Certificates, Keys, Web Browsers, and Security - Sumanth Gelle
Contents: Keys Symmetric Encryption Asymmetric Encryption Hybrid Encryption Certificate What does Certificate contain Authentication with certificate How to set up SSL on a web server Certificate Revocation Lists Browser Internet Explorer
What Does Cryptography Solve? Confidentiality Ensure that nobody can get knowledge of what you transfer even if listening the whole conversation Integrity Ensure that message has not been modified during the transmission Authenticity You can verify that you are talking to the entity you think you are talking to
Confidentiality--- Encryption is the answer Integrity--- Hashing is the answer Authentication--- Digital Certificate is the answer Cryptography is key management
Keys Symmetric Keys “An intro to PKI and few deploy hints” “AxCvGsmWe#4^, sdgfMwir3:dkJeTs “An intro to PKI and few deploy hints” Clear-text input Clear-text output Cipher-text Same key (shared secret) EncryptionDecryption DE S
Symmetric Encryption Symmetric algorithms require the creation of a key and an initialization vector (IV) that must be kept secret from anyone who should not decrypt your data. TripleDESCryptoServiceProvider TDES = new TripleDESCryptoServiceProvider(); TDES.GenerateIV(); TDES.GenerateKey(); When the previous code is executed, a key and IV are generated when the new instance of TripleDESCryptoServiceProvider is made. Another key and IV are created when the GenerateKey and GenerateIV methods are called.
Asymmetric Encryption Asymmetric algorithms require the creation of a public key and a private key. The public key can be made public to anyone, while the private key must known only by the party who will decrypt the data encrypted with the public key. //Generate a public/private key pair. RSACryptoServiceProvider RSA = new RSACryptoServiceProvider(); //Save the public key information to an RSAParameters structure. RSAParameters RSAKeyInfo =RSA.ExportParameters(false);
Assymetric Encryption Continued… To create an asymmetric key and save it in a key container Create a new instance of a CspParameters class and pass the name that you want to call the key container to the CspParameters.KeyContainerName field.CspParametersCspParameters.KeyContainerName Create a new instance of a class that derives from the AsymmetricAlgorithm class (usually RSACryptoServiceProvider or DSACryptoServiceProvider) and pass the previously created CspParameters object to its constructor.AsymmetricAlgorithm To delete a key from a key container Create a new instance of a CspParameters class and pass the name that you want to call the key container to the CspParameters.KeyContainerName field. Create a new instance of a class that derives from the AsymmetricAlgorithm class (usually RSACryptoServiceProvider or DSACryptoServiceProvider) and pass the previously created CspParameters object to its constructor. Set the PersistKeyInCSP property of the class that derives from AsymmetricAlgorithm to false (False in Visual Basic). Call the Clear method of the class that derives from AsymmetricAlgorithm. This method releases all resources of the class and clears the key container.
Example: SSL Priv pub Priv pub Clear text Encrypt Cipher 1 Encrypt Cipher 2 Transmission over the public network Cipher 2Cipher 1 Decrypt Clear text Decrypt pub Ensures confidentiality And integrity if digitally signed depending on how public key are exchanged Authenticity, Identity, Non-repudiation pub
Real World: Hybrid Encryption (typical for encrypted file storage) Clear-textmessage Randomly-Generated symmetric “session” key SymmetricallyEncryptedmessage SymmetricEncryption Digital Envelope Recipient’s public key AsymmetricEncryption of session key Repeat as necessary Digital Envelope Public key of other recipient or recovery agent AsymmetricEncryption of session key ENCRYPTEDDOCUMENT
Real World: Hybrid Decryption SymmetricallyEncryptedmessage Clear-textmessage SymmetricDecryption Digital Envelope ENCRYPTEDDOCUMENT Asymmetricdecryption of session key Private key of the recipient Take the appropriate digital envelope containing the “session” key encrypted using recipient’s public key “session” key is decrypted using the recipient private key UNENCRYPTEDDOCUMENT
PKI (Public Key Infrastructure) Public Key Infrastructure provides the technologies that enable practical distribution of public keys” Using CERTIFICATES
Certificates
What does Certificate contain? Owner's public key Owner's name or alias Expiration date of the certificate Serial number of the certificate Name of the organization that issued the certificate Digital signature of the organization that issued the certificate
Authentication with Certificates Owning a Certificate of Gianni does not mean that you are Gianni Owning a Certificate does not imply you are authenticated How would you verify that the person who comes to you pretending to be Gianni and showing you a certificate of Gianni is really Gianni ? You have to challenge him ! Only the real Gianni has the private key that goes in pair with the public key in the certificate.
