So here's how this is working. Like I said, I think really the best way to see this street used something like SSL.
Okay, so in, of course S S L T l s really is what we're primarily using but the same ideas. Stuart's the same one. All right, So let's say that we have a server, maybe a Web server for Bank Bank of America.
And I have a client who's trying to make a secure connection
so that client's gonna initiate a secure connection. Using a CPS is it's protocol hypertext transfer protocol secure. And when that secure says is that tells faith America, we want to set up a secure connection so brave American needs to send the client the public eats.
So I'll call this guy the client.
We'll be talking about BankAmerica's the server. So basically, this s says, Hey, server, shouldn't your public eat?
Now? Remember, there is nothing secret about a public key.
Bank of America will happily send them their own public e.
So by America comes that with thanks America's public key.
we could go with this public key Now, when the client wants to sense something secret Bank of America. It could use Bank America's public. He do so and that's true.
But then what? One Bank of America used to send information to the client?
Well, the client doesn't have a public key. There's nobody that's given the flying public. He it may or may not have one.
And even if that were the case, each individual message would be encrypted. Something different, very cumbersome in a lot of overhead.
So this is the first step.
This is the second step.
But here's where things get interesting. That's a cell
with the third sick. The client will generate
Okay, so this client specifically finds Web browser generates its heat.
We'll say that he is 8439 now, obviously being much longer key. But just for brevity, say we're saying that's the symmetric key to client Generate?
Well, it cost the client generated it.
The client knows key. It's the one that came up,
but with symmetrical Thomas. See, the trouble is how I get this key
to the Bank of America Server.
Bank of America server. That's the problem with symmetric rooftop.
were encrypting a key with the Maquis?
So I've asked making America for the public e They give it to me
and I take the America's public key,
and I use that to grip the session key that I've just generated.
Now that session keys encrypted with Bacon, America's public.
What's the only thing that can decrypt
Bank of America's problems?
So what I've done is after a security key castration
by using asymmetric cryptography.
Why, so that I could get a symmetric he distributed between two parties. And once I have that submission that symmetric he distributed. Now I have symmetric battle takes shape
that's desirable with the symmetric. Cryptography is fast, and we don't know how much data there is to be shaped.
This is a very, very common idea.
That's right. A pleasure keeps change, symmetric that exchange, and we sometimes refer that is, having a secure channel set up
because it's ultimately everything
that is transmitted that it's encrypted with session key. So it's like we're both connected on the same channel, and only these two parties know what channel the tune into
that's what's called Secure Channel. But the idea is, I've used asymmetric cryptography to exchange keys specifically to exchange the session key. Now I could do some metric that exchange very, very common Nike with different geography. Let's use a cement itself the problems that we had.
But ultimately what we really want to do is symmetric
and you see this best in an SSL.
we have one more consideration to make with this, but I really want to make sure that this makes sense because against such a foundational principle,
so asymmetric key exchange cement your dad extra.
But here's the problem with this.
When the client says, Hey, Bank of America, I want a secure connection.
What's to keep somebody from intercepting that very stepping in and saying,
I'm back America and here's my peak.
The answer is right now. No, there's nothing that prevents that because, as you may have noticed, we don't have any built in authenticity to this. I ask Bank of America for a public E. Somebody comes back and says, We have public eat.
It could be an impersonator for all I know, and then everything I'm sending to that impersonators encrypted with their public Keep.
So what? I mean, is it this step? I need some assurance. I need some authenticity.
And here shall that authenticity comes
prior to Bank of America ever being Webster,
a Bank of America is deciding. Hey, we wanna have a Web presence 30 years ago or however long good
what Bank of America did
and really specifically somebody representing the Bank of Miracle Web server
to a company like beer sign.
Their sign is a c A.
And see a stands for certificate authority.
Just get it working.
And I choose bear sign because they're very well respected in the industry. Most folks have heard of Verizon. If you haven't, you may have heard of thought Or Baltimore,
uh, trust they're just a bunch of them. But this being certificate authority that most people respect, all right. A representative from BankAmerica showed up at the beer sign office in person,
provided that with the driver's license, credit card information, financial information on the bed, credit records, all of that stuff.
And they have proved that they are a legitimate organization. Thanks, America,
In exchange for that, what Bank of America did I'm sorry. What Verizon did
is they gave BankAmerica.
Now what's on that certificate?
Well, first of all, the name Bank of America. And if you've ever connected to a server with a secure connection and you've been here a message saying something like the name on the certificate does not match the name you entered,
so there's going wrong with that piece of it.
Now what else is on there?
Well, an expiration date.
Class numbers, because the class and certificate will indicate Hey, this is authorized to be banking.
