Digital Certificates

1. Digital Certificates

Presented by
Sunit Chauhan
Copyright, 1996 © Dale Carnegie & Associates, Inc.

2. Basic Terms

• Public Key Cryptographic Standards, PKCS
A collection of 12 papers PKCS #1 to PKCS #12
developed by RSA Labs and representatives from
the academia and industry.
PKCS #1
RSA Algorithm
PKCS #3
Diffie-Hellman Algorithm
PKCS #7
Cryptographic Message Syntax Std
PKCS #10
Key Certification Request
PKCS #11
Standard API for developers
PKCS #12
Certificate Interchange Format
PKCS #13
Elliptic Curves Algorithm

3. Basic Terms

• Digital Signatures
• DSS issued by NIST
• Message Digest Algorithms
• Non Reversible (One way function)
• Examples
Message Digest
Algorithm
Organization
MD2, MD4, MD5
RSA Data Security Inc.
SHA, SHA-1
US Government
Digest Length
128 bits
160 bits

4. Digital Certificates

Certificates are the framework for
identification information, and bind
identities with public keys.
They provide a foundation for
• identification ,
• authentication and
• non-repudiation.

5. Sample View of a Certificate

Certificate Types :
• Private/Personal
Server
Developer

6.

7. X.509 v3 Certificate Format

• Version
• Certificate Serial Number
• Signature Algorithm Identifier
• Issuer Name
• Validity Period
• Subject Name
• Subject Public Key Information
• Optional Fields

8. X.509 v3 Extension Fields

• Associate additional information for
subjects ,public keys ,managing
certification hierarchy and certificate
revocation lists.
• Extension type
• Extension value
• Criticality indicator

9. X.509 Profiles

Tailor the authentication model of X.509 to
specific environments based on Risk perception.
• IETF Public Key Infrastructure (PKIX -1) :
Application-independent certificate based key
distribution mechanism.
• SET Standard :
Secure messaging for payment-service transactions
over open-networks.

10. Certification Authorities

• Trusted
organization that
issues certificates
and maintains
status information
about certificates.
• Certification
Practice Statement
Certification Authority’s
Private Key
X.509 v3
Format
Certificate
CA’s Digital
Signature
Generate Digital
Signature

11. How Digital Certificates work?

• Generate Public and Private Keys.
• Get Certificate from the CA
• Sign the document/page using the private
key.
• Send signed document over open
networks along with the CA’s certificate.
• Recipient verifies using the signing CA’s
public key
• Trust Chain and Fingerprints

12. Web Server Security

• Server Authentication using SSL
• Information to/from the correct Web Site
• Information in encrypted form
• Setting up SSL on a Web Site
• Create a Server Certificate Request
• Obtain the Server Certificate from a CA/locally
• Install it on the Web Server
• Establishing an SSL connection
• Need root certificate of the issuing CA

13. Client Authentication

• Anonymous
• Basic
• Challenge Response (NT)
• SSL Client Authentication

14. Certification and Registration

• Application
• Subject Authentication
• Certificate Generation
• Certificate Distribution
• Certificate Revocation

15. Subject Authentication

• Confirm the identity of the subject
• Based on the class of certificate
• Local Registration Authority(LRA) model
End Entity
CA
Request
Enrolment
Renewal
LRA
Certificate
Issuance
Revocation
Suspension
Renewal
Repository
Get Certificate
Applications
Authentication
Generate Key
Pairs
Revocations
• Example : Verisign Onsite

16. Importing a Certificate

To send an encrypted message or document to
a person who has a certificate.
• From a Certification Authority
• From a Directory Service (LDAP)
• From a signed message
• From a local file (encoded Binary PKCS #7)

17. Certificate Revocation Lists

• A data structure that has the list of all the
serial numbers of the revoked certificates.
• Standard X.509 CRL format (ISO/ITU)
• Propagation
• Polling for CRLs
• Pushing CRLs
• Online status checking

18. Formal Specification (PKCS #7)

• Abstract Syntax Notation (ASN.1)
Design tool used for expressing syntax of messages.
Widely used to describe protocols interfaces etc.
SignedData ::= SEQUENCE {
version
Version
digestAlgorithms
DigestAlgorithmIdentifiers
contentInfo
ContentInfo
certificates
[0] IMPLICIT
ExtendedCertificatesAndCertificates OPTIONAL
crls
CertificateRevocationLists
signerInfos
SignerInfos
}
PKCS #7 syntax for SignedData type
• ASN.1objects are encoded using BER/DER.

19. Key Certification Request

CertificationRequest ::= SEQUENCE {
certificationRequestInfo
CertificationRequestInfo
signatureAlgorithms
SignatureAlgorithmIdentifiers
signature
Signature
}
CertificationRequestInfo ::= SEQUENCE {
version
Version
subject
Name
subjectpublickeyInfo
SubjectPublicKeyInfo
attributes
[0] IMPLICIT Attributes
}
Version ::= INTEGER
Attributes ::= Set (Name = Value pair)
SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
Signature ::= BIT STRING
PKCS #10 syntax using ASN.1 notation

20. Certificate Management

Value and Validity of Certificates will be
questioned
• Cross Certification (Multiple CA’s)
Forest of Top-Down Hierarchies
Top-Down Hierarchical Structure

21. Applications of Certificates

• Sandbox
• Code Signing Vs Shrink-Wrapped Software
• Accountability and Authenticity
• Microsoft Authenticode 1.0
• based on X.503 v3 and PKCS #7
• Commercial Vs Individual Publishers
• Object Signing
• Netscape’s technology
• Signs any kind of Files

22. Applications (continued)

• Secure Messaging & S/MIME
• Web Server Security
• Microsoft ASP for Access Control