 byte random number to be used for generating encryption key)
    c. Session ID (Client provided session ID or a new ID in case of a new session)
    d. Compression method (Selected compression method to be used from the list provided by the client)
    e. Cipher suites (Selected cipher suite from the client's provided list)
    
3. Server Certificate from the server to client
    Server sends its certificate to the client containing public key of the server. This certificate
    acts as an identity of the server. Clients validate this certificate to ensure that it is not
    expired, it is issued by a trusted CA, it's digital signature is valid.
    
4. Certificate Request from server to client
    From mutual (2 Way) authentication, server sends a certificate request to the client
    
5. Server Hello Done from Server to Client
    Server confirms to the client that the server Hello message is finished.
    
6. Client Certificate from Client to Server
    TO enable SSL/TLS communication with two-way ssl, client sends it signed certificate to the server
    
7. Client Key Exchange from Client to server
    Client creates a pre-master secret and sends it to the server by encrypting it with server's public key.
    After decrypting pre-master key successfully, client and server will generate master secret using client
    random and server random communicated earlier. This master secret will be used to create session key for
    encrypting /decrypting data fro the entire session.
    
8. Client change cipher spec from client to server
    At this point, the client is ready to switch to a secure, encrypted communication. The change cipher spec
    protocol is used to change the encryption. Any data sent by the client from now on will be encrypted using
    the shared symmetric key.
    
9. Client handshake finished from Client to server
    At this step, handshake is completed from the client side and this becomes the first encrypted message for
    the created session.
    
10. Server change cipher spec from server to client
    The server is also ready to switch to an encrypted communication. Any data sent by the server from now on
    will be encrypted using the symmetric shared key.
    
11. Server handshake finished.
    The server completes the handshake by sending this message encrypted with the shared secret key.

The . pfx file, which is in a PKCS#12 format, contains the SSL certificate (public keys) and the corresponding private keys. When setting up two-way ssl communication, if the requirement is to share .pfx key with the other party, they will get the private key also.

What does SSL certificate include?
An SSL certificate contains information of the owner/organization, its location public key, validity dates, etc. It is mandatory that a valid certificate authority (CA) has validated the certificate.

Does SSL certificate contain private key?
All TLS certificates require a private key to work. The private key is a separate file that’s used in the encryption/decryption of data sent between your server and the connecting clients.

The certificate authority (CA) providing your certificate (such as DigiCert) does not create or have your private key. A private key is created by us — the certificate owner — when we request SSL certificate with a Certificate Signing Request (CSR). It should be saved safely on the server where it is generated. Private key should not be sent to anyone, as that can compromise the security of your certificate.

If you are yet to install your certificate, then the most likely location of your private key is on the computer or server where you generated the key pair and CSR. When you generated the key pair, you saved two files: one that contains the public key and one that contains the private key.

On Windows servers, the OS manages your certificate files for you in a hidden folder, but you can retrieve the private key by exporting a “.pfx” file that contains the certificate(s) and private key. Open Microsoft Management Console (MMC). In the Console Root expand Certificates (Local Computer). Your server certificate will be located in the Personal or Web Server sub-folder. Locate and right-click the certificate, identified by the Common Name, select Export and follow the guided wizard.




Wednesday, May 12, 2021

Uninstall Windows Update with Command Prompt

Use of WUSA command tool to uninstaill

If you are unable to remove an update from the Settings app or Control Panel, you can also use the Windows Update Standalone Installer, or wusa.exe, command line program to uninstall Windows updates.

In order to use this tool, you will need to know the KB number of the Windows update. To uninstall an update, open an Elevated Command Prompt (admin) and then type the following command after replacing the KB ID with the one that you wish to uninstall: wusa /uninstall /kb:[id]

Ex: #wusa /uninstall /KB:4023057 

Use DISM command tool to repair

When Safe Mode, Last Known Working Config, Startup Repair, System Restore are not helpful, try Deployment Image Servicing and Management (DISM).

DISM command with RestoreHealth option

If there are problems with the system image, you can use DISM with the RestoreHealth option to scan and repair common issues automatically.

From the System Recovery Command Prompt run the following command:
# dism /online /get-packages

This will produce a list of installed updates and packages. They will look like this:
           Package Identity: Package_for_KB978262~31bf3856ad364e35~x86~~6.1.1.0
           State: Installed
           Release Type: Security Update
           Install Time: 2/11/2010 1:01 PM

Find the most recent one and then make a note of the package identity.
Then run the following command:
# dism /online /remove-package /PackageName:Package_for_KB978262~31bf3856ad364e35~x86~~6.1.1.0
           Note: Name of update is from previous step which may vary.

You will get a status of the removal until it is complete. Then reboot your PC.
You will want to start with the most recent and remove them one at a time to find the problem update.

Reference:
[1] https://www.windowscentral.com/how-use-dism-command-line-utility-repair-windows-10-image