Uploaded byfaizalkhan673954
PPT, PDF143 views

certificates.ppt

This document provides an overview of cryptography concepts including keys, symmetric encryption, asymmetric encryption, certificates, and how they are used together in a public key infrastructure (PKI) to provide security features like confidentiality, integrity, and authentication on the web. It describes how certificates contain a public key and are used to verify identity through digital signatures. It also gives steps for setting up SSL on a web server and configuring browsers and clients to use certificates for authentication and secure communication.

Embed presentation

Download to read offline
Certificates, Keys, Web Browsers, and Security - Sumanth Gelle
Contents:  Keys  Symmetric Encryption  Asymmetric Encryption  Hybrid Encryption  Certificate  What does Certificate contain  Authentication with certificate  How to set up SSL on a web server  Certificate Revocation Lists  Browser  Internet Explorer
What Does Cryptography Solve?  Confidentiality  Ensure that nobody can get knowledge of what you transfer even if listening the whole conversation  Integrity  Ensure that message has not been modified during the transmission  Authenticity  You can verify that you are talking to the entity you think you are talking to
 Confidentiality--- Encryption is the answer  Integrity--- Hashing is the answer  Authentication--- Digital Certificate is the answer  Cryptography is key management
Keys Symmetric Keys “An intro to PKI and few deploy hints” “AxCvGsmWe#4^, sdgfMwir3:dkJeTs Y8Rs@!q3%” “An intro to PKI and few deploy hints” Clear-text input Clear-text output Cipher-text Same key (shared secret) Encryption Decryption DE S DE S
Symmetric Encryption  Symmetric algorithms require the creation of a key and an initialization vector (IV) that must be kept secret from anyone who should not decrypt your data. TripleDESCryptoServiceProvider TDES = new TripleDESCryptoServiceProvider(); TDES.GenerateIV(); TDES.GenerateKey(); When the previous code is executed, a key and IV are generated when the new instance of TripleDESCryptoServiceProvider is made. Another key and IV are created when the GenerateKey and GenerateIV methods are called.
Asymmetric Encryption  Asymmetric algorithms require the creation of a public key and a private key. The public key can be made public to anyone, while the private key must known only by the party who will decrypt the data encrypted with the public key. //Generate a public/private key pair. RSACryptoServiceProvider RSA = new RSACryptoServiceProvider(); //Save the public key information to an RSAParameters structure. RSAParameters RSAKeyInfo =RSA.ExportParameters(false);
Assymetric Encryption Continued…  To create an asymmetric key and save it in a key container Create a new instance of a CspParameters class and pass the name that you want to call the key container to the CspParameters.KeyContainerName field. Create a new instance of a class that derives from the AsymmetricAlgorithm class (usually RSACryptoServiceProvider or DSACryptoServiceProvider) and pass the previously created CspParameters object to its constructor.  To delete a key from a key container Create a new instance of a CspParameters class and pass the name that you want to call the key container to the CspParameters.KeyContainerName field. Create a new instance of a class that derives from the AsymmetricAlgorithm class (usually RSACryptoServiceProvider or DSACryptoServiceProvider) and pass the previously created CspParameters object to its constructor. Set the PersistKeyInCSP property of the class that derives from AsymmetricAlgorithm to false (False in Visual Basic). Call the Clear method of the class that derives from AsymmetricAlgorithm. This method releases all resources of the class and clears the key container.
Example: SSL Priv pub Priv pub Clear text Encrypt Cipher 1 Encrypt Cipher 2 Transmission over the public network Cipher 2 Cipher 1 Decrypt Clear text Decrypt pub  Ensures confidentiality  And integrity if digitally signed  depending on how public key are exchanged  Authenticity, Identity, Non-repudiation pub
Real World: Hybrid Encryption (typical for encrypted file storage) Clear-text message Randomly-Generated symmetric “session” key Symmetrically Encrypted message Symmetric Encryption Digital Envelope Recipient’s public key Asymmetric Encryption of session key Repeat as necessary Digital Envelope Public key of other recipient or recovery agent Asymmetric Encryption of session key ENCRYPTED DOCUMENT
Real World: Hybrid Decryption Symmetrically Encrypted message Clear-text message Symmetric Decryption Digital Envelope ENCRYPTED DOCUMENT Digital Envelope Digital Envelope Asymmetric decryption of session key Private key of the recipient Take the appropriate digital envelope containing the “session” key encrypted using recipient’s public key “session” key is decrypted using the recipient private key UNENCRYPTED DOCUMENT
PKI (Public Key Infrastructure)  Public Key Infrastructure provides the technologies that enable practical distribution of public keys”  Using CERTIFICATES
Certificates
What does Certificate contain?  Owner's public key  Owner's name or alias  Expiration date of the certificate  Serial number of the certificate  Name of the organization that issued the certificate  Digital signature of the organization that issued the certificate
Authentication with Certificates  Owning a Certificate of Gianni does not mean that you are Gianni  Owning a Certificate does not imply you are authenticated  How would you verify that the person who comes to you pretending to be Gianni and showing you a certificate of Gianni is really Gianni ?  You have to challenge him !  Only the real Gianni has the private key that goes in pair with the public key in the certificate.
