1 / 23

CERTIFICATES

Learn about digital certificates and how they secure data through authentication, integrity, encryption, and token verification. Explore the role of Certification Authorities, different types of certificates, and the process of obtaining and distributing certificates. Also, discover Certificate Revocation Lists and their formats.

sherrillt
Télécharger la présentation

CERTIFICATES

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CERTIFICATES

  2. What is a Digital Certificate? • Electronic counterpart to a drive licenses or a passport. • Enable individuals and organizations to secure business and personal transactions across communication networks.

  3. How do they secure the data? • Authentication • Integrity • Encryption • Token verification

  4. Certification Authority(CA) • Trusted entity which issue and manage certificates for a population of public-private key-pair holders. • A digital certificate is issued by a CA and is signed with CA’s private key.

  5. X.509 Version 3 Digital Certificate

  6. Types of Certificates Root or Authority certificates These are self signed by the CA that created them Institutional authority certificates Also called as “campus certificates” Client certificates These are also known as end-entity certificates,identity certificates,or personal certificates. Web server certificates used for secure communications to and from Web servers

  7. Getting a Certificate Create an encryption Private and Public key pair. Create a Certificate Request based on your key. • Send all the required details Like Server,company,Location, state,country and also the documents proving your identity. Send the certificate request to your choice of CA . • CA confirms the accuracy of the information submitted . • The certificate is signed by a device that holds the private key of the CA. • The certificate is sent to the subscriber and also a copy of it may be submitted to the • certificate repository, such as a directory service for publication.

  8. Distribution of Certificates • Systems and channels that are not necessarily protected by confidentiality,authentication and integrity. • The certificate is self-protecting: The CA’s digital signature inside the certificate provides both authentication and integrity protection. • Distribution via Directory Services: Lightweight Directory Access Protocol (LDAP). This is nothing more than access protocol used to retrieve the certificate for recipient.

  9. X.509 Certificate Format • Version: Indicator of version 1,2 or 3. • Serial number: Unique identifying number for this certificate. • Signature:Algorithm identifier of the digital signature algorithm. • Issuer: X.500 name of the issuing CA. • Validity:Start and expiration dates and times of the certificate. • Subject:X.500 name of the holder of the private key(subscriber). • Subject public-key information:The value of the public-key for the subject together with an identifier of the algorithm with which this public-key to be used. • Issuer unique identifier: An optional bit string used to make the issuing certification authority name unambiguous. • Subject unique identifier: An optional bit string used to make the subject name unambiguous.

  10. X.509 Certificate Format • Extensions: Used for incorporating any number of additional fields into the certificate. • Extension Type: contains an object identifier value i.e. governs the basic data type (text string,date….etc) . • Criticality indicator: Simple flag that indicates whether an occurrence of an extension is critical or non-critical. The purpose of this is to accommodate environments in which different system implementations recognize different sets of extensions.

  11. X.509 Certificate Format • Standard Certificate Extensions. • Key Information: These are used to allow the administrators to limit the purpose for which certificates and certified keys can be used. Like CRL-signing,certificate signing …..etc. • Policy Information: convey certificate policy i.e. use of these extensions which relate to the CA’s practices. • Subject and Issuer attributes:Support alternative names for certificate subjects and issuers. • Certification path constraints: Help different domains link their infrastructures together. • Extensions related to CRL’s

  12. Certificate Revocation • Canceling a certificate before than its originally scheduled validity period. • Certificate Revocation Lists (CRL) A CRL is a time-stamped list of revoked certificates that has been digitally signed by a CA and made available to certificate users. Each revoked certificate is identified in a CRL by its certificate serial number – generated by the issuing CA.

  13. X.509 Certificate Revocation List

  14. X.509 CRL Format • Version: Indicator of version 1 or 2 format • Signature: Indicator of the algorithm used in signing this CRL • Issuer:Name of the authority that issued this CRL • This update: Date and time of issue of this CRL • Next update: Date and time of issue of next CRL (optional) • Certificate Serial Number: Serial number of a revoked or suspended certificate. • Revocation date: Effective date of revocation or suspension of a particular certificate. • CRL entry extensions: Additional fields • CRL extensions: Additional fields that must be attached to the full CRL.

  15. X.509 CRL Formats • Extensions and Entry-Level Extensions • General Extensions:: Like CRL number – incrementing number for each CRL issued in sequence covering the same certificate population. Invalidity date:: This is CRL entry extension field indicates a date when it is known or suspected that a private key was compromised. • CRL Distribution Point :: Identifies the point or points that distribute CRL’s on which a revocation notification for this certificate would appear if this certificate were to be revoked. • Delta-CRL’s: It is a digitally signed list of the changes that occurred since the issuance of the prior base CRL.

  16. X.509 CRL Format of Extensions • Indirect CRL’s : Allows a CRL to be issued by a different authority from the one that issued the certificate. • Certificate Suspension: An item may be held on a CRL rather than revoked. It can be specified in the entry-level extensions as “certificate hold”. • Status Referrals: It is a signed,time stamped list of CRL’s and their respective CRL scopes that a certification authority currently uses.

  17. Distributing CRL’s • Issuing CRLs regularly such as hourly,daily or weekly…. Decision of CA. Can be distributed easily using the communications and server systems which do not need much security – as these are digitally signed. • Limitation: Time granularity of revocation is limited to the CRL issue period. • Online Status Checking: uses OCSP ( Online Certificate Status Protocol). The responder is the CA or the authorized person by the CA. The OCSP response is digitally signed, contains the identifier of the responder, time of response, status. • Limitation: Very expensive.

  18. Using Pre-existing certificates (Verisign) • IF the IP address or Domain name is changed – then the certificate needs to be changed. • If you are changing your Server Software – because verisign issues the certificates considering the server software and IP address / domain name configuration.

  19. It is a check for a digital certificate. Its checks 3 things for each certificate back to its path. Each certificate has a path back to a root certificate. For each certificate in the path: • Check each certificate is within its validity period. • Check each certificate’s signature is correct. • Check each certificate has not been revoked.

  20. What trust models does PGP support? • Direct trust (peer to peer) • Hierarchical trust (central signing authority, sub-authorities) • PGP supports 3 levels of signing authorities, without many of the limitations other cert formats have • Similar to x.509 trust model • Web of Trust • useful between divisions of different companies • collaboration/competition

  21. Key Recovery Key Recovery Keys Public Keys A very safe place Encrypted Key Encrypted Passphrase Decrypt with Encrypt Key and Key Recovery Private Key Passphrase

  22. How does PGP provide data recovery? • Additional Decryption Key technology • Not key recovery; user holds their own private key at all times • Each session key used to encrypt a message is encrypted to the recipient’s public key, and also to an ADK (pub key) • Holder of the ADK can decrypt any information encrypted to the ADK • Enforced on the client and on the mail server (PMA) • ADKs can be split and shared among upper management

  23. Additional Decryption Keys (ADKs) • Incoming vs. Outgoing • Diffie-Hellman only • Enforcement • Splitting the ADKs • Multiple ADKs • Departmental level ADKs

More Related