Public Key Infrastructure


Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:01
>> In our last section,
00:01
we left off with a few questions unanswered.
00:01
We'd been discussing a scenario where a client connects
00:01
to a banking server with a secure connection.
00:01
We talked about the use of public and private key,
00:01
basically, asymmetric cryptography being
00:01
used to distribute a symmetric key.
00:01
That's a session key that's going to be
00:01
used to protect the communication channel.
00:01
But we said there's still some mysteries.
00:01
How did we get those asymmetric keys?
00:01
What happens if a private key is compromised?
00:01
How do I know how to request a public key?
00:01
All those issues.
00:01
We're going to solve that by looking at
00:01
public key infrastructure, PKI.
00:01
We're going to talk about digital certificates
00:01
and how they're used in SSL,
00:01
TLS, as well as other applications,
00:01
like email and so on.
00:01
We'll talk about some of the elements of a PKI,
00:01
and then we'll talk about
00:01
the public key infrastructure and
00:01
its ability to deal with security violations,
00:01
like revoking certificates, for instance.
00:01
Let's talk a little bit about proving our identity.
00:01
But before we talk about that,
00:01
let's talk about me.
00:01
Well, it's my favorite subject.
00:01
Let's talk about the fact that I might
00:01
be a little bit of a fast driver.
00:01
I might occasionally have a heavy foot.
00:01
It is possible that I was just invited
00:01
to drive in the state of North Carolina
00:01
for a short period of time.
00:01
All big misunderstanding.
00:01
But at any rate, if you're like I am,
00:01
you may have been pulled over by
00:01
a police officer at some point in time.
00:01
I'm driving down the road.
00:01
I think what's that blue light flashing?
00:01
Then that awareness dawns on you, "Man, no."
00:01
Officer pulls me over,
00:01
walks up to the window.
00:01
What's the first thing he wants from me?
00:01
He's going to say, "Can I have
00:01
your license and registration?"
00:01
Now I'm going to get my license and registration out.
00:01
While I'm doing that,
00:01
he may ask me my name.
00:01
Now, would you agree that the name I give him,
00:01
they might tell who I am,
00:01
should match the name that's on
00:01
my driver's license or we have started poorly.
00:01
I can guarantee you that's the case.
00:01
Right off the bat,
00:01
if he asked me my name,
00:01
it better be the same name that's on my license.
00:01
Now, the next thing the officer
00:01
looks at when I give him my license,
00:01
is he looks for the expiration date.
00:01
The license should be current.
00:01
I shouldn't be driving with an expired license.
00:01
There's a reason licenses expire.
00:01
After so long, they're not good.
00:01
The image may not be valid. Lots of reasons.
00:01
It looks great.
00:01
My license has not expired.
00:01
Now the next thing that he looks
00:01
at is he looks at the class.
00:01
If I'm driving a motorcycle,
00:01
I need a class M. If I'm driving a commercial vehicle,
00:01
I think it's a class A.
00:01
But the class indicates what I'm
00:01
authorized to do while I'm on the road.
00:01
You have different classes for
00:01
different types of activities.
00:01
The next thing he's going to look at is
00:01
he's going to look at my driver's license number.
00:01
We'll call it our serial number for now.
00:01
That driver's license number,
00:01
something he's going to be using in a few minutes.
00:01
He's going to go back
00:01
and he's going to call in and say,
00:01
"Hey, is this license valid?"
00:01
Then the last thing he's going to do is he's going to
00:01
tilt that driver's license
00:01
back and forth in the sunlight.
00:01
What he's looking for, he's looking for that hologram.
00:01
The idea behind that hologram is that is
00:01
something that only the Department of Motor Vehicles
00:01
can put on the license.
00:01
It's very easy to create a document
00:01
that looks very similar to a driver's license.
00:01
But in theory, only the DMV
00:01
should be able to put on the hologram.
00:01
Now, that being said,
00:01
we know anything can be counterfeited.
00:01
But I grew up in
00:01
the 70s and 80s and the driver's license were so basic.