Authentication with Certificates  Denise gets Gianni’s certificate  She verifies its digital signature  She can trust that the public key really belongs to Gianni  But is it Gianni standing if front of her, or is that Michel ?  Denise challenges Gianni to encrypt for her a random phrase she generated (“I like green tables with flowers”)  Gianni has (if he is the real Gianni) the private key that matches the certificate, so he responds (“deRf35D^&#dvYr8^*$@dff”)  Denise decrypts this with the public key she has in the certificate (which she trusts) and if it matches the phrase she just generated for the challenge then it must really be Gianni himself !
How to Set Up SSL on a Web Server  Step1. Generate a Certificate Request  Step 2. Submit a Certificate Request  Step 3. Issue the Certificate  Step 4. Install the Certificate on the Web server  Step 5. Configure Resources to Require SSL Access
Step 1. Generate a Certificate Request  Start the IIS Microsoft Management Console (MMC) snap- in.  Expand your Web server name and select the Web site for which you want to install a certificate.  Right-click the Web site, and then click Properties.  Click the Directory Security tab.  Click the Server Certificate button within Secure communications to launch the Web Server Certificate Wizard. Note If Server Certificate is unavailable, you probably selected a virtual directory, directory, or file. Go back to Step 2 and select a Web site.
Step2. Submit a Certificate Request  Use Notepad to open the certificate file generated in the previous procedure and copy its entire contents to the clipboard.  Start Internet Explorer and navigate to http:// hostname/CertSrv, where hostname is the name of the computer running Microsoft Certificate Services.  Click Request a Certificate, and then click Next.  On the Choose Request Type page, click Advanced request, and then click Next.  On the Advanced Certificate Requests page, click Submit a certificate request using a base64 encoded PKCS#10 file, and then click Next.  On the Submit a Saved Request page, click in the Base64 Encoded Certificate Request (PKCS #10 or #7) text box and press CTRL+V to paste the certificate request you copied to the clipboard earlier.  In the Certificate Template combo box, click Web Server.  Click Submit.  Close Internet Explorer.
Step3. Issue the Certificate  Start the Certification Authority tool from the Administrative Tools program group.  Expand your certificate authority, and then select the Pending Requests folder.  Select the certificate request you just submitted.  On the Action menu, point to All Tasks, and then click Issue.  Confirm that the certificate is displayed in the Issued Certificates folder, and then double-click it to view it.  On the Details tab, click Copy to File, and save the certificate as a Base-64 encoded X.509 certificate.  Close the properties window for the certificate.  Close the Certificate Authority tool.
Step4. Install the Certificate on the Web Server  Start Internet Information Services, if it's not already running.  Expand your server name and select the Web site for which you want to install a certificate.  Right-click the Web site, and then click Properties.  Click the Directory Security tab.  Click Server Certificate to launch the Web Server Certificate Wizard.  Click Process the pending request and install the certificate, and then click Next.  Enter the path and file name of the file that contains the response from the CA, and then click Next.  Examine the certificate overview, click Next, and then click Finish. A certificate is now installed on the Web server.
Step5. Configure Resources to Require SSL Access  Start Internet Information Services, if it's not already running.  Expand your server name and Web site. (This must be a Web site that has an installed certificate.)  Right-click a virtual directory, and then click Properties.  Click the Directory Security tab.  Under Secure communications, click Edit.  Click Require secure channel (SSL). Client's browsing to this virtual directory must now use HTTPS.  Click OK, and then click OK again to close the Properties dialog box.  Close Internet Information Services.
How to Set Up Client Certificates  Step 1. Create a Simple Web Application  Step 2. Configure the Web Application to Require Client Certificates  Step 3. Request and Install a Client Certificate  Step 4. Verify Client Certificate Operation
Certificate Stores  Certificates are stored in safe locations called a certificate stores. A certificate store can contain certificates, CRLs, and Certificate Trust Lists (CTLs). Each user has a personal store (called the "MY store") where that user's certificates are stored. The MY store can be physically implemented in a number of locations including the registry, on a local or remote computer, a disk file, a data base, a directory service, a smart device, or another location.  While any certificate can be stored in the MY store, this store should be reserved for a user's personal certificates, that is the certificates used for signing and decrypting that particular user's messages.  In addition to the MY store, Windows also maintains the following certificate stores:  CA and ROOT. This store contains the certificates of certificate authorities that the user trusts to issue certificates to others. A set of trusted CA certificates are supplied with the operating system and others can be added by administrators.  Other. This store contains the certificates of other people to whom the user exchanges signed messages.  The CryptoAPI provides functions to manage certificates. These APIs can be accessed only through unmanaged code. Also, CAPICOM is a COM- based API for the CryptoAPI, which can be accessed via COM Interop.
