Chapter 6: Digital Certificates Introduction Authentication Methods PKI Digital Certificate Passing

Transcription

1 Chapter 6: Digital Certificates Introduction Methods PKI Digital Certificate Passing Prof Bill Buchanan OBE

2 Identity on the Internet Identifies it is trusted (Digital Certificate) Keeps communications secure (encryption) Trent Trap-door Eve

3 Fundamental principles. Confidence/Assurance. Privacy/Confidentiality. (Device, User, Servers, Connections, etc) Confidentiality (Encryption) Assurance (Integrity) Introduction Bert Fred

4 Eve is a fundamental issue in security. Alice Public-key Introduction How do we know that it was really who sent the data, as anyone can get Alice s public key, and thus pretend to be?

5 Eve is a fundamental issue in security. Alice Public-key Introduction How can we tell that the message has not been tampered with?

6 Eve is a fundamental issue in security. Alice Public-key Introduction How does distribute his public key to Alice, without having to post it onto a Web site or for to be on-line when Alice reads the message?

7 is a fundamental issue in security. Trent Alice Introduction Who can we really trust to properly authenticate? Obviously we can t trust to authenticate that he really is. Eve

8 Chapter 6: Digital Certificates Introduction Methods Prof Bill Buchanan OBE

9 What to authenticate? Systems. Users. Data. Servers. Devices Methods Users Hello. How are you? Is this okay? Data Systems

10 Where authenticated? User Device Server End-to-end. User to service. Intermediate. Part of the authentication process. Service Intermediate device Intermediate device End-to-end authentication Methods User Device Server Service Intermediate device Intermediate device Intermediate authentication

11 Device Server type One-way server. One-way client. Two-way. User One-way server authentication. Server provides authentication to the client, such as SSL (HTTPS, FTPS, etc). ID Device Methods User ID One-way client authentication. Client provides authentication to the server such as EAP-TLS in Wireless. User ID Mutual authentication. Client and server provide ID to authenticate each other. Examples include PEAP in wireless. ID

12 type User Device Server One-way server. One-way client. Two-way. Service Intermediate device Intermediate device Methods Username/password Digital Certificate Token Card Soft Tokens Session key Pass phrase Biometrics Device name Digital Certificate Pass phrase MAC address Encryption key

13 methods Iris scans Something you have Something you know Something you are Retina scan Digital certificate Methods Finger prints Palm prints Something you are Smart card Network/physical address Something you have Username/ password Mother s maiden name Something you know

14 Chapter 6: Digital Certificates Introduction Methods PKI Digital Certificate Passing Prof Bill Buchanan OBE

15 How to store the private key and pass the public key? Eve Digital Certificates Digital certificates are a soft token of authentication, and require a trust mechanism. Alice Public-key One method is the digital certificate which can carry the public key (and also the private key, if nesc.) Digital Cert. Now that we need the public key to either encrypt data for a receipiant, or to authenticate a sender... How does distribute his public key to Alice, without having to post it onto a Web site or for to be on-line when Alice reads the message?

16 Digital certificate contains a thumbprint to verify it Details Public-key Digital Cert. Thumbprint Issuer

17 Digital certificates should only be distributed with the public key This certificate has only the public key This certificate has both public and private key Digital Cert.

