
Document: Module 8: Protecting Communication Privacy and Data Integrity (pptx)


DOCUMENT INFORMATION

Basic information

Title: Protecting Communication Privacy and Data Integrity
Institution: Microsoft Corporation
Subject: Computer Security / Network Security
Type: Training curriculum
Year published: 2002
Pages: 86
Size: 1.73 MB


Contents

Overview
Lesson: Introduction to Cryptography
Lesson: Working with Digital Certificates
Lab 8.1: Obtaining a Server Certificate
Lesson: Using the Secure Sockets Layer/Transport Layer Security Protocols
Lesson: Using Internet Protocol Security
Review
Lab 8.2: Protecting Communication Privacy and Data Integrity

Module 8: Protecting Communication Privacy and Data Integrity


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Instructor Notes

This module provides students with an overview of cryptography and digital certificates. The module then explains how students can protect data and communications between the Web browser and the Web server. After completing this module, students will be able to protect the portions of a Web application that require private communications through Secure Sockets Layer (SSL) security.

After completing this module, students will be able to:

• Define the basic elements of cryptography.
• Describe the purpose of digital certificates and obtain one through a Certificate Authority (CA).
• Validate user and Web server identity through the use of SSL/Transport Layer Security (TLS).
• Protect communications between Web application resources through the use of Internet Protocol security (IPSec).

To teach this module, you need the following materials:

• Microsoft® PowerPoint® file 2300A_08.ppt
• Hypertext Markup Language (HTML) and Flash animation files 2300A_08_A05_1619.htm and 2300A_08_A05_1619.swf

To prepare for this module:

• Read all of the materials for this module.
• Complete the demonstrations and labs.
• Read Module 5, “Configuring Network Security by Using Public Key Infrastructure,” in Course 2153, Implementing a Microsoft Windows 2000 Network Infrastructure.
• Read Module 6, “Configuring Network Security by Using IPSec,” in Course 2153, Implementing a Microsoft Windows 2000 Network Infrastructure.
• Read Module 5, “Implementing Security on a Web Server,” in Course 2295, Implementing and Supporting Microsoft Internet Information Services 5.0.
• Read the article “Step-by-Step Guide to Internet Protocol Security (IPSec),” which is available at http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
• Read the TechNet article, “Authentication and Encryption,” which is available at http://www.microsoft.com/technet/security/network/authen.asp
• Read the Microsoft MSDN® Magazine article, “Web Security: Putting a Secure Front End on Your COM+ Distributed Applications,” which is available at http://msdn.microsoft.com/msdnmag/issues/0600/
• Read the MSDN article, “The Evolution of Security on the Web: An Introduction to Cryptosystems on the Internet,” which is available at http://msdn.microsoft.com/library/en-us/dnsecure/html/msdn_websec.asp
• Read the VeriSign article, “Implementing Web Site Client Authentication Using Digital IDs,” which is available at http://www.verisign.com/clientauth/kit/details.html
• Read the VeriSign article, “Guide to Securing Your Web Site For Business,” which is available at http://www.verisign.com/resources/gd/secureBusiness/secureBusiness.html


How to Teach This Module

Begin this module with a discussion of the types of attacks that are possible on the communication link between the browser and the Web server.

Lesson: Introduction to Cryptography

It is an interesting sidebar to mention the role that cryptographic code breaking played in World War II. “Enigma,” “Purple,” and “Magic” are the code names of some of the more well-known cryptographic systems. You can find more information about cryptography during wartime by searching for “cryptography World War II” on the Internet.

Mention that symmetric encryption is very fast and that it is the most efficient way to transfer larger quantities of data securely.

By using asymmetric encryption, the recipient of the encrypted data can be assured that the data came from the owner of the public key. Therefore, not only can asymmetric encryption be used to encrypt the data, it also provides a guarantee of the data’s origin.

Note that the key length plays an important role in the strength of the encryption. If the key length is long enough, it is virtually impossible to guess. Storing private keys is the most challenging aspect of encryption. For more information about this topic, direct students to the book, Writing Secure Code, by Michael Howard and David LeBlanc (Redmond: Microsoft Press®), 2002.

