about pki certificates
Download
Skip this Video
Download Presentation
About PKI Certificates

Loading in 2 Seconds...

play fullscreen
1 / 30

About PKI Certificates - PowerPoint PPT Presentation


  • 113 Views
  • Uploaded on

About PKI Certificates. Dartmouth College PKI Lab. X.509 Certificate Defined.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' About PKI Certificates' - armine


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
about pki certificates

About PKI Certificates

Dartmouth College PKI Lab

x 509 certificate defined
X.509 Certificate Defined

A type that binds an entity\'s distinguished name to a public key with a digital signature. This type is defined in the Internet X.509 Public Key Infrastructure (PKIX) Certificate and CRL Profile. This type also contains the distinguished name of the certificate issuer (the signer), an issuer-specific serial number, the issuer\'s signature algorithm identifier, a validity period, and extensions also defined in that document.

x 509 certificate defined 2
X.509 Certificate Defined 2

Data associated with a private key and containing a public key that provides information about:

  • Identities of the issuer and subject
  • Certificate validity dates and CRL location
  • Certificate intended uses
  • Serial number
  • Other certificate information
x 509 certificate format
X.509 Certificate Format
  • version
  • serialNumber
  • signature
  • issuer
  • validity
  • subject
  • subjectPublicKeyInfo
  • issuerUniqueIdentifier
  • subjectUniqueIdentifier
  • Extensions

Certificate information is contained in ASN.1 structures.

certificate encodings
Certificate Encodings
  • DER is a binary encoding of the X.509 ASN.1 structures.
  • PEM is the base 64 encoded version of DER. (For situations where binary format won’t work.)
  • Text is a human-readable version of the ASN.1 structures.
pem example
PEM Example

-----BEGIN CERTIFICATE----- MIIEbDCCA1SgAwIBAgICBAEwDQYJKoZIhvcNAQEFBQAwdzETMBEGCgmSJomT8ixk ARkWA2VkdTEZMBcGCgmSJomT8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMx GjAYBgNVBAoTEURhcnRtb3V0aCBDb2xsZWdlMRwwGgYDVQQDExNEYXJ0bW91dGgg Q2VydEF1dGgxMB4XDTAzMTAyNDE1MDg1OFoXDTAzMTAyNDE5MDg1OFowgaIxEzAR BgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJ BgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVnZTEZMBcGA1UEAxMQ TWFyayBKLiBGcmFua2xpbjEsMCoGCSqGSIb3DQEJARYdTWFyay5KLkZyYW5rbGlu QERhcnRtb3V0aC5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK2Xsb+0 +ENqEwgu15Sthv47iKJ89O1ci0TLdbVYoFV92wDykX68+m2Z0NSBiM+mQqjDk8c6 USnAvwDZUtMVK5CU9kf9/hiCXmVxbFLgsqbpVEPzc83SGQ3fS70PuFeu00MdTRI6 +thtwTF/n7ZfGFc2XGTKXMnwqCh8cbOP7H5NAgMBAAGjggFYMIIBVDARBglghkgB hvhCAQEEBAMCBaAwDgYDVR0PAQH/BAQDAgXgMIGiBgNVHSAEgZowgZcwgZQGCisG AQQBQQIBAQEwgYUwPQYIKwYBBQUHAgIwMTAYFhFEYXJ0bW91dGggQ29sbGVnZTAD AgEBGhVEYXJ0bW91dGggQ29sbGVnZSBDUFMwRAYIKwYBBQUHAgEWOGh0dHA6Ly93 d3cuZGFydG1vdXRoLmVkdS9+cGtpbGFiL0RhcnRtb3V0aENQU180U2VwMDMucGRm MCgGA1UdEQQhMB+BHU1hcmsuSi5GcmFua2xpbkBEYXJ0bW91dGguZWR1MB8GA1Ud IwQYMBaAFD/A1senTwB+7waZZ2y8lh5No3cSMD8GCCsGAQUFBwEBBDMwMTAvBggr BgEFBQcwAYYjaHR0cDovL2NvbGxlZ2VjYS5kYXJ0bW91dGguZWR1L29jc3AwDQYJ KoZIhvcNAQEFBQADggEBAB5+LvOPrCt6s6Hvba5a7WENTLxhh7r2KUZIDH7Y1PJ8 cUN5EfKAUoT00walcTIqCfexLpWJMk38oF4gTMwk3sabNEjfQwmdmsJSh2R6eBDL d658t94DpGxXw2U3rzDzFDc4lozK9cBn9GRt4w3py31Bz2DDzc4mjscEid44AV3V hLhI0ZqlWrqWWutW1Dugqol8A6APVGMjhZsYS5fFUe88LdvZgnb9UpDcOAPUoeN5 Rvl/aibNweyCBFU/MqII0Yxf1wrc+wg0R2gy+WaVqyK05ddwxwVJ94aZmAHGL6zO 7FjPU9XwLGBQfHbnbtfRZUech+ZQhjLlpXyYxRQ1KgM=

