About PKI Certificates Dartmouth College PKI Lab.

Slides:



Advertisements
Similar presentations
Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
Advertisements

Digital Certificate Installation & User Guide For Class-2 Certificates.
Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Digital Certificate Installation & User Guide For Class-2 Certificates.
Digital Certificate Installation & User Guide For Class-2 Certificates.
CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.
CP3397 ECommerce.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication (Part B)
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Mobile Credentials Ennio J. Carboni Product Manager, Keon PKI
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Identity and Access IDGo Secure (ISE) for Android Didier Bonnet April 2015.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Masud Hasan Secure Project 1. Secure It uses Digital Certificate combined with S/MIME capable clients to digitally sign and.
Identity and Access IDGo Secure (ISE) for Android Didier Bonnet November 2014.
Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)
Digital Certificate Installation & User Guide For Class - 2 Certificates.
X.509 Certificate management in.Net By, Vishnu Kamisetty
Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Digital Certificates Made Easy Sam Lutgring Director of Informational Technology Services Calhoun Intermediate School District.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Unit 1: Protection and Security for Grid Computing Part 2
Configuring Directory Certificate Services Lesson 13.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Certificate revocation list
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
06 APPLYING CRYPTOGRAPHY
Module 9: Fundamentals of Securing Network Communication.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
Introduction to Public Key Infrastructure January 2004 CSG Meeting Jim Jokl.
IST E-infrastructure shared between Europe and Latin America ULAGrid Certification Authority Vanessa Hamar Universidad de Los.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Creating and Managing Digital Certificates Chapter Eleven.
1 Thuy, Le Huu | Pentalog VN Web Services Security.
1 Public Key Infrastructure Rocky K. C. Chang 6 March 2007.
GRID-FR French CA Alice de Bignicourt.
Key management issues in PGP
Cryptography and Network Security
Product Manager, Keon PKI
S/MIME T ANANDHAN.
کاربرد گواهی الکترونیکی در سیستمهای کاربردی (امضای دیجیتال)
Installation & User Guide
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
PKI (Public Key Infrastructure)
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Presentation transcript:

About PKI Certificates Dartmouth College PKI Lab

X.509 Certificate Defined A type that binds an entity's distinguished name to a public key with a digital signature. This type is defined in the Internet X.509 Public Key Infrastructure (PKIX) Certificate and CRL Profile. This type also contains the distinguished name of the certificate issuer (the signer), an issuer-specific serial number, the issuer's signature algorithm identifier, a validity period, and extensions also defined in that document.

X.509 Certificate Defined 2 Data associated with a private key and containing a public key that provides information about: Identities of the issuer and subject Certificate validity dates and CRL location Certificate intended uses Serial number Other certificate information

X.509 Certificate Format version serialNumber signature issuer validity subject subjectPublicKeyInfo issuerUniqueIdentifier subjectUniqueIdentifier Extensions Certificate information is contained in ASN.1 structures.

Certificate Encodings DER is a binary encoding of the X.509 ASN.1 structures. PEM is the base 64 encoded version of DER. (For situations where binary format won’t work.) Text is a human-readable version of the ASN.1 structures.