Where's another tough certificate? May not have that high degree of authorization, a serial number
So it's the certificate authority that binds a publican private key pair
to the identity of surfing. Vera Sign says Bank of America is public. He 8767530 no,
whatever that might be.
But how I know it really comes from theirs and how I know that it comes from their son that hasn't been modified in trades. We already know the answer to that.
How do we know this certificate hasn't been modified with a spear sign? Do before it gives it to Bank of America.
It hash is here and to the entire
well, have a line. Looking from Verizon.
What is fair signing? Crypto hash? Shouldn't crypto hash
with the certificate authority
If I've been decrypt that hash with Verizon's public key,
I know it came from Paris on
hash. This certificate of my cash matches the hash on there. I know it hasn't been months, so this just continues to build on the principles we talked about.
Okay, so this happened years ago.
Baby America has a certificate. So when I say hey, server Cindy, your call a key Bank of America doesn't just send a string of characters back over the line. Anybody could do that
what Bank America does sends me their certificate in. That certificate, of course, contains their public key. But because it's essentially signed by trusted authority like Verizon, I have that gear and tea. And let me just say there are no guarantees in this world of death and taxes. So
when I say 30 I mean we get a good, solid, reasonable assurance
that that really is Bank of America because they're able to give me a certificate signed by someone I trust that says this is America and here's their public e.
So this is really just building on the ideas that we talked about.
What makes all this necessary or what makes all this possible
and that public key infrastructure says we must have a certificate of authority and it's not cheap or easy to set up a series of certificate authorities.
There's not just a single, very signed certificate authority, right
tons of your signed certificate, authorities,
the process of being America having, um, age to query
this certificate authority their side and say, Hey, I need a certificate.
Me is applying. Having software to understand certificates means applying it, being able to check and see if Bass America's certificate has been revoked.
And one of the ways that used to be handled
is by me contacting the issue of authority and say, Hey, can you send me your certificate revocation list? So when you talk about bringing public and private keys in here,
uh, in asymmetric cryptography, there's a lot that has to happen. This isn't cheap or easy.
You need your ticket authorities, you need certificates. You need a way to buying those two users. Ivy's You need to have fusion applications and protocols that understand certificates
in Petain. Public Key is
so It's not easy to make this work,
not to mention the fact that we've got to find some way to make sure the client has fierce on
and all those other certificate authorities.
So we've got quite a bit that's going on here that's necessary in order to make this work.
Now, we'll refer to their son as a trusted authority.
And yet here signs will know they've been in the business for a long time. People knew steps that go through in order to verify, think America's identity, for they never give a certificate. But when we talk about trust, it's actually much more than this.
We talked about trusting their sign with that really means trust
really means I have the certificate authorities
public. So when I say I trust their son, that means I have very signs couple keep
and how I got there signs public key,
uh, was that within my browser,
it's automatically been living for
essentially, I'm trust fear sign
because Microsoft says thou shalt trust fear, sign and As a matter of fact, if we do
open up our browser, okay. So as I mentioned just a minute it when we say that we trust a certificate authority,
what that really means is that in our Web browser, we've essentially been told to trust and the way I'll just open up the next floor that's very commonly used.
So again, essentially trust because Mike yourself says to trust
so loaded into our Web browser, we have trusted certification authorities
and you can see many of theirs. Did you, sir, go, Daddy? Of all things
I thought so on but their spirits on. And if I open up that certificate that's automatically populated in my browser, by the way we see how the hash on rhythm is shot one. Just like we expect.
R. S A is an asymmetric algorithm that creates the signature for us.
But as I scroll down to see a zay scroll down,
there's the public key of their side
so that public key is in my Web browser, and it's this public key
is able to decrypt the hash on the certificate. Then I know that certificate was issued by their song.
If the hash that I produced matches the hash of the certificate. I know it hasn't been modified,
so the real meaning of the certificate is that it's signed by trusting authority.
It was signed by somebody else that may be a rogue CIA, or it may not be your alive.
So essentially what happens is Microsoft says these were distributed authorities we deem to be relied. Well, that's fine. But in a more secure environment, what we would likely do is remove every one of these and on Lee, populate them with ones that we feel are trustworthy.
This may be shocking, but we may not always
trust Microsoft's judgment for security purposes. Who went the reality that sink in with shock and all settle just for a few minutes.
But the bottom line is, any time you allow things to happen automatically, you know you give up some control for ease of use updates so very important to keep your system up today.
But calls sometimes thes updates, push out fraudulent certificate. Authorities were certificate authorities that have been compromised. Did you know Tara had a compromise last year? They were out of his is a very, very short period of time. So basically, this is a weight pushing out and say, Wait, the trustees
and you'll also see ones that look legitimate, like, uh,
Microsoft, Google or whatever. But ultimately, their fraudulent certificates now also mentioned that within my environment, let's say that Eyes Instructor wanted to set up a Web server. And I want all my students to be able to connect in,
download this room the whole work securely.
