Chapter 6: Digital Certificates: Prof Bill Buchanan OBE

Chapter
6: Digital
Certificates
Introduction
Authentication Methods
PKI
Digital Certificate Passing
Prof Bill Buchanan OBE

http://asecuritysite.com/crypto06
http://asecuritysite.com/encryption
Identity on the Internet
Identifies it is trusted Keeps communications

(Digital Certificate) secure (encryption)
Trent
Bob Trap-door
Eve
Fundamental
principles
Authentication.
Confidence/Assurance.
Privacy/Confidentiality.
Authentication
(Device, Confidentiality Assurance
User, Servers, (Encryption) (Integrity)
Connections, etc)
Bob
Introduction
Fred
Bert
Authentication
Author: Prof Bill Buchanan

Authentication
Eve Authentication is a
fundamental issue in security.
Bob Alice
Public-key
Introduction
How do we know that it was really Bob

who sent the data, as anyone can get
Authentication
Alice’s public key, and thus pretend to

be Bob?
Authentication
Eve
Authentication is a
Bob
Alice
Public-key
Introduction
How can we tell that the message has

not been tampered with?
Authentication

Authentication
Eve Authentication is a
Alice
Bob
Public-key
Introduction
How does Bob distribute his public key

to Alice, without having to post it onto a
Authentication
Web site or for Bob to be on-line when

Alice reads the message?
Authentication
Authentication is a
Trent
Bob
Alice
Introduction
Who can we really trust to properly

authenticate Bob? Obviously we can’t
Authentication
Eve
trust Bob to authenticate that he really
is Bob.

Chapter 6: Digital
Certificates
Introduction

What to authenticate?
Systems.
Users.
Data.
Servers.
Devices
Methods
Users
Authentication
Hello. How are you? Is this

okay?
Data Systems

Where authenticated?
End-to-end. User to service.

Intermediate. Part of the
authentication process.
User
Device Server Service
Intermediate Intermediate
device device
End-to-end authentication
Methods
User
Device Server Service
Intermediate
Authentication
Intermediate
device device
Intermediate authentication
Authentication type
Device Server One-way server.

One-way client.
Two-way.
One-way server authentication. Server provides

User authentication to the client, such as SSL (HTTPS,
FTPS, etc). ID
Device
One-way client authentication. Client provides

User
Methods
authentication to the server such as EAP-TLS in

ID
Wireless.
Authentication
Mutual authentication. Client and server provide ID

User to authenticate each other. Examples include PEAP in
ID ID
wireless.
Authentication type
One-way server.
One-way client.
User Two-way.
Device Server
Service
Intermediate Intermediate
device device
Device name
Username/password Digital Certificate
Digital Certificate Pass phrase
Token Card MAC address
Soft Tokens Encryption key
Methods
Session key
Pass phrase
Biometrics
Authentication

Authentication
methods
Iris scans Something you have

Something you know
Something you are
Retina Digital
scan certificate
Network/physical
Palm address
prints
Methods
Something you
Something you
Finger prints are
have
Smart card
Authentication
Mother’s maiden name

Username/
password Something you
know
Chapter 6: Digital
Certificates
Introduction
PKI

Eve Digital Certificates
Digital certificates are a soft

token of authentication, and
require a trust mechanism.
Alice
Bob
Public-key
One method is the digital certificate

which can carry the public key (and
also the private key, if nesc.)
Digital Cert.
How does Bob distribute his

Now that we need the public key to Alice, without
public key to either having to post it onto a Web
encrypt data for a site or for Bob to be on-line
receipiant, or to
Authentication
when Alice reads the

authenticate a sender... message?
How to store the private key and pass the public key?
Bob
Details
Public-key
Digital Cert.
Authentication
Issuer
Thumbprint
Digital certificate contains a thumbprint to verify it

Bob
This certificate has both

This certificate has only public and private key
the public key
Digital Cert.
Authentication
Digital certificates should only be distributed with the public key