Certificates Revocation List  X.509 certificates and many other certificates have a valid time duration. A certificate can expire and no longer be valid. A CA can revoke a certificate for a number of reasons. To handle revocations, a CA maintains and distributes a list of revoked certificates called a Certificate Revocation List (CRL). Network users access the CRL to determine the validity of a certificate.
 Certmgr.exe  Makecert.exe The Certificate Creation tool generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.
Internet Explorer (IE)  Integrated Windows Authentication. To enable this authentication method, in the Internet Options dialog box, click the Advanced tab, and then select the Enable Integrated Windows Authentication check box.  Server Certificate Revocation. Internet Explorer 6 includes support for server certificate revocation, which verifies that an issuing CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions are present. If the URL for the revocation information is unresponsive, Internet Explorer cancels the connection. To enable server certificate revocation, in the Internet Options dialog box, click the Advanced tab, and then select the Check for server certificate revocation check box.
Installing and Removing Trusted Certificates  On the Tools menu, click Internet Options, and then click the Content tab.  Click Certificates.  Click one of the following tabbed categories for the type of certificates you want to install or remove: •Personal. Certificates in the Personal category have an associated private key. Information signed by using personal certificates is identified by the user's private key data. By default, Internet Explorer places all certificates that will identify the user (with a private key) in the Personal category. •Other People. Certificates in the Other People category use public key cryptography to authenticate identity, based on a matching private key that is used to sign the information. By default, this category includes all certificates that are not in the Personal category (the user does not have a private key) and are not from CAs. •Intermediate Certification Authorities. This category contains all certificates for CAs that are not root certificates. •Trusted Root Certification Authorities. This category includes only self-signed certificates in the root store. When a CA's root certificate is listed in this category, you are trusting content from sites, people, and publishers with credentials issued by the CA. •Trusted Publishers. This category contains only certificates from trusted publishers whose content can be downloaded without user intervention, unless downloading active content is disabled in the settings for a specific security zone. Downloading active content is not enabled by default. For each available security zone, users can choose an appropriate set of ActiveX security preferences
 4.In the Intended Purpose box, select the filter for the types of certificates that you want to be displayed in the list.  5.Work with particular certificates through one of the following methods: •To add other certificates to the list, click Import. The Certificate Manager Import Wizard steps you through the process of adding a certificate. •To export certificates from the list, click Export. The Certificate Manager Export Wizard steps you through the process of exporting a certificate. •To specify the default drag-and-drop export file format (when the user drags a certificate from the Certificate Manager and drops it into a folder), click Advanced.
 To delete an existing certificate from the list of trusted certificates, click Remove. •To display the properties for a selected certificate, including the issuer of the certificate and its valid dates, click View.
Adding Trusted Publishers  To designate a trusted publisher for Internet Explorer, use the Security Warning dialog box that appears when you attempt to download software from that publisher.  To add a trusted publisher 1.Use Internet Explorer to download signed active content from the publisher. 2.When the Security Warning dialog box appears, select the Always trust content from trusted publisher check box
To download the software and control and add the publisher to the list of trusted publishers, click Yes.
 Configuring Advanced Security Options for Certificate and Authentication Features  You can easily configure options for certificate and authentication features that your users might need.  To configure advanced security options for certificates 1.On the Tools menu, click Internet Options, and then click the Advanced tab. 2.In the Security area, review the selected options. 3.Depending on the needs of your organization and its users, select or clear the appropriate check boxes. For example, to enable SSL 3.0, select the Use SSL 3.0 check box.
References  http://it-dep-is-techmeet.web.cern.ch/it-dep-is- techmeet/TechMeeting/2003-09-08/PKI- Intro.ppt#338%2c1%2cA-to-Z  http://it-dep-is-techmeet.web.cern.ch/it-dep-is- techmeet/TechMeeting/2003-10-22/2003-10-20-PKI-Intro- Hepix.ppt#394%2c11%2cExample  https://www.microsoft.com/technet/prodtechnol/ie/reskit/6 /part2/c06ie6rk.mspx?mfr=true  http://resources.nznog.org/Friday-240306/RobertLoomans- SSLandTLSCertsForUserAuthentication/NZNOG-client- certs.ppt#294%2c5%2cWhy  http://msdn2.microsoft.com/en-us/bfsktky3.aspx

