SlideShare a Scribd company logo
#DevoxxFR
Raconte-moi X.509
Anatomie d'une autorité de certification
Jean-Christophe Sirot @jcsirot
Charles Sabourdin @kanedafromparis
1
#DevoxxFR 2
Jean-Christophe Sirot
Tech lead chez Weborama
Charles Sabourin
Architecte chez Ippon
#DevoxxFR
Attention
ce tlak n’est pas un tlak
sur le cyclimse
Merci de votre compréhension
3
#DevoxxFR 4
Un certificat ?
#DevoxxFR
Certifica
+
Un certificat ?
5
#DevoxxFR
Hiérarchie
6
Autorité Racine
Autorité
Intermédiaire 1
End Entity
Autorité
Intermédiaire 2
Autorité
Intermédiaire 3
End Entity
#DevoxxFR
Hiérarchie
7
Autorité Racine
Autorité
Intermédiaire
End Entity
Liste de certificats
révoqués
Liste de certificats
révoqués
#DevoxxFR
Et si on commençait par une démo ?
8
#DevoxxFR
Comment est émis un certificat ?
9
Autorité de
certification
CSRCSR
#DevoxxFR
Et si on continuait avec une autre démo ?
10
#DevoxxFR
Basiquement
11
$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c'
to
cancel):csabourdin@parisjug.org
------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------
(Y)es/(N)o: Y
#DevoxxFR
Basiquement
12
No names were found in your configuration files.
Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to
cancel):sample.parisjug.net
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for sample.parisjug.net
We were unable to find a vhost with a ServerName or Address of
sample.parisjug.net.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------
1: ssl.conf | | HTTPS | Enabled
-------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
#DevoxxFR
Basiquement
13
We were unable to find a vhost with a ServerName or Address of
sample.parisjug.net.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------
1: ssl.conf | | HTTPS | Enabled
-------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf
Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
#DevoxxFR
Basiquement
14
Created redirect file: le-redirect-sample.parisjug.net.conf
Rollback checkpoint is empty (no changes made?)
-------------------------------------------------------------------------
Congratulations! You have successfully enabled https://sample.parisjug.net
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=sample.parisjug.net
-------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/sample.parisjug.net/fullchain.pem. Your cert
will expire on 2017-07-01. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
#DevoxxFR
Donc, en pratique
15
$sudo openssl x509 -in /etc/letsencrypt/live/sample.parisjug.net/fullchain.pem
-text -noout | less (1/1)
--
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:d8:db:0f:01:17:b4:c5:3a:fe:dc:c5:96:88:8d:55:f8:3f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Apr 2 18:51:00 2017 GMT
Not After : Jul 1 18:51:00 2017 GMT
Subject: CN=sample.parisjug.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d9:f9:21:77:6e:08:4e:e6:87:b8:0d:ce:43:62:
a0:6d:8b:d0:7e:30:90:4c:6d:f5:19:0c:30:de:01:
…
Émetteur
Validité
début - fin
Sujet
#DevoxxFR
Donc, en pratique
16
$sudo openssl x509 -in /etc/letsencrypt/live/sample.parisjug.net/fullchain.pem
-text -noout | less (1/1)
--
ed:0b:6e:8f:72:f7:19:e1:d3:3f:27:ea:a6:32:ce:
02:bf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
F0:33:2F:F4:87:C3:24:F8:F2:DF:95:42:09:8C:00:A3:32:52:AD:D5
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
Extensions
Informations sur
l’autorité de certification
#DevoxxFR
Donc, en pratique
17
$sudo openssl x509 -in /etc/letsencrypt/live/sample.parisjug.net/
fullchain.pem -text -noout | less (1/1)
--
X509v3 Subject Alternative Name:
DNS:sample.parisjug.net
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:Explicit Text: This Certificate may ….
Signature Algorithm: sha256WithRSAEncryption
14:bb:2b:5d:56:20:fb:ad:3b:3a:6c:c9:de:33:01:a5:1d:86:
a1:c5:b1:94:d6:82:b4:a9:71:2e:63:b9:e4:b8:7f:d4:93:5d:
0c:ed:f7:08:18:53:53:76:31:46:90:ce:34:25:ce:57:b2:0a:
a8:9f:fc:33:c9:fb:8f:83:a0:89:49:ab:7c:29:92:d8:e2:ad:
…
Signature
Extensions
#DevoxxFR
Une AC est un tiers
de confiance
18
#DevoxxFR
Comment créer la
confiance ?
19
#DevoxxFR 20
Organisation
#DevoxxFR
Composants d’une IGC (PKI)
21
L’autorité de
certification (AC)
L’autorité
d’enregistrement (AE)
Le dépôt
#DevoxxFR
Autorité de Certification
22
• Boîte à signer
• Initialisée lors d’une « Cérémonie des clés »
#DevoxxFR
Autorité d’Enregistrement
23
• Composant « administratif »
• Reçoit et archive les demandes de certification et les
demandes de révocation
• S’assure du lien entre le porteur de certificat et la clé
publique
#DevoxxFR
Dépôt
24
• Publie les documents liés au fonctionnement de l’IGC
• Publie les informations de révocation
#DevoxxFR 25
Et si je montais mon AC ?
#DevoxxFR
Politique de Certification
26
• Deux documents : Politique de certification (PC) et Déclaration
des pratiques de certification (DPC)
• Expliquent le fonctionnement de l’AC : gabarits de certificats,
cycle de vie des certificats, génération des clés, hébergement
des infrastructures...
• Références
• RFC 3647 « Internet X.509 Public Key Infrastructure Certificate
Policy and Certification Practices Framework »
• En France : Politiques types du Référentiel Général de
Sécurité
#DevoxxFR
Mon AC dans Firefox ?
27
• Programme d’inclusion