P7b format
-----BEGIN CERTIFICATE-----
Bob MIID2zCCA4WgAwIBAgIKWHROcQAAAABEujANBgkqhkiG9w0BAQUFADBgMQswCQYD
VQQGEwJHQjERMA8GA1UEChMIQXNjZXJ0aWExJjAkBgNVBAsTHUNsYXNzIDEgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQDEw1Bc2NlcnRpYSBDQSAxMB4XDTA2
MTIxNzIxMDQ0OVoXDTA3MTIxNzIxMTQ0OVowgZ8xJjAkBgkqhkiG9w0BCQEWF3cu
YnVjaGFuYW5AbmFwaWVyLmFjLnVrMQswCQYDVQQGEwJVSzEQMA4GA1UECBMHTG90
aGlhbjESMBAGA1UEBxMJRWRpbmJ1cmdoMRowGAYDVQQKExFOYXBpZXIgVW5pdmVy
c2l0eTELMAkGA1UECxMCSVQxGTAXBgNVBAMTEFdpbGxpYW0gQnVjaGFuYW4wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvCFETyJL8VXAhbEMRzQI0gM81
ci75nMmsOamjZcb6fhGeMgoWmYcoscmQkrVjAKnoS+4mXznhcy3mdOb+sZbwOVaX
M5FOxhSrV+Q86hsK8cDc+1sqyJ8TQtufuDNs0NfNY6tR6q7CgGqQ8/VjSxNqzK39
iLUF1ahhyCet/ab6O/qWzL4iVsz2nmL4dyAuyilhLPlVbppHGdE6sDQXWYd0CpfV
ZN7pauD5fqBESfO6bUkCieI47AzRMQj3kHuDt7MexVW7aoX+nXLP4wn7IamaxasF
QvhdOKyCZhYs82JQDGatXRCqkklztmZW5i6GkPsE7XVuX265WJQ5afhp2hYlAgMB
AAGjggEXMIIBEzAdBgNVHQ4EFgQUzyZ/YcCJwT5opPHLPlcQKkOlkJwwYwYDVR0j
BFwwWoAUlP5Zh0V700k6CorvRMWB9ifVkBmhP6Q9MDsxCzAJBgNVBAYTAkdCMREw
DwYDVQQKEwhBc2NlcnRpYTEZMBcGA1UEAxMQQXNjZXJ0aWEgUm9vdCBDQYIBDTBN
BgNVHR8ERjBEMEKgQKA+hjxodHRwOi8vd3d3LmFzY2VydGlhLmNvbS9PbmxpbmVD
QS9jcmxzL0FzY2VydGlhQ0ExL2NsYXNzMS5jcmwwPgYIKwYBBQUHAQEEMjAwMC4G
CCsGAQUFBzAChiJodHRwOi8vb2NzcC5nbG9iYWx0cnVzdGZpbmRlci5jb20vMA0G
CSqGSIb3DQEBBQUAA0EATOCwGJ1tS0kTlupmpjkMl8IdxMmD5WuhszjBlGsMhPxI
H+vXhL9yaOw+Prpzy7ajS4/3xXU8vRANhyU9yU4qDA==
-----END CERTIFICATE-----
Digital Cert.
Authentication
The main certificate

formats include:
• P7b. Text format
• PFX/P12. Binary.
• SST. Binary.
Digital certificates should only be distributed with the public key

Eve A. Bob creates the message.
B. Bob encrypts with Alice’s public key
and sends Alice the encrypted message
C. Alice decrypts with her private key
D. Alice receives the message
Bob
Alice
A
Communications
Encryption Channel Decryption
Digital Cert.
Alice sends
B her digital
Hello certificate with
her public key
on it
C
Authentication
H&$d. Alice’s private

key
D Hello
Encrypting messages to Alice

Bob
Alice
A
Communications
Encryption/ Channel Encryption/
Decryption Decryption
Hello B
Hash C
Alice’s private
Digital Cert.
H&$d. key
Bob’s private
key D Hello
Hash
Authentication
Bob sends his

Digital certificate Alice checks the hash
to authenticate using Bob’s public key
himself from his certificate
Authenticating Bob
Chapter 6: Digital
Certificates
Introduction
PKI

Eve Digital Certificates
Digital certificates are a soft

token of authentication, and
require a trust mechanism.
Alice
Bob
Trent
Digital Cert.
Who do we trust to get

Bob’s certificate … we
can’t trust Bob, as he
Authentication
may be Eve… meet Trent.
Who can we trust to get the digital certificate from?

