certificates
play

Certificates A ubiquitous form of authentication Generally used - PowerPoint PPT Presentation

Sep 21, 2022 •49 likes •339 views

Certificates A ubiquitous form of authentication Generally used with public key cryptography A signed electronic document proving you are who you claim to be Often used to help distribute other keys Lecture 5 Page 1 CS 236

  1. Certificates • A ubiquitous form of authentication • Generally used with public key cryptography • A signed electronic document proving you are who you claim to be • Often used to help distribute other keys Lecture 5 Page 1 CS 236 Online

  2. Public Key Certificates • The most common kind of certificate • Addresses the biggest challenge in widespread use of public keys – How do I know whose key it is? • Essentially, a copy of your public key signed by a trusted authority • Presentation of the certificate alone serves as authentication of your public key Lecture 5 Page 2 CS 236 Online

  3. Implementation of Public Key Certificates • Set up a universally trusted authority • Every user presents his public key to the authority • The authority returns a certificate – Containing the user’s public key signed by the authority’s private key • In essence, a special type of key server Lecture 5 Page 3 CS 236 Online

  4. Checking a Certificate • Every user keeps a copy of the authority’s public key • When a new user wants to talk to you, he gives you his certificate • Decrypt the certificate using the authority’s public key • You now have an authenticated public key for the new user • Authority need not be checked on-line Lecture 5 Page 4 CS 236 Online

  5. Scaling Issues of Certificates • If there are 1-2 billion Internet users needing certificates, can one authority serve them all? • Probably not • So you need multiple authorities • Does that mean everyone needs to store the public keys of all authorities? Lecture 5 Page 5 CS 236 Online

  6. Certification Hierarchies • Arrange certification authorities hierarchically • Single authority at the top produces certificates for the next layer down • And so on, recursively Lecture 5 Page 6 CS 236 Online

  7. Using Certificates From Hierarchies • I get a new certificate • I don’t know the signing authority • But the certificate also contains that authority’s certificate • Perhaps I know the authority who signed this authority’s certificate Lecture 5 Page 7 CS 236 Online

  8. Extracting the Authentication • Using the public key of the higher level authority, – Extract the public key of the signing authority from the certificate • Now I know his public key, and it’s authenticated • I can now extract the user’s key and authenticate it Lecture 5 Page 8 CS 236 Online

  9. A Example Alice gets a message with a certificate Then she uses Give me a to check certificate Should Alice saying that believe that he’s So she uses I’m really ? to check Alice has never How can heard of prove who But she has he is? heard of Lecture 5 Page 9 CS 236 Online

  10. Certification Hierarchies Reality • Not really what’s used – For the most part • Instead, we rely on large numbers of independent certifying authorities – Exception is that each of them may have internal hierarchy • Essentially, a big list • Is this really better? Lecture 5 Page 10 CS 236 Online

  11. Certificates and Trust • Ultimately, the point of a certificate is to determine if something is trusted – Do I trust the request enough to perform some financial transaction? • So, Trustysign.com signed this certificate • How much confidence should I have in the certificate? Lecture 5 Page 11 CS 236 Online

  12. Potential Problems in the Certification Process • What measures did Trustysign.com use before issuing the certificate? • Is the certificate itself still valid? • Is Trustysign.com’s signature/ certificate still valid? • Who is trustworthy enough to be at the top of the hierarchy? Lecture 5 Page 12 CS 236 Online

  13. Trustworthiness of Certificate Authority • How did Trustysign.com issue the certificate? • Did it get an in-person sworn affidavit from the certificate’s owner? • Did it phone up the owner to verify it was him? • Did it just accept the word of the requestor that he was who he claimed to be? • Has authority been compromised? Lecture 5 Page 13 CS 236 Online

  14. What Does a Certificate Really Tell Me? • That the certificate authority (CA) tied a public/private key pair to identification information • Generally doesn’t tell me why the CA thought the binding was proper • I may have different standards than that CA Lecture 5 Page 14 CS 236 Online

  15. Showing a Problem Using the Example What if uses ‘s lax Alice likes how policies to verifies identity pretend to be ? But is she equally happy with how verifies identity? Does she even know how verifies identity? Lecture 5 Page 15 CS 236 Online

  16. Another Big Problem • Things change – E.g., 2012 compromise of Adobe private keys • One result of change is that what used to be safe or trusted isn’t any more • If there is trust-related information out in the network, what will happen when things change? Lecture 5 Page 16 CS 236 Online

