Certificates, Keys, Web Browsers, and Security - PowerPoint PPT Presentation

Slides: 44
Provided by: sivas7
Learn more at: https://www.cs.odu.edu

Transcript and Presenter's Notes

1
Certificates, Keys, Web Browsers, and Security
  • Sumanth Gelle

2
Contents
  • Keys
  • Symmetric Encryption
  • Asymmetric Encryption
  • Hybrid Encryption
  • Certificate
  • What does Certificate contain
  • Authentication with certificate
  • How to set up SSL on a web server
  • Certificate Revocation Lists
  • Browser
  • Internet Explorer

3
What Does Cryptography Solve?
  • Confidentiality
  • Ensure that nobody can learn what you transfer,
    even if they listen to the whole conversation
  • Integrity
  • Ensure that the message has not been modified
    during transmission
  • Authenticity
  • You can verify that you are talking to the entity
    you think you are talking to

4
  • Confidentiality: encryption is the answer
  • Integrity: hashing is the answer
  • Authentication: digital certificates are the answer
  • Cryptography is key management

5
Keys
  • Symmetric Keys

[Diagram: clear-text input -> DES encryption -> cipher-text
 (e.g. AxCvGsmWe4,sdgfMwir3dkJeTsY8R\s@!q3) -> DES decryption ->
 clear-text output, with the same key (shared secret) on both sides]
6
Symmetric Encryption
  • Symmetric algorithms require the creation of a
    key and an initialization vector (IV) that must
    be kept secret from anyone who should not decrypt
    your data.
  • TripleDESCryptoServiceProvider TDES = new
    TripleDESCryptoServiceProvider();
  • TDES.GenerateIV();
  • TDES.GenerateKey();
  • When the previous code is executed, a key and
    IV are generated when the new instance of
    TripleDESCryptoServiceProvider is made. Another
    key and IV are created when the GenerateKey and
    GenerateIV methods are called.

7
Asymmetric Encryption
  • Asymmetric algorithms require the creation of a
    public key and a private key. The public key can
    be made public to anyone, while the private key
    must be known only by the party who will decrypt
    the data encrypted with the public key.
  • // Generate a public/private key pair.
    RSACryptoServiceProvider RSA = new
    RSACryptoServiceProvider();
  • // Save the public key information to an
    // RSAParameters structure (false = do not export
    // the private key parameters).
    RSAParameters RSAKeyInfo = RSA.ExportParameters(false);

8
Asymmetric Encryption Continued
  • To create an asymmetric key and save it in a key
    container
  • Create a new instance of a CspParameters
    class and pass the name that you want
    to call the key container to the
    CspParameters.KeyContainerName field.
  • Create a new instance of a class that
    derives from the AsymmetricAlgorithm class
    (usually RSACryptoServiceProvider or
    DSACryptoServiceProvider) and pass the
    previously created CspParameters object to its
    constructor.
  • To delete a key from a key container
  • Create a new instance of a CspParameters
    class and pass the name that you want to call the
    key container to the CspParameters.KeyContainerName
    field.
  • Create a new instance of a class that
    derives from the AsymmetricAlgorithm class
    (usually RSACryptoServiceProvider or
    DSACryptoServiceProvider) and pass the previously
    created CspParameters object to its constructor.
  • Set the PersistKeyInCSP property of the
    class that derives from AsymmetricAlgorithm to
    false (False in Visual Basic).
  • Call the Clear method of the class that
    derives from AsymmetricAlgorithm. This method
    releases all resources of the class and clears
    the key container.

9
Example SSL
  • Ensures confidentiality
  • And integrity if digitally signed
  • Depending on how public keys are exchanged:
  • Authenticity, identity, non-repudiation

[Diagram: clear text]
10
Real World Hybrid Encryption (typical for encrypted
file storage)

[Diagram: clear-text message -> symmetrically encrypted
 message + Digital Envelope (the symmetric key encrypted
 with the recipient's public key)]
11
Real World Hybrid Decryption

[Diagram: Digital Envelope opened with the recipient's
 private key -> symmetrically encrypted message decrypted
 -> clear-text message]
12
PKI (Public Key Infrastructure)
  • Public Key Infrastructure provides the
    technologies that enable practical distribution
    of public keys
  • Using CERTIFICATES

13
Certificates
14
What does Certificate contain?
  • Owner's public key 
  • Owner's name or alias 
  • Expiration date of the certificate 
  • Serial number of the certificate 
  • Name of the organization that issued the
    certificate 
  • Digital signature of the organization that issued
    the certificate 

15
Authentication with Certificates
  • Owning a certificate of Gianni does not mean that
    you are Gianni
  • Owning a certificate does not imply you are
    authenticated
  • How would you verify that the person who comes to
    you pretending to be Gianni and showing you a
    certificate of Gianni is really Gianni?
  • You have to challenge him!
  • Only the real Gianni has the private key that
    goes in a pair with the public key in the
    certificate.

16
Authentication with Certificates
  • Denise gets Gianni's certificate
  • She verifies its digital signature
  • She can trust that the public key really belongs
    to Gianni
  • But is it Gianni standing in front of her, or is
    that Michel?
  • Denise challenges Gianni to encrypt for her a
    random phrase she generated ("I like green tables
    with flowers")
  • Gianni has (if he is the real Gianni) the private
    key that matches the certificate, so he responds
    (deRf35DdvYr8@dff)
  • Denise decrypts this with the public key she has
    in the certificate (which she trusts), and if it
    matches the phrase she just generated for the
    challenge then it must really be Gianni himself!
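The challenge-response of slides 15 and 16 in working Go, as an added example that is not from the slides: a constructed CA named Example CA issues Gianni a certificate carrying the slide 14 fields, Denise verifies the CA's signature on it and then challenges with a random phrase, and the answer is an RSA signature over that phrase (what the slides describe as encrypting with the private key and decrypting with the public key). Issue, Signer and Authenticate are names chosen here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue builds a certificate with the fields slide 14 lists (owner's name and key,
// serial, expiry, issuer and its signature); parent == nil means a self-signed CA.
func Issue(name string, serial int64, key *rsa.PrivateKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // root CA: the template signs itself
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Signer is what a claimant can do with the private key they hold: the real
// Gianni signs the phrase; Michel has Gianni's certificate but a different key.
func Signer(key *rsa.PrivateKey) func([]byte) ([]byte, error) {
	return func(nonce []byte) ([]byte, error) {
		sum := sha256.Sum256(nonce)
		return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	}
}

// Authenticate is Denise's procedure from slide 16: check that a CA she trusts signed
// the certificate, then challenge the holder with a fresh random phrase and verify.
func Authenticate(cert *x509.Certificate, roots *x509.CertPool, sign func([]byte) ([]byte, error)) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return false // not issued by a trusted CA, or outside its validity period
	}
	nonce := make([]byte, 32) // fresh per challenge, so an earlier answer cannot be replayed
	if _, err := rand.Read(nonce); err != nil {
		return false
	}
	resp, err := sign(nonce)
	return err == nil && cert.CheckSignature(x509.SHA256WithRSA, nonce, resp) == nil
}
```

Michel, holding Gianni's certificate but his own key, fails the challenge; a certificate issued by a CA Denise does not trust fails the first check before any challenge is sent.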

17
How to Set Up SSL on a Web Server
  • Step 1. Generate a Certificate Request
  • Step 2. Submit a Certificate Request
  • Step 3. Issue the Certificate
  • Step 4. Install the Certificate on the Web server
  • Step 5. Configure Resources to Require SSL Access

18
Step 1. Generate a Certificate Request
  • Start the IIS Microsoft Management Console (MMC)
    snap-in.
  • Expand your Web server name and select the Web
    site for which you want to install a certificate.
  • Right-click the Web site, and then click
    Properties.
  • Click the Directory Security tab.
  • Click the Server Certificate button within Secure
    communications to launch the Web Server
    Certificate Wizard. Note: if Server Certificate
    is unavailable, you probably selected a virtual
    directory, directory, or file. Go back to Step 2
    and select a Web site.

19
Step 2. Submit a Certificate Request
  • Use Notepad to open the certificate file
    generated in the previous procedure and copy its
    entire contents to the clipboard.
  • Start Internet Explorer and navigate to
    http://hostname/CertSrv, where hostname is the
    name of the computer running Microsoft Certificate
    Services.
  • Click Request a Certificate, and then click Next.
  • On the Choose Request Type page, click Advanced
    request, and then click Next.
  • On the Advanced Certificate Requests page, click
    Submit a certificate request using a base64
    encoded PKCS #10 file, and then click Next.
  • On the Submit a Saved Request page, click in the
    Base64 Encoded Certificate Request (PKCS #10 or
    #7) text box and press CTRL+V to paste the
    certificate request you copied to the clipboard
    earlier.
  • In the Certificate Template combo box, click Web
    Server.
  • Click Submit.
  • Close Internet Explorer.

25
Step 3. Issue the Certificate
  • Start the Certification Authority tool from the
    Administrative Tools program group.
  • Expand your certificate authority, and then
    select the Pending Requests folder.
  • Select the certificate request you just
    submitted.
  • On the Action menu, point to All Tasks, and then
    click Issue.
  • Confirm that the certificate is displayed in the
    Issued Certificates folder, and then double-click
    it to view it.
  • On the Details tab, click Copy to File, and save
    the certificate as a Base-64 encoded X.509
    certificate.
  • Close the properties window for the certificate.
  • Close the Certificate Authority tool.

26
Step 4. Install the Certificate on the Web Server
  • Start Internet Information Services, if it's not
    already running.
  • Expand your server name and select the Web site
    for which you want to install a certificate.
  • Right-click the Web site, and then click
    Properties.
  • Click the Directory Security tab.
  • Click Server Certificate to launch the Web Server
    Certificate Wizard.
  • Click Process the pending request and install the
    certificate, and then click Next.
  • Enter the path and file name of the file that
    contains the response from the CA, and then click
    Next.
  • Examine the certificate overview, click Next, and
    then click Finish. A certificate is now installed
    on the Web server.

27
Step 5. Configure Resources to Require SSL Access
  • Start Internet Information Services, if it's not
    already running.
  • Expand your server name and Web site. (This must
    be a Web site that has an installed certificate.)
  • Right-click a virtual directory, and then click
    Properties.
  • Click the Directory Security tab.
  • Under Secure communications, click Edit.
  • Click Require secure channel (SSL). Clients
    browsing to this virtual directory must now use
    HTTPS.
  • Click OK, and then click OK again to close the
    Properties dialog box.
  • Close Internet Information Services.

28
How to Set Up Client Certificates
  • Step 1. Create a Simple Web Application
  • Step 2. Configure the Web Application to Require
    Client Certificates
  • Step 3. Request and Install a Client Certificate
  • Step 4. Verify Client Certificate Operation

29
Certificate Stores
  • Certificates are stored in safe locations called
    certificate stores. A certificate store can
    contain certificates, CRLs, and Certificate Trust
    Lists (CTLs). Each user has a personal store
    (called the "MY store") where that user's
    certificates are stored. The MY store can be
    physically implemented in a number of locations
    including the registry, on a local or remote
    computer, a disk file, a database, a directory
    service, a smart device, or another location.
  • While any certificate can be stored in the MY
    store, this store should be reserved for a user's
    personal certificates, that is, the certificates
    used for signing and decrypting that particular
    user's messages.
  • In addition to the MY store, Windows also
    maintains the following certificate stores:
  • CA and ROOT. This store contains the certificates
    of certificate authorities that the user trusts
    to issue certificates to others. A set of trusted
    CA certificates is supplied with the operating
    system and others can be added by administrators.
  • Other. This store contains the certificates of
    other people with whom the user exchanges signed
    messages.
  • The CryptoAPI provides functions to manage
    certificates. These APIs can be accessed only
    through unmanaged code. Also, CAPICOM is a
    COM-based API for the CryptoAPI, which can be
    accessed via COM Interop.

30
Certificate Revocation List
  • X.509 certificates and many other certificates
    have a valid time duration. A certificate can
    expire and no longer be valid. A CA can revoke a
    certificate for a number of reasons. To handle
    revocations, a CA maintains and distributes a
    list of revoked certificates called a Certificate
    Revocation List (CRL). Network users access the
    CRL to determine the validity of a certificate.

31
  • Certmgr.exe
  • Makecert.exe
  • The Certificate Creation tool (Makecert.exe)
    generates X.509 certificates for testing purposes
    only. It creates a public and private key pair for
    digital signatures and stores it in a certificate
    file. This tool also associates the key pair with
    a specified publisher's name and creates an X.509
    certificate that binds a user-specified name to
    the public part of the key pair.

32
Internet Explorer (IE)
  • Integrated Windows Authentication.
  • To enable this authentication method, in
    the Internet Options dialog box, click the
    Advanced tab, and then select the Enable
    Integrated Windows Authentication check box.
  • Server Certificate Revocation.
  • Internet Explorer 6 includes support for
    server certificate revocation, which verifies
    that an issuing CA has not revoked a server
    certificate. This feature checks for CryptoAPI
    revocation when certificate extensions are
    present. If the URL for the revocation
    information is unresponsive, Internet Explorer
    cancels the connection.
  • To enable server certificate revocation,
    in the Internet Options dialog box, click the
    Advanced tab, and then select the Check for
    server certificate revocation check box.

34
Installing and Removing Trusted Certificates
  • On the Tools menu, click Internet Options, and
    then click the Content tab. 
  • Click Certificates. 
  • Click one of the following tabbed categories for
    the type of certificates you want to install
    or remove
  • Personal. Certificates in the Personal
    category have an associated private key.
    Information signed by using personal certificates
    is identified by the user's private key data. By
    default, Internet Explorer places all
    certificates that will identify the user (with a
    private key) in the Personal category. 
  • Other People. Certificates in the Other
    People category use public key cryptography to
    authenticate identity, based on a matching
    private key that is used to sign the information.
    By default, this category includes all
    certificates that are not in the Personal
    category (the user does not have a private key)
    and are not from CAs.
  • Intermediate Certification Authorities.
    This category contains all certificates for CAs
    that are not root certificates.
  • Trusted Root Certification Authorities.
    This category includes only self-signed
    certificates in the root store. When a CA's root
    certificate is listed in this category, you are
    trusting content from sites, people, and
    publishers with credentials issued by the CA.
  • Trusted Publishers. This category contains only
    certificates from trusted publishers whose
    content can be downloaded without user
    intervention, unless downloading active content
    is disabled in the settings for a specific
    security zone. Downloading active content is not
    enabled by default. For each available security
    zone, users can choose an appropriate set of
    ActiveX security preferences.

36
  • 4. In the Intended Purpose box, select the filter
    for the types of certificates that you want to be
    displayed in the list.
  • 5. Work with particular certificates through one
    of the following methods:
  • To add other certificates to the list,
    click Import. The Certificate Manager Import
    Wizard steps you through the process of adding a
    certificate.
  • To export certificates from the list,
    click Export. The Certificate Manager Export
    Wizard steps you through the process of exporting
    a certificate.
  • To specify the default drag-and-drop
    export file format (when the user drags a
    certificate from the Certificate Manager and
    drops it into a folder), click Advanced.

38
  • To delete an existing certificate from the list
    of trusted certificates, click Remove. 
  • To display the properties for a selected
    certificate, including the issuer of the
    certificate and its valid dates, click View. 

39
Adding Trusted Publishers
  • To designate a trusted publisher for Internet
    Explorer, use the Security Warning dialog box
    that appears when you attempt to download
    software from that publisher.
  • To add a trusted publisher
  • 1. Use Internet Explorer to download signed
    active content from the publisher.
  • 2. When the Security Warning dialog box
    appears, select the Always trust content
    from trusted publisher check box.

40
To download the software and control and add the
publisher to the list of trusted publishers,
click Yes. 
41
  • Configuring Advanced Security Options for
    Certificate and Authentication Features
  • You can easily configure options for certificate
    and authentication features that your users might
    need.
  • To configure advanced security options for
    certificates
  • 1. On the Tools menu, click Internet
    Options, and then click the Advanced tab.
  • 2. In the Security area, review the
    selected options.
  • 3. Depending on the needs of your
    organization and its users, select or clear the
    appropriate check boxes. For example, to enable
    SSL 3.0, select the Use SSL 3.0 check box.
