Presentation is loading. Please wait.

Presentation is loading. Please wait.

Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.

Published byCaroline Montgomery Modified over 9 years ago

Similar presentations

Presentation on theme: "Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's."— Presentation transcript:

1 Digital Certificates With Chuck Easttom

2 Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's private key. To verify the digital signature, the recipient uses the sender's public key. Good digital signature scheme provides:  authentication  integrity  non-repudiation  RSA algorithm can be used to produce and verify digital signatures; another public-key signature algorithm is DSA.

3 Digital Signatures - Continued Normal Asymmetric Encryption  Bob wants to send Alice a message that Eve cannot read  Bob uses Alice’s public key.  Even if Eve intercepts and has Alice’s public key, she cannot decrypt it.  Only Alice’s PRIVATE key can decrypt. This protects confidentiality. Digital Signature  Bob wants to send Alice a message and be able to have Alice know for a fact that it came from Bob  Bob uses his own private key.  Anyone who receives the message can use Bob’s public key to decrypt the message. If it works, then it must have been signed with Bob’s private key. This protects integrity.

4 What is a digital certificate?  It is a digital ‘document’ that contains a public key and some information to allow your system to verify where that key came from.

5 What are certificates used for?  Web Servers  Authentication of Cisco Secure phones  E-Commerce

6 X.509  The most widely used digital certificate standard.  First issued in July 3, 1988  In the X.509 system, a certification authority issues a certificate binding a public key to a particular distinguished name in

7 X.509 certificates  Relied on by S/MIME  Issued by CA  Provide public key  Proof of corresponding private key  Detailed info about yourself  Digitally sign information  Send request to CA  Contains your name, info about you, and signature of person who issued certificate

8 X.509 certificate content  Version  Certificate holder’s public key  Serial number  Certificate holder’s distinguished name  Certificate’s validity period  Unique name of certificate issuer  Digital signature of issuer  Signature algorithm identifier

9 X.509 Certificate file extensions .pem - (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-- ---" and "-----END CERTIFICATE-----" .cer,.crt,.der - usually in binary DER form, but Base64- encoded certificates are common too (see.pem above) .p7b,.p7c - PKCS#7 SignedData structure without data, just certificate(s) or CRL(s) .p12 - PKCS#12, may contain certificate(s) (public) and private keys (password protected) .pfx - PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)

10 PGP certificates  Defines its own format  A single certificate can contain multiple signatures  PGP certificate includes  PGP version number  Certificate holder’s public key  Certificate holder’s information  Digital signature of certificate owner  Certificate’s validity period  Preferred symmetric encryption algorithm for the key

11 PKI  Public Key Infrastructure. The infrastructure for distributing digital certificates, that contain public keys. A PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA).

12 CA  Certificate Authority. The primary role of the CA is to digitally sign and publish the public key bound to a given user. It is an entity trusted by one or more users to mange certificates.  Verisign and Godaddy are two obvious examples.

13 CA - Verisign  Class 1 for individuals, intended for email.  Class 2 for organizations, for which proof of identity is required.  Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority.  Class 4 for online business transactions between companies.  Class 5 for private organizations or governmental security.

14 RA  RA ( Registration Authority ) Used to take the burden off of a CA by handling verification prior to certificates being issued. RA acts as a proxy between user and CA. RA receives request, authenticates it and forwards it to the CA.

15 CRL  Certificate Revocation List. It is a list of certificates that have been revoked for one reason or another.

16 OCSP  Online Certificate Status Protocol is a real time protocol for verifying certificates.

17 SCVP  The Server-based Certificate Validation Protocol (SCVP) is an Internet protocol for determining the path between a X.509 digital certificate and a trusted root (Delegated Path Discovery) and the validation of that path (Delegated Path Validation) according to a particular validation policy

18 Digital certificates Continued - Management  Centralized key-management systems  Decentralized key-management systems  Three phases of key life-cycle  Setup and initialization  Administration  Cancellation

19 Digital certificates Continued- Setup and initialization phase  Process components  Registration  Key pair generation  Certificate generation  Certificate dissemination

20 Digital certificates Continued- Administration phase  Key storage  Certificate retrieval and validation  Backup or escrow  Recovery

21 Digital certificates Continued- Cancellation and history phase  Expiration  Renewal  Revocation  Suspension  Destruction

22 Digital certificates Continued- Key recovery agents  Person who can recover keys from the keystore on behalf of a user  Highly-trusted person  Issue recovery agent certificate  EFS Recovery Agent certificate  Key Recovery Agent certificate

23 Trust Models Hierarchical Single authority Web of trust

24 Certificates and Web Servers  HTTPS means HTTP secured with either SSL (older) or TLS (newer).  The certificate must be installed on the web server for the website to use HTTPS

25 SSL  Secure Sockets Layer  Developed by Netscape  V 2.0 in 1995

26 TLS  Transport Layer Security  Successor to SSL  Was first defined in RFC 2246 in January 1999  Is backward compatible with SSL 3.0  Transport Layer Security provides RSA encryption with 1024 and 2048 bit strengths.  TLS also supports the more secure bilateral connection mode (i.e. mutual authentications), in which both ends of the communication session can verify each other.  TLS 1.1 was defined in RFC 4346 in April 2006  TLS 1.2 was defined in RFC 5246 in August 2008.

27 Microsoft Certificate Services  Certificate authority  Web enrollment  Online responder  Network device enrollment

28 Windows Certificates  certmgr.msc

29 Questions  Now it is time for Q&A  And don’t forget to check my website www.ChuckEasttom.com where you can get notes from my classes, find my blog, check out my FaceBook fan page (I put a tech tip up about 3 times a week), find out about my latest books, get lots of free tutorials. www.ChuckEasttom.com

Download ppt "Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
CP3397 ECommerce.

CP3397 ECommerce.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI)
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
PGP Overview 2004/11/30 Information-Center meeting peterkim.

PGP Overview 2004/11/30 Information-Center meeting peterkim.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Cryptography in e-Business Guest Lecture, November 13, 2006, Olin College Steven R. Gordon Prof. of Info Tech Management Babson College.

Cryptography in e-Business Guest Lecture, November 13, 2006, Olin College Steven R. Gordon Prof. of Info Tech Management Babson College.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Similar presentations

Ads by Google