  17. Revocation • A general problem for keys, certificates, access control lists, etc. • How does the system revoke something related to trust? • In a network environment • Safely, efficiently, etc. • Related to revocation problem for capabilities Lecture 5 Page 17 CS 236 Online

  18. Revisiting Our Example Someone discovers that has obtained a false certificate for How does Alice make sure that she’s not accepting ‘s false certificate? Lecture 5 Page 18 CS 236 Online

  19. Realities of Certificates • Most OSes come with set of “pre-trusted” certificate authorities • System automatically processes (i.e., trusts) certificates they sign • Usually no hierarchy • If not signed by one of these, present it to the user – Who always accepts it . . . Lecture 5 Page 19 CS 236 Online

  20. An Example • Firefox web browser • Makes extensive use of certificates to validate entities – As do all web browsers • Comes preconfigured with several certificate authorities – Over 200 of them Lecture 5 Page 20 CS 236 Online

  21. Firefox Preconfigured Certificate Authorities • Some you’d expect: – Microsoft, RSA Security, Verisign, etc. • Some you’ve probably never heard of: • Unizeto Sp. z.o.o., Netlock Halozatbiztonsagi Kft.,Chungwa Telecom Co. Ltd. Lecture 5 Page 21 CS 236 Online

  22. The Upshot • If Netlock Halozatbiztonsagi Kft. says someone’s OK, I trust them – I’ve never heard of Netlock Halozatbiztonsagi Kft. – I have no reason to trust Netlock Halozatbiztonsagi Kft. – But my system’s security depends on them Lecture 5 Page 22 CS 236 Online

  23. The Problem in the Real World • In 2011, a Dutch authority (DigiNotar) was compromised • Attackers generated lots of bogus certificates signed by DigiNotar – “Properly” signed by that authority – For popular web sites • Until compromise discovered, everyone trusted them Lecture 5 Page 23 CS 236 Online

  24. Effects of DigiNotar Compromise • Attackers could transparently redirect users to fake sites – What looked like Twitter was actually attacker’s copycat site • Allowed attackers to eavesdrop without any hint to users • Apparently used by authorities in Iran to eavesdrop on dissidents Lecture 5 Page 24 CS 236 Online

  25. How Did the Compromise Occur? • DigiNotar had crappy security – Out-of date antivirus software But how – Poor software patching were you – Weak passwords supposed to – No auditing of logs know that? – Poorly designed local network • A company providing security services paid little attention to security Lecture 5 Page 25 CS 236 Online

  26. Another Practicality • Certificates have expiration dates – Important for security – Otherwise, long-gone entities would still be trusted • But perfectly good certificates also expire – Then what? Lecture 5 Page 26 CS 236 Online

  27. The Reality of Expired Certificates • When I hear my server’s certificate has expired, what do I do? – I trust it anyway – After all, it’s my server • But pretty much everyone does that – For pretty much every certificate • Not so secure Lecture 5 Page 27 CS 236 Online

  28. The Core Problem With Certificates • Anyone can create some certificate • Typical users have no good basis for determining whose certificates to trust – They don’t even really understand what they mean • Therefore, they trust almost any certificate Lecture 5 Page 28 CS 236 Online

  29. Should We Worry About Certificate Validity? • Starting to be a problem – Stuxnet is one example – Compromise of DigiNotar and Adobe also – Increasing incidence of improper issuance, like Verisign handing out Microsoft certificates • Not the way most attackers break in today • With all their problems, still not the weakest link – But now being exploited, mostly by most sophisticated adversaries Lecture 5 Page 29 CS 236 Online

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

RES212 Lab #1 Certificates, TLS and VPN The goal of this lab is to let you become acquainted with

RES212 Lab #1 Certificates, TLS and VPN The goal of this lab is to let you become acquainted with

https://res212.telecom-paristech.fr TP01v2 2018/05/22 RES212 Lab #1 Certificates, TLS and VPN The goal of this lab is to let you become acquainted with creating and managing cryptographic certificates for use in your application, for the Web

851 views • 16 slides
PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure

PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure

IN3210 Network Security PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure Threats to certificates / PKI Protecting certificates / PKI 2 Certificates Motivation 3 Motivation: TLS

1.68k views • 108 slides
Simplification & Integration www.apprenticeships.org.uk/certificates Apprenticeship

