Page 1
Certificate transparency: New part of PKI infrastructure
A presentation by Dmitry Belyavsky, TCI
ENOG 7, Moscow, May 26-27, 2014
Page 2
About PKI *)
*) PKI (public-key infrastructure) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
Page 3
Check the server certificate
There are many trusted CAs. Is the server certificate signed correctly by any of them?
YES: everything seems to be OK!
NO: we warn the user.
Page 4
DigiNotar case
OCSP requests for the fake *.google.com certificate (chart)
Source: FOX-IT, Interim Report, http://cryptome.org/0005/diginotar-insec.pdf
Page 5
PKI: extra trust
PKI + independent source => trusted certificate
DANE (RFC 6698): limited browser support
Certificate pinning: Mozilla Certificate Patrol, Chrome cache for Google certificates
Certificate transparency (RFC 6962): inspired by Google (support in Chrome appeared); one of the authors is Ben Laurie (OpenSSL founder); CA support: Comodo
Page 6
Certificate Transparency: how it works
• Log: accepts cert => SCT
• Client: is SCT present and signed correctly?
• Auditor: does the log server behave correctly?
• Monitor: any suspicious certs?
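The four roles on this slide can be exercised against a toy log. The following is an added example, not code from the presentation or from the certificate-transparency.org project: it implements the RFC 6962 section 2.1 Merkle tree hash, inclusion (audit) path and consistency proof, and verifies them the way a client and an auditor would, then runs a monitor scan over the entries. Assumptions: the log entries are constructed "CN=...;issuer=..." strings standing in for DER certificates, and the SCT signature itself (ECDSA or RSA in a real log) is not modelled, so the only thing the client checks here is that the log really holds the certificate under its signed tree head.

```python
import hashlib

# Added example: a toy RFC 6962 log. Entries are constructed stand-ins for certificates.
ENTRIES = [
    b"CN=www.example.com;issuer=Example CA",
    b"CN=mail.example.com;issuer=Example CA",
    b"CN=www.example.com;issuer=Example CA",   # renewal of entry 0
    b"CN=shop.example.net;issuer=Other CA",
    b"CN=www.example.com;issuer=Rogue CA",     # constructed mis-issuance
]

def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()         # 0x00 prefix marks a leaf

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 prefix marks a node

def _split(n: int) -> int:
    """Largest power of two strictly smaller than n (requires n > 1)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_tree_hash(entries: list) -> bytes:
    """MTH(D[n]) from RFC 6962 2.1: the tree head the log signs."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))

def inclusion_path(m: int, entries: list) -> list:
    """PATH(m, D[n]) from RFC 6962 2.1.1: sibling hashes from leaf m up to the root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_path(m, entries[:k]) + [merkle_tree_hash(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [merkle_tree_hash(entries[:k])]

def _root_from_path(m, n, leaf, path):
    # Mirrors inclusion_path: the last path element is the sibling at this level.
    if n == 1:
        if path:
            raise ValueError("path too long")
        return leaf
    k = _split(n)
    if m < k:
        return node_hash(_root_from_path(m, k, leaf, path[:-1]), path[-1])
    return node_hash(path[-1], _root_from_path(m - k, n - k, leaf, path[:-1]))

def verify_inclusion(entry, m, n, path, root) -> bool:
    """Client side: is entry really leaf m of the tree of size n with head root?"""
    if not 0 <= m < n:
        return False
    try:
        return _root_from_path(m, n, leaf_hash(entry), path) == root
    except (ValueError, IndexError):
        return False

def consistency_proof(m: int, entries: list) -> list:
    """PROOF(m, D[n]) from RFC 6962 2.1.2, for 0 < m <= n."""
    return _subproof(m, entries, True)

def _subproof(m, entries, b):
    n = len(entries)
    if m == n:
        return [] if b else [merkle_tree_hash(entries)]
    k = _split(n)
    if m <= k:
        return _subproof(m, entries[:k], b) + [merkle_tree_hash(entries[k:])]
    return _subproof(m - k, entries[k:], False) + [merkle_tree_hash(entries[:k])]

def _roots_from_consistency(m, n, old_root, proof, b):
    # Mirrors _subproof; returns (old root, new root) implied by the proof.
    if m == n:
        if b:
            if proof:
                raise ValueError("proof too long")
            return old_root, old_root
        if len(proof) != 1:
            raise ValueError("proof malformed")
        return proof[0], proof[0]
    k = _split(n)
    sib = proof[-1]
    if m <= k:
        old, new = _roots_from_consistency(m, k, old_root, proof[:-1], b)
        return old, node_hash(new, sib)
    old, new = _roots_from_consistency(m - k, n - k, old_root, proof[:-1], False)
    return node_hash(sib, old), node_hash(sib, new)

def verify_consistency(m, n, old_root, new_root, proof) -> bool:
    """Auditor side: the tree of size m (head old_root) is a prefix of the tree of size n."""
    if not 0 < m <= n:
        return False
    try:
        old, new = _roots_from_consistency(m, n, old_root, proof, True)
    except (ValueError, IndexError):
        return False
    return old == old_root and new == new_root

def monitor_unexpected(entries: list, domain: str, expected_issuer: str) -> list:
    """Monitor side: entries naming our domain but issued by a CA we do not use."""
    hits = []
    for entry in entries:
        fields = dict(f.split("=", 1) for f in entry.decode().split(";"))
        if fields.get("CN") == domain and fields.get("issuer") != expected_issuer:
            hits.append(entry)
    return hits

if __name__ == "__main__":
    head = merkle_tree_hash(ENTRIES)
    print("client :", verify_inclusion(ENTRIES[4], 4, 5, inclusion_path(4, ENTRIES), head))
    old_head = merkle_tree_hash(ENTRIES[:3])
    print("auditor:", verify_consistency(3, 5, old_head, head, consistency_proof(3, ENTRIES)))
    print("monitor:", monitor_unexpected(ENTRIES, "www.example.com", "Example CA"))
```

The consistency check is what stops a log from quietly rewriting history: if an operator replaced an old entry, the auditor's stored tree head from the smaller tree would no longer be reproducible from the proof the log hands out for the larger one. The monitor scan is the site-owner view from the later slides: the rogue-CA entry shows up in the log whether or not the CA meant it to.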
Page 7
Certificate Transparency: how it works (diagram)
Source: http://www.certificate-transparency.org
Page 8
Certificate Transparency: how it works (diagram)
Source: http://www.certificate-transparency.org
Page 9
Certificate Transparency: current state
Google Chrome support (33+): http://www.certificate-transparency.org/certificate-transparency-in-chrome
Google EV cert plan: http://www.certificate-transparency.org/ev-ct-plan
Page 10
Certificate Transparency: current state
Open source code
2 pilot logs
Page 11
Certificate Transparency: protect from what?
Does NOT protect against Heartbleed!
Protects against MITM attacks: warning from the browser; the site owner can watch the logs for certs
Page 12
Certificate transparency and Russian GOST crypto
Russian GOST does not protect against the MITM attack
Algorithm: SHA-256 >>> GOST R 34.11-2012
Key: >>> GOST R 34.10-2012