Digital Certificates Nigel Pentland Guide Share Europe, April 2005.


1 Digital Certificates Nigel Pentland nigel.pentland@eu.nabgroup.com nigel@nigelpentland.net Guide Share Europe, April 2005

2 Digital Certificates
- What are Digital Certificates all about?
- How can we make use of them?
- Examples relating to WebSphere
- Some useful tools to assist us along the way

3 The Russian Postal System Puzzle †
- Boris in Moscow
- Natasha in St. Petersburg
- Boris has a ring and wants to get engaged as quickly as possible
- Strong box with a hasp to which a number of padlocks could be attached
- Together they hatched a clever scheme to get the precious jewel from Moscow to St. Petersburg securely – how did they do it?
† Taken from ‘In Code’ by Sarah Flannery

4 Cryptography
- Symmetric cryptography has been around for thousands of years
  - hieroglyphs
  - Caesar cipher
  - The Cipher of Mary Queen of Scots
  - Le Chiffre Indéchiffrable
  - http://www.simonsingh.com/ excellent CD-ROM free download…
- Asymmetric is relatively very new!
- Latest development - Secret Sharing (polynomial or hyperplanes)

5 Coming up with the idea
Concept:
- James Ellis – GCHQ – allegedly – 1970
- Whitfield Diffie & Martin Hellman – 1977

6 Making the idea work
Mathematical implementation:
- RSA
  U.S. Patent: 4,405,829
  Filed: December 14, 1977
  Issued: September 20, 1983
- Ron Rivest, Adi Shamir, Len Adleman
- RSA Patent expired 21st Sept 2000

7 Crypto – by Steven Levy
‘Steven Levy’s Crypto is the story of the unlikely, not to say downright motley, crew of mathematical and computer revolutionaries who broke NSA’s and GCHQ’s cryptographic monopoly, and in so doing helped to launch the internet revolution … an unparalleled chronicle of a remarkable group of people who have affected all of our lives’
Stephen Budiansky, Daily Mail
Jim Bidzos

8 Asymmetric cryptography
- Works by using pairs of keys with special properties (i.e. a one way trap door function)
- If you encrypt with one key then you can only decrypt using its partner
- By convention we refer to these as public and private keys
  - public certificate
  - private key

9 Digital Certificate Standards
- PKCS10 – Certification Request Syntax Standard
- PKCS11 – Cryptographic Token Interface Standard
- PKCS12 – Personal Information Exchange Syntax Standard
- RFC3280 – Internet X.509 Public Key Infrastructure
- ASN.1 – Abstract Syntax Notation 1
  note: this includes Object Identifiers or OIDs (RFC 3061)
  http://asn1.elibel.tm.fr/en/index.htm

10 RFC3280
…
KeyUsage ::= BIT STRING {
     digitalSignature   (0),
     nonRepudiation     (1),
     keyEncipherment    (2),
     dataEncipherment   (3),
     keyAgreement       (4),
     keyCertSign        (5),
     cRLSign            (6),
     encipherOnly       (7),
     decipherOnly       (8) }
…
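
An added example, not part of the original slides: a minimal Python decoder for the keyUsage extension as it sits DER-encoded inside a certificate, showing that named bit 0 is the most significant bit of the first data byte. The function names are this example's own and the sample bytes are constructed by hand.

```python
KEY_USAGE = ["digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign",
             "cRLSign", "encipherOnly", "decipherOnly"]   # bit numbers 0..8
KEY_USAGE_OID = bytes.fromhex("551d0f")   # DER contents of OID 2.5.29.15

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_key_usage_bits(content):
    """Map BIT STRING contents (unused-bit count + data bytes) to usage names."""
    if not content or content[0] > 7:
        raise ValueError("bad BIT STRING")
    data, nbits = content[1:], (len(content) - 1) * 8 - content[0]
    # Named bit 0 is the MOST significant bit of the first data byte.
    return [name for i, name in enumerate(KEY_USAGE)
            if i < nbits and data[i // 8] & (0x80 >> (i % 8))]

def parse_key_usage_extension(der):
    """Parse SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue }."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not a keyUsage extension")
    tag, value, pos = read_tlv(body, pos)
    critical = tag == 0x01 and value != b"\x00"
    if tag == 0x01:                        # BOOLEAN is present only when TRUE in DER
        tag, value, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING")
    tag, bits, _ = read_tlv(value, 0)      # extnValue wraps the BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    return critical, decode_key_usage_bits(bits)

# Constructed sample: critical extension with named bits 0, 2 and 3 set.
SAMPLE = bytes.fromhex("300e0603551d0f0101ff0404030204b0")
```

Calling `parse_key_usage_extension(SAMPLE)` returns the critical flag and the list of usage names; a truncated or mis-tagged input raises `ValueError` instead of being silently misread.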

11 De facto Notation
Alice & Bob
Asymmetric cryptography
Ron Rivest
Alice and Bob After Dinner Speech
Given by John Gordon in Zurich 1984
http://www.conceptlabs.co.uk/alicebob.html

12 Who generates certificates?
- Trusted 3rd party?
- Internal Certificate Authority (i.e. CA)
Deciding factors are:
- Trust
- Cost

13 Trusted 3rd Parties
Plus lots of others too…
Founded 1996
Founded 1995
Verisign bought Thawte in 2000 for £400 million

14 Soyuz TM-34 – April 2002
Soyuz Commander   Yuri Gidzenko      Russia
Flight Engineer   Roberto Vittori    Italy
Tourist           Mark Shuttleworth  South Africa
paid £13 million to be 2nd space tourist

15 Internal Certificate Authority (CA)
- RACF – i.e. RACDCERT command
  ICSF – Integrated Cryptographic Support Facility – beware backup!
- PKI Services – i.e. RACF bolt-on
- GSK Toolkit (aka ikeyman)
  Note: multiple versions!
- OpenSSL

16 Digital Certificates
- What are Digital Certificates all about?
- How can we make use of them?
- Examples relating to WebSphere
- Some useful tools to assist us along the way

17 Encryption and/or Authentication
This is done using a framework defined by one of the following standards:
- SSL (probably v3) Secure Sockets Layer
- TLS Transport Layer Security
- Cryptographic client server handshake protocol
- SSL and TLS - Designing and Building Secure Systems by Eric Rescorla

18 Simple Client Server
- Server has a certificate
  typically one issued by a Certificate Authority
- Client needs to establish a trust relationship
  typically it needs to trust the issuing Certificate Authority
- Unless, that is, SGC is being used – Server Gated Cryptography

19 Mutual or Client Authentication
- SSL or TLS is used to authenticate both ways
- First the server is authenticated as before
- Then the client is authenticated to the server in the same way
- Exactly how this happens depends on the protocol being used
- Hence MQ, which uses only labels, operates differently to WAS, which also uses the Common Name (i.e. URL) defined in the certificate

20 Digital Certificates
- What are Digital Certificates all about?
- How can we make use of them?
- Examples relating to WebSphere
- Some useful tools to assist us along the way

21 Example 1 – generate a Unix MQ Manager certificate
//* Batch TSO step (IKJEFT01) that issues RACDCERT GENCERT
//* SIZE(1024) is 2005-era; use RSA 2048 bits or more today
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=A,HOLD=YES
//SYSTSIN  DD *
 PROFILE NOPREFIX
 RACDCERT GENCERT +
   ID(USERID) +
   SUBJECTSDN(CN('ibmwebspheremqmanager') +
              OU('Technology') +
              O('National Australia Group Europe') +
              L('Glasgow') +
              SP('Scotland') +
              C('GB')) +
   SIZE(1024) +
   NOTBEFORE(DATE(2004-08-25)) +
   NOTAFTER(DATE(2006-08-25)) +
   WITHLABEL('ibmwebspheremqmanager') +
   SIGNWITH(CERTAUTH LABEL('TEST-MQ-ROOT')) +
   KEYUSAGE(HANDSHAKE,DATAENCRYPT)
/*

22 Example 2 – generate a z/OS MQ Manager certificate
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=A,HOLD=YES
//SYSTSIN  DD *
 PROFILE NOPREFIX
 RACDCERT GENCERT +
   ID(MQUSERID) +
   SUBJECTSDN(CN('ibmWebSphereMQ1234') +
              OU('Technology') +
              O('National Australia Group Europe') +
              L('Glasgow') +
              SP('Scotland') +
              C('GB')) +
   SIZE(1024) +
   NOTBEFORE(DATE(2004-10-01)) +
   NOTAFTER(DATE(2006-10-01)) +
   WITHLABEL('ibmWebSphereMQ1234') +
   SIGNWITH(CERTAUTH,LABEL('TEST-MQ-ROOT')) +
   KEYUSAGE(HANDSHAKE DATAENCRYPT)
/*

23 Example 3 – generate SSL Server certificate
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=A,HOLD=YES
//SYSTSIN  DD *
 PROFILE NOPREFIX
 RACDCERT GENCERT +
   ID(USERID) +
   SUBJECTSDN(CN('was.domain.com') +
              OU('Technology') +
              O('National Australia Group Europe') +
              L('Glasgow') +
              SP('Scotland') +
              C('GB')) +
   SIZE(1024) +
   NOTBEFORE(DATE(2004-10-01)) +
   NOTAFTER(DATE(2006-10-01)) +
   WITHLABEL('was label') +
   SIGNWITH(CERTAUTH,LABEL('TEST-ROOT')) +
   KEYUSAGE(HANDSHAKE DATAENCRYPT)
/*

24 Example 4 – certificate renewal – step 1
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=A,HOLD=YES
//SYSTSIN  DD *
 PROFILE NOPREFIX
 RACDCERT ID(USERID) GENREQ(LABEL('TEST')) +
   DSN('USERID.PKCS10.REQ')
/*

25 Example 5 – certificate renewal – step 2
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=A,HOLD=YES
//SYSTSIN  DD *
 PROFILE NOPREFIX
 RACDCERT GENCERT ('USERID.PKCS10.REQ') +
   ID(USERID) +
   NOTBEFORE(DATE(2004-11-08)) +
   NOTAFTER(DATE(2004-11-15)) +
   WITHLABEL('TEST') +
   SIGNWITH(CERTAUTH LABEL('TEST-ROOT'))
/*

26 Digital Certificates
- What are Digital Certificates all about?
- How can we make use of them?
- Examples relating to WebSphere
- Some useful tools to assist us along the way

27 Useful Tools
- base64
- CertMgr
- dumpasn1
- ikeyman
- MMC
- Mozilla
- OpenSSL
- racf.co.uk

28 base64
base64 -- Encode/decode file as base64. Call:
    base64 [-e / -d] [options] [infile] [outfile]
Options:
    --copyright        Print copyright information
    -d, --decode       Decode base64 encoded file
    -e, --encode       Encode file into base64
    -n, --noerrcheck   Ignore errors when decoding
    -u, --help         Print this message
    --version          Print version number
by John Walker http://www.fourmilab.ch/

29 CertMgr
- Now part of the Microsoft .NET Framework SDK tools
- Useful both as a GUI and command line tool
- As a GUI it gives a shortcut way to fire up MS Certificate Manager
Command line example that lists certificates for current user:
    certmgr /s my

30 dumpasn1
- Very useful command line tool
- Peter Gutmann - Professional Paranoid
- http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c multi-platform source code
- Works on binary certificate files, namely DER encoded
  DER: Distinguished Encoding Rules for ASN.1, as defined in X.509

31 ikeyman
- Two main versions, one does kdb (aka CMS) and the other does jks
  (Cryptographic Message Standard – RFC 3852)
- kdb - D:\Program Files\ibm\gsk5\bin\gsk5ikm.exe
  sth – associated password stash file
- jks - D:\Program Files\WebSphere\AppServer\bin\ikeyman.bat

32 MMC
- Microsoft Management Console
- Certificates is a standard Snap-In
- Useful for managing certificates in a Windows client, or server
- Enables a local administrator to administer all certificates within the local Windows environment

33 Mozilla
- Netscape or Firefox are particularly useful
- Excellent error reporting in relation to certificates
- They use a dedicated certificate repository, not Windows
- Netscape allows the user to enable the NULL encryption suites
- for example https://mqmanager:1414/ would give the option to display the certificate

34 OpenSSL
- Source - http://www.openssl.org/
- Win32 - http://www.shininglightpro.com/products/Win32OpenSSL.html
- Docs - http://www.mkssoftware.com/docs/man1/openssl.1.asp
- Example command
    openssl s_client -connect mqmanager:1414
- Very, very powerful utility, unable to do it justice on one slide!
- Try using openssl s_server to emulate a server in one window
- And then try openssl s_client to emulate a client in another …

35 racf.co.uk
Beware IRRDBU00 only unloads top level Common Name
- RACF94 List of Certificates by user and label
- RACF95 List of Certificates (unsorted)
- RACF96 List of Key Rings
- RACF97 List of Mappings
- RACF98 List of Certificate Trusts
- RACF99 List of Certificates (sorted by expiry date)
- RACF101 List of Certificates (sorted by month of expiry)

36 Digital Certificates The End.