An important distinction between encryption and hashing is that encryption scrambles the data such that it can be unscrambled, whereas hashing cannot be reversed.

You can sign data without hashing it to guarantee that the data came from you; however, this would not guarantee that the data was not changed en route to the recipient.

After reviewing the answers to the practice, brainstorm with the students for more scenarios of when cryptography could be used in Web applications.

Lesson: Working with Digital Certificates

Mention briefly that one of the reasons for obtaining a certificate (personal or server) is to use SSL to communicate with a Web server. Students will learn more about the SSL/TLS and IPSec protocols later in this module.

You can do the steps of this practice with the students and show the nwtraders.msft certificate, which is the certificate from the London CA.

Students may ask about the process that is required to become a CA, such as VeriSign. Although anyone who uses Certificate Services can generate certificates, not everyone who generates certificates is a trusted CA. Trust is based on many factors, including the length of time that the CA is in business, the CA’s reputation, and the process that the CA uses to verify those who request certificates.


This animation provides an overview of the process of how certificates are requested and granted from a CA, and then how those certificates are used to communicate securely over SSL. You might consider postponing this animation until the next lesson, which discusses SSL.

Note that the “random bits” referred to in the multimedia are the session key. For certificates to be effective, they must be trusted. Certificate chains enable users to trace a certificate back to the original CA.

If time permits, demonstrate the use of the Certificate Manager tool.

Discuss some of the reasons why a user would want to obtain a personal certificate.

Note

The options for certificate templates offered by the Certificate Request Wizard depend on how you installed the Microsoft Management Console (MMC) Certificates snap-in:

• If you installed the MMC Certificates snap-in to manage certificates for My user account, as directed in the “Practice: Viewing Digital Certificates” topic, you get Authenticated Session, Basic EFS, and User Signature Only templates.
• If you installed the MMC Certificates snap-in to manage certificates for Computer account, you get Computer and IPSEC templates.

You will need to lead this practice and also get a personal certificate; make sure to enter Research for your department, because this field will be used in the client certificate mapping demonstration.

As the students submit their requests for personal certificates, you need to issue the certificates. The issuing of certificates should be done with little explanation and with the screen blanked so that the students do not get confused between the request and issue processes.

To process the certificate requests with Microsoft Certificate Services for Microsoft Windows® 2000:

1. On the Start menu, click Programs, click Administrative Tools, and then click Certification Authority.
   During setup, the instructor computer was set up with Certificate Services and was created as a stand-alone root CA.
2. Expand the nwtraders.msft CA, and then click Pending Requests.
   There will be one certificate request from each student.
3. To accept the request and issue a certificate, right-click the request, click All Tasks, and then click Issue.
   The request is moved from the Pending Requests node to the Issued Certificates node.


Show how the SSL port, 443, is disabled by opening Internet Information Services (IIS) and viewing the Web Site tab for the Mod08 folder of the 2300Demos Web application.

Explain to students that they will obtain a server certificate in the lab; therefore, they can just watch the demonstration now, rather than performing the steps. When processing the certificate request with Certification Services, do not explain what is being done. This step occurs only because you are using Certificate Services in the classroom.

Lab 8.1: Obtaining a Server Certificate

Both the TailspinToys and TailspinToysAdmin Web applications contain Web pages that either request private information from users or deliver private information to users. Before students can turn on SSL for these Web pages, they need to obtain a server certificate for their Web servers.

Students will request the server certificates from the London CA. You will need to approve the requests as they are made by the students.

To issue certificates by using Certificate Services:

After students have submitted their requests for server certificates, you must issue the certificates:

1. On the Start menu, click Programs, click Administrative Tools, and then click Certification Authority.
2. Expand the nwtraders.msft CA, and then click Pending Requests.
   There will be a certificate request from each student.
3. To accept a request and issue a certificate, right-click the request, click All Tasks, and then click Issue.
   The request is moved from the Pending Requests folder to the Issued Certificates folder.

Lesson: Using the Secure Sockets Layer/Transport Layer Security Protocols

Students may have heard of both SSL and TLS. It is important to note that TLS is the most recent version of the protocol and that although SSL is the more commonly referred-to protocol, it is most likely TLS that is being used.