Simplification & Integration www.apprenticeships.org.uk/certificates Apprenticeship

Workshop: Simplification & Integration www.apprenticeships.org.uk/certificates Apprenticeship Certificates England (ACE) Gregg Moreton UK Systems Integration Manager Gregg.moreton@fisss.org www.apprenticeships.org.uk/certificates MY

812 views • 17 slides
Welcome to todays webinar on RET exemption certificates The webinar will commence at 2:00 PM

Welcome to todays webinar on RET exemption certificates The webinar will commence at 2:00 PM

Welcome to todays webinar on RET exemption certificates The webinar will commence at 2:00 PM (AEDT) Friday 14 December 2018 To hear the webinar, phone 1800 896 323 and enter code 33532697# Am I eligible for RET exemption certificates? For

357 views • 15 slides
Browser Interfaces and Extended Validation SSL Certificates: An Empirical Study Robert Biddle,

Browser Interfaces and Extended Validation SSL Certificates: An Empirical Study Robert Biddle,

Browser Interfaces and Extended Validation SSL Certificates: An Empirical Study Robert Biddle, P.C. van Oorschot, Andrew S. Patrick, Jennifer Sobey, Tara Whalen Carleton University, Ottawa, ON, Canada SSL Certificates & Cloud Computing

378 views • 34 slides
Certificates for cs.washington.edu 1 Certificates for GMail Important fields: Testing SSL

Certificates for cs.washington.edu 1 Certificates for GMail Important fields: Testing SSL

Certificates for cs.washington.edu 1 Certificates for GMail Important fields: Testing SSL Configuration (1) 3 Client completed verification of received certificate chain Testing SSL Configuration (2) 4 Received certificate chain (two

623 views • 49 slides
Certificates of Participation Presented to Board of Trustees February 25, 2020 Agenda Review

Certificates of Participation Presented to Board of Trustees February 25, 2020 Agenda Review

Discussion Certificates of Participation Presented to Board of Trustees February 25, 2020 Agenda Review Facts of Current Certificates of Participation (COP) History of Funding MJUSD Facilities Improvements Reasons COPs Were Needed

301 views • 13 slides
Remediation Certificates 101 Outline What are they? Regulatory basis for issuing

Remediation Certificates 101 Outline What are they? Regulatory basis for issuing

Remediation Certificates 101 Outline What are they? Regulatory basis for issuing remediation certificates Definitions and brief history of the program Why should I want one? Benefits for the site owner Benefits for the

325 views • 19 slides
Designing and Pricing Certificates Nima Haghpanah joint with Nageeb Ali, Xiao Lin, Ron Siegel

Designing and Pricing Certificates Nima Haghpanah joint with Nageeb Ali, Xiao Lin, Ron Siegel

Designing and Pricing Certificates Nima Haghpanah joint with Nageeb Ali, Xiao Lin, Ron Siegel May 8, 2020 1 / 15 Certification Labor markets, Financial markets, Products What certificates would an agent acquire and disclose? How would a

308 views • 15 slides
Who are you ? How can you identify someone? Certificates, Protocols: Machine to Machine

Who are you ? How can you identify someone? Certificates, Protocols: Machine to Machine

Who are you ? How can you identify someone? Certificates, Protocols: Machine to Machine Human to Machine ? Lets have some suggestions Be creative, not necessarily computer oriented Classification of identification methods

1.37k views • 97 slides
TLS/SSL and Certificates (CS 642) Earlence Fernandes earlence@cs.wisc.edu * Some slides are

TLS/SSL and Certificates (CS 642) Earlence Fernandes earlence@cs.wisc.edu * Some slides are

Transport Layer Security: TLS/SSL and Certificates (CS 642) Earlence Fernandes earlence@cs.wisc.edu * Some slides are borrowed from Clarkson, Shmatikov, Jana UW-Madison 1 Internet: The network of computers History - Started as (D)ARPANET

548 views • 33 slides
PROCAL / PROCAL-TRACK Using ProCal, ProCert or ProCal-Track PRINTING CERTIFICATES - Overview

PROCAL / PROCAL-TRACK Using ProCal, ProCert or ProCal-Track PRINTING CERTIFICATES - Overview

PROCAL / PROCAL-TRACK Using ProCal, ProCert or ProCal-Track PRINTING CERTIFICATES - Overview Certificate printing can be achieved using the following programs ProCert allows existing certificates to be re- printed at any time. ProCert can be

