X.509 Certificate management in .Net
By Vishnu Kamisetty, skamiset@cs.odu.edu
Overview of the topic
• General Discussion
• X.509 as in .NET
• Certificate Management Tools
• Web Services and X.509
Terminology
• Public Keys
  These are numbers associated with a particular entity, and are intended to be known to everyone who needs to have trusted interactions with that entity. Public keys are used to verify signatures.
• Digitally Signed
  If some data is digitally signed, it has been stored with the "identity" of an entity and a signature that proves that entity knows about the data. The data is rendered unforgeable by signing it with the entity's private key.
• Identity
  A known way of addressing an entity. In some systems the identity is the public key; in others it can be anything from a Unix UID to an email address to an X.509 Distinguished Name.
Terminology (contd.)
• Signature
  A signature is computed over some data using the private key of an entity (the signer).
• Private Keys
  These are numbers, each of which is supposed to be known only to the particular entity whose private key it is (that is, it is supposed to be kept secret). Private and public keys exist in pairs in all public key cryptography systems (also referred to as "public key crypto systems"). In a typical public key crypto system, such as DSA, a private key corresponds to exactly one public key. Private keys are used to compute signatures.
• Entity
  An entity is a person, organization, program, computer, business, bank, or something else you are trusting to some degree.
X.509 certificate in general
• What is a certificate?
  A public-key certificate is a digitally signed statement from one entity, saying that the public key (and some other information) of another entity has some specific value.
• A certificate securely binds a public key to the entity that holds the corresponding private key.
• Certificates are digitally signed by the issuing certification authority (CA) and can be issued for a user, a computer, or a service. This creates a trust relationship between two unknown entities.
• The X.509 standard defines what information can go into a certificate, and describes how to write it down (the data format).
Properties of X.509 certificates
A certificate has the following properties:
• Version
• Serial Number
• Signature Algorithm Identifier
• Issuer Name
• Validity Period
• Subject Name
• Subject Public Key Information
'To-be-performed' actions on the certificates:
• Generate
• Display
• Import
• Export
• Access
• Manage
(Java API: CertificateFactory, Certificate, CRL, X509Certificate, X509Extension, etc.)
X.509 Certificates in .NET
• Managing X.509 Certificates
• Signing a SOAP Message Using an X.509 Certificate
• Verifying Digital Signatures of SOAP Messages Signed by an X.509 Certificate
• Encrypting a SOAP Message Using an X.509 Certificate
• Decrypting a SOAP Message Encrypted with an X.509 Certificate
Managing X.509 Certificates
• Obtain an X.509 Certificate
• Using the X.509 Certificate Management Tools
• Making X.509 Certificates Accessible to WSE
• Specifying the Certificate Authority Certificate Chain Used to Verify Signatures
Signing a SOAP Message Using an X.509 Certificate
• Obtain the X.509 certificate.
• Create a custom policy assertion.
• Override the SecureMessage method.
• Add references.
• Add Imports.
• Add code to get an X.509 certificate.
• Get the client's X.509 certificate.
• Add the X.509 certificate.
• Create a new instance of the MessageSignature class.
• Add the digital signature to the SOAP header.
Verifying Digital Signatures of SOAP
• To configure WSE to validate digital signatures for incoming SOAP messages.
• To use code to require that incoming SOAP messages be signed using an X.509 certificate and that the required XML elements were signed.
Encrypting a SOAP Message Using an X.509 Certificate
• Obtain the recipient's X.509 certificate.
• Install the recipient's X.509 certificate.
• Create a custom policy assertion.
• Override the SecureMessage method.
• Add references to the Microsoft.Web.Services3 and System.Web.Services assemblies.
• Add Imports.
• Add code to get an X.509 certificate.
• Encrypt and optionally sign the SOAP message.
Decrypting a SOAP Message Encrypted with an X.509 Certificate
• Include a <soapServerProtocolFactory> element in the <webServices> section.
• Apply a policy to the Web service that requires SOAP messages to be encrypted by an X.509 certificate.
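What "encrypting a SOAP message to the recipient's X.509 certificate" amounts to, shown as an added example that is not code from the presentation or from WSE. WS-Security does not RSA-encrypt the body directly: it generates a symmetric content key, encrypts the body under it (the EncryptedData element) and wraps that key with the public key from the recipient's certificate (the EncryptedKey element). The struct below mirrors those two pieces; the SOAP body and the key sizes are constructed for the example, and the recipient's public key is taken straight from a generated RSA key pair rather than read out of a certificate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed SOAP body; in WSE this would be the Body element selected for encryption.
const plainBody = `<soap:Body><Transfer xmlns="urn:example"><Amount>100</Amount></Transfer></soap:Body>`

// EncryptedMessage mirrors the two pieces WS-Security carries: a content key wrapped
// for the recipient (EncryptedKey) and the body encrypted under that key (EncryptedData).
type EncryptedMessage struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, content key)
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM(content key, body), tag appended
}

// oaepLabel binds the wrapped key to its purpose; both sides must use the same value.
var oaepLabel = []byte("soap-content-key")

// encryptBody is the sender side: only the holder of the recipient's private key
// can unwrap the content key and therefore read the body.
func encryptBody(body []byte, recipient *rsa.PublicKey) (*EncryptedMessage, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, contentKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &EncryptedMessage{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}, nil
}

// decryptBody is the recipient side. A wrong private key fails at the unwrap step and a
// tampered ciphertext fails GCM authentication; neither yields a wrong plaintext silently.
func decryptBody(msg *EncryptedMessage, recipient *rsa.PrivateKey) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, msg.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap content key: %w", err)
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
}

func main() {
	recipientKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg, _ := encryptBody([]byte(plainBody), &recipientKey.PublicKey)
	out, err := decryptBody(msg, recipientKey)
	fmt.Printf("decrypted: %s (err=%v)\n", out, err)
}
```

The service-side configuration on the slide (the policy that requires encrypted messages) is what makes the recipient reject a plaintext body outright; the code above only covers what happens once an encrypted message has arrived. Encryption alone says nothing about who sent the message, which is why the previous slide lists "encrypt and optionally sign" as one step.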
Examples
• To verify that incoming SOAP messages are signed using an X509SecurityToken security token.
• For signing and encrypting a SOAP request to a Web service.
References
• http://msdn2.microsoft.com/En-US/library/aa529568.aspx
• http://www.codeproject.com/useritems/X509Certificate.asp
• http://www.eggheadcafe.com/articles/20021231.asp
• http://www.aspfree.com/c/a/VB.NET/Securing-Web-Services-with-X509-Certificates/