https://www.mozilla.org/en-US/about/governance/policies/
security-group/certs/policy/
• Nécessite (entre autres) un audit de l’autorité de certification

ETSI EN 319 411, ETSI TS 102 042, WebTrust…
• Processus discrétionnaire
#DevoxxFR
Merci !
28

More Related Content

What's hot

TDC2016POA | Trilha Ruby - Stack Level too Deep e Tail Call Optimization: É u...
TDC2016POA | Trilha Ruby - Stack Level too Deep e Tail Call Optimization: É u...TDC2016POA | Trilha Ruby - Stack Level too Deep e Tail Call Optimization: É u...
TDC2016POA | Trilha Ruby - Stack Level too Deep e Tail Call Optimization: É u...
tdc-globalcode
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz
PROIDEA
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
SecuRing
 
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
NoNameCon
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
Backtrack Manual Part5
Backtrack Manual Part5Backtrack Manual Part5
Backtrack Manual Part5
Nutan Kumar Panda
 
IstSec'14 - Onur ALANBEL - ShellShock
IstSec'14 - Onur ALANBEL - ShellShockIstSec'14 - Onur ALANBEL - ShellShock
IstSec'14 - Onur ALANBEL - ShellShock
BGA Cyber Security
 
SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)
Fred Posner
 
Php through the eyes of a hoster
Php through the eyes of a hosterPhp through the eyes of a hoster
Php through the eyes of a hoster
Combell NV
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days
Alexandre Moneger
 
Devoxx Maroc 2015 HTTP 1, HTTP 2 and folks
Devoxx Maroc  2015 HTTP 1, HTTP 2 and folksDevoxx Maroc  2015 HTTP 1, HTTP 2 and folks
Devoxx Maroc 2015 HTTP 1, HTTP 2 and folks
Nicolas Martignole
 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basic
MksYi
 
Emotion Classification in Movie Reviews
Emotion Classification in Movie ReviewsEmotion Classification in Movie Reviews
Emotion Classification in Movie Reviews
선웅 김
 
Jetty TLS troubleshooting
Jetty TLS troubleshootingJetty TLS troubleshooting
Jetty TLS troubleshooting
Roman Tereschenko
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
Sunny Neo
 
OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010
wremes
 
ZN27112015
ZN27112015ZN27112015
ZN27112015
Denis Kolegov
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]
RootedCON
 
Introduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmmIntroduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmm
Simone Onofri
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
Alexandre Moneger
 

What's hot (20)

TDC2016POA | Trilha Ruby - Stack Level too Deep e Tail Call Optimization: É u...
TDC2016POA | Trilha Ruby - Stack Level too Deep e Tail Call Optimization: É u...TDC2016POA | Trilha Ruby - Stack Level too Deep e Tail Call Optimization: É u...
TDC2016POA | Trilha Ruby - Stack Level too Deep e Tail Call Optimization: É u...
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
 
