Presentation is loading. Please wait.

Presentation is loading. Please wait.

Digital Certificates Principles of operation

Published byVivian Atkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Digital Certificates Principles of operation"— Presentation transcript:

1 Digital Certificates Principles of operation
Nigel Pentland National Australia Group February 2013

2 Nigel Pentland Senior Security Analyst nigel.pentland@eu.nabgroup.com

3 Digital Certificates Types of certificates
Roles of certificates (identity, server, security & authentication) How is a certificate associated with something What are all the fields How are they managed with RACF Problem solving techniques - some scenarios and how to fix them with RACF commands How to set-up for the purpose of encrypting 3270 sessions, SSL sessions Discuss code from racf.co.uk

4 Types of certificates X.509 PKCS7 Cryptographic Message Syntax
PKCS Certification Request Syntax PKCS Cryptographic Token Interface PKCS Personal Information Exchange Syntax

5 Types of certificates Vendor defined classes
VeriSign uses the concept of classes for different types of digital certificates: Class 1 for individuals, intended for . Class 2 for organizations, for which proof of identity is required. Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority. Class 4 for online business transactions between companies. Class 5 for private organizations or governmental security. Other vendors may choose to use different classes or no classes at all as this is not specified in the PKI standards.

6 SSL and TLS certificates http://www.rtfm.com/sslbook/
Types of certificates SSL and TLS certificates

7 Types of certificates Binary DER PFX P12 BER CER P7B Windows OpenSSL
DumpASN1 OpenSSL Base64 encoded PEM CER P7S P7M ASN.1 decoded TXT X.509

8 TÜRK TRUST Topical example which is very much in the news

9 ASN.1 0 1341: SEQUENCE { 4 1061: SEQUENCE { 8 3: [0] { 10 1: INTEGER 2
8 3: [0] { : INTEGER 2 : } : INTEGER 2087 : SEQUENCE { : OBJECT IDENTIFIER sha1withRSAEncryption ( ) : NULL : SEQUENCE { : SET { : SEQUENCE { : OBJECT IDENTIFIER commonName ( ) : UTF8String : 'T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmet' : 'leri' : } : } : SET { : SEQUENCE { : OBJECT IDENTIFIER countryName ( ) : PrintableString 'TR' : SET {

10 Binary

11 Base64 TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4= As this example illustrates, Base64 encoding converts 3 octets into 4 encoded characters.

12 Types of certificates Certificate Authority Server side SSL
HTTP server FTPS server (not SFTP) TN3270 server S/MIME certificate Client certificate Code Signing / Timestamping

13 Roles of certificates (identity, server, security & authentication)
Certificate Authority Sign certificates Sign CRLs / OCSP requests Server side certificates Emphasis on DNS matching Either Common Name (CN) Or Subject Alternative Name (SAN) Client side certificates Typically relies on Trust and Date only

14 How is a certificate associated with something
External packaging: Certificate label Certificate alias Key ring – either by certificate label or default Internal property of certificate: Certificate Serial number Certificate Distinguished Name (DN)

15 What are all the fields Object Identifiers OIDs
OID Repository OIDs Well known OIDs Less well know OIDs Show up as string of numbers…

16 Examples

17 Examples Wildcard certificate Does URL match? Is issuer trusted?
Is it within date?

18 Examples

19 Examples Appears as OID number in Windows XP

20 Examples

21 Examples DumpASN1 output 806 48: SEQUENCE { 808 10: OBJECT IDENTIFIER
: verisignOnsiteJurisdictionHash ( ) : OCTET STRING, encapsulates { : IA5String '57b72cafdc7db03de21761e541d8ba27' : } : } : SEQUENCE { : OBJECT IDENTIFIER : Unknown Verisign VPN extension ( ) : OCTET STRING, encapsulates { : BIT STRING 3 unused bits : '10000'B (bit 4)

22 Examples

23 Examples

24 Examples On the face of it, it looks perfectly normal, Or does it?

25 Examples

26 Examples

27 Examples Certificate issued in error from TÜRK TRUST – interesting example, let’s take a closer look…

28 Examples Distinguished Name (DN) 239 110: SEQUENCE { 241 11: SET {
: OBJECT IDENTIFIER countryName ( ) : PrintableString 'TR' : } : } : SET { : SEQUENCE { : OBJECT IDENTIFIER stateOrProvinceName ( ) : UTF8String 'ANKARA' : SET { : SEQUENCE { : OBJECT IDENTIFIER localityName ( ) : UTF8String 'ANKARA' : SET { : SEQUENCE { : OBJECT IDENTIFIER organizationName ( ) : UTF8String 'EGO' : SET { : SEQUENCE { : OBJECT IDENTIFIER organizationalUnitName ( ) : UTF8String 'EGO BILGI ISLEM' : SET { : SEQUENCE { : OBJECT IDENTIFIER commonName ( ) : UTF8String '*.EGO.GOV.TR' : }

