Digital Certificates

Copyright, 1996 Dale Carnegie & Associates, Inc.

Basic Terms
Public Key Cryptographic Standards, PKCS
A collection of 12 papers, PKCS #1 to PKCS #12, developed by RSA Labs and representatives from academia and industry.
PKCS #1 RSA Algorithm
PKCS #3 Diffie-Hellman Algorithm
PKCS #7 Cryptographic Message Syntax Std
PKCS #10 Key Certification Request
PKCS #11 Standard API for developers
PKCS #12 Certificate Interchange Format
PKCS #13 Elliptic Curves Algorithm

Basic Terms
Digital Signatures
DSS issued by NIST

Message Digest Algorithms


Non Reversible (One way function)
Examples
Message Digest Algorithm | Organization | Digest Length
MD2, MD4, MD5 | RSA Data Security Inc. | 128 bits
SHA, SHA-1 | US Government | 160 bits

Digital Certificates
Certificates are the framework for identification information, and bind identities with public keys. They provide a foundation for identification, authentication and non-repudiation.

Sample View of a Certificate

Certificate Types : Private/Personal

Server

Developer

X.509 v3 Certificate Format


Version
Certificate Serial Number
Signature Algorithm Identifier
Issuer Name
Validity Period
Subject Name
Subject Public Key Information
Optional Fields

X.509 v3 Extension Fields


Associate additional information for subjects, public keys, managing certification hierarchy and certificate revocation lists.
Extension type
Extension value
Criticality indicator

X.509 Profiles
Tailor the authentication model of X.509 to specific environments based on risk perception.
IETF Public Key Infrastructure (PKIX-1): Application-independent certificate-based key distribution mechanism.
SET Standard: Secure messaging for payment-service transactions over open networks.

Certification Authorities
Trusted organization that issues certificates and maintains status information about certificates.
Certification Practice Statement

Certification Authority's Private Key
X.509 v3 Format Certificate

CA's Digital Signature

Generate Digital Signature


How Do Digital Certificates Work?

Generate Public and Private Keys.
Get Certificate from the CA.
Sign the document/page using the private key.
Send signed document over open networks along with the CA's certificate.
Recipient verifies using the signing CA's public key.
Trust Chain and Fingerprints
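
The steps above, traced end to end as an added example (not part of the original slides). It uses textbook RSA without padding and constructed toy keys built from known Mersenne primes, purely to show that the recipient needs only the CA's public key; the names `make_key`, `issue_certificate` and `recipient_accepts` are hypothetical.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(data, n):
    # SHA-256 message digest reduced into the key's range; real schemes pad instead.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def cert_body(subject, public):
    # The bytes the CA signs: identity and public key bound together.
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_certificate(subject, subject_public, ca_private):
    return {"subject": subject, "public": subject_public,
            "ca_signature": sign(cert_body(subject, subject_public), ca_private)}

def recipient_accepts(document, doc_signature, cert, trusted_ca_public):
    """The recipient trusts only the CA public key; the rest arrives with the message."""
    body = cert_body(cert["subject"], cert["public"])
    if not verify(body, cert["ca_signature"], trusted_ca_public):
        return False  # the identity/key binding was not signed by the trusted CA
    return verify(document, doc_signature, cert["public"])

# Constructed toy keys from known Mersenne primes (far too small for real use).
CA_PUB, CA_PRIV = make_key(2**61 - 1, 2**107 - 1)
SUBJ_PUB, SUBJ_PRIV = make_key(2**89 - 1, 2**127 - 1)
OTHER_PUB, OTHER_PRIV = make_key(2**61 - 1, 2**89 - 1)  # a key the CA never certified

CERT = issue_certificate("alice@example.test", SUBJ_PUB, CA_PRIV)
DOC = b"constructed sample document"
SIG = sign(DOC, SUBJ_PRIV)
```

A certificate whose binding was signed by any key other than the trusted CA's fails the first check, so the document signature is never evaluated against an uncertified key.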


Web Server Security


Server Authentication using SSL
Information to/from the correct Web Site
Information in encrypted form

Setting up SSL on a Web Site


Create a Server Certificate Request
Obtain the Server Certificate from a CA/locally
Install it on the Web Server

Establishing an SSL connection


Need root certificate of the issuing CA


Client Authentication
Anonymous
Basic
Challenge Response (NT)
SSL Client Authentication


Certification and Registration

Application
Subject Authentication
Certificate Generation
Certificate Distribution
Certificate Revocation



Subject Authentication
Confirm the identity of the subject
Based on the class of certificate
Local Registration Authority (LRA) model
End Entity
Request Enrolment Renewal

CA
Certificate Issuance Revocation Suspension Renewal Repository

LRA
Get Certificate Applications Authentication Generate Key Pairs Revocations

Example : Verisign Onsite


Importing a Certificate
To send an encrypted message or document to a person who has a certificate.
From a Certification Authority
From a Directory Service (LDAP)
From a signed message
From a local file (encoded Binary PKCS #7)


Certificate Revocation Lists


A data structure that has the list of all the serial numbers of the revoked certificates.
Standard X.509 CRL format (ISO/ITU)

Propagation
Polling for CRLs
Pushing CRLs
Online status checking



Formal Specification (PKCS #7)


Abstract Syntax Notation (ASN.1)
Design tool used for expressing syntax of messages.
Widely used to describe protocols, interfaces, etc.

SignedData ::= SEQUENCE {
    version Version,
    digestAlgorithms DigestAlgorithmIdentifiers,
    contentInfo ContentInfo,
    certificates [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL,
    crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
    signerInfos SignerInfos }

PKCS #7 syntax for SignedData type
ASN.1 objects are encoded using BER/DER.

Key Certification Request


CertificationRequest ::= SEQUENCE {
    certificationRequestInfo CertificationRequestInfo,
    signatureAlgorithm SignatureAlgorithmIdentifier,
    signature Signature }

CertificationRequestInfo ::= SEQUENCE {
    version Version,
    subject Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    attributes [0] IMPLICIT Attributes }

Version ::= INTEGER
Attributes ::= SET OF Attribute  -- each Attribute is a name = value pair
SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
Signature ::= BIT STRING

PKCS #10 syntax using ASN.1 notation
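
How the ASN.1 definitions for PKCS #7 and PKCS #10 become bytes, as an added example that is not part of the original slides: a small DER tag-length-value encoder and a parser that rejects BER-only forms. The sample is a constructed structure shaped like CertificationRequestInfo with filler key bits; the function names `tlv`, `read_tlv` and `parse` are hypothetical.

```python
NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x05: "NULL", 0x06: "OID",
         0x13: "PrintableString", 0x30: "SEQUENCE", 0x31: "SET"}

def tlv(tag, content=b""):
    """Encode one DER tag-length-value triplet with a minimal definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def read_tlv(data, pos):
    """Decode one TLV at pos, enforcing DER length rules; returns (tag, content, next)."""
    if pos + 2 > len(data):
        raise ValueError("truncated header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite length is BER only, not DER")
    length = first
    if first > 0x80:
        raw = data[pos:pos + (first & 0x7F)]
        length = int.from_bytes(raw, "big")
        if len(raw) != (first & 0x7F) or raw[0] == 0 or length < 0x80:
            raise ValueError("truncated or non-minimal length")
        pos += len(raw)
    if pos + length > len(data):
        raise ValueError("length runs past end of input")
    return tag, data[pos:pos + length], pos + length

def parse(data):
    """Walk DER bytes into nested (type name, value) pairs; bit 0x20 marks constructed."""
    out, pos = [], 0
    while pos < len(data):
        tag, content, pos = read_tlv(data, pos)
        name = NAMES.get(tag, f"[{tag & 0x1F}]")
        out.append((name, parse(content) if tag & 0x20 else content))
    return out

# Constructed sample shaped like CertificationRequestInfo (key bits are filler).
OID_CN, OID_RSA = bytes.fromhex("550403"), bytes.fromhex("2a864886f70d010101")
subject = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x13, b"www.example.test"))))
spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05)) + tlv(0x03, b"\x00" + b"\xab" * 140))
SAMPLE = tlv(0x30, tlv(0x02, b"\x00") + subject + spki + tlv(0xA0))
```

Because DER allows exactly one encoding per value, a signature computed over the encoded bytes stays valid after re-encoding; a parser that also accepted indefinite or padded lengths would treat different byte strings as the same signed object.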



Certificate Management
Value and Validity of Certificates will be questioned
Cross Certification (Multiple CAs)
Top-Down Hierarchical Structure

Forest of Top-Down Hierarchies


Applications of Certificates
Sandbox Code Signing Vs Shrink-Wrapped Software
Accountability and Authenticity
Microsoft Authenticode 1.0
based on X.509 v3 and PKCS #7
Commercial vs. Individual Publishers

Object Signing
Netscape's technology
Signs any kind of files


Applications (continued)
Secure Messaging & S/MIME
Web Server Security
Microsoft ASP for Access Control
