CRISC

Course
Time
5 hours 20 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson covers digital certificates. Digital certificates are the X.509 v.4 standard and provide authenticity of a servers public key. Digital certificates are necessary to avoid MITM attacks with servers using SSL or TLS. They are digitally signed by a certificate authority. This lesson also covers the public key infrastructure (PKI): - Certificate authority (CA) - Registration Authority (RA) - Certificate repository - Certificate revocation list

Video Transcription

00:04
Okay, so there's a lot of information symmetric versus asymmetric. Then how we get privacy, authenticity, integrity and non repudiation. Really, Just one more piece that we have to add to this to make it Ah ah to make it complete. And that's when the fact that we need to talk about digital certificates Okay,
00:23
let's go back to that idea of S s l
00:25
If you'll remember, or of course, t l s today. If you'll remember, we said I'm gonna start the connection using H T. T. P. S right. And that signals to my banking server. I want a secure connection,
00:38
right? And then my banking server sends me back there public key.
00:43
But here's the problem with that.
00:45
I don't know. I don't have any assurance that I'm really talking to my legitimate banking server. If all I do is sitting out a query that says, Hey, Bank of America, semi your public key
00:56
and I get some numbers back, I can assume that's Bank of America. But really we could be in the middle of a man in the middle attack. Somebody could have stepped in and said, uh im Bank of America here is my public key
01:07
and given me their own public key, everything I'm encrypting with that key, or at least the session keep. So basically, the problem is, if I asked you for a key and all you send me back or string of characters across the wire, there's no proof that that's really your key. So how can I get a guarantee that I'm
01:26
getting the legitimate Keith
01:27
from the server I'm attempting to connect with? Well, the answer is through the use of a digital certificate. Now don't get me wrong. Nothing is foolproof. And I'm not trying to say that by any stretch of the imagination. That's why all week long we're going to continue to talk about layer defense layer defense, layer defense so important
01:47
no one means to rely upon for security.
01:49
But ultimately, when I asked Bank of America for a secure connection, what I'm wanting is their public key. But they don't just send me the public, he on the line. What they do is they send me a digital certificate.
02:01
Okay, so what that digital certificate does is it tells me the name of the server.
02:07
It tells me that servers public, he and you can't see all the fields on the certificate now, But it's going to tell me the name of the server. So I'll know I'm talking to Bank of America. It's gonna tell me its expiration date. So I know the certificates valid. It's gonna give me the public key, which is very important. And it's
02:25
also and here's the rial money shot, if you will.
02:30
What makes the certificate meaningful? What guarantees that it wasn't spoofed that it hasn't been changed is this certificate has been hash and the hash has been encrypted by a trusted authority
02:45
and that trusted authority we refer to as a C a a certificate authority.
02:50
Okay, so I get a certificate from Bank of America showing me their public he map to their name, which again, you can't see it on this certain it It's on there. And ultimately, what makes it meaningful? If someone I trust, for instance, very sign is a very well known certificate authority, there are many others. They're stalled in Baltimore and lots of them.
03:09
Ah, but ultimately the fact that this certificate is hashed
03:13
and it's encrypted with Vera signs. Private key.
03:17
What does that mean? I need very signs public key to decrypt
03:22
the hash. And if I can decrypt the hash with various signs public, I know it was encrypted with fire signs private, so it had to have come from Very sign
03:31
I hash and make sure my hash matches that on the certificate. So I know it hasn't been modified. So ultimately now I have very signs assurance that this really is the bank I was trying to connect to. This really is their public key. It hasn't been expired and other types of information.
03:50
So it's really digital certificates
03:52
that make this meaningful. And a digital certificate is on. Leah's trusted as the certificate authority whose issued it.
04:00
If I asked for a secure connection with you and you give me a certificate from
04:03
Billy Bob certification authority, I don't trust that I'm gonna get that air message in my browser that pops up and says, This is an untrusted authority.
04:14
My greatest concern with this is I'll guarantee you 90% of the users when they get a certificate error.
04:20
Their thought process goes like this.
04:24
What is the first button I can click on to make this pesky security warning go away so I can hurry up and give my credit card to an unknown stranger across the Internet.
04:34
And I know that sounds ridiculous, but I cannot tell you how quickly people dismiss error messages today without even reading them. If my bank can't give me a legitimate
04:46
certificate from a trusted authority, we have a problem. It's worth picking up the phone and doing some investigation, but I think we've got so desensitized. We've gotten so desensitized to the security air messages that we just ignore them and go on about our business. We need to slow down. A security message is just that.
05:06
It's a message that indicates to me I may not have a secure connection as I want, so we have to slow down with those messages and be very careful
05:15
in order to make certificates work. It's not just magic. We have to have an infrastructure that supports this Ah, lot of times for our internal network. Like, for instance, maybe I'm teaching a class of 50 students and I want to give them a website that they can connect to and download their homework securely,
05:32
right? So I want them to have a secure connection. Well, I'm not gonna go out and pay. Ah, Vera sign or any of the other certificate authorities for a certificate that's too expensive for what I need.
05:44
So I can actually set up my own internal public key infrastructure, which means I'm gonna need a certificate authority.
05:50
I could just created a new authority called Kelly C A.
05:55
And I can issue my web server certificate signed by Kelly. See A When everybody connects in, they will be issued, or they'll query for on https connection and exchange. I'll give them my certificate.
06:08
But remember that certificate is signed by an unknown entity to the users, right? They don't trust Kelly. See a That's okay. I can push that trust out through group policy, or I can give them Kelly, see a to import into their browsers locally. So the bottom line is, if you set up an internal C A,
06:28
you have to have a certificate authority. You have to create
06:30
that trust. You might also have a registration authority that helps offload some of the work. Poncey, eh? You've gotta have somewhere to store your certificates. You've gotta have somewhere to revoke certificates and some means of expressing that certificates have been revoked as well.
06:46
So you don't just magically wave a wand and get a certificate infrastructure in place.
06:51
There really is a lot of overhead in a lot of work to be done, but again, cost benefit analysis. If it's important that we authenticate and we get non repudiation within our organization, it is worth going these additional steps.

Up Next

CRISC

Archived Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor