
Cryptography

The document discusses X.509 digital certificates and public key infrastructure (PKI). It describes the components of an X.509 certificate including issuer, subject, validity period, signature algorithm and extensions. It also provides an example of a certificate signing request. Additionally, it illustrates how PKI is used to establish secure connections and authenticate users through a chain of trust from a principal CA to subordinate CAs and end entities.

































[Figure: Cross-certification. Principal CAs CA1 and CA2 are cross-certified; subordinate CAs Sub CA1.1, Sub CA1.2 and Sub CA2.1 sit beneath them, with end entities (EE) at the bottom. Legend: Principal CA; Subordinate CA; CA certificate path; certification path; EE = end entity (subject).]













[Figure: An X.500 directory entry and the services that use the X.500-based LDAP Directory Service: Employee HR system, ERP Workflow, Public Key Infrastructure (PKI), Key Management Infrastructure (KMI), Single Sign-On (SSO) (HTTP/HTTPS), Secure E-mail (S/MIME).]

Directory entry attributes:

C=US                                 Country
O=US Government                      Organization
OU=Department of the Interior        Organizational Unit
OU=NBC                               Organizational Unit
OU=Security Administrator            Organizational Unit
CN=Alice Cryptographer               Common Name
[email protected]                    E-mail Address
UserCertificate=<binary data….>      Digital Certificate

Directory tree shown: C=US, O=US Government, OU=DOI, OU=NBC, then OU=Security Administrator, OU=Security and OU=IT, each with an entry CN=Alice Cryptographer.



[Figure: DOI Enterprise PKI Security Domain (a hierarchical PKI). A Bridge CA links, through bridge cross-certificate pairs, the Principal CAs of the Department of Homeland Security (DHS), the Department of Justice (DoJ) - FBI, States & Local Government, and DOI. The DOI Principal CA issues CA certificates to subordinate CAs: USGS, FWS, NPS, OSM, BOR and NBC. Also shown: DOI user, user workstation, PIV card reader, fingerprint scanner, Local CA, AD/DC.]

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
                OU=Certification Services Division,
                CN=Thawte Server CA/[email protected]
        Validity
            Not Before: Aug 1 00:00:00 1996 GMT
            Not After : Dec 31 23:59:59 2020 GMT
        Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
                 OU=Certification Services Division,
                 CN=Thawte Server CA/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d3:a4:50:6e:c8:ff:56:6b:e6:cf:5d:b6:ea:0c:
                    68:75:47:a2:aa:c2:da:84:25:fc:a8:f4:47:51:da:
                    85:b5:20:74:94:86:1e:0f:75:c9:e9:08:61:f5:06:
                    6d:30:6e:15:19:02:e9:52:c0:62:db:4d:99:9e:e2:
                    6a:0c:44:38:cd:fe:be:e3:64:09:70:c5:fe:b1:6b:
                    29:b6:2f:49:c8:3b:d4:27:04:25:10:97:2f:e7:90:
                    6d:c0:28:42:99:d7:4c:43:de:c3:f5:21:6d:54:9f:
                    5d:c3:58:e1:c0:e4:d9:5b:b0:b8:dc:b4:7b:df:36:
                    3a:c2:b5:66:22:12:d6:87:0d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        07:fa:4c:69:5c:fb:95:cc:46:ee:85:83:4d:21:30:8e:ca:d9:
        a8:6f:49:1a:e6:da:51:e3:60:70:6c:84:61:11:a1:1a:c8:48:
        3e:59:43:7d:4f:95:3d:a1:8b:b7:0b:62:98:7a:75:8a:dd:88:
        4e:4e:9e:40:db:a8:cc:32:74:b9:6f:0d:c6:e3:b3:44:0b:d9:
        8a:6f:9a:29:9b:99:18:28:3b:d1:e3:40:28:9a:5a:3c:d5:b5:
        e7:20:1b:8b:ca:a4:ab:8d:e9:51:d9:e2:4c:2c:59:a9:da:b9:
        b2:75:1b:f6:42:f2:ef:c7:f2:18:f9:89:bc:a3:ff:8a:23:2e:
        70:47





































[Figure: HTTPS connection between a user (John Doe, home PC), an online merchant's web server, and Verisign (Principal CA/RA). Message labels, in order: initiate an HTTPS connection request; website digital certificate; request to validate the web server's certificate path; Principal CA validates the certificate path; negotiate encryption algorithm; begin secured web service.]