00:01
If you wanted to create a fake ID,
00:01
all you needed was a red background and
00:01
a typewriter and some plastic.
00:01
It was just very,
00:01
very easy to counterfeit.
00:01
This is all second-hand knowledge, by the way.
00:01
I would know nothing about
00:01
this firsthand I've just heard.
00:01
But it was very easy to counterfeit driver's license.
00:01
Now, at least with that hologram,
00:01
takes a lot more effort,
00:01
a lot more skill,
00:01
a lot more sophistication to counterfeit.
00:01
I'm not saying it's perfect,
00:01
but it adds that bit of
00:01
assurance that the license came from the DMV.
00:01
Because if I show him a license
00:01
that doesn't have that hologram,
00:01
things are not going any better
00:01
with Mr. Police Officer.
00:01
"No. I'm not accepting this as a license.
00:01
It's not from the DMV."
00:01
You don't just get to create your own license.
00:01
They have to come from a trusted authority.
00:01
Now the reason the officer knows where to
00:01
look for all this information and knows
00:01
the hologram and all these pieces
00:01
is because driver's license are
00:01
standardized from state to state.
00:01
At one point in time, it used to be
00:01
that every state did their own thing for
00:01
driver's license and for driver's license numbers too.
00:01
Alabama used to use
00:01
people's social security number
00:01
for their driver's license.
00:01
But driver's license have different formats,
00:01
different information stored, different places.
00:01
Ultimately, we wound up
00:01
standardizing them throughout the states.
00:01
Standardization is really helpful
00:01
because that means that anybody that
00:01
accepts standards-based authentication is
00:01
going to accept the standard document.
00:01
We can have a consistency
00:01
that we all agree upon to use for identification.
00:01
Now, last piece, this
00:01
sadly is not the part where the officer says,
00:01
"You have a nice day and slow it down,
00:01
Ms. Handerhan. We'll see you next time."
00:01
Now, the officer takes my driver's license.
00:01
He goes back to the car.
00:01
What's he doing? You know what he's doing.
00:01
He's calling in to see if my license has been revoked.
00:01
A license might expire just
00:01
because of an administrative error on my part.
00:01
I forgot to get it renewed.
00:01
But if the license is revoked,
00:01
that's usually because of a security violation.
00:01
That's usually a much bigger deal.
00:01
You can't look at a license
00:01
and tell if it's been revoked or not.
00:01
They don't come out literally knock on your door,
00:01
and grab your license, and run away.
00:01
They just revoke it from an administrative perspective.
00:01
An officer calls in,
00:01
says, "Has this license been revoked?"
00:01
Now one of the ways he could verify it,
00:01
is he could call the DMV and he could say, "Hey,
00:01
fax me over a list of
00:01
every driver's license that's been
00:01
revoked in the last five years.
00:01
I'll scan that list
00:01
and I'll see if this one's been revoked."
00:01
We don't do it that way,
00:01
of course, that's ridiculous.
00:01
That puts a lot of overhead on
00:01
the DMV and it puts a lot of overhead on the officer.
00:01
Instead, he calls a special line and he says,
00:01
"Has license number T134-7835-5001 been revoked?"
00:01
He gives the serial number and says,
00:01
"Has this license been revoked?"
00:01
He calls a special number that
00:01
just deals with revocation.
00:01
That's much more efficient.
00:01
Now, I want you to remember all of this.
00:01
It's probably not going to shock you that
00:01
our discussion really has
00:01
not been about driver's license,
00:01
been about digital certificates.
00:01
Now, the information that we talked about
00:01
with the driver's license
00:01
applies 100 percent to certificates.
00:01
First of all, digital certificates follow a standard.
00:01
The standard for digital certificates
00:01
is the X.509 standard,
00:01
we're on version 4 now.
00:01
X.509 v.4 is the standard,
00:01
that simply means that your certificates have
00:01
certain types of information formatted in certain ways.
00:01
If you have a standards-based browser,
00:01
you can use standards-based certificates,
00:01
and if you're a standards-based web server,
00:01
you can accept and exchange
00:01
and use these certificates as well.