Mention that SSL/TLS are the protocols that enable the secure communications that are described in the animation “Using Digital Certificates.” You might consider showing this animation here instead of in the previous lesson.

Mention the steps that are required before SSL can be enabled in IIS. You will demonstrate the process of enabling SSL in the demonstration that follows this topic.

Show how SSL is enabled in IIS. Discuss the various options that are available for client certificates.


Discuss both the Active Server Pages (ASP) method and the Microsoft ASP.NET method of verifying the authenticity of client certificates.

Before students can view the pages in the practice, you must configure the Mod08 folder of the 2300Demos Web application to require client certificates. After students have accessed the WhoAmI.asp and ReadCertInfo.aspx pages in the Mod08 folder of the 2300Demos Web application on the London computer, examine the source code for the pages in Microsoft Visual Studio® .NET:

1. In Visual Studio .NET, open the WhoAmI.asp page in the Mod08 folder of the 2300Demos project.
2. In Visual Studio .NET, open the ReadCertInfo.aspx page in the Mod08 folder of the 2300Demos project.
   The page displays information from a client certificate by using the HttpClientCertificate object.

Client certificate mapping is a powerful authentication method that allows IIS to perform work on behalf of the client, based on the contents of a client certificate. Emphasize IIS client certificate mapping. Information on Active Directory® directory service mapping is provided for those students that have previous experience with Active Directory.

Demonstrate how to enable many-to-one client certificate mapping in the 2300Demos Web application. Note that client certificate mapping is not used in the labs.

SSL should be used only for those portions of the Web application that require secure communications. There is a performance cost that is associated with using SSL, and care should be taken to ensure that SSL is used only when necessary. Discuss the guidelines for using SSL.

Run this practice as a group brainstorming session where students determine which pages in the TailspinToys and TailspinToysAdmin Web applications should be protected with SSL.

Lesson: Using Internet Protocol Security

Note that although IPSec is not commonly used for securing communications between client computers and Web applications on the IIS Web server, IPSec does have a role in protecting communications between the IIS Web server and the other computers and resources that are on the organization’s network. Briefly discuss the process of implementing IPSec.

Understanding how IPSec and SSL/TLS differ is important when deciding where to apply each protocol. Discuss each difference between IPSec and SSL/TLS.

Lab 8.2: Protecting Communication Privacy and Data Integrity

In Lab 8.2, students will turn on SSL for portions of the TailspinToys and TailspinToysAdmin Web applications.


Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Lab Setup

To complete this lab, the WebUser login and the InternetStoredProcs and IntranetStoredProcs roles must be added to Microsoft SQL Server™ on the Glasgow computer.

Configure SQL Server on the Glasgow computer:

• If you did not perform the “Adding Roles and Logins to SQL Server” demonstration in Module 7, “Securing Microsoft SQL Server,” in Course 2300, Developing Secure Web Applications, you must do it now.

To complete this lab, students can continue working in the Tailspin Toys Visual Studio .NET projects that they used in previous labs, or they can start with new files.

To start with new files, students must complete the following steps.

Create the Web applications for the ASP exercises:

1. Copy all of the contents of the ASP starter folder install_folder\Labfiles\Lab08_2\ASP\Starter\TailspinToys to the TailspinToys IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys
2. Copy all of the contents of the ASP starter folder install_folder\Labfiles\Lab08_2\ASP\Starter\TailspinToysAdmin to the TailspinToys IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin

Create the Web applications for the ASP.NET exercises:

1. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\Lab08_2\ASPXVB\Starter\TailspinToys.NET to the TailspinToys.NET IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys.NET
2. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\Lab08_2\ASPXVB\Starter\TailspinToysAdmin.NET to the TailspinToysAdmin.NET IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin.NET
3. Edit the file c:\Inetpub\wwwroot\TailspinToysAdmin.NET\Web.config and change the <allow roles="London\TailspinAdmins"/> tag to be <allow roles="machineName\TailspinAdmins"/>, where machineName is the name of your computer.


