Certificates, Keys, Web Browsers, and Security - Sumanth Gelle

Presentation Transcript
Contents:
  • Keys
      • Symmetric Encryption
      • Asymmetric Encryption
      • Hybrid Encryption
  • Certificate
      • What does Certificate contain
      • Authentication with certificate
      • How to set up SSL on a web server
      • Certificate Revocation Lists
  • Browser
      • Internet Explorer
What Does Cryptography Solve?
  • Confidentiality
    • Ensure that nobody can learn what you transfer, even if they listen to the whole conversation
  • Integrity
    • Ensure that the message has not been modified during transmission
  • Authenticity
    • You can verify that you are talking to the entity you think you are talking to
  • Confidentiality: Encryption is the answer
  • Integrity: Hashing is the answer
  • Authentication: Digital Certificate is the answer
  • Cryptography is key management
Keys

Symmetric Keys (diagram): clear-text input “An intro to PKI and few deploy hints” → DES encryption → cipher-text “AxCvGsmWe#4^,sdgfMwir3:dkJeTsY8R\s@!q3%” → DES decryption → clear-text output “An intro to PKI and few deploy hints”. The same key (shared secret) is used for encryption and decryption.

Symmetric Encryption
  • Symmetric algorithms require the creation of a key and an initialization vector (IV) that must be kept secret from anyone who should not decrypt your data.

  // Create a Triple-DES provider; a random key and IV are generated with it.
  TripleDESCryptoServiceProvider TDES = new TripleDESCryptoServiceProvider();
  // Explicitly generate a fresh IV and key, replacing the ones created above.
  TDES.GenerateIV();
  TDES.GenerateKey();

When the previous code is executed, a key and IV are generated when the new instance of TripleDESCryptoServiceProvider is made. Another key and IV are created when the GenerateKey and GenerateIV methods are called.

Asymmetric Encryption
  • Asymmetric algorithms require the creation of a public key and a private key. The public key can be made public to anyone, while the private key must be known only by the party who will decrypt the data encrypted with the public key.

  // Generate a public/private key pair.
  RSACryptoServiceProvider RSA = new RSACryptoServiceProvider();
  // Save the public key information to an RSAParameters structure
  // (false = export only the public parameters, never the private key).
  RSAParameters RSAKeyInfo = RSA.ExportParameters(false);

Asymmetric Encryption Continued…
  • To create an asymmetric key and save it in a key container:
    1. Create a new instance of the CspParameters class and pass the name that you want to call the key container to the CspParameters.KeyContainerName field.
    2. Create a new instance of a class that derives from the AsymmetricAlgorithm class (usually RSACryptoServiceProvider or DSACryptoServiceProvider) and pass the previously created CspParameters object to its constructor.
  • To delete a key from a key container:
    1. Create a new instance of the CspParameters class and pass the name that you want to call the key container to the CspParameters.KeyContainerName field.
    2. Create a new instance of a class that derives from the AsymmetricAlgorithm class (usually RSACryptoServiceProvider or DSACryptoServiceProvider) and pass the previously created CspParameters object to its constructor.
    3. Set the PersistKeyInCSP property of the class that derives from AsymmetricAlgorithm to false (False in Visual Basic).
    4. Call the Clear method of the class that derives from AsymmetricAlgorithm. This method releases all resources of the class and clears the key container.

Example: SSL (diagram): clear text → Encrypt → Cipher 1 → transmission over the public network → Decrypt → clear text, with Cipher 2 flowing the same way in the other direction; each side holds its own private key (Priv) and the other side's public key (pub).

Example: SSL
  • Ensures confidentiality
    • And integrity if digitally signed
  • Depending on how public keys are exchanged:
    • Authenticity, Identity, Non-repudiation

Real World: Hybrid Encryption (typical for encrypted file storage)

(diagram) Clear-text message → symmetric encryption with a randomly-generated symmetric “session” key → symmetrically encrypted message. The session key is then asymmetrically encrypted with the recipient’s public key, giving a digital envelope; repeat as necessary with the public key of each other recipient or recovery agent, producing one digital envelope each. ENCRYPTED DOCUMENT = symmetrically encrypted message + digital envelope(s).

Real World: Hybrid Decryption

(diagram) From the ENCRYPTED DOCUMENT (symmetrically encrypted message + digital envelopes), take the appropriate digital envelope containing the “session” key encrypted using the recipient’s public key. The “session” key is decrypted using the recipient’s private key (asymmetric decryption of the session key); symmetric decryption with the recovered session key yields the clear-text message (UNENCRYPTED DOCUMENT).
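The symmetric, asymmetric and hybrid slides above describe one mechanism: a random session key encrypts the message once, and that key is wrapped for every recipient with their public key. The following is an added example written for this transcript, not code from the deck or from the .NET classes it quotes; it is in Go because the standard library carries everything needed and it runs offline. AES-256-GCM stands in for DES and RSA-OAEP for the raw RSA of the slides, and the recipient keys, message and `Envelope` layout are constructed for the demo. One caveat the symmetric slide glosses over: the IV (GCM nonce) does not have to be secret, it travels with the ciphertext, but it must never repeat under the same key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the constructed on-the-wire form for this example: one
// symmetrically encrypted body plus one wrapped copy of the session key per
// recipient (or recovery agent), as in the "repeat as necessary" diagram.
type Envelope struct {
	Nonce      []byte   // AES-GCM nonce: public, but must never repeat under one key
	Ciphertext []byte   // message encrypted under the session key (with GCM tag)
	WrappedKey [][]byte // session key encrypted with each recipient's RSA public key
}

// Seal is the "Hybrid Encryption" slide: fresh random session key, one
// symmetric encryption of the message, one digital envelope per recipient.
func Seal(msg []byte, recipients []*rsa.PublicKey) (*Envelope, error) {
	sessionKey := make([]byte, 32) // AES-256 key, generated per message
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, msg, nil)}
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKey = append(env.WrappedKey, wrapped)
	}
	return env, nil
}

// Open is the "Hybrid Decryption" slide: take the envelope entry wrapped for
// this recipient, unwrap the session key with the private key, decrypt the
// body. GCM's tag also gives integrity: a modified body fails to open.
func Open(env *Envelope, idx int, priv *rsa.PrivateKey) ([]byte, error) {
	if idx < 0 || idx >= len(env.WrappedKey) {
		return nil, errors.New("no digital envelope for this recipient")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey[idx], nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)    // recipient
	recovery, _ := rsa.GenerateKey(rand.Reader, 2048) // recovery agent
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048) // holds no envelope
	env, err := Seal([]byte("An intro to PKI and few deploy hints"),
		[]*rsa.PublicKey{&alice.PublicKey, &recovery.PublicKey})
	if err != nil {
		panic(err)
	}
	pt, _ := Open(env, 0, alice)
	fmt.Printf("alice:    %q\n", pt)
	pt, _ = Open(env, 1, recovery)
	fmt.Printf("recovery: %q\n", pt)
	_, err = Open(env, 0, stranger)
	fmt.Println("stranger:", err) // OAEP unwrap fails: wrong private key
}
```

Each recipient only ever sees the envelope entry made for them, so adding a recovery agent costs one more RSA operation, not a second encryption of the document.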

PKI (Public Key Infrastructure)
  • Public Key Infrastructure provides the technologies that enable practical distribution of public keys
    • Using CERTIFICATES
What does a Certificate contain?
  • Owner's public key 
  • Owner's name or alias 
  • Expiration date of the certificate 
  • Serial number of the certificate 
  • Name of the organization that issued the certificate 
  • Digital signature of the organization that issued the certificate 
Authentication with Certificates
  • Owning a certificate of Gianni does not mean that you are Gianni
    • Owning a certificate does not imply you are authenticated
  • How would you verify that the person who comes to you pretending to be Gianni and showing you a certificate of Gianni is really Gianni?
    • You have to challenge him!
    • Only the real Gianni has the private key that goes in a pair with the public key in the certificate.
Authentication with Certificates (continued)
  • Denise gets Gianni’s certificate
  • She verifies its digital signature
      • She can trust that the public key really belongs to Gianni
      • But is it Gianni standing in front of her, or is that Michel?
  • Denise challenges Gianni to encrypt for her a random phrase she generated (“I like green tables with flowers”)
  • Gianni has (if he is the real Gianni) the private key that matches the certificate, so he responds (“deRf35D^&#dvYr8^*$@dff”)
  • Denise decrypts this with the public key she has in the certificate (which she trusts), and if it matches the phrase she just generated for the challenge then it must really be Gianni himself!
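The Denise/Gianni exchange, as an added example that is not part of the deck. It is written in Go with the standard library; the key pairs, names and challenge size are constructed for the demo, and the public key is used directly where Denise would take it from a certificate she has already verified. What the slide calls "encrypting the phrase with the private key" is, in practice, a digital signature (RSA-PSS here), and the example adds the check a defender cares about: the challenge must be random and single-use, so that an answer recorded from the real Gianni cannot be replayed by Michel.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewChallenge is Denise's side: a fresh random nonce in place of the slide's
// "random phrase". It must be unpredictable and used only once.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Answer is the claimant's side: prove possession of the private key by
// signing the challenge (RSA-PSS over SHA-256 stands in for "encrypting with
// the private key").
func Answer(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify is Denise checking the answer with the public key from the
// certificate she trusts. Only the holder of the matching private key can
// produce a signature that verifies against this challenge.
func Verify(certPub *rsa.PublicKey, challenge, answer []byte) bool {
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPSS(certPub, crypto.SHA256, digest[:], answer, nil) == nil
}

func main() {
	gianni, _ := rsa.GenerateKey(rand.Reader, 2048) // key pair behind Gianni's certificate
	michel, _ := rsa.GenerateKey(rand.Reader, 2048) // an impostor's own key pair
	certPub := &gianni.PublicKey                     // what Denise reads from the certificate

	challenge, _ := NewChallenge()
	genuine, _ := Answer(gianni, challenge)
	forged, _ := Answer(michel, challenge)
	fmt.Println("real Gianni verifies:", Verify(certPub, challenge, genuine)) // true
	fmt.Println("Michel verifies:     ", Verify(certPub, challenge, forged))  // false

	// A recorded answer is useless against the next, different challenge.
	next, _ := NewChallenge()
	fmt.Println("replayed answer:     ", Verify(certPub, next, genuine)) // false
}
```

Michel can hold a perfect copy of Gianni's certificate and still fail, because the certificate carries only the public half; the private key never leaves Gianni.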
How to Set Up SSL on a Web Server
  • Step 1. Generate a Certificate Request
  • Step 2. Submit a Certificate Request
  • Step 3. Issue the Certificate
  • Step 4. Install the Certificate on the Web server
  • Step 5. Configure Resources to Require SSL Access
Step 1. Generate a Certificate Request
  • Start the IIS Microsoft Management Console (MMC) snap-in.
  • Expand your Web server name and select the Web site for which you want to install a certificate.
  • Right-click the Web site, and then click Properties.
  • Click the Directory Security tab.
  • Click the Server Certificate button within Secure communications to launch the Web Server Certificate Wizard. Note: if Server Certificate is unavailable, you probably selected a virtual directory, directory, or file. Go back to Step 2 and select a Web site.
Step 2. Submit a Certificate Request
  • Use Notepad to open the certificate file generated in the previous procedure and copy its entire contents to the clipboard.
  • Start Internet Explorer and navigate to http://hostname/CertSrv, where hostname is the name of the computer running Microsoft Certificate Services.
  • Click Request a Certificate, and then click Next.
  • On the Choose Request Type page, click Advanced request, and then click Next.
  • On the Advanced Certificate Requests page, click Submit a certificate request using a base64 encoded PKCS#10 file, and then click Next.
  • On the Submit a Saved Request page, click in the Base64 Encoded Certificate Request (PKCS #10 or #7) text box and press CTRL+V to paste the certificate request you copied to the clipboard earlier.
  • In the Certificate Template combo box, click WebServer.
  • Click Submit.
  • Close Internet Explorer.
Step 3. Issue the Certificate
  • Start the Certification Authority tool from the Administrative Tools program group.
  • Expand your certificate authority, and then select the Pending Requests folder.
  • Select the certificate request you just submitted.
  • On the Action menu, point to All Tasks, and then click Issue.
  • Confirm that the certificate is displayed in the Issued Certificates folder, and then double-click it to view it.
  • On the Details tab, click Copy to File, and save the certificate as a Base-64 encoded X.509 certificate.
  • Close the properties window for the certificate.
  • Close the Certificate Authority tool.
Step 4. Install the Certificate on the Web Server
  • Start Internet Information Services, if it's not already running.
  • Expand your server name and select the Web site for which you want to install a certificate.
  • Right-click the Web site, and then click Properties.
  • Click the Directory Security tab.
  • Click Server Certificate to launch the Web Server Certificate Wizard.
  • Click Process the pending request and install the certificate, and then click Next.
  • Enter the path and file name of the file that contains the response from the CA, and then click Next.
  • Examine the certificate overview, click Next, and then click Finish. A certificate is now installed on the Web server.
Step 5. Configure Resources to Require SSL Access
  • Start Internet Information Services, if it's not already running.
  • Expand your server name and Web site. (This must be a Web site that has an installed certificate.)
  • Right-click a virtual directory, and then click Properties.
  • Click the Directory Security tab.
  • Under Secure communications, click Edit.
  • Click Require secure channel (SSL). Clients browsing to this virtual directory must now use HTTPS.
  • Click OK, and then click OK again to close the Properties dialog box.
  • Close Internet Information Services.
How to Set Up Client Certificates
  • Step 1. Create a Simple Web Application
  • Step 2. Configure the Web Application to Require Client Certificates
  • Step 3. Request and Install a Client Certificate
  • Step 4. Verify Client Certificate Operation
Certificate Stores
  • Certificates are stored in safe locations called certificate stores. A certificate store can contain certificates, CRLs, and Certificate Trust Lists (CTLs). Each user has a personal store (called the "MY store") where that user's certificates are stored. The MY store can be physically implemented in a number of locations, including the registry on a local or remote computer, a disk file, a database, a directory service, a smart device, or another location.
  • While any certificate can be stored in the MY store, this store should be reserved for a user's personal certificates, that is, the certificates used for signing and decrypting that particular user's messages.
  • In addition to the MY store, Windows also maintains the following certificate stores:
    • CA and ROOT. This store contains the certificates of certificate authorities that the user trusts to issue certificates to others. A set of trusted CA certificates is supplied with the operating system and others can be added by administrators.
    • Other. This store contains the certificates of other people with whom the user exchanges signed messages.
  • The CryptoAPI provides functions to manage certificates. These APIs can be accessed only through unmanaged code. Also, CAPICOM is a COM-based API for the CryptoAPI, which can be accessed via COM Interop.
Certificate Revocation List
  • X.509 certificates and many other certificates have a valid time duration. A certificate can expire and no longer be valid. A CA can revoke a certificate for a number of reasons. To handle revocations, a CA maintains and distributes a list of revoked certificates called a Certificate Revocation List (CRL). Network users access the CRL to determine the validity of a certificate.
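To tie the certificate-contents, PKI and CRL slides together, here is an added example (written for this transcript, not taken from the deck or from CryptoAPI) that builds a throwaway PKI in Go with the standard library: a self-signed CA, a certificate for "Gianni" issued by it, a dump of the fields the "What does a certificate contain" slide lists, chain verification with an expiry check, and finally a CRL issued by the CA that a relying party checks before trusting the certificate. The CA name, serial numbers and lifetimes are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with the signer's key, naming parent as issuer (parent ==
// template gives a self-signed certificate), and returns the parsed result.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI constructs the toy PKI: a self-signed CA allowed to sign
// certificates and CRLs, and a 24-hour client certificate for "Gianni".
func BuildPKI() (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate, err error) {
	now := time.Now()
	if caKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example CA (constructed)"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // Gianni's private key
	if err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "Gianni"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf, err = issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return
}

// Describe returns the fields named on the "What does a certificate contain" slide.
func Describe(c *x509.Certificate) map[string]string {
	return map[string]string{
		"owner":      c.Subject.String(),
		"issuer":     c.Issuer.String(),
		"serial":     c.SerialNumber.String(),
		"expires":    c.NotAfter.UTC().Format(time.RFC3339),
		"public key": c.PublicKeyAlgorithm.String(),
		"signature":  c.SignatureAlgorithm.String(),
	}
}

// Trusted verifies the CA's signature on leaf and its validity period at the
// given time: the "she verifies its digital signature" step.
func Trusted(leaf, ca *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Revoke has the CA publish a signed CRL listing the given serial numbers.
func Revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...*big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// IsRevoked is the relying party's check: verify the CRL really comes from
// the CA, then look for the certificate's serial number in it.
func IsRevoked(crlDER []byte, ca, c *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err // an unsigned or forged CRL must not be trusted
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, caKey, leaf, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	for k, v := range Describe(leaf) {
		fmt.Printf("%-11s %s\n", k+":", v)
	}
	fmt.Println("trusted now:", Trusted(leaf, ca, time.Now()))
	crl, _ := Revoke(ca, caKey, leaf.SerialNumber)
	revoked, _ := IsRevoked(crl, ca, leaf)
	fmt.Println("revoked:", revoked)
}
```

Note that a certificate can still verify against the CA after it has been revoked; signature and expiry checks say nothing about revocation, which is why the CRL lookup is a separate step and why, as the Internet Explorer slide later notes, an unreachable revocation source is treated as a failure rather than ignored.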
Certmgr.exe
  • Makecert.exe: The Certificate Creation tool generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.

Internet Explorer (IE)
  • Integrated Windows Authentication.

To enable this authentication method, in the Internet Options dialog box, click the Advanced tab, and then select the Enable Integrated Windows Authentication checkbox.

  • Server Certificate Revocation.

Internet Explorer 6 includes support for server certificate revocation, which verifies that an issuing CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions are present. If the URL for the revocation information is unresponsive, Internet Explorer cancels the connection.

To enable server certificate revocation, in the Internet Options dialog box, click the Advanced tab, and then select the Check for server certificate revocation check box.

Installing and Removing Trusted Certificates
  • On the Tools menu, click Internet Options, and then click the Content tab.
  • Click Certificates.
  • Click one of the following tabbed categories for the type of certificates you want to install or remove:
    • Personal. Certificates in the Personal category have an associated private key. Information signed by using personal certificates is identified by the user's private key data. By default, Internet Explorer places all certificates that will identify the user (with a private key) in the Personal category.
    • Other People. Certificates in the Other People category use public key cryptography to authenticate identity, based on a matching private key that is used to sign the information. By default, this category includes all certificates that are not in the Personal category (the user does not have a private key) and are not from CAs.
    • Intermediate Certification Authorities. This category contains all certificates for CAs that are not root certificates.
    • Trusted Root Certification Authorities. This category includes only self-signed certificates in the root store. When a CA's root certificate is listed in this category, you are trusting content from sites, people, and publishers with credentials issued by the CA.
    • Trusted Publishers. This category contains only certificates from trusted publishers whose content can be downloaded without user intervention, unless downloading active content is disabled in the settings for a specific security zone. Downloading active content is not enabled by default. For each available security zone, users can choose an appropriate set of ActiveX security preferences.

  • In the Intended Purpose box, select the filter for the types of certificates that you want to be displayed in the list.
  • Work with particular certificates through one of the following methods:
    • To add other certificates to the list, click Import. The Certificate Manager Import Wizard steps you through the process of adding a certificate.
    • To export certificates from the list, click Export. The Certificate Manager Export Wizard steps you through the process of exporting a certificate.
    • To specify the default drag-and-drop export file format (when the user drags a certificate from the Certificate Manager and drops it into a folder), click Advanced.
    • To delete an existing certificate from the list of trusted certificates, click Remove.
    • To display the properties for a selected certificate, including the issuer of the certificate and its valid dates, click View.

Adding Trusted Publishers
  • To designate a trusted publisher for Internet Explorer, use the Security Warning dialog box that appears when you attempt to download software from that publisher.
  • To add a trusted publisher:
    1. Use Internet Explorer to download signed active content from the publisher.
    2. When the Security Warning dialog box appears, select the Always trust content from trusted publisher check box.
    3. To download the software and control and add the publisher to the list of trusted publishers, click Yes.
Configuring Advanced Security Options for Certificate and Authentication Features
  • You can easily configure options for certificate and authentication features that your users might need.
  • To configure advanced security options for certificates:
    1. On the Tools menu, click Internet Options, and then click the Advanced tab.
    2. In the Security area, review the selected options.
    3. Depending on the needs of your organization and its users, select or clear the appropriate check boxes. For example, to enable SSL 3.0, select the Use SSL 3.0 check box.

References
  • http://it-dep-is-techmeet.web.cern.ch/it-dep-is-techmeet/TechMeeting/2003-09-08/PKI-Intro.ppt#338%2c1%2cA-to-Z
  • http://it-dep-is-techmeet.web.cern.ch/it-dep-is-techmeet/TechMeeting/2003-10-22/2003-10-20-PKI-Intro-Hepix.ppt#394%2c11%2cExample
  • https://www.microsoft.com/technet/prodtechnol/ie/reskit/6/part2/c06ie6rk.mspx?mfr=true
  • http://resources.nznog.org/Friday-240306/RobertLoomans-SSLandTLSCertsForUserAuthentication/NZNOG-client-certs.ppt#294%2c5%2cWhy
  • http://msdn2.microsoft.com/en-us/bfsktky3.aspx