More Related Content

PPTX
Secure socket layer
byBU
 
ODP
Lotusphere 2011 SHOW104
byWorkFlowStudios
 
PDF
SSL Everywhere!
bySimon Haslam
 
DOC
Certification authority
byproser tech
 
PDF
The world of encryption
byMohammad Yousri
 
PPT
SSL Implementation - IBM MQ - Secure Communications
bynishchal29
 
PDF
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
byNetgate
 
PPT
Ssl Https Server
byRam Srivastava
 
Secure socket layer
byBU
 
Lotusphere 2011 SHOW104
byWorkFlowStudios
 
SSL Everywhere!
bySimon Haslam
 
Certification authority
byproser tech
 
The world of encryption
byMohammad Yousri
 
SSL Implementation - IBM MQ - Secure Communications
bynishchal29
 
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
byNetgate
 
Ssl Https Server
byRam Srivastava
 

Similar to certificates.ppt

PPTX
Certificate pinning in android applications
byArash Ramez
 
PPTX
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
byDavid Ochel
 
PDF
Introduction of an SSL Certificate
byCheapSSLUSA
 
PPT
SSL.ppt
byTXCDHRUV
 
PDF
Understanding Digital Certificates & Secure Sockets Layer
byCheapSSLUSA
 
PDF
Ssl tls-beginners-guide
byJosephLamineDIALLO
 
ODP
SSL certificates
byKevin OBrien
 
PPT
Certificates and Web of Trust
byYousof Alsatom
 
ODP
Inro to Secure Sockets Layer: SSL
byDipankar Achinta
 
PPT
Introduction to Secure Sockets Layer
byNascenia IT
 
PPTX
MCSA 70-412 Chapter 06
byComputer Networking
 
PPT
SecureSocketLayer.ppt
byPranavUndre1
 
PPT
SSL
bytheekuchi
 
PPTX
Ssl
byAnandraj Kulkarni
 
PDF
Apache Web Server
bywebhostingguy
 
PPT
Public Key Infrastructure and Application_Applications.ppt
bylanhuongvernon
 
PPTX
Demystfying secure certs
byGary Williams
 
PDF
SSLtalk
byMatthew Aylard
 
PDF
Wildcard and SAN - Understanding Multi Domain SSL Certificate
byCheapSSLsecurity
 
PPT
Web security
byMuhammad Usman
 
Certificate pinning in android applications
byArash Ramez
 
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
byDavid Ochel
 
Introduction of an SSL Certificate
byCheapSSLUSA
 
SSL.ppt
byTXCDHRUV
 
Understanding Digital Certificates & Secure Sockets Layer
byCheapSSLUSA
 
Ssl tls-beginners-guide
byJosephLamineDIALLO
 
SSL certificates
byKevin OBrien
 
Certificates and Web of Trust
byYousof Alsatom
 
Inro to Secure Sockets Layer: SSL
byDipankar Achinta
 
Introduction to Secure Sockets Layer
byNascenia IT
 
MCSA 70-412 Chapter 06
byComputer Networking
 
SecureSocketLayer.ppt
byPranavUndre1
 
SSL
bytheekuchi
 
Ssl
byAnandraj Kulkarni
 
Apache Web Server
bywebhostingguy
 
Public Key Infrastructure and Application_Applications.ppt
bylanhuongvernon
 
Demystfying secure certs
byGary Williams
 
SSLtalk
byMatthew Aylard
 
Wildcard and SAN - Understanding Multi Domain SSL Certificate
byCheapSSLsecurity
 
Web security
byMuhammad Usman
 

Recently uploaded

PDF
Age of exploration - ppt presentation_EAPT
byericaangelatoledo06
 
PPTX
Photogrammetry_Implant_Dentistry_Summary.pptx
byJeldiKusuma
 
PPTX
PHIVOLCS FAULT FINDER grade - 7 power point
byfelicityguitang
 
PPT
Thermodynamics Chapter-2 by Cengel and Boles
byrasoolurfa
 
PDF
Control and Coordination - Short Notes (Prashant Kirad) (1).pdf
byAnu kumari
 
PPT
ch7_Acids&Bases.ppt. acid and bases , reactions of acids and bases, equilibri...
bykhadijaHijazi1
 