Configure IIS authentication:

1. Run the IIS administrative tool.
2. Expand the computer node and the Default Web Site node in the tree.
3. Right-click the TailspinToysAdmin virtual directory, and then click Properties.
4. Click Directory Security.
5. In the Anonymous access and authentication control group, click Edit.
6. Clear the Anonymous access check box.
7. Click OK twice to save your changes.
8. Right-click the TailspinToysAdmin.NET virtual directory, and then click Properties.
9. Click Directory Security.
10. In the Anonymous access and authentication control group, click Edit.
11. Clear the Anonymous access check box.
12. Click OK twice to save your changes.


Overview

• Introduction to Cryptography
• Working with Digital Certificates
• Using the Secure Sockets Layer/Transport Layer Security Protocols
• Using Internet Protocol Security

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

By using Internet Information Services (IIS), you can validate user and resource identities, as well as protect data and communications between the Web browser and the Web server. The communication link between the browser and the server is susceptible to a number of security-related attacks, including:

• Network monitoring. An attacker can use a network monitoring application or device to observe and read network packets. If the packets are not encrypted, a network-monitoring tool provides a full view of the data that is inside the packet. Such applications and devices are useful for diagnostic purposes, but they can be misused to obtain unauthorized access to data. Network Monitor is an example of a network-monitoring tool.
• Data modification. An attacker can modify a packet in transit and send counterfeit data, which can prevent the receiver from receiving the correct information or can allow the attacker to obtain secure information.
• Passwords. An attacker can use a stolen password or key, or can attempt to decipher the password if it is a simple password.
• Address spoofing. An attacker can use special programs to construct Internet Protocol (IP) packets that appear to originate from valid IP addresses that come from inside the trusted network.
• Man-in-the-middle. An attacker can actively monitor, capture, and control the data that passes between two communicating computers without the knowledge of the affected parties (for example, the attacker can reroute a data exchange).

Note: The code samples in this module are provided in both Microsoft® Visual Basic® .NET and C#.

After completing this module, you will be able to:

• Define the basic elements of cryptography.
• Describe the purpose of digital certificates and obtain one through a Certificate Authority (CA).
• Validate user and Web server identity through the use of Secure Sockets Layer (SSL)/Transport Layer Security (TLS).
• Protect communications between Web application resources through the use of Internet Protocol security (IPSec).

Lesson: Introduction to Cryptography

• What Is Cryptography?
• How Does Symmetric Encryption Work?
• How Does Asymmetric Encryption Work?
• Exchanging and Storing Keys
• Verifying Data Integrity with Hashes
• Using Digital Signatures
• Practice: Using Cryptography

Because cryptography permeates many security-related technologies, a general understanding of what cryptography is and how it works is valuable when developing secure Web applications.

This lesson provides an overview of cryptography, including a description of the functional aspects of, and the differences between, public key cryptography, private key cryptography, hashing (digests), data signing, and digital certificates.

Lesson objectives

After completing this lesson, you will be able to:

• Describe the purpose and uses of cryptography.
• Describe how symmetric (or private key) encryption works.
• Describe how asymmetric (or public key) encryption works.
• Describe how session keys are typically exchanged between users.
• Explain the purpose of hashing and digital signing.

What Is Cryptography?

• Cryptography is the science of protecting data
  ◦ Protects a user's identity or data from being read
  ◦ Protects data from being altered
  ◦ Verifies that data originates from a particular user
• Encryption is the process of scrambling data
• Encryption is only as strong as the key

[Slide diagram: Data, Encryption algorithm, Key]

Cryptography, the practice and study of encryption and decryption, provides the foundation of secure communications in a Web application.

Cryptography is a mathematical science that was originally developed for military communications with the intention of keeping secrets from the enemy in times of war. More recently, cryptography has also been used in the information technology (IT) industry to aid in securely authenticating users on a network, protecting a user's identity, protecting data from being read or altered, or verifying that the data originates from a particular user. Two forms of cryptography are symmetric and asymmetric encryption.

