PKI Basics


Issuance: Once a subscriber has a name and key pair the next step is to obtain a leaf certificate from a CA. The CA is going to want to authenticate (prove) two things: 1 - ___ 2 - ___

1 - The public key to be bound in the certificate is the subscriber's public key (i.e., the subscriber knows the corresponding private key)
2 - The name to be bound in the certificate is the subscriber's name
(The former is typically achieved via a simple technical mechanism: a certificate signing request. The latter is harder. Abstractly, the process is called identity proofing or registration.)

For Web PKI there are three kinds of certificates and the biggest differences are how they identify subscribers and the sort of identity proofing that's employed. They are:

- domain validation (DV)
- organization validation (OV)
- extended validation (EV) certificates.

A raw certificate encoded using DER will usually carry a ____ extension. Again, there's not much consistency here, so your mileage may vary.

.der

Common extensions for PKCS#7 are _____ and ____

.p7b and .p7c

Certificates are fundamentally really simple. A certificate is a data structure that contains a _______ _______ and a _______. The data structure is then s_______.

A certificate is a data structure that contains a public key and a name. The data structure is then signed.

The PKCS#7 and PKCS#12 envelopes also use _______. That means both can be encoded as raw DER or BER or PEM. That said, in my experience they're almost always raw DER.

ASN.1

ASN stands for

Abstract Syntax Notation One (the "1" stands for "One"): ASN.1

An entity is:

Anything that exists, even if it only exists logically or conceptually. Your computer is an entity. So is some code you wrote. So are you.

The trust stores used by default by the major browsers - and pretty much everything else that uses TLS - are maintained by four organizations:

- Apple's root certificate program, used by iOS and macOS
- Microsoft's root certificate program, used by Windows
- Mozilla's root certificate program, used by their products and, because of its open and transparent process, used as the basis for many other trust stores (e.g., for many Linux distributions)
- Google, which didn't run a root certificate program (Chrome usually used the host operating system's trust store) but maintained its own blocklist of roots and specific certificates that it doesn't trust. (ChromeOS builds off of Mozilla's certificate program.) Note that since 2022 Chrome ships its own Chrome Root Store on most platforms, so this card is dated.

Don't disable certificate path validation. It's not that hard to do proper TLS, and certificate path validation is the part of TLS that does a___________. People sometimes argue that the channel is still encrypted, so it doesn't matter. That's wrong. It does matter. Encryption without a__________ is pretty worthless.

Authentication Authentication

Before you can use a certificate with a protocol like TLS you need to figure out how to get one from a __

CA

What are Certificate Revocation Lists (CRLs)?

CRLs are defined along with a million other things in RFC 5280. They're simply a signed list of serial numbers identifying revoked certificates. The list is served from a CRL distribution point: a URL that's included in the certificate. The expectation is that relying parties will download this list and interrogate it for revocation status whenever they verify a certificate.

In regards to revocation, there are CRLs. This stands for:

Certificate Revocation Lists (CRLs)

_______ _________ ____ (RFC 6962) mandates that CAs submit every certificate they issue to an impartial observer that maintains a public certificate log.

Certificate Transparency (CT)

C__________ are the building blocks of most PKIs, and C__________ _________ are the foundation. That said, PKI is so much more. It includes libraries, cron jobs, protocols, conventions, clients, servers, people, processes, names, discovery mechanisms, and all the other stuff you'll need to use public key cryptography effectively.

Certificates certificate authorities

PKCS#7 was rebranded to

Cryptographic Message Syntax (CMS) by the IETF

You don't have to worry much about encoding and decoding DER but you definitely will need to figure out whether a particular certificate is a plain ___-_________ X.509 certificate or something fancier.

DER-encoded

__ certificates bind a DNS name and are issued based on proof of control over a domain name.

DV (domain validation) Proofing typically proceeds via a simple ceremony like sending a confirmation email to the administrative contact listed in WHOIS records.

Essentially every Web PKI RP only requires DV level assurance, based on "proof" of control of a d______.

Domain

The verification process for OV certificates is not consistent across CAs. To address this, CAB Forum introduced __ certificates.

EV

The __ process can take days or weeks and can include public records searches and attestations (on paper) signed by corporate officers (with pens). After all this, when you visit a website that uses an __ certificate some browsers display the name of the organization in the URL bar.

EV EV

T/F The EV Certificate Process is fast.

FALSE The EV process can take days or weeks and can include public records searches and attestations (on paper) signed by corporate officers (with pens).

T/F Hash functions are also multi-way

False. They are one-way: it's computationally infeasible to take the output of a hash function and reconstruct its input.

Cryptographic proof of CT submission is included in issued certificates.
_____ __________ ______ ___ (HPKP or just "pinning") lets a subscriber (a website) tell an RP (a browser) to only accept certain public keys in certificates for a particular domain.

HTTP Public Key Pinning

HTTP Public Key Pinning: does what?

HTTP Public Key Pinning (HPKP or just "pinning") lets a subscriber (a website) tell an RP (a browser) to only accept certain public keys in certificates for a particular domain. (HPKP has since been deprecated and removed from the major browsers because a bad pin could lock users out of a site; it is no longer usable on the web.)

You interact with Web PKI via your browser whenever you access an:

HTTPS URL

X.509 builds on ASN.1, another ___-_ standard (defined by X.208 and X.680).

ITU-T

An identifier is not the same as an:

Identity

If you trust Chef or Puppet or Ansible or Kubernetes to put code on servers, you can trust them for i______ a_______.

Identity attestations

Every entity has an:

Identity. This one's hard to define. Identity is what makes you you, ya know? On computers identity is usually represented as a bag of attributes describing some entity: group, age, location, favorite color, shoe size, whatever.

What are the problems with the Online Certificate Status Protocol (OCSP)?

It raises serious privacy issues for Web PKI: the OCSP responder can see what sites I'm visiting based on the certificate status checks I've submitted. It also adds overhead to every TLS connection: an additional request has to be made to check revocation status. Like CRL, many RPs (including browsers) fail open and assume a certificate is valid if the OCSP responder is down or returns an error.

An identifier is:

It's a unique reference to some entity that has an identity. I'm Mike, but Mike isn't my identity. It's a name - identifier and name are synonyms (at least for our purposes).

A Certificate Signing Request is signed how?

It's self-signed using the private key that corresponds to the public key in the CSR.

What, precisely, does a DV certificate actually prove?

It's supposed to prove that the entity requesting the certificate owns the relevant domain. It actually proves that, at some point in time, the entity requesting the certificate was able to read an email or configure DNS or serve a secret via HTTP. The underlying security of DNS, email, and BGP that these processes rely on is not great. Attacks against this infrastructure have occurred with the intent to obtain fraudulent certificates.

Before you can use a certificate with a protocol like TLS you need to figure out how to get one from a CA. Abstractly this is a pretty simple process: a subscriber that wants a certificate generates a k__ p___ and submits a request to a certificate authority. The CA makes sure the n___ that will be bound in the certificate is correct and, if it is, s____ and returns a certificate.

Key pair name signs

PKCS#12 is commonly used by __________ products.

Microsoft

What is OCSP stapling?

OCSP stapling is a variant of OCSP that's supposed to fix these issues. Instead of the relying party hitting the OCSP responder the subscriber that owns the certificate does. The OCSP response is a signed attestation with a short expiry stating that the certificate is not revoked. The attestation is included in the TLS handshake ("stapled to" the certificate) between subscriber and RP. This provides the RP with a reasonably up-to-date revocation status without having to query the OCSP responder directly. The subscriber can use a signed OCSP response multiple times, until it expires. This reduces the load on the responder, mostly eliminates performance problems, and addresses the privacy issue with OCSP. (short lived certs are much simpler than this)

What does the Online Certificate Status Protocol (OCSP) do?

OCSP, which allows RPs to query an OCSP responder with a certificate serial number to obtain the revocation status of a particular certificate. Like the CRL distribution point, the OCSP responder URL is included in the certificate.

An ___ is like a URI, but more annoying. They're (supposed to be) universally unique identifiers. Structurally, ___s are a sequence of integers in a hierarchical namespace.

OID OID

Operating system trust stores typically ship with the __.

OS

Programming languages and other non-browser stuff like curl typically use the _____ trust store by default.

OS

__ and __ certificates build on DV certificates and include the name and location of the organization that owns the bound domain name.

OV and EV

OCSP stands for:

Online Certificate Status Protocol (OCSP)

___ is similar: a base64 encoded payload sandwiched between a header and a footer. The ___ header has a label that's supposed to describe the payload. Shockingly, this simple job is mostly botched and ___ labels are often inconsistent between tools

PEM PEM PEM

PEM-encoded certificates will usually carry a ___, .___, or ____ extension.

PEM-encoded certificates will usually carry a .pem, .crt, or .cer extension.
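The PEM and DER cards above describe the two encodings you meet in practice; the following is an added example (my own code, not part of the original flashcards) that reads a PEM bundle tolerantly, folds the alternate certificate labels some tools emit onto one name, and sniffs whether a blob is raw DER or PEM. The bundle and the payload bytes are constructed: the payload is a small DER SEQUENCE standing in for a real certificate body.

```python
# Added example: tolerant PEM reader plus DER/PEM sniffing (not from the flashcards).
import base64
import re
from typing import List, Tuple

# Labels that wrap a plain DER X.509 certificate. "X509 CERTIFICATE" is the old
# OpenSSL spelling and still shows up. Do NOT fold key labels together the same
# way: "RSA PRIVATE KEY" (PKCS#1) and "PRIVATE KEY" (PKCS#8) are different structures.
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE"}
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def parse_pem(text: str) -> List[Tuple[str, bytes]]:
    """Return (normalized_label, der_bytes) for every block in a PEM bundle."""
    out = []
    for label, body in PEM_BLOCK.findall(text):
        if label in CERT_LABELS:
            kind = "CERTIFICATE"
        elif label in CSR_LABELS:
            kind = "CERTIFICATE REQUEST"
        else:
            kind = label  # keep unknown labels as-is rather than mis-typing them
        # strip line breaks; strict decoding rejects corrupted base64 instead of
        # silently producing garbage DER
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append((kind, der))
    return out


def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """DER -> PEM with the conventional 64-column base64 body."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i : i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def detect_format(data: bytes) -> str:
    """Classify a file as raw DER, PEM, or unknown. A DER certificate (and any
    PKCS#7 or PKCS#12 envelope) starts with the SEQUENCE tag, 0x30."""
    if data[:1] == b"\x30":
        return "DER"
    if b"-----BEGIN " in data:
        return "PEM"
    return "unknown"


# Constructed stand-in for certificate bytes: a DER SEQUENCE holding the OID
# 2.5.4.3 (common name) and the UTF8String "bobcat". Not a real certificate.
SAMPLE_DER = bytes.fromhex("300d06035504030c06") + b"bobcat"

# Constructed bundle using two label variants seen in the wild.
SAMPLE_BUNDLE = to_pem(SAMPLE_DER, "CERTIFICATE") + to_pem(SAMPLE_DER, "X509 CERTIFICATE")
```

The standard library's `ssl.PEM_cert_to_DER_cert` does the same conversion for a single block, but only accepts the exact `CERTIFICATE` label, which is exactly the inconsistency the card warns about.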

PGP uses certificates, but doesn't use ____.

PGP uses certificates, but doesn't use CAs. Instead it uses a Web of Trust Model.

The envelope formats you're likely to encounter are part of a suite of standards called:

PKCS (Public Key Cryptography Standards)

For this envelope format, Common extensions are .pfx and .p12

PKCS#12

The other common envelope format is ___________ which can contain a certificate chain (like PKCS#7) along with an (encrypted) private key.

PKCS#12

.p7b and .p7c are common extensions for which envelope format?

PKCS#7, later adopted by the IETF as Cryptographic Message Syntax (CMS). This is an envelope format.

A subscriber or end entity is an entity that's participating in a

PKI

DER is straight binary, and binary data is hard to copy-paste and otherwise shunt around the web. So most certificates are packaged up in PEM files (which stands for p_____ e_____ e______, another weird historical vestige).

Privacy Enhanced EMail

PKCS means:

Public Key Cryptography Standards published by RSA labs (actually the story is slightly more complicated, but whatever). https://security.stackexchange.com/questions/73156/whats-the-difference-between-x-509-and-pkcs7-certificate

PKI stands for:

Public key infrastructure

____________ is the umbrella term for all of the stuff we need in order to issue, distribute, store, use, verify, revoke, and otherwise manage and interact with certificates and keys.

Public key infrastructure (PKI)

It's pretty common for one entity (code, device, server, etc) to be both an __ and a s_______. Such entities will need to be configured with the root certificate(s) and a certificate and private key.

RP subscriber

self-signed certificates are used in the chain of trust for

Root certificates

___ is a subset of federated identity management, as it relates only to authentication and is understood on the level of technical interoperability and it would not be possible without some sort of federation.

SSO

If you want RPs to stop trusting a certificate before it expires, it can (s________) be r_______.

Sometimes Revoked

T/F the EV Certificate process is slow.

TRUE The EV process can take days or weeks and can include public records searches and attestations (on paper) signed by corporate officers (with pens).

What are the problems with Certificate Revocation Lists (CRLs)?

The expectation is that relying parties will download this list and interrogate it for revocation status whenever they verify a certificate. There are some obvious problems here: CRLs can be big, and distribution points can go down. If RPs check CRLs at all they'll heavily cache the response from the distribution point and only sync periodically. On the web CRLs are often cached for days. If it's going to take that long for CRLs to propagate you might as well just use passive revocation. It's also common for RPs to fail open - to accept a certificate if the CRL distribution point is down. This can be a security issue: you can trick an RP into accepting a revoked certificate by mounting a denial of service attack against the CRL distribution point.

Why is a CSR self-signed using the private key that corresponds to the public key in the CSR?

This signature proves that whatever created the CSR knows the private key. Bonus: It also allows the CSR to be copy-pasted and shunted around without the possibility of modification by some interloper.

When you visit a website that uses an EV certificate some browsers display the name of the organization in the ___ ___

URL bar

Web PKI relying parties (RPs) trust every CA in their trust store to sign certificates for any subscriber. The result is that the overall security of Web PKI is only as good as the least secure ___ ___ __.

Web PKI CA

RP stands for

Relying party. Web PKI relying parties (RPs) are the certificate users; think of a user's browser trying to reach the Splunk URL.

Why run your own internal PKI if Web PKI already exists? The simple answer is that:

Web PKI wasn't designed to support internal use cases. Even with a CA like Let's Encrypt, which offers free certificates and automated provisioning, you'll have to deal with rate limits and availability. That's no good if you have lots of services that you deploy all the time.

A string is just a string, but if I tag a string with OID 2.5.4.3 then it's no longer an ordinary string - now it's an ____ ________ _____.

X.509 common name.

If you've ever looked at an X.509 certificate and wondered why something designed for the web encodes a locality, state, and country here's your answer:

X.509 wasn't designed for the web. It was designed thirty years ago to build a phone book.

There are two things you can do with a key pair: What are they?

You can encrypt some data with the public key. The only way to decrypt that data is with the corresponding private key. You can sign some data with the private key. Anyone who knows the corresponding public key can verify the signature, proving which private key produced it.

A message authentication code is

a bit of data that's used to verify which entity sent a message, and to ensure that a message hasn't been modified. The basic idea is to feed a shared secret (a password) along with a message through a hash function. The hash output is a MAC. You send the MAC along with the message to some recipient. (In practice use a dedicated construction such as HMAC rather than a bare hash of secret and message.)

RFC 5280 uses ASN.1 to define an X.509 certificate as an object that contains various bits of information: Name 3 of these types of info.

a name, key, signature, etc.

ASN.1 is ________ in the sense that the standard doesn't say anything about how stuff should be represented as bits and bytes.

abstract

In particular, X.509 certificates include a validity period: What is this?

an issued at time, a not before time, and a not after time.

If Some Issuer signs a certificate for Bob, that certificate can be interpreted as the statement: "Some Issuer says Bob's public key is 01:23:42...". This is a claim made by Some Issuer about Bob. The claim is signed by Some Issuer, so if you know Some Issuer's public key you can ____________________ it by verifying the signature.

authenticate

If you've never met me before, but you trust the DMV, you can use my license for ____________.

authentication

If you've never met some computer before, but you trust some certificate authority, you can use a certificate for _____________.

authentication

DER is straight ______, and ______ ____ is hard to copy-paste and otherwise shunt around the web.

binary binary data

So where do trust stores come from? For Web PKI the most important relying parties are ___________.

browsers

Web PKI is important because Web PKI certificates work by default with ________ and pretty much everything else that uses ___.

browsers TLS

Once we've got a name we need to generate a key pair before we can create a c_________.

certificate

Renewal for internal PKI: The easiest thing to do is to use your old ________ with a protocol like mutual TLS to renew. The CA can authenticate the client certificate presented by the subscriber, re-sign it with an extended expiry, and return the new ________ in response.

certificate certificate This makes automated renewal very easy and still forces subscribers to periodically check in with a central authority. You can use this checkin process to easily build monitoring and revocation facilities.

To configure a PKI subscriber you tell it which c______ and p_____ k___ to use (or tell it how to generate its own key pair and exchange a CSR for a certificate itself)

certificate and private key

Fundamentally, a _______ _______ is just another certificate and a corresponding private key that's used to sign other certificates.

certificate authority

Further, with Web PKI you have little or no control over important details like: (5 things)

certificate lifetime, revocation mechanisms, renewal processes, key types, and algorithms

Since intermediate certificates are not included in trust stores they need to be distributed and verified just like leaf certificates. You provide these intermediates when you configure subscribers, as described above. Then subscribers pass them along to RPs. With TLS this happens as part of the handshake that establishes a TLS connection. When a subscriber sends its certificate to a relying party it includes any intermediate(s) necessary to chain back up to a trusted root. The relying party verifies the leaf and intermediate certificates in a process called c______ p_______ v_______.

certificate path validation

The CAB Forum Baseline Requirements stipulate that a root private key belonging to a Web PKI root CA can only be used to sign a certificate by issuing a direct command (see section 4.3.1). In other words, Web PKI root CAs can't automate ________ ________.

certificate signing They can't be online. This is a problem for any large scale CA operation. You can't have someone manually type a command into a machine to fulfill every certificate order.

Certificate signing requests To request a certificate a subscriber submits a _____ ______ _____ to a certificate authority. The CSR is another ASN.1 structure, defined by PKCS#10.

certificate signing request (CSR)

What is a CSR

certificate signing request (CSR)

A relying party is a

certificate user that verifies and trusts certificates issued by a CA. To confuse matters a bit, an entity can be both a subscriber and a relying party. That is, a single entity can have its own certificate and use other certificates to authenticate remote peers (this is what happens with mutual TLS, for instance).

When you edit ~/.ssh/authorized_keys you're configuring a simple c________-l___ form of PKI that SSH uses to bind public keys to names in flat files.

certificate-less

A subscriber or end entity is an entity that's participating in a PKI and can be the subject of a

certificate.

There are documented cases of Web PKI certificate authorities providing governments with fraudulent ___________ in order to snoop on traffic and impersonate websites.

certificates

What if you don't already know my public key? That's what ____________ are for.

certificates are for.

bundle of certificates - leaf, intermediate, root - forms a _____ (called a _________ _______). The leaf is signed by the intermediate, the intermediate is signed by the root, and the root signs itself.

chain certificate chain

The ACME protocol, originally developed and used by Let's Encrypt, improves this process with better automation: instead of using email verification an ACME CA issues a c_________ that the s_________ must complete to prove it controls a domain. The c__________ portion of the ACME specification is an extension point.

challenge subscriber challenge

Entities can ____ that they have some particular name.

claim But a claim needn't be related to a name: I can make a claim about anything: my age, your age, access rights, the meaning of life, etc.

PKIX originally specified that the DNS hostname of a website should be bound in the DN c______ n______. More recently, the CAB Forum has deprecated this practice and made the entire DN optional

common name (see section 7.1.4.2 of the Baseline Requirements). Instead, the modern best practice is to leverage the subject alternative name (SAN) X.509 extension to bind a name in a certificate.

A signature is

conceptually similar to a MAC, but instead of using a shared secret you use a key pair.

DER is: d______ e_______ r______

distinguished encoding rules

There are a bunch of encoding rules for ASN.1, but there's only one that's commonly used for X.509 certificates and other crypto stuff:

distinguished encoding rules or DER (though the non-canonical basic encoding rules (BER) are also occasionally used).
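The OID cards and the DER/BER cards above describe the encoding in words; the following is an added example (my own code, not from the flashcards) that implements just enough of DER to make it concrete: a tag-length-value reader that rejects the non-minimal lengths BER allows, the base-128 OID encoding, and the SEQUENCE { OID, UTF8String } pair that turns a plain string into an X.509 common name when the OID is 2.5.4.3. All constants and the sample value are my own; the well-known encodings asserted in the checks are the standard ones.

```python
# Added example: minimal DER TLV codec with OID encoding (not from the flashcards).
from typing import List, Tuple

TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_SEQUENCE = 0x30  # constructed SEQUENCE


def encode_length(n: int) -> bytes:
    """DER length: short form below 128, otherwise the minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def decode_length(data: bytes, pos: int) -> Tuple[int, int]:
    """(length, position after it). Rejects encodings BER permits but DER forbids."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0:
        raise ValueError("indefinite length is BER, not DER")
    body = data[pos + 1 : pos + 1 + count]
    if len(body) != count:
        raise ValueError("truncated length")
    n = int.from_bytes(body, "big")
    if n < 0x80 or body[0] == 0:
        raise ValueError("non-minimal length encoding (BER, not DER)")
    return n, pos + 1 + count


def read_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one TLV; return (tag, value, position after it)."""
    tag = data[pos]
    length, pos = decode_length(data, pos + 1)
    value = data[pos : pos + length]
    if len(value) != length:
        raise ValueError("truncated value")
    return tag, value, pos + length


def encode_oid(oid: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER. The first two arcs share one
    subidentifier (40*a1 + a2); each subidentifier is base-128, high bit set
    on every byte but the last."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {oid!r}")
    body = bytearray()
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        body.extend(reversed(chunk))
    return bytes([TAG_OID]) + encode_length(len(body)) + bytes(body)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid for the value octets (tag and length stripped)."""
    subs: List[int] = []
    acc = 0
    for b in body:
        if acc == 0 and b == 0x80:
            raise ValueError("leading 0x80 in a subidentifier is not DER")
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(acc)
            acc = 0
    if acc or not subs:
        raise ValueError("truncated OID")
    first = subs[0]
    arcs = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subs[1:])


def encode_attribute(oid: str, text: str) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value UTF8String }.
    Tagging the string with 2.5.4.3 is what makes it a common name."""
    utf8 = text.encode("utf-8")
    inner = encode_oid(oid) + bytes([TAG_UTF8STRING]) + encode_length(len(utf8)) + utf8
    return bytes([TAG_SEQUENCE]) + encode_length(len(inner)) + inner


def parse_attribute(der: bytes) -> Tuple[str, str]:
    """Parse the structure produced by encode_attribute back to (oid, text)."""
    tag, seq, end = read_tlv(der)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid_body, pos = read_tlv(seq)
    if tag != TAG_OID:
        raise ValueError("expected OBJECT IDENTIFIER")
    tag, val, pos = read_tlv(seq, pos)
    if tag != TAG_UTF8STRING or pos != len(seq):
        raise ValueError("expected UTF8String")
    return decode_oid(oid_body), val.decode("utf-8")
```

The strictness in `decode_length` and `decode_oid` is the practical difference between DER and BER: DER has exactly one valid encoding for a value, which is what lets signatures over the DER bytes be meaningful. A parser that silently accepts the BER variants can be fed two different byte strings for the "same" certificate.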

No one understands d_______ n________. They don't really make sense for the web. Avoid them. If you do use them, keep them simple. You don't have to use every field. In fact, you shouldn't. A c_____ n______ is probably all you need, and perhaps an organization name if you're a thrill seeker.

distinguished names common name

Historically, X.509 used X.500 d________ n________ (DN) to name the subject of a certificate (a subscriber). A DN includes a c____ n_____(for me, that'd be "Mike Malone"). It can also include a locality, country, organization, organizational unit, and a whole bunch of other irrelevant crap (recall that this stuff was originally meant for a digital phone book).

distinguished names (DNs) common name

There are four sorts of SANs in common use, all of which bind names that are broadly used and understood: What are these 4?

domain names (DNS) email addresses IP addresses URIs (These are already supposed to be unique in the contexts we're interested in, and they map pretty well to the things we're interested in identifying: email addresses for people, domain names and IP addresses for machines and code, URIs if you want to get fancy. Use SANs.)

Certificates are like d______ l_______ or p_______ for computers and code.

driver's licenses passports

Certificates are kind of like this analogy: What is the analogy?

driver's licenses for computers and code

ASN.1 is abstract in the sense that the standard doesn't say anything about how stuff should be represented as bits and bytes. For that there are various _______ _____ that specify concrete representations for ASN.1 data values.

encoding rules

A certificate authority (CA) is an

entity that issues certificates to subscribers — a certificate issuer.

In addition to fancier encoding using PEM, a certificate might be wrapped up in fancier packaging. Several _______ _______ define larger data structures (still using ASN.1) that can contain certificates, keys, and other stuff.

envelope formats

Several envelope formats define larger data structures (still using ASN.1) that can contain certificates, keys, and other stuff. Some things ask for "a certificate" when they really want a certificate in one of these __________. So beware.

envelopes

There's nothing stopping a particular RP from accepting an e________ certificate by mistake (or bad design).

expired Certificate use is disaggregated. It's up to each RP to check whether a certificate has expired, and sometimes they mess up. This might happen if your code depends on a system clock that isn't properly synchronized.

If you want better __________ internally (e.g., you want to restrict which certificates your internal CAs can issue) you might try CAA records and properly configured RPs.

federation

Without an expiration date, certificates would be trusted ________.

forever A rule of thumb for security is that, as we approach forever, the probability of a credential becoming compromised approaches 100%. Thus, certificates expire.

Thus, a recipient that only has a public key can verify signatures, but can't

generate them. This gives you tighter control over who can sign stuff.

The 2011 DigiNotar attack demonstrated the problem here: as part of the attack a certificate was fraudulently issued for _______.___. This certificate was trusted by major web browsers and operating systems despite the fact that _______ had no relationship with DigiNotar. Dozens more fraudulent certificates were issued for companies like Yahoo!, Mozilla, and The Tor Project. DigiNotar root certificates were ultimately removed from the major trust stores, but a lot of damage had almost certainly already been done.

google.com Google

Your provisioning infrastructure must have some notion of i______ in order to put the right code in the right place and start things up. And you must trust it.

identity You can leverage this knowledge and trust to configure RP trust stores and bootstrap subscribers into your internal PKI.

For internal PKI you can use any process you want for i_______ p_______.

identity proofing. You can probably do better than relying on DNS or email the way Web PKI does.

CSRs include lots of options for specifying certificate details. In practice most of this stuff is i______ by CAs. Instead most CAs use a t_________ or provide an administrative interface to collect this information.

ignored template

Certificate path validation Since intermediate certificates are not i_______ in trust stores they need to be distributed and verified just like l_____ c_______.

included leaf certificates

If you're using raw AMIs on AWS you can use i_______ i________ d_________.

instance identity documents (GCP and Azure have similar functionality).

bundle of certificates - leaf, intermediate, root - forms a chain (called a certificate chain). The leaf is signed by the _________, the ________ is signed by the ____, and the ____ signs itself.

intermediate intermediate root root

To make certificate issuance scalable (i.e., to make automation possible) when the root CA isn't online, the root private key is only used infrequently to sign a few ________ _________.

intermediate certificates

_______ _____ ________ are used by intermediate CAs (also called subordinate CAs) to sign and issue leaf certificates to subscribers.

intermediate private keys

Finally, the CA/Browser Forum Baseline Requirements actually prohibit Web PKI CAs from binding

internal IPs (e.g., stuff in 10.0.0.0/8) or internal DNS names that aren't fully-qualified and resolvable in public global DNS (e.g., you can't bind a kubernetes cluster DNS name like foo.ns.svc.cluster.local).

If you have local addresses and internal IPs 10.0.0.X/8 internal DNS names etc, and you want to bind this sort of name in a certificate, issue lots of certificates, or control certificate details, you'll need your own ________ _____.

internal PKI

Web PKI is mostly defined by these

is mostly defined by RFC 5280 and the CA/Browser Forum or CAB Forum. Sometimes called Internet PKI or PKIX.

The entity that signs a certificate is called the I______________ or C______ _______.

issuer (or certificate authority) and the entity named in the certificate is called the subject.

How is the CA supposed to authenticate the subscriber before a certificate's been issued?

it depends. For Web PKI there are three kinds of certificates and the biggest differences are how they identify subscribers and the sort of identity proofing that's employed. They are: domain validation (DV), organization validation (OV), and extended validation (EV) certificates.

Certificates and PKI are built on public key cryptography (also called asymmetric cryptography), which uses k__ p_____

key pairs

Certificates that belong to subscribers are sometimes called end entity certificates or

leaf certificates

Intermediate private keys are used by intermediate CAs (also called subordinate CAs) to sign and issue l_____ c_____ to subscribers. Intermediates aren't generally included in trust stores, making them easier to r______ and r______, so certificate issuance from an intermediate typically is online and automated.

leaf certificates revoke and rotate

Some stuff expects the certs to be ordered from l___ to r___, other stuff expects r___ to l____, and some stuff doesn't care. More annoying inconsistency. Google and Stack Overflow help here. Or trial and error.

leaf to root root to leaf
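The chain cards above (leaf signed by intermediate, intermediate by root, root by itself; intermediates must be shipped with the leaf; bundle order is inconsistent) are a procedure, and the following is an added example of it (my own code, not from the flashcards). It builds the leaf-to-root order out of a shuffled bundle and reports the classic "missing intermediate" misconfiguration. Real code would read subject and issuer out of the X.509 structures (for instance with the `cryptography` package) and verify each signature; here every certificate is a constructed stand-in record carrying only the names the ordering logic needs.

```python
# Added example: order a shuffled certificate bundle leaf -> root (not from the flashcards).
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CertStub:
    """Stand-in for a certificate: just its subject and issuer names (assumption)."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        # A root signs itself. A real check also verifies the signature under the
        # cert's own key; matching names alone are not proof.
        return self.subject == self.issuer


def order_chain(bundle: List[CertStub], leaf_subject: str) -> List[CertStub]:
    """Return [leaf, intermediate(s)..., root] for leaf_subject, or raise ValueError."""
    by_subject: Dict[str, CertStub] = {}
    for cert in bundle:
        if cert.subject in by_subject:
            raise ValueError(f"duplicate subject in bundle: {cert.subject}")
        by_subject[cert.subject] = cert
    if leaf_subject not in by_subject:
        raise ValueError(f"no certificate for {leaf_subject} in bundle")
    chain = [by_subject[leaf_subject]]
    seen = {leaf_subject}
    while not chain[-1].self_signed:
        issuer = chain[-1].issuer
        if issuer in seen:
            raise ValueError(f"issuer loop at {issuer}")
        if issuer not in by_subject:
            # The deployment mistake the card warns about: the intermediate was
            # never configured on the subscriber, so RPs can't reach a trusted root.
            raise ValueError(f"missing intermediate: {issuer}")
        chain.append(by_subject[issuer])
        seen.add(issuer)
    return chain


def split_for_tls(chain: List[CertStub]) -> dict:
    """What goes where: the subscriber sends leaf + intermediates in the handshake;
    the root must already be in the RP's trust store and is usually omitted."""
    return {"send_in_handshake": chain[:-1], "must_be_in_trust_store": chain[-1]}


# Constructed bundle, deliberately in root-to-leaf order.
BUNDLE = [
    CertStub("Example Root CA", "Example Root CA"),
    CertStub("Example Intermediate CA", "Example Root CA"),
    CertStub("www.example.com", "Example Intermediate CA"),
]
```

Reversing the returned list gives the root-to-leaf order that some tools want; the point is to derive the order from the issuer links rather than trusting the order a file happens to have.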

OV and EV certificates build on DV certificates and include the name and location of the organization that owns the bound domain name. They connect a certificate not just to a domain name, but to the......

legal entity that controls it.

Public key cryptography lets computers do something that's otherwise impossible: public key cryptography

lets computers see. public key cryptography lets one computer (or bit of code) prove to another that it knows something without sharing that knowledge directly.

Public Key Cryptography is like vision. If you know what I look like you can tell who I am - authenticate my identity - by

looking at me. But you can't shape-shift to impersonate me.

A federated identity in information technology is the:

means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.

If you follow this chain of trust back far enough you'll always find people: every trust chain ends in ___________.

meatspace

In the context of TLS, MAC stands for:

message authentication code

A recipient that also knows the shared secret can produce their own m____ ______ ______ and compare it to the one provided.

message authentication code (MAC)
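The two MAC cards (the one defining a MAC and this one about the recipient recomputing it) describe a small protocol, and the following is an added example of it in code (my own, not from the flashcards). The cards' "hash the shared secret together with the message" is the idea; the concrete construction here is HMAC, which is what you should actually use, because a bare `hash(secret || message)` with a Merkle-Damgard hash such as SHA-256 is open to length-extension forgery. The shared secret and the messages are constructed.

```python
# Added example: MAC send/verify with HMAC-SHA256 (not from the flashcards).
import hashlib
import hmac

SHARED_SECRET = b"constructed-shared-secret-for-demo"  # assumption: both parties hold this
TAG_LEN = 32  # SHA-256 output size


def tag(secret: bytes, message: bytes) -> bytes:
    """The MAC: keyed hash of the message under the shared secret."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def send(secret: bytes, message: bytes) -> bytes:
    """Wire format: message || MAC."""
    return message + tag(secret, message)


def receive(secret: bytes, wire: bytes) -> bytes:
    """Return the message if the MAC verifies, else raise ValueError. The
    comparison is constant-time so an attacker can't learn the tag byte by byte."""
    if len(wire) < TAG_LEN:
        raise ValueError("too short to carry a MAC")
    message, got = wire[:-TAG_LEN], wire[-TAG_LEN:]
    if not hmac.compare_digest(got, tag(secret, message)):
        raise ValueError("MAC mismatch: wrong sender or modified message")
    return message


def verify_wire(secret: bytes, wire: bytes) -> bool:
    """Boolean form of receive() for callers that only need accept/reject."""
    try:
        receive(secret, wire)
        return True
    except ValueError:
        return False


def tamper(wire: bytes) -> bytes:
    """Flip one bit of the message body to play the interloper."""
    body = bytearray(wire)
    body[0] ^= 0x01
    return bytes(body)


def naive_mac(secret: bytes, message: bytes) -> bytes:
    """The cards' literal construction, kept only for contrast. It detects
    modification, but someone who knows len(secret) and naive_mac(s, m) can
    compute naive_mac(s, m || padding || extra) without knowing s."""
    return hashlib.sha256(secret + message).digest()
```

A signature, per the next cards, has the same accept/reject shape but splits the key: `receive` would need only the public key and could never produce a tag itself. The standard library has no asymmetric signing, so that half is not shown here.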

Identity proofing Once a CA receives a CSR and verifies its signature the next thing it needs to do is figure out whether the ____ to be bound in the certificate is actually the correct name of the _________.

name subscriber This is tricky. The whole point of certificates is to allow RPs to authenticate subscribers.

A certificate is a data structure that contains a public key and a name. The data structure is then signed. The signature binds the public key to the

name.

Web PKI allows for multiple names to be bound in a certificate and allows for wildcards in n_____.

names

BER is b_____ e_______ r____

non-canonical basic encoding rules (BER) - sometimes used instead of DER

ASN.1 has normal data types like integers, strings, sets, and sequences. It also has an unusual type that's important to understand:

object identifiers (OIDs).

A CA that exposes remotely accessible APIs to automate this stuff is called an o______ CA. A CA with a self-signed root certificate included in trust stores is called a ________ CA.

online root

Revoking X.509 certificates is a big mess. Like expiration, the onus is on RPs to enforce revocations. Unlike expiration, the revocation status can't be encoded in the certificate. The RP has to determine the certificate's revocation status via some o__-o___-b___ p______.

out-of-band process

The complete certificate path validation algorithm is complicated. It includes checking certificate expirations, revocation status, various certificate policies, key use restrictions, and a bunch of other stuff. Proper implementation of this algorithm by PKI RPs is absolutely critical. People are shockingly casual about disabling certificate path validation (e.g., by ______ the ___ flag to curl). Don't do this.

passing the -k flag to curl

For internal PKI the trend is towards accepting this reality and using p_______ r________. That is, issuing certificates that expire quickly enough that revocation isn't necessary.

passive revocation. If you want to "revoke" a certificate you simply disallow renewal and wait for it to expire. For this to work you need to use short-lived certificates. How short? That depends on your threat model (that's how security professionals say ¯\_(ツ)_/¯). Twenty-four hours is pretty typical, but so are much shorter expirations like five minutes.

Common extensions for PKCS#12 are:

.pfx and .p12

A signature can be verified using a public key but can only be generated with a corresponding

private key

Let's repeat that last part because it's important: the security of a public key cryptosystem depends on keeping

private keys private.

Authentication, in general, is the

process of confirming the truth of some claim.

Certificate Transparency (CT) (RFC 6962) mandates that CAs submit every certificate they issue to an impartial observer that maintains a _______ ______ ___ to detect fraudulently issued certificates.

public certificate log

A key pair consists of a _________________ that can be distributed and shared with the world, and a corresponding ___________________ that should be kept confidential by the owner.

public key; private key

Certificates let you use trust, and knowledge of an issuer's _________ , to learn another entity's _________ (in this case, Bob's). That's it. Fundamentally, that's all a certificate is.

public key; public key

A signature can be verified using a

public key but can only be generated with a corresponding private key.

Certificates and PKI are built on

public key cryptography (also called asymmetric cryptography), which uses key pairs.

Like a certificate, a CSR is a data structure that contains: (3 things)

public key, a name, and a signature

The only thing that's truly mandatory if you're building a PKI from scratch is that, definitionally, you've got to be using public keys. Everything else can change.

public keys (That said, you probably don't want to build a PKI entirely from scratch.)

For the ACME Protocol, common challenges include serving a r_____ n_______ at a given URL (the ____ challenge) and placing a random number in a ___ TXT record (the ___ challenge).

random number; HTTP; DNS; DNS

Certificates expire, at which point they're no longer trusted by r_____ p______.

relying parties (RPs)

How does the relying party know the issuer's public key?

relying parties are pre-configured with a list of trusted root certificates (or trust anchors) in a trust store.

If you're still using a certificate that's about to expire you're going to want to renew it before that happens. There's actually no standard r______ process for Web PKI.

renewal. There's no formal way to extend the validity period on a certificate. Instead you just replace the expiring certificate with a new one. So the renewal process is the same as the issuance process: generate and submit a CSR and fulfill any identity proofing obligations.

Web PKI root certificates are broadly distributed in trust stores and hard to ______.

revoke

If a private key is compromised or a certificate's simply no longer needed you might want to r______ it. That is, you might want to actively mark it as i______ so that it stops being trusted by RPs immediately, even before it expires.

revoke; invalid. Revoking X.509 certificates is a big mess. Like expiration, the onus is on RPs to enforce revocations. Unlike expiration, the revocation status can't be encoded in the certificate. The RP has to determine the certificate's revocation status via some out-of-band process.

By default, most TLS implementations will happily accept r_______ certificates.

revoked

Compromising a ___ ____ _____ ____ would affect literally billions of people and devices. Best practice, therefore, is to keep ____ ____ _____ offline, ideally on some specialized hardware connected to an air gapped machine, with good physical security, and with strictly enforced procedures for use.

root CA private key; root private keys

If you can automate r____ c_____ r_______ (e.g., update your trust stores using configuration management or orchestration tools) you can easily r______ a compromised root key.

root certificate rotation; rotate

To configure a PKI relying party you tell it which r___ c_______ to use

root certificates

Certificates that belong to CAs are usually called

root certificates or intermediate certificates depending on the sort of CA.

So provenance is critical: a ____-____ c_________ should only be trusted insofar as the process by which it made its way into the trust store is trusted. On macOS the trust store is managed by the _________. On many Linux distributions it's simply some file(s) in /etc or elsewhere on disk. If your users can modify these files you better trust all your users.

self-signed certificate; keychain

More recently, Sennheiser got called out for installing a _____-____ ____ ________ in trust stores with their HeadSetup app, then embedding the corresponding ______ ___ in the app's configuration. Anyone can extract this _______ ___ and use it to issue a certificate for any domain. Any computer that has the Sennheiser certificate in its trust store would trust these fraudulent certificates. This completely undermines TLS. Oops.

self-signed root certificate; private key; private key

Root certificates in trust stores are ____-______.

self-signed. The issuer and the subject are the same. Logically it's a statement like "Mike says Mike's public key is blah blah blah".

Federated identity is related to _______ _____-____ ____, in which a user's single authentication ticket, or token, is trusted across multiple IT systems or even organizations.

single sign-on (SSO)

Hash functions are also one-way: it's computationally infeasible to take the output of a hash function and reconstruct its input. This is critical to maintaining the confidentiality of a shared secret: Otherwise....

some interloper could snoop your MACs, reverse your hash function, and figure out your secrets.

Certificate Authority Authorization (CAA) allows you to restrict which CAs can issue certificates for your domain using a _______ ___ _______.

special DNS record

You can leverage this knowledge and trust to configure RP trust stores and bootstrap subscribers into your internal PKI. All you need to do is come up with some way for your provisioning infrastructure to tell your CA the identity of whatever's starting up. Incidentally, this is precisely the gap s____ c______ was designed to fill.

step certificates

When setting up the DN, the latest practice for binding a name, instead of using a common name is to use a....

subject alternative name (SAN)

The entity named in the certificate is called the s________.

subject.

The security of a PKI depends critically on a simple invariant: that the only entity that knows a given private key is the s_________ named in the corresponding certificate.

subscriber

Best practice is to have the s__________ generate its own key pair so it's the only thing that ever knows it.

subscriber. Definitely avoid transmitting a private key across the network.

When you configure a s________ (e.g., a web server like Apache or Nginx or Linkerd or Envoy) you'll typically need to provide not just the leaf certificate, but a c_____ b______ that includes intermediate(s). PKCS#7 and PKCS#12 are sometimes used here because they can include a full certificate chain.

subscriber; certificate bundle

The ITU Telecommunication Standardization Sector coordinates standards for

telecommunications and Information Communication Technology such as X.509 for cybersecurity, Y.3172 for machine learning, and H.264/MPEG-4 AVC for video compression, between its Member States, Private Sector Members, and Academia Members.

What is the goal of PKI?

the goal of certificates and PKI is to bind names to public keys. That's it. The rest is just implementation details.

So if the recipient's MAC matches the one sent with the message it can be confident that

the message was sent by another entity that knows the shared secret. Assuming only trusted entities know the shared secret, the recipient can trust the message.

If you know my public key (what I look like) you can use it to see me across

the network.

If only one entity knows the private key you get a property called non-repudiation: What does that mean?

the private key holder can't deny (repudiate) the fact that they signed some data.

With a MAC, at least two entities need to know the shared secret: Which entities are these?

the sender and the recipient. A valid MAC could have been generated by either party, and you can't tell which.

Certificates let you use ______, and knowledge of an issuer's public key, to learn another entity's public key (in this case, Bob's). That's it. Fundamentally, that's all a certificate is.

trust

In any case, if you run your own internal PKI you should maintain a separate _____ _____ for internal stuff. That is, instead of adding your root certificate(s) to the existing system _____ ______, configure internal TLS requests to use only your roots.

trust store; trust store

Firefox ships with its own

trust store (distributed using TLS from mozilla.org — bootstrapping off of Web PKI using some other trust store).

The CA needs to get its certificate distributed in t_____ s______, to accept and process certificate requests, and issue certificates to subscribers.

trust stores

A Certificate Authority (CA) is a _____ ______ ______. It vouches for the binding between a public key and a name by signing a certificate.

trusted certificate issuer

100+ certificate authorities are trusted in the descriptive sense — browsers and other stuff trust certificates issued by these CAs by default. But that doesn't mean they're ___________ in the moral sense.

trustworthy

DER is a pretty simple ____-______-_____ encoding, but you really don't need to worry about it since libraries will do most of the heavy lifting.

type-length-value

You can use an OID to tag a bit of data with a _____

type.

Web PKI allows for multiple names to be bound in a certificate and allows for w_________ in names. A certificate can have m_______ SANs, and can have SANs like *.example.com

wildcards; multiple. This is useful for websites that respond to multiple names (e.g., example.com and www.example.com).

Internal PKI is PKI

you run yourself, for your own stuff

Hash functions have a simple contract: if you feed them the same input twice

you'll get the exact same output. If the input is different - even by a single bit - the output will be totally different.