PPTX
ELectromagnitism.pptx ELectromagnitism.p
byLeahJaneMalinao1
 
PPT
Electric Fields and capacitance AQA A-level Physics
bybensonr1993
 
PDF
How common are oxygenic photosynthesis and large coal deposits on exoplanets?
bySérgio Sacani
 
PPTX
1. BEHAVIOURAL SCIENCE An Introduction for Medical Students.pptx
bygbadamosiayomide
 
PDF
The Crab Nebula Revisited Using HST/WFC3
bySérgio Sacani
 
PDF
Gas-depleted planet formation occurred in the four-planetsystem around the re...
bySérgio Sacani
 
PPTX
Cell cycle ( mitosis and meiosis)Msc.pptx
byPallabiBehera9
 
PDF
ExomoonsearchwithVLTI/GRAVITYaroundthesubstellar companionHD206893B
bySérgio Sacani
 
PPTX
VIRULENCE FACTOR OF BACTERIA: STRUCTURAL ELEMENT, ENZYMES, TOXINS...
byBIOSPHERE OF KNOWLEDGE
 
PDF
Bio - Molecules ( जैव अणु ) - PDF Notes - Irfanullah Mehar - JJ Sir Chemistry...
byWorld of Wisdom
 
PDF
Probiotic bacteria and their importance in aquaculture.pdf
byChinaSamy1
 
PPTX
History_Taking_and_Physical_Examination_of_Cardiovascular_System.pptx
byalirazzaghi137900
 
DOC
Grade 7 maths unit 3 worksheet for students .doc
bymahadiilove
 
PPTX
Mount and repair a fishing net for fishi
byelsavant25
 
Age of exploration - ppt presentation_EAPT
byericaangelatoledo06
 
Photogrammetry_Implant_Dentistry_Summary.pptx
byJeldiKusuma
 
PHIVOLCS FAULT FINDER grade - 7 power point
byfelicityguitang
 
Thermodynamics Chapter-2 by Cengel and Boles
byrasoolurfa
 
Control and Coordination - Short Notes (Prashant Kirad) (1).pdf
byAnu kumari
 
ch7_Acids&Bases.ppt. acid and bases , reactions of acids and bases, equilibri...
bykhadijaHijazi1
 
ELectromagnitism.pptx ELectromagnitism.p
byLeahJaneMalinao1
 
Electric Fields and capacitance AQA A-level Physics
bybensonr1993
 
How common are oxygenic photosynthesis and large coal deposits on exoplanets?
bySérgio Sacani
 
1. BEHAVIOURAL SCIENCE An Introduction for Medical Students.pptx
bygbadamosiayomide
 
The Crab Nebula Revisited Using HST/WFC3
bySérgio Sacani
 
Gas-depleted planet formation occurred in the four-planetsystem around the re...
bySérgio Sacani
 
Cell cycle ( mitosis and meiosis)Msc.pptx
byPallabiBehera9
 
ExomoonsearchwithVLTI/GRAVITYaroundthesubstellar companionHD206893B
bySérgio Sacani
 
VIRULENCE FACTOR OF BACTERIA: STRUCTURAL ELEMENT, ENZYMES, TOXINS...
byBIOSPHERE OF KNOWLEDGE
 
Bio - Molecules ( जैव अणु ) - PDF Notes - Irfanullah Mehar - JJ Sir Chemistry...
byWorld of Wisdom
 
Probiotic bacteria and their importance in aquaculture.pdf
byChinaSamy1
 
History_Taking_and_Physical_Examination_of_Cardiovascular_System.pptx
byalirazzaghi137900
 
