Lecture on Certificates and Encryption

Jul 12, 2024

Lecture Notes on Certificates and Encryption

Introduction to Certificates

  • Importance: Used daily, often unnoticed.
  • Example: Website certificate (e.g., onemark50.com) indicates a secure connection (padlock icon).

What is a Certificate?

  • Definition: A document linked to an identity.
  • Example: Nephew's toy driver’s license for his Kick Scooter.
    • Indicates identity and authorization (to drive a Kick Scooter, not an airplane).
    • Self-signed by the nephew (issuer and subject are the same).

Real-World vs. Self-Signed Certificates

  • Real-world licenses: Issued by authorized entities (government), difficult to falsify.
  • Website certificates: Trusted globally based on chain of trust.
    • Chain of trust: Starts with a trusted root certificate authority (CA).

Examining Website Certificates

  • Tool: XCA by Christian Hohnstädt (open-source, cross-platform).
  • Steps:
    1. Export the website's certificate (PKCS #7 format in Chrome, full-chain PEM in Firefox).
    2. Import it into XCA and examine the details and the certificate chain.
    3. Example: onemark50.com is issued by R3, which in turn is issued by ISRG Root X1.

The Chain of Trust

  • Structure: From end-user certificate to root CA.
  • Root CA: Often self-signed, trusted by browsers/OS out of the box.
  • Verification: Based on public and private key mechanisms.

How Public and Private Keys Work

  • RSA algorithm: Supports encryption, decryption, signing, verification, and authentication.
  • Encryption: Public key encrypts, private key decrypts.
  • Signing: Private key signs, public key verifies.
  • Security: Based on computational difficulty (e.g., factoring a large number into its prime factors).
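The two sections above (the chain of trust and the public/private key mechanism behind it) are easiest to see in running code. The following is an added educational example, not code from the lecture or from XCA: textbook RSA with small constructed primes, plus a toy certificate chain modelled on the lecture's own example (onemark50.com issued by R3, issued by the self-signed ISRG Root X1). The `Certificate` class, the `|`-separated "to be signed" encoding and the `trust_store` dictionary are all simplifications assumed for this example; real certificates use 2048-bit or larger keys, padding schemes (OAEP/PSS) and X.509 encoding.

```python
import hashlib
from math import gcd

# Added educational example (not from the lecture): textbook RSA with small
# primes plus a toy certificate chain (onemark50.com <- R3 <- ISRG Root X1).


def is_prime(n):
    """Trial division; adequate for the small constructed primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n):
    n += 1
    while not is_prime(n):
        n += 1
    return n


def generate_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)): n = p*q, d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def keypair_from(start):
    """Pick two primes above 'start' (toy sizes; real keys are 2048+ bits)."""
    p = next_prime(start)
    q = next_prime(3 * start)
    while gcd(65537, (p - 1) * (q - 1)) != 1:
        q = next_prime(q)
    return generate_keypair(p, q)


# Encryption: the public key encrypts, only the private key decrypts.
def encrypt(public_key, m):
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


# Signing: the private key signs a hash of the data, the public key verifies.
def _hash_to_int(data, n):
    # Reduced mod n only so it fits the toy modulus; real RSA pads the hash.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    n, d = private_key
    return pow(_hash_to_int(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _hash_to_int(data, n)


class Certificate:
    """Minimal certificate: subject, issuer, subject's public key, issuer's signature."""

    def __init__(self, subject, issuer, public_key):
        self.subject, self.issuer, self.public_key = subject, issuer, public_key
        self.signature = None

    def tbs(self):
        """The 'to be signed' bytes: everything except the signature itself."""
        n, e = self.public_key
        return f"{self.subject}|{self.issuer}|{n}|{e}".encode()


def issue(subject, subject_public_key, issuer_name, issuer_private_key):
    cert = Certificate(subject, issuer_name, subject_public_key)
    cert.signature = sign(issuer_private_key, cert.tbs())
    return cert


def verify_chain(chain, trust_store):
    """chain is ordered leaf -> intermediates -> root; trust_store maps a root
    name to its public key (the browser/OS 'out of the box' trusted roots)."""
    for cert, issuer_cert in zip(chain, chain[1:]):
        if cert.issuer != issuer_cert.subject:
            return False
        if not verify(issuer_cert.public_key, cert.tbs(), cert.signature):
            return False
    root = chain[-1]
    if root.subject != root.issuer:  # the root is self-signed
        return False
    if not verify(root.public_key, root.tbs(), root.signature):
        return False
    return trust_store.get(root.subject) == root.public_key


def build_demo_chain():
    """Constructed chain mirroring the lecture's example."""
    root_pub, root_priv = keypair_from(10**6)
    r3_pub, r3_priv = keypair_from(2 * 10**6)
    leaf_pub, leaf_priv = keypair_from(4 * 10**6)
    root = issue("ISRG Root X1", root_pub, "ISRG Root X1", root_priv)
    r3 = issue("R3", r3_pub, "ISRG Root X1", root_priv)
    leaf = issue("onemark50.com", leaf_pub, "R3", r3_priv)
    return [leaf, r3, root], {"ISRG Root X1": root_pub}, leaf_priv


if __name__ == "__main__":
    chain, trust_store, leaf_priv = build_demo_chain()
    print("chain valid:", verify_chain(chain, trust_store))
    chain[0].subject = "other.example"  # tamper with the leaf
    print("tampered chain valid:", verify_chain(chain, trust_store))
```

Note the two checks a browser performs at every link: the issuer name must match the next certificate's subject, and the signature must verify under that next certificate's public key; at the end, the root must be self-signed and present in the trust store. Changing a single byte of a certificate's subject breaks the signature, which is why a CA's private key, not the certificate file, is the thing that must stay secret.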

Obtaining Certificates

  • Public CA: Issues certificates based on domain validation (proof of control over the domain, typically via DNS).
    • Let's Encrypt: Issues certificates based on control over DNS records.
  • Types of Certificates: Server certificates and wildcard certificates (one certificate covering a domain's subdomains).
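The wildcard bullet above raises a question the notes do not answer: which hostnames does a wildcard certificate actually cover? The following added example (not from the lecture) implements the matching rule that browsers and public CAs apply in practice: `*` is accepted only as the entire leftmost label and matches exactly one label, so `*.example.com` covers `www.example.com` but neither `example.com` itself nor `a.b.example.com`. The function names `hostname_matches` and `certificate_covers` are this example's own.

```python
# Added example (not from the lecture): client-side matching of a certificate
# name (possibly a wildcard) against the hostname the client connected to.


def hostname_matches(cert_name, hostname):
    """True if cert_name (a DNS name from the certificate) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname  # plain names must match exactly
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label (no 'w*.example.com'),
    # appear only once, and never cover an entire TLD such as '*.com'.
    if cert_labels[0] != "*" or "*" in cert_name[1:] or len(cert_labels) < 3:
        return False
    # A wildcard matches exactly one label: same label count, rest identical.
    if len(host_labels) != len(cert_labels) or host_labels[0] == "":
        return False
    return cert_labels[1:] == host_labels[1:]


def certificate_covers(dns_names, hostname):
    """A server certificate lists one or more DNS names; any match suffices."""
    return any(hostname_matches(name, hostname) for name in dns_names)


if __name__ == "__main__":
    names = ["onemark50.com", "*.onemark50.com"]  # constructed SAN list
    for host in ["onemark50.com", "www.onemark50.com", "a.b.onemark50.com"]:
        print(host, "->", certificate_covers(names, host))
```

Because the bare domain is not covered by `*.onemark50.com`, a wildcard certificate is usually issued with both the wildcard and the bare name, which is what the constructed list in the usage block shows.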

Creating Your Own Certificates

  • Methods:
    1. Use public/private services (e.g., Let's Encrypt).
    2. Run your own publicly trusted ("vanity") CA (expensive, requires strict security procedures).
    3. Self-signed certificates (not publicly trusted).
  • Creating a CA: Using XCA to generate a certificate and sign others.
  • Using Certificates: Import CA certificate into browsers for trust.

Using Self-Signed Certificates

  • Scenarios: Control over both server and client, distrust of public CAs, internal networks.
  • Deployment Challenge: Distributing CA certificates to multiple clients.

Future Topics

  • Automating Certificate Requests: Tools like Ansible, especially for internal networks.
  • Security Best Practices: Long keys, secure algorithms.
  • Key Management: More critical than the encryption itself.

Conclusion

  • Key Points: Certificates ensure identity and secure communication, using a chain of trust and public/private key mechanisms.
  • Next Steps: Explore key management and further automation in upcoming sessions.

Stay safe and healthy!