- Количество слайдов: 22
Digital Certificates Presented by Sunit Chauhan Copyright, 1996 © Dale Carnegie & Associates, Inc.
Basic Terms • Public Key Cryptographic Standards, PKCS A collection of 12 papers PKCS #1 to PKCS #12 developed by RSA Labs and representatives from the academia and industry. PKCS #1 RSA Algorithm PKCS #3 Diffie-Hellman Algorithm PKCS #7 Cryptographic Message Syntax Std PKCS #10 Key Certification Request PKCS #11 Standard API for developers PKCS #12 Certificate Interchange Format PKCS #13 Elliptic Curves Algorithm
Basic Terms • Digital Signatures • DSS issued by NIST • Message Digest Algorithms • Non Reversible (One way function) • Examples
Digital Certificates are the framework for identification information, and bind identities with public keys. They provide a foundation for • identification , • authentication and • non-repudiation.
Sample View of a Certificate Types : • Private/Personal Server Developer
X. 509 v 3 Certificate Format • • Version Certificate Serial Number Signature Algorithm Identifier Issuer Name Validity Period Subject Name Subject Public Key Information Optional Fields
X. 509 v 3 Extension Fields • Associate additional information for subjects , public keys , managing certification hierarchy and certificate revocation lists. • Extension type • Extension value • Criticality indicator
X. 509 Profiles Tailor the authentication model of X. 509 to specific environments based on Risk perception. • IETF Public Key Infrastructure (PKIX -1) : Application-independent certificate based key distribution mechanism. • SET Standard : Secure messaging for payment-service transactions over open-networks.
Certification Authorities • Trusted organization that issues certificates and maintains status information about certificates. • Certification Practice Statement
How Digital Certificates work? • Generate Public and Private Keys. • Get Certificate from the CA • Sign the document/page using the private key. • Send signed document over open networks along with the CA’s certificate. • Recipient verifies using the signing CA’s public key • Trust Chain and Fingerprints
Web Server Security • Server Authentication using SSL • Information to/from the correct Web Site • Information in encrypted form • Setting up SSL on a Web Site • Create a Server Certificate Request • Obtain the Server Certificate from a CA/locally • Install it on the Web Server • Establishing an SSL connection • Need root certificate of the issuing CA
Client Authentication • Anonymous • Basic • Challenge Response (NT) • SSL Client Authentication
Certification and Registration • Application • Subject Authentication • Certificate Generation • Certificate Distribution • Certificate Revocation
Subject Authentication • Confirm the identity of the subject • Based on the class of certificate • Local Registration Authority(LRA) model • Example : Verisign Onsite
Importing a Certificate To send an encrypted message or document to a person who has a certificate. • • From a Certification Authority From a Directory Service (LDAP) From a signed message From a local file (encoded Binary PKCS #7)
Certificate Revocation Lists • A data structure that has the list of all the serial numbers of the revoked certificates. • Standard X. 509 CRL format (ISO/ITU) • Propagation • Polling for CRLs • Pushing CRLs • Online status checking
Formal Specification (PKCS #7) • Abstract Syntax Notation (ASN. 1) Design tool used for expressing syntax of messages. Widely used to describe protocols interfaces etc. PKCS #7 syntax for Signed. Data type • ASN. 1 objects are encoded using BER/DER.
Key Certification Request PKCS #10 syntax using ASN. 1 notation
Certificate Management Value and Validity of Certificates will be questioned • Cross Certification (Multiple CA’s)
Applications of Certificates • Sandbox • Code Signing Vs Shrink-Wrapped Software • Accountability and Authenticity • Microsoft Authenticode 1. 0 • based on X. 503 v 3 and PKCS #7 • Commercial Vs Individual Publishers • Object Signing • Netscape’s technology • Signs any kind of Files
Applications (continued) • Secure Messaging & S/MIME • Web Server Security • Microsoft ASP for Access Control