Presentation is loading. Please wait.

Presentation is loading. Please wait.

CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.

Published byVirginia Caldwell Modified over 8 years ago

Similar presentations

Presentation on theme: "CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure."— Presentation transcript:

1 CERTIFICATES

2 What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure business and personal transactions across communication networks.

3 How do they secure the data? Authentication Integrity Encryption Token verification

4 Certification Authority(CA) Trusted entity which issue and manage certificates for a population of public-private key-pair holders. A digital certificate is issued by a CA and is signed with CA’s private key.

5 X.509 Version 3 Digital Certificate

6 Types of Certificates Root or Authority certificates These are self signed by the CA that created them Institutional authority certificates Also called as “campus certificates” Client certificates These are also known as end-entity certificates,identity certificates,or personal certificates. Web server certificates used for secure communications to and from Web servers

7 Getting a Certificate Create an encryption Private and Public key pair. Create a Certificate Request based on your key. Send all the required details Like Server,company,Location, state,country and also the documents proving your identity. Send the certificate request to your choice of CA. CA confirms the accuracy of the information submitted. The certificate is signed by a device that holds the private key of the CA. The certificate is sent to the subscriber and also a copy of it may be submitted to the certificate repository, such as a directory service for publication.

8 Distribution of Certificates Systems and channels that are not necessarily protected by confidentiality,authentication and integrity. The certificate is self-protecting: The CA’s digital signature inside the certificate provides both authentication and integrity protection. Distribution via Directory Services: Lightweight Directory Access Protocol (LDAP). This is nothing more than access protocol used to retrieve the certificate for recipient.

9 X.509 Certificate Format Version: Indicator of version 1,2 or 3. Serial number: Unique identifying number for this certificate. Signature:Algorithm identifier of the digital signature algorithm. Issuer: X.500 name of the issuing CA. Validity:Start and expiration dates and times of the certificate. Subject:X.500 name of the holder of the private key(subscriber). Subject public-key information:The value of the public-key for the subject together with an identifier of the algorithm with which this public-key to be used. Issuer unique identifier: An optional bit string used to make the issuing certification authority name unambiguous. Subject unique identifier: An optional bit string used to make the subject name unambiguous.

10 X.509 Certificate Format Extensions: Used for incorporating any number of additional fields into the certificate. Extension Type: contains an object identifier value i.e. governs the basic data type (text string,date….etc). Criticality indicator: Simple flag that indicates whether an occurrence of an extension is critical or non-critical. The purpose of this is to accommodate environments in which different system implementations recognize different sets of extensions.

11 X.509 Certificate Format Standard Certificate Extensions. Key Information: These are used to allow the administrators to limit the purpose for which certificates and certified keys can be used. Like CRL-signing,certificate signing …..etc. Policy Information: convey certificate policy i.e. use of these extensions which relate to the CA’s practices. Subject and Issuer attributes:Support alternative names for certificate subjects and issuers. Certification path constraints: Help different domains link their infrastructures together. Extensions related to CRL’s

12 Certificate Revocation Canceling a certificate before than its originally scheduled validity period. Certificate Revocation Lists (CRL) A CRL is a time-stamped list of revoked certificates that has been digitally signed by a CA and made available to certificate users. Each revoked certificate is identified in a CRL by its certificate serial number – generated by the issuing CA.

13 X.509 Certificate Revocation List

14 X.509 CRL Format Version: Indicator of version 1 or 2 format Signature: Indicator of the algorithm used in signing this CRL Issuer:Name of the authority that issued this CRL This update: Date and time of issue of this CRL Next update: Date and time of issue of next CRL (optional) Certificate Serial Number: Serial number of a revoked or suspended certificate. Revocation date: Effective date of revocation or suspension of a particular certificate. CRL entry extensions: Additional fields CRL extensions: Additional fields that must be attached to the full CRL.

15 X.509 CRL Formats Extensions and Entry-Level Extensions General Extensions:: Like CRL number – incrementing number for each CRL issued in sequence covering the same certificate population. Invalidity date:: This is CRL entry extension field indicates a date when it is known or suspected that a private key was compromised. CRL Distribution Point :: Identifies the point or points that distribute CRL’s on which a revocation notification for this certificate would appear if this certificate were to be revoked. Delta-CRL’s: It is a digitally signed list of the changes that occurred since the issuance of the prior base CRL.

16 X.509 CRL Format of Extensions Indirect CRL’s : Allows a CRL to be issued by a different authority from the one that issued the certificate. Certificate Suspension: An item may be held on a CRL rather than revoked. It can be specified in the entry-level extensions as “certificate hold”. Status Referrals: It is a signed,time stamped list of CRL’s and their respective CRL scopes that a certification authority currently uses.

17 Distributing CRL’s  Issuing CRLs regularly such as hourly,daily or weekly…. Decision of CA. Can be distributed easily using the communications and server systems which do not need much security – as these are digitally signed.  Limitation: Time granularity of revocation is limited to the CRL issue period.  Online Status Checking: uses OCSP ( Online Certificate Status Protocol). The responder is the CA or the authorized person by the CA. The OCSP response is digitally signed, contains the identifier of the responder, time of response, status.  Limitation: Very expensive.

18 Using Pre-existing certificates (Verisign) IF the IP address or Domain name is changed – then the certificate needs to be changed. If you are changing your Server Software – because verisign issues the certificates considering the server software and IP address / domain name configuration.

19 It is a check for a digital certificate. Its checks 3 things for each certificate back to its path. 1)Check each certificate is within its validity period. 2)Check each certificate’s signature is correct. 3)Check each certificate has not been revoked. Each certificate has a path back to a root certificate. For each certificate in the path:

20 What trust models does PGP support? Direct trust (peer to peer) Hierarchical trust (central signing authority, sub-authorities) PGP supports 3 levels of signing authorities, without many of the limitations other cert formats have Similar to x.509 trust model Web of Trust useful between divisions of different companies collaboration/competition

21 Key Recovery Encrypted Key Encrypt Decrypt with Key Recovery Private Key Key Recovery Keys Public Keys Encrypted Passphrase Key and Passphrase place A very safe

22 How does PGP provide data recovery? Additional Decryption Key technology Not key recovery; user holds their own private key at all times Each session key used to encrypt a message is encrypted to the recipient’s public key, and also to an ADK (pub key) Holder of the ADK can decrypt any information encrypted to the ADK Enforced on the client and on the mail server (PMA) ADKs can be split and shared among upper management

23 Additional Decryption Keys (ADKs) Incoming vs. Outgoing Diffie-Hellman only Enforcement Splitting the ADKs Multiple ADKs Departmental level ADKs

Download ppt "CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure."

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.

Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
SMUCSE 5349/7349 Public-Key Infrastructure (PKI).

SMUCSE 5349/7349 Public-Key Infrastructure (PKI).
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

Similar presentations

Ads by Google