93 views • 5 slides
JMH Consulting Online marketing for degrees & certificates Certificate programs

JMH Consulting Online marketing for degrees & certificates Certificate programs

JMH Consulting Online marketing for degrees & certificates Certificate programs Lead generation & enrollment management 4 Reasons to choose JMH Premier universities trust us We carefully select our clients

631 views • 34 slides
Who do you Trust? The roles of certificates, certification authorities and the IGTF in Grid

Who do you Trust? The roles of certificates, certification authorities and the IGTF in Grid

Who do you Trust? The roles of certificates, certification authorities and the IGTF in Grid Computing T h e A m e r i c a s G r i d Policy Management Authority Prof. Vinod Rebello Instituto de Computao Universidade F ederal F

768 views • 18 slides
Long-term Storage of Forgery-Proof Certificates Patrick Roth, Omar Benkacem, Anne Ronchi, Pierre

Long-term Storage of Forgery-Proof Certificates Patrick Roth, Omar Benkacem, Anne Ronchi, Pierre

Long-term Storage of Forgery-Proof Certificates Patrick Roth, Omar Benkacem, Anne Ronchi, Pierre L'hostis, Rolf Brugger, Cline Restrepo Zea Long-term Storage of Forgery-Proof Certificates (WP 1.4) NTICE An exploratory study and reflections

536 views • 9 slides
Cryptography (+ Web Security): Certificates Spring 2015

Cryptography (+ Web Security): Certificates Spring 2015

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography (+ Web Security): Certificates Spring 2015 Franziska (Franzi) Roesner

505 views • 21 slides
We believe that we are on the verge of the Internet of Things explosion. Now is the time to make

We believe that we are on the verge of the Internet of Things explosion. Now is the time to make

We believe that we are on the verge of the Internet of Things explosion. Now is the time to make sure that IoT incorporates everything weve learned about digital security and infrastructure resiliency over the last 20 years of the Internet.

661 views • 50 slides
Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric, James Kasten, Michael Bailey, J.

Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric, James Kasten, Michael Bailey, J.

Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric, James Kasten, Michael Bailey, J. Alex Halderman University of Michigan Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric HTTPS and TLS How does HTTPS and the CA ecosystem

449 views • 24 slides
CYBER SECURITY By Sachin Dedhia CISA, CEH, ISO 27001 L.A., Ethical Hacker & Digital

CYBER SECURITY By Sachin Dedhia CISA, CEH, ISO 27001 L.A., Ethical Hacker & Digital

CYBER SECURITY By Sachin Dedhia CISA, CEH, ISO 27001 L.A., Ethical Hacker & Digital Forensics Expert Founder Skynet Secure Solutions , skynetsecure.com Email : Sachin@skynetsecure.com Phone : 91- 9867700095 Web Conference Security

828 views • 11 slides
PKI: Public Key Infrastructure What is it, and why should I care? Conference on Higher Education

PKI: Public Key Infrastructure What is it, and why should I care? Conference on Higher Education

PKI: Public Key Infrastructure What is it, and why should I care? Conference on Higher Education Wes Hubert Computing in Kansas Information Services June 3, 2004 The University of Kansas Why? PKI adoption will continue growing to support

1.28k views • 46 slides
Revocaton protocols of WebPKI and Revocaton Transparency Nikita Korzhitskii Niklas Carlsson

Revocaton protocols of WebPKI and Revocaton Transparency Nikita Korzhitskii Niklas Carlsson

Revocaton protocols of WebPKI and Revocaton Transparency Nikita Korzhitskii Niklas Carlsson Lifecycle of a typical WebPKI certfcate www.liu.se Certificate Certificate Authority Server 1. Issuance www.liu.se Hello 2. Use Certificate

377 views • 10 slides
Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano Rome Inductive Protocol Verification Define systems operational semantics Include honest parties and an attacker Model each

465 views • 22 slides
Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631

Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631

CUNSHENG DING Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631 CUNSHENG DING Computer Security HKUST, Hong Kong Lecture 11: Public-Key Infrastructure Main Topics of this Lecture 1. Digital

433 views • 25 slides
Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction

Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction

Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction Public Key Infrastructure (PKI) Economic Aspects Motivation Need for secure, trusted communication Growing certificate market

777 views • 49 slides

More recommend