12 SSL Certificates and PKI
Introduction to SSL/TLS
Cryptographic protocols designed to provide communication security over a network.
Requirements:
● Confidentiality
● Integrity
● Authentication
● Non-repudiation
SSL/TLS Handshake
● The browser sends a ‘Client Hello’ message to the server with a list of its supported cipher suites, key exchange methods and hashing algorithms
Demo in Wireshark
Key Management Life Cycle
● Key generation
○ Create a key of the required strength using the proper cipher.
● Certificate generation
○ Allocate a key to the user.
● Distribution
○ Make the key available to the user.
● Storage
○ Secure storage and protection against unauthorized use.
● Revocation
○ Manage keys that have been compromised.
● Expiration
○ Certificates have a specific lifetime.
● PKI: the policies, procedures, hardware, software and people needed to
○ create, distribute, manage, revoke and store digital signatures
Requirement
● Must be widely known and trusted
Certificate Issuance
● Some small system implementations host the CA, RA (Registration Authority) and VA (Validation Authority) on the same server, but typically they are distributed across different servers.
Root CA
● Also called a trusted root
● Center of the trust model for SSL/TLS
● Every browser has a root store (some trust a third party's store)
● The root certificate is invaluable (any certificate signed with its private key will be trusted by all)
● Trusted roots belong to a CA (the CA validates and issues SSL certificates)
● CAs do not issue server certificates (end-user SSL certificates) directly off their roots.
● A Root CA is a Certificate Authority that owns one or more trusted intermediate CAs.
○ They have roots in the trust stores of the major browsers.
Controller of Certifying Authorities
http://www.cca.gov.in/cca/
● The Controller is the root certifying authority responsible for regulating Certifying Authorities (CAs)
Certificate Chain
Top Root CAs (2018)
Certificate Architecture
Structure of an X.509 v3 digital certificate:
■ Version Number
■ Serial Number
■ Signature Algorithm ID
■ Issuer Name
■ Validity period
● Not Before
● Not After
■ Subject name
■ Subject Public Key Info
● Public Key Algorithm
● Subject Public Key
■ Issuer Unique Identifier (optional)
■ Subject Unique Identifier (optional)
■ Extensions (optional)
● …
■ Certificate Signature Algorithm
■ Certificate Signature
Certificate Architecture
1. End Entity Certificate
2. Intermediate Certificate
3. Root Certificate
End Entity Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
        Validity
            Not Before: Nov 21 08:00:00 2016 GMT
            Not After : Nov 22 07:59:59 2017 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    00:c9:22:69:31:8a:d6:6c:ea:da:c3:7f:2c:ac:a5:
                    af:c0:02:ea:81:cb:65:b9:fd:0c:6d:46:5b:c9:1e:
                    9d:3b:ef
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Agreement
            Authority Information Access:
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt
                OCSP - URI:http://ocsp2.globalsign.com/gsorganizationvalsha2g2
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.4146.1.20
                  CPS: https://www.globalsign.com/repository/
                Policy: 2.23.140.1.2.2
            X509v3 Basic Constraints:
Intermediate Certificate
Belongs to a Certificate Authority
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:00:00:00:00:01:44:4e:f0:42:47
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
        Validity
            Not Before: Feb 20 10:00:00 2014 GMT
            Not After : Feb 20 10:00:00 2024 GMT
        Subject: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c7:0e:6c:3f:23:93:7f:cc:70:a5:9d:20:c3:0e:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C
            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: https://www.globalsign.com/repository/
                Full Name:
                  URI:http://crl.globalsign.net/root.crl
                keyid:60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
Root Certificate
Self Signed
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:00:00:00:00:01:15:4b:5a:c3:94
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
        Validity
            Not Before: Sep 1 12:00:00 1998 GMT
            Not After : Jan 28 12:00:00 2028 GMT
        Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
    Signature Algorithm: sha1WithRSAEncryption
         d6:73:e7:7c:4f:76:d0:8d:bf:ec:ba:a2:be:34:c5:28:32:b5:
         ...
Its issuer and subject fields are the same, and its signature can be validated with its own public key. Validation of the trust chain has to end here.
The client will authenticate the server certificate
it receives by doing the following:
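As an added example (not from the slides), the script below builds the same three-tier chain with OpenSSL, a self-signed root, an intermediate with pathlen:0 and an end-entity certificate, and then checks it the way a client would: the leaf's issuer must be the intermediate's subject, the intermediate's issuer must be the root's subject, and the root must be self-signed; it also shows that a leaf presented without its intermediate cannot be validated. All names and files are constructed.

```shell
# Added example, not from the slides: build the three-tier chain the slides show
# (self-signed root -> intermediate with pathlen:0 -> end-entity) with OpenSSL,
# then check it the way a client does. All names are constructed.
set -e
WORK=$(mktemp -d)

# sign_cert NAME SUBJECT EXTFILE [ISSUER]; with no ISSUER the cert is self-signed
sign_cert() {
  name=$1; subj=$2; ext=$3; issuer=$4
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "$subj" 2>/dev/null
  if [ -z "$issuer" ]; then
    # Root: signed with its own private key, so issuer == subject
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 3650 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 365 \
      -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nsubjectAltName=DNS:www.example.org\n' > "$WORK/leaf.ext"
  sign_cert root "/C=XX/O=Example/CN=Example Root CA" "$WORK/ca.ext"
  sign_cert int  "/C=XX/O=Example/CN=Example Issuing CA" "$WORK/int.ext" root
  sign_cert leaf "/CN=www.example.org" "$WORK/leaf.ext" int
}

# dn NAME subject|issuer -> that field as an RFC 2253 string
dn() { openssl x509 -noout -"$2" -nameopt RFC2253 -in "$WORK/$1.pem" | sed 's/^[a-z]*=//'; }

# A root is self-signed: its issuer and subject are identical
is_self_signed() { [ "$(dn "$1" subject)" = "$(dn "$1" issuer)" ]; }

# Client-side check: trust only the root; the intermediate is supplied untrusted
# and must itself chain to the root before the leaf is accepted
verify_leaf() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The same check without the intermediate fails: the chain cannot reach a trusted root
verify_leaf_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
```

A misconfigured server that omits the intermediate produces exactly the second failure; browsers sometimes hide it by fetching the issuer from the AIA URL shown in the end-entity dump above, while most other clients do not.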
Certificate Standards
2. PGP
a. Issuers are not professionals
b. Web of Trust model
c. Decentralized model
d. PGP keyservers are similar to a CA (but we can choose or create our own)
e. If the chain of trust breaks, it might be difficult to figure out
Digital Certificate: Serves as proof of the identity of the server.
SSL Pinning: Used on the client side to avoid man-in-the-middle attacks by validating the server certificate again, even after the SSL handshake.
To enable this feature for the site:
● Need to return the Public-Key-Pins HTTP header when the site is accessed over HTTPS
● The steps necessary to deliver the HPKP header depend on the web server
Public-Key-Pins: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
  pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
  max-age=5184000; includeSubDomains;
  report-uri="https://www.example.org/hpkp-report"
Thank you