1 / 43

Certificates, Keys, Web Browsers, and Security

Certificates, Keys, Web Browsers, and Security - Sumanth Gelle Contents: Keys Symmetric Encryption Asymmetric Encryption Hybrid Encryption Certificate What does Certificate contain Authentication with certificate How to set up SSL on a web server

ivanbritt
Download Presentation

Certificates, Keys, Web Browsers, and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Certificates, Keys, Web Browsers, and Security - Sumanth Gelle

  2. Contents: • Keys • Symmetric Encryption • Asymmetric Encryption • Hybrid Encryption • Certificate • What does Certificate contain • Authentication with certificate • How to set up SSL on a web server • Certificate Revocation Lists • Browser • Internet Explorer

  3. What Does Cryptography Solve? • Confidentiality • Ensure that nobody can get knowledge of what you transfer even if listening the whole conversation • Integrity • Ensure that message has not been modified during the transmission • Authenticity • You can verify that you are talking to the entity you think you are talking to

  4. Confidentiality--- Encryption is the answer • Integrity--- Hashing is the answer • Authentication--- Digital Certificate is the answer • Cryptography is key management

  5. Keys Symmetric Keys Clear-text input Clear-text output Cipher-text “An intro to PKI and few deploy hints” “AxCvGsmWe#4^,sdgfMwir3:dkJeTsY8R\s@!q3%” “An intro to PKI and few deploy hints” DES DES Encryption Decryption Same key(shared secret)

  6. Symmetric Encryption • Symmetric algorithms require the creation of a key and an initialization vector (IV) that must be kept secret from anyone who should not decrypt your data. TripleDESCryptoServiceProvider TDES = new TripleDESCryptoServiceProvider(); TDES.GenerateIV(); TDES.GenerateKey(); When the previous code is executed, a key and IV are generated when the new instance of TripleDESCryptoServiceProvider is made. Another key and IV are created when the GenerateKey and GenerateIV methods are called.

  7. Asymmetric Encryption • Asymmetric algorithms require the creation of a public key and a private key. The public key can be made public to anyone, while the private key must known only by the party who will decrypt the data encrypted with the public key. //Generate a public/private key pair. RSACryptoServiceProvider RSA = new RSACryptoServiceProvider(); //Save the public key information to an RSAParameters structure. RSAParameters RSAKeyInfo =RSA.ExportParameters(false);

  8. Assymetric Encryption Continued… • To create an asymmetric key and save it in a key container Create a new instance of a CspParameters class and pass the name that you want to call the key container to the CspParameters.KeyContainerName field. Create a new instance of a class that derives from the AsymmetricAlgorithm class (usually RSACryptoServiceProvider or DSACryptoServiceProvider) and pass the previously created CspParameters object to its constructor. • To delete a key from a key container Create a new instance of a CspParameters class and pass the name that you want to call the key container to the CspParameters.KeyContainerName field. Create a new instance of a class that derives from the AsymmetricAlgorithm class (usually RSACryptoServiceProvider or DSACryptoServiceProvider) and pass the previously created CspParameters object to its constructor. Set the PersistKeyInCSP property of the class that derives from AsymmetricAlgorithm to false (False in Visual Basic). Call the Clear method of the class that derives from AsymmetricAlgorithm. This method releases all resources of the class and clears the key container.

  9. Clear text Encrypt Decrypt Cipher 1 Cipher 1 Encrypt Decrypt Cipher 2 Cipher 2 Transmission over the public network Priv Priv pub pub pub pub Example: SSL • Ensures confidentiality • And integrity if digitally signed • depending on how public key are exchanged • Authenticity, Identity, Non-repudiation Clear text

  10. Symmetrically Encrypted message Symmetric Encryption Asymmetric Encryption of session key Randomly-Generated symmetric “session” key Digital Envelope Recipient’s public key Asymmetric Encryption of session key Digital Envelope Repeat as necessary Public key of other recipient or recovery agent ENCRYPTED DOCUMENT Real World: Hybrid Encryption(typical for encrypted file storage) Clear-text message

  11. Clear-text message Symmetric Decryption Take the appropriate digital envelope containing the “session” key encrypted using recipient’s public key UNENCRYPTED DOCUMENT Asymmetric decryption of session key “session” key is decrypted using the recipient private key ENCRYPTED DOCUMENT Private key of the recipient Real World: Hybrid Decryption Symmetrically Encrypted message Digital Envelope Digital Envelope Digital Envelope

  12. PKI (Public Key Infrastructure) • Public Key Infrastructure provides the technologies that enable practical distribution of public keys” • Using CERTIFICATES

  13. Certificates

  14. What does Certificate contain? • Owner's public key  • Owner's name or alias  • Expiration date of the certificate  • Serial number of the certificate  • Name of the organization that issued the certificate  • Digital signature of the organization that issued the certificate 

  15. Authentication with Certificates • Owning a Certificate of Gianni does not mean that you are Gianni • Owning a Certificate does not imply you are authenticated • How would you verify that the person who comes to you pretending to be Gianni and showing you a certificate of Gianni is really Gianni ? • You have to challenge him ! • Only the real Gianni has the private key that goes in pair with the public key in the certificate.

