This document is a slide deck, with speaker notes, on security and identity on the internet. It covers identity, trust, encryption, and certificates. Symmetrical encryption uses the same key to encrypt and decrypt, so it cannot tell you who used the key. Asymmetrical encryption uses a public/private key pair: something signed with the private key can be checked with the public key, which proves which key was used but not who owns it. Certificate authorities bind a public key to a name by signing it, producing a certificate that browsers and operating systems trust to identify web sites. Compromised certificates can be revoked; clients learn about this through certificate revocation lists (CRLs) or OCSP, but only if they actually check.
1. Security and Identity on the Internet
Pink Programming Sunday
October 15th, 2017
Jenny Dybedahl, B3IT Init AB
2. Who am I? How do you know?
Identity
Who am I? Jenny Dybedahl, from B3IT Init AB
How do you know? Well, you don't. You could ask to see my ID card or driver's license, perhaps?
3. Who do you trust? What if you need to trust someone else? What if you need someone to trust you?
Trust
Who do you trust? People you know personally
If you need to trust someone else? You ask someone you know to vouch for them, or they show you some identification from an institution that you trust - such as the Police, who issue passports, or Transportstyrelsen, who issue drivers' licenses...
If you need someone to trust you? You get someone they trust to vouch for you, or you get a trusted institution to vouch for you. That's where SSL/TLS certificates come in!
4. Who is listening? Who is reading? Who is altering data?
Security
Who is listening? Usually only the people around you, unless the room is bugged. (There are almost never bugs.)
Who is reading? Usually just the people in the room. But who can see the text through the window? Or when you're using your phone, or your tablet, or your computer on the train or bus?
And on the internet, who can get read access to the data you send and receive?
On the internet, you can't know, unless you're using some form of encryption!
5. Basic cryptography
6. Symmetrical encryption
[Diagram: plain text -> encrypted text -> plain text, with the same key used in both directions]
Shared secret - same "key" used to encrypt and decrypt
Symmetrical encryption cannot verify identity - anyone who has the key can both encrypt and decrypt. You can't know who used the key.
8. Substitution cipher: ROT13
• A = N, B = O, C = P, [...], N = A, O = B, etc
• Example:
Uryyb Jbeyq!
Hello World!
ROT13 - "rotate 13 steps" - is one example of symmetrical encryption: a Caesar shift by 13 letters. It's very bad encryption. There is no key to keep secret, and since 13 + 13 = 26, applying it a second time gives the plaintext back. Its main use has been as a tool to avoid showing spoilers of books or TV series on discussion forums.
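The two slides above, the shared-key diagram and ROT13, in working code. This is an added example and not code from the talk: Rot13 implements the slide's substitution, and the AES-GCM functions show a real symmetric cipher where the very same key seals and opens a message. The 32-byte key, the sender names and the messages are constructed for the demo. The point of main is the one the slide makes: Bob opens a message from "Mallory" exactly as easily as one from Alice, because both held the key, so a successful decrypt says nothing about who sent it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Rot13 is the substitution cipher from the slide: every ASCII letter is
// rotated 13 places, everything else passes through. There is no key, and
// because 13 + 13 = 26 applying it twice gives the plaintext back.
func Rot13(s string) string {
	out := []byte(s)
	for i, c := range out {
		switch {
		case c >= 'A' && c <= 'Z':
			out[i] = 'A' + (c-'A'+13)%26
		case c >= 'a' && c <= 'z':
			out[i] = 'a' + (c-'a'+13)%26
		}
	}
	return string(out)
}

// newGCM builds an AES-GCM cipher from a 16, 24 or 32 byte shared key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAESGCM encrypts and authenticates plaintext with the shared key. A fresh
// random nonce is drawn per message and prepended to the ciphertext.
func SealAESGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenAESGCM decrypts with the same shared key. It fails on a wrong key or a
// modified ciphertext, but a successful open only proves that the sender had
// the key, not which of the key holders it was.
func OpenAESGCM(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

func main() {
	fmt.Println(Rot13("Hello World!"), "/", Rot13(Rot13("Hello World!")))

	// Constructed demo key: in practice generate it randomly and never hard-code it.
	shared := []byte("0123456789abcdef0123456789abcdef")
	fromAlice, _ := SealAESGCM(shared, []byte("Hello from Alice"))
	fromMallory, _ := SealAESGCM(shared, []byte("Hello from 'Alice'")) // Mallory also has the key
	for _, msg := range [][]byte{fromAlice, fromMallory} {
		pt, err := OpenAESGCM(shared, msg)
		fmt.Printf("decrypted OK: %v, text: %q\n", err == nil, pt) // both open fine: no identity
	}
	_, err := OpenAESGCM([]byte("fedcba9876543210fedcba9876543210"), fromAlice)
	fmt.Println("wrong key:", err) // authentication fails
}
```

GCM is used rather than a bare block mode so that a modified ciphertext is rejected instead of decrypting to garbage; that still says nothing about who encrypted it, which is the slide's point.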
9. Substitution cipher: Playfair cipher
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
This is a better substitution cipher. I won't explain it here; you should get the book by Dorothy L Sayers. It's got a whole chapter explaining the cipher and it's a really good book!
10. Asymmetrical encryption
• A pair of keys
• One is kept secret - called private key
• One is made public - called public key
Asymmetrical encryption still does not guarantee identity - but it does guarantee which key has been used.
If something can be "decrypted" (that is, verified) with the public key, you can be sure that it was produced with the matching private key. In real systems the message is hashed and the hash is signed; "encrypting with the private key" is the textbook picture of that operation.
So if I sign something with my private key, you can verify it by using the public key.
11. [Diagram: plain text -> private key -> encrypted text -> public key -> plain text]
Text encrypted with one key can only be decrypted with the other paired key
If something can be decrypted with the public key, that means that you can be sure that it was encrypted with the private key - by whoever holds that private key.
This can be used to sign things - emails, code...
12. [Diagram: plain text -> public key -> encrypted text -> private key -> plain text]
Text encrypted with one key can only be decrypted with the other paired key
If something has been encrypted with the public key, that means that you can be sure that only the person who has the private key can decrypt it.
That way, if someone has my public key, they can send me a message that only I can read.
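Both arrows of the two diagrams above in working code, plus the point slide 34 makes later: altering a signed document invalidates the signature. This is an added example and not code from the talk. Signing is done the way real systems do it (hash, then RSA-PSS over the digest) rather than the textbook "encrypt with the private key"; encryption to the public key uses RSA-OAEP. The key owners "Jenny" and "someone else", the payment message and the tampered copy are constructed for the demo. What the output shows is exactly the slide's claim: a good signature proves which key was used, and nothing about who that key belongs to, which is the gap certificates fill.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair generates an RSA key pair: the private half stays secret, the
// public half (priv.PublicKey) is handed out to anyone.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign hashes the message and signs the digest with the private key (RSA-PSS).
// This is the "private key" arrow: only that key can make the signature,
// anyone with the public key can check it.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify returns true only if sig was made over exactly msg by the private key
// matching pub. Changing a single byte of the message invalidates it.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Encrypt is the "public key" arrow: encrypt to the public key so that only the
// holder of the matching private key can read the message (RSA-OAEP).
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt recovers the message with the private key.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	jenny, _ := NewKeyPair()       // constructed key owner
	someoneElse, _ := NewKeyPair() // a second, unrelated key pair

	msg := []byte("Pay 100 SEK to account 1234") // constructed sample message
	sig, _ := Sign(jenny, msg)
	fmt.Println("verifies with Jenny's public key:", Verify(&jenny.PublicKey, msg, sig))          // true
	tampered := []byte("Pay 900 SEK to account 1234")
	fmt.Println("still verifies after altering the message:", Verify(&jenny.PublicKey, tampered, sig)) // false
	fmt.Println("verifies with someone else's public key:", Verify(&someoneElse.PublicKey, msg, sig)) // false

	ct, _ := Encrypt(&jenny.PublicKey, []byte("for Jenny's eyes only"))
	pt, err := Decrypt(jenny, ct)
	fmt.Printf("Jenny decrypts: %q (err=%v)\n", pt, err)
	_, err = Decrypt(someoneElse, ct)
	fmt.Println("someone else decrypts:", err) // decryption error: wrong private key
}
```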
13. How do you know that a public key belongs to me? It gets signed by someone you trust!
Identity
14. Who do you trust? What if you need to trust someone else? What if you need someone to trust you?
Trust
I know I said this before, but it bears repeating...
Who do you trust? People you know personally
If you need to trust someone else? You ask someone you know to vouch for them, or they show you some identification from an institution that you trust - such as the Police, who issue passports, or Transportstyrelsen, who issue drivers' licenses...
If you need someone to trust you? You get someone they trust to vouch for you, or you get a trusted institution to vouch for you. That's where SSL/TLS certificates come in!
15. How do you start trusting someone?
When you float on a sea of uncertainty, and you want to create some security, the first thing you do is to anchor yourself to something you trust. (It's really called "trust anchors", that's not just me being poetic!)
16. Why trust an anchor?
• You know them
• Someone you trust knows them
• They have documentation, rules and processes that are trustworthy
17. Trust anchors in the 3D-world
• The Police
  - passports
  - National ID cards
• Transportstyrelsen
  - Driving license
18. How does it work?
• People trust things that are issued or signed by someone they trust
• A public key, together with the name of its owner, signed by someone trusted, is called a certificate
23. [Driver's license: the "valid usage" and "identification" fields]
This license is valid for motorcycle, car with heavy trailer, and heavy trucks with trailer
25. How does it work?
• People trust things that are issued or signed by someone they trust
• A public key, together with the name of its owner, signed by someone trusted, is called a certificate
26. Trust anchors on the Internet
• Certificate Authorities
  - Everyone that your operating system trusts
  - Everyone that your web browser trusts
This is who you are trusting every day!
27. Trust anchors on the Internet
You are trusting everyone that your operating system and/or web browser trusts
[Screenshot of the system's list of trusted root certificates: 168 items]
My computer is trusting 168 certificate authorities! (Though some of them are my own personal lab environment, for instance "Admin-Root-CA" in the list above. But at least 160 of them are there because Apple has chosen to trust them!)
28. Trust anchors
https://cabforum.org
The CA/Browser Forum is an organisation of certificate authorities and browser makers. It publishes the rules (the Baseline Requirements) for how certificates may be issued, so that CAs aren't issuing certificates to the wrong people or in the wrong way; the browsers then require CAs to be audited against those rules. They have a lot of interesting information if you are interested in the processes and regulations of certificate authorities.
29. Web site identification
Here's a web site that uses a certificate. If you click on the green padlock, you get some information about the certificate. Note that it doesn't say anything about who owns the domain!
30. Web site certificates
• Subject
• Valid from
• Valid until
• Issued by
• Valid usage
• Serial
The web site certificate contains basically the same kind of information as the driver's license!
31. Web site certificates
openssl x509 -in pinkprogrammingse.crt -noout -subject -issuer -dates -purpose -serial
subject= /CN=pinkprogramming.se
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
notBefore=Aug 27 14:20:00 2017 GMT
notAfter=Nov 25 14:20:00 2017 GMT
serial=038A11933134D6A51AC6BFE4AD60261847C3
Certificate purposes:
SSL client : Yes
SSL server : Yes
Here's the same information again, in another format.
32. Who is listening? Who is reading? Who is altering data?
Security
Yes, I said this before - but the questions are important!
Who is listening? Usually only the people around you, unless the room is bugged. (There are almost never bugs.)
Who is reading? Usually just the people in the room. But who can see the text through the window? And on the internet, who can get read access to the data you send and receive?
On the internet, you can't know, unless you're using some form of encryption!
33. Only someone who has the key can decipher data
Who's listening/reading?
This means that TLS/SSL protects against eavesdroppers on the network between you and the web site. It protects the data in transit, not the devices at either end.
You should still be careful when using your laptop, tablet or phone in public, though...
34. If you alter a signed document, the signature becomes invalid
Who is altering data?
This means that if you are using encryption with integrity protection, such as TLS/SSL, nobody can alter the data in transit without the receiver noticing: a tampered record fails its integrity check and is rejected. For instance, nobody on the network will be able to inject an order for your bank to send money to a scammer.
35. Identity
• Common certificates only identify the domain name
• Extended Validation certificates identify the domain owner
The difference between "ordinary" certificates and Extended Validation certificates.
36. Extended Validation
"Ordinary" certificates don't really tell you anything about the identity of the organisation behind the domain. They just show that the web server is set up by someone who has control of the domain - the CA checks that, for instance by asking for a specific file to be placed on the web server or a specific DNS record to be added.
"Extended Validation" certificates are only issued after verifying the identity of the organisation, and their ownership of the domain.
37. Revocation
• Certificates can be revoked
• It's up to the browser or application to check for revocation
A certificate can be cancelled, just like a credit card can be cancelled if you find out that it's been skimmed or stolen. For certificates, this is called revocation. The catch is that a revoked certificate still looks perfectly valid on its own: its signature and dates check out, so a client that never asks about revocation will happily accept it.
38. Revocation
• Certificate Revocation Lists - CRLs
• Issued at intervals, contain the serial numbers of all certificates the CA has revoked (that have not yet expired)
39. CRL
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52
Last Update: Oct 14 00:36:18 2017 GMT
Next Update: Oct 15 00:36:18 2017 GMT
Revoked Certificates:
Serial Number: 7F00000100000152892D02C7007200A1
Revocation Date: Jan 28 18:44:54 2016 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Superseded
Here's an example of a certificate revocation list, in the format that openssl crl -text prints. "Next Update" tells the client when it must fetch a fresh list.
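The whole chain from the certificate slides (18/25, 30/31) to the revocation slides (37-39) in one added example; this is not code from the talk. A self-signed root plays the trust anchor, it issues a web site certificate carrying the same fields as slide 31, VerifyChain asks the questions a browser asks, and IssueCRL/IsRevoked produce and consume a CRL with a "superseded" reason code like the one on slide 39. The CA name "Example Lab Root CA", the host www.example.org and serial number 2 are constructed for the demo; the keys are generated fresh on every run. IsRevoked also checks the CRL's signature and its Next Update time, which is the part of "it's up to the browser or application" that is easy to forget.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signCert has the issuer's private key sign tmpl and parses the DER result.
func signCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, issuerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA makes a self-signed root: the trust anchor whose key signs certificates and CRLs.
func NewCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueServerCert binds a host name to a fresh key pair and has the CA sign it (slide 31's fields).
func IssueServerCert(ca *x509.Certificate, caKey *rsa.PrivateKey, host string, serial int64) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, err := signCert(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// VerifyChain is the browser's question: signed by a root I trust, valid now, issued for this host?
func VerifyChain(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// IssueCRL signs a revocation list naming the given serials, each with RFC 5280 reason "superseded" (ENUMERATED 4).
func IssueCRL(ca *x509.Certificate, caKey *rsa.PrivateKey, serials []*big.Int) ([]byte, error) {
	now := time.Now()
	superseded := pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 21}, Value: []byte{0x0a, 0x01, 0x04}}
	var revoked []pkix.RevokedCertificate
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now,
			Extensions: []pkix.Extension{superseded}})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: revoked}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// IsRevoked is the client's check: verify the CRL's signature and freshness, then look up the serial.
func IsRevoked(crlDER []byte, issuer, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if time.Now().After(crl.NextUpdate) {
		return false, errors.New("CRL is stale, fetch a newer one")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, caKey, _ := NewCA("Example Lab Root CA") // hypothetical lab CA, like "Admin-Root-CA" on slide 27
	leaf, _, _ := IssueServerCert(ca, caKey, "www.example.org", 2)
	fmt.Printf("subject=%s issuer=%s notBefore=%s notAfter=%s serial=%X\n", leaf.Subject, leaf.Issuer, leaf.NotBefore.UTC().Format(time.RFC1123), leaf.NotAfter.UTC().Format(time.RFC1123), leaf.SerialNumber)
	fmt.Println("trusted root, right host:", VerifyChain(leaf, ca, "www.example.org")) // <nil>
	crl, _ := IssueCRL(ca, caKey, []*big.Int{leaf.SerialNumber})
	fmt.Println(IsRevoked(crl, ca, leaf)) // true <nil>
}
```

Verifying against a different root, or for a different host name, fails in VerifyChain exactly as it would in a browser: the certificate is fine, it just isn't vouched for by an anchor you trust, or isn't for the site you asked for.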
40. Revocation
• Online Certificate Status Protocol - OCSP
• Answers directly: the client asks the CA's OCSP responder about one certificate and gets a signed answer (good, revoked or unknown) instead of downloading the whole list
41. Web site certificates
https://letsencrypt.org
If you want to use certificates in your web server or application, this is a good place to start!