Upload File

x.509 certificates for saml - switch...x.509 certificates: a bird’s eye view! • certificate =...

  • Home
  • Documents
  • X.509 Certificates for SAML - SWITCH...X.509 certificates: a bird’s eye view! • certificate = public key + name + signature • the two “certificate worlds” of a Shibboleth
3
© SWITCH 2015 X.509 Certificates for SAML Shibboleth and public-key cryptography SWITCHaai Team [email protected] © SWITCH 2015 IdP-to-SP communication To secure communications between an IdP and an SP (or vice versa), each entity needs a key pair: for authenticating/signing SAML messages for encrypting SAML messages The most popular public-key algorithm today is RSA, typically with a key size of 2048 bits X.509 is a standardized, ubiquitous format for public- key data structures, so it’s convenient for use as a container for public keys in the SAML world 2

Upload: others

Post on 18-Mar-2020

9 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: X.509 Certificates for SAML - SWITCH...X.509 certificates: a bird’s eye view! • certificate = public key + name + signature • the two “certificate worlds” of a Shibboleth

© SWITCH 2015

X.509 Certificates for SAML Shibboleth and public-key cryptography

SWITCHaai Team [email protected]

© SWITCH 2015

IdP-to-SP communication!

•  To secure communications between an IdP and an SP (or vice versa), each entity needs a key pair: –  for authenticating/signing SAML messages –  for encrypting SAML messages

•  The most popular public-key algorithm today is RSA, typically with a key size of 2048 bits

•  X.509 is a standardized, ubiquitous format for public-key data structures, so it’s convenient for use as a container for public keys in the SAML world

2

Page 2: X.509 Certificates for SAML - SWITCH...X.509 certificates: a bird’s eye view! • certificate = public key + name + signature • the two “certificate worlds” of a Shibboleth

© SWITCH 2015

X.509 certificates: a bird’s eye view!•  certificate = public key + name + signature •  the two “certificate worlds” of a Shibboleth SP (or IdP):

–  SSL/TLS between the user’s browser and the Web server –  XML Signature and XML Encryption for SAML messaging

between the SP and the IdP

3

© SWITCH 2015

X.509 certificate validation!

•  for SSL/TLS, validating the certificate’s name and signature by the browser is absolutely crucial –  browsers validate the chain against a built-in set of root

certificates by verifying the signatures, and must make sure that the name is matching (would be vulnerable to MiTM otherwise)

•  for the SAML world and the SWITCHaai federation, certificates are fully embedded in the federation metadata, and only the public key is considered by Shibboleth (X.509 is used as a convenient container format) –  name and signature are basically thrown away

4

Page 3: X.509 Certificates for SAML - SWITCH...X.509 certificates: a bird’s eye view! • certificate = public key + name + signature • the two “certificate worlds” of a Shibboleth

© SWITCH 2015

SWITCHaai requirements for SAML embedded certificates !•  either a self-signed certificate with minimal subject

information and X.509v3 extensions (recommended, can be created with the keygen script bundled with the Shibboleth SP)

•  or a certificate signed by a well-known CA, with organization validation (OV), chaining to a root trusted by either Microsoft or Mozilla

•  further reading: •  https://www.switch.ch/aai/support/certificates/certificate-acceptance/

https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements/

5

© SWITCH 2015

Examining X.509 certificates !

•  Details in text format: openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -text

•  Display the fingerprint only: openssl x509 –in /etc/ssl/certs/ssl-cert-snakeoil.pem \ –noout –fingerprint [-sha256]

•  Dump a pure Base64 block (e.g. when grabbing from XML metadata – paste into console and end with Ctrl-D): openssl base64 -d | openssl x509 -inform der -text

6

https://www.switch.ch/aai/support/certificates/certificate-acceptance/
https://www.switch.ch/aai/support/certificates/embeddedcerts-requirements/

Peter Saint-Andre - FOSDEM · but only if not using self-signed certs $$$ real X.509 certs are expensive. free digital certificates for XMPP server admins

Kubernetes the Very Hard Way - USENIX...a.Kubernetes and Certificates b.Exceptions? c.Impact of Certificate Rotation 3.Efficient networking a.Giving pod IPs and routing them b.Accessing

ATEX System Certificate

The CA Debacle - USENIX CRLs OCSP Stapling Short-lived Certificates. 6 ... Certificate attributes are pinned in a DNS record for ... a pro or a con? 32 Convergence

ANNUAL REPORT June 2016...Mr. Abdul Jaleel Shaikh Mr. Ahmed Ateeq Mr. Abdul Hafeez • The pattern of holding of certificates by the certificate-holders is included in this annual

INDIA’S BIGGEST BUSINESS AWARDS · NOMINATION CERTIFICATE TROPHY & CERTIFICATION The winners will get a trophy and framed certificate by well-renowned celebrities. The certificates

