Certification

Certification Andrea Piras piras@crs4.it

Contents • Brief Overview of Asymmetric Cryptography • What is certification? • X.509 • X.509 Certificate • Extensions • Qualified Certificate • QC Extensions • Certificate Authority • Italian CAs • Certificate Revocation List

Contents • Java Packages • Java Code Example • Microsoft, Netscape & Certificates • Bibliography

Brief Overview of Asymmetric Cryptography Encryption(public key) Decryption(private key) Decryption(public key) Encryption(private key) Based on: discrete logarithm problem, elliptic curve discrete logarithm problem, factoring problem, e-root problem Key Pair: Public (can be showed), Private (kept secret)

Brief Overview of Asymmetric Cryptography Attack: Man in the middle A B X

What is certification? It’s the process to release certificates (digital documents attesting to the binding of a public key to an individual or an entity). Not perform cryptographic operations with keys. It’s a service of the public key infrastructure (PKI).

X.509 It’s the ITU-T (also known as CCITT) Recommendation to define the certificate sintax. Used in a lot of authentification and secure communication protocols (ex. SSL). • Exist 3 versions: • Version 1 published in 1988 • Version 2 published in 1993 • Version 3 published in 1995

X.509 Certificate An X.509certificate consists of the following fields: • Version • Integer (1, 2 or 3) • Serial number • Own and unique integer • Signature algorithm ID • Identificator of the signature algorithm and the optional parameters • Issuer name • Some information about the issuer: country, locality, state or province, street, organization, organizational unit, common name, • e-mail, etc. • Validity period • Two dates: not valid before and not valid after

X.509 Certificate • Subject name • As issuer name (country, locality, state or province, street, organization, • organizational unit, common name, e-mail, etc). • Subject public key • The certificated public key; key algorithms: ECDSA, Diffie Hellman, • DSA, RSA. • Issuer unique identifier • Versions 2 and 3 only • Subject unique identifier • Versions 2 and 3 only • Extensions • Version 3 only • Signature on the above fields • Using private key of the issuer

Extensions Critical If it is impossible performing the extension, the certificate is refused Not Critical If it is impossible performing the extension, the extension is ignored CAN REVOLUTIONIZE THE CERTIFICATE USE

Extensions • AuthorityKeyIdentifier • indicate which is issuer public key corrisponding at the private key used for signing, • ever not critic. • BasicConstraints • used only in a CA Certificates, how deep a certification path, if the deep is 0 it’s a • CA leader certificate, ever critic. • CertificatePolicies • some phrases insert by the issuer. • CRLDistributionPoints • how find informations about distribution points and the reason, ever not critic. • IssuerAltName • alternative name for the issuer. • SubjectAltName • alternative name for the issuer, critic if the subject is null.

Extensions • NameConstraints • a name space within which all subject names in subsequent certificates in a certification path, can been indicated restrictions to some subject name or subject alternative names, if no name of the type is in the certificate it’s acceptable, it’s possible make restrictions on host or domain, minimun number is 0 and the maximun is absent, used only in CA certificate and ever critic. • KeyUsage • the purpose of the key in the certificate: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly; ever critic. • Ex. if the public key is used only for signing, digitalSignature and nonRepudiation must be setted true. • ExtendedKeyUsage • some addition to or in place of the basic purposes of the KeyUsage.

Extensions • SubjectKeyIdentifier • obtained applying SHA-1 at the certicate public key, recommended, ever not critic. • SubjectDirectoryAttributes • another subject informations, ever not critic. • PolicyMappings • used in CA certificate for mapping the issuer policy with the subject policy making the issuer equal to the subject, not critic if it’s a CA certicate. • PolicyConstraints • constrains path validation to prohibit policy mapping or require that each certificate in a path contains an acceptable policy identifier.

Qualified Certificate • Extension of the X.509 certificate • Identify the subject with an high level of security preventing repudiation • Must contain the extensions: • BiometricInformation • CertificatePolicies • KeyUsage • QualifiedCertificateStatements • SubjectDirectoryAttributes

QC Extensions • BiometricInformation • holds the hash value corresponding to some specific biometric • information which itsself is not included but may be referenced • by means of an URI. • QualifiedCertificateStatements • statements about qualified certificate, ex: restrictions on CA's liability, certificate issued in accordance with a particular legal system.

