https://lapo.it/asn1js/

TLS 1.3: https://tls13.xargs.org/

TLS 1.2: https://tls12.xargs.org/

Bonus: An animated explanation on how elliptic curve crypto works: https://curves.xargs.org/

The app is a simple “quote generator”, similar to fortune. It will display a different line of text every time you load the page. I wanted to build this for displaying some quotes and catchphrases from my colleagues. From the initial idea to the first prototype took me about 1 hour.

First, make it work

The app in the most basic form consists of two python files: app.py and lines.py.

lines.py provides an array of strings:

lines = [
    "They did not do the needful.",
    "børk børk børk!",
    "lapopm",
    "User could not open cryptic email."
]

app.py contains the Flask app that makes things work. This is the most basic form that will only output a single string without formatting.

from flask import Flask
from lines import lines
import random

app = Flask(__name__)

@app.route("/", methods = ["GET"])
def ohwauw():
    wauw = random.choice(lines)
    return wauw

Then, make it pretty 🦋

The code above results in a rather bland page. Let’s use Flask’s template engine to add some formatting and css.

Here is our template, Flask expects it in templates\template_name.html relative to the app’s root directory.

<!DOCTYPE html>
<html>
    <head>
        <title>Oh Wauw! (tm)</title>
        <style>
            .wauw{
                width: 50%;
                text-align: center;
                font-family:'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
                margin: 0;
                position: absolute;
                top: 50%;
                left: 50%;
                transform: translate(-50%, -50%);
            }
        </style>
    </head>
    <body>
        <span class="wauw"><h1>{{wauw}}</h1></span>
    </body>
</html>

Now, we can pass the {{wauw}} parameter to the page:

@app.route("/", methods = ["GET"])
def ohwauw():
    wauw = random.choice(lines)
    return render_template('homepage.html', wauw=wauw)

Issuing a leaf certificate

This will create a certificate of the CertTemplateName template.

certreq -submit -attrib "CertificateTemplate:CertTemplateName" .\signing_request.csr

Issuing an issuing CA template

This assumes that the root CA is not running in enterprise CA mode. This command will create an issuing CA certificate valid for 1 (one) year.

certreq -attrib "CertificateTemplate:SubCA" -attrib "ValidityPeriod:1" -attrib"ValidityPeriodUnits:Years" .\SSL_CERT_R.csr

The certreq tool will then output a RequestId. Look this up in certsrv.msc, approve it and export the certificate.

If you pay close attention, it is even possible to work with this format outside of SQL server. Both decrypting and encrypting is possible, given that you can get the encryption key available outside of SQL Server. Using a HSM with the EKM integration is one way to do this, as SQL server has no native integration for exporting and importing keys.

Cryptographic message

Long story short:

• 16 bytes: key GUID
• x bytes: header
• x bytes: IV
• n bytes: ciphertext

Creating the ciphertext

The plaintext must be prepended with the following bytes:

• Magic number: 0x0DF0ADBA. Decryption will fail if the plaintext does not start with this number.
• Integrity bytes length: 0x0000 because we don’t use authentication in this example
• Plaintext Length: litle endian 16-bit integer. 12 bytes of plaintext will give 0x0C00
• IntegrityBytes: nothing, we don’t use this in this example

The header will have these bytes: 0x0DF0ADBA00000C00. The plaintext bytes follow immediately after it.

After these bytes, the padded plaintext follows. PKCS#5 padding seems to work just fine. The plaintext with header bytes is then fed into the AES-CBC cipher.

References

• https://techcommunity.microsoft.com/t5/sql-server-blog/sql-server-encryptbykey-cryptographic-message-description/ba-p/383541
• https://stackoverflow.com/questions/63666755/converting-uniqueidentifier-to-hex-string