1 / 12

Certificates

Certificates. ID on the Internet. SSL. In the early days of the internet content was simply sent unencrypted. It was mostly academic traffic, and no one was buying stuff from Amazon using credit cards, so the potential for serious fraud was low.

Download Presentation

Certificates

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Certificates ID on the Internet

  2. SSL • In the early days of the internet content was simply sent unencrypted. It was mostly academic traffic, and no one was buying stuff from Amazon using credit cards, so the potential for serious fraud was low. • Plus, grad students (who ran the systems) are inherently trustworthy • You can still see some unencrypted traffic with wireshark if you go to an http site

  3. SSL • Secure Sockets Layer (SSL, sometimes called TLS for Transport Layer Security) addresses this by encrypting the payloads of packets sent on the wire. • Sometimes described as a “shim” between the application and transport layer • First, establish a TCP socket • Then, conduct an additional negotiation to do things like securely exchange session encryption keys • Finally, exchange payload data in encrypted format

  4. SSL • Remember, the payload is encrypted, but the IP and TCP headers are not. This means an attacker can still do traffic analysis on you; they may not be able to tell what the content is, but they can tell you’re communicating with the site and can see source and destination Ips

  5. Certificates • How do you know the server you’re talking to really belongs to, for example, NPS? • Somebody subverts DNS and when you type in www.nps.edu it goes to their IP • Man-in-the-middle attack: there’s someone between you and the real server, talking to both sides • To prevent this (to an extent) we can use certificates

  6. Certificates • How do you know Joe Blow you see on the street is who he says he is? You can ask for his driver’s license • Issued by a trusted third party • Somewhat difficult to forge

  7. Certificates • A certificate is a “driver’s license” form of ID—a trusted third party (called the certificate authority) does some amount of due diligence and confirms you are who you say you are, then issues you a cryptographically signed certificate • For a web server, this includes the server name, institution information, and the public half of a public/private key pair

  8. Certificate Info

  9. Certificate Info • Issued by: GoDaddy • Information about the server • Public key for the server • Signed by GoDaddy (hash of certificate created, then encrypted with the CA’s private key). The encrypted hash can be decoded with the CA’s public key and compared to your own hash of the information in the certificate to confirm the certificate has not been altered

  10. Certificates • The certificate is placed on your web server configuration, with access to your private key • The web server distribution (eg, Firefox, IE Explorer, Safari, etc) have a list of trusted CAs with predefined CA certificates preloaded • These are the “state DMVs” that issue driver’s licenses that we are willing to recognize as valid identification • You can also load your own CAs, for example for DoD, which is not preloaded on most commercial web browsers

  11. Certificates • You go to a web site. It uses https and has a cert. Your browser downloads the cert and checks to see if it is signed by an approved CA. If so, the access is allowed • If not, the browser will usually present you with a dialog that asks whether you want to accept the cert • For development work, many people use “self signed certs,” or set up their own CA and sign the cert themselves.

  12. How Secure? • Sort of! • A number of CAs trusted by web browsers (“DMVs”) have been shown to have lax security measures and their private signing keys were compromised, for example DigiNotar by Iranian authorities • Some CAs are owned by, for example, the PLA. In a more secure environment you’d want to remove these CAs from your browser • Against a state actor relying on the public CAs is risky—stick with the NSA for defense against that • Even sophisticated private actors can sometimes subvert certificate-based security

More Related