Authentication with Certificates Denise gets Gianni’s certificate She verifies its digital signature She can trust that the public key really belongs to Gianni But is it Gianni standing if front of her, or is that Michel ? Denise challenges Gianni to encrypt for her a random phrase she generated (“I like green tables with flowers”) Gianni has (if he is the real Gianni) the private key that matches the certificate, so he responds Denise decrypts this with the public key she has in the certificate (which she trusts) and if it matches the phrase she just generated for the challenge then it must really be Gianni himself !
How to Set Up SSL on a Web Server Step1. Generate a Certificate Request Step 2. Submit a Certificate Request Step 3. Issue the Certificate Step 4. Install the Certificate on the Web server Step 5. Configure Resources to Require SSL Access
Step 1. Generate a Certificate Request Start the IIS Microsoft Management Console (MMC) snap- in. Expand your Web server name and select the Web site for which you want to install a certificate. Right-click the Web site, and then click Properties. Click the Directory Security tab. Click the Server Certificate button within Secure communications to launch the Web Server Certificate Wizard. Note If Server Certificate is unavailable, you probably selected a virtual directory, directory, or file. Go back to Step 2 and select a Web site.
Step2. Submit a Certificate Request Use Notepad to open the certificate file generated in the previous procedure and copy its entire contents to the clipboard. Start Internet Explorer and navigate to hostname/CertSrv, where hostname is the name of the computer running Microsoft Certificate Services. Click Request a Certificate, and then click Next. On the Choose Request Type page, click Advanced request, and then click Next. On the Advanced Certificate Requests page, click Submit a certificate request using a base64 encoded PKCS#10 file, and then click Next. On the Submit a Saved Request page, click in the Base64 Encoded Certificate Request (PKCS #10 or #7) text box and press CTRL+V to paste the certificate request you copied to the clipboard earlier. In the Certificate Template combo box, click Web Server. Click Submit. Close Internet Explorer.
Step3. Issue the Certificate Start the Certification Authority tool from the Administrative Tools program group. Expand your certificate authority, and then select the Pending Requests folder. Select the certificate request you just submitted. On the Action menu, point to All Tasks, and then click Issue. Confirm that the certificate is displayed in the Issued Certificates folder, and then double-click it to view it. On the Details tab, click Copy to File, and save the certificate as a Base-64 encoded X.509 certificate. Close the properties window for the certificate. Close the Certificate Authority tool.
Step4. Install the Certificate on the Web Server Start Internet Information Services, if it's not already running. Expand your server name and select the Web site for which you want to install a certificate. Right-click the Web site, and then click Properties. Click the Directory Security tab. Click Server Certificate to launch the Web Server Certificate Wizard. Click Process the pending request and install the certificate, and then click Next. Enter the path and file name of the file that contains the response from the CA, and then click Next. Examine the certificate overview, click Next, and then click Finish. A certificate is now installed on the Web server.
Step5. Configure Resources to Require SSL Access Start Internet Information Services, if it's not already running. Expand your server name and Web site. (This must be a Web site that has an installed certificate.) Right-click a virtual directory, and then click Properties. Click the Directory Security tab. Under Secure communications, click Edit. Click Require secure channel (SSL). Client's browsing to this virtual directory must now use HTTPS. Click OK, and then click OK again to close the Properties dialog box. Close Internet Information Services.
How to Set Up Client Certificates Step 1. Create a Simple Web Application Step 2. Configure the Web Application to Require Client Certificates Step 3. Request and Install a Client Certificate Step 4. Verify Client Certificate Operation
Certificate Stores Certificates are stored in safe locations called a certificate stores. A certificate store can contain certificates, CRLs, and Certificate Trust Lists (CTLs). Each user has a personal store (called the "MY store") where that user's certificates are stored. The MY store can be physically implemented in a number of locations including the registry, on a local or remote computer, a disk file, a data base, a directory service, a smart device, or another location. While any certificate can be stored in the MY store, this store should be reserved for a user's personal certificates, that is the certificates used for signing and decrypting that particular user's messages. In addition to the MY store, Windows also maintains the following certificate stores: CA and ROOT. This store contains the certificates of certificate authorities that the user trusts to issue certificates to others. A set of trusted CA certificates are supplied with the operating system and others can be added by administrators. Other. This store contains the certificates of other people to whom the user exchanges signed messages. The CryptoAPI provides functions to manage certificates. These APIs can be accessed only through unmanaged code. Also, CAPICOM is a COM- based API for the CryptoAPI, which can be accessed via COM Interop.