  16. Authentication with Certificates • Denise gets Gianni’s certificate • She verifies its digital signature • She can trust that the public key really belongs to Gianni • But is it Gianni standing if front of her, or is that Michel ? • Denise challenges Gianni to encrypt for her a random phrase she generated (“I like green tables with flowers”) • Gianni has (if he is the real Gianni) the private key that matches the certificate, so he responds (“deRf35D^&#dvYr8^*$@dff”) • Denise decrypts this with the public key she has in the certificate (which she trusts) and if it matches the phrase she just generated for the challenge then it must really be Gianni himself !

  17. How to Set Up SSL on a Web Server • Step1. Generate a Certificate Request • Step 2. Submit a Certificate Request • Step 3. Issue the Certificate • Step 4. Install the Certificate on the Web server • Step 5. Configure Resources to Require SSL Access

  18. Step 1. Generate a Certificate Request • Start the IIS Microsoft Management Console (MMC) snap-in. • Expand your Web server name and select the Web site for which you want to install a certificate. • Right-click the Web site, and then click Properties. • Click the Directory Security tab. • Click the Server Certificate button within Securecommunications to launch the Web Server Certificate Wizard. Note   If ServerCertificate is unavailable, you probably selected a virtual directory, directory, or file. Go back to Step 2 and select a Web site.

  19. Step2. Submit a Certificate Request • Use Notepad to open the certificate file generated in the previous procedure and copy its entire contents to the clipboard. • Start Internet Explorer and navigate to http:// hostname/CertSrv, where hostname is the name of the computer running Microsoft Certificate Services. • Click Request a Certificate, and then click Next. • On the Choose Request Type page, click Advancedrequest, and then click Next. • On the Advanced Certificate Requests page, click Submit a certificate request using a base64 encoded PKCS#10 file, and then click Next. • On the Submit a Saved Request page, click in the Base64 Encoded Certificate Request (PKCS #10 or #7) text box and press CTRL+V to paste the certificate request you copied to the clipboard earlier. • In the Certificate Template combo box, click WebServer. • Click Submit. • Close Internet Explorer.

  20. Step3. Issue the Certificate • Start the Certification Authority tool from the AdministrativeTools program group. • Expand your certificate authority, and then select the Pending Requests folder. • Select the certificate request you just submitted. • On the Action menu, point to All Tasks, and then click Issue. • Confirm that the certificate is displayed in the Issued Certificates folder, and then double-click it to view it. • On the Details tab, click Copy to File, and save the certificate as a Base-64 encoded X.509 certificate. • Close the properties window for the certificate. • Close the Certificate Authority tool.

  21. Step4. Install the Certificate on the Web Server • Start Internet Information Services, if it's not already running. • Expand your server name and select the Web site for which you want to install a certificate. • Right-click the Web site, and then click Properties. • Click the Directory Security tab. • Click Server Certificate to launch the Web Server Certificate Wizard. • Click Process the pending request and install the certificate, and then click Next. • Enter the path and file name of the file that contains the response from the CA, and then click Next. • Examine the certificate overview, click Next, and then click Finish. A certificate is now installed on the Web server.

  22. Step5. Configure Resources to Require SSL Access • Start Internet Information Services, if it's not already running. • Expand your server name and Web site. (This must be a Web site that has an installed certificate.) • Right-click a virtual directory, and then click Properties. • Click the Directory Security tab. • Under Secure communications, click Edit. • Click Require secure channel (SSL). Client's browsing to this virtual directory must now use HTTPS. • Click OK, and then click OK again to close the Properties dialog box. • Close Internet Information Services.

  23. How to Set Up Client Certificates • Step 1. Create a Simple Web Application • Step 2. Configure the Web Application to Require Client Certificates • Step 3. Request and Install a Client Certificate • Step 4. Verify Client Certificate Operation

  24. Certificate Stores • Certificates are stored in safe locations called a certificate stores. A certificate store can contain certificates, CRLs, and Certificate Trust Lists (CTLs). Each user has a personal store (called the "MY store") where that user's certificates are stored. The MY store can be physically implemented in a number of locations including the registry, on a local or remote computer, a disk file, a data base, a directory service, a smart device, or another location. • While any certificate can be stored in the MY store, this store should be reserved for a user's personal certificates, that is the certificates used for signing and decrypting that particular user's messages. • In addition to the MY store, Windows also maintains the following certificate stores: • CA and ROOT. This store contains the certificates of certificate authorities that the user trusts to issue certificates to others. A set of trusted CA certificates are supplied with the operating system and others can be added by administrators. • Other. This store contains the certificates of other people to whom the user exchanges signed messages. • The CryptoAPI provides functions to manage certificates. These APIs can be accessed only through unmanaged code. Also, CAPICOM is a COM-based API for the CryptoAPI, which can be accessed via COM Interop.