Cryptography is put into practice through the use of encryption, which is the process of scrambling data by applying an algorithm to it. By encrypting data, you can make it difficult and time consuming, if not impossible, for an attacker to decipher the data.

Encryption is often used in the following types of transactions:

How is data encrypted?

An encryption algorithm, also called a cipher, is used with secret data, which is called a key, to encrypt data. The key prevents the message from being decoded, even if the algorithm is publicly known.

However, if the keys are compromised, even the strongest levels of cryptographic algorithms are worthless. For cryptography to work securely, the generation, storage, and exchange of keys must be protected. If the keys are exchanged in plain text, it is easy for an attacker to intercept an e-mail message or other forms of communication to obtain the keys.

Note: For more information about encryption algorithms, see the topic “Supported Algorithms” in the Microsoft MSDN® online documentation.

How Does Symmetric Encryption Work?

• Same encryption algorithm and key are used to both encrypt and decrypt the data
• Fast and efficient
• Difficult to safely exchange keys so they change often

Symmetric encryption algorithms use a single, private key (also called a session key), which is agreed upon by both the sender and the recipient of the data. This key is used to both encrypt and decrypt the data.

Advantages and disadvantage of symmetric encryption

Symmetric encryption is the most commonly used form of encryption because it is very fast and efficient. Symmetric encryption is well suited for performing cryptographic transformations on large streams of data, because it can process the data in a fast and efficient manner.

The disadvantage of using symmetric encryption is that it is difficult to protect keys when they are exchanged between the sender and recipient of the data. Because of this difficulty, session keys are frequently changed, with a different session key created for each message that is encrypted.

How Does Asymmetric Encryption Work?

• Each user has both a private and a public key
• Messages encrypted with the public key can be decrypted only by using the private key
• When messages are encrypted with the private key, anyone with a public key can verify that the owner of the private key sent it
• More secure than symmetric encryption, but not as efficient

[Slide diagram: User A and User B, private key, public key]

Asymmetric (or public key) encryption uses a private key, which must be kept secret from unauthorized users, and a public key, which can be made public to all users.

Both the public key and the private key are mathematically linked. The mathematical complexity of the relationship between the public key and the private key means that, provided that the keys are long enough, it is practically impossible to determine one key from the other.

The following table shows various key sizes, the corresponding number of keys in the keyspace, and the time that it takes to check all of the keys at 1.6 million keys per second and at 10 billion keys per second.

Key size (x) | Number of keys (2^x) | Time to check all keys (at 1.6 million keys per second) | Time to check all keys (at 10 billion keys per second)

Using asymmetric encryption, users can be assured that:

• Messages that are encrypted with the public key can be decrypted only by using the private key.
• When messages are encrypted with the private key, any user with a public key can verify that only the owner of the private key could have sent the message.

Advantages and disadvantages of asymmetric encryption

Asymmetric encryption provides a much higher level of security than symmetric encryption. This higher level of security, however, comes at a performance cost. Asymmetric encryption is not typically used to transmit large streams of data because it is not as fast and efficient as symmetric encryption.

Exchanging and Storing Keys

• Exchanging keys
  ◦ Use asymmetric encryption to transfer a key
  ◦ Use symmetric encryption for the remainder of the session

[Slide diagram: Session key, Private key, Encrypt]

Due to the security issues that are associated with symmetric encryption and the performance issues that are associated with asymmetric encryption, most real-world scenarios use a combination of these two technologies.

Exchanging keys

Asymmetric encryption is often used to transfer a session key between users, thereby taking advantage of the stronger security that is provided by asymmetric encryption. After the session key is transmitted between users, symmetric encryption is then used for the remainder of the session.

Storing keys

The most challenging aspect of cryptography is the secure storage of private keys.

You can store a key in a resource that can be secured through access control lists (ACLs), such as the registry, and then you can define an ACL only on the resource that allows your application to read it. A typical ACL contains only Creator/Owner Full Control and Administrators Full Control.

You can also use the Data Protection API (DPAPI) to store keys. DPAPI relies on two functions, CryptProtectData and CryptUnprotectData, which can be used to produce user-specific or computer-specific encryptions without explicit key management. Only a user with logon credentials matching those credentials of the user that originally encrypted the data can decrypt the data. In addition, decryption usually can only be done on the computer where the data was encrypted. DPAPI is not directly wrapped by managed wrappers, so you must use P/Invoke to call them.