00:01
Standardization is really important,
00:01
and what do we have on certificates?
00:01
Well, like before, we have
00:01
the name of the server that's using the certificate.
00:01
If I'm connecting to Bank of America with TLS,
00:01
and I say, "HTTPS, Bank of America."
00:01
that says, "Send me your key."
00:01
What it really says is
00:01
send me your digital certificate,
00:01
this is how keys are exchanged in the real-world.
00:01
I don't just say send me your key and
00:01
your system sends across a string of characters,
00:01
what you actually do is you return
00:01
to me your public key
00:01
that's on a digital certificate
00:01
that also has your name,
00:01
it has your class,
00:01
what class your certificate is,
00:01
indicates what you're authorized to do on the Internet,
00:01
so the higher the class,
00:01
the higher the degree of assurance.
00:01
A class 1 might be
00:01
a very low level of security that just says,
00:01
Kelly Handerhan can be reached at
00:01
this email address or a class
00:01
3 or 4 are necessary for financial transactions.
00:01
Just like with the license,
00:01
the class indicates what you're able to do
00:01
with a certain certificate, expiration dates,
00:01
the public keys on there, but don't forget,
00:01
arguably the most important part
00:01
of that driver's license was
00:01
the hologram that indicated
00:01
the license was issued from a trusted authority.
00:01
Well, that comes to us with certificates as well,
00:01
that's what we get from a digital signature.
00:01
When I go out to get a certificate
00:01
from a company like Verisign or something,
00:01
they are the certificate authority.
00:01
In our instance, the good folks at Bank of America,
00:01
long before they ever put a web server online,
00:01
went out to Verisign,
00:01
provided them with a ton of authentication information.
00:01
Here's our public records,
00:01
here's our credit rating,
00:01
here's our business license.
00:01
In exchange, once all that information is verified,
00:01
Verisign would issue a digital certificate
00:01
that the folks at Bank of America
00:01
can go back and install on their server.
00:01
When I connect to Bank of America,
00:01
and say give me your public key,
00:01
they provide me with
00:01
a digital certificate that's signed by Verisign.
00:01
Verisign is a well-respected
00:01
trusted certificate authority, so basically,
00:01
they give me that certificate,
00:01
and because it's digitally signed,
00:01
I know it hasn't been modified.
00:01
I know it's been issued by a trusted authority,
00:01
so I accept the contents of the certificate.
00:01
I say, "Okay,
00:01
I believe you really are Bank of America,
00:01
here's your public key,
00:01
now we're going to communicate."
00:01
When you look at SSL and TLS,
00:01
the real heart of the matter is
00:01
the public key infrastructure that has to be in place.
00:01
Just going back to this slide
00:01
that we looked at a few minutes ago.
00:01
If I skip back here really quickly,
00:01
long before even this HTTPS connection,
00:01
where as a client are connecting,
00:01
the piece that we don't see on
00:01
this slide is months, years,
00:01
decades before folks at Bank of America
00:01
obtained a digital certificate
00:01
from a certificate authority.
00:01
The second step where it says Bank of America,
00:01
sends its public key,
00:01
that public key is on a digital certificate.
00:01
That's how I know
00:01
because it's digitally signed by Verisign,
00:01
that I literally have connected to the correct server
00:01
and that I now know their public key.
00:01
When we're using this SSL, TLS process,
00:01
or many of the other processes,
00:01
it requires a public key infrastructure in
00:01
place and they exchange digital certificates.
00:01
Within our public key infrastructure,
00:01
we have to have our certificate authority.
00:01
Verisign is one thought, GoDaddy.
00:01
I don't necessarily associate
00:01
GoDaddy with trust, but there you go.
00:01
You've got GoDaddy, there's Baltimore,
00:01
there's Equifax are all organizations
00:01
that issue certificates,
00:01
they're all certificate authorities.
00:01
Some companies hire registration authorities that allow
00:01
customers to go to
00:01
a registration authority and
00:01
get all their security checks cleared,
00:01
and then they go to the certificate authority
00:01
to get the actual certificate.
