Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan
Basic Terms Public Key Cryptographic Standards, PKCS A collection of 12 papers PKCS #1 to PKCS #12 developed by RSA Labs and representatives from the academia and industry. PKCS #1RSA Algorithm PKCS #3Diffie-Hellman Algorithm PKCS #7Cryptographic Message Syntax Std PKCS #10Key Certification Request PKCS #11Standard API for developers PKCS #12Certificate Interchange Format PKCS #13Elliptic Curves Algorithm
Basic Terms Digital Signatures DSS issued by NIST Message Digest Algorithms Non Reversible (One way function) Examples
Digital Certificates Certificates are the framework for identification information, and bind identities with public keys. They provide a foundation for identification, authentication and non-repudiation.
Sample View of a Certificate Certificate Types : Private/PersonalServerDeveloper
X.509 v3 Certificate Format Version Certificate Serial Number Signature Algorithm Identifier Issuer Name Validity Period Subject Name Subject Public Key Information Optional Fields
X.509 v3 Extension Fields Associate additional information for subjects, public keys, managing certification hierarchy and certificate revocation lists. Extension type Extension value Criticality indicator
X.509 Profiles Tailor the authentication model of X.509 to specific environments based on Risk perception. IETF Public Key Infrastructure (PKIX -1) : Application-independent certificate based key distribution mechanism. SET Standard : Secure messaging for payment-service transactions over open-networks.
Certification Authorities Trusted organization that issues certificates and maintains status information about certificates. Certification Practice Statement
How Digital Certificates work? Generate Public and Private Keys. Get Certificate from the CA Sign the document/page using the private key. Send signed document over open networks along with the CA’s certificate. Recipient verifies using the signing CA’s public key Trust Chain and Fingerprints
Web Server Security Server Authentication using SSL Information to/from the correct Web Site Information in encrypted form Setting up SSL on a Web Site Create a Server Certificate Request Obtain the Server Certificate from a CA/locally Install it on the Web Server Establishing an SSL connection Need root certificate of the issuing CA
Client Authentication Anonymous Basic Challenge Response (NT) SSL Client Authentication
Application Subject Authentication Certificate Generation Certificate Distribution Certificate Revocation Certification and Registration
Subject Authentication Confirm the identity of the subject Based on the class of certificate Local Registration Authority(LRA) model Example : Verisign Onsite
Importing a Certificate To send an encrypted message or document to a person who has a certificate. From a Certification AuthorityCertification Authority From a Directory Service (LDAP) From a signed message From a local file (encoded Binary PKCS #7)
Certificate Revocation Lists A data structure that has the list of all the serial numbers of the revoked certificates. Standard X.509 CRL format (ISO/ITU) Propagation Polling for CRLs Pushing CRLs Online status checking
Formal Specification ( PKCS #7 ) Abstract Syntax Notation (ASN.1) Design tool used for expressing syntax of messages. Widely used to describe protocols interfaces etc. PKCS #7 syntax for SignedData type ASN.1objects are encoded using BER/DER.
Key Certification Request PKCS #10 syntax using ASN.1 notation
Certificate Management Value and Validity of Certificates will be questioned Cross Certification (Multiple CA’s)
Applications of Certificates Sandbox Code Signing Vs Shrink-Wrapped Software Accountability and Authenticity Microsoft Authenticode 1.0 based on X.503 v3 and PKCS #7 Commercial Vs Individual Publishers Object Signing Netscape’s technology Signs any kind of Files
Applications (continued) Secure Messaging & S/MIME Web Server Security Microsoft ASP for Access Control