Certificates, Keys, Web Browsers, and

Security

- Sumanth Gelle

Contents: Keys

Symmetric Encryption Asymmetric Encryption Hybrid Encryption

Certificate What does Certificate contain Authentication with certificate How to set up SSL on a web server Certificate Revocation Lists

Browser Internet Explorer

What Does Cryptography Solve? Confidentiality

Ensure that nobody can get knowledge of what you transfer even if listening the whole conversation

Integrity Ensure that message has not been modified

during the transmission Authenticity

You can verify that you are talking to the entity you think you are talking to

Confidentiality--- Encryption is the answer Integrity--- Hashing is the answer Authentication--- Digital Certificate is the answer Cryptography is key management

KeysSymmetric Keys

““An intro to An intro to PKI and few PKI and few deploy hints”deploy hints”

““AxCvGsmWe#4^,AxCvGsmWe#4^,sdgfMwir3:dkJeTssdgfMwir3:dkJeTsY8R\s@!q3%”Y8R\s@!q3%”

““An intro to An intro to PKI and few PKI and few deploy hints”deploy hints”

Clear-text inputClear-text input Clear-text outputClear-text outputCipher-textCipher-text

Same keySame key(shared secret)(shared secret)

EncryptionEncryption DecryptionDecryption

DESDES DESDES

Symmetric Encryption Symmetric algorithms require the creation of a key and an

initialization vector (IV) that must be kept secret from anyone who should not decrypt your data.

TripleDESCryptoServiceProvider TDES = new TripleDESCryptoServiceProvider();

TDES.GenerateIV(); TDES.GenerateKey();

When the previous code is executed, a key and IV are generated when the new instance of TripleDESCryptoServiceProvider is made. Another key and IV are created when the GenerateKey and GenerateIV methods are called.

Asymmetric Encryption Asymmetric algorithms require the creation of a public key

and a private key. The public key can be made public to anyone, while the private key must known only by the party who will decrypt the data encrypted with the public key.

//Generate a public/private key pair. RSACryptoServiceProvider RSA = new RSACryptoServiceProvider();

//Save the public key information to an RSAParameters structure.

RSAParameters RSAKeyInfo =RSA.ExportParameters(false);

Assymetric Encryption Continued… To create an asymmetric key and save it in a key container Create a new instance of a CspParameters class and pass the name that you want

to call the key container to the CspParameters.KeyContainerName field. Create a new instance of a class that derives from the AsymmetricAlgorithm class (usually

RSACryptoServiceProvider or DSACryptoServiceProvider) and pass the previously created CspParameters object to its constructor.

To delete a key from a key container

Create a new instance of a CspParameters class and pass the name that you want to call the key container to the CspParameters.KeyContainerName field.

Create a new instance of a class that derives from the AsymmetricAlgorithm class (usually

RSACryptoServiceProvider or DSACryptoServiceProvider) and pass the previously created CspParameters object to its constructor.

Set the PersistKeyInCSP property of the class that derives from AsymmetricAlgorithm to false

(False in Visual Basic). Call the Clear method of the class that derives from AsymmetricAlgorithm. This method releases

all resources of the class and clears the key container.

Example: SSL

PrivPriv

pubpub PrivPriv

pubpub

Clear text

Encrypt

Cipher 1

Encrypt

Cipher 2

Transmission over the public network

Cipher 2

Cipher 1

Decrypt

Clear text

Decryptpubpub

Ensures confidentiality And integrity if digitally

signed depending on how public

key are exchanged Authenticity, Identity, Non-

repudiation

pubpub

Real World: Hybrid Encryption(typical for encrypted file storage)

Clear-textClear-textmessagemessage

Randomly-Generated Randomly-Generated symmetric “session” key symmetric “session” key

SymmetricallySymmetricallyEncryptedEncryptedmessagemessage

SymmetricSymmetricEncryptionEncryption

Digital Digital EnvelopeEnvelope

Recipient’sRecipient’spublicpublic key key

AsymmetricAsymmetricEncryptionEncryption

of session keyof session key

Repeat as necessaryRepeat as necessary Digital Digital EnvelopeEnvelope

Public key ofPublic key ofother recipientother recipientor recovery agentor recovery agent

AsymmetricAsymmetricEncryptionEncryption

of session keyof session key

ENCRYPTEDENCRYPTEDDOCUMENTDOCUMENT

Real World: Hybrid Decryption

SymmetricallySymmetricallyEncryptedEncryptedmessagemessage

Clear-textClear-textmessagemessage

SymmetricSymmetricDecryptionDecryption

Digital Digital EnvelopeEnvelope

ENCRYPTEDENCRYPTEDDOCUMENTDOCUMENT

Digital Digital EnvelopeEnvelope

Digital Digital EnvelopeEnvelope

AsymmetricAsymmetricdecryptiondecryption

of session keyof session key

Private key ofPrivate key ofthe recipientthe recipient

Take the appropriate digital Take the appropriate digital envelope containing the envelope containing the ““session” key encrypted session” key encrypted using recipient’s public keyusing recipient’s public key

““session” key is session” key is decrypted using decrypted using the recipient the recipient private keyprivate key

UNENCRYPTEDUNENCRYPTEDDOCUMENTDOCUMENT

PKI (Public Key Infrastructure) Public Key Infrastructure provides the

technologies that enable practical distribution of public keys” Using CERTIFICATES

Certificates

What does Certificate contain?

