Digital Certificates With Chuck Easttom
Digital Signatures Digital Signature is usually the encryption of a message or message digest with the sender's private key. To verify the digital signature, the recipient uses the sender's public key. Good digital signature scheme provides: authentication integrity non-repudiation RSA algorithm can be used to produce and verify digital signatures; another public-key signature algorithm is DSA.
Digital Signatures - Continued Normal Asymmetric Encryption Bob wants to send Alice a message that Eve cannot read Bob uses Alice’s public key. Even if Eve intercepts and has Alice’s public key, she cannot decrypt it. Only Alice’s PRIVATE key can decrypt. This protects confidentiality. Digital Signature Bob wants to send Alice a message and be able to have Alice know for a fact that it came from Bob Bob uses his own private key. Anyone who receives the message can use Bob’s public key to decrypt the message. If it works, then it must have been signed with Bob’s private key. This protects integrity.
What is a digital certificate? It is a digital ‘document’ that contains a public key and some information to allow your system to verify where that key came from.
What are certificates used for? Web Servers Authentication of Cisco Secure phones E-Commerce
X.509 The most widely used digital certificate standard. First issued in July 3, 1988 In the X.509 system, a certification authority issues a certificate binding a public key to a particular distinguished name in
X.509 certificates Relied on by S/MIME Issued by CA Provide public key Proof of corresponding private key Detailed info about yourself Digitally sign information Send request to CA Contains your name, info about you, and signature of person who issued certificate
X.509 certificate content Version Certificate holder’s public key Serial number Certificate holder’s distinguished name Certificate’s validity period Unique name of certificate issuer Digital signature of issuer Signature algorithm identifier
X.509 Certificate file extensions .pem - (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-- ---" and "-----END CERTIFICATE-----" .cer,.crt,.der - usually in binary DER form, but Base64- encoded certificates are common too (see.pem above) .p7b,.p7c - PKCS#7 SignedData structure without data, just certificate(s) or CRL(s) .p12 - PKCS#12, may contain certificate(s) (public) and private keys (password protected) .pfx - PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)
PGP certificates Defines its own format A single certificate can contain multiple signatures PGP certificate includes PGP version number Certificate holder’s public key Certificate holder’s information Digital signature of certificate owner Certificate’s validity period Preferred symmetric encryption algorithm for the key
PKI Public Key Infrastructure. The infrastructure for distributing digital certificates, that contain public keys. A PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA).
CA Certificate Authority. The primary role of the CA is to digitally sign and publish the public key bound to a given user. It is an entity trusted by one or more users to mange certificates. Verisign and Godaddy are two obvious examples.
CA - Verisign Class 1 for individuals, intended for . Class 2 for organizations, for which proof of identity is required. Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority. Class 4 for online business transactions between companies. Class 5 for private organizations or governmental security.
RA RA ( Registration Authority ) Used to take the burden off of a CA by handling verification prior to certificates being issued. RA acts as a proxy between user and CA. RA receives request, authenticates it and forwards it to the CA.
CRL Certificate Revocation List. It is a list of certificates that have been revoked for one reason or another.
OCSP Online Certificate Status Protocol is a real time protocol for verifying certificates.
SCVP The Server-based Certificate Validation Protocol (SCVP) is an Internet protocol for determining the path between a X.509 digital certificate and a trusted root (Delegated Path Discovery) and the validation of that path (Delegated Path Validation) according to a particular validation policy
Digital certificates Continued - Management Centralized key-management systems Decentralized key-management systems Three phases of key life-cycle Setup and initialization Administration Cancellation
Digital certificates Continued- Setup and initialization phase Process components Registration Key pair generation Certificate generation Certificate dissemination
Digital certificates Continued- Administration phase Key storage Certificate retrieval and validation Backup or escrow Recovery
Digital certificates Continued- Cancellation and history phase Expiration Renewal Revocation Suspension Destruction
Digital certificates Continued- Key recovery agents Person who can recover keys from the keystore on behalf of a user Highly-trusted person Issue recovery agent certificate EFS Recovery Agent certificate Key Recovery Agent certificate
Trust Models Hierarchical Single authority Web of trust
Certificates and Web Servers HTTPS means HTTP secured with either SSL (older) or TLS (newer). The certificate must be installed on the web server for the website to use HTTPS
SSL Secure Sockets Layer Developed by Netscape V 2.0 in 1995
TLS Transport Layer Security Successor to SSL Was first defined in RFC 2246 in January 1999 Is backward compatible with SSL 3.0 Transport Layer Security provides RSA encryption with 1024 and 2048 bit strengths. TLS also supports the more secure bilateral connection mode (i.e. mutual authentications), in which both ends of the communication session can verify each other. TLS 1.1 was defined in RFC 4346 in April 2006 TLS 1.2 was defined in RFC 5246 in August 2008.
Microsoft Certificate Services Certificate authority Web enrollment Online responder Network device enrollment
Windows Certificates certmgr.msc
Questions Now it is time for Q&A And don’t forget to check my website where you can get notes from my classes, find my blog, check out my FaceBook fan page (I put a tech tip up about 3 times a week), find out about my latest books, get lots of free tutorials.