29 Examples keyUsage AIA authority Info Access 717 14: SEQUENCE {
: OBJECT IDENTIFIER keyUsage ( ) : BOOLEAN TRUE : OCTET STRING, encapsulates { : BIT STRING 1 unused bit : ' 'B : } : } : SEQUENCE { : OBJECT IDENTIFIER authorityInfoAccess ( ) : OCTET STRING, encapsulates { : SEQUENCE { : SEQUENCE { : OBJECT IDENTIFIER caIssuers ( ) : [6] : ' : 'ST_Elektronik_Sunucu_Sertifikasi_Hizmetleri_s2.c' : 'rt' : } : SEQUENCE { : OBJECT IDENTIFIER ocsp ( ) : [6] ' : } : } : } AIA authority Info Access

30 Examples Oops – looks like someone else has also noticed it can be used as a Certificate Authority and used to issue trusted certificates…

31 Examples

32 Examples It's worth mentioning that when the certificate has a subject alternative domain name specified, as in this example, the browser doesn't check the Subject's Common Name. X

33 subjectAltName DNS Name=*.google.com DNS Name=*.google.it
DNS Name=*.android.com DNS Name=*.appengine.google.com DNS Name=*.cloud.google.com DNS Name=*.google-analytics.com DNS Name=*.google.ca DNS Name=*.google.cl DNS Name=*.google.co.in DNS Name=*.google.co.jp DNS Name=*.google.co.uk DNS Name=*.google.com.ar DNS Name=*.google.com.au DNS Name=*.google.com.br DNS Name=*.google.com.co DNS Name=*.google.com.mx DNS Name=*.google.com.tr DNS Name=*.google.com.vn DNS Name=*.google.de DNS Name=*.google.es DNS Name=*.google.fr DNS Name=*.google.hu DNS Name=*.google.it DNS Name=*.google.nl DNS Name=*.google.pl DNS Name=*.google.pt DNS Name=*.googleapis.cn DNS Name=*.googlecommerce.com DNS Name=*.gstatic.com DNS Name=*.urchin.com DNS Name=*.url.google.com DNS Name=*.youtube-nocookie.com DNS Name=*.youtube.com DNS Name=*.ytimg.com DNS Name=android.com DNS Name=g.co DNS Name=goo.gl DNS Name=google-analytics.com DNS Name=google.com DNS Name=googlecommerce.com DNS Name=urchin.com DNS Name=youtu.be DNS Name=youtube.com

34 Examples Class 3 EV SGC

35 Examples

36 Examples

37 Examples Really useful online certificate tools

38 Examples

39 How are they managed with RACF
RACDCERT commands ADD GENREQ GENCERT LIST EXPORT DELETE CONNECT tricky syntax ! ADDRING LISTRING DELRING SETROPTS REFRESH RACLIST(DIGTCERT,DIGTRING) Certificate commands Keyring commands

40 How are they managed with RACF
RLIST DIGTCERT * RLIST DIGTRING * SR CLASS(DIGTCERT) SR CLASS(DIGTRING) RACDCERT ID(USER) LIST RACDCERT CERTAUTH LIST Limited use as cannot be ‘filtered’

41 Problem solving techniques
Make sure keyring looks correct ! OpenSSL – especially for Server side SSL (online OpenSSL) Firefox – why and how Notepad++

42 OpenSSL Sample commands:
openssl.exe s_client -connect host:1414 -CAfile mq-roots.cer -state -verify 1 -tls1 -cipher NULL openssl.exe s_client -connect host:1414 -CAfile mq-roots.cer -state -verify 1 -ssl3 -cipher NULL openssl.exe s_client -connect host:1414 -CAfile mq-roots.cer -state -verify 1 -tls1 SSL-Session: Protocol : TLSv1 Cipher : NULL-SHA Protocol : SSLv3 Cipher : RC4-SHA

