CERTIFICATES

“a document containing a certified statement, especially as to the truth of something”

What is a Digital Certificate? Electronic counterparts to driver

licenses,passports. Enable individuals and

organizations to secure business and personal transactions across communication networks.

How do they secure the data? Authentication Integrity Encryption Token verification

Certification Authority(CA) Trusted entity which issue and

manage certificates for a population of public-private key-pair holders.

A digital certificate is issued by a CA and is signed with CA’s private key.

X.509 Version 3 Digital Certificate

Types of Certificates Root or Authority certificates

These are self signed by the CA that created them Institutional authority certificates

Also called as “campus certificates” Client certificates

These are also known as end-entity certificates,identity certificates,or personal certificates.

Web server certificates used for secure communications to and from Web servers

Getting a Certificate

Create an encryption Private and Public key pair.

Create a Certificate Request based on your key. - Send all the required details Like Server,company,Location, state,country and also the documents

proving your identity. Send the certificate request to your choice of CA .

CA confirms the accuracy of the information submitted .

The certificate is signed by a device that holds the private key of the CA.

The certificate is sent to the subscriber and also a copy of it may be submitted to the certificate repository, such as a directory service

for publication.

Distribution of Certificates

Systems and channels that are not necessarily protected by confidentiality,authentication and integrity.

The certificate is self-protecting: The CA’s digital signature inside the certificate provides both authentication and integrity protection.

Distribution via Directory Services: Lightweight Directory Access Protocol (LDAP). This is nothing more than access protocol used to retrieve the certificate for recipient.

X.509 Certificate Format

Version: Indicator of version 1,2 or 3. Serial number: Unique identifying number for this certificate. Signature:Algorithm identifier of the digital signature algorithm. Issuer: X.500 name of the issuing CA. Validity:Start and expiration dates and times of the certificate. Subject:X.500 name of the holder of the private

key(subscriber). Subject public-key information:The value of the public-key

for the subject together with an identifier of the algorithm with which this public-key to be used.

Issuer unique identifier: An optional bit string used to make the issuing certification authority name unambiguous.

Subject unique identifier: An optional bit string used to make the subject name unambiguous.

X.509 Certificate Format

Extensions: Used for incorporating any number of additional fields into the certificate.

Extension Type: contains an object identifier value i.e. governs the basic data type (text string,date….etc) .

Criticality indicator: Simple flag that indicates whether an occurrence of an extension is critical or non-critical. The purpose of this is to accommodate environments in which different system implementations recognize different sets of extensions.

X.509 Certificate Format

Standard Certificate Extensions. Key Information: These are used to allow the administrators

to limit the purpose for which certificates and certified keys can be used. Like CRL-signing,certificate signing …..etc.

Policy Information: convey certificate policy i.e. use of these extensions which relate to the CA’s practices.

Subject and Issuer attributes:Support alternative names for certificate subjects and issuers.

Certification path constraints: Help different domains link their infrastructures together.

Extensions related to CRL’s

Certificate Revocation

Canceling a certificate before than its originally scheduled validity period.

Certificate Revocation Lists (CRL) A CRL is a time-stamped list of revoked certificates that

has been digitally signed by a CA and made available to certificate users.

Each revoked certificate is identified in a CRL by its certificate serial number – generated by the issuing CA.

X.509 Certificate Revocation List

X.509 CRL Format Version: Indicator of version 1 or 2 format Signature: Indicator of the algorithm used in signing this

CRL Issuer:Name of the authority that issued this CRL This update: Date and time of issue of this CRL Next update: Date and time of issue of next CRL (optional) Certificate Serial Number: Serial number of a revoked or

suspended certificate. Revocation date: Effective date of revocation or

suspension of a particular certificate. CRL entry extensions: Additional fields CRL extensions: Additional fields that must be attached to

the full CRL.

X.509 CRL Format of Extensions and Entry-Level Extensions

General Extensions:: Like CRL number – incrementing number for each CRL issued in sequence covering the same certificate population. Invalidity date:: This is CRL entry extension field indicates a date when it is known or suspected that a private key was compromised.

CRL Distribution Point :: Identifies the point or points that distribute CRL’s on which a revocation notification for this certificate would appear if this certificate were to be revoked.

Delta-CRL’s: It is a digitally signed list of the changes that occurred since the issuance of the prior base CRL.

X.509 CRL Format of Extensions

Indirect CRL’s : Allows a CRL to be issued by a different authority from the one that issued the certificate.

Certificate Suspension: An item may be held on a CRL rather than revoked. It can be specified in the entry-level extensions as “certificate hold”.

Status Referrals: It is a signed,time stamped list of CRL’s and their respective CRL scopes that a certification authority currently uses.

Distributing CRL’s

Issuing CRLs regularly such as hourly,daily or weekly…. Decision of CA. Can be distributed easily using the communications and server systems which do not need much security – as these are digitally signed. Limitation: Time granularity of revocation is limited to the CRL issue period.

Online Status Checking: uses OCSP ( Online Certificate Status Protocol). The responder is the CA or the authorized person by the CA. The OCSP response is digitally signed, contains the identifier of the responder, time of response, status. Limitation: Very expensive.

Using Pre-existing certificates (verisign)

IF the IP address or Domain name is changed – then the certificate needs to be changed.

If you are changing your Server Software – because verisign

issues the certificates considering the server software and IP address/domain name configuration.

Digital Certificates In SSL(Secure Socket Layer)

SSL is used to create a secure connection between a user and a web page on the Internet.

It uses the Digital Certificates to authenticate the identities of the parties involved in the transaction.

IT works as following: Once you access a secure URL the browser passes the

following information to the server: Browser’s SSL version number, list of the encryption algorithms it supports, and a string of randomly generated data.

Then the Server replies with the same information as above along with it’s Digital Certificate.

Digital Certificates In SSL(Secure Socket Layer)

If the server requires client authentication, it will send a request asking for the client’s digital certificate.

Now the Browser will first authenticate the identity of the server : validity dates of the server’s certificate

trusts" the CA that issued the server certificate(by looking for the root certificate from the CA .

Then it will decrypt the digital signature on the server’s certificate

If the browser can successfully decrypt the signature, it accepts the certificate as valid proof of the server’s identity.

Digital Certificates In SSL(Secure Socket Layer)

The browser now determines the strongest encryption algorithm supported by both parties and creates a "premaster secret" from the data involved in the transaction thus far. The premaster secret is encrypted using the server’s public key and is passed to the server.

The server may also verify the validity of the client, then it will also check for all the corresponding details. Once the client validity is confirmed…. The server will decrypt the premaster secret .

Since both know the this value they will perform a series of calculations and calculate the “ master secret ”.Both should have arrived at the same value..so now they create a “session key”.

Digital Certificates In SSL(Secure Socket Layer)

The SSL secure connection is now in place and the browser and server begin exchanging data using the symmetric session key.