digital certificates & openssl...digital certificates (cont.) • acquiring a dig. certificate...
TRANSCRIPT
TLS/SSL Recap• Typical TLS/SSL
(HTTPS) Situation– full authentication in TLS/SSL is usually
‘one sided’ anonymous client wants to connect to a verified server• i.e., only the server is required to provide
a digital certificate to the client
• it is possible, though, for the server to requesta certificate from the client
• one way the client could acquire a digital certificate is by obtaining a certificate of ‘server certificate’ grade from a CA:1) create a private/public key2) create a certificate signing request (CSR)3) send CSR to DigiCert4) receive the certificate
If the Web-site needs to authenticate its users/visitors, password-based
authentication is the most common way to go.
Digital Certificates
– an electronic document that isused to identify an individual,a server, a company or someother entity, and to associatethat entity with a public key
• Dig. Certificatesin WWW
Must be authorized (signed) by a trustedentity / 3rd party =
Certificate Authority!
Digital Certificates (cont.)
• Acquiring aDig. Certificate
– a dig. certificates / public key is first createdby the user, then signed by a mutually trustedthird party (Certificate Authority), and finallydisseminate to other users
Alice owns a Web server
Digital Certificates (cont.)
• X.509 – a standard that defines the format of public digitalcertificates - used in many Internet protocols and issupported by all modern browsers (RFC 5280)
• Public KeyInfrastructure(PKI)
– collection of servers / entities that create andmanage public keys and digital certificates• PKI’s main functions:
- manage complete life cycle of keys & certificates- provide key backup & recovery - update automatic key pairs & certificates- manage key histories- support cross-certification
Public Key Infrastructure
Public Key Infrastructure (cont.)
Example: PKI Related Standards
PKI over X.509 Public Key
Cryptography Standards
Public Key Infrastructure (cont.)
• PKI Components
– Registration Authority (CA): CA may (though optional!) use a 3rd
party Registration Authority (RA) to perform necessary checks on theperson or company requesting the certificate to confirm their identity
– Validation Authority (VA): entity that provides the service of verifyingthe validity of digital certificates – can operate using either CertificateRevocation Lists (CRL) or Online Certificate Status Protocol (OCSP)
– Certification Authority (CA): directly or indirectly trusted 3rd party that digitally sign a given certificate - CAs are critical components of the PKI system (guarantors of trust!); they also need a public & private key • the Root CA is at the top of the CA hierarchy and it has a self-signed certificate;
other subordinate CAs have certificates signed by the Root CA
• certificates of trusted Root CAs are ‘built in’ most modern Web-browsers
Note: typically serveris the one providing its
certificate to user/client
Symantec Co.IdenTrustComodo
DigiCert ...
Public Key Infrastructure (cont.)
Example: The role of RA
https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/principles-and-criteria-for-certification-authorities-v2-0.pdf.
Example: PKI Trust Chain / Certification Hierarchy
Public Key Infrastructure (cont.)
Root CA: CA at the root of a PKI hierarchy.Issues only CA certificates.
Intermediate CA: CA below the root CA in PKI hierarchy. Issues other CA certificates or Client Certificates.
Issuing/Signing CA: CA at the bottom of a PKI hierarchy.Issues only Client Certificates.
Example: PKI Trust Chain / Certification Hierarchy in Play
verifyIssuing CA’scertificate
verify Web server’s
certificate
Example: Chain of Trust in Hierarchical PKI
Root Certificate:self-signed CA certificate
at the root of a PKI hierarchy. Serves as the PKI’s trust anchor. Used
to sign other CA’s certificates.
CA Certificate:certificate of a CA – used to sign end-user/entity
certificates.
End-User/Entity Certificate:
Issued to user for one or more purposes: email-protection, server-auth,
client-auth, code-signing. A user certificate
CANNOT sign another certificate!
• Types of DigitalCertificates
– based on their usage, digital certificatescan be of different type …
• Personal Certificate – issued by an Issuing CA directly to an individual- used (e.g.) to secure email transmissions- typically only require user’s name and email
address to receive
Public Key Infrastructure (cont.)
• Server Certificate – obtained from a CA, configured on the server, and sent to server’sclients to prove server’s authenticity- besides proving authenticity, allows the
establishment of secure connections withclients
• Developer Certificate – certificates used bysoftware developers to authenticate theirprograms/applications- i.e., to verify that the program is secure and
has not been tampered
OpenSSL
• OpenSSL – an open source toolkit & library that providescryptographic & TLS/SSL-protocol functionality• maintained by a group of volunteers worldwide, and is
available for a wide variety of platforms• can be obtained from https://www.openssl.org/
• a command line tool that can be used specifically for:→ creation of RSA, DH and DSA key parameters→ creation of X.509 certificates, CSRs and CRLs→ calculation of Message Digests→ encryption and decryption with ciphers→ SSL/TLS client and server tests→ handling of S/MIME signed or encrypted mail
OpenSSL (cont.)
• Generate Public and Private RSA Keys
• Look Inside the Key File
More on OpenSSL in the upcoming Lab!!!