Trusted Root CA
Certificate Authority (CA)
Trent
The Trusted Root CE - Able to grant
(Trent) checks Bob’s certificates
identity and creates a Examples; Verisign,
certificate which he Entrust, Microsoft Trust.
signs
Trusted root certificates

are installed as a default
on the machine (or
installed with the user’s
permission)
Bob Trusted root certificate
PKI
Alice checks the signature of the

certificate to validate Bob.
Alice
Both Alice and Bob trust the
Authentication
CA (Trent) as a third party.
Public Key Infrastructure (PKI)

Trusted Root CA
Certificate Authority (CA)
Trent
- Able to grant
Eve tricks the CA to certificates
get a certificate with Examples; Verisign,
Bob’s name Entrust, Microsoft Trust.
Trusted root certificates

are installed as a default
on the machine (or
installed with the user’s
Eve permission)
Trusted root certificate
PKI
Alice checks the signature of the

certificate to validate Bob.
Alice
Both Alice and Bob trust the
Authentication
CA (Trent) as a third party.
Drawbacks of PKI
Trusted Root CA Certificate purposes:
• Secure email.
• Server authentication.
Trent • Code signing.

• Driver authentication.
• Time stamping.
• Client authentication.
• IP tunnelling.
• EFS (Encrypted File
System).
Trusted Root CA
- always trusted
PKI
Bob
Self signed
- Can never be trusted Trust2
Authentication
Intermediate CA
- Can be trusted for some
things
Levels of trust
The two main problems with digital
certificates are:
• Lack of understanding of how they

work.
• They can be spoofed.
So let’s look at a few … are they real or

fake?
PKI
Bob Eve
Authentication
Real or fake?
PKI
Bob Eve
Authentication
Real or fake?
Real or fake?
PKI
Bob
Authentication
Real!
Real or fake?
PKI
Bob Eve
Authentication
Real or fake?
Real or fake?
PKI
Eve
Authentication
Fake!
Real or fake?
PKI
Bob Eve
Authentication
Real or fake?
Real or fake?
PKI
Bob
Authentication
Real
Real or fake?
Chapter 6: Digital
Certificates
Introduction
PKI

Public key encryption … secret … identity ... trust
MegaCorp
Eve Trent
Alice’s Public Key

Bob’s Private Key
Bob’s Public Key Alice’s Private Key

MegaCorp
Eve Trent

Bob’s Private Key

MegaCorp
Eve Trent

Bob’s Private Key

MegaCorp
Eve Trent
Hello Alice, Alice’s Public Key

Bob’s Private Key Wish you were
here!
- Bob

MegaCorp
Eve Trent
Hello Alice, Alice’s Public Key

Bob’s Private Key Wish you were
here!
- Bob

Bob’s Private Key
MegaCorp
Eve Trent


Bob’s Private Key
Hello Alice,
Wish you were
here!
- Bob

MegaCorp
Eve Trent
Hello Alice,
Wish you were
Bob’s Private Key
here!
- Bob
Which key to open

Bob’s Public Key the message? Alice’s Private Key
MegaCorp
Eve Trent
Alice’s Private Key

Hello Alice,
Wish you were
Bob’s Private Key
here!
- Bob
Which key to open

Bob’s Public Key the message? Alice’s Private Key
MegaCorp
Eve Trent
Hello Alice,
Wish you were Alice’s Public Key
Bob’s Private Key here!
- Bob
Which key to we
open the signature
with? Alice’s Private Key
Bob’s Public Key
MegaCorp
Eve Trent
Hello Alice,
- Bob
Bob’s Public
Key

MegaCorp
Eve Trent
Hello Alice,
- Bob

Message
Message
Encrypted
MD5
MD5
The magic private key
Bob’s
private
key
Bob’s
Bob public
key
Authentication
Using Bob’s private key to authenticate himself

