Public-key Infrastructure
Computer Center, CS, NCTU

- A set of hardware, software, people, policies, and procedures.
- To create, manage, distribute, use, store, and revoke digital certificates.
- Encryption, authentication, signature
- Bootstrapping secure communication protocols.

CA: Certificate Authority (1)
- In God We Trust

CA: Certificate Authority (2)
- Certificate
  - Contains data of the owner, such as Company Name, Server Name, Email, Address, …
  - Public key of the owner.
  - Followed by some digital signatures.
    - These sign the certificate.
  - In X.509
    - A certificate is signed by a CA.
    - To verify the correctness of the certificate, check the signature of the CA.

CA: Certificate Authority (3)
- Certificate Authority (CA)
  - “憑證授權” ("certificate authority") in the Traditional Chinese (CHT) version of Windows.
  - In X.509, it is itself a certificate.
    - The data of the CA.
    - Used to sign certificates for others.
  - Each CA certificate contains a signature of the Root CA.
  - To verify a valid certificate
    - Check the signature of the Root CA in the certificate of the CA.
    - Check the signature of the CA in this certificate.
  - Reference: http://www.imacat.idv.tw/tech/sslcerts.html

What is a CA? (1)
- Certificate Authority (認證中心, "certification center")
- Trusted server which signs certificates
- One private key and the corresponding public key
- Tree structure of X.509
  - Root CA

What is a CA? (2)
- Root CA (最高層認證中心, "top-level certification center")
  - In Microsoft: 「根目錄授權憑證」 ("root authority certificate")
  - The Root CA does not sign the certificates for users.
    - Instead, it authorizes CAs to sign the certificates for users.
  - The Root CA signs for itself.
    - It is in the sky.
  - To trust the Root CA
    - Install the certificate of the Root CA via a secure channel.

What is a CA? (3)
- Tree structure of CA
- Cost of certificate
  - HiTrust: NT$30,000 / per year / per domain
  - TWCA: NT$30,000 / per year / per domain
  - GoGetSSL (Comodo): USD 7.85 / per year / per domain
  - GoGetSSL (Comodo Wildcard): USD 70.95 / per year
  - Myself: NT$0

Certificate (1)
- Digital Certificate, Public-key Certificate, Network Identity
- A certificate is issued by a CA X
- A certificate of a user A consists of:
  - The name of the issuer CA X
  - His/her public key A_pub
  - The signature Sig(X_priv, A, A_pub) by the CA X
  - The expiration date
  - Applications
    - Encryption / Signature

Certificate (2)
Alice:
  (1) Generate A_pub, A_priv
  (2) Alice → CA X: Alice, A_pub, ID proof
CA X:
  (3) Generate Sig(X_priv, Alice, A_pub, T)
  (4) CA X → Alice: Sig(X_priv, Alice, A_pub, T)
Cert_{A,X} = [Alice, A_pub, Sig(X_priv, Alice, A_pub, T)]
Note: CA does not know A_priv

Certificate (3)
- Guarantee of CA and certificate
  - Guarantees that the public key belongs to someone
  - That someone is not guaranteed to be safe
- Security of transmitting DATA
  - Transmit session key first
    - Public-key cryptosystem
  - Transmit DATA by session key
    - Symmetric-key cryptosystem

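The session-key scheme on this slide, as an added example that is not part of the original slides: the sender wraps a random session key with the receiver's RSA public key, then encrypts the data with AES under that key. The function names hybrid_send, hybrid_recv and hybrid_demo, the file names and the sample message are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the slides); names and the sample message are constructed.

# Sender: $1 = receiver's public key, $2 = plaintext file, $3 = output directory.
hybrid_send() {
    key=$(openssl rand -hex 32) && iv=$(openssl rand -hex 16) || return 1
    # Public-key step: only the short session key goes through RSA.
    printf '%s' "$key" | openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -out "$3/key.enc" || return 1
    printf '%s' "$iv" > "$3/iv.hex"
    # Symmetric step: the bulk DATA is encrypted with AES under the session key.
    # (Real protocols also authenticate the ciphertext; CBC alone does not.)
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$2" -out "$3/data.enc"
}

# Receiver: $1 = own private key, $2 = directory from hybrid_send, $3 = output file.
hybrid_recv() {
    # Unwrap the session key with the private key, then decrypt the data with it.
    key=$(openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2/key.enc") || return 1
    openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$2/iv.hex")" \
        -in "$2/data.enc" -out "$3"
}

# Round trip in a scratch directory with a freshly generated receiver key pair.
hybrid_demo() {
    w=$(mktemp -d) || return 1
    openssl genrsa -out "$w/recv.key.pem" 2048 2>/dev/null || return 1
    openssl pkey -in "$w/recv.key.pem" -pubout -out "$w/recv.pub.pem" || return 1
    printf 'constructed sample DATA\n' > "$w/plain.txt"
    hybrid_send "$w/recv.pub.pem" "$w/plain.txt" "$w" || return 1
    hybrid_recv "$w/recv.key.pem" "$w" "$w/out.txt" || return 1
    cmp -s "$w/plain.txt" "$w/out.txt" && echo "round trip OK"
    rc=$?
    rm -rf "$w"
    return $rc
}

hybrid_demo
```
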
OpenSSL
- http://www.openssl.org/
- In system
  - /usr/src/crypto/openssl
- In pkg
  - openssl

Example: Apache SSL settings
Example: Apache SSL settings – Flow
- Flow
  - Generate random seed
  - Generate RootCA
    - Generate private key of RootCA
    - Fill the Request of Certificate.
    - Sign the certificate itself.
  - Generate certificate of Web Server
    - Generate private key of Web Server
    - Fill the Request of certificate
    - Sign the certificate using RootCA
  - Modify apache configuration, then restart apache

Example: Apache SSL settings – Generate random seed
- openssl rand -out rnd-file num
    % openssl rand -out /etc/ssl/RootCA/private/.rnd 1024
- chmod go-rwx rnd-file
    % chmod go-rwx /etc/ssl/RootCA/private/.rnd

Example: Apache SSL settings – Certificate Authority (8)
- Include etc/apache22/extra/httpd-ssl.conf

    SSLEngine on
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets Off
    SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384"
    SSLCertificateFile /etc/ssl/nasa.crt.pem
    SSLCertificateKeyFile /etc/ssl/nasa/private/nasa.key.pem
    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always add Strict-Transport-Security "max-age=15768000; preload"
    # Public Key Pinning (HPKP)
    ##Header set Public-Key-Pins "pin-sha256=\"klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=\"; pin-sha256=\"633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q=\"; max-age=2592000; includeSubDomains"

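The certificate steps of the flow (RootCA key and self-signed certificate, web server key, request, signing by RootCA) together with the signature check from the CA slides, as an added example that is not part of the original slides. It works in scratch directories; the subject names, file names and function names are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the slides). Subject and file names are constructed.

# Build a RootCA and one web-server certificate inside directory $1.
make_chain() {
    d=$1
    # RootCA: private key, then a certificate it signs itself.
    openssl genrsa -out "$d/rootca.key.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -sha256 -days 30 -key "$d/rootca.key.pem" \
        -subj "/O=Demo/CN=Demo RootCA" -out "$d/rootca.crt.pem" || return 1
    # Web server: private key, then a request that holds only the public key.
    openssl genrsa -out "$d/server.key.pem" 2048 2>/dev/null || return 1
    openssl req -new -sha256 -key "$d/server.key.pem" \
        -subj "/O=Demo/CN=www.example.test" -out "$d/server.req.pem" || return 1
    chmod go-rwx "$d/rootca.key.pem" "$d/server.key.pem"
    # RootCA signs the request; the server's private key is never handed over.
    openssl x509 -req -sha256 -days 30 -in "$d/server.req.pem" \
        -CA "$d/rootca.crt.pem" -CAkey "$d/rootca.key.pem" \
        -set_serial 1 -out "$d/server.crt.pem" 2>/dev/null || return 1
}

# Succeeds only if certificate $2 verifies against the trusted CA certificate $1.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if certificate $1 contains the public half of private key $2.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Two unrelated RootCAs with identical names: a matching name alone is not trusted.
pki_demo() {
    a=$(mktemp -d) && b=$(mktemp -d) || return 1
    make_chain "$a" && make_chain "$b" || return 1
    verify_cert "$a/rootca.crt.pem" "$a/server.crt.pem" && echo "own CA: OK"
    verify_cert "$a/rootca.crt.pem" "$b/server.crt.pem" || echo "other CA: rejected"
    cert_matches_key "$a/server.crt.pem" "$a/server.key.pem" && echo "key bound: OK"
    rm -rf "$a" "$b"
}

pki_demo
```
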
Appendix: PGP
PGP
- Pretty Good Privacy
- Public key system
  - Encryption
  - Signature
- security/gnupg
- Will talk more in Network Administration
- Ref: http://security.nknu.edu.tw/textbook/chap15.pdf