From cd3fb8040f1b7c91ed598a8ad8d5c4d3d5721ff3 Mon Sep 17 00:00:00 2001 From: Jonathan Thompson Date: Sat, 8 Feb 2020 23:00:08 -0800 Subject: [PATCH] Typo and grammar corrections for the crypto lessons (#756) * Correct typos and grammar errors. * Revert one grammar change --- .../src/main/resources/lessonPlans/en/encryption.adoc | 10 +++++----- .../src/main/resources/lessonPlans/en/signing.adoc | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/encryption.adoc b/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/encryption.adoc index 60cf23a77..ab8bbed50 100644 --- a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/encryption.adoc +++ b/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/encryption.adoc @@ -11,7 +11,7 @@ Example protocols are: == Asymmetric encryption -Asymmetric encryption is based on mathematical principals that consist of a key pair. The two keys are usually called a private key and a public key. The private key needs to be protected very well and is only known to one party. All others can freely use the public key. Something encrypted with the private key can be decrypted by all that have the public key, and something encryted with the public key can only be decrypted with the private key. +Asymmetric encryption is based on mathematical principles that consist of a key pair. The two keys are usually called a private key and a public key. The private key needs to be protected very well and is only known to one party. All others can freely use the public key. Something encrypted with the private key can be decrypted by all that have the public key, and something encrypted with the public key can only be decrypted with the private key. Example protocols are: 
@@ -23,10 +23,10 @@ Example protocols are: Here is a short description of what happens if you open your browser and go to an https site. * Your browser connects to the server and gets the webserver certificate -* Your browser checks if it trusts the certificate issuer by checking if the issuer certificate is in its trust store. This trust store is managed by operating and browser updates. And on some coroporate networks it is managed by the company. From the certificate the browser obtains the public key. -* The browser now generates random bytes to be used to generate a symmetric key and encrypts this the public key of the server. So only the server can decrypt it. -* At the end of this process both the browser and the webserver will use the exchanged symmetric key (in the asymmetric key exchange process) to encrypt and decrypt messages that are send back and forth between the browser and the webserver. +* Your browser checks if it trusts the certificate issuer by checking if the issuer certificate is in its trust store. This trust store is managed by operating system and browser updates. And on some corporate networks it is managed by the company. From the certificate the browser obtains the public key. +* The browser now generates random bytes to be used to generate a symmetric key and encrypts this with the public key of the server. So only the server can decrypt it. +* At the end of this process both the browser and the webserver will use the exchanged symmetric key (in the asymmetric key exchange process) to encrypt and decrypt messages that are sent back and forth between the browser and the webserver. -Symmetric keys are used because it can be used more safely for large amounts of data. +Symmetric keys are used because they can be used more safely for large amounts of data. 
diff --git a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/signing.adoc b/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/signing.adoc index 5cfc3a7bf..881f585f3 100644 --- a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/signing.adoc +++ b/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/signing.adoc @@ -2,7 +2,7 @@ A signature is a hash that can be used to check the validity of some data. The signature can be supplied separately from the data that it validates, or in the case of CMS or SOAP can be included in the same file. (Where parts of that file contain the data and parts contain the signature). -Signing is used when integrity is important. It is meant to be a guarantee that data send from A to B was not altered. So A signs the data by calculating the hash of the data and encrypting that hash using an assymmetric private key. B can then verify the data by calculating the hash of the data and decrypting the signature to compare if both hashes are the same. +Signing is used when integrity is important. It is meant to be a guarantee that data sent from A to B was not altered. So A signs the data by calculating the hash of the data and encrypting that hash using an asymmetric private key. B can then verify the data by calculating the hash of the data and decrypting the signature to compare if both hashes are the same. == RAW signatures @@ -12,7 +12,7 @@ A raw signature is usually calculated as follows: * encrypt the hash using an asymmetric private key (e.g. RSA 2048 bit key) * (optionally) encode the binary encrypted hash using base64 encoding -B will have to get the certificate with the public key as well. This might have been exchanged before. So at least 3 files are involved. The data, the signature and the certificate. +B will have to get the certificate with the public key as well. This might have been exchanged before. So at least 3 files are involved: the data, the signature and the certificate. == CMS signatures 
@@ -21,7 +21,7 @@ A CMS signature is a standardized way to send data + signature + certificate wit == SOAP signatures A SOAP signature also contains data and the signature and optionally the certificate. All in one XML payload. There are special steps involved in calculating the hash of the data. This has to do with the fact that the SOAP XML sent from system to system might introduce extra elements or timestamps. -Also, SOAP Signing offers the posibility to sign different parts of the message by different parties. +Also, SOAP Signing offers the possibility to sign different parts of the message by different parties. == Email signatures
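Review bot: in the encryption.adoc hunk at @@ -11,7 +11,7 @@, the corrected line still reads "mathematical principles that consist of a key pair", which says the principles, not the scheme, are made of keys; since the sentence is being touched anyway, consider "Asymmetric encryption is based on mathematical principles and uses a key pair." The principals/principles and encryted/encrypted fixes themselves are correct.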
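Review bot: in the encryption.adoc hunk at @@ -23,10 +23,10 @@, the new last line "they can be used more safely for large amounts of data" keeps a vague claim: the reason the handshake switches to a symmetric key is that symmetric ciphers are far faster and handle data of any length, while the asymmetric step is expensive and limited to small inputs; suggest "because they are far more efficient for large amounts of data". In the same hunk, the sentence beginning "And on some corporate networks" would read better joined to the one before it: "...managed by operating system and browser updates, and on some corporate networks by the company."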
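Review bot: in the signing.adoc hunk at @@ -2,7 +2,7 @@, the clause "decrypting the signature to compare if both hashes are the same" is still ungrammatical after the sent/asymmetric fixes; suggest "decrypting the signature and checking that the two hashes match". Describing signing as encrypting a hash with the private key is an RSA-specific simplification, so a short qualifier there would help readers, but that is a content change outside the scope of a typo patch.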
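Review bot: in the signing.adoc hunk at @@ -12,7 +12,7 @@, the colon fix is right; two small style points on the same line: "at least 3 files" would normally be spelled out as "at least three files" in prose, and "This might have been exchanged before" reads more naturally as "beforehand".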
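Review bot: in the signing.adoc hunk at @@ -21,7 +21,7 @@, "SOAP Signing" capitalizes "Signing" while the "== SOAP signatures" heading and the surrounding text use lowercase; suggest "SOAP signing" alongside the posibility/possibility fix.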