Published by Gertrude Johnston. Modified over 9 years ago.
1
Certificate-Based Operations
2
Module Objectives
By the end of this module participants will be able to:
Define how cryptography is used to secure information from unintended audiences
Identify the information stored in a digital certificate
Describe how digital certificates are used for authentication on the FortiGate unit
Create a certificate request and submit the request to an authorized CA
Import digital certificates onto the FortiGate unit
Describe how SSL content inspection is performed
3
Cryptography
Diagram labels: Internet
4
Cryptography
Cryptography provides a base for protecting data exchanged between two parties in an electronic transaction.
Elements include:
Data privacy
Data integrity
Authentication
Non-repudiation
Click here to read more about cryptography
5
Cryptography – Data Privacy
Diagram label: ? (the intruder's view of the data in transit)
6
Cryptography – Data Privacy
Encryption can be used to hide information as it travels across the network.
Data is private while in transit, since the encrypted information is unintelligible to an intruder.
Only the intended recipient has the ability to decipher (decrypt) the data.
7
Cryptography – Data Integrity
Diagram labels: Data as created; Data as received; Match
8
Cryptography – Data Integrity
Allows the recipient to verify that information has not been modified while in transit.
Data as created matches the data as received.
Data has not been tampered with between sender and recipient.
9
Cryptography – Authentication
Diagram labels: Identity information appended to data; Sender identity verified and trusted
10
Cryptography – Authentication
Recipient can verify the identity of trusted senders.
Confirms the origin of the data.
11
Cryptography – Non-Repudiation
Diagram labels: Identity information appended to data; Sender cannot deny participating in exchange
12
Cryptography – Non-Repudiation
Sender cannot deny participating in the transaction at a later date.
Identity information binds the sender to the data exchanged.
13
Symmetric Cryptography Algorithm
Diagram: at sender, Plaintext -> Symmetric algorithm -> Encrypted text; at recipient, Encrypted text -> Symmetric algorithm -> Plaintext. Key: random number between 40 and 256 bits.
14
Symmetric Cryptography
The key used to encrypt is the same as the one used to decrypt.
This key must be shared between the sender and the recipient.
Key must be securely delivered to the recipient before they can decrypt the data.
Conversion from plaintext to encrypted text and back is fast.
Suitable for bulk data.
Key management issues: the number of keys that must be managed by a user increases with the size of the community.
15
Asymmetric Cryptography
Symmetric Cryptography: each user holds one key for each recipient they communicate securely with. This key must be securely delivered to each recipient.
Asymmetric Cryptography: each user holds a pair of keys; one key is freely distributed (public key), the other key is kept secret by the holder (private key).
Diagram labels: Public; Private
16
Asymmetric Cryptography
Diagram labels: Public; Private (one key pair per user)
Data encrypted using the public key must be decrypted using the private key.
Data encrypted using the private key must be decrypted using the public key.
17
Asymmetric Cryptography
Public and private keys work as matched pairs.
Any operation performed with one key (for example, encryption) must be undone (for example, decryption) with the other key in the pair.
18
Asymmetric Cryptography
Diagram labels: Public database; Public; Private (one key pair per user)
19
Asymmetric Cryptography
Public keys can be made available to the community of users through a public repository or distributed by any other method.
Public key is freely available.
Private key must be stored securely and be accessible only to the key holder.
Must be password protected to prevent unauthorized access.
20
Asymmetric Cryptography Algorithm
Diagram: at sender, Plaintext -> Asymmetric algorithm (Public key) -> Encrypted text; at recipient, Encrypted text -> Asymmetric algorithm (Private key) -> Plaintext.
21
Asymmetric Cryptography
Key lengths are longer: 512 to over 8,000 bits.
Only the intended recipient will have the private key to decrypt.
Private key must be kept secure.
Removes the need to deliver a secret key to the recipient.
Solution to key management issues.
22
Diffie-Hellman
This variation of the asymmetric algorithm allows the exchange of secret key data without any prior secrets.
Combine the private key of one party with the public key of the other.
Both parties can compute the same shared key.
Resulting key is used for cryptography.
Generates keys only: Diffie-Hellman does not encrypt data.
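The exchange the slide describes, carried through as an added example that is not from the Fortinet course: each side combines its own private value with the other side's public value, both arrive at the same key, and only then does a separate symmetric step encrypt data. The group (p, g), the party names and the SHA-256 keystream standing in for the symmetric algorithm are constructed for readability.

```python
# Added example, not from the Fortinet course: the Diffie-Hellman exchange the slide
# describes, then the separate symmetric step that DH itself does not perform.
import hashlib
import secrets

TOY_P, TOY_G = 23, 5   # constructed textbook group; real use takes a 2048-bit+ MODP group or ECDH

class Party:
    """One side of the exchange: keeps a private value, publishes g^private mod p."""
    def __init__(self, name, p=TOY_P, g=TOY_G, private=None):
        self.name, self.p, self.g = name, p, g
        self.private = private or secrets.randbelow(p - 2) + 1   # never leaves this party
        self.public = pow(g, self.private, p)                    # sent over the network

    def shared_key(self, other_public):
        # Combine own private value with the peer's public value; both sides reach
        # the same g^(ab) mod p although no secret was shared beforehand.
        shared_secret = pow(other_public, self.private, self.p)
        # DH yields key material only: derive a fixed-length symmetric key from it.
        return hashlib.sha256(b"dh-toy:" + str(shared_secret).encode()).digest()

def keystream_xor(key, data):
    """Constructed stand-in for the symmetric algorithm: SHA-256 in counter mode."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def run_exchange(plaintext):
    """Full flow: exchange public values, derive keys, encrypt at sender, decrypt at recipient."""
    sender, recipient = Party("sender"), Party("recipient")
    k_sender = sender.shared_key(recipient.public)      # only public values crossed the wire
    k_recipient = recipient.shared_key(sender.public)
    encrypted = keystream_xor(k_sender, plaintext)      # symmetric step at sender
    decrypted = keystream_xor(k_recipient, encrypted)   # symmetric step at recipient
    return k_sender == k_recipient, decrypted
```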
23
Digital Certificates
Diagram labels: Private; Public; Certification Authority; Public database
24
Digital Certificates
The public portion of the key pair is submitted to a Certification Authority.
User information and key data are verified.
Data is published in an industry-standard format and the digital signature of the CA is applied.
Signature guarantees the integrity of the data and that it has been verified by a trusted party.
Digital certificate is published to a public repository.
Click here to read more about digital certificates
25
Digital Certificate Contents
Certificate Format Version: V3
Certificate Serial Number: 1234567890
CA Signature Algorithms: RSA with MD5
Issuer Name (X.500): dc=com, dc=company, ou=ca1
Validity Period: August 15, 2008 to August 15, 2011
Subject Name (X.500): dc=com, dc=company, ou=ca1, ou=John Doe
Public Key: 73ks6dm3s34pm......
Issuer Alternate Identifier
User Alternate Identifier
Extension
Certification Authority Digital Signature
26
Digital Certificates Algorithm
Diagram: at sender, Plaintext -> Asymmetric algorithm (Public key) -> Encrypted text; at recipient, Encrypted text -> Asymmetric algorithm (Private key) -> Plaintext. Checks on the certificate: Issued by trusted CA? Expiration? Revocation?
27
Digital Certificates
Applications performing encryption operations will always verify the digital certificate to confirm the following:
Certificate was issued by a trusted CA (verifies the CA's digital signature on the certificate)
Certificate is still within its validity period
Certificate has not been deemed untrustworthy by the CA (verifies the serial number against the certificate revocation list)
28
Public-Key Infrastructure
System of policies, procedures and technologies for the management of public key information:
User registration
Issuing certificates
Maintaining revocation information
Updating keys
Updating certificates
Publishing certificates
Managing policies
Creating keys
29
Secure Socket Layer Security
Diagram labels: Hello; HTTPS://; Issued by trusted CA? Still valid? Has it been revoked?; Public; Secret; Encrypted Secret; Private; Symmetric key
30
Secure Socket Layer Security
Symmetric keys are derived from the exchange of shared secrets between the web browser and the FortiGate unit.
Used to encrypt data exchanged between the web browser and the FortiGate device.
These symmetric keys are valid for the session only.
Web browser authenticates the identity of the web server.
Will only accept data in certificates that are signed by trusted CAs.
Click here to read more about Secure Socket Layer security
31
Certificates On a FortiGate Unit
Diagram labels: Certificate signed by a trusted Certification Authority; Certificate self-signed by FortiGate unit; Private; Public
32
Certificates On a FortiGate Unit
Public portion of the key pair can be published in certificate format by either the FortiGate unit itself or a trusted Certification Authority.
Data is published in an industry-standard format and a digital signature is applied.
Signature guarantees the integrity of the data.
Digital certificate is forwarded to the web browser whenever an SSL-encrypted session is requested.
33
Generating a Certificate Request
Diagram labels: Private; Public + PKCS#10 Certificate Request; Request submitted to Certification Authority
34
Generating a Certificate Request
Complete the Certificate Request form on the FortiGate unit to generate a PKCS#10 formatted request.
Request file will include the public key of the FortiGate unit.
Request file is then submitted to a trusted CA.
Status of the certificate will be listed on the FortiGate unit as Pending.
35
Generating a Certificate Request
36
Importing Certificates
Diagram labels: Private; Public; CA; CRL; Certificate of FortiGate unit; Verification certificate of CA; Certificate Revocation List
37
Importing Certificates
The CA will generate the digital certificate, which is then imported onto the FortiGate unit.
Verification certificate of the CA creating the certificate must be installed on the FortiGate unit.
Used to verify digital signatures on all certificates generated by the CA.
Certificate Revocation List must be imported onto the FortiGate unit on a regular basis.
Revocation information from the CA must be kept up to date.
38
Importing the CA Certificate
39
Backing Up and Restoring Certificates
Diagram labels: Certificate of FortiGate unit; CA; Verification certificate of CA; Private; Password-protected PKCS#12 file
40
Backing Up and Restoring Certificates
The FortiGate unit private key and certificates must be backed up in case the device configuration is restored.
TFTP server required for the backup.
Keys and certificates are stored in a password-protected PKCS#12 file.
File is imported back onto the FortiGate unit after the restore operation.
Password from the backup is required.
41
Installing a CA Certificate in the Browser
42
Installing a CA Certificate in the Browser
The verification certificate from the FortiGate unit must be imported into the web browser certificate store if using self-signed certificates.
Prevents warnings about untrusted content.
43
Certificate Revocation List
Diagram labels: Certification Authority; Serial Number: 764926; CRL; Serial Number: 764926; ?
44
Certificate Revocation List
Certificate Revocation List (CRL) contains the serial numbers of all certificates deemed untrustworthy.
CRL will always be checked before a certificate is used, to ensure that it is still trusted.
CRLs must be kept up to date on the FortiGate unit.
Must be manually copied from the CA to the FortiGate unit on a regular basis.
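The checks listed on slide 27 (trusted issuer, signature, validity period, serial number against the CRL) together with the rule on slide 44 that the CRL itself must be current, carried through as an added example that is not Fortinet's code. The toy RSA key built from two small primes, the signing routine, the field layout and the sample subjects and dates are constructed stand-ins; real CAs use 2048-bit keys and X.509 encoding.

```python
# Added example, not Fortinet's code: a relying party's acceptance decision for a certificate.
import hashlib
from datetime import date

def toy_rsa_keypair(p, q, e=65537):
    """Constructed toy RSA key from two small primes: (n, e) public, (n, d) private."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def tbs_digest(cert):
    """Hash of the fields the CA signs (serial, issuer, subject, validity), as an integer."""
    tbs = "|".join(str(cert[k]) for k in ("serial", "issuer", "subject", "not_before", "not_after"))
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big")

def ca_sign(cert, ca_private):
    """The CA applies its digital signature; anyone holding the CA public key can verify it."""
    n, d = ca_private
    cert["signature"] = pow(tbs_digest(cert) % n, d, n)
    return cert

def validate(cert, trusted_cas, crl, today):
    """Apply the slide's checks in order; return (accepted, reason)."""
    ca_public = trusted_cas.get(cert["issuer"])
    if ca_public is None:
        return False, "issuer is not a trusted CA"
    n, e = ca_public
    if pow(cert["signature"], e, n) != tbs_digest(cert) % n:   # altered after signing, or forged
        return False, "CA signature does not verify"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return False, "outside validity period"
    if crl["issuer"] != cert["issuer"] or crl["next_update"] < today:
        return False, "no up-to-date CRL for this CA"            # slide 44: CRL must be current
    if cert["serial"] in crl["revoked"]:
        return False, "serial number is on the CRL"
    return True, "certificate trusted"

def sample_pki():
    """Constructed sample: one CA, one good and one revoked certificate, a current CRL."""
    ca_name = "dc=com, dc=company, ou=ca1"
    ca_public, ca_private = toy_rsa_keypair(1000003, 1000033)
    def issue(serial, subject):
        return ca_sign({"serial": serial, "issuer": ca_name, "subject": subject,
                        "not_before": date(2008, 8, 15), "not_after": date(2011, 8, 15)}, ca_private)
    good = issue(1234567890, "dc=com, dc=company, ou=ca1, ou=John Doe")
    revoked = issue(764926, "dc=com, dc=company, ou=ca1, ou=Jane Roe")   # constructed subject
    crl = {"issuer": ca_name, "revoked": {764926}, "next_update": date(2009, 2, 1)}
    return {ca_name: ca_public}, crl, good, revoked
```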
45
SSL Content Inspection
Diagram labels: ?; Web server; SSL-secured session; HTTPS://
46
SSL Content Inspection
FortiGate unit is unable to perform inspection operations on data exchanged during an SSL session.
Data is encrypted.
Filters are bypassed for SSL communication.
Click here to read more about SSL content inspection on certain models of FortiGate unit
47
SSL Content Inspection
Diagram labels: Web server; SSL-secured session; HTTPS://
48
SSL Content Inspection
The FortiGate unit SSL proxy can serve as a middleman in the SSL communication between the web browser and the web server.
Data is decrypted by the FortiGate unit, is scanned by application proxies, then is re-encrypted for delivery to the web server.
Available on certain models of FortiGate device.
49
Enabling SSL Content Inspection
50
SSL Content Inspection Concerns
Mimics a man-in-the-middle attack: does security policy allow it?
Self-signed certificates on the FortiGate unit may be untrusted: an Untrusted Certificate warning is presented to the user; the verification certificate of the FortiGate unit must be installed in the browser.
SSL content inspection is not performed if using client certificates: forces client-side authentication.
Certificate on the FortiGate unit between client and web server is created on the fly: the certificate of the web server is substituted by a certificate created by the FortiGate unit.
51
Student Resources
Click here to view the list of resources used in this module