Owner's public key  Owner's name or alias  Expiration date of the certificate  Serial number of the certificate  Name of the organization that issued the certificate  Digital signature of the organization that issued the

certificate 

Authentication with Certificates

Owning a Certificate of Gianni does not mean that you are Gianni Owning a Certificate does not imply you are

authenticated How would you verify that the person who

comes to you pretending to be Gianni and showing you a certificate of Gianni is really Gianni ? You have to challenge him ! Only the real Gianni has the private key that goes in

pair with the public key in the certificate.

Authentication with Certificates Denise gets Gianni’s certificate She verifies its digital signature

She can trust that the public key really belongs to Gianni But is it Gianni standing if front of her, or is that Michel ?

Denise challenges Gianni to encrypt for her a random phrase she generated (“I like green tables with flowers”)

Gianni has (if he is the real Gianni) the private key that matches the certificate, so he responds (“deRf35D^&#dvYr8^*$@dff”)

Denise decrypts this with the public key she has in the certificate (which she trusts) and if it matches the phrase she just generated for the challenge then it must really be Gianni himself !

How to Set Up SSL on a Web Server Step1. Generate a Certificate Request Step 2. Submit a Certificate Request Step 3. Issue the Certificate Step 4. Install the Certificate on the Web server Step 5. Configure Resources to Require SSL

Access

Step 1. Generate a Certificate Request Start the IIS Microsoft Management Console (MMC) snap-in. Expand your Web server name and select the Web site for

which you want to install a certificate. Right-click the Web site, and then click Properties. Click the Directory Security tab. Click the Server Certificate button within Secure

communications to launch the Web Server Certificate Wizard. Note   If Server Certificate is unavailable, you probably selected a virtual directory, directory, or file. Go back to Step 2 and select a Web site.

Step2. Submit a Certificate Request Use Notepad to open the certificate file generated in the previous

procedure and copy its entire contents to the clipboard. Start Internet Explorer and navigate to http:// hostname/CertSrv, where

hostname is the name of the computer running Microsoft Certificate Services.

Click Request a Certificate, and then click Next. On the Choose Request Type page, click Advanced request, and

then click Next. On the Advanced Certificate Requests page, click Submit a

certificate request using a base64 encoded PKCS#10 file, and then click Next.

On the Submit a Saved Request page, click in the Base64 Encoded Certificate Request (PKCS #10 or #7) text box and press CTRL+V to paste the certificate request you copied to the clipboard earlier.

In the Certificate Template combo box, click Web Server. Click Submit. Close Internet Explorer.

Step3. Issue the Certificate Start the Certification Authority tool from the

Administrative Tools program group. Expand your certificate authority, and then select the

Pending Requests folder. Select the certificate request you just submitted. On the Action menu, point to All Tasks, and then click

Issue. Confirm that the certificate is displayed in the Issued

Certificates folder, and then double-click it to view it. On the Details tab, click Copy to File, and save the

certificate as a Base-64 encoded X.509 certificate. Close the properties window for the certificate. Close the Certificate Authority tool.

Step4. Install the Certificate on the Web Server

Start Internet Information Services, if it's not already running.

Expand your server name and select the Web site for which you want to install a certificate.

Right-click the Web site, and then click Properties. Click the Directory Security tab. Click Server Certificate to launch the Web Server

Certificate Wizard. Click Process the pending request and install the

certificate, and then click Next. Enter the path and file name of the file that contains the

response from the CA, and then click Next. Examine the certificate overview, click Next, and then

click Finish. A certificate is now installed on the Web server.

Step5. Configure Resources to Require SSL Access

Start Internet Information Services, if it's not already running.

Expand your server name and Web site. (This must be a Web site that has an installed certificate.)

Right-click a virtual directory, and then click Properties. Click the Directory Security tab. Under Secure communications, click Edit. Click Require secure channel (SSL). Client's browsing

to this virtual directory must now use HTTPS. Click OK, and then click OK again to close the Properties

dialog box. Close Internet Information Services.

How to Set Up Client Certificates Step 1. Create a Simple Web Application Step 2. Configure the Web Application to

Require Client Certificates Step 3. Request and Install a Client

Certificate Step 4. Verify Client Certificate Operation

Certificate Stores Certificates are stored in safe locations called a certificate stores. A

certificate store can contain certificates, CRLs, and Certificate Trust Lists (CTLs). Each user has a personal store (called the "MY store") where that user's certificates are stored. The MY store can be physically implemented in a number of locations including the registry, on a local or remote computer, a disk file, a data base, a directory service, a smart device, or another location.