Grade 7 maths unit 3 worksheet for students .doc
bymahadiilove
 
Mount and repair a fishing net for fishi
byelsavant25
 

certificates.ppt

  • 1.
    Certificates, Keys, Web Browsers,and Security - Sumanth Gelle
  • 2.
    Contents:  Keys  SymmetricEncryption  Asymmetric Encryption  Hybrid Encryption  Certificate  What does Certificate contain  Authentication with certificate  How to set up SSL on a web server  Certificate Revocation Lists  Browser  Internet Explorer
  • 3.
    What Does CryptographySolve?  Confidentiality  Ensure that nobody can get knowledge of what you transfer even if listening the whole conversation  Integrity  Ensure that message has not been modified during the transmission  Authenticity  You can verify that you are talking to the entity you think you are talking to
  • 4.
     Confidentiality--- Encryption isthe answer  Integrity--- Hashing is the answer  Authentication--- Digital Certificate is the answer  Cryptography is key management
  • 5.
    Keys Symmetric Keys “An introto PKI and few deploy hints” “AxCvGsmWe#4^, sdgfMwir3:dkJeTs Y8Rs@!q3%” “An intro to PKI and few deploy hints” Clear-text input Clear-text output Cipher-text Same key (shared secret) Encryption Decryption DE S DE S
  • 6.
    Symmetric Encryption  Symmetricalgorithms require the creation of a key and an initialization vector (IV) that must be kept secret from anyone who should not decrypt your data. TripleDESCryptoServiceProvider TDES = new TripleDESCryptoServiceProvider(); TDES.GenerateIV(); TDES.GenerateKey(); When the previous code is executed, a key and IV are generated when the new instance of TripleDESCryptoServiceProvider is made. Another key and IV are created when the GenerateKey and GenerateIV methods are called.
  • 7.
    Asymmetric Encryption  Asymmetricalgorithms require the creation of a public key and a private key. The public key can be made public to anyone, while the private key must known only by the party who will decrypt the data encrypted with the public key. //Generate a public/private key pair. RSACryptoServiceProvider RSA = new RSACryptoServiceProvider(); //Save the public key information to an RSAParameters structure. RSAParameters RSAKeyInfo =RSA.ExportParameters(false);
  • 8.
    Assymetric Encryption Continued… To create an asymmetric key and save it in a key container Create a new instance of a CspParameters class and pass the name that you want to call the key container to the CspParameters.KeyContainerName field. Create a new instance of a class that derives from the AsymmetricAlgorithm class (usually RSACryptoServiceProvider or DSACryptoServiceProvider) and pass the previously created CspParameters object to its constructor.  To delete a key from a key container Create a new instance of a CspParameters class and pass the name that you want to call the key container to the CspParameters.KeyContainerName field. Create a new instance of a class that derives from the AsymmetricAlgorithm class (usually RSACryptoServiceProvider or DSACryptoServiceProvider) and pass the previously created CspParameters object to its constructor. Set the PersistKeyInCSP property of the class that derives from AsymmetricAlgorithm to false (False in Visual Basic). Call the Clear method of the class that derives from AsymmetricAlgorithm. This method releases all resources of the class and clears the key container.
  • 9.
    Example: SSL Priv pub Priv pub Cleartext Encrypt Cipher 1 Encrypt Cipher 2 Transmission over the public network Cipher 2 Cipher 1 Decrypt Clear text Decrypt pub  Ensures confidentiality  And integrity if digitally signed  depending on how public key are exchanged  Authenticity, Identity, Non-repudiation pub
  • 10.
    Real World: HybridEncryption (typical for encrypted file storage) Clear-text message Randomly-Generated symmetric “session” key Symmetrically Encrypted message Symmetric Encryption Digital Envelope Recipient’s public key Asymmetric Encryption of session key Repeat as necessary Digital Envelope Public key of other recipient or recovery agent Asymmetric Encryption of session key ENCRYPTED DOCUMENT
  • 11.
    Real World: HybridDecryption Symmetrically Encrypted message Clear-text message Symmetric Decryption Digital Envelope ENCRYPTED DOCUMENT Digital Envelope Digital Envelope Asymmetric decryption of session key Private key of the recipient Take the appropriate digital envelope containing the “session” key encrypted using recipient’s public key “session” key is decrypted using the recipient private key UNENCRYPTED DOCUMENT
  • 12.
    PKI (Public KeyInfrastructure)  Public Key Infrastructure provides the technologies that enable practical distribution of public keys”  Using CERTIFICATES
  • 13.
  • 14.
    What does Certificatecontain?  Owner's public key  Owner's name or alias  Expiration date of the certificate  Serial number of the certificate  Name of the organization that issued the certificate  Digital signature of the organization that issued the certificate
  • 15.
    Authentication with Certificates Owning a Certificate of Gianni does not mean that you are Gianni  Owning a Certificate does not imply you are authenticated  How would you verify that the person who comes to you pretending to be Gianni and showing you a certificate of Gianni is really Gianni ?  You have to challenge him !  Only the real Gianni has the private key that goes in pair with the public key in the certificate.
  • 16.