PEM Example -----BEGIN CERTIFICATE----- MIIEbDCCA1SgAwIBAgICBAEwDQYJKoZIhvcNAQEFBQAwdzETMBEGCgmSJomT8ixk ARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMx GjAYBgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYDVQQDExNEYXJ0bW91dGgg Q2VydEF1dGgxMB4XDTAzMTAyNDE1MDg1OFoXDTAzMTAyNDE5MDg1OFowgaIxEzAR BgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJ BgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVnZTEZMBcGA1UEAxMQ TWFyayBKLiBGcmFua2xpbjEsMCoGCSqGSIb3DQEJARYdTWFyay5KLkZyYW5rbGlu QERhcnRtb3V0aC5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK2Xsb+0 +ENqEwgu15Sthv47iKJ89O1ci0TLdbVYoFV92wDykX68+m2Z0NSBiM+mQqjDk8c6 USnAvwDZUtMVK5CU9kf9/hiCXmVxbFLgsqbpVEPzc83SGQ3fS70PuFeu00MdTRI6 +thtwTF/n7ZfGFc2XGTKXMnwqCh8cbOP7H5NAgMBAAGjggFYMIIBVDARBglghkgB hvhCAQEEBAMCBaAwDgYDVR0PAQH/BAQDAgXgMIGiBgNVHSAEgZowgZcwgZQGCisG AQQBQQIBAQEwgYUwPQYIKwYBBQUHAgIwMTAYFhFEYXJ0bW91dGggQ29sbGVnZTAD AgEBGhVEYXJ0bW91dGggQ29sbGVnZSBDUFMwRAYIKwYBBQUHAgEWOGh0dHA6Ly93 d3cuZGFydG1vdXRoLmVkdS9+cGtpbGFiL0RhcnRtb3V0aENQU180U2VwMDMucGRm MCgGA1UdEQQhMB+BHU1hcmsuSi5GcmFua2xpbkBEYXJ0bW91dGguZWR1MB8GA1Ud IwQYMBaAFD/A1senTwB+7waZZ2y8lh5No3cSMD8GCCsGAQUFBwEBBDMwMTAvBggr BgEFBQcwAYYjaHR0cDovL2NvbGxlZ2VjYS5kYXJ0bW91dGguZWR1L29jc3AwDQYJ KoZIhvcNAQEFBQADggEBAB5+LvOPrCt6s6Hvba5a7WENTLxhh7r2KUZIDH7Y1PJ8 cUN5EfKAUoT00walcTIqCfexLpWJMk38oF4gTMwk3sabNEjfQwmdmsJSh2R6eBDL d658t94DpGxXw2U3rzDzFDc4lozK9cBn9GRt4w3py31Bz2DDzc4mjscEid44AV3V hLhI0ZqlWrqWWutW1Dugqol8A6APVGMjhZsYS5fFUe88LdvZgnb9UpDcOAPUoeN5 Rvl/aibNweyCBFU/MqII0Yxf1wrc+wg0R2gy+WaVqyK05ddwxwVJ94aZmAHGL6zO 7FjPU9XwLGBQfHbnbtfRZUech+ZQhjLlpXyYxRQ1KgM= -----END CERTIFICATE-----

Text Example Certificate: Data: Version: v3 Serial Number: 0x401 Signature Algorithm: SHA1withRSA Issuer: CN=Dartmouth CertAuth1,O=Dartmouth College,C=US,DC=dartmouth,DC=edu Validity: Not Before: Friday, October 24, :08:58 AM EDT America/New_York Not After: Friday, October 24, :08:58 PM EDT America/New_York Subject: J. Franklin,O=Dartmouth College,C=US,DC=dartmouth,DC=edu Subject Public Key Info: Algorithm: RSA Public Key: Exponent: Public Key Modulus: (1024 bits) : AD:97:B1:BF:B4:F8:43:6A:13:08:2E:D7:94:AD:86:FE: 3B:88:A2:7C:F4:ED:5C:8B:44:CB:75:B5:58:A0:55:7D: DB:00:F2:91:7E:BC:FA:6D:99:D0:D4:81:88:CF:A6:42: A8:C3:93:C7:3A:51:29:C0:BF:00:D9:52:D3:15:2B:90: 94:F6:47:FD:FE:18:82:5E:65:71:6C:52:E0:B2:A6:E9: 54:43:F3:73:CD:D2:19:0D:DF:4B:BD:0F:B8:57:AE:D3: 43:1D:4D:12:3A:FA:D8:6D:C1:31:7F:9F:B6:5F:18:57: 36:5C:64:CA:5C:C9:F0:A8:28:7C:71:B3:8F:EC:7E:4D Extensions: Identifier: Netscape Certificate Type Critical: no Certificate Usage: SSL Client Secure Identifier: Key Usage: Critical: yes Key Usage: Digital Signature Non Repudiation Key Encipherment Identifier: CertificatePolicies

Certificate Viewer Example

Certificate Revocation List (CRL) Defined A type that contains information about certificates whose validity an issuer has prematurely revoked. The information consists of an issuer name, the time of issue, the next scheduled time of issue, a list of certificate serial numbers and their associated revocation times, and extensions. The CRL is signed by the issuer.