[Figure: SSL/TLS secure pipe. A client program in the client web container and a server program in the server web container each hand a plaintext message to their SSL/TLS endpoint (SSL/TLS client, SSL/TLS server); messages are encrypted back and forth across the secure pipe (SSL/TLS).]

[Figure: SSL/TLS handshake between client and server. Messages, in order:]

  1. client hello
  2. server hello
  3. certificate
  4. server key exchange
  5. request for client's certificate
  6. server hello done
  7. certificate
  8. client key exchange
  9. certificate verification
 10. change cipher specification
 11. finished
 12. change cipher specification
 13. finished
 14. application data...



[Figure: SSL/TLS in the protocol stack between a remote client and a server. Each side: application (with embedded support for SSL/TLS), SSLv3/TLSv1, TCP/IP stack, data-link layer. The two sides exchange an SSL/TLS encrypted payload using e.g. 2048 RSA, 3DES.]


[Figure: SSL/TLS VPN between a remote client and the DOI ESN networks. Client side: server applications, TCP/IP stack, SSLv3/TLSv1 tunnel client software, SSLv3/TLSv1, TCP/IP stack, data-link layer. Network side: server applications, TCP/IP stack, SSLv3/TLSv1 tunnel security gateway, SSLv3/TLSv1, TCP/IP stack, data-link layer. Between them: a proprietary transparent SSL/TLS encrypted VPN tunnel using e.g. 2048 RSA, 3DES.]






[Figure: IPsec between IPsec Module 1 and IPsec Module 2. Application layer: IPsec Key Exchange (IKE) between the ISAKMP components, establishing a Security Association (SA). Transport layer: IPSP on each side with AH protection and ESP protection. Each module holds a Security Association Database.]




IPsec Authentication Header (AH) format (32-bit words, bits 0 to 31):

Word 1: Next Header | Payload Length | Reserved
Word 2: Security Parameters Index (SPI)
Word 3: Sequence Number
Word 4: Authentication Data (variable)

IPsec Encapsulating Security Payload (ESP) format (32-bit words, bits 0 to 31):

Word 1: Security Parameters Index (SPI)
Word 2: Sequence Number
Word 3: Payload Data (variable)
Word 4: Payload Data... | Padding... | Pad Length | Next Header
Word 5: Authentication Data (variable)







[Figure: SSH. On the host, an application client uses an SSH client; on the target, an application server sits behind an SSH server; the two are joined by a secure SSH connection.]




















[Figure: Certificate-based authentication in an SOA. Participants: users (sponsor, user workstation); directory service (Identity Management Server, IdM); Principal CA (Certification Authority, CA); SOA components (web server & web service, application server, policy management). Message labels, in order:]

  1. Initiate an HTTPS connection request
  2. Website digital certificate
  3. Negotiate encryption algorithm
  4. Begin secured web service
  5. Request for user authentication
  6. User authenticates to IdM & provides certificate
  7. Request certificate verification
  8. Validate certificate
  9. Authorize user access
 10. Request for application services
 11. Request for user authentication
 12. Security assertion: user web browser asserts user's certificate with credential
 13. Request identity & credential verification
 14. Validate identity & credential
 15. Authorize and present access controlled web services
 16. Begin secured web service with access controlled information


















[Figure: PKI topologies with CRLs. CAs and end entities EE1 to EE5 are linked by certification paths and CA certificate paths. Legend: CA certificate path; certification paths; EE = end entity (subject).]





