it:network:applications – Single Key (Symmetric) Encryption (slide transcript)
Single Key (Symmetric) Encryption
◦ One “key” or passphrase is used both to encrypt and to decrypt
◦ FAST – good for large amounts of data
◦ Problem: how do you get the key across the network to the other side?
◦ Ex: AES, DES, DES3

Dual Key (Asymmetric or Public Key) Encryption
◦ Two mathematically related keys
◦ Public key – used to encrypt / verify a signature
◦ Private key – used to decrypt / sign
◦ Slower – not practical for entire files
◦ Ex: RSA, DSA

The server keeps the private key and gives out the public key to anyone.
Want to communicate?
◦ Get the server’s public key
◦ Encrypt my data/request with it
◦ Send it to the server
Only the server has the private key, so only the server can decrypt the request!
A “bad” server could claim to be the web server for my bank:
◦ “Here’s my public key, encrypt your account and send it to me”
How did you know to listen to me on the 1st day?
◦ NWTC said so – you trusted NWTC, so you trusted me
◦ NWTC is the authority we both trust
A certificate is a digital construct (X.509) that contains my public key and other info:
◦ Subject: who owns this key
◦ Valid dates: start and expiry
◦ Issuer of the certificate
◦ etc.
The issuer is someone we both trust:
◦ Browser recognizes the issuer – accepts the cert
◦ Browser doesn’t recognize the issuer – rejects the cert, usually asks the user what to do

Where do certificates come from?
VeriSign, DigiCert, Thawte, GoDaddy, etc.
◦ Pay them and they give you a cert
◦ Usually underwritten by a big bank – TRUST
◦ Recognized by most browsers – good for outside (public-facing) use
Generate your own
◦ e.g., Microsoft Certificate Server (this is what we will do)
◦ e.g., OpenSSL – comes with Linux

Microsoft CA (Certificate Authority)
Issues certificates for you – acts as a Certificate Authority (CA)
Can implement a CA hierarchy
◦ Root server is at the top – issues certs for other CAs
◦ Subordinate CA: gets its cert from a “higher” CA – sort of like being introduced by it; issues certs for “lower” CAs and end servers
Can be Enterprise or Standalone
◦ Enterprise requires a Domain Controller/Active Directory (Domain Member?); can automate the issuing of some certs
◦ Stand-alone can be on any Microsoft Server; you must do the “issuing” yourself
Installation
◦ Add/Remove Windows Components – 2003
◦ Add Role – 2008
Certificate Services mmc – Add “Certificate Authority”
◦ Certificate Templates – used to build rules for auto-issuing of certs by an Enterprise CA
◦ Certificates – used to control certs issued to this entity (user, server, …)
Requesting a certificate for a web site (IIS)
Properties of the specific Web Site > Directory Security > Server Certificate button
◦ Create new certificate
◦ Prepare the request now, but send it later (as opposed to asking an Enterprise CA directly)
◦ Give it a name (this can be anything)
◦ Org and Org Unit – don’t confuse these with LDAP naming
◦ Common Name – must be the fully qualified domain name of the web site (e.g., acct.abccompany.local)
◦ State and City
◦ The request is written to a file: C:\certreq.txt

Submitting and issuing the request on the CA
Right-click on the Server name
◦ All Tasks
◦ Submit New Request
◦ Read the file (certreq.txt); the request shows up in Pending Requests
◦ A REAL CA would look at the request and verify it’s correct – valid machine, paid bill, …
Right-click on the specific pending request
◦ All Tasks
◦ Issue
The certificate moves to Issued Certificates
◦ Right-click and Export Binary Data to a file
◦ IIS Manager expects a file with the .cer extension
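The same root CA → subordinate CA → web-server flow, built with OpenSSL (the Linux option mentioned on the slides) rather than the Microsoft CA, as an added example that is not part of the slides. It assumes the openssl command-line tool is installed; the company and site names (abccompany, acct.abccompany.local) follow the slides’ placeholders and the CA names are invented for the example.

```shell
#!/bin/sh
# Added example: two-tier CA hierarchy with OpenSSL. Assumes the openssl CLI is present.
set -e
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, requests and certs

# Build a root CA, a subordinate CA it introduces, and a web-server cert the subordinate issues.
build_pki() {
  # Root CA: self-signed. This is the anchor both sides trust (the "NWTC" of the analogy).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=abccompany/CN=ABC Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Subordinate CA: its own cert is issued by the root, so the root "introduces" it.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=abccompany/CN=ABC Issuing CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/sub.ext"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/sub.ext" -out "$WORK/sub.pem" 2>/dev/null
  # Web server: the certreq.txt step. The Common Name must be the site's FQDN.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=abccompany/OU=Web/CN=acct.abccompany.local" \
    -keyout "$WORK/server.key" -out "$WORK/certreq.txt" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:acct.abccompany.local\n' > "$WORK/server.ext"
  # "Issue": the subordinate CA signs the pending request.
  openssl x509 -req -in "$WORK/certreq.txt" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
  # Export as binary DER, the .cer form IIS Manager expects.
  openssl x509 -in "$WORK/server.pem" -outform DER -out "$WORK/server.cer"
}

# What a browser does: chain the server cert through the (untrusted) subordinate up to the
# trusted root, then check the cert is valid for the hostname actually being visited.
# Prints "ok" when both checks pass and "fail" otherwise.
verify_chain() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" \
       -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

build_pki
verify_chain acct.abccompany.local   # ok: trusted issuer and matching name
verify_chain www.abccompany.local    # fail: valid chain, but not this site's name
```

A certificate from a CA the verifier does not have in its trust store (drop the -CAfile) fails the same way, which is the "browser doesn't recognize the issuer" case from the slides.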