2. Digital Certificates
• Digital Certificates use asymmetric cryptography to
facilitate the secure exchange of public keys.
• Rely upon the use of trusted Certificate Authorities
– Certificate Authorities responsible for vouching for identity of
certificate “subjects”.
– Usually used for servers, can also be used by individuals.
– Organization proves its identity to the CA and the CA provides a
signed certificate that can be used to prove identity to others.
• To a CA, trust is essential!
3. What’s in a Digital Certificate?
•
•
•
•
•
•
•
Name of the certificate subject
Subject’s public key
Name of the CA
Serial number
Signature algorithm
Validity period
CA’s digital signature
Source: Apple Computer
3
4. Using Certificates in HTTPS
• HTTPS uses digital certificates to ensure secure
web communications
• It supplements the standard HTTP protocol with
SSL/TLS encryption
1.
2.
You access a secure site using your web browser
Your browser retrieves the site certificate and verifies it
•
3.
Your browser then chooses a symmetric key, encrypts it with the
server’s public key and sends it to the server
•
4.
4
What does a certificate error mean?
Why don’t they just communicate using the server’s public key?
Everything from that point forward is encrypted with the symmetric
key
7. Simpler Version of the Same Flaw
Default return value set
to 1
Goto bypasses attempt
to change return value
Source: imperialviolet.org
Default value (1) always
returned by function
8. Impact
• Digital signatures on ephemeral keys not
verified
• Certificate itself is verified
• Link between certificate and key not checked
• Clients always trust presented ephemeral keys
because the certificate checked out OK