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Backtrack Manual Part5
Backtrack Manual Part5Backtrack Manual Part5
Backtrack Manual Part5
 
IstSec'14 - Onur ALANBEL - ShellShock
IstSec'14 - Onur ALANBEL - ShellShockIstSec'14 - Onur ALANBEL - ShellShock
IstSec'14 - Onur ALANBEL - ShellShock
 
SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)
 
Php through the eyes of a hoster
Php through the eyes of a hosterPhp through the eyes of a hoster
Php through the eyes of a hoster
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days
 
Devoxx Maroc 2015 HTTP 1, HTTP 2 and folks
Devoxx Maroc  2015 HTTP 1, HTTP 2 and folksDevoxx Maroc  2015 HTTP 1, HTTP 2 and folks
Devoxx Maroc 2015 HTTP 1, HTTP 2 and folks
 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basic
 
Emotion Classification in Movie Reviews
Emotion Classification in Movie ReviewsEmotion Classification in Movie Reviews
Emotion Classification in Movie Reviews
 
Jetty TLS troubleshooting
Jetty TLS troubleshootingJetty TLS troubleshooting
Jetty TLS troubleshooting
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
 
OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010
 
ZN27112015
ZN27112015ZN27112015
ZN27112015
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]
 
Introduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmmIntroduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmm
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
 

Similar to Raconte-moi X.509 : anatomie d'une autorité de certification

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
CODE BLUE
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
sonjeku1
 
Improving password-based authentication
Improving password-based authenticationImproving password-based authentication
Improving password-based authentication
Frank Denis
 
ENCOR_350-401_June_2023-v1.8.pdf
ENCOR_350-401_June_2023-v1.8.pdfENCOR_350-401_June_2023-v1.8.pdf
ENCOR_350-401_June_2023-v1.8.pdf
CCIEHOMER
 
Steam Learn: HTTPS and certificates explained
Steam Learn: HTTPS and certificates explainedSteam Learn: HTTPS and certificates explained
Steam Learn: HTTPS and certificates explained
inovia
 
#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS
Olle E Johansson
 
Office Comunnications Server 2007 R2 Poster
Office Comunnications Server 2007 R2 PosterOffice Comunnications Server 2007 R2 Poster
Office Comunnications Server 2007 R2 Poster
Paulo Freitas
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE
 
支撐英雄聯盟戰績網的那條巨蟒
支撐英雄聯盟戰績網的那條巨蟒支撐英雄聯盟戰績網的那條巨蟒
支撐英雄聯盟戰績網的那條巨蟒
Toki Kanno
 
OWASP San Diego Training Presentation
OWASP San Diego Training PresentationOWASP San Diego Training Presentation
OWASP San Diego Training Presentation
owaspsd
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT security
Julien Vermillard
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)
xsist10
 
Understanding gRPC Authentication Methods
Understanding gRPC Authentication MethodsUnderstanding gRPC Authentication Methods
Understanding gRPC Authentication Methods
Anthony Chow
 
1205 bhat pdf-ssl
1205 bhat pdf-ssl1205 bhat pdf-ssl
1205 bhat pdf-ssl
Jamshoo Lakhani
 
Cisco Connect Ottawa 2018 secure on prem
Cisco Connect Ottawa 2018 secure on premCisco Connect Ottawa 2018 secure on prem
Cisco Connect Ottawa 2018 secure on prem
Cisco Canada
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conference
xsist10
 
Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014
Barney Hanlon
 
Linux administration ii-parti
Linux administration ii-partiLinux administration ii-parti
Linux administration ii-parti
Sehla Loussaief Zayen
 
Alfresco Certificates
Alfresco Certificates Alfresco Certificates
Alfresco Certificates
Angel Borroy López
 
Nginx - The webserver you might actually like
Nginx - The webserver you might actually likeNginx - The webserver you might actually like
Nginx - The webserver you might actually like
Edorian
 

Similar to Raconte-moi X.509 : anatomie d'une autorité de certification (20)

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
 
Improving password-based authentication
Improving password-based authenticationImproving password-based authentication
Improving password-based authentication
 
ENCOR_350-401_June_2023-v1.8.pdf
ENCOR_350-401_June_2023-v1.8.pdfENCOR_350-401_June_2023-v1.8.pdf
ENCOR_350-401_June_2023-v1.8.pdf
 