00:01
The RA offloads some of the work from the CA.
00:01
It's like people come to me and show me their ID and
00:01
I stamp their request that it's approved,
00:01
but then they still have to go to
00:01
the CA to get a certificate.
00:01
When you get a certificate from a CA,
00:01
you install that certificate
00:01
into your certificate repository.
00:01
On a web server,
00:01
there's a storage location for
00:01
your certificates so that it can be
00:01
used on your client systems.
00:01
If you go to the "Run" command
00:01
and type out certificates,
00:01
you'll see that you have
00:01
storage within your operating system is
00:01
a location for certificates that you've been issued.
00:01
Now, the last piece,
00:01
this idea of a certificate revocation list,
00:01
we've got to be able to find a way
00:01
for certificate authorities to revoke certificates.
00:01
Usually, that's done as a result
00:01
of some security compromise.
00:01
For instance, maybe my private key gets compromised.
00:01
Well, if there's a private key compromise,
00:01
you have to revoke the public and private key,
00:01
and then you need to be re-issued new ones.
00:01
I want to make sure that we have a means for
00:01
our clients to know if certificates have been revoked.
00:01
Traditionally, revoked certificates have
00:01
been published to a list called the CRL, the C-R-L.
00:01
The certificate authority, every time
00:01
a certificate was revoked,
00:01
would take that information,
00:01
upload it to a specific location
00:01
where the CRL was stored,
00:01
and you would have this massive list of
00:01
all the certificates that have been revoked,
00:01
and then the client would have to go.
00:01
Each time somebody gave the client a certificate,
00:01
the client would have to go up,
00:01
download the CRL, and verify
00:01
whether or not that
00:01
specific certificate had been revoked.
00:01
That's very clunky and cumbersome.
00:01
That's like the police officer calling
00:01
the DMV and saying, "Hey,
00:01
send me all the records of
00:01
everybody who's had a certificate revoked,
00:01
I'm going to look for one from Kelly."
00:01
That doesn't make sense.
00:01
What we now have is we have a specific system that is
00:01
dedicated to responding to
00:01
requests about whether a certificate has been revoked.
00:01
That specific server is
00:01
usually referred to as an online responder,
00:01
and it's using a protocol called OCSP,
00:01
Online Certificate Status Protocol.
00:01
This is the protocol that enables the specific server,
00:01
this OCSP server to be aware
00:01
of what certificates have been
00:01
revoked and which ones have not.
00:01
Now, what happens is,
00:01
when a client needs to verify
00:01
certificate's revocation status,
00:01
it connects directly to the OCSP server,
00:01
and says, has this specific serial number been revoked?
00:01
The OCSP responder will come back with
00:01
the answer of yes, no, or maybe.
00:01
This is an illustration.
00:01
Basically, the OCSP responder
00:01
is in direct contact with the certificate authority.
00:01
When it gets the request that says,
00:01
"Hey, is this certificate good?"
00:01
It'll come back and say,
00:01
"As of 8:00 AM this morning,
00:01
that certificate was valid."
00:01
OCSP is the way that we
00:01
currently deal with certificate revocation,
00:01
and it by far streamlines the older process and makes
00:01
it much more efficient and we have much less latency.
00:01
We talked about a public key infrastructure
00:01
in this last section,
00:01
and it said that a PKI is really the heart
00:01
and soul of many of these hybrid environments,
00:01
where we have asymmetric key exchange
00:01
and symmetric data exchange.
00:01
That first piece, when
00:01
we talk about the exchange of a public key,
00:01
that public key is
00:01
exchanged through digital certificates.
00:01
Certificate authorities
00:01
issue those digital certificates.
00:01
We also talked about registration authorities
00:01
and their responsibilities,
00:01
as well as looking at
00:01
the CRL certificate revocation list.
00:01
Then ultimately how we
00:01
make sure we have a streamlined process
00:01
for verifying revocation status
00:01
through the use of the OCSP protocol.