Section 8.75 Digital Certificates Flashcards

Objectives 1.4 Explain the importance of using appropriate cryptographic solutions. Objectives 2.3 Explain various types of vulnerabilities. Objectives 2.4 Given a scenario, you must be able to analyse indicators of malicious activity.

1
Q

Digital Certificate

A

Digitally signed electronic document that binds a public key to a user's identity

Users can be individuals, servers, workstations, or devices

2
Q

Digital Certificate

X.509 Standard

A

■ Uses the X.509 standard

Commonly used standard for digital certificates within PKI

Contains owner’s/user’s information and certificate authority details

3
Q

Types of Digital Certificates

Wildcard Certificate

A

● Allows multiple subdomains to use the same public key certificate and have it displayed as valid

● PROs: Easier management, cost-effective for subdomains

● CONs: Any compromise affects all subdomains

It is easy to obtain a new wildcard certificate if the existing one is compromised, which is an advantage

Online platforms that require an overhaul to perform well on mobile devices usually host their mobile sites under dedicated subdomains. For example, Facebook crafted a distinct interface for its mobile users under m.facebook.com. The company shaped the layout to fit a mobile device’s oblong shape.

4
Q

Types of Digital Certificates

SAN (Subject Alternate Name) field

A

Certificate that specifies what additional domains and IP addresses are going to be supported

● Used when domain names don’t have the same root domain

5
Q

Types of Digital Certificates

Single-Sided and Dual-Sided Certificates

A

● Single-sided:
○ Only requires the server to be validated, so only one side of the authentication is happening.

e.g. If I wanted to connect to another person's website and create a secure session, this could be established between the website's server, which has the digital certificate, and my browser (e.g. a public website)

● Dual-sided:
○ Both server and user validate each other, e.g. banking / government / organisations

○ Dual-sided offers higher security but requires more processing power, so it is used in high-security environments

6
Q

Types of Digital Certificates

Self-Signed Certificates

A

Digital certificate that is signed by the same entity whose identity it certifies

● Provides encryption but lacks third-party trust

● Used in testing, closed, or non-production systems (internal use)

7
Q

Types of Digital Certificates

Third-party certificates

A

Digital certificate issued and signed by trusted certificate authorities (CAs)

● Trusted by browsers and systems
● Preferred for public-facing websites

They offer a high degree of trust for online transactions and encrypted communications, which makes third-party certificates the preferred choice for any public-facing websites or applications you may be hosting

8
Q

Key concepts

Root of Trust

A

Each certificate is validated using the concept of a root of trust or the chain of trust

● Trusted by browsers and systems
● Preferred for public-facing websites

e.g. Amazon or Google

Like a family tree: a succession of trust

The RoT is the first component in the chain of trust, and the trust in the RoT is inherited by the entire chain. If the RoT is compromised, the entire chain is contaminated

9
Q

Key concepts

Certificate Authority (CA)

A

Trusted third party that issues digital certificates; the certificate therefore contains the CA's name, the CA's digital signature, the serial number of the certificate, its issue date, its expiration date and the version of that certificate

10
Q

Key concepts

Registration Authority (RA)

A

Users register with a CA via the RA. The RA requests identifying information from the user and forwards the certificate request to the CA, which creates a digital certificate for the user.

● Collects user information for certificates
● Assists in the certificate issuance process

11
Q

Key concepts

Certificate Signing Request (CSR)

A

A block of encoded text with information about the entity requesting the certificate

● Includes the public key
● Submitted to CA for certificate issuance
● Private key remains secure with the requester

How the process works:

A user or device sends a certificate request to the RA.

The RA verifies the requestor’s identity and authenticity using acceptable forms of identification.

If the request is authenticated, the RA generates a key pair and sends a CSR to the CA.

The CA issues a signed certificate to the RA, who then passes it on to the requesting user or device.

12
Q

Key concepts

Certificate Revocation List (CRL)

A

● Maintained by CAs
● List of all digital certificates that the certificate authority has already revoked
● Checked before validating a certificate

13
Q

Key concepts

Online Certificate Status Protocol (OCSP)

A

● Determines the revocation status of any digital certificate using the certificate's serial number

● Faster but less secure than CRL

14
Q

Key concepts

OCSP Stapling

A

● Alternative to OCSP

● Allows the certificate holder to get the OCSP record from the server at regular intervals

● Includes OCSP record in the SSL/TLS handshake

● Speeds up the secure tunnel creation

15
Q

Key Escrow Agents

A

● Securely store copies of private keys

● Ensures key recovery in case of loss

● Requires strong access controls

16
Q

Key Recovery Agents

A

● Specialised software that allows a lost or corrupted key to be restored

● Acts as a backup for certificate authority keys

17
Q

Trust in Digital Certificates

A

■ Trust is essential in digital certificates

■ Compromised root CAs can impact all issued certificates

■ Commercially trusted CAs are more secure

■ Self-managed CAs must be vigilant against compromises