Certificates for Authenticity,
Authentification or both?
Wolfgang Voelker | Director Product Management
wolfgang.voelker@wibu.com
Ruediger Kuegler | Security Expert
ruediger.kuegler@wibu.com
Certificates
07.08.2015 Certificates for authenticity, authentification or both? 1
What are Certificates?
Sending a Signed Message
Sender: calculates a hash of the Data, calculates the Signature over that hash with the Private Key, and sends Data + Signature.
Recipient: recalculates the hash of the received Data and verifies the Signature against it with the sender's Public Key. Result: Yes (signature valid) or No (data or signature altered, or the wrong key).
The Challenge!
How do I know that the
public key is genuine?
The Solution
Certificates
(Public Key Certificate, X.509)
A Certificate
• Confirms the owner of a public key
• Identity:
  - Person
  - Company
  - IT system (e.g. a server)
• Signed by the issuer
• Attributes
Certificate
Issued for:
Common name (CN): Wolfgang Voelker
Organization (O): WIBU-SYSTEMS AG
Organizational unit (OU): WOPS
Serial number: 1be10001000220613…
Public key: 0x15, 0x3c, 0xd0, 0x26, 0xd6, 0x71,
0xfa, 0xae, 0x20, 0xa6, 0x15, 0x58,
0xea, 0x3d, 0xdd, 0x36, 0x89, …
Issued by:
Common name (CN): Root
Organization (O): WIBU-SYSTEMS AG
..
Valid until: 31.12.2015
The next Challenge!
How do I know that the
certificate is genuine?
The next Solution
The certificate is signed
by the issuer.
(It is validated with the public key of the issuer, i.e. with the issuer's own certificate.)
The… Challenge!
…? (And how do I know that the issuer's certificate is genuine? The same question again, one level up.)
The final Solution
I already know a
root certificate from a
certification authority.
(Root Certificate / Certificate Authority)
Examples of Root Certificates
Certificate Hierarchy
Root Certificate (CN: Root)
  signs the intermediate certificates: CN: Inter 1, CN: Inter 2, CN: Inter 3
    which sign the end-entity certificates: CN: Wolfgang, CN: Daniel, CN: Marc, CN: Christian, CN: Ruediger, CN: Stefan
Self-signed Certificates
• Self-signed: the certificate is signed with its own private key, so issuer and subject are identical
• No root certificate or CA behind it
• Usually not accepted by browsers, operating systems or TLS libraries
• Users have to trust the certificate manually (import it into their trust store)
Certificate
Issued for:
Common name (CN): Ruediger Kuegler
Organization (O): WIBU-SYSTEMS AG
Organizational unit (OU): Professional Services
Serial number: 1be10001000220613…
Public key: 0x15, 0x3c, 0xd0, 0x26, 0xd6, 0x71,
0xfa, 0xae, 0x20, 0xa6, 0x15, 0x58,
0xea, 0x3d, 0xdd, 0x36, 0x89, …
Issued by:
Common name (CN): Ruediger Kuegler
Organization (O): WIBU-SYSTEMS AG
..
Valid until: 31.12.2015
Blacklists
• CRL (Certificate Revocation List)
  - A signed list, published by the issuing CA, of certificates that were revoked before their expiry date (e.g. after a key compromise)
  - Entries are matched by serial number; a certificate that chains correctly to a trusted root can still be revoked, so the chain check alone is not enough
• Online status queries are possible via the Online Certificate Status Protocol (OCSP)
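The chain-of-trust, self-signed and CRL slides above, worked through in code. This is an added example written for this page, not code from the presentation or from Wibu-Systems: the hierarchy Root → Inter 1 → Wolfgang, the self-signed certificate for Ruediger and the CRL are constructed in memory with Go's standard library, the function names (must, issue, buildPKI, chainTo, revoked) are this example's own, and it needs Go 1.19 or newer for x509.ParseRevocationList. The same pattern, a root public key already present in the verifier and everything else proven by a chain of signatures down from it, is what the Secure Firmware Update slide at the end of the deck describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must turns setup errors (key generation, DER encoding) into panics; they cannot occur for the constructed input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key pair for cn and a certificate for it signed by
// parent/parentKey; with parent == nil the certificate is self-signed.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"WIBU-SYSTEMS AG"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca { // a CA may sign certificates and revocation lists
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // self-signed: issuer == subject, signed with its own key
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// buildPKI constructs the sample hierarchy Root -> Inter 1 -> Wolfgang, a self-signed
// certificate for Ruediger, and a DER-encoded CRL in which Inter 1 revokes Wolfgang.
func buildPKI() (root, inter, leaf, selfSigned *x509.Certificate, crl []byte) {
	root, rootKey := issue("Root", 1, true, nil, nil)
	inter, interKey := issue("Inter 1", 2, true, root, rootKey)
	leaf, _ = issue("Wolfgang", 3, false, inter, interKey)
	selfSigned, _ = issue("Ruediger", 4, false, nil, nil)
	crl = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}},
	}, inter, interKey))
	return root, inter, leaf, selfSigned, crl
}

// chainTo answers "is this public key genuine?": cert is accepted only if a chain of valid
// signatures leads from it to root, a certificate the verifier already trusts (inter may be nil).
func chainTo(cert, root, inter *x509.Certificate) ([]*x509.Certificate, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root)
	if inter != nil {
		opts.Intermediates.AddCert(inter)
	}
	chains, err := cert.Verify(opts)
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// revoked looks cert up in a CRL; the CRL counts only if it was really signed by cert's issuer and is not stale.
func revoked(cert, issuer *x509.Certificate, crlDER []byte) (bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if time.Now().After(rl.NextUpdate) {
		return false, fmt.Errorf("stale CRL, next update was due %v", rl.NextUpdate)
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	root, inter, leaf, self, crl := buildPKI()
	chain, err := chainTo(leaf, root, inter)
	fmt.Println("Wolfgang -> Inter 1 -> Root: chain length", len(chain), "error", err)
	_, err = chainTo(self, root, nil)
	fmt.Println("self-signed Ruediger against Root:", err)
	fmt.Println(revoked(leaf, inter, crl))
}
```

Three things to notice when running it: the leaf only verifies when the intermediate is available (a server that forgets to send its intermediate fails exactly here), the self-signed certificate verifies only when it is itself placed in the root pool (chainTo(self, self, nil), the "trust manually" step), and a CRL signed by anyone other than the issuer is rejected before its contents are even consulted.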
Use Cases
• Server certificates
• Client certificates
• E-mail certificates / VPN certificates
• OPC UA certificates
• Authenticode
  - Code integrity of software
• …
Server Certificates
Server Certificate
Server: holds the Server Private Key and a Certificate (CN: wibu.com) issued under the Root Certificate (CN: Root); it presents the certificate when the client connects via https.
Client: already holds the Root Certificate (CN: Root), checks that the server's certificate chains to it, and checks that the name in the certificate matches the host it wanted to reach.
Client verifies the identity of the server
Server Certificate – Secure Connection
Server Configuration (Apache httpd, mod_ssl)…
SSLEngine on
SSLCertificateKeyFile "c:/cert/my_private_key.pem"
SSLCertificateFile "c:/cert/the_cert_I_got_from_verisign.crt"
… Server Configuration
• SSLEngine on
  - Enables SSL/TLS for this virtual host
• SSLCertificateKeyFile "c:/cert/my_private_key.pem"
  - The server's private key; the file must be readable only by the server process
• SSLCertificateFile "c:/cert/the_cert_I_got_from_verisign.crt"
  - The server certificate matching that key. If the issuing CA is an intermediate, the intermediate certificate(s) must be sent as well (appended to this file in Apache 2.4.8 and later, or via SSLCertificateChainFile in older versions), otherwise a client that only knows the root cannot build the chain.
Client Certificates
Client Certificate
Server: Server Private Key and Certificate (CN: wibu.com) issued under the Root Certificate (CN: Root); presented to the client over https.
Client verifies the identity of the server
Client: Client Private Key and Certificate (CN: user) issued under the Root Certificate (CN: Wibu Root); presented to the server in the same TLS handshake (mutual authentication).
Server verifies the identity of the client
Server Configuration for Client Certificates
SSLEngine on
SSLCertificateKeyFile "c:/cert/my_private_key.pem"
SSLCertificateFile "c:/cert/the_cert_I_got_from_verisign.crt"
SSLCACertificateFile "c:/cert/my_own_ca_root_cert.crt"
SSLVerifyClient require
SSLVerifyDepth 10
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user@domain.de"
SSLOptions +StdEnvVars
… Server Configuration for the Client Certificate
• SSLCACertificateFile "c:/cert/my_own_ca_root_cert.crt"
  - Certificate Authority (CA) whose certificates are accepted as client certificates; it is independent of the CA that issued the server certificate
• SSLVerifyClient require
  - A client certificate is required; the handshake fails without a valid one
• SSLVerifyDepth 10
  - Maximum number of CA certificates allowed between the client certificate and a trusted CA
• SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user@domain.de"
  - Example of an additional check on the already verified certificate (here only this one CN may access the resource). In Apache 2.4 SSLRequire is deprecated in favour of Require expr %{SSL_CLIENT_S_DN_CN} == "user@domain.de"
• SSLOptions +StdEnvVars
  - Passes the certificate fields (SSL_CLIENT_S_DN_CN, …) as environment variables to PHP / the application, so it can authorize on them without parsing the certificate itself
Issuance of a Client Certificate (recommended)
• Client:
  - Generate the key pair
  - Generate the Certificate Signing Request (CSR): subject and public key, signed with the new private key
  - Send the CSR to a CA
• CA / Server:
  - Check the CSR signature and the requested subject, then generate a certificate
  - Send the certificate to the client
• Client:
  - Import the certificate
The private key never leaves the client.
Creation of a Client Certificate (easy)
• CA / Server:
  - Generate the key pair
  - Generate the certificate
  - Export the private key
  - Send certificate + private key to the client
• Client:
  - Import the certificate
  - Import the private key
Easy, but the private key now exists in two places and travels over a channel that must be protected (e.g. as a password-protected PKCS#12 file), which is why the first variant is the recommended one.
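The recommended flow above, and what the issued certificate is then used for, as an added example written for this page (not code from the presentation or from Wibu-Systems): the client generates the key pair and a CSR, the CA checks the CSR's self-signature and its own naming policy before issuing, and afterwards the client proves possession of the key to a server that checks the certificate against the CA and the expected CN, which is what the SSLCACertificateFile / SSLVerifyClient / SSLRequire configuration of the previous slides expresses. The function names (must, newCA, clientKeyAndCSR, caIssue, proveIdentity, checkIdentity), the CA name "Wibu Root", the organization policy and the challenge value are assumptions of the example; it needs Go 1.18 or newer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must turns setup errors (key generation, DER encoding) into panics; they cannot occur for the constructed input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA creates the self-signed CA ("my_own_ca_root_cert.crt" in the Apache example) that signs client certificates.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Wibu Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// clientKeyAndCSR is the client side of the recommended flow: the key pair is generated here and
// only the CSR (subject + public key, self-signed as proof of possession) leaves the machine.
func clientKeyAndCSR(cn, org string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csr := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: cn, Organization: []string{org}},
	}, key))
	return key, csr
}

// caIssue is the CA side: parse the CSR, check its self-signature so the requester really holds
// the private key, apply policy to the requested name, and issue a certificate for the CSR's public key.
func caIssue(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey, allowedOrg string) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	// Never copy the requested subject blindly: this CA issues only for its own organization.
	if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != allowedOrg {
		return nil, fmt.Errorf("CSR for organization %v rejected", csr.Subject.Organization)
	}
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))), // unique, unpredictable
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// proveIdentity signs a server-supplied challenge with the client key; checkIdentity accepts it only
// if the certificate chains to the CA, carries the expected CN (the SSLRequire check) and the
// signature verifies with the public key taken from the certificate.
func proveIdentity(key *ecdsa.PrivateKey, challenge []byte) []byte {
	sum := sha256.Sum256(challenge)
	return must(ecdsa.SignASN1(rand.Reader, key, sum[:]))
}

func checkIdentity(cert, ca *x509.Certificate, wantCN string, challenge, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if cert.Subject.CommonName != wantCN {
		return fmt.Errorf("client CN %q is not %q", cert.Subject.CommonName, wantCN)
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig)
}

func main() {
	ca, caKey := newCA()
	key, csr := clientKeyAndCSR("user@domain.de", "WIBU-SYSTEMS AG")
	cert := must(caIssue(csr, ca, caKey, "WIBU-SYSTEMS AG"))
	nonce := []byte("constructed server nonce")
	fmt.Println("client accepted:", checkIdentity(cert, ca, "user@domain.de", nonce, proveIdentity(key, nonce)))
}
```

The order of checks in checkIdentity matters: the chain is verified before the CN is compared, because a CN in an unverified certificate is just a string the client chose, and the challenge must be fresh per connection, otherwise a captured signature can be replayed.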
Certificate / Private Key Storage
Saving Private Keys
• File on the file system (PEM file containing the key)
• Certificate store, accessed through a middleware API
  - PKCS#11
  - Microsoft CSP (Crypto Service Provider)
• Physical medium
  - On disk: the key can be copied together with the file
  - In a token: the key is generated and used inside the hardware and is not exportable
PKCS#11 / Microsoft CSP
Example with a token: the CSSI middleware makes the CmDongle available through both interfaces, PKCS#11 (used for example by Firefox and OpenVPN) and a Microsoft CSP (used for example by Internet Explorer and Outlook); your own application can use either one.
Authenticode
Motivation: the Application
• Signed application
Started Application
Motivation: the Patch
Motivation: the Question
• Is the application still running?
Started Application (with invalid signature)
Is the application still running?
The scary answer:
YES
Summary
• Microsoft Windows (with default settings) starts any application
  - Without signature
  - With valid signature
  - With invalid signature
• On-board tools are not suitable for copy / integrity protection
Yes, but…
Software Check
• Signature validation by the application itself
  - Valid / invalid?
  - Who has signed?
  - When was the application signed?
• Reaction in case of an invalid signature
  - Exit (and hide the calls that perform the check?)
  - Deliberately "wrong calculation" !?
Started Application (with Authenticode check via API)
Started Application (Patched)
The Vulnerability
Own Software → WINTRUST.DLL
• A well-known and documented Windows API (WinVerifyTrust in WINTRUST.DLL) performs the signature check, inside the very process the attacker controls !?
• Attacks:
  - Patching WINTRUST.DLL on disk
  - Hooking the function with standard tools
  - Overwriting the function in the DLL at runtime from the patched application
Overwrite at runtime (Delphi / Object Pascal, uses Windows)
var
  fake: array[0..2] of Byte;
  lib: HMODULE;
  p: PByte;
  old, dummy: DWORD;
begin
  ...
  { x86 "xor eax, eax; ret": the patched WinVerifyTrust returns 0 (ERROR_SUCCESS) for every file }
  fake[0] := $31;
  fake[1] := $C0;
  fake[2] := $C3;
  lib := LoadLibrary('WINTRUST.DLL');
  p := GetProcAddress(lib, 'WinVerifyTrust');
  { make the code page writable, overwrite the function entry, restore the old protection }
  VirtualProtect(p, 3, PAGE_EXECUTE_READWRITE, old);
  Move(fake, p^, 3);
  VirtualProtect(p, 3, old, dummy);
  ...
end;
Started Application (Patched + Code Inject)
Conclusion: Authenticode
• Certificates provide security only if the validation occurs in a trusted environment, i.e. not inside the process an attacker can patch
• Authenticode = protects the user from malware and tampered downloads
• Authenticode ≠ protection against piracy
Code Signature with AxProtector
Wibu-Systems Protection Suite
Protection functions: Automatic Protection (IP Protection), Anti-Debug Methods, Individual Encryption of Functions, Integrity Protection (Tamper Protection), Authenticity of Software (Secure Loader / Authenticity)
Platforms, products and runtime:
• PC (Windows, Linux, OS X): AxProtector, IxProtector; CodeMeter Runtime
• .NET: AxProtector .NET; CodeMeter Runtime
• Java SE / Java EE: AxProtector Java; CodeMeter Runtime
• Embedded Operating System: AxProtector CmE, ExProtector; CodeMeter Embedded
Functions of Protection Suite
• Software authenticity (Secure Load)
  - Prevents the execution of software that has not been validated
• Integrity Protection (Tamper Protection)
  - Detects changes (also in memory!) and reacts to them
• Automatic Protection (IP Protection)
  - Protection against reverse engineering and piracy
• Anti-Debug Methods
• Individual Encryption of Functions
  - Encryption at method level
AxProtector
Compiled Application: Header, Code Section, Data Section, Resource Section
AxProtector (holding the Private Key) turns it into the
Protected Application: Header, AxEngine (Security Engine + Public Key), encrypted Code Section, encrypted Data Section, encrypted Resource Section, Signature
The signature is created with the private key at protection time; only the matching public key, embedded in the AxEngine, ships with the product.
Self-Check
Executable: the AxEngine (Security Engine + Public Key) calculates the hash of the executable and checks the Signature against it (hash, public key, signature). Yes → continue; No → error.
Check of another Module
Executable and Dynamic Link Library each carry their own AxEngine (Security Engine + Public Key) and Signature, so each module can check the other before using it.
Supported combinations: exe - exe, exe - dll, dll - dll, dll - exe
AxProtector control file (self-check plus check of other modules):
[WIBU-SYSTEMS Control File]
...
[Commandline]
...
-cav
...
[CheckCodeIntegrity Dlls]
Image1 = ShowHex.dll
...
ExProtector
• ExProtector = protection of executable files on embedded operating systems
• Integration of the "AxEngine" as ExEngine into the loader of the operating system / the boot loader
• Use of signatures and certificates
• Rights management: who is allowed to sign the applications?
Usage of Certificates within CodeMeter
Secure Firmware Update
• There is a Wibu root certificate
• There are production certificates, issued under the root certificate
• Each CmDongle receives the public root key during production
• A firmware update is signed with a production certificate
• The old firmware checks the update (signature and certificate chain up to the root) before applying the new firmware to the CmDongle
CodeMeter Universal Firm Code
• Licenses are signed by the vendor
• Licenses consist of a certificate and an encrypted part
• The license certificate can contain an authorization for license transfer
• In case of a transfer, the original certificate is passed on and a new certificate of the issuing CmContainer is generated
• With CodeMeter, all of this is done transparently in the background
Germany: +49-721-931720
USA: +1-425-7756900
China: +86-21-55661790
http://www.wibu.com
info@wibu.com
Thank you for your attention
SpotFlow: Tracking Method Calls and States at Runtime
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 

Certificates for Authenticity, Authentification or both

  • 1. Certificates for Authenticity, Authentification or both?
    Wolfgang Voelker | Director Product Management | wolfgang.voelker@wibu.com
    Ruediger Kuegler | Security Expert | ruediger.kuegler@wibu.com
    Section: Certificates
    07.08.2015 Certificates for authenticity, authentification or both? 1
  • 2. What are Certificates?
  • 3. Sending a Signed Message (diagram)
    - Sender: Data → Calculate Hash → Calculate Signature (with the Private Key) → Data + Signature are sent
    - Recipient: Data + Signature → Calculate Hash → Verify Signature (with the Public Key) → Yes / No
  • 4. The Challenge! How do I know that the public key is genuine?
  • 5. The Solution: Certificates (Public Key Certificate, X.509)
  • 6. A Certificate
    - Confirms the owner of a public key
    - Identity: Person, Company, IT system (e.g. server)
    - Signed by issuer
    - Attributes
    Example certificate:
      Issued for: Common name (CN): Wolfgang Voelker; Company (O): WIBU-SYSTEMS AG; Business unit (OU): WOPS
      Serial number: 1be10001000220613…
      Public key: 0x15, 0x3c, 0xd0, 0x26, 0xd6, 0x71, 0xfa, 0xae, 0x20, 0xa6, 0x15, 0x58, 0xea, 0x3d, 0xdd, 0x36, 0x89, …
      Issued by: Common name (CN): Root; Company (O): WIBU-SYSTEMS AG; ..
      Valid until: 31.12.2015
  • 7. The next Challenge! How do I know that the certificate is genuine?
  • 8. The next Solution: The certificate is signed by the issuer (validation through the public key of the issuer).
  • 9. The… Challenge! …?
  • 10. The final Solution: I already know a root certificate from a certification authority (Root Certificate / Certificate Authority).
  • 11. Examples of Root Certificates
  • 12. Certificate Hierarchy (diagram): the Root Certificate (CN: Root) at the top, the intermediate certificates (CN: Inter 1, Inter 2, Inter 3) below it, and the end-entity certificates (CN: Wolfgang, Daniel, Marc, Christian, Ruediger, Stefan) at the bottom.
  • 13. Self-signed Certificates
    - Self-signed
    - No root certificate
    - Usually not accepted
    - Users have to trust the certificate manually
    Example certificate:
      Issued for: Common name (CN): Ruediger Kuegler; Company (O): WIBU-SYSTEMS AG; Business unit (OU): Professional Services
      Serial number: 1be10001000220613…
      Public key: 0x15, 0x3c, 0xd0, 0x26, 0xd6, 0x71, 0xfa, 0xae, 0x20, 0xa6, 0x15, 0x58, 0xea, 0x3d, 0xdd, 0x36, 0x89, …
      Issued by: Common name (CN): Ruediger Kuegler; Company (O): WIBU-SYSTEMS AG; ..
      Valid until: 31.12.2015
  • 14. Blacklists
    - CRL (Certificate Revocation List)
    - Includes invalid certificates (certificate revocation)
    - Online enquiry possible: Online Certificate Status Protocol (OCSP)
  • 15. Use Cases
  • 16. Use Cases
    - Server Certificates
    - Client Certificates
    - E-Mail Certificates / VPN Certificates
    - OPC UA Certificates
    - Authenticode: code integrity of software
    - …
  • 17. Server Certificates
  • 18. Server Certificate (diagram): the server holds its Server Private Key and a Certificate (CN: wibu.com); the client holds the Root Certificate (CN: Root). Over https, the client verifies the identity of the server.
  • 19. Server Certificate – Secure Connection
  • 20. Server Configuration…
      SSLEngine on
      SSLCertificateKeyFile "c:/cert/my_private_key.pem"
      SSLCertificateFile "c:/cert/the_cert_I_got_from_verisign.crt"
  • 21. … Server Configuration
    - SSLEngine on: activates SSL (SSL mode must be enabled)
    - SSLCertificateKeyFile "c:/cert/my_private_key.pem": the private key
    - SSLCertificateFile "c:/cert/the_cert_I_got_from_verisign.crt": the certificate
  • 22. Client Certificates
  • 23. Client Certificate (diagram): as on slide 18, the client verifies the identity of the server (Server Private Key, Certificate CN: wibu.com, Root Certificate CN: Root, https). In addition, the client holds its Client Private Key and a Certificate (CN: user), and the server holds the Root Certificate (CN: Wibu Root) with which it verifies the identity of the client.
  • 24. Server Configuration for Client Certificates
      SSLEngine on
      SSLCertificateKeyFile "c:/cert/my_private_key.pem"
      SSLCertificateFile "c:/cert/the_cert_I_got_from_verisign.crt"
      SSLCACertificateFile "c:/cert/my_own_ca_root_cert.crt"
      SSLVerifyClient require
      SSLVerifyDepth 10
      SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user@domain.de"
      SSLOptions +StdEnvVars
  • 25. … Server Configuration for the Client Certificate
    - SSLCACertificateFile "c:/cert/my_own_ca_root_cert.crt": the Certificate Authority (CA) for client certificates
    - SSLVerifyClient require: a client certificate is required
    - SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user@domain.de": example of a validation
    - SSLOptions +StdEnvVars: transmission of the parameters to PHP / the application
  • 26. Issuance of a Client Certificate (recommended)
    - Client: generate the key pair; generate the Certificate Signing Request (CSR); send the CSR to a CA
    - CA / Server: generate a certificate; send the certificate to the client
    - Client: import the certificate
  • 27. Creation of a Client Certificate (easy)
    - CA / Server: generate the key pair; generate the certificate; export the private key; send certificate + private key to the client
    - Client: import the certificate; import the private key
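The certificate chain of slides 4 to 13 and the recommended issuance flow of slide 26, as an added example that is not part of the presentation and not Wibu-Systems code: a Go program using only the standard library builds Root → Inter 1 → Wolfgang, lets the CA issue the leaf from a CSR so that the client's private key never leaves the client, and then shows that the chained certificate validates against the already-known root while a self-signed certificate (slide 13) does not. The P-256 curve, the 24-hour validity, the random serial numbers and the reuse of the deck's common names are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // keeps the demo short; real code would propagate err
	if err != nil {
		panic(err)
	}
	return v
}

// template is the certificate body of slide 6; a key allowed to sign certificates (keyCertSign) is a CA.
func template(cn string, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"WIBU-SYSTEMS AG"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
}

// issue signs tmpl with the issuer's private key (slide 8); parent == tmpl self-signs (slides 10 and 13).
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// issueFromCSR is the CA side of slide 26: only the CSR arrives, its self-signature proves
// that the requester holds the matching private key, and the CA certifies that public key.
func issueFromCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return issue(template(csr.Subject.CommonName, x509.KeyUsageDigitalSignature), ca, csr.PublicKey, caKey), nil
}

// ChainValid answers slide 7: genuine means the signatures lead, via intermediates, to a root we already trust.
func ChainValid(leaf, root *x509.Certificate, inters ...*x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root)
	for _, c := range inters {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err == nil
}

// Demo builds Root -> Inter 1 -> Wolfgang (slide 12) and a self-signed Ruediger (slide 13); returns (chain ok, self-signed ok).
func Demo() (bool, bool) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	selfSign := func(t *x509.Certificate, k *ecdsa.PrivateKey) *x509.Certificate { return issue(t, t, &k.PublicKey, k) }
	rootKey, interKey, userKey := newKey(), newKey(), newKey()
	root := selfSign(template("Root", x509.KeyUsageCertSign), rootKey)
	inter := issue(template("Inter 1", x509.KeyUsageCertSign), root, &interKey.PublicKey, rootKey)
	csr := must(x509.CreateCertificateRequest(rand.Reader, // the client's private key stays with the client
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "Wolfgang"}}, userKey))
	user := must(issueFromCSR(csr, inter, interKey))
	self := selfSign(template("Ruediger", x509.KeyUsageDigitalSignature), userKey) // no CA behind it
	return ChainValid(user, root, inter), ChainValid(self, root)
}
```

Called from a main or a test, Demo() returns (true, false): the certificate chained to the known root is accepted, the self-signed one is not.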
  • 28. Certificate / Private Key Storage
  • 29. Saving Private Keys
    - File on the file system (PEM file with key)
    - Certificate storage: PKCS#11; Microsoft CSP (Crypto Service Provider)
    - Physical medium: on a disk; in a token
  • 30. PKCS#11 / Microsoft CSP (diagram): the CmDongle is reached through the PKCS#11 and Microsoft CSP interfaces by Internet Explorer, Outlook, Firefox, OpenVPN and "My Application".
  • 31. Example with a Token: CSSI Middleware
  • 32. Authenticode
  • 33. Motivation: the Application (signed application)
  • 34. Started Application
  • 35. Motivation: the Patch
  • 36. Motivation: the Question. Is the application still running?
  • 37. Started Application (with invalid signature)
  • 38. Is the application still running? The scary answer: YES
  • 39. Summary
    - Microsoft Windows starts any application: without signature, with valid signature, with invalid signature
    - On-board tools are not suitable for copy / integrity protection
  • 40. Yes, but…
  • 41. Software Check
    - Signature validation: valid / invalid? Who has signed? When was the application signed?
    - Reaction in case of an invalid signature: exit (hiding the calls?); "wrong calculation"!?
  • 42. Started Application (with Authenticode check via API)
  • 43. Started Application (Patched)
  • 44. The Vulnerability (diagram): Own Software → WINTRUST.DLL
  • 45. The Vulnerability
    - A well-known and documented Windows API verifies the signature!?
    - Attacks: patching WINTRUST.DLL; hooking the function with standard tools; overwriting functions in the DLL at runtime from the patched application
  • 46. Overwrite at runtime
      ...
      fake[0] := $31;
      fake[1] := $C0;
      fake[2] := $C3;
      lib := LoadLibrary('WINTRUST.DLL');
      p := GetProcAddress(lib, 'WinVerifyTrust');
      VirtualProtect(p, 3, PAGE_EXECUTE_READWRITE, old);
      move(fake, p^, 3);
      VirtualProtect(p, 3, old, old);
      ...
  • 47. Started Application (Patched + Code Inject)
  • 48. Conclusion: Authenticode
    - Certificates provide security only if the validation occurs in a trusted environment
    - Authenticode = protection of the user from viruses
    - Authenticode ≠ protection against piracy
  • 49. Code Signature with AxProtector
  • 50. Wibu-Systems Protection Suite (overview table)
    - Platforms: PC (Windows, Linux, OS X); .NET; Java SE; Java EE; Embedded Operating System
    - CodeMeter variant used: CodeMeter Runtime; CodeMeter Embedded
    - Tools: AxProtector; AxProtector .NET; AxProtector Java; AxProtector CmE; ExProtector; IxProtector
    - Features: Automatic Protection (IP Protection); Anti-Debug Methods; Individual Encryption of Functions; Integrity Protection (Tamper Protection); Authenticity of Software (Secure Loader / Authenticity)
  • 51. Functions of Protection Suite
    - Software authenticity (Secure Load): prevention of the execution of non-validated software
    - Integrity Protection (Tamper Protection): detection of changes (in memory!) and reaction
    - Automatic Protection (IP Protection): protection against reverse engineering and piracy
    - Anti-Debug Methods
    - Individual Encryption of Functions: encryption at method level
  • 52. AxProtector (diagram): the Compiled Application (Header, Code Section, Data Section, Resource Section) is processed by AxProtector, which uses the Private Key; the Protected Application consists of Header, AxEngine (Security Engine + Public Key), Encrypted Code Section, Encrypted Data Section, Encrypted Resource Section and Signature.
  • 53. Self-Check (diagram): the AxEngine (Security Engine + Public Key) inside the Executable calculates the hash of the executable and checks the Signature (Hash, Public Key, Signature): Yes / No, where No leads to Error.
  • 54. Check of another Module (diagram): Executable and Dynamic Link Library each carry an AxEngine (Security Engine + Public Key) and a Signature; checks run in every direction: exe - exe, exe - dll, dll - dll, dll - exe.
  • 55. AxProtector control file
      [WIBU-SYSTEMS Control File]
      ...
      [Commandline]
      ...
      -cav
      ...
      [CheckCodeIntegrity Dlls]
      Image1 = ShowHex.dll
      ...
    Callouts on the slide: Self Check (the -cav command line option); Check of other modules (the [CheckCodeIntegrity Dlls] section)
  • 56. ExProtector
    - ExProtector = protection of executable files on embedded operating systems
    - Integration of the "AxEngine" as ExEngine in the loader of the operating system / boot loader
    - Use of signatures and certificates
    - Rights management: who can sign the applications?
  • 57. Usage of certificates within CodeMeter
  • 58. Secure Firmware Update
    - There is a Wibu root certificate
    - There are production certificates, derived from the root certificate
    - Each CmDongle gets the public root key during production
    - The firmware update is signed with a production certificate
    - The old firmware checks the update (signature and certificate) before it applies the new firmware to the CmDongle
  • 59. CodeMeter Universal Firm Code
    - Licenses are signed by the vendor
    - Licenses consist of a certificate and an encrypted part
    - The license certificate can contain an authorization for license transfer
    - In case of a transfer, the original certificate is passed on and a new certificate of the issuing CmContainer is generated
    - With CodeMeter, everything is done transparently in the background
  • 60. Thank you for your attention
    Germany: +49-721-931720 | USA: +1-425-7756900 | China: +86-21-55661790
    http://www.wibu.com | info@wibu.com