  25. Certificates Revocation List • X.509 certificates and many other certificates have a valid time duration. A certificate can expire and no longer be valid. A CA can revoke a certificate for a number of reasons. To handle revocations, a CA maintains and distributes a list of revoked certificates called a Certificate Revocation List (CRL). Network users access the CRL to determine the validity of a certificate.

  26. Certmgr.exe • Makecert.exe The Certificate Creation tool generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.

  27. Internet Explorer (IE) • Integrated Windows Authentication. To enable this authentication method, in the Internet Options dialog box, click the Advanced tab, and then select the Enable Integrated Windows Authentication checkbox. • Server Certificate Revocation. Internet Explorer 6 includes support for server certificate revocation, which verifies that an issuing CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions are present. If the URL for the revocation information is unresponsive, Internet Explorer cancels the connection. To enable server certificate revocation, in the Internet Options dialog box, click the Advanced tab, and then select the Check for server certificate revocation check box.

  28. Installing and Removing Trusted Certificates • On the Tools menu, click Internet Options, and then click the Content tab.  • Click Certificates.  • Click one of the following tabbed categories for the type of certificates you want to install or remove: •Personal. Certificates in the Personal category have an associated private key. Information signed by using personal certificates is identified by the user's private key data. By default, Internet Explorer places all certificates that will identify the user (with a private key) in the Personal category.  •Other People. Certificates in the Other People category use public key cryptography to authenticate identity, based on a matching private key that is used to sign the information. By default, this category includes all certificates that are not in the Personal category (the user does not have a private key) and are not from CAs.  •Intermediate Certification Authorities. This category contains all certificates for CAs that are not root certificates.  •Trusted Root Certification Authorities. This category includes only self-signed certificates in the root store. When a CA's root certificate is listed in this category, you are trusting content from sites, people, and publishers with credentials issued by the CA.  •Trusted Publishers. This category contains only certificates from trusted publishers whose content can be downloaded without user intervention, unless downloading active content is disabled in the settings for a specific security zone. Downloading active content is not enabled by default. For each available security zone, users can choose an appropriate set of ActiveX security preferences

  29. 4.In the Intended Purpose box, select the filter for the types of certificates that you want to be displayed in the list. •  5.Work with particular certificates through one of the following methods: •To add other certificates to the list, click Import. The Certificate Manager Import Wizard steps you through the process of adding a certificate. •To export certificates from the list, click Export. The Certificate Manager Export Wizard steps you through the process of exporting a certificate.   •To specify the default drag-and-drop export file format (when the user drags a certificate from the Certificate Manager and drops it into a folder), click Advanced.

  30. To delete an existing certificate from the list of trusted certificates, click Remove.  •To display the properties for a selected certificate, including the issuer of the certificate and its valid dates, click View. 

  31. Adding Trusted Publishers • To designate a trusted publisher for Internet Explorer, use the Security Warning dialog box that appears when you attempt to download software from that publisher. • To add a trusted publisher 1.Use Internet Explorer to download signed active content from the publisher.  2.When the Security Warning dialog box appears, select the Always trust content from trusted publisher check box

  32. To download the software and control and add the publisher to the list of trusted publishers, click Yes.

  33. Configuring Advanced Security Options for Certificate and Authentication Features • You can easily configure options for certificate and authentication features that your users might need. • To configure advanced security options for certificates 1.On the Tools menu, click Internet Options, and then click the Advanced tab.  2.In the Security area, review the selected options.  3.Depending on the needs of your organization and its users, select or clear the appropriate check boxes. For example, to enable SSL 3.0, select the Use SSL 3.0 check box. 

  34. References • http://it-dep-is-techmeet.web.cern.ch/it-dep-is-techmeet/TechMeeting/2003-09-08/PKI-Intro.ppt#338%2c1%2cA-to-Z • http://it-dep-is-techmeet.web.cern.ch/it-dep-is-techmeet/TechMeeting/2003-10-22/2003-10-20-PKI-Intro-Hepix.ppt#394%2c11%2cExample • https://www.microsoft.com/technet/prodtechnol/ie/reskit/6/part2/c06ie6rk.mspx?mfr=true • http://resources.nznog.org/Friday-240306/RobertLoomans-SSLandTLSCertsForUserAuthentication/NZNOG-client-certs.ppt#294%2c5%2cWhy • http://msdn2.microsoft.com/en-us/bfsktky3.aspx

More Related