Section 8.75 Digital Certificates Flashcards

Objectives 1.4 Explain the importance of using appropriate cryptographic solutions. Objectives 2.3 Explain various types of vulnerabilities. Objectives 2.4 Given a scenario, you must be able to analyse indicators of malicious activity.

1
Q

Digital Certificate

A

Digitally signed electronic document that binds a public key to a user's identity

Users can be individuals, servers, workstations, or devices

2
Q

Digital Certificate

X.509 Standard

A

■ Use the X.509 Standard

Commonly used standard for digital certificates within PKI

Contains owner’s/user’s information and certificate authority details

3
Q

Types of Digital Certificates

Wildcard Certificate

A

● Allows multiple subdomains to use the same public key certificate and have it displayed as valid

● PROs: Easier management, cost-effective for subdomains

● CONs: Any compromise affects all subdomains

It is easy to obtain a new wildcard certificate if the current one is compromised, which is a good thing

4
Q

Types of Digital Certificates

SAN (Subject Alternative Name) field

A

Certificate that specifies which additional domains and IP addresses are supported

● Used when domain names don’t have the same root domain

5
Q

Types of Digital Certificates

Single-Sided and Dual-Sided Certificates

A

● Single-sided:
○ Only requires the server to be validated, so only one side of the authentication is happening.

e.g. If I wanted to connect to another person's website and create a secure session, this could be established between the website's server, which has the digital certificate, and my browser.

● Dual-sided:
○ Both server and user validate each other

○ Dual-sided gives higher security but requires more processing power, so it is used in high-security environments

6
Q

Types of Digital Certificates

Self-Signed Certificates

A

Digital certificate that is signed by the same entity whose identity it certifies

● Provides encryption but lacks third-party trust

● Used in testing, closed, or non-production systems

7
Q

Types of Digital Certificates

Third-party certificates

A

Digital certificate issued and signed by trusted certificate authorities (CAs)

● Trusted by browsers and systems
● Preferred for public-facing websites

They carry a high degree of trust for online transactions and encrypted communications, which makes third-party certificates the preferred choice for any public-facing websites or applications you may be hosting

8
Q

Types of Digital Certificates

Root of Trust

A

Each certificate is validated using the concept of a root of trust, or the chain of trust

● Trusted by browsers and systems
● Preferred for public-facing websites

e.g. Amazon or Google

Like a family tree: a succession of trust

9
Q

Types of Digital Certificates

Certificate Authority (CA)

A

Trusted third party that issues digital certificates; the certificate therefore contains the CA's name, its digital signature, the serial number of the certificate, the issue date, the expiration date and the version of that certificate

10
Q

Types of Digital Certificates

Registration Authority (RA)

A

Users need to register with a CA via the RA. The RA requests identifying information from the user and forwards the certificate request to the CA, which creates a digital certificate for the user.

● Collects user information for certificates
● Assists in the certificate issuance process

11
Q

Types of Digital Certificates

Certificate Signing Request (CSR)

A

A block of encoded text with information about the entity requesting the certificate

● Includes the public key
● Submitted to CA for certificate issuance
● Private key remains secure with the requester

12
Q

Types of Digital Certificates

Certificate Revocation List (CRL)

A

● Maintained by CAs
● List of all digital certificates that the certificate authority has already revoked
● Checked before validating a certificate

13
Q

Types of Digital Certificates

Online Certificate Status Protocol (OCSP)

A

● Determines the revocation status of any digital certificate using the certificate's serial number

● Faster but less secure than CRL

14
Q

Types of Digital Certificates

OCSP Stapling

A

● Alternative to OCSP

● Allows the certificate holder to get the OCSP record from the server at regular intervals

● Includes OCSP record in the SSL/TLS handshake

● Speeds up the secure tunnel creation

15
Q

Public Key Pinning

A

● Allows an HTTPS website to resist impersonation attacks from users who are trying to present fraudulent certificates

● Presents trusted public keys to the user's browser as part of the HTTP header

● Alerts users if a fraudulent certificate is detected

16
Q

Key Escrow Agents

A

● Securely store copies of private keys

● Ensures key recovery in case of loss

● Requires strong access controls

17
Q

Key Recovery Agents

A

● Specialized type of software that allows a lost or corrupted key to be restored

● Acts as a backup for certificate authority keys

18
Q

Trust in Digital Certificates

A

■ Trust is essential in digital certificates

■ Compromised root CAs can impact all issued certificates

■ Commercially trusted CAs are more secure

■ Self-managed CAs must be vigilant against compromises