1 of 8

SEC 260 Web and Applications Security: 7 - Certificates and Certificate Authorities

2 of 8

More about Digital Certificates

  • Digital Certificates provide:
    • Confidentiality: Contain the Public Key used for encryption
    • Authentication: Signed by Trusted Certificate Authority (CA)

  • Remember- Certificates contain the Public Key plus other public information about a server or user

  • Certificates must have a corresponding Private Key that only the server or user should have.

3 of 8

More about Digital Certificates

  • Certificate Authority: Service that creates and issues certificates
    • Listed as “Issuer” on certificates

  • Operating systems (and some Browsers) have a Certificate Store
    • Certificate Manager in Windows
    • Keychain in OSX
    • Firefox has the Mozilla certificate store
    • Includes the “Trusted Root Certificates”

  • Many server services will keep certificates and keys on file system.

4 of 8

How CA’s Work with TLS

  1. CA has a Private/Public Key Pair
  2. Client (Alice) has a copy of the CA Public Key in Trusted CA List
  3. Server (Bob) has its Certificate signed by the CA’s Private Key
  4. Client knows that Server Certificate is valid by checking the signature with CA Pub Key

5 of 8

Certificate Revocation

How do you know if a certificate has been compromised and should no longer be trusted?

  • Two common methods

  • Certificate Revocation List (CRL): The Certificate Authority (CA) publishes a list with the certificates it has revoked.
    • Clients check that website to verify that the cert is still valid
    • Must parse the full list (can contain thousands of entries) to see if the certificate is revoked

  • Online Certificate Status Protocol (OCSP)
    • Clients poll a web service for the specific (single) certificate
    • More efficient
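The CA signing flow from the "How CA's Work with TLS" slide and the CRL check from this slide, as one added Go example (it is not part of the slides and not any CA's real code). The CA name "Example Root CA", the host "bob.example", the serial numbers and the one-day validity windows are constructed for the demonstration. Everything happens in memory using Go's standard crypto/x509 package: the CA builds its key pair and root certificate, signs a server certificate with its private key, the client verifies that certificate against its trusted root, and then the CA publishes a CRL that the client must parse in full and scan for the server's serial number.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key pair (constructed for this example).
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// MakeCA is step 1: the CA owns a private/public key pair and a self-signed root certificate.
func MakeCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// IssueServerCert is step 3: the server's certificate carries the server's public key
// and is signed by the CA's private key. The server's private key never leaves the server.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) *x509.Certificate {
	serverKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &serverKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// ClientTrusts is steps 2 and 4: the client holds only the CA public key (the trusted
// root) and accepts the server certificate if the CA's signature checks out and the
// certificate names the host being contacted.
func ClientTrusts(trustedRoot, serverCert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := serverCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// PublishCRL is the CA's side of revocation: a signed list of revoked serial numbers.
func PublishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revokedSerials []int64) []byte {
	var entries []x509.RevocationListEntry
	for _, s := range revokedSerials {
		entries = append(entries, x509.RevocationListEntry{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number:                    big.NewInt(1),
		ThisUpdate:                time.Now().Add(-time.Hour),
		NextUpdate:                time.Now().Add(24 * time.Hour),
		RevokedCertificateEntries: entries,
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		panic(err)
	}
	return der
}

// IsRevokedByCRL is the client's side: it must parse the whole list, confirm the CA
// really signed it and that it is not stale, then scan every entry for the serial.
func IsRevokedByCRL(crlDER []byte, ca, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL is stale; refuse to trust an outdated list")
	}
	for _, e := range crl.RevokedCertificateEntries { // linear scan over the full list
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, caKey := MakeCA()
	good := IssueServerCert(ca, caKey, "bob.example", 2)
	leaked := IssueServerCert(ca, caKey, "bob.example", 3) // imagine this key was compromised
	fmt.Println("chain verifies:", ClientTrusts(ca, good, "bob.example") == nil)
	crl := PublishCRL(ca, caKey, []int64{3})
	r2, _ := IsRevokedByCRL(crl, ca, good)
	r3, _ := IsRevokedByCRL(crl, ca, leaked)
	fmt.Println("serial 2 revoked:", r2, "serial 3 revoked:", r3)
}
```

Two things the slides state show up directly in the code: the client never needs the CA's private key, only the root certificate in its trusted list, and the CRL check is a scan over every entry in the list, which is why it gets expensive as the list grows. A certificate issued by a CA that is not in the client's root pool fails `ClientTrusts`, and a CRL signed by some other key fails `CheckSignatureFrom`, so neither can be substituted by a third party.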

6 of 8

CRL and OCSP

7 of 8

In the real world…

  • Certificate revocation checking can be difficult
    • CRL lists are long files which are hard to keep synced
    • Lots of HTTPS traffic, so checking for all transactions would generate a lot of traffic – even with OCSP
    • OCSP services by CA’s can be unreliable – which could affect browsing if browsers were aggressive at checking OCSP

  • OCSP Stapling is the compromise approach and is gaining popularity
    • Web server checks its own status with OCSP
    • And then sends it along with its certificate to the client
    • As the OCSP response is signed by the CA, the client can trust it

8 of 8

OCSP Stapling