Message
Message
Encrypted
MD5
MD5
Bob
Bob’s
private Alice
key Encrypted
Content
Alice’s
Bob’s
public
public
key
key
Authentication
Alice’s
private
key
Bob encrypts the message/hash with Alice’s public key

Message
Message
Encrypted
Content
Encrypted
MD5 MD5
Bob
Bob’s
private
key
Bob’s
public
key
Alice
Alice’s
public
Authentication
key
Encrypted
Content
Alice’s
private
key
Bob encrypts the message/hash with Alice’s public key

Message
Message
Encrypted
Content
Encrypted
MD5 MD5
Bob
Bob’s
private
key
Bob’s
public
key
Alice
Alice’s
public
Message
Authentication
key
Encrypted
Content
Encrypted Alice’s
MD5 private
key
Alice decrypts the message

Message
Message
Encrypted
Content
Encrypted
MD5 MD5
Bob
Bob’s
private
key
Bob’s
public
key
Alice
MD5 (message)
Message
Authentication
Encrypted
Content Alice compares the MD5
Encrypted
MD5 (result) values. If they are the
MD5
same … Bob sent the
message
Alice decrypts the message

Chapter 6: Digital
Certificates
Introduction
PKI

Info MD5
Mail
Info
Bob
ZIP IDEA
RSA Sig Key
Email
Private-key encryption RSA
key
Alice
Public-key
Cardspace
Sender
Recipients
&54FGds
Hello. Private-key
Public-key
1. Secret-key
Is used to
encrypt
Secret-key Alice
message.
2. RSA is used to encrypt
Authentication
secret key with the

recipients public key.
&54FGds
Secret-key
2. RSA is used to encrypt Author: Prof Bill Buchanan

secret key with the
recipients public key.
Cardspace

Chapter 6: Digital Certificates: Prof Bill Buchanan OBE

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 6: Digital Certificates: Prof Bill Buchanan OBE

Uploaded by

Copyright:

Available Formats

Chapter

Prof Bill Buchanan OBE

Identifies it is trusted Keeps communications

Author: Prof Bill Buchanan

How do we know that it was really Bob

Alice’s public key, and thus pretend to

How can we tell that the message has

Author: Prof Bill Buchanan

How does Bob distribute his public key

Web site or for Bob to be on-line when

Who can we really trust to properly

Author: Prof Bill Buchanan

Prof Bill Buchanan OBE

Hello. How are you? Is this

Author: Prof Bill Buchanan

End-to-end. User to service.

Device Server One-way server.

One-way server authentication. Server provides

One-way client authentication. Client provides

authentication to the server such as EAP-TLS in

Mutual authentication. Client and server provide ID

Author: Prof Bill Buchanan

Iris scans Something you have

Mother’s maiden name

Prof Bill Buchanan OBE

Digital certificates are a soft

One method is the digital certificate

How does Bob distribute his

when Alice reads the

Author: Prof Bill Buchanan

Author: Prof Bill Buchanan

Digital certificate contains a thumbprint to verify it

This certificate has both

Author: Prof Bill Buchanan

Digital certificates should only be distributed with the public key

The main certificate

Digital certificates should only be distributed with the public key

H&$d. Alice’s private

Author: Prof Bill Buchanan

Encrypting messages to Alice

Bob sends his

Author: Prof Bill Buchanan

Prof Bill Buchanan OBE

Digital certificates are a soft

Who do we trust to get

may be Eve… meet Trent.

Author: Prof Bill Buchanan

Who can we trust to get the digital certificate from?

Trusted root certificates

Alice checks the signature of the

CA (Trent) as a third party.

Author: Prof Bill Buchanan

Public Key Infrastructure (PKI)

Trusted root certificates

Alice checks the signature of the

CA (Trent) as a third party.

Author: Prof Bill Buchanan

Trent • Code signing.

• Lack of understanding of how they

So let’s look at a few … are they real or

Author: Prof Bill Buchanan

Prof Bill Buchanan OBE