Well, I can certainly do that. But the problem with that is, if you're gonna be able to connect to be securely using SS allergy, unless I need a certificate
well, very side in a certificate you're saying with The problem with that is I'm too cheap to go to their side and get a certificate because the certificate from fair Sign could cost hundreds or even thousands of dollars not gonna happen.
So what? I could do this. I could set up my own certificate of authority,
and I could issue certificates. Kelly's Webster. Now, that's kind of an environment where
I vouch for myself, if you know what I mean. This is Kelly's Web server because Kelly says it's Kelly's Webster.
You would never want to do something like that for with the strings actions. But for an internal office environment, why not set your own P K I?
Well, there's over head with it,
but it may save your money overboard. Move here, sign it may give you greater
greater control, greater security. So if I do have a certificate authority,
and I want you to trust that, see, A every Web browser has the option where you could enforce certificates into the Web browser or even better, after we push that out with policy and group policy will talk about some this week because it's just a quick, easy way to push out software to push out certificates or configuration seven.
So I've been set up in internal chaos.
Well, when somebody tries to connect to that Web server, they're gonna get the certificate message
a word of caution. We are so desensitized to error messages and morning messages.
Often when someone gets a security warning saying you know the certificate authority that is signed, the certificate untrusting
or the name on this certificate does not match to the and you typed in
most people stop process goes like this.
What is the first Latin. I can click on to make this pesky air message go away.
So I think hurry upsetting my credit card to some unknown stranger on the Internet.
And that's really what's happening with people go off cancelled.
I started this business 20 years ago working help. This
used to drive me crazy. You'd show up but somebody's desk and they'd say, or they call you. I'm getting this weird air A message. What was it? What did it say? I get my pencil ready to write it down alive, although I should cancel.
You know, we're so desensitized to these fear messages every now and then that you're a message might actually figure help you figure out what's going on.
But the bottom line is, we're allowing their users become so desensitized. I can't tell you how many times I've seen the network admin say, Just play. Cancel that air message. Don't worry about it.
Well, that's okay. Except now the user in their mind they security messages or be cancelled out.
What they are enforcing training their employees to do is disregard security messages. That's dangerous. That's a problem. That is a flaw in the things that we do.
I said My piece. That's just my little soapbox. I'd like to get on because so many times his network at
for the sake of expediency were miss training or or trading
are. So That's the essential nature of certificates. When a server gives you their public key, you need to know that that servers public, he really is legitimate.
Who did it come from? Who says that's bank miracles public? Why do I trust that?
Well, we have trusted certificate authorities than trust of the certificate is only as good as the trust of the authorities
and the trust of the public keeping is only as good as the trust.
So all this stuff that we build on with Krypton you just builds and builds and builds, and it's what comes together to make a couple.
and I would certainly expect civil certificate questions on me, Sam, because it is very about
one of the saying, I inventions that. So I go to Bank America's A client, and I say, Give me your niche.
Bank America comes back and tells me they're searching. Send me back
what as a client I should do is say, Hang on, Bank America, Let me go check and make sure the certificate has not been revoked.
Now, I mentioned you guys earlier A list called krill, The C r l.
And that stood for certificate
revocation. I also So I want you to know that after him I also want you to know the acronym O. C s
online certificate status.
And that's the protocol that streamlines the ability
a certificate has been.
And I know I'm right at the bottom with war may not be ableto read my handwriting, so O. C s online certificate status
online should get says for the whole purpose of this is to make it easier for clients to check whether an honest little bit has been with and that's a configuration setting in your Web browser. And for a long time, it was a very cumbersome process. So clients never even checked to see if the certificate has been revoked.
It's like if you were gonna speaking,
the police officer pulls you over and looks at your driver's license. Just because you have a driver's license doesn't mean it's a valid.
That officer should always go back to the car called it in the driver's license. Make sure it hasn't been suspended. Vote, say my field certificates. So online certificate satisfy protocol makes it easier for clients to check and see if the certificate has been with
now. That's quite a bit of information with a public key public infrastructure certificate. Authorities have some of that work. This is something that is testable. Certainly, obviously this expensive. I'm on it. You really want with you this material and make sure that you're solid.
There's so many things that we'll just talk about matter exactly
moving for her bro's. Or later we will talk that DNA said. Or a little further in SSL. Whatever. So many things that we do are gonna just require that you haven't understand symmetric versus a SIM entry
certificates, public key infrastructure. So I would encourage you before you move for really to review that section is very important