Certificate Revocation List (CRL) Defined 2 A secured list of no longer trusted certificates provided by a Certificate Authority so applications can reject otherwise valid certificates that are compromised or otherwise invalid before their validity period expires. Issued periodically or as needed. Checked by applications at certificate verification time. OCSP protocol provides an alternative which can be an online service.

CRL Format version signature issuer thisUpdate nextUpdate revokedCertificates crlEntryExtensions crlExtensions

CRL Example

CRL Example 2

Certificate Viewers Windows (invoked from IE, desktop, other applications) Mozilla/Thunderbird (invoked from Preferences in Mozilla or Account Options in Thunderbird) Other applications Demos of Certificate Viewers Windows Mozilla

About PKI Key Stores Dartmouth College PKI Lab

Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate A function of their client computer and software Should be locally password protected Should be encrypted and/or protected by specialized hardware May be provided by OS or by application(s) May hold the only copy of a private key

Key Store Anatomy (first look before we launch into details)

Key Store Interfaces Microsoft Windows CAPI RSA PKCS#11 RSA PKCS#12 Java Keystore Application specific

Browsers and Key Stores Browsers provide one of the most common ways to access key stores GUI for key generation and certificate enrollment Viewing and manipulating certificates and keys Import/export Mozilla/Netscape/FireFox does PKCS#11 Internet Explorer/Windows does CAPI

Key Store Types “Software” –Keys encrypted in a file “Hardware” –Keys stored on specialized hardware tokens

OS Key Stores CAPI: Microsoft Windows CryptoAPI “Keychain” from Apple Many Windows applications use CAPI; others have their own key store.

“Software” Key Store Stores certificates and encrypted keys on the local computer’s file system Encryption is password protected Relatively vulnerable to key theft (depending on implementation) Requires exporting and importing to use the key on another computer or in a different key store on the same computer All PKI applications support this type of key store – for some it is the only type supported.

“Hardware” Key Store Stores certificates and keys in special purpose hardware (typically USB token or smart card and reader) Much higher assurance - the key cannot be used without the user’s password, but still not unbreakable Allows easy private key mobility between computers and applications Two-factor security (need token plus password to do anything) makes hardware key stores much more secure than software key stores

PKCS#11 Standard developed by RSA to provide applications with a key store and PKI cryptographic functions Used by Mozilla on all OSes (even Windows) Has a lower-level API for plugging in different implementations (enables hardware tokens) Open source implementations available Similar to MS CAPI – unfortunately MS opted to not support PKCS#11

Microsoft CAPI (AKA CryptoAPI) Microsoft Windows “standard” API for providing PKI functionality to applications Provides: – Key store function –Cryptographic operations using the key store and certificate –GUI for managing certificates and keys –Facilities to create, import, and export certificates and keys Cryptographic Service Provider (CSP) layer allows 3 rd party software, token, and smartcard solutions Microsoft’s software key store CSP has some issues

Key Store Anatomy (revisited now that we are familiar with the pieces)

Application Key Stores Some applications don’t use either CAPI or PKCS#11 Adds undesirable complexity for average end user Incompatible with hardware keys (since they can only support PKCS#11 and CAPI/CSP interfaces) Require exporting and importing certificates/keys AOL AIM has its own key store Java keystores becoming more utilized

How PKI Uses Passwords Passwords protect local key stores Stored and managed locally by the user Never stored on servers (an important feature – passwords on servers and traversing a network are more vulnerable) User provides the password to “unlock” their private key – all other operations use asymmetric key cryptography

User Accounts Windows CAPI stores software keys in each user’s profile If user accounts are secure, then CAPI keys are protected by the Windows logon security

PKCS#7 and PKCS#12 More RSA standards No awards for imaginative names… PKCS#7 is general syntax for data that may have cryptography applied to it PKCS#12 specifies secure containers for transporting PKI certificates with private keys