Certificates

Digital Certificates

  • Definition: A digital certificate is a file containing both a public key and a digital signature.
  • Analogy: Functions similarly to a digital version of an identification card, offering capabilities beyond mere authentication.

Purpose of Digital Certificates

  • Trust Creation:
    • Essential in IT security for establishing trust when granting access to systems.
    • Digital certificates provide assurance that the individual using a username/password is indeed the authorized entity.
  • Certificate Authority (CA):
    • Digital certificates can be signed by a Certificate Authority, which acts as a trusted third party.
    • If the CA trusts the individual, users similarly trust the individual based on the CA's validation.

Methods of Establishing Trust

  • Web of Trust:
    • An alternative to centralized CAs where individuals sign each other's certificates, creating a decentralized trust model.
    • Example: Trusting a friend who has signed the certificate of a third party leads to the assumption that the third party can be trusted as well.
  • Internal Certificate Authority:
    • Organizations can create their own certificates without a third-party CA, utilizing tools like Microsoft Windows Domain Services or various third-party software options.

Certificate Information and Format

  • Web Browser Indicators:

    • When connected to a secure website, indicators like a lock icon in the address bar appear, allowing users to view certificate details.
    • The universal format for digital certificates is called X.509, allowing diverse systems to read the certificates.

  • Contents of X.509 Certificates:

    • Serial Number
    • Version
    • Signature Algorithm
    • Issuer Information: Who issued the certificate.
    • Subject (Holder) Information: Who owns the certificate.
    • Public Key: Essential for cryptographic operations.
    • Additional Information: Various data that helps enhance security.

Trust Validation Process

  • Trusted Third Party:
    • Browsers use trusted CAs to validate the trustworthiness of a site.
    • When visiting a new site, validation occurs in real-time, allowing users to verify authenticity through browser checks.
    • Root of Trust: The fundamental trust anchor provided by either hardware, software, or firmware.

Certificate Creation Process

  1. Certificate Signing Request (CSR):
    • Generated using a public key along with identifying information for the server and organization.
    • The CSR is sent to a Certificate Authority.
  2. Validation by CA:
    • The CA performs a validation process to confirm ownership of the website associated with the CSR.
  3. Signing the Certificate:
    • If validated, the CA signs the certificate using its private key and returns it to the requester.
    • This signing is crucial as it associates trust with the issued certificate.

Internal CA Setup

  • Local Certificate Authority:
    • Organizations accustomed to internal applications can set up their own CA.
    • Installation involves deploying the CA's public certificate on all organizational devices to establish trust locally.
  • Software Options for Internal CA:
    • Microsoft Windows Certificate Services
    • OpenCA
    • Other third-party options.

Subject Alternative Name (SAN) and Wildcard Certificates

  • Wildcard Certificates:
    • Good for organizations with multiple subdomains; can use a single certificate to cover numerous services (e.g., *.example.com covers example.com, mail.example.com, etc.)
    • Facilitates ease of management across various domain services with minimal configuration.

Revocation of Certificates

  • Certificate Revocation List (CRL):

    • Maintained by the CA, this list contains all revoked certificates. It ensures that outdated or compromised certificates are flagged.

  • Case Study - Heartbleed Vulnerability:

    • Discovered in April 2014, the Heartbleed attack compromised server private keys, necessitating revocation of all affected certificates.

  • How to Access CRL Information:

    • Browsers link to CRL via “CRL Distribution Points” present in the certificate details.
    • Browsers download the CRL to verify if the certificate being used is still valid.

Online Certificate Status Protocol (OCSP)

  • Purpose of OCSP:
    • Provides an efficient way to check certificate revocation status without downloading a lengthy CRL.
    • Uses a digital signature from the CA to authenticate the status message.
  • OCSP Stapling:
    • Embeds the status information within the SSL handshake process, reducing dependency on external servers.
    • Browsers, if supported, can handle validity checks more rapidly and seamlessly as they connect to web servers.
  • Support Limitations:
    • Some older browsers or improperly configured newer browsers may not fully implement or support OCSP, leading to potential security vulnerabilities.

Conclusion

  • Understanding digital certificates and their functionalities is key for both personal security practices and organizational IT security measures. The entire process of creating, validating, and managing certificates is designed to foster trust in digital communications and transactions.