CERTIFICATES

What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure business and personal transactions across communication networks.

How do they secure the data? Authentication Integrity Encryption Token verification

Certification Authority(CA) Trusted entity which issue and manage certificates for a population of public-private key-pair holders. A digital certificate is issued by a CA and is signed with CA’s private key.

X.509 Version 3 Digital Certificate

Types of Certificates Root or Authority certificates These are self signed by the CA that created them Institutional authority certificates Also called as “campus certificates” Client certificates These are also known as end-entity certificates,identity certificates,or personal certificates. Web server certificates used for secure communications to and from Web servers

Getting a Certificate Create an encryption Private and Public key pair. Create a Certificate Request based on your key. Send all the required details Like Server,company,Location, state,country and also the documents proving your identity. Send the certificate request to your choice of CA. CA confirms the accuracy of the information submitted. The certificate is signed by a device that holds the private key of the CA. The certificate is sent to the subscriber and also a copy of it may be submitted to the certificate repository, such as a directory service for publication.

Distribution of Certificates Systems and channels that are not necessarily protected by confidentiality,authentication and integrity. The certificate is self-protecting: The CA’s digital signature inside the certificate provides both authentication and integrity protection. Distribution via Directory Services: Lightweight Directory Access Protocol (LDAP). This is nothing more than access protocol used to retrieve the certificate for recipient.

X.509 Certificate Format Version: Indicator of version 1,2 or 3. Serial number: Unique identifying number for this certificate. Signature:Algorithm identifier of the digital signature algorithm. Issuer: X.500 name of the issuing CA. Validity:Start and expiration dates and times of the certificate. Subject:X.500 name of the holder of the private key(subscriber). Subject public-key information:The value of the public-key for the subject together with an identifier of the algorithm with which this public-key to be used. Issuer unique identifier: An optional bit string used to make the issuing certification authority name unambiguous. Subject unique identifier: An optional bit string used to make the subject name unambiguous.

X.509 Certificate Format Extensions: Used for incorporating any number of additional fields into the certificate. Extension Type: contains an object identifier value i.e. governs the basic data type (text string,date….etc). Criticality indicator: Simple flag that indicates whether an occurrence of an extension is critical or non-critical. The purpose of this is to accommodate environments in which different system implementations recognize different sets of extensions.

X.509 Certificate Format Standard Certificate Extensions. Key Information: These are used to allow the administrators to limit the purpose for which certificates and certified keys can be used. Like CRL-signing,certificate signing …..etc. Policy Information: convey certificate policy i.e. use of these extensions which relate to the CA’s practices. Subject and Issuer attributes:Support alternative names for certificate subjects and issuers. Certification path constraints: Help different domains link their infrastructures together. Extensions related to CRL’s

Certificate Revocation Canceling a certificate before than its originally scheduled validity period. Certificate Revocation Lists (CRL) A CRL is a time-stamped list of revoked certificates that has been digitally signed by a CA and made available to certificate users. Each revoked certificate is identified in a CRL by its certificate serial number – generated by the issuing CA.

X.509 Certificate Revocation List

X.509 CRL Format Version: Indicator of version 1 or 2 format Signature: Indicator of the algorithm used in signing this CRL Issuer:Name of the authority that issued this CRL This update: Date and time of issue of this CRL Next update: Date and time of issue of next CRL (optional) Certificate Serial Number: Serial number of a revoked or suspended certificate. Revocation date: Effective date of revocation or suspension of a particular certificate. CRL entry extensions: Additional fields CRL extensions: Additional fields that must be attached to the full CRL.

X.509 CRL Formats Extensions and Entry-Level Extensions General Extensions:: Like CRL number – incrementing number for each CRL issued in sequence covering the same certificate population. Invalidity date:: This is CRL entry extension field indicates a date when it is known or suspected that a private key was compromised. CRL Distribution Point :: Identifies the point or points that distribute CRL’s on which a revocation notification for this certificate would appear if this certificate were to be revoked. Delta-CRL’s: It is a digitally signed list of the changes that occurred since the issuance of the prior base CRL.

X.509 CRL Format of Extensions Indirect CRL’s : Allows a CRL to be issued by a different authority from the one that issued the certificate. Certificate Suspension: An item may be held on a CRL rather than revoked. It can be specified in the entry-level extensions as “certificate hold”. Status Referrals: It is a signed,time stamped list of CRL’s and their respective CRL scopes that a certification authority currently uses.

Distributing CRL’s  Issuing CRLs regularly such as hourly,daily or weekly…. Decision of CA. Can be distributed easily using the communications and server systems which do not need much security – as these are digitally signed.  Limitation: Time granularity of revocation is limited to the CRL issue period.  Online Status Checking: uses OCSP ( Online Certificate Status Protocol). The responder is the CA or the authorized person by the CA. The OCSP response is digitally signed, contains the identifier of the responder, time of response, status.  Limitation: Very expensive.

Using Pre-existing certificates (Verisign) IF the IP address or Domain name is changed – then the certificate needs to be changed. If you are changing your Server Software – because verisign issues the certificates considering the server software and IP address / domain name configuration.

It is a check for a digital certificate. Its checks 3 things for each certificate back to its path. 1)Check each certificate is within its validity period. 2)Check each certificate’s signature is correct. 3)Check each certificate has not been revoked. Each certificate has a path back to a root certificate. For each certificate in the path:

What trust models does PGP support? Direct trust (peer to peer) Hierarchical trust (central signing authority, sub-authorities) PGP supports 3 levels of signing authorities, without many of the limitations other cert formats have Similar to x.509 trust model Web of Trust useful between divisions of different companies collaboration/competition

Key Recovery Encrypted Key Encrypt Decrypt with Key Recovery Private Key Key Recovery Keys Public Keys Encrypted Passphrase Key and Passphrase place A very safe

How does PGP provide data recovery? Additional Decryption Key technology Not key recovery; user holds their own private key at all times Each session key used to encrypt a message is encrypted to the recipient’s public key, and also to an ADK (pub key) Holder of the ADK can decrypt any information encrypted to the ADK Enforced on the client and on the mail server (PMA) ADKs can be split and shared among upper management

Additional Decryption Keys (ADKs) Incoming vs. Outgoing Diffie-Hellman only Enforcement Splitting the ADKs Multiple ADKs Departmental level ADKs