Cybersecurity - Week 4 - Certificates
What is the root CA?
A root CA can certify itself by signing its own public key with its private key, producing a self-signed certificate.
Illustrate the certificate issuing process
1. Alice sends a certificate request containing:
   a. Alice's public key
   b. Alice's signature (her signature on her public key)
   c. Alice's identity
2. The CA checks Alice's identity.
3. The CA verifies Alice's request using:
   - Alice's public key
   - Alice's signature, checked against Alice's claimed public key (the CA verifies Alice's signature using Alice's public key)
   (If the signature is valid, the CA is assured that Alice knows her private key, because otherwise she would not be able to generate the signature.)
Illustrate the certificate verification process
1. Bob wants to use Alice's public key.
2. He obtains Alice's certificate.
3. Bob verifies Alice's certificate by checking whether the certificate has expired, then verifies the CA's signature with the CA's public key. (Repeat step 3 until the root CA is reached.)
4. Bob checks Alice's certificate against the latest certificate revocation list signed by the CA.
A certificate is an authoritative binding between an ______ and the _____'s _______ key
A certificate is an authoritative binding between an entity and the entity's public key.
In the certificate issuing process, why does Alice sign her public key using her private key?
Because Alice sends the public key and the signature over to the CA in the certificate issuing process, when the CA verifies the signature against Alice's public key, it means that Alice's public key is indeed Alice's. If the public key is wrong, the verification would fail, because the signature was made using Alice's private key and can only be verified using Alice's public key.
What does the CA send back after verifying that both the identity and signature of Alice are correct?
CA encrypts the certificate of Alice with Alice's public key and sends it back to Alice
What is the difference between CA's signature and thumbprint?
The CA's signature authenticates the subject's public key: it binds the subject's identity and its key. The thumbprint is used for exchanging and storing (in a database) key information. It is an encoded, hexadecimal string.
CRL is issued _________ (time)
CRL is issued periodically
In brief, what information does the digital certificate contain?
A certificate contains information about the public key, the identity of its owner (called the subject), information about the CA (issuer) and the CA's digital signature over the certificate content.
How does one ensure that the public key contained in the certificate can be used for secure communication purposes?
One has to verify that the signature of the certificate is valid.
What are the two properties achieved when CA signs the certificate? Explain.
Integrity and authenticity. When the CA signs over the information using its private key, unless someone else has the private key, nobody can tamper with the information anymore.
What is the term used for "CA" in digital certificate?
Issuer
Describe the availability problem
In hybrid encryption, the sender uses AES to encrypt the message with the shared key, producing C1. The sender then uses RSA to encrypt the shared key with the recipient's public key, producing C2. The availability problem arises when an attacker replaces the recipient's public key, which leaves the recipient unable to decrypt C2 to get the shared key needed to decrypt C1. That is to say, the recipient cannot even see the message.
What does the "Validity Period" in the public key certificate components contain?
Starting and ending date/time
Security originates from?
Security originates from trust
Digital Certificate
Signature over a public key
Who is the subject in the context of TLS certificates?
The certificate subject is typically a computer, server or other devices
Who is the subject in the context of email certificates?
The certificate subject is typically a person or an organization
Getting a certificate is not free (T/F)
True. It is not free and it comes at a price.
What happens if someone replaces the digital certificate?
Verification won't check out because identities are different
What happens when someone modifies the digital certificate?
Verification won't check out because signature is different
What is certificate revocation?
When Alice wants to revoke her certificate in the event that her private key was compromised or lost, or Alice's ID changes (e.g. she resigns from her organization).
What is the term used for "Owner" in digital certificate?
Subject
A root CA is trusted in the sense that it does NOT need to be certified by any other CA (T/F)
True
Modern browsers are pre-installed with certificates signed by trusted CAs (T/F)
True
Root CA is the final trusted origin because security has to originate from somewhere and it originates from trust. (T/F)
True
Users can manually add/delete root CA certificates (T/F)
True
What is the "CA's signature" in the public key certificate components used for?
Used to verify the validity of the certificate. The signature is computed upon all the certificate data
How can the sender get the genuine public key of the recipient? (To address the availability problem)
Using public key certificate (Digital certificate)
CA keeps a list called "certificate revocation list" or CRL in short. What does this list contain?
- Signature algorithm
- CA identity info
- Last update
- Next update
- Serial numbers of the certificates that have been revoked
- CA signature
(Public key certificate) Mandatory components (X.509 standard)
1. Version number
2. Serial number
3. Subject identifier: the public key owner's unique name
4. Issuer's identifier: the CA's unique name
5. Owner's public key info: values of public key
6. Validity period: starting and ending date/time
7. CA's signature: used to verify the validity of the certificate. The signature is computed upon all the certificate data
8. Thumbprint
What is the Certificate Revocation List (CRL)?
A CRL is a signed list of certificates issued by CA, which contains the serial numbers of revoked certificates. CRL is issued periodically
Who is the CA (Certification Authority)?
A trusted third party that issues public key certificates to users. CA must be trusted
How can Bob verify Alice's certificate in a certificate verification process?
Bob has to verify all CA's certificates along the chain (bottom-up), until the root CA's certificate. Then, he decides whether the root CA is trustworthy
Digital certificate proves the __________ of the _______ key
Digital certificate proves the ownership of the public key
In the certificate issuing process, if both (identity and signature) are correct, CA issues a certificate for Alice's _____ and her _____ ____ with CA's signature
In the certificate issuing process, if both (identity and signature) are correct, CA issues a certificate for Alice's identity and her public key with CA's signature
Example of CA locally and worldwide
Locally: Singapore's Netrust. Worldwide: Verisign.
What does the "Issuer's identifier" in the public key certificate components contain?
The CA's unique name
What does the "Subject Identifier" in the public key certificate components contain?
The public key owner's unique name. Also contains identity information such as IP address or email address.
Why do we need CA's signature in the digital certificate?
To ensure information (Alice identity and public key) cannot be tampered/modified.
What does the "Owner's public key info" in the public key certificate components contain?
values of public key