CSE 4482Network Security

Instructor: N. Vlajic, Fall 2019

Digital Certificates& OpenSSL

TLS/SSL Recap• Typical TLS/SSL

(HTTPS) Situation– full authentication in TLS/SSL is usually

‘one sided’ anonymous client wants to connect to a verified server• i.e., only the server is required to provide

a digital certificate to the client

• it is possible, though, for the server to requesta certificate from the client

• one way the client could acquire a digital certificate is by obtaining a certificate of ‘server certificate’ grade from a CA:1) create a private/public key2) create a certificate signing request (CSR)3) send CSR to DigiCert4) receive the certificate

If the Web-site needs to authenticate its users/visitors, password-based

authentication is the most common way to go.

TLS/SSL Recap (cont.)

Though, remember, Digital Certificatehas to be signed by CA!!!

Digital Certificates

– an electronic document that isused to identify an individual,a server, a company or someother entity, and to associatethat entity with a public key

• Dig. Certificatesin WWW

Must be authorized (signed) by a trustedentity / 3rd party =

Certificate Authority!

Digital Certificates (cont.)

• Acquiring aDig. Certificate

– a dig. certificates / public key is first createdby the user, then signed by a mutually trustedthird party (Certificate Authority), and finallydisseminate to other users

Alice owns a Web server

Digital Certificates (cont.)

• X.509 – a standard that defines the format of public digitalcertificates - used in many Internet protocols and issupported by all modern browsers (RFC 5280)

Example: X.509 Format

optional

optional

• Public KeyInfrastructure(PKI)

– collection of servers / entities that create andmanage public keys and digital certificates• PKI’s main functions:

- manage complete life cycle of keys & certificates- provide key backup & recovery - update automatic key pairs & certificates- manage key histories- support cross-certification

Public Key Infrastructure

Public Key Infrastructure (cont.)

Example: PKI Related Standards

PKI over X.509 Public Key

Cryptography Standards

Public Key Infrastructure (cont.)

• PKI Components

– Registration Authority (CA): CA may (though optional!) use a 3rd

party Registration Authority (RA) to perform necessary checks on theperson or company requesting the certificate to confirm their identity

– Validation Authority (VA): entity that provides the service of verifyingthe validity of digital certificates – can operate using either CertificateRevocation Lists (CRL) or Online Certificate Status Protocol (OCSP)

– Certification Authority (CA): directly or indirectly trusted 3rd party that digitally sign a given certificate - CAs are critical components of the PKI system (guarantors of trust!); they also need a public & private key • the Root CA is at the top of the CA hierarchy and it has a self-signed certificate;

other subordinate CAs have certificates signed by the Root CA

• certificates of trusted Root CAs are ‘built in’ most modern Web-browsers

Note: typically serveris the one providing its

certificate to user/client

Symantec Co.IdenTrustComodo

DigiCert ...

https://www.sslshopper.com/symantec-sells-ca-business-to-digicert.html

Example: Role of Digital Certificates in HTTPS Communication

Public Key Infrastructure (cont.)

Public Key Infrastructure (cont.)

Example: The role of RA

https://www.cpacanada.ca/-/media/site/operational/ms-member-services/docs/webtrust/principles-and-criteria-for-certification-authorities-v2-0.pdf.

Example: Validation Authority Suite

https://www.axway.com/en/products/validation-authority

Example: PKI Trust Chain / Certification Hierarchy

Public Key Infrastructure (cont.)

Root CA: CA at the root of a PKI hierarchy.Issues only CA certificates.

Intermediate CA: CA below the root CA in PKI hierarchy. Issues other CA certificates or Client Certificates.

Issuing/Signing CA: CA at the bottom of a PKI hierarchy.Issues only Client Certificates.

Example: PKI Trust Chain / Certification Hierarchy in Play

verifyIssuing CA’scertificate

verify Web server’s

certificate

Example: Chain of Trust in Hierarchical PKI

Root Certificate:self-signed CA certificate

at the root of a PKI hierarchy. Serves as the PKI’s trust anchor. Used

to sign other CA’s certificates.

CA Certificate:certificate of a CA – used to sign end-user/entity

certificates.

End-User/Entity Certificate:

Issued to user for one or more purposes: email-protection, server-auth,

client-auth, code-signing. A user certificate

CANNOT sign another certificate!

Example: Root & Intermediate CAs in Chrome

• Types of DigitalCertificates

– based on their usage, digital certificatescan be of different type …

• Personal Certificate – issued by an Issuing CA directly to an individual- used (e.g.) to secure email transmissions- typically only require user’s name and email

address to receive

Public Key Infrastructure (cont.)

• Server Certificate – obtained from a CA, configured on the server, and sent to server’sclients to prove server’s authenticity- besides proving authenticity, allows the

establishment of secure connections withclients

• Developer Certificate – certificates used bysoftware developers to authenticate theirprograms/applications- i.e., to verify that the program is secure and

has not been tampered

OpenSSL

• OpenSSL – an open source toolkit & library that providescryptographic & TLS/SSL-protocol functionality• maintained by a group of volunteers worldwide, and is

available for a wide variety of platforms• can be obtained from https://www.openssl.org/

• a command line tool that can be used specifically for:→ creation of RSA, DH and DSA key parameters→ creation of X.509 certificates, CSRs and CRLs→ calculation of Message Digests→ encryption and decryption with ciphers→ SSL/TLS client and server tests→ handling of S/MIME signed or encrypted mail

OpenSSL (cont.)

• OpenSSLCommands

standardcommands

messagedigestcommands

ciphercommands

OpenSSL (cont.)

• Generate Public and Private RSA Keys

• Look Inside the Key File

More on OpenSSL in the upcoming Lab!!!

http://courseevaluations.yorku.ca/

Please complete by Dec 4!!!