Certificates Revocation List X.509 certificates and many other certificates have a valid time duration. A certificate can expire and no longer be valid. A CA can revoke a certificate for a number of reasons. To handle revocations, a CA maintains and distributes a list of revoked certificates called a Certificate Revocation List (CRL). Network users access the CRL to determine the validity of a certificate.
Certmgr.exe Makecert.exe The Certificate Creation tool generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.
Internet Explorer (IE) Integrated Windows Authentication. To enable this authentication method, in the Internet Options dialog box, click the Advanced tab, and then select the Enable Integrated Windows Authentication check box. Server Certificate Revocation. Internet Explorer 6 includes support for server certificate revocation, which verifies that an issuing CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions are present. If the URL for the revocation information is unresponsive, Internet Explorer cancels the connection. To enable server certificate revocation, in the Internet Options dialog box, click the Advanced tab, and then select the Check for server certificate revocation check box.
Installing and Removing Trusted Certificates On the Tools menu, click Internet Options, and then click the Content tab. Click Certificates. Click one of the following tabbed categories for the type of certificates you want to install or remove: Personal. Certificates in the Personal category have an associated private key. Information signed by using personal certificates is identified by the user's private key data. By default, Internet Explorer places all certificates that will identify the user (with a private key) in the Personal category. Other People. Certificates in the Other People category use public key cryptography to authenticate identity, based on a matching private key that is used to sign the information. By default, this category includes all certificates that are not in the Personal category (the user does not have a private key) and are not from CAs. Intermediate Certification Authorities. This category contains all certificates for CAs that are not root certificates. Trusted Root Certification Authorities. This category includes only self-signed certificates in the root store. When a CA's root certificate is listed in this category, you are trusting content from sites, people, and publishers with credentials issued by the CA. Trusted Publishers. This category contains only certificates from trusted publishers whose content can be downloaded without user intervention, unless downloading active content is disabled in the settings for a specific security zone. Downloading active content is not enabled by default. For each available security zone, users can choose an appropriate set of ActiveX security preferences
4.In the Intended Purpose box, select the filter for the types of certificates that you want to be displayed in the list. 5.Work with particular certificates through one of the following methods: To add other certificates to the list, click Import. The Certificate Manager Import Wizard steps you through the process of adding a certificate. To export certificates from the list, click Export. The Certificate Manager Export Wizard steps you through the process of exporting a certificate. To specify the default drag-and-drop export file format (when the user drags a certificate from the Certificate Manager and drops it into a folder), click Advanced.
To delete an existing certificate from the list of trusted certificates, click Remove. To display the properties for a selected certificate, including the issuer of the certificate and its valid dates, click View.
Adding Trusted Publishers To designate a trusted publisher for Internet Explorer, use the Security Warning dialog box that appears when you attempt to download software from that publisher. To add a trusted publisher 1.Use Internet Explorer to download signed active content from the publisher. 2.When the Security Warning dialog box appears, select the Always trust content from trusted publisher check box
To download the software and control and add the publisher to the list of trusted publishers, click Yes.
Configuring Advanced Security Options for Certificate and Authentication Features You can easily configure options for certificate and authentication features that your users might need. To configure advanced security options for certificates 1.On the Tools menu, click Internet Options, and then click the Advanced tab. 2.In the Security area, review the selected options. 3.Depending on the needs of your organization and its users, select or clear the appropriate check boxes. For example, to enable SSL 3.0, select the Use SSL 3.0 check box.
References techmeet/TechMeeting/ /PKI- Intro.ppt#338%2c1%2cA-to-Z techmeet/TechMeeting/ /PKI- Intro.ppt#338%2c1%2cA-to-Z techmeet/TechMeeting/ / PKI-Intro- Hepix.ppt#394%2c11%2cExample techmeet/TechMeeting/ / PKI-Intro- Hepix.ppt#394%2c11%2cExample /part2/c06ie6rk.mspx?mfr=true /part2/c06ie6rk.mspx?mfr=true SSLandTLSCertsForUserAuthentication/NZNOG-client- certs.ppt#294%2c5%2cWhy SSLandTLSCertsForUserAuthentication/NZNOG-client- certs.ppt#294%2c5%2cWhy