PKI Continued


Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
Building on our last two lessons, we said that before a bank provides online banking, it goes to a certificate authority and it obtains a digital certificate. Then the bank installs that certificate on its web server so that when a client requests a secure connection, the bank provides that certificate. Let's talk about certificates a little bit more in depth.

But first, I want to talk about driving, and you'll see the parallels in just a few minutes. Maybe you've had this experience or maybe you haven't. But if you have what we call a lead foot, you may have been pulled over for speeding before, and you know that when an officer pulls you over for speeding, he'll typically ask you for your driver's license and registration. While you are looking for those things, he will probably ask you your name. Now, wouldn't you agree that the name you give should probably match the name that appears on your driver's license? Otherwise, you might have a problem on your hands. The next thing he would likely check is that the license is not expired, and then the next thing he checks for is the class. This is an indication of the type of vehicle you are authorized to drive. Then he's likely to check the serial number on your license so that he can look it up and make sure it's not revoked. The reason he knows what information he can find on the driver's license and where it will be is that driver's licenses are standardized; that way, regardless of what state you are in, the license should be accepted and understood anywhere in the United States. Then the last thing the officer might do is tilt the license back and forth in the sunlight. Why does he do that? Well, he does that so he can see the hologram or watermark. That tells him that the license was issued by a trusted authority, and if it doesn't have that, it's a strong indication that it's counterfeit. If there is no way to be sure it was issued by a trusted authority, then nothing on that license really matters.

This is exactly the way certificates work in the PKI. When the folks at Bank of America go get a certificate from Verisign or whoever is their certificate authority, the name of that server will be on the certificate. That's how you would know that you are connected to the right server. It shouldn't be an expired certificate. It also has a class. The higher the class, the more authorized the certificate should be. Meaning a class 1 certificate only indicates a match with an email address, whereas if you get to class 3 or 4, you get digital signing and other rights and trust levels. Now, it will also have a serial number or license number that'll be used to determine whether the certificate has been revoked. We'll see that in a few minutes. Is it standardized? Yes. The standard for digital certificates is X.509. You'll need to know that standard for the test. Then the last piece is, was it issued by a trusted authority? Yes, and it is digitally signed by that certificate authority. Certificates have a lot in common with driver's licenses. Let's look at one.

You can see this digital certificate, which follows the X.509 standard, and you can see some of the fields on the certificate. You can see the public key there, and if I scroll up on this screenshot, you'd be able to see the name and the expiration date. You can see that it's digitally signed using SHA1 and RSA, and this is how a server authenticates its SSL or TLS, and proves who it is. It provides the public key that is issued by a trusted authority, and you know that because it's hashed and the hash is encrypted with that trusted authority's private key. When your public key can decrypt that hash, you know it came from a trusted authority.

The heart and soul of public key infrastructure is the certificate authority, because the trust in the certificate comes from the trust in the certificate authority. Now, there are some other elements that make up a public key infrastructure. The certificate authority is the most important element. There are also registration authorities, or RAs, which take some of the off-loaded work from the certificate authority. Verisign might hire a company to do the verification and checks, and that company would be the RA. In our bank scenario, when the bank provides us all of its proof and documentation, there might be an RA that does that verification, but only the CA can issue the certificate. There's also a certificate repository. Your browser, where you hold digital certificates for Verisign and all the other trusted authorities: that's the certificate repository.

Then also, traditionally, there has been a certificate revocation list, or CRL, that clients have had to download to verify whether the server certificate is valid and hasn't been revoked. In a few minutes, we'll see how this has been modernized. For a long time, clients had to download the entire CRL and verify a certificate's revocation status every time they received a certificate. Now, since then, we've evolved past that. We're now dealing with a protocol called OCSP, online certificate status protocol. Now OCSP has made it more streamlined to determine a certificate's revocation status. What happens is that the certificate authority will publish the CRL on a regular basis. It's the job of the OCSP responder to pull from the CRL periodically throughout the day. When my client goes to the OCSP server and asks whether the certificate has been revoked, the OCSP responder will indicate whether it has been revoked or not, as of the last time that it was updated.
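The checks the lecture lists, the name on the certificate, its expiry, a trusted issuer and a serial number looked up against the CA's published CRL, carried out in code as an added Go example (standard library only; it is not part of this course or transcript) that serves both the certificate walkthrough above and the CRL discussion here. It builds a throwaway CA in memory and issues a certificate to the hypothetical host online.bank.example; the CA name, the host name and the already-revoked serial 4242 are all constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { // fixture helper: an error here is a bug in the example, so panic
	if err != nil {
		panic(err)
	}
	return v
}
// BuildPKI builds a throwaway CA, issues "online.bank.example" a certificate with the given serial, and publishes the CA's CRL, on which serial 4242 is already revoked (all constructed, in memory).
func BuildPKI(now time.Time, leafSerial int64) (ca, leaf *x509.Certificate, crlDER []byte) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // the CA may sign certificates and CRLs
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(leafSerial), // the "license number" a CRL refers to
		Subject: pkix.Name{CommonName: "online.bank.example"}, DNSNames: []string{"online.bank.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)} // validity period
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafKey.Public(), caKey)))) // signed by the CA
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(4242), RevocationTime: now}}}
	return ca, leaf, must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)) // the CRL is signed by the CA too
}
// CheckServerCert runs the lecture's checks: name matches the host we meant to reach, the validity period includes now, the chain ends at the CA we trust, and the serial is not on that CA's signed CRL.
func CheckServerCert(leaf, trustedCA *x509.Certificate, crlDER []byte, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now}); err != nil {
		return err // wrong name, outside its validity period, or not signed by a CA we trust
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(trustedCA) != nil {
		return errors.New("CRL unreadable or not signed by the trusted CA")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate serial is on the CRL: revoked")
		}
	}
	return nil
}
```

A certificate issued with serial 4242 fails only at the last step, which is the "look up the license number" check from the driving analogy; a wrong host name, a clock past NotAfter, or a CA that is not in the trust store fails at the Verify call before the CRL is even consulted.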
To recap, you have certificate authorities and registration authorities; both are involved in getting the client or server a certificate. Certificates are used to authenticate. The trust of a certificate is based on the trust of the certificate authority. We have the CRL and the OCSP to make sure that certificates are up-to-date. That pretty much wraps up public key infrastructure. Keep in mind that this is a lot of overhead and takes a lot of effort to maintain, and as we will see, this can be too much overhead for some organizations.