Certificate Authority Any trusted administration able to issue certificates assuring the subject identity and which is his public key. Exist a hierarchy of Cas CA certificate lower level CAs Low level CA release low assurance certificates High level CA release high assurance certificates VERY HIGH LEVEL OF SECURITY

Italian CAs 7 CA known by AIPA S.I.A. S.p.A. (27/01/2000) … Seceti S.p.A. (06/07/2000) 20 march 2001 AIPA (Autorità per l'Informatica nella Pubblica Amministrazione) is the italian authority, born with the law 12 February 1993, no.39, to release the permission to a company to issuing certificates. The candidate company must present the request and 58 documents (legal, administrative, econimic, security planning, operation planning).

Certificate Revocation List • A list of certificates revoked before their expiration date. • The causes are: • certificated public key compromised • certificate subject changed • CA’s private key compromised • A CRL is maintained by a CA. • The CRLs are downloadable by verifiers from CAs or central repositories, or CAs send CRLs to verifiers at regular intervals. • When the certificate expires, it’s cancelled from the CRL.

Java Packages

Java Code Example ADD SECURITY PROVIDER CREATE KEY PAIR import java.util.*; import java.security.*; import javax.crypto.*; import iaik.x509.*; import iaik.x509.extensions.*; import iaik.asn1.*; import iaik.asn1.structures.*; public class CertificateExample{ public static void main(String[] args){ Security.addProvider(new iaik.security.provider.IAIK()); X509Certificate cert = new X509Certificate(); KeyPairGenerator kpg = KeyPairGenerator.getInstance(“RSA”, "IAIK"); kpg.initialize(1024, new SecureRandom()); KeyPair kp = generator.generateKeyPair(); ….

Java Code Example CREATE EXTEN- SIONS CREATE USAGE PERIOD CREATE ISSUER …. Name issuer = new Name(); issuer.addRDN(ObjectID.country, “IT"); issuer.addRDN(ObjectID.organization ,“CRS4"); issuer.addRDN(ObjectID.commonName, “CRS4 Certificate"); Vector extensions = new Vector(); extensions.addElement(new KeyUsage( KeyUsage.digitalSignature | KeyUsage.decipherOnly)); GregorianCalendar dateStart = new GregorianCalendar(); GregorianCalendar dateStop = new GregorianCalendar(); dateStart.add(Calendar.DATE, -1); dateStop.add(Calendar.MONTH, 6); ….

Java Code Example CERTIFICATE CREATED …. cert.setSerialNumber(java.math.BigInteger.valueOf(1)); cert.setIssuerDN(issuer); cert.setSubjectDN(issuer); cert.setPublicKey(kp.getPublic()); cert.setValidNotBefore(dateStart.getTime()); cert.setValidNotAfter(dateStop.getTime()); cert.addExtension(extensions[0]); cert.sign(AlgorithmID.sha1WithRSAEncryption, kp.getPrivate()); …. } }

Microsoft, Netscape & Certificates Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Microsoft Outlook Express 5.5 Netscape Navigator 4.75Netscape Messenger 4.75

Microsoft, Netscape and Certificates

Microsoft, Netscape and Certificates Microsoft Internet Explorer ignores the html tag <keygen>, own of Netscape

Microsoft, Netscape and Certificates application/x-x509-ca-certfor CA certificate application/x-x509-user-certfor user certificate Netscape knows CA certificates from user certificates because, before to send the certificate, it’s sent own content-type:

Bibliography • RSA Security Faqs • http://www.rsasecurity.com/rsalabs/faq • Public Key Infrastructure • http://www.opengroup.org/security/pki • http://csrc.ncsl.nist.gov/pki • Ferragina, Luccio, Appunti di crittografia, Università degli Studi di Pisa - Dipartimento di Informatica, settembre 2000 • IAIK-JCE 2.61 Reference • http://jcewww.iaik.tu-graz.ac.at • International Telecommucation Unit -Telecommunication Standardization Sector (ITU-T) • http://www.itu.int/ITU-T

Bibliography • RFC3039 - Qualified Certificate Profile • ftp://ftp.rfc-editor.org/in-notes/rfc3039.txt • RFC2459 - Certificate and CRL Profile • http://www.ietf.org/rfc/rfc2459.txt • AIPA - Autorità per l'Informatica nella Pubblica Amministrazione • http://www.aipa.it • http://www.aipa.it/servizi[3/normativa[4/circolari[2/aipacr22.asp

Certification

Certification

Presentation Transcript

AACN Certification

CERTIFICATION

Certification Update

Certification

CERTIFICATION!!!!

Certification

Certification:

Certification

Certification

Advance sas certification | Base sas certification

SA 8000 Certification – Social Accountability Certification

PALS Online Certification/Re-certification

CERTIFICATION

Certification

ServiceNow Certification Training | servicenow admin certification |servicenow administrator certification

TESOL Certification and TEFL Certification

BIS Certification | BIS Certification Process | BIS Certification Services