-----END CERTIFICATE-----

text example
Text Example

Certificate:

Data:

Version: v3

Serial Number: 0x401

Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5

Issuer: CN=Dartmouth CertAuth1,O=Dartmouth College,C=US,DC=dartmouth,DC=edu

Validity:

Not Before: Friday, October 24, 2003 11:08:58 AM EDT America/New_York

Not After: Friday, October 24, 2003 3:08:58 PM EDT America/New_York

Subject: [email protected],CN=Mark J. Franklin,O=Dartmouth College,C=US,DC=dartmouth,DC=edu

Subject Public Key Info:

Algorithm: RSA - 1.2.840.113549.1.1.1

Public Key:

Exponent: 65537

Public Key Modulus: (1024 bits) :

AD:97:B1:BF:B4:F8:43:6A:13:08:2E:D7:94:AD:86:FE:

3B:88:A2:7C:F4:ED:5C:8B:44:CB:75:B5:58:A0:55:7D:

DB:00:F2:91:7E:BC:FA:6D:99:D0:D4:81:88:CF:A6:42:

A8:C3:93:C7:3A:51:29:C0:BF:00:D9:52:D3:15:2B:90:

94:F6:47:FD:FE:18:82:5E:65:71:6C:52:E0:B2:A6:E9:

54:43:F3:73:CD:D2:19:0D:DF:4B:BD:0F:B8:57:AE:D3:

43:1D:4D:12:3A:FA:D8:6D:C1:31:7F:9F:B6:5F:18:57:

36:5C:64:CA:5C:C9:F0:A8:28:7C:71:B3:8F:EC:7E:4D

Extensions:

Identifier: Netscape Certificate Type - 2.16.840.1.113730.1.1

Critical: no

Certificate Usage:

SSL Client

Secure Email

Identifier: Key Usage: - 2.5.29.15

Critical: yes

Key Usage:

Digital Signature

Non Repudiation

Key Encipherment

Identifier: CertificatePolicies - 2.5.29.32

certificate revocation list crl defined
Certificate Revocation List (CRL) Defined

A type that contains information about certificates whose validity an issuer has prematurely revoked. The information consists of an issuer name, the time of issue, the next scheduled time of issue, a list of certificate serial numbers and their associated revocation times, and extensions. The CRL is signed by the issuer.

certificate revocation list crl defined 2
Certificate Revocation List (CRL) Defined 2

A secured list of no longer trusted certificates provided by a Certificate Authority so applications can reject otherwise valid certificates that are compromised or otherwise invalid before their validity period expires.