Steam Learn: HTTPS and certificates explained
Steam Learn: HTTPS and certificates explainedSteam Learn: HTTPS and certificates explained
Steam Learn: HTTPS and certificates explained
 
#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS
 
Office Comunnications Server 2007 R2 Poster
Office Comunnications Server 2007 R2 PosterOffice Comunnications Server 2007 R2 Poster
Office Comunnications Server 2007 R2 Poster
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT Devices
 
支撐英雄聯盟戰績網的那條巨蟒
支撐英雄聯盟戰績網的那條巨蟒支撐英雄聯盟戰績網的那條巨蟒
支撐英雄聯盟戰績網的那條巨蟒
 
OWASP San Diego Training Presentation
OWASP San Diego Training PresentationOWASP San Diego Training Presentation
OWASP San Diego Training Presentation
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT security
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)
 
Understanding gRPC Authentication Methods
Understanding gRPC Authentication MethodsUnderstanding gRPC Authentication Methods
Understanding gRPC Authentication Methods
 
1205 bhat pdf-ssl
1205 bhat pdf-ssl1205 bhat pdf-ssl
1205 bhat pdf-ssl
 
Cisco Connect Ottawa 2018 secure on prem
Cisco Connect Ottawa 2018 secure on premCisco Connect Ottawa 2018 secure on prem
Cisco Connect Ottawa 2018 secure on prem
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conference
 
Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014
 
Linux administration ii-parti
Linux administration ii-partiLinux administration ii-parti
Linux administration ii-parti
 
Alfresco Certificates
Alfresco Certificates Alfresco Certificates
Alfresco Certificates
 
Nginx - The webserver you might actually like
Nginx - The webserver you might actually likeNginx - The webserver you might actually like
Nginx - The webserver you might actually like
 

Recently uploaded

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Zilliz
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 

Recently uploaded (20)