    Authentication with Certificates Denise gets Gianni’s certificate  She verifies its digital signature  She can trust that the public key really belongs to Gianni  But is it Gianni standing if front of her, or is that Michel ?  Denise challenges Gianni to encrypt for her a random phrase she generated (“I like green tables with flowers”)  Gianni has (if he is the real Gianni) the private key that matches the certificate, so he responds (“deRf35D^&#dvYr8^*$@dff”)  Denise decrypts this with the public key she has in the certificate (which she trusts) and if it matches the phrase she just generated for the challenge then it must really be Gianni himself !
  • 17.
    How to SetUp SSL on a Web Server  Step1. Generate a Certificate Request  Step 2. Submit a Certificate Request  Step 3. Issue the Certificate  Step 4. Install the Certificate on the Web server  Step 5. Configure Resources to Require SSL Access
  • 18.
    Step 1. Generatea Certificate Request  Start the IIS Microsoft Management Console (MMC) snap- in.  Expand your Web server name and select the Web site for which you want to install a certificate.  Right-click the Web site, and then click Properties.  Click the Directory Security tab.  Click the Server Certificate button within Secure communications to launch the Web Server Certificate Wizard. Note If Server Certificate is unavailable, you probably selected a virtual directory, directory, or file. Go back to Step 2 and select a Web site.
  • 19.
    Step2. Submit aCertificate Request  Use Notepad to open the certificate file generated in the previous procedure and copy its entire contents to the clipboard.  Start Internet Explorer and navigate to http:// hostname/CertSrv, where hostname is the name of the computer running Microsoft Certificate Services.  Click Request a Certificate, and then click Next.  On the Choose Request Type page, click Advanced request, and then click Next.  On the Advanced Certificate Requests page, click Submit a certificate request using a base64 encoded PKCS#10 file, and then click Next.  On the Submit a Saved Request page, click in the Base64 Encoded Certificate Request (PKCS #10 or #7) text box and press CTRL+V to paste the certificate request you copied to the clipboard earlier.  In the Certificate Template combo box, click Web Server.  Click Submit.  Close Internet Explorer.
  • 25.
    Step3. Issue theCertificate  Start the Certification Authority tool from the Administrative Tools program group.  Expand your certificate authority, and then select the Pending Requests folder.  Select the certificate request you just submitted.  On the Action menu, point to All Tasks, and then click Issue.  Confirm that the certificate is displayed in the Issued Certificates folder, and then double-click it to view it.  On the Details tab, click Copy to File, and save the certificate as a Base-64 encoded X.509 certificate.  Close the properties window for the certificate.  Close the Certificate Authority tool.
  • 26.
    Step4. Install theCertificate on the Web Server  Start Internet Information Services, if it's not already running.  Expand your server name and select the Web site for which you want to install a certificate.  Right-click the Web site, and then click Properties.  Click the Directory Security tab.  Click Server Certificate to launch the Web Server Certificate Wizard.  Click Process the pending request and install the certificate, and then click Next.  Enter the path and file name of the file that contains the response from the CA, and then click Next.  Examine the certificate overview, click Next, and then click Finish. A certificate is now installed on the Web server.
  • 27.
    Step5. Configure Resourcesto Require SSL Access  Start Internet Information Services, if it's not already running.  Expand your server name and Web site. (This must be a Web site that has an installed certificate.)  Right-click a virtual directory, and then click Properties.  Click the Directory Security tab.  Under Secure communications, click Edit.  Click Require secure channel (SSL). Client's browsing to this virtual directory must now use HTTPS.  Click OK, and then click OK again to close the Properties dialog box.  Close Internet Information Services.
  • 28.
    How to SetUp Client Certificates  Step 1. Create a Simple Web Application  Step 2. Configure the Web Application to Require Client Certificates  Step 3. Request and Install a Client Certificate  Step 4. Verify Client Certificate Operation
  • 29.
    Certificate Stores  Certificatesare stored in safe locations called a certificate stores. A certificate store can contain certificates, CRLs, and Certificate Trust Lists (CTLs). Each user has a personal store (called the "MY store") where that user's certificates are stored. The MY store can be physically implemented in a number of locations including the registry, on a local or remote computer, a disk file, a data base, a directory service, a smart device, or another location.  While any certificate can be stored in the MY store, this store should be reserved for a user's personal certificates, that is the certificates used for signing and decrypting that particular user's messages.  In addition to the MY store, Windows also maintains the following certificate stores:  CA and ROOT. This store contains the certificates of certificate authorities that the user trusts to issue certificates to others. A set of trusted CA certificates are supplied with the operating system and others can be added by administrators.  Other. This store contains the certificates of other people to whom the user exchanges signed messages.  The CryptoAPI provides functions to manage certificates. These APIs can be accessed only through unmanaged code. Also, CAPICOM is a COM- based API for the CryptoAPI, which can be accessed via COM Interop.