While any certificate can be stored in the MY store, this store should be reserved for a user's personal certificates, that is the certificates used for signing and decrypting that particular user's messages.

In addition to the MY store, Windows also maintains the following certificate stores:

CA and ROOT. This store contains the certificates of certificate authorities that the user trusts to issue certificates to others. A set of trusted CA certificates are supplied with the operating system and others can be added by administrators.

Other. This store contains the certificates of other people to whom the user exchanges signed messages.

The CryptoAPI provides functions to manage certificates. These APIs can be accessed only through unmanaged code. Also, CAPICOM is a COM-based API for the CryptoAPI, which can be accessed via COM Interop.

Certificates Revocation List X.509 certificates and many other certificates have a valid

time duration. A certificate can expire and no longer be valid. A CA can revoke a certificate for a number of reasons. To handle revocations, a CA maintains and distributes a list of revoked certificates called a Certificate Revocation List (CRL). Network users access the CRL to determine the validity of a certificate.

Certmgr.exe Makecert.exe The Certificate Creation tool generates X.509 certificates

for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This tool also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.

Internet Explorer (IE) Integrated Windows Authentication. To enable this authentication method, in the Internet Options dialog box, click

the Advanced tab, and then select the Enable Integrated Windows Authentication check box.

Server Certificate Revocation. Internet Explorer 6 includes support for server certificate revocation,

which verifies that an issuing CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions are present. If the URL for the revocation information is unresponsive, Internet Explorer cancels the connection.

To enable server certificate revocation, in the Internet Options dialog box, click the Advanced tab, and then select the Check for server certificate revocation check box.

Installing and Removing Trusted Certificates

On the Tools menu, click Internet Options, and then click the Content tab.  Click Certificates.  Click one of the following tabbed categories for the type of certificates you want to

install or remove: •Personal. Certificates in the Personal category have an associated private key.

Information signed by using personal certificates is identified by the user's private key data. By default, Internet Explorer places all certificates that will identify the user (with a private key) in the Personal category. 

•Other People. Certificates in the Other People category use public key cryptography to authenticate identity, based on a matching private key that is used to sign the information. By default, this category includes all certificates that are not in the Personal category (the user does not have a private key) and are not from CAs.

 •Intermediate Certification Authorities. This category contains all certificates for CAs that are not root certificates.

 •Trusted Root Certification Authorities. This category includes only self-signed certificates in the root store. When a CA's root certificate is listed in this category, you are trusting content from sites, people, and publishers with credentials issued by the CA.  •Trusted Publishers. This category contains only certificates from trusted publishers whose content can be downloaded without user intervention, unless downloading active content is disabled in the settings for a specific security zone. Downloading active content is not enabled by default. For each available security zone, users can choose an appropriate set of ActiveX security preferences

4.In the Intended Purpose box, select the filter for the types of certificates that you want to be displayed in the list.

 5.Work with particular certificates through one of the following methods:

•To add other certificates to the list, click Import. The Certificate Manager Import Wizard steps you through the process of adding a certificate.

•To export certificates from the list, click Export. The Certificate Manager Export Wizard steps you through the process of exporting a certificate.

  •To specify the default drag-and-drop export file format (when the user drags a certificate from the Certificate Manager and drops it into a folder), click Advanced.

To delete an existing certificate from the list of trusted certificates, click Remove. 

•To display the properties for a selected certificate, including the issuer of the certificate and its valid dates, click View. 

Adding Trusted Publishers To designate a trusted publisher for Internet Explorer, use

the Security Warning dialog box that appears when you attempt to download software from that publisher.

To add a trusted publisher 1.Use Internet Explorer to download signed active content from

the publisher.  2.When the Security Warning dialog box appears, select the

Always trust content from trusted publisher check box

To download the software and control and add the publisher to the list of trusted publishers, click

Yes. 

Configuring Advanced Security Options for Certificate and Authentication Features

You can easily configure options for certificate and authentication features that your users might need.

To configure advanced security options for certificates 1.On the Tools menu, click Internet Options, and then

click the Advanced tab.  2.In the Security area, review the selected options.  3.Depending on the needs of your organization and its

users, select or clear the appropriate check boxes. For example, to enable SSL 3.0, select the Use SSL 3.0 check box. 

References http://it-dep-is-techmeet.web.cern.ch/it-dep-is-techmeet/

TechMeeting/2003-09-08/PKI-Intro.ppt#338%2c1%2cA-to-Z http://it-dep-is-techmeet.web.cern.ch/it-dep-is-techmeet/

TechMeeting/2003-10-22/2003-10-20-PKI-Intro-Hepix.ppt#394%2c11%2cExample

https://www.microsoft.com/technet/prodtechnol/ie/reskit/6/part2/c06ie6rk.mspx?mfr=true

http://resources.nznog.org/Friday-240306/RobertLoomans-SSLandTLSCertsForUserAuthentication/NZNOG-client-certs.ppt#294%2c5%2cWhy

http://msdn2.microsoft.com/en-us/bfsktky3.aspx