18 Digital certificates should only be distributed with the public key P7b format -----BEGIN CERTIFICATE----- MIID2zCCA4WgAwIBAgIKWHROcQAAAABEujANBgkqhkiG9w0BAQUFADBgMQswCQYD VQQGEwJHQjERMA8GA1UEChMIQXNjZXJ0aWExJjAkBgNVBAsTHUNsYXNzIDEgQ2Vy dglmawnhdgugqxv0ag9yaxr5mrywfaydvqqdew1bc2nlcnrpysbdqsaxmb4xdta2 MTIxNzIxMDQ0OVoXDTA3MTIxNzIxMTQ0OVowgZ8xJjAkBgkqhkiG9w0BCQEWF3cu YnVjaGFuYW5AbmFwaWVyLmFjLnVrMQswCQYDVQQGEwJVSzEQMA4GA1UECBMHTG90 aglhbjesmbaga1uebxmjrwrpbmj1cmdomrowgaydvqqkexfoyxbpzxigvw5pdmvy c2l0etelmakga1uecxmcsvqxgtaxbgnvbamtefdpbgxpyw0gqnvjagfuyw4wggei MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvCFETyJL8VXAhbEMRzQI0gM81 ci75nmmsoamjzcb6fhgemgowmycoscmqkrvjaknos+4mxznhcy3mdob+szbwovax M5FOxhSrV+Q86hsK8cDc+1sqyJ8TQtufuDNs0NfNY6tR6q7CgGqQ8/VjSxNqzK39 iluf1ahhycet/ab6o/qwzl4ivsz2nml4dyauyilhlplvbpphgde6sdqxwyd0cpfv ZN7pauD5fqBESfO6bUkCieI47AzRMQj3kHuDt7MexVW7aoX+nXLP4wn7IamaxasF QvhdOKyCZhYs82JQDGatXRCqkklztmZW5i6GkPsE7XVuX265WJQ5afhp2hYlAgMB AAGjggEXMIIBEzAdBgNVHQ4EFgQUzyZ/YcCJwT5opPHLPlcQKkOlkJwwYwYDVR0j BFwwWoAUlP5Zh0V700k6CorvRMWB9ifVkBmhP6Q9MDsxCzAJBgNVBAYTAkdCMREw DwYDVQQKEwhBc2NlcnRpYTEZMBcGA1UEAxMQQXNjZXJ0aWEgUm9vdCBDQYIBDTBN BgNVHR8ERjBEMEKgQKA+hjxodHRwOi8vd3d3LmFzY2VydGlhLmNvbS9PbmxpbmVD QS9jcmxzL0FzY2VydGlhQ0ExL2NsYXNzMS5jcmwwPgYIKwYBBQUHAQEEMjAwMC4G CCsGAQUFBzAChiJodHRwOi8vb2NzcC5nbG9iYWx0cnVzdGZpbmRlci5jb20vMA0G CSqGSIb3DQEBBQUAA0EATOCwGJ1tS0kTlupmpjkMl8IdxMmD5WuhszjBlGsMhPxI H+vXhL9yaOw+Prpzy7ajS4/3xXU8vRANhyU9yU4qDA== -----END CERTIFICATE----- Digital Cert. The main certificate formats include: P7b. Text format PFX/P12. Binary. SST. Binary.

19 Encrypting messages to Alice Eve A. creates the message. B. encrypts with Alice s public key and sends Alice the encrypted message C. Alice decrypts with her private key D. Alice receives the message A Alice Encryption Communications Channel Decryption Digital Cert. Hello H&$d. C B D Hello Alice sends her digital certificate with her public key on it Alice s private key

20 Authenticating A Alice Encryption/ Decryption Communications Channel Encryption/ Decryption Hello B Digital Cert. s private key Hash H&$d. C D Alice s private key Hello sends his Digital certificate to authenticate himself Alice checks the hash using s public key from his certificate Hash

21 Chapter 6: Digital Certificates Introduction Methods PKI Digital Certificate Passing Prof Bill Buchanan OBE

22 Who can we trust to get the digital certificate from? Eve Digital Certificates Digital certificates are a soft token of authentication, and require a trust mechanism. Alice Trent Digital Cert. Who do we trust to get s certificate we can t trust, as he may be Eve meet Trent.

23 Public Key Infrastructure (PKI) The Trusted Root CE (Trent) checks s identity and creates a certificate which he signs Trusted Root CA Certificate Authority (CA) - Able to grant certificates Examples; Verisign, Entrust, Microsoft Trust. Trent Trusted root certificates are installed as a default on the machine (or installed with the user s permission) Trusted root certificate PKI Alice checks the signature of the certificate to validate. Both Alice and trust the CA (Trent) as a third party. Alice

24 Drawbacks of PKI Eve tricks the CA to get a certificate with s name Trusted Root CA Certificate Authority (CA) - Able to grant certificates Examples; Verisign, Entrust, Microsoft Trust. Trent Eve Trusted root certificates are installed as a default on the machine (or installed with the user s permission) Trusted root certificate PKI Alice checks the signature of the certificate to validate. Both Alice and trust the CA (Trent) as a third party. Alice