CERTIFICATE IN ADVANCE DIGITAL MARKETING€¦ · 3 Google AdWords Fundamental Certificate 4 Google Display Advertising Certificates 5 Google Video Advertising Certificates 6 Microsoft

Secure Socket Layer (SSL) Certificate€¦ · Secure Socket Layer (SSL) Certificate SSL certificates are an essential component of the data encryption process that makes Internet

The Benefits of EV SSL Certificates...Comodo offers the highest assurance rate available with 2048-bit certificates. Comodo’s 2048-bit SSL certificates, for example, allow for

Certificates in Numerical Algebraic Geometry Jan …homepages.math.uic.edu/~jan/Talks/certificates.pdfproblem statement: a priori certificates for components 2 Tropical Algebraic

CS645: Lecture 1 (Computer and) Network Securitygreenie/cs645/CS645-12-01.pdf · 2012. 4. 4. · More Recently: RSA • Lenstra et al • Of 6.6 million distinct X.509 certificates

S PARSING OF X.509: ERADICATING S ISSUES WITH A PARSE TREE · X.509 certificate parsing and validation is a critical task which has shown consistent lack of effec-tiveness, with

gnu.ist.utl.ptgnu.ist.utl.pt/software/gnutls/manual/gnutls.pdf · ii 5 More on certificate authentication ......... 18 5.1 The X.509 trust model

ONLINE LEARNING BROCHURE Full Academy Access€¦ · HR Business Partner 2.0 | Certificate Program HR Metrics & Dashboarding | Certificate Program Talent Acquisition | Certificate

Programs Offered by College...Last Generated 2:06 pm on 01/22/2021 certificate/) certificate/) certificate/)

Karlstad University, Sweden arXiv:1711.03952v1 [cs.CR] 10 ... · Certificate Transparency (CT) is an experimental standard that enhances the public-key infrastructure around X.509

Optimized Certificate Revocation List Distribution for ... · Following the PPKI approach [12], we assume that each vehicle is assigned a certain number of short-term certificates

ITIL® Intermediate Certificate – Service Offerings ...qtnt.com/soa_flyer_qtnt_01.pdf · ITIL® Intermediate Certificate – Service Offerings & Agreements (SOA)* Certificate

Approvals and certificates

ITIL® Intermediate Certificate – Release, Control & Intermediate Certificate – Release, Control & Validation (RCV)* Certificate : ITIL® Intermediate Certificate-Release Control

Greenpass Client Tools for Delegated Authorization in ...trdata/reports/TR2004-509.pdf · SPKI allows certain local users to delegate network access to guests by issuing certificates

An End-to-End Measurement of Certificate Revocation in the Web… · 2017. 8. 16. · book by Gutmann [20] for a more in-depth treatment of these topics. 2.1 Certificates A certi

CAPE Digital Tools Certificates

AWS Certificate Manager · 2020-02-12 · AWS Certificate Manager User Guide Concepts What Is AWS Certificate Manager? Welcome to the AWS Certificate Manager (ACM) service. ACM

Web Security and Man In The Middle Attack - rprustagi.com fileSSL Certificates • Certificate types – DV (Domain Validation) - the basic type • Webserver authentication and

Certificate Click on the certificate to view details

Cinderella: Turning Shabby X.509 Certificates into Elegant ......Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials with the Magic of Verifiable Computation

Certificate Course on

Certificate of Analysis

Package ‘paws.security.identity’€¦ · Welcome to the AWS Certificate Manager (ACM) API documentation. You can use ACM to manage SSL/TLS certificates for your AWS-based websites

1. Student Details (Please use BLOCK LETTERS)Advanced Diploma/Diploma Certificate I to IV (Including trade certificates) No non-school qualification Group 1 Not in paid work for

SCHOOL OF WORKFORCE & CONTINUING EDUCATIONgrammar.ccc.commnet.edu/docs/continuing-education/...Certificate Programs in Healthcare 2-5 Certificate Programs in Business 6-7 Certificate

SMART CARDS IN LINUX - FOSDEM › ... › smart_cards_slides.pdf · pkinit: pre-authentication (RFC 4556) Certificate and signature from PKCS#11 krb5.conf FreeIPA 4.5: Mapping certificates

2005 No. 1970 CIVIL AVIATION - Legislation.gov.uk...Airworthiness and Equipment of Aircraft 8. Certificate of airworthiness to be in force 9. Issue, renewal, etc., of national certificates

183-211 Gage Block 1 - ctissb.comctissb.com/Mitutoyo MAP800/MAP800_product/Gauge Block.pdf186 Mitutoyo Gauge Blocks and Inspection Certificates A Certificate of Inspection is furnished