43 Firefox

44 Firefox

45 Significance of NULL SSL v3.0 cipher suites
SSL_RSA_WITH_NULL_MD NULL-MD5 SSL_RSA_WITH_NULL_SHA NULL-SHA _________________________________________________________ SSL_RSA_EXPORT_WITH_RC4_40_MD EXP-RC4-MD5 SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA SSL_RSA_WITH_RC4_128_MD RC4-MD5 SSL_RSA_WITH_RC4_128_SHA RC4-SHA SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA

46 How to set-up for the purpose of encrypting 3270 sessions, SSL sessions
First thing, make sure you know what it should look like when done READY RACDCERT ID(TCPIP) LISTRING(TNRING) Digital ring information for user TCPIP: Ring: >TNRING< Certificate Label Name Cert Owner USAGE DEFAULT ROOT CERTAUTH CERTAUTH NO TN ID(TCPIP) PERSONAL YES

47 How to set-up for the purpose of encrypting 3270 sessions, SSL sessions
Generate new certificate /* RACDCERT ID(TCPIP) + GENCERT + SUBJECTSDN(CN('common.name') + OU('Organisational Unit') + O('Organisation') + L('Location') + SP('State Province') + C('Country')) + SIZE(2048) + NOTBEFORE(DATE( )) + NOTAFTER(DATE( )) + WITHLABEL('TN3270') + SIGNWITH(CERTAUTH LABEL('ROOT')) + KEYUSAGE(HANDSHAKE,DATAENCRYPT) + + URI(' + DOMAIN('common.name') + IP( )) Max length = 64 Max length = 32

48 How to set-up for the purpose of encrypting 3270 sessions, SSL sessions
CONNECT example /* RACDCERT + ID(TCPIP) + CONNECT(ID(TCPIP) + LABEL('TN3270') + RING(TNRING) + DEFAULT + USAGE(PERSONAL)) SETROPTS REFRESH RACLIST(DIGTCERT,DIGTRING) RACDCERT ID(TCPIP) LIST(LABEL('TN3270')) RACDCERT ID(TCPIP) LISTRING(TNRING) Ring owner Certificate owner

49 How to set-up for the purpose of encrypting 3270 sessions, SSL sessions
/* RACDCERT ID(TCPIP) + ADD('HLQ.TCPIP.NEW') + TRUST + WITHLABEL('TN3270') + PASSWORD('********') _________________________________________________________________________ READY RACDCERT ID(USERID) ADD('HLQ.CERT') WITHLABEL('test import') IRRD103I An error was encountered processing the specified input data set. ADD gotchas - input dataset must be allocated as VB in order to avoid Base64 specification always has maximum line length. If file has come from a Unix system and only has LF instead of CR/LF then RACF will fail to process the data as max line length will have been exceeded.

50 More gotchas If ‘withlabel’ parameter is omitted from RACDCERT command, it defaults to: LABEL LABEL etc. Certificates are ‘owned’ by ID – deleting the owning ID automatically deletes ALL certificates owned by that ID !

51 SMPE Example

52 SMPE Example READY RACDCERT ID(******) LISTRING(SMPERING) Digital ring information for user ******: Ring: >SMPERING< Certificate Label Name Cert Owner USAGE DEFAULT Equifax Secure CA CERTAUTH CERTAUTH NO SMPE CLIENT CERT ID(******) CERTAUTH NO

53 Discuss code from racf.co.uk
RACF119 List every certificate in RACF RACF133 Export every certificate in RACF RACF109 Search for certificates in RACF RACF109 is a search engine like search which searches serial number, common name* certificate owner and certificate label. * Remember RACF unload uses CN of issuer, not the actual CN of the certificate!

54 Tools Portecle http://portecle.sourceforge.net/
Base64 Certmgr.msc Microsoft Windows DumpASN1 Firefox Notepad++ OpenSSL Portecle RACF PC Utilities

55

56 Digital Certificates Principles of operation
Nigel Pentland National Australia Group

Download ppt "Digital Certificates Principles of operation"

Similar presentations

CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.

CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.
CP3397 ECommerce.

CP3397 ECommerce.
SSL Implementation Guide Onno W. Purbo

SSL Implementation Guide Onno W. Purbo
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS 4362 - CIS 5357 Network Security.

1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS CIS 5357 Network Security.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
Digital Certificates – GSE 2007 Nigel Pentland. Let’s consider a Server certificate What are we trying to achieve? How will we generate the certificates?

Digital Certificates – GSE 2007 Nigel Pentland. Let’s consider a Server certificate What are we trying to achieve? How will we generate the certificates?
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)

6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Similar presentations

Ads by Google