Computer Security: exercise 2
- Florence Underwood
- 5 years ago
1 Computer Security: exercise 2
Cataldo Basile < polito.it >
Politecnico di Torino, Dip. Automatica e Informatica
2 Outline
- two main topics
  - inspection of PKCS#7 messages
  - certificate validation
- exercises and questions
  - signature formats (PKCS#7/CMS)
    - differences, peculiarities
  - enveloped data
  - check certificate validity
    - offline with CRL
    - online with OCSP
    - OCSP vs. CRL
3 ASN.1, BER, DER, PEM
- ASN.1: a schema to describe the structure of binary files
  - the same as XMLSchema for XML documents
- valid instances are obtained with encoding rules
- Basic Encoding Rules (BER)
  - different encodings allowed
  - not a unique representation
- Distinguished Encoding Rules (DER)
  - exactly one way to encode data
- Privacy Enhanced Mail (PEM)
  - Base64 of data encoded with DER
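As an added illustration (not part of the original slides, and not OpenSSL code), the Python walker below reads tag-length-value headers and reports the offset, depth (d), header length (hl) and content length (l) columns that `openssl asn1parse` prints for p7s.pem in the later slides; in strict mode it rejects a length encoding that BER accepts and DER forbids. The sample bytes are constructed here to mirror the first eleven entries of that dump, and all function names are assumptions of this example.

```python
# Added example (not OpenSSL code): TLV walker with asn1parse-style columns.
from typing import List, NamedTuple, Optional, Tuple

UNIVERSAL = {1: "BOOLEAN", 2: "INTEGER", 3: "BIT STRING", 4: "OCTET STRING",
             5: "NULL", 6: "OBJECT", 12: "UTF8STRING", 16: "SEQUENCE",
             17: "SET", 19: "PRINTABLESTRING", 23: "UTCTIME"}
OID_NAMES = {"1.2.840.113549.1.7.1": "pkcs7-data",
             "1.2.840.113549.1.7.2": "pkcs7-signedData",
             "2.16.840.1.101.3.4.2.1": "sha256"}

# Constructed sample (not the real p7s.pem): signedData ContentInfo cut off
# after encapContentInfo, so no certificates and no signerInfos.
SAMPLE_DER = bytes.fromhex(
    "3030" "06092a864886f70d010702"      # SEQUENCE { OID pkcs7-signedData
    "a023" "3021" "020101"               # [0] { SEQUENCE { INTEGER 1
    "310f" "300d" "0609608648016503040201" "0500"  # SET { SEQUENCE { sha256, NULL
    "300b" "06092a864886f70d010701")     # SEQUENCE { OID pkcs7-data
# Same content, outer length written in long form (81 30) instead of 30.
SAMPLE_BER = bytes.fromhex("308130") + SAMPLE_DER[2:]


class EncodingError(ValueError):
    """The bytes violate the selected encoding rules."""


class Node(NamedTuple):
    offset: int        # position of the tag byte
    depth: int         # nesting level, asn1parse "d="
    hl: int            # header length (tag + length octets), "hl="
    length: int        # content length, "l="
    constructed: bool  # "cons" or "prim"
    name: str
    value: str


def read_header(buf: bytes, pos: int, strict_der: bool) -> Tuple[int, int, int]:
    """Return (tag, header_len, content_len) of the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise EncodingError(f"truncated header at {pos}")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise EncodingError("multi-byte tag numbers are not handled here")
    if first < 0x80:                      # short form: one length octet
        return tag, 2, first
    count = first & 0x7F                  # long form: number of length octets
    octets = buf[pos + 2:pos + 2 + count]
    if count == 0 or len(octets) != count:
        raise EncodingError(f"indefinite or truncated length at {pos}")
    length = int.from_bytes(octets, "big")
    # DER allows exactly one length encoding: the shortest one.
    if strict_der and (length < 0x80 or octets[0] == 0):
        raise EncodingError(f"non-minimal length at {pos}: valid BER, not DER")
    return tag, 2 + count, length


def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:               # last octet of this sub-identifier
            subids.append(value)
            value = 0
    if not subids:
        raise EncodingError("empty OBJECT IDENTIFIER")
    first = min(subids[0] // 40, 2)       # first two arcs share one sub-identifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))


def walk(buf: bytes, strict_der: bool = True, pos: int = 0,
         end: Optional[int] = None, depth: int = 0) -> List[Node]:
    """Return every element between pos and end in pre-order."""
    end = len(buf) if end is None else end
    nodes: List[Node] = []
    while pos < end:
        tag, hl, length = read_header(buf, pos, strict_der)
        if pos + hl + length > end:
            raise EncodingError(f"element at {pos} overruns its container")
        number, body = tag & 0x1F, buf[pos + hl:pos + hl + length]
        name = (UNIVERSAL.get(number, f"UNIVERSAL {number}") if tag >> 6 == 0
                else f"{('appl', 'cont', 'priv')[(tag >> 6) - 1]} [ {number} ]")
        value = body.hex().upper() if tag == 0x02 else ""
        if tag == 0x06:
            value = OID_NAMES.get(decode_oid(body), decode_oid(body))
        nodes.append(Node(pos, depth, hl, length, bool(tag & 0x20), name, value))
        if tag & 0x20:                    # constructed: descend into the content
            nodes += walk(buf, strict_der, pos + hl, pos + hl + length, depth + 1)
        pos += hl + length
    return nodes


def render(nodes: List[Node]) -> List[str]:
    return [f"{n.offset:5d}:d={n.depth:<2d} hl={n.hl} l={n.length:4d} "
            f"{'cons' if n.constructed else 'prim'}: {n.name}"
            + (f" :{n.value}" if n.value else "") for n in nodes]


if __name__ == "__main__":
    print("\n".join(render(walk(SAMPLE_DER))))
```

The depth sequence of the sample matches the first eleven entries of the p7s.pem dump; only the offsets differ, because the real envelope is large enough to need 4-byte headers on its outer elements.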
4 Structure
[diagram: a contentInfo holds a contentType and a content; the content can in turn hold 1..N nested (contentType, content) pairs]
5 ContentType
- data: encoding of a generic sequence of bytes
- signedData: data + (1..N) parallel signatures
- envelopedData: data encrypted with symmetric crypto + key encrypted with asymmetric crypto (RSA)
- signedAndEnvelopedData: asymmetric encryption of data + signatures (RSA)
- digestData: data + digest
- encryptedData: data encrypted with symmetric algorithm
6 SignedData
[diagram: a signedData content holds version, digestAlgorithm, contentInfo, optional certificates, optional crls and the signerInfo entries; each signerInfo holds version, issuer + SN and encryptedDigest]
7 Signed-data (ASN.1)
SignedData ::= SEQUENCE {
    version CMSVersion,
    digestAlgorithms DigestAlgorithmIdentifiers,
    encapContentInfo EncapsulatedContentInfo,
    certificates [0] IMPLICIT CertificateSet OPTIONAL,
    crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
    signerInfos SignerInfos }
SignerInfo ::= SEQUENCE {
    version CMSVersion,
    sid SignerIdentifier,
    digestAlgorithm DigestAlgorithmIdentifier,
    signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
    signatureAlgorithm SignatureAlgorithmIdentifier,
    signature SignatureValue,
    unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }
8 Signed-data (ASN.1)
The SignedData and SignerInfo definitions of slide 7 again, with two of their types spelled out:
DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
SignerInfos ::= SET OF SignerInfo
9 Prepare the environment
- create a test CA
    /usr/lib/ssl/misc/CA.pl -newca
- create a certificate request for Alice
    openssl req -new -newkey rsa:2048 -keyout alice_pkey.pem -out alice_creq.pem
- issue the user certificate and view its content
    openssl ca -in alice_creq.pem -out alice_cert.pem
    openssl x509 -in alice_cert.pem -text -noout
    cat index.txt
  (check the serial numbers: we'll need them)
- create Bob's certificate (required later on)
    openssl req -new -newkey rsa:2048 -keyout bob_pkey.pem -out bob_creq.pem
    openssl ca -in bob_creq.pem -out bob_cert.pem
10 Detached signature
- create the doc to sign
    echo This is a message used to test the pkcs7 format > msg
- create the detached signature:
    openssl smime -sign -in msg -out p7s.pem -outform PEM -signer alice_cert.pem -inkey alice_pkey.pem -certfile demoCA/cacert.pem
  - user_pkey.pem contains the private key (of the signer)
  - user_cert.pem contains the user certificate
  - p7s.pem contains the detached signature on the message msg in PKCS#7 format
- to view the PKCS#7 envelope
    openssl asn1parse -in p7s.pem -i | less
- you can check the provided material: p7s.asn1
11 PKCS#7: p7s.pem with asn1parse (1)
0:d=0 hl=4 l=2462 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signeddata
  <- ContentType
15:d=1 hl=4 l=2447 cons: cont [ 0 ]
19:d=2 hl=4 l=2443 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 15 cons: SET
  <- DigestAlgorithmIdentifier
28:d=4 hl=2 l= 13 cons: SEQUENCE
30:d=5 hl=2 l= 9 prim: OBJECT :sha256
41:d=5 hl=2 l= 0 prim: NULL
43:d=3 hl=2 l= 11 cons: SEQUENCE
  <- Data signed: empty!! (because it's a detached sig)
45:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
56:d=3 hl=4 l=1787 cons: cont [ 0 ]
60:d=4 hl=4 l= 870 cons: SEQUENCE
64:d=5 hl=4 l= 590 cons: SEQUENCE
  <- Certificate of issuer CA of signer: serial number
68:d=6 hl=2 l= 3 cons: cont [ 0 ]
70:d=7 hl=2 l= 1 prim: INTEGER :02
73:d=6 hl=2 l= 9 prim: INTEGER :D55EADBB85373D61
12 PKCS#7: p7s.pem with asn1parse (2)
84:d=6 hl=2 l= 13 cons: SEQUENCE
  <- AlgorithmIdentifier
86:d=7 hl=2 l= 9 prim: OBJECT :sha256withrsaencryption
97:d=7 hl=2 l= 0 prim: NULL
99:d=6 hl=2 l= 72 cons: SEQUENCE
101:d=7 hl=2 l= 11 cons: SET
103:d=8 hl=2 l= 9 cons: SEQUENCE
105:d=9 hl=2 l= 3 prim: OBJECT :countryname
  <- Issuer of CA certificate of signer
110:d=9 hl=2 l= 2 prim: PRINTABLESTRING :IT
114:d=7 hl=2 l= 19 cons: SET
116:d=8 hl=2 l= 17 cons: SEQUENCE
118:d=9 hl=2 l= 3 prim: OBJECT :stateorprovincename
123:d=9 hl=2 l= 10 prim: UTF8STRING :Some-State
135:d=7 hl=2 l= 15 cons: SET
137:d=8 hl=2 l= 13 cons: SEQUENCE
139:d=9 hl=2 l= 3 prim: OBJECT :organizationname
144:d=9 hl=2 l= 6 prim: UTF8STRING :Polito
152:d=7 hl=2 l= 19 cons: SET
13 PKCS#7: p7s.pem with asn1parse (3)
154:d=8 hl=2 l= 17 cons: SEQUENCE
156:d=9 hl=2 l= 3 prim: OBJECT :commonname
161:d=9 hl=2 l= 10 prim: UTF8STRING :My demo CA
173:d=6 hl=2 l= 30 cons: SEQUENCE
  <- Validity of CA certificate
175:d=7 hl=2 l= 13 prim: UTCTIME : Z
190:d=7 hl=2 l= 13 prim: UTCTIME : Z
205:d=6 hl=2 l= 72 cons: SEQUENCE
207:d=7 hl=2 l= 11 cons: SET
  <- Subject of CA certificate of the signer
209:d=8 hl=2 l= 9 cons: SEQUENCE
211:d=9 hl=2 l= 3 prim: OBJECT :countryname
216:d=9 hl=2 l= 2 prim: PRINTABLESTRING :IT
220:d=7 hl=2 l= 19 cons: SET
222:d=8 hl=2 l= 17 cons: SEQUENCE
224:d=9 hl=2 l= 3 prim: OBJECT :stateorprovincename
229:d=9 hl=2 l= 10 prim: UTF8STRING :Some-State
241:d=7 hl=2 l= 15 cons: SET
243:d=8 hl=2 l= 13 cons: SEQUENCE
14 PKCS#7: p7s.pem with asn1parse (4)
243:d=8 hl=2 l= 13 cons: SEQUENCE
245:d=9 hl=2 l= 3 prim: OBJECT :organizationname
250:d=9 hl=2 l= 6 prim: UTF8STRING :Polito
258:d=7 hl=2 l= 19 cons: SET
  <- Subject of CA certificate of signer
260:d=8 hl=2 l= 17 cons: SEQUENCE
262:d=9 hl=2 l= 3 prim: OBJECT :commonname
267:d=9 hl=2 l= 10 prim: UTF8STRING :My demo CA
279:d=6 hl=4 l= 290 cons: SEQUENCE
283:d=7 hl=2 l= 13 cons: SEQUENCE
285:d=8 hl=2 l= 9 prim: OBJECT :rsaencryption
296:d=8 hl=2 l= 0 prim: NULL
298:d=7 hl=4 l= 271 prim: BIT STRING
573:d=6 hl=2 l= 83 cons: cont [ 3 ]
  <- Extensions in CA certificate of signer
575:d=7 hl=2 l= 81 cons: SEQUENCE
577:d=8 hl=2 l= 29 cons: SEQUENCE
579:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
15 PKCS#7: p7s.pem with asn1parse (5)
584:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04141AC5E984339F5FD1D2A34D592C0FFFD3B7818DE8
608:d=8 hl=2 l= 31 cons: SEQUENCE
610:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
615:d=9 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]: AC5E984339F5FD1D2A34D592C0FFFD3B7818DE8
641:d=8 hl=2 l= 15 cons: SEQUENCE
643:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
648:d=9 hl=2 l= 1 prim: BOOLEAN :
:d=9 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]: FF
658:d=5 hl=2 l= 13 cons: SEQUENCE
660:d=6 hl=2 l= 9 prim: OBJECT :sha256withrsaencryption
671:d=6 hl=2 l= 0 prim: NULL
673:d=5 hl=4 l= 257 prim: BIT STRING
934:d=4 hl=4 l= 909 cons: SEQUENCE
  <- Extensions in CA certificate of signer
938:d=5 hl=4 l= 629 cons: SEQUENCE
942:d=6 hl=2 l= 3 cons: cont [ 0 ]
16 PKCS#7: p7s.pem with asn1parse (6)
944:d=7 hl=2 l= 1 prim: INTEGER :02
  <- Certificate of the signer: serial number
947:d=6 hl=2 l= 9 prim: INTEGER :D55EADBB85373D62
958:d=6 hl=2 l= 13 cons: SEQUENCE
960:d=7 hl=2 l= 9 prim: OBJECT :sha256withrsaencryption
971:d=7 hl=2 l= 0 prim: NULL
973:d=6 hl=2 l= 72 cons: SEQUENCE
975:d=7 hl=2 l= 11 cons: SET
  <- Certificate of the signer: Issuer
977:d=8 hl=2 l= 9 cons: SEQUENCE
979:d=9 hl=2 l= 3 prim: OBJECT :countryname
984:d=9 hl=2 l= 2 prim: PRINTABLESTRING :IT
988:d=7 hl=2 l= 19 cons: SET
990:d=8 hl=2 l= 17 cons: SEQUENCE
992:d=9 hl=2 l= 3 prim: OBJECT :stateorprovincename
997:d=9 hl=2 l= 10 prim: UTF8STRING :Some-State
1009:d=7 hl=2 l= 15 cons: SET
1011:d=8 hl=2 l= 13 cons: SEQUENCE
1013:d=9 hl=2 l= 3 prim: OBJECT :organizationname
17 PKCS#7: p7s.pem with asn1parse (7)
1013:d=9 hl=2 l= 3 prim: OBJECT :organizationname
1018:d=9 hl=2 l= 6 prim: UTF8STRING :Polito
1026:d=7 hl=2 l= 19 cons: SET
1028:d=8 hl=2 l= 17 cons: SEQUENCE
1030:d=9 hl=2 l= 3 prim: OBJECT :commonname
1035:d=9 hl=2 l= 10 prim: UTF8STRING :My demo CA
1047:d=6 hl=2 l= 30 cons: SEQUENCE
  <- Certificate of the signer: validity
1049:d=7 hl=2 l= 13 prim: UTCTIME : Z
1064:d=7 hl=2 l= 13 prim: UTCTIME : Z
1079:d=6 hl=2 l= 71 cons: SEQUENCE
1081:d=7 hl=2 l= 11 cons: SET
  <- Certificate of the signer: Subject
1083:d=8 hl=2 l= 9 cons: SEQUENCE
1085:d=9 hl=2 l= 3 prim: OBJECT :countryname
1090:d=9 hl=2 l= 2 prim: PRINTABLESTRING :IT
1094:d=7 hl=2 l= 19 cons: SET
1096:d=8 hl=2 l= 17 cons: SEQUENCE
1098:d=9 hl=2 l= 3 prim: OBJECT :stateorprovincename
18 PKCS#7: p7s.pem with asn1parse (8)
1098:d=9 hl=2 l= 3 prim: OBJECT :stateorprovincename
1103:d=9 hl=2 l= 10 prim: UTF8STRING :Some-State
1115:d=7 hl=2 l= 15 cons: SET
1117:d=8 hl=2 l= 13 cons: SEQUENCE
1119:d=9 hl=2 l= 3 prim: OBJECT :organizationname
1124:d=9 hl=2 l= 6 prim: UTF8STRING :Polito
1132:d=7 hl=2 l= 18 cons: SET
  <- Certificate of the signer: common name
1134:d=8 hl=2 l= 16 cons: SEQUENCE
1136:d=9 hl=2 l= 3 prim: OBJECT :commonname
1141:d=9 hl=2 l= 9 prim: UTF8STRING :User cert
1152:d=6 hl=4 l= 290 cons: SEQUENCE
1156:d=7 hl=2 l= 13 cons: SEQUENCE
1158:d=8 hl=2 l= 9 prim: OBJECT :rsaencryption
1169:d=8 hl=2 l= 0 prim: NULL
1171:d=7 hl=4 l= 271 prim: BIT STRING
1446:d=6 hl=2 l= 123 cons: cont [ 3 ]
1448:d=7 hl=2 l= 121 cons: SEQUENCE
19 PKCS#7: p7s.pem with asn1parse (9)
1450:d=8 hl=2 l= 9 cons: SEQUENCE
1452:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
1457:d=9 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:
:d=8 hl=2 l= 44 cons: SEQUENCE
1463:d=9 hl=2 l= 9 prim: OBJECT :Netscape Comment
1474:d=9 hl=2 l= 31 prim: OCTET STRING [HEX DUMP]: 161D4F70656E53534C E
:d=8 hl=2 l= 29 cons: SEQUENCE
1509:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
1514:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]: DF E95AE0653EA6D705770DD0
1538:d=8 hl=2 l= 31 cons: SEQUENCE
1540:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
1545:d=9 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]: AC5E984339F5FD1D2A34D592C0FFFD3B7818DE8
1571:d=5 hl=2 l= 13 cons: SEQUENCE
20 PKCS#7: p7s.pem with asn1parse (10)
1573:d=6 hl=2 l= 9 prim: OBJECT :sha256withrsaencryption
1584:d=6 hl=2 l= 0 prim: NULL
1586:d=5 hl=4 l= 257 prim: BIT STRING
1847:d=3 hl=4 l= 615 cons: SET
1851:d=4 hl=4 l= 611 cons: SEQUENCE
1855:d=5 hl=2 l= 1 prim: INTEGER :
:d=5 hl=2 l= 85 cons: SEQUENCE
1860:d=6 hl=2 l= 72 cons: SEQUENCE
  <- Signer Info fields
1862:d=7 hl=2 l= 11 cons: SET
1864:d=8 hl=2 l= 9 cons: SEQUENCE
1866:d=9 hl=2 l= 3 prim: OBJECT :countryname
1871:d=9 hl=2 l= 2 prim: PRINTABLESTRING :IT
1875:d=7 hl=2 l= 19 cons: SET
1877:d=8 hl=2 l= 17 cons: SEQUENCE
1879:d=9 hl=2 l= 3 prim: OBJECT :stateorprovincename
1884:d=9 hl=2 l= 10 prim: UTF8STRING :Some-State
1896:d=7 hl=2 l= 15 cons: SET
21 PKCS#7: p7s.pem with asn1parse (11)
1896:d=7 hl=2 l= 15 cons: SET
1898:d=8 hl=2 l= 13 cons: SEQUENCE
1900:d=9 hl=2 l= 3 prim: OBJECT :organizationname
1905:d=9 hl=2 l= 6 prim: UTF8STRING :Polito
1913:d=7 hl=2 l= 19 cons: SET
  <- Signer Info: Issuer + serial number
1915:d=8 hl=2 l= 17 cons: SEQUENCE
1917:d=9 hl=2 l= 3 prim: OBJECT :commonname
1922:d=9 hl=2 l= 10 prim: UTF8STRING :My demo CA
1934:d=6 hl=2 l= 9 prim: INTEGER :D55EADBB85373D
:d=5 hl=2 l= 13 cons: SEQUENCE
1947:d=6 hl=2 l= 9 prim: OBJECT :sha
:d=6 hl=2 l= 0 prim: NULL
1960:d=5 hl=3 l= 228 cons: cont [ 0 ]
1963:d=6 hl=2 l= 24 cons: SEQUENCE
1965:d=7 hl=2 l= 9 prim: OBJECT :contenttype
1976:d=7 hl=2 l= 11 cons: SET
1978:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
22 PKCS#7: p7s.pem with asn1parse (12)
1989:d=6 hl=2 l= 28 cons: SEQUENCE
1991:d=7 hl=2 l= 9 prim: OBJECT :signingtime
2002:d=7 hl=2 l= 15 cons: SET
  <- Signed attributes
2004:d=8 hl=2 l= 13 prim: UTCTIME : Z
2019:d=6 hl=2 l= 47 cons: SEQUENCE
2021:d=7 hl=2 l= 9 prim: OBJECT :messagedigest
2032:d=7 hl=2 l= 34 cons: SET
2034:d=8 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]: A9BDA626D22F1A3181BF65734C9E4ECCB184E241D872D3C67FE33935AB
:d=6 hl=2 l= 121 cons: SEQUENCE
2070:d=7 hl=2 l= 9 prim: OBJECT :S/MIME Capabilities
2081:d=7 hl=2 l= 108 cons: SET
2083:d=8 hl=2 l= 106 cons: SEQUENCE
2085:d=9 hl=2 l= 11 cons: SEQUENCE
2087:d=10 hl=2 l= 9 prim: OBJECT :aes-256-cbc
2098:d=9 hl=2 l= 11 cons: SEQUENCE
23 PKCS#7: p7s.pem with asn1parse (13)
2100:d=10 hl=2 l= 9 prim: OBJECT :aes-192-cbc
2111:d=9 hl=2 l= 11 cons: SEQUENCE
2113:d=10 hl=2 l= 9 prim: OBJECT :aes-128-cbc
2124:d=9 hl=2 l= 10 cons: SEQUENCE
2126:d=10 hl=2 l= 8 prim: OBJECT :des-ede3-cbc
2136:d=9 hl=2 l= 14 cons: SEQUENCE
2138:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
2148:d=10 hl=2 l= 2 prim: INTEGER :
:d=9 hl=2 l= 13 cons: SEQUENCE
2154:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
2164:d=10 hl=2 l= 1 prim: INTEGER :
:d=9 hl=2 l= 7 cons: SEQUENCE
2169:d=10 hl=2 l= 5 prim: OBJECT :des-cbc
2176:d=9 hl=2 l= 13 cons: SEQUENCE
2178:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
2188:d=10 hl=2 l= 1 prim: INTEGER :
:d=5 hl=2 l= 13 cons: SEQUENCE
24 PKCS#7: p7s.pem with asn1parse (14)
2193:d=6 hl=2 l= 9 prim: OBJECT :rsaencryption
  <- Signature
2204:d=6 hl=2 l= 0 prim: NULL
2206:d=5 hl=4 l= 256 prim: OCTET STRING [HEX DUMP]:7DF636E86464E3D61C4A51788C5A242E472A55722BB338181E4DF7B1 30EBA355EBD2A5C37DA DF0F7F4567DA00AEFF5E01AD648925E3538 AE5715F561A DF70D BB47F9F925347F34440AC06995F25B6 B5C318C51F240EAC6BCAA97CA9B7B856F B3C774A946E9E1B7E618 04A5BB2D5B6AD68875B66211E07895F458D1E0A217FD D4264FF894F4 F65206E323B7D3A965E8362EB94E696755E233A0BC2C1046DFE82A1C0FECF2 950E57E0E2E54FF4087B21AFE7746E1022E1E99E092EEAE14C84F57A7A6ECF DF802AF8A73876F475DB267FE6D896F046032AE30ABD50646C616DF1A40959 D84C28280C5E060EC9F6B6
25 Detached signature: dumpasn1 for DER
- dumpasn1 is an ASN.1 parsing tool implemented by Peter Gutmann
    apt-get install dumpasn1
- convert the PKCS#7 envelope to DER format
    openssl pkcs7 -in p7s.pem -outform DER -out p7s.der
- view p7s.der with the tool dumpasn1
    dumpasn1 p7s.der
- same information as with asn1parse but more structured!!
- note also the fields SubjectKeyIdentifier and AuthorityKeyIdentifier
- you can check the provided material: p7s.dumpasn1
26 Opaque signature
- generate an opaque signature
    openssl smime -sign -nodetach -in msg -out p7snd.pem -outform PEM -signer user_cert.pem -inkey user_pkey.pem -certfile ./demoCA/cacert.pem
- check the provided material: p7snd.asn1
- NOTE: data are in the envelope!
27 EnvelopedData
[diagram: an envelopedData content holds version, encryptedContentInfo (contentType, encryptionAlgorithm, encryptedContent) and a list of recipientInfo entries; each recipientInfo holds version, issuer + SN, encAlgorithm and encKey]
28 Enveloped data
- encrypt data (for a specific recipient, e.g., Bob)
    openssl smime -encrypt -aes-128-cbc -in msg -out p7e.pem -outform PEM bob_cert.pem
- note:
  - the recipientInfo field: recipient certificate referenced with Issuer and serial number
  - the encrypted key
  - the encrypted data
- the recipient can decrypt the received data:
    openssl smime -decrypt -in p7e.pem -inform PEM -inkey bob_pkey.pem
- check the provided material: p7e.asn1
29 Enveloped data
- is it useful to encrypt data for the recipient only?
  - who (originally) encrypted cannot decrypt his data anymore
- encrypt for at least two recipients
  - himself and the (intended) recipient
- the command for encrypting for user and user2 is as follows:
    openssl smime -encrypt -aes-128-cbc -in msg -out p7e_2recipients.pem -outform PEM user_cert.pem user2_cert.pem
- p7e_2recipients.asn1
30 Certificate validation with CRL and OCSP
31 Manually verify a certificate against a CRL (1)
steps:
1. obtain the certificate you wish to check for revocation
2. determine the URL of the CRL
3. obtain the CRL and verify it
   - obtain the certificate of the authority issuing the CRL (CA)
4. check the certificate against the CRL
step 1. assume we have to check a user cert aldocert.pem
step 2. check the certificate extensions
    openssl x509 -in aldocert.pem -text -noout
  X.509 CRL Distribution Points
    Full Name:
      URI:
32 Manually verify a certificate against a CRL (2)
    openssl x509 -in aldocert.pem -noout -text | grep crl
step 3. download the CRL (in PEM) from:
    wget
- location of the issuing (CA) certificate: from several sources
  - user cert: CA Issuers in Authority Information Access, e.g. URI:
      openssl x509 -in aldocert.pem -noout -text | grep CA
  - OOB
  - received together with the user certificate (in a degenerated PKCS#7 structure)
  - published on the CA's web site
33 Manually verify a certificate against a CRL (3)
- verify the CRL:
    openssl crl -in polito_crl.crl -inform DER -CAfile PolitecnicodiTorinoCertificationAuthority.crt -noout
  output: verify OK
- convert the CRL from DER to PEM
    openssl crl -in polito_crl.crl -out polito_crl.pem -inform DER -outform PEM
34 Manually verify a certificate against a CRL (4)
step 4. verify the certificate against the CRL
- combine the CRL and the chain
  - OpenSSL needs a single PEM file that concatenates all the certificates in the chain and the CRL
    cat EuroPKIrootCA.crt EuroPKIItalianCA.crt PolitecnicodiTorinoCertificationAuthority.crt polito_crl.pem > crl_chain.pem
- verify the certificate against the CRL
    openssl verify -crl_check -CAfile crl_chain.pem aldocert.pem
  output: aldocert.pem: OK
35 Manually verify a certificate against a CRL (5)
or
- determine the serial number of the certificate you wish to check
    openssl x509 -in aldocert.pem -noout -serial
- convert the CRL into a human-readable format and inspect it manually
    openssl crl -in polito_crl.crl -inform DER -text -noout | grep previously_found_serial_number
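An added example (not part of the original slides): the Python check below performs the lookup of this last step on the text printed by `openssl crl -text -noout`, comparing serial numbers as integers rather than as substrings and reporting when the CRL is past its Next Update. The CRL text is a constructed sample, and the function names and status strings are assumptions of this example.

```python
# Added example: exact serial lookup in `openssl crl -text -noout` output.
import re
from datetime import datetime, timezone
from typing import Dict, NamedTuple, Optional

# Constructed sample in the layout OpenSSL prints (not the Politecnico CRL;
# the dates and serial numbers are made up for this example).
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IT, ST = Some-State, O = Polito, CN = My demo CA
        Last Update: Mar  1 10:00:00 2024 GMT
        Next Update: Mar 31 10:00:00 2024 GMT
Revoked Certificates:
    Serial Number: 1002
        Revocation Date: Feb 20 08:30:00 2024 GMT
    Serial Number: D55EADBB85373D63
        Revocation Date: Feb 27 16:45:00 2024 GMT
"""


class CrlView(NamedTuple):
    last_update: datetime
    next_update: Optional[datetime]
    revoked: Dict[int, datetime]  # serial number -> revocation date


def parse_time(text: str) -> datetime:
    """Parse OpenSSL timestamps such as 'Mar  1 10:00:00 2024 GMT' as UTC."""
    parsed = datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def parse_serial(text: str) -> int:
    """Accept 'serial=0A1B' (from `openssl x509 -serial`), '0a:1b' or '0A1B'."""
    return int(text.split("=", 1)[-1].replace(":", "").strip(), 16)


def parse_crl_text(text: str) -> CrlView:
    last = re.search(r"Last Update:\s*(.+)", text)
    if last is None:
        raise ValueError("input does not look like `openssl crl -text` output")
    nxt = re.search(r"Next Update:\s*(.+)", text)
    has_next = nxt is not None and nxt.group(1).strip() != "NONE"
    entry = re.compile(
        r"Serial Number:\s*([0-9A-Fa-f:]+)\s*\n\s*Revocation Date:\s*(.+)")
    revoked = {parse_serial(m.group(1)): parse_time(m.group(2))
               for m in entry.finditer(text)}
    return CrlView(parse_time(last.group(1)),
                   parse_time(nxt.group(1)) if has_next else None,
                   revoked)


def grep_like(serial_hex: str, crl_text: str) -> bool:
    """What `| grep <serial>` effectively tests: a case-sensitive substring."""
    return serial_hex in crl_text


def revocation_status(serial_line: str, crl: CrlView, now: datetime) -> str:
    """Return 'revoked', 'crl-not-current' or 'not-listed'."""
    if parse_serial(serial_line) in crl.revoked:
        return "revoked"
    # Absence from a CRL that is past Next Update (or has none) proves nothing.
    if crl.next_update is None or now > crl.next_update:
        return "crl-not-current"
    return "not-listed"


if __name__ == "__main__":
    crl = parse_crl_text(SAMPLE_CRL_TEXT)
    when = datetime(2024, 3, 10, tzinfo=timezone.utc)
    for line in ("serial=02", "serial=d5:5e:ad:bb:85:37:3d:63"):
        print(line, "grep:", grep_like(parse_serial_hex := line.split("=")[1],
                                       SAMPLE_CRL_TEXT),
              "exact:", revocation_status(line, crl, when))
```

In the sample, a short serial such as 02 is found by a substring search (inside 1002 and inside the dates) although it is not revoked, while a revoked serial written in lowercase or with colons is missed.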
36 Checking the status with OCSP: openssl (1)
steps:
1. obtain the certificate you wish to check for revocation
2. obtain the issuing certificate (CA)
3. determine the URL of the OCSP responder
4. submit an OCSP request and observe the response
step 1: assume we want to check bob_cert.pem
step 2: issuer of bob is demoCA (cacert.pem)
step 3: the URL of the OCSP responder can be got from several sources:
  - Authority Information Access extension
  - (pre)configured
  - communicated OOB or found on the CA web site
37 Checking the status with OCSP: openssl (2)
- create an OCSP responder certificate
    openssl req -new -keyout ocspresp_pkey.pem -out ocspresp_req.pem
    openssl ca -in ocspresp_req.pem -out ocspresp_cert.pem
- start OCSP server:
    openssl ocsp -index demoCA/index.txt -port <port> -rsigner ocspresp_cert.pem -rkey ocspresp_pkey.pem -CA demoCA/cacert.pem -text
- start OCSP client:
    openssl ocsp -issuer demoCA/cacert.pem -cert bob_cert.pem -text -url <responder URL> -noverify
38 Checking the status with OCSP: openssl (3)
- analyze the OCSP Request and Response:
  - good (for the certificate status): which are the alternatives?
    - revoked, unknown
  - note the OCSP nonce both in requests and responses
    - to protect from replay attacks
  - note the This Update field!
    - OCSP cannot be used to get the validity status of a certificate at a given moment in time
  - issuer identified through Issuer name hash and Issuer key hash
Cryptography and Network Security Sixth Edition by William Stallings Chapter 19 Electronic Mail Security Despite the refusal of VADM Poindexter and LtCol North to appear, the Board's access to other sources
More informationSigntrust. ISIS-MTT Assessment Report
Deutsche Post Com GmbH ISIS-MTT Assessment Report Version 1.0 Date October 28, 2005 Petra Barzin, Hans-Joachim Knobloch Secorvo Security Consulting GmbH Ettlinger Straße 12-14 D-76137 Karlsruhe Tel. +49
More informationHow to Enable Client Certificate Authentication on Avi
Page 1 of 11 How to Enable Client Certificate Authentication on Avi Vantage view online Overview This article explains how to enable client certificate authentication on an Avi Vantage. When client certificate
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More information6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename
6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename Certificate formats (DER, PEM, PKCS #12) 6.2 Certificate Authorities
More informationLecture 16 Public Key Certification and Revocation
Lecture 16 Public Key Certification and Revocation 1 CertificationTree / Hierarchy Logical tree of CA-s root PK root [PK CA1 CA1 ]SK root CA3 [PK CA3 ]SK root [PK CA2 CA2 ]SK CA1 CA4 [PK CA4 ]SK CA3 2
More informationEUROPEAN STANDARD Electronic Signatures and Infrastructures (ESI); CAdES digital signatures; Part 1: Building blocks and CAdES baseline signatures
EN 319 122-1 V1.1.1 (2016-04) EUROPEAN STANDARD Electronic Signatures and Infrastructures (ESI); CAdES digital signatures; Part 1: Building blocks and CAdES baseline signatures 2 EN 319 122-1 V1.1.1 (2016-04)
More informationETSI TS V1.5.1 ( )
TS 101 733 V1.5.1 (2003-12) Technical Specification Electronic Signatures and Infrastructures (ESI); Electronic Signature Formats 2 TS 101 733 V1.5.1 (2003-12) Reference RTS/ESI-000017 Keywords electronic
More informationValidation Policy r tra is g e R ANF AC MALTA, LTD
Maltese Registrar of Companies Number C75870 and VAT number MT ANF AC MALTA, LTD B2 Industry Street, Qormi, QRM 3000 Malta Telephone: (+356) 2299 3100 Fax:(+356) 2299 3101 Web: www.anfacmalta.com Security
More informationEncryption, Certificates and SSL DAVID COCHRANE PRESENTATION TO BELFAST OWASP CHAPTER OCTOBER 2018
Encryption, Certificates and SSL DAVID COCHRANE PRESENTATION TO BELFAST OWASP CHAPTER OCTOBER 2018 Agenda Basic Theory: encryption and hashing Digital Certificates Tools for Digital Certificates Design
More informationInternet Engineering Task Force (IETF) Category: Standards Track August 2018 ISSN:
Internet Engineering Task Force (IETF) R. Housley Request for Comments: 8419 Vigil Security Category: Standards Track August 2018 ISSN: 2070-1721 Use of Edwards-Curve Digital Signature Algorithm (EdDSA)
More informationSSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1
SSL/TLS & 3D Secure CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSLv2 Brief History of SSL/TLS Released in 1995 with Netscape 1.1 Key generation algorithm
More informationand Web Security
Email and Web Security Computer Security Lecture 14 Mike Just 1 School of Informatics University of Edinburgh 4th March 2010 1 Based on original lecture notes by David Aspinall Outline Secure Email: PGP
More informationUpdating OCSP. David Cooper
Updating OCSP David Cooper Background Concerns raised about text in RFC 2560 being misinterpreted, particularly Section 4.2.2.2 on Authorized Responders Working group agreed to develop an update to RFC
More informationKerberos5 1. Kerberos V5
Kerberos5 1 Kerberos V5 Kerberos5 2 ASN.1 data representation language: data structure (ß definition C struct, union), but variable length-arrays, optional elements, labeling,... data representation on
More informationDocument T10/ rev. 0
To: T10 Committee From: Gerry Houlder, Seagate Technology, gerry_houlder@seagate.com Developed for Trusted Computing Group, www.trustedcomputinggroup.org Subj: SPC-3 Security Commands proposal Date: April
More informationSHS Version 1.2 CA. The Swedish Agency for Public Management oct This version:
SHS Version 1.2 CA 1 (11) SHS Version 1.2 CA The Swedish Agency for Public Management oct 2003 This version: http://www.statskontoret.se/shs/pdf/1.2ca.pdf Latest version: http://www.statskontoret.se/shs/pdf/shs-ca.pdf
More informationInternet Engineering Task Force (IETF) Obsoletes: 6485 Category: Standards Track August 2016 ISSN:
Internet Engineering Task Force (IETF) G. Huston Request for Comments: 7935 G. Michaelson, Ed. Obsoletes: 6485 APNIC Category: Standards Track August 2016 ISSN: 2070-1721 Abstract The Profile for Algorithms
More informationand Web Security
Email and Web Security Computer Security Lecture 15 David Aspinall School of Informatics University of Edinburgh 3rd March 2008 Outline Secure Email: PGP and S/MIME Issues of trust Web security: transport
More informationMTAT Applied Cryptography
MTAT.07.017 Applied Cryptography Smart Cards 2 University of Tartu Spring 2014 1 / 20 Security Model Parties involved in smart card based system: Cardholder Data owner Terminal Card issuer Card manufacturer
More informationOCSP Client Tool V2.2 User Guide
Ascertia Limited 40 Occam Road Surrey Research Park Guildford Surrey GU2 7YG Tel: +44 1483 685500 Fax: +44 1483 573704 www.ascertia.com OCSP Client Tool V2.2 User Guide Document Version: 2.2.0.2 Document
More informationInternet Engineering Task Force (IETF) Request for Comments: 5754 Updates: 3370 January 2010 Category: Standards Track ISSN:
Internet Engineering Task Force (IETF) S. Turner Request for Comments: 5754 IECA Updates: 3370 January 2010 Category: Standards Track ISSN: 2070-1721 Abstract Using SHA2 Algorithms with Cryptographic Message
More informationDirectTrust X.509 Certificate and Certificate Revocation List (CRL) Profiles
DirectTrust X.509 Certificate and Certificate Revocation List (CRL) Profiles DirectTrust.org Certificate Policy & Practices (CPP) Work Group December 14, 2016 1 Revision History Table Date Version Description
More informationUNIT - IV Cryptographic Hash Function 31.1
UNIT - IV Cryptographic Hash Function 31.1 31-11 SECURITY SERVICES Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service
More informationsyslog-ng Open Source Edition 3.16 Mutual authentication using TLS
syslog-ng Open Source Edition 3.16 Mutual authentication using TLS Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software
More informationAttestation Service for Intel Software Guard Extensions (Intel SGX): API Documentation. Revision: 3.0
Attestation Service for Intel Software Guard Extensions (Intel SGX): API Documentation Revision: 3.0 1 1 Abbreviations... 4 2 Attestation Service for Intel SGX... 5 Supported environments... 5 Authentication...
More informationLecture 2 Applied Cryptography (Part 2)
Lecture 2 Applied Cryptography (Part 2) Patrick P. C. Lee Tsinghua Summer Course 2010 2-1 Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-2
More informationManaging TLS Certificate, KeyStore, and TrustStore Files
Managing TLS Certificate, KeyStore, and TrustStore Files This chapter contains the following sections: About the TLS Certificate, KeyStore, and TrustStore Files, page 1 Preparing to Generate the TLS Credentials,
More informationRequest for Comments: May 2006
Network Working Group Request for Comments: 4491 Updates: 3279 Category: Standards Track S. Leontiev, Ed. CRYPTO-PRO D. Shefanovski, Ed. Mobile TeleSystems OJSC May 2006 Status of This Memo Using the GOST
More informationChapter 18: wolfcrypt API Reference
Chapter 18: wolfcrypt API Reference Table of Contents March, 2016 Version 3.9.0 18.1 AES 18.2 Arc4 18.3 ASN 18.4 Blake2 18.5 Camellia 18.6 ChaCha 18.7 ChaCha20 with Poly1305 18.8 Coding 18.9 Compression
More informationManage Certificates. Certificates Overview
Certificates Overview, page 1 Show Certificates, page 3 Download Certificates, page 4 Install Intermediate Certificates, page 4 Delete a Trust Certificate, page 5 Regenerate a Certificate, page 6 Upload
More informationTechnical Specification CMC Interface
Technical Specification CMC Interface Guide for integrating applications with the SwissSign Certificate Authority CMC interface Document Type: Interface Document Author: Ingolf Rauh Classification: C1
More informationSecuring Communications with your Apache HTTP Server. Lars Eilebrecht
with your Apache HTTP Server Lars Eilebrecht Lars@apache.org About Me Lars Eilebrecht Independent IT Consultant Contributor to the Apache HTTP Server project since 1996 Member of the ASF Security Team
More informationTutorial II Computer Security Module
Tutorial II Computer Security Module Mike Just School of Informatics University of Edinburgh March 2010 Purpose of Tutorial More time on some areas of Computer Security Allow for more interaction with
More informationUsing ISE 2.2 Internal Certificate Authority (CA) to Deploy Certificates to Cisco Platform Exchange Grid (pxgrid) Clients
Using ISE 2.2 Internal Certificate Authority (CA) to Deploy Certificates to Cisco Platform Exchange Grid (pxgrid) Clients Author: John Eppich Table of Contents About this Document... 4 Using ISE 2.2 Internal
More informationMTAT Applied Cryptography
MTAT.07.017 Applied Cryptography Abstract Syntax Notation One (ASN.1) University of Tartu Spring 2014 1 / 20 Abstract Syntax Notation One Notation to describe abstract types and values Describes information
More informationPublic Key Infrastructures. Andreas Hülsing
Public Key Infrastructures Andreas Hülsing How to share Keys with PGP Attach to mail Use Key Server Still need to verify key validity! 28-5-2014 PAGE 1 PGP Keyserver Synchronization Graph http://www.rediris.es/keyserver/graph.html
More informationCoding & Information Theory Lab.
통합인증시스템설계및구현 연세대학교전기 전자공학과정연식, 송홍엽 Coding & Information Theory Lab. Introduction Previous Works Contents Design and Implementation of Public-Key Infrastructure Design and Implementation of Single Sign-On
More informationFlexVPN Between a Router and an ASA with Next Generation Encryption Configuration Example
FlexVPN Between a Router and an ASA with Next Generation Encryption Configuration Example Document ID: 116008 Contributed by Graham Bartlett, Cisco TAC Engineer. Mar 26, 2013 Contents Introduction Prerequisites
More informationGenesys Security Deployment Guide. What You Need
Genesys Security Deployment Guide What You Need 12/27/2017 Contents 1 What You Need 1.1 TLS Certificates 1.2 Generating Certificates using OpenSSL and Genesys Security Pack 1.3 Generating Certificates
More informationDEPLOYMENT GUIDE. SSL Insight Certificate Installation Guide
DEPLOYMENT GUIDE SSL Insight Certificate Installation Guide Table of Contents Introduction...3 Generating CA Certificates for SSL Insight...3 Importing a CA Certificate and Certificate Chain onto the A10
More informationLecture 14. Public Key Certification and Revocation
Lecture 14 Public Key Certification and Revocation 1 CertificationTree / Hierarchy Logical tree of CA-s root PK root CA1 [PKCA1]SKroot CA3 [PK CA3 ]SK root [PK CA2 CA2 ]SK CA1 CA4 [PK CA4]SK CA3 2 Hierarchical
More informationThe client also provides utilities to disassemble signatures (e.g. extracting the signer certificates, digest algorithms used etc.
Krestfield EzSign Client Integration Guide Version 2.1 Copyright Krestfield 2017 Introduction The Krestfield EzSign Client is a lightweight java package which interfaces with the EzSign Server enabling
More informationPackage PKI. September 16, 2017
Version 0.1-5.1 Package PKI September 16, 2017 Title Public Key Infrastucture for R Based on the X.509 Standard Author Maintainer Depends R (>=
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More informationKerberos V5. Raj Jain. Washington University in St. Louis
Kerberos V5 Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-07/ 11-1
More informationInternet Engineering Task Force (IETF) Category: Experimental Helsinki Institute for Information Technology ISSN: May 2011
Internet Engineering Task Force (IETF T. Heer Request for Comments: 6253 COMSYS, RWTH Aachen University Updates: 5201 S. Varjonen Category: Experimental Helsinki Institute for Information Technology ISSN:
More information