25 Levels of trust Trusted Root CA - always trusted Trusted Root CA Trent Certificate purposes: Secure . Server authentication. Code signing. Driver authentication. Time stamping. Client authentication. IP tunnelling. EFS (Encrypted File System). PKI Self signed - Can never be trusted Trust2 Intermediate CA - Can be trusted for some things

26 Real or fake? The two main problems with digital certificates are: Lack of understanding of how they work. They can be spoofed. PKI So let s look at a few are they real or fake? Eve

27 Real or fake? PKI Eve Real or fake?

28 Real or fake? PKI Real!

29 Real or fake? PKI Eve Real or fake?

30 Real or fake? PKI Eve Fake!

31 Real or fake? PKI Eve Real or fake?

32 Real or fake? PKI Real

33 Chapter 6: Digital Certificates Introduction Methods PKI Digital Certificate Passing Prof Bill Buchanan OBE

34 Public key encryption secret identity... trust Eve Trent MegaCorp s Private Key Alice s Public Key s Public Key Alice s Private Key

35 Public key encryption secret identity... trust Eve Trent MegaCorp s Private Key Alice s Public Key s Public Key Alice s Public Key Alice s Private Key

36 Public key encryption secret identity... trust Eve Trent MegaCorp s Private Key Alice s Public Key s Public Key Alice s Public Key Alice s Private Key

37 Public key encryption secret identity... trust Eve Trent MegaCorp Alice s Public Key s Private Key Hello Alice, Wish you were here! - Alice s Public Key s Public Key Alice s Private Key

38 Public key encryption secret identity... trust Eve Trent MegaCorp Alice s Public Key s Private Key Hello Alice, Wish you were here! - Alice s Public Key s Public Key s Private Key Alice s Private Key

39 Public key encryption secret identity... trust Eve Trent MegaCorp Alice s Public Key s Private Key Alice s Public Key Hello Alice, Wish you were here! - Alice s Public Key s Public Key Alice s Private Key

40 Public key encryption secret identity... trust Eve Trent MegaCorp s Private Key Hello Alice, Wish you were here! - Alice s Public Key s Public Key Which key to open the message? Alice s Private Key

41 Public key encryption secret identity... trust MegaCorp Eve Trent s Private Key Alice s Private Key Hello Alice, Wish you were here! - Alice s Public Key s Public Key Which key to open the message? Alice s Private Key

42 Public key encryption secret identity... trust Eve Trent MegaCorp s Private Key Hello Alice, Wish you were here! - Alice s Public Key s Public Key Which key to we open the signature with? Alice s Private Key

43 Public key encryption secret identity... trust Eve Trent MegaCorp s Private Key Hello Alice, Wish you were here! - Alice s Public Key s Public Key s Public Key Alice s Private Key

44 Public key encryption secret identity... trust Eve Trent MegaCorp s Private Key Hello Alice, Wish you were here! - Alice s Public Key s Public Key Alice s Private Key

45 Using s private key to authenticate himself Message Message MD5 Encrypted MD5 The magic private key s private key s public key

46 encrypts the message/hash with Alice s public key Message Message MD5 Encrypted MD5 The magic private key s public key s private key Encrypted Content Alice s public key Alice Alice s private key

47 encrypts the message/hash with Alice s public key Message MD5 Message Encrypted MD5 Encrypted Content s private key The magic private key s public key Encrypted Content Alice s public key Alice s private key Alice

48 Alice decrypts the message Message MD5 Message Encrypted MD5 Encrypted Content s private key The magic private key s public key Alice Encrypted Content Message Encrypted MD5 Alice s public key Alice s private key

49 Alice decrypts the message Message MD5 Message Encrypted MD5 Encrypted Content s private key The magic private key s public key Alice Encrypted Content Message Encrypted MD5 MD5 (message) MD5 (result) Alice compares the MD5 values. If they are the same sent the message

50 Chapter 6: Digital Certificates Introduction Methods PKI Digital Certificate Passing Prof Bill Buchanan OBE

51 Info MD5 Info ZIP IDEA Mail RSA Sig Key Private-key encryption key RSA Alice Public-key Cardspace Sender Hello. 1. Secret-key Is used to encrypt message. &54FGds Secret-key 2. RSA is used to encrypt secret key with the recipients public key. Recipients &54FGds Secret-key Private-key 2. RSA is used to encrypt secret key with the recipients public key. Public-key Alice Cardspace