  • 30.
    Certificates Revocation List X.509 certificates and many other certificates have a valid time duration. A certificate can expire and no longer be valid. A CA can revoke a certificate for a number of reasons. To handle revocations, a CA maintains and distributes a list of revoked certificates called a Certificate Revocation List (CRL). Network users access the CRL to determine the validity of a certificate.
  • 31.
     Certmgr.exe  Makecert.exe TheCertificate Creation tool generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.
  • 32.
    Internet Explorer (IE) Integrated Windows Authentication. To enable this authentication method, in the Internet Options dialog box, click the Advanced tab, and then select the Enable Integrated Windows Authentication check box.  Server Certificate Revocation. Internet Explorer 6 includes support for server certificate revocation, which verifies that an issuing CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions are present. If the URL for the revocation information is unresponsive, Internet Explorer cancels the connection. To enable server certificate revocation, in the Internet Options dialog box, click the Advanced tab, and then select the Check for server certificate revocation check box.
  • 34.
    Installing and RemovingTrusted Certificates  On the Tools menu, click Internet Options, and then click the Content tab.  Click Certificates.  Click one of the following tabbed categories for the type of certificates you want to install or remove: •Personal. Certificates in the Personal category have an associated private key. Information signed by using personal certificates is identified by the user's private key data. By default, Internet Explorer places all certificates that will identify the user (with a private key) in the Personal category. •Other People. Certificates in the Other People category use public key cryptography to authenticate identity, based on a matching private key that is used to sign the information. By default, this category includes all certificates that are not in the Personal category (the user does not have a private key) and are not from CAs. •Intermediate Certification Authorities. This category contains all certificates for CAs that are not root certificates. •Trusted Root Certification Authorities. This category includes only self-signed certificates in the root store. When a CA's root certificate is listed in this category, you are trusting content from sites, people, and publishers with credentials issued by the CA. •Trusted Publishers. This category contains only certificates from trusted publishers whose content can be downloaded without user intervention, unless downloading active content is disabled in the settings for a specific security zone. Downloading active content is not enabled by default. For each available security zone, users can choose an appropriate set of ActiveX security preferences
  • 36.
     4.In theIntended Purpose box, select the filter for the types of certificates that you want to be displayed in the list.  5.Work with particular certificates through one of the following methods: •To add other certificates to the list, click Import. The Certificate Manager Import Wizard steps you through the process of adding a certificate. •To export certificates from the list, click Export. The Certificate Manager Export Wizard steps you through the process of exporting a certificate. •To specify the default drag-and-drop export file format (when the user drags a certificate from the Certificate Manager and drops it into a folder), click Advanced.
  • 38.
     To deletean existing certificate from the list of trusted certificates, click Remove. •To display the properties for a selected certificate, including the issuer of the certificate and its valid dates, click View.
  • 39.
    Adding Trusted Publishers To designate a trusted publisher for Internet Explorer, use the Security Warning dialog box that appears when you attempt to download software from that publisher.  To add a trusted publisher 1.Use Internet Explorer to download signed active content from the publisher. 2.When the Security Warning dialog box appears, select the Always trust content from trusted publisher check box
  • 40.
    To download thesoftware and control and add the publisher to the list of trusted publishers, click Yes.
  • 41.
     Configuring AdvancedSecurity Options for Certificate and Authentication Features  You can easily configure options for certificate and authentication features that your users might need.  To configure advanced security options for certificates 1.On the Tools menu, click Internet Options, and then click the Advanced tab. 2.In the Security area, review the selected options. 3.Depending on the needs of your organization and its users, select or clear the appropriate check boxes. For example, to enable SSL 3.0, select the Use SSL 3.0 check box.
  • 43.
    References  http://it-dep-is-techmeet.web.cern.ch/it-dep-is- techmeet/TechMeeting/2003-09-08/PKI- Intro.ppt#338%2c1%2cA-to-Z  http://it-dep-is-techmeet.web.cern.ch/it-dep-is- techmeet/TechMeeting/2003-10-22/2003-10-20-PKI-Intro- Hepix.ppt#394%2c11%2cExample https://www.microsoft.com/technet/prodtechnol/ie/reskit/6 /part2/c06ie6rk.mspx?mfr=true  http://resources.nznog.org/Friday-240306/RobertLoomans- SSLandTLSCertsForUserAuthentication/NZNOG-client- certs.ppt#294%2c5%2cWhy  http://msdn2.microsoft.com/en-us/bfsktky3.aspx