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 

Raconte-moi X.509 : anatomie d'une autorité de certification

  • 1. #DevoxxFR Raconte-moi X.509 Anatomie d'une autorité de certification Jean-Christophe Sirot @jcsirot Charles Sabourdin @kanedafromparis 1
  • 2. #DevoxxFR 2 Jean-Christophe Sirot Tech lead chez Weborama Charles Sabourin Architecte chez Ippon
  • 3. #DevoxxFR Attention ce tlak n’est pas un tlak sur le cyclimse Merci de votre compréhension 3
  • 6. #DevoxxFR Hiérarchie 6 Autorité Racine Autorité Intermédiaire 1 End Entity Autorité Intermédiaire 2 Autorité Intermédiaire 3 End Entity
  • 7. #DevoxxFR Hiérarchie 7 Autorité Racine Autorité Intermédiaire End Entity Liste de certificats révoqués Liste de certificats révoqués
  • 8. #DevoxxFR Et si on commençait par une démo ? 8
  • 9. #DevoxxFR Comment est émis un certificat ? 9 Autorité de certification CSRCSR
  • 10. #DevoxxFR Et si on continuait avec une autre démo ? 10
  • 11. #DevoxxFR Basiquement 11 $ sudo certbot --apache Saving debug log to /var/log/letsencrypt/letsencrypt.log Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):csabourdin@parisjug.org ------------------------------------------------------------------------ Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory ------------------------------------------------------------------------- (A)gree/(C)ancel: A ------------------------------------------------------------------------- Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights. ------------------------------------------------------------------------- (Y)es/(N)o: Y
  • 12. #DevoxxFR Basiquement 12 No names were found in your configuration files. Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):sample.parisjug.net Obtaining a new certificate Performing the following challenges: tls-sni-01 challenge for sample.parisjug.net We were unable to find a vhost with a ServerName or Address of sample.parisjug.net. Which virtual host would you like to choose? (note: conf files with multiple vhosts are not yet supported) ------------------------------------------------------------------------- 1: ssl.conf | | HTTPS | Enabled ------------------------------------------------------------------------- Press 1 [enter] to confirm the selection (press 'c' to cancel): 1 Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
  • 13. #DevoxxFR Basiquement 13 We were unable to find a vhost with a ServerName or Address of sample.parisjug.net. Which virtual host would you like to choose? (note: conf files with multiple vhosts are not yet supported) ------------------------------------------------------------------------- 1: ssl.conf | | HTTPS | Enabled ------------------------------------------------------------------------- Press 1 [enter] to confirm the selection (press 'c' to cancel): 1 Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf Please choose whether HTTPS access is required or optional. ------------------------------------------------------------------------- 1: Easy - Allow both HTTP and HTTPS access to these sites 2: Secure - Make all requests redirect to secure HTTPS access ------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
  • 14. #DevoxxFR Basiquement 14 Created redirect file: le-redirect-sample.parisjug.net.conf Rollback checkpoint is empty (no changes made?) ------------------------------------------------------------------------- Congratulations! You have successfully enabled https://sample.parisjug.net You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=sample.parisjug.net ------------------------------------------------------------------------- IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/sample.parisjug.net/fullchain.pem. Your cert will expire on 2017-07-01. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
  • 15. #DevoxxFR Donc, en pratique 15 $sudo openssl x509 -in /etc/letsencrypt/live/sample.parisjug.net/fullchain.pem -text -noout | less (1/1) -- Certificate: Data: Version: 3 (0x2) Serial Number: 03:d8:db:0f:01:17:b4:c5:3a:fe:dc:c5:96:88:8d:55:f8:3f Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 Validity Not Before: Apr 2 18:51:00 2017 GMT Not After : Jul 1 18:51:00 2017 GMT Subject: CN=sample.parisjug.net Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d9:f9:21:77:6e:08:4e:e6:87:b8:0d:ce:43:62: a0:6d:8b:d0:7e:30:90:4c:6d:f5:19:0c:30:de:01: … Émetteur Validité début - fin Sujet
  • 16. #DevoxxFR Donc, en pratique 16 $sudo openssl x509 -in /etc/letsencrypt/live/sample.parisjug.net/fullchain.pem -text -noout | less (1/1) -- ed:0b:6e:8f:72:f7:19:e1:d3:3f:27:ea:a6:32:ce: 02:bf Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: F0:33:2F:F4:87:C3:24:F8:F2:DF:95:42:09:8C:00:A3:32:52:AD:D5 X509v3 Authority Key Identifier: keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org/ CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ Extensions Informations sur l’autorité de certification
  • 17. #DevoxxFR Donc, en pratique 17 $sudo openssl x509 -in /etc/letsencrypt/live/sample.parisjug.net/ fullchain.pem -text -noout | less (1/1) -- X509v3 Subject Alternative Name: DNS:sample.parisjug.net X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org User Notice:Explicit Text: This Certificate may …. Signature Algorithm: sha256WithRSAEncryption 14:bb:2b:5d:56:20:fb:ad:3b:3a:6c:c9:de:33:01:a5:1d:86: a1:c5:b1:94:d6:82:b4:a9:71:2e:63:b9:e4:b8:7f:d4:93:5d: 0c:ed:f7:08:18:53:53:76:31:46:90:ce:34:25:ce:57:b2:0a: a8:9f:fc:33:c9:fb:8f:83:a0:89:49:ab:7c:29:92:d8:e2:ad: … Signature Extensions
  • 18. #DevoxxFR Une AC est un tiers de confiance 18
  • 21. #DevoxxFR Composants d’une IGC (PKI) 21 L’autorité de certification (AC) L’autorité d’enregistrement (AE) Le dépôt
  • 22. #DevoxxFR Autorité de Certification 22 • Boîte à signer • Initialisée lors d’une « Cérémonie des clés »
  • 23. #DevoxxFR Autorité d’Enregistrement 23 • Composant « administratif » • Reçoit et archive les demandes de certification et les demandes de révocation • S’assure du lien entre le porteur de certificat et la clé publique
  • 24. #DevoxxFR Dépôt 24 • Publie les documents liés au fonctionnement de l’IGC • Publie les informations de révocation
  • 25. #DevoxxFR 25 Et si je montais mon AC ?
  • 26. #DevoxxFR Politique de Certification 26 • Deux documents : Politique de certification (PC) et Déclaration des pratiques de certification (DPC) • Expliquent le fonctionnement de l’AC : gabarits de certificats, cycle de vie des certificats, génération des clés, hébergement des infrastructures... • Références • RFC 3647 « Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework » • En France : Politiques types du Référentiel Général de Sécurité
  • 27. #DevoxxFR Mon AC dans Firefox ? 27 • Programme d’inclusion
 
 https://www.mozilla.org/en-US/about/governance/policies/ security-group/certs/policy/ • Nécessite (entre autres) un audit de l’autorité de certification
 ETSI EN 319 411, ETSI TS 102 042, WebTrust… • Processus discrétionnaire