  • Issued periodically or as needed.
  • Checked by applications at certificate verification time.
  • OCSP protocol provides an alternative which can be an online service.
crl format
CRL Format
  • version
  • signature
  • issuer
  • thisUpdate
  • nextUpdate
  • revokedCertificates
  • crlEntryExtensions
  • crlExtensions
certificate viewers
Certificate Viewers
  • Windows (invoked from IE, desktop, other applications)
  • Mozilla/Thunderbird (invoked from Preferences in Mozilla or Account Options in Thunderbird)
  • Other applications

Demos of Certificate Viewers

Windows

Mozilla

about pki key stores

About PKI Key Stores

Dartmouth College PKI Lab

key store defined
Key Store Defined
  • Protected “vault” to hold user’s private key with their copy of their x.509 certificate
  • A function of their client computer and software
  • Should be locally password protected
  • Should be encrypted and/or protected by specialized hardware
  • May be provided by OS or by application(s)
  • May hold the only copy of a private key
key store interfaces
Key Store Interfaces
  • Microsoft Windows CAPI
  • RSA PKCS#11
  • RSA PKCS#12
  • Java Keystore
  • Application specific
browsers and key stores
Browsers and Key Stores
  • Browsers provide one of the most common ways to access key stores
  • GUI for key generation and certificate enrollment
  • Viewing and manipulating certificates and keys
  • Import/export

Mozilla/Netscape/FireFox does PKCS#11

Internet Explorer/Windows does CAPI

key store types
Key Store Types
  • “Software”
    • Keys encrypted in a file
  • “Hardware”
    • Keys stored on specialized hardware tokens
os key stores
OS Key Stores
  • CAPI: Microsoft Windows CryptoAPI
  • “Keychain” from Apple

Many Windows applications use CAPI; others have their own key store.

software key store
“Software” Key Store
  • Stores certificates and encrypted keys on the local computer’s file system
  • Encryption is password protected
  • Relatively vulnerable to key theft (depending on implementation)
  • Requires exporting and importing to use the key on another computer or in a different key store on the same computer

All PKI applications support this type of key store – for some it is the only type supported.

hardware key store
“Hardware” Key Store
  • Stores certificates and keys in special purpose hardware (typically USB token or smart card and reader)
  • Much higher assurance - the key cannot be used without the user’s password, but still not unbreakable
  • Allows easy private key mobility between computers and applications
  • Two-factor security (need token plus password to do anything) makes hardware key stores much more secure than software key stores
pkcs 11
PKCS#11
  • Standard developed by RSA to provide applications with a key store and PKI cryptographic functions

http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/

  • Used by Mozilla on all OSes (even Windows)
  • Has a lower-level API for plugging in different implementations (enables hardware tokens)
  • Open source implementations available
  • Similar to MS CAPI – unfortunately MS opted to not support PKCS#11
microsoft capi aka cryptoapi
Microsoft CAPI (AKA CryptoAPI)
  • Microsoft Windows “standard” API for providing PKI functionality to applications

http://msdn.microsoft.com/library/en-us/security/security/cryptography_portal.asp?

  • Provides:
    • Key store function
    • Cryptographic operations using the key store and certificate
    • GUI for managing certificates and keys
    • Facilities to create, import, and export certificates and keys
  • Cryptographic Service Provider (CSP) layer allows 3rd party software, token, and smartcard solutions
  • Microsoft’s software key store CSP has some issues
application key stores
Application Key Stores
  • Some applications don’t use either CAPI or PKCS#11
  • Adds undesirable complexity for average end user
  • Incompatible with hardware keys (since they can only support PKCS#11 and CAPI/CSP interfaces)
  • Require exporting and importing certificates/keys
  • AOL AIM has its own key store
  • Java keystores becoming more utilized
how pki uses passwords
How PKI Uses Passwords
  • Passwords protect local key stores
  • Stored and managed locally by the user
  • Never stored on servers (an important feature – passwords on servers and traversing a network are more vulnerable)
  • User provides the password to “unlock” their private key – all other operations use asymmetric key cryptography
user accounts
User Accounts
  • Windows CAPI stores software keys in each user’s profile
  • If user accounts are secure, then CAPI keys are protected by the Windows logon security
pkcs 7 and pkcs 12
PKCS#7 and PKCS#12
  • More RSA standards
  • No awards for imaginative names…
  • PKCS#7 is general syntax for data that may have cryptography applied to it

http://www.rsasecurity.com/rsalabs/pkcs/pkcs-7/index.html

  • PKCS#12 specifies secure containers for transporting PKI certificates with private keys

http://www.rsasecurity.com/rsalabs/pkcs/pkcs-12/index.html

ad