1 / 22

CERTIFICATES

CERTIFICATES. “ a document containing a certified statement, especially as to the truth of something ”. What is a Digital Certificate?. Electronic counterparts to driver licenses,passports.

vanig
Download Presentation

CERTIFICATES

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CERTIFICATES “a document containing a certified statement, especially as to the truth of something”

  2. What is a Digital Certificate? • Electronic counterparts to driver licenses,passports. • Enable individuals and organizations to secure business and personal transactions across communication networks.

  3. How do they secure the data? • Authentication • Integrity • Encryption • Token verification

  4. Certification Authority(CA) • Trusted entity which issue and manage certificates for a population of public-private key-pair holders. • A digital certificate is issued by a CA and is signed with CA’s private key.

  5. X.509 Version 3 Digital Certificate

  6. Types of Certificates Root or Authority certificates These are self signed by the CA that created them Institutional authority certificates Also called as “campus certificates” Client certificates These are also known as end-entity certificates,identity certificates,or personal certificates. Web server certificates used for secure communications to and from Web servers

  7. Getting a Certificate Create an encryption Private and Public key pair. Create a Certificate Request based on your key. - Send all the required details Like Server,company,Location, state,country and also the documents proving your identity. Send the certificate request to your choice of CA . CA confirms the accuracy of the information submitted . The certificate is signed by a device that holds the private key of the CA. The certificate is sent to the subscriber and also a copy of it may be submitted to the certificate repository, such as a directory service for publication.

  8. Distribution of Certificates • Systems and channels that are not necessarily protected by confidentiality,authentication and integrity. • The certificate is self-protecting: The CA’s digital signature inside the certificate provides both authentication and integrity protection. • Distribution via Directory Services: Lightweight Directory Access Protocol (LDAP). This is nothing more than access protocol used to retrieve the certificate for recipient.

  9. X.509 Certificate Format • Version: Indicator of version 1,2 or 3. • Serial number: Unique identifying number for this certificate. • Signature:Algorithm identifier of the digital signature algorithm. • Issuer: X.500 name of the issuing CA. • Validity:Start and expiration dates and times of the certificate. • Subject:X.500 name of the holder of the private key(subscriber). • Subject public-key information:The value of the public-key for the subject together with an identifier of the algorithm with which this public-key to be used. • Issuer unique identifier: An optional bit string used to make the issuing certification authority name unambiguous. • Subject unique identifier: An optional bit string used to make the subject name unambiguous.

  10. X.509 Certificate Format • Extensions: Used for incorporating any number of additional fields into the certificate. • Extension Type: contains an object identifier value i.e. governs the basic data type (text string,date….etc) . • Criticality indicator: Simple flag that indicates whether an occurrence of an extension is critical or non-critical. The purpose of this is to accommodate environments in which different system implementations recognize different sets of extensions.

  11. X.509 Certificate Format • Standard Certificate Extensions. • Key Information: These are used to allow the administrators to limit the purpose for which certificates and certified keys can be used. Like CRL-signing,certificate signing …..etc. • Policy Information: convey certificate policy i.e. use of these extensions which relate to the CA’s practices. • Subject and Issuer attributes:Support alternative names for certificate subjects and issuers. • Certification path constraints: Help different domains link their infrastructures together. • Extensions related to CRL’s

  12. Certificate Revocation • Canceling a certificate before than its originally scheduled validity period. • Certificate Revocation Lists (CRL) A CRL is a time-stamped list of revoked certificates that has been digitally signed by a CA and made available to certificate users. Each revoked certificate is identified in a CRL by its certificate serial number – generated by the issuing CA.

  13. X.509 Certificate Revocation List

  14. X.509 CRL Format • Version: Indicator of version 1 or 2 format • Signature: Indicator of the algorithm used in signing this CRL • Issuer:Name of the authority that issued this CRL • This update: Date and time of issue of this CRL • Next update: Date and time of issue of next CRL (optional) • Certificate Serial Number: Serial number of a revoked or suspended certificate. • Revocation date: Effective date of revocation or suspension of a particular certificate. • CRL entry extensions: Additional fields • CRL extensions: Additional fields that must be attached to the full CRL.

  15. X.509 CRL Format of Extensions and Entry-Level Extensions • General Extensions:: Like CRL number – incrementing number for each CRL issued in sequence covering the same certificate population. Invalidity date:: This is CRL entry extension field indicates a date when it is known or suspected that a private key was compromised. • CRL Distribution Point :: Identifies the point or points that distribute CRL’s on which a revocation notification for this certificate would appear if this certificate were to be revoked. • Delta-CRL’s: It is a digitally signed list of the changes that occurred since the issuance of the prior base CRL.

  16. X.509 CRL Format of Extensions • Indirect CRL’s : Allows a CRL to be issued by a different authority from the one that issued the certificate. • Certificate Suspension: An item may be held on a CRL rather than revoked. It can be specified in the entry-level extensions as “certificate hold”. • Status Referrals: It is a signed,time stamped list of CRL’s and their respective CRL scopes that a certification authority currently uses.

  17. Distributing CRL’s • Issuing CRLs regularly such as hourly,daily or weekly…. Decision of CA. Can be distributed easily using the communications and server systems which do not need much security – as these are digitally signed. Limitation: Time granularity of revocation is limited to the CRL issue period. • Online Status Checking: uses OCSP ( Online Certificate Status Protocol). The responder is the CA or the authorized person by the CA. The OCSP response is digitally signed, contains the identifier of the responder, time of response, status. Limitation: Very expensive.

  18. Using Pre-existing certificates (verisign) • IF the IP address or Domain name is changed – then the certificate needs to be changed. • If you are changing your Server Software – because verisign issues the certificates considering the server software and IP address/domain name configuration.

  19. Digital Certificates In SSL(Secure Socket Layer) • SSL is used to create a secure connection between a user and a web page on the Internet. • It uses the Digital Certificates to authenticate the identities of the parties involved in the transaction. • IT works as following: • Once you access a secure URL the browser passes the following information to the server: Browser’s SSL version number, list of the encryption algorithms it supports, and a string of randomly generated data. • Then the Server replies with the same information as above along with it’s Digital Certificate.

  20. Digital Certificates In SSL(Secure Socket Layer) • If the server requires client authentication, it will send a request asking for the client’s digital certificate. • Now the Browser will first authenticate the identity of the server : validity dates of the server’s certificate • trusts" the CA that issued the server certificate(by looking for the root certificate from the CA . • Then it will decrypt the digital signature on the server’s certificate • If the browser can successfully decrypt the signature, it accepts the certificate as valid proof of the server’s identity.

  21. Digital Certificates In SSL(Secure Socket Layer) • The browser now determines the strongest encryption algorithm supported by both parties and creates a "premaster secret" from the data involved in the transaction thus far. The premaster secret is encrypted using the server’s public key and is passed to the server. • The server may also verify the validity of the client, then it will also check for all the corresponding details. Once the client validity is confirmed…. The server will decrypt the premaster secret . • Since both know the this value they will perform a series of calculations and calculate the “ master secret ”.Both should have arrived at the same value..so now they create a “session key”.

  22. Digital Certificates In SSL(Secure Socket Layer) • The SSL secure connection is now in place and the browser and server begin exchanging data using the symmetric session key.

More Related