Note: For more information about running managed code in the Microsoft .NET common language runtime, see the MSDN Magazine article, “Migrating Native Code to the .NET CLR,” which is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnmag01/html/com0105.asp

If your process runs as SYSTEM (such as an Active Server Pages (ASP) page), you can store keys in the Local Security Authority (LSA) by using LsaStorePrivateData and LsaRetrievePrivateData. LSA can store only a fixed (small) number of keys, however, so this option should be used carefully. Keys that are protected by LSA can still be viewed by administrators on the computer by using tools such as LSADump2.exe.

Important: Key management is one of the most challenging parts of designing a secure system. Ultimately, the best practice is to avoid storing keys, if at all possible. Storing keys is not covered in this course.

For more information about storing keys, see the Microsoft Press® book, Writing Secure Code, by Michael Howard and David LeBlanc (Redmond: Microsoft Press), 2001.

Verifying Data Integrity with Hashes

[Slide diagram: a hash algorithm is applied to the data to produce a hash value. Data and hash value are sent from User A to User B. If hash values match, data is valid.]

You can use hash values (also called digests) to guarantee the validity of data as it is transmitted over a network or over the Internet, thereby ensuring that the data has not been tampered with.

What is a hash value?

A hash value is a digital fingerprint of data. A hash value is a unique and extremely compact numerical representation of a piece of data. If you hash a paragraph of plain text and change even one letter of the paragraph, a subsequent hash will produce a different value. It is computationally improbable to find two distinct inputs that hash to the same value.

A hash value is derived by applying a mathematical algorithm on arbitrary-length binary data. These mathematical algorithms are called hash functions.

The result is a fixed-length hash value, which is then associated with the original data.

Verifying the validity of data by using hash values

When the hash value and the original data are sent to a recipient, the recipient can verify the validity of the data by applying the same hash algorithm to the data and then comparing the resulting hash value to the hash value that was sent with the data. If the hash values match, the recipient is guaranteed that the data has not been tampered with since it was first sent.

A Web application can hash passwords and store them in a database without the original password. When the user enters his or her password, the application hashes it, and then compares the new hash value with what is saved in the database to determine whether the hash values are the same, thus verifying the password.

Using Digital Signatures

[Figure: User A and User B, steps 1 to 3. Diagram labels: Data, Hash algorithm, Hash value, Private key, Public key. Caption: If hash values match, data came from the owner of the private key and is valid.]

Digital signatures combine hash values with encryption to guarantee the integrity of a message and to authenticate the identity of the sender.

The following steps are completed when data is signed with a digital signature:

1. A hash algorithm is applied to the data to create a hash value.
2. The hash value is encrypted with a user’s private key, thereby creating the digital signature.
3. The digital signature and the data are sent to the recipient.

The following steps are completed when digitally signed data is decrypted:

1. The recipient decrypts the signature by using the sender’s public key and then recovers the hash value.
   If the signature can be decrypted, the recipient is assured that the data came from the sender (or the owner of the private key).
2. The hash algorithm is applied to the data to create a second hash value.
3. The two hash values are compared.
   If the hash values match, the recipient is assured that the data has not been modified.


Practice: Using Cryptography

In the following scenarios, decide what cryptographic function should be used to complete the transaction securely.

1. You receive a user name and password from a user, and then store the password in a database.

   The password should not be kept in clear text anywhere. Store a hash of the password. Then, when you need to validate the password the next time, hash what is entered and compare it with what is stored in the database.

2. You compute an employee's bonus based on his or her salary and the amount of sales that he or she has made for the last year. Then, you store the bonus amount in a database.

   Encrypt the bonus value before storing it in the database.

3. You want to send a file to a user and have the user be sure that the file came from you.

   Sign the file by using a digital signature before sending it.

4. You want to send data to a user and have the user be sure that the file is from you and has not been changed en route.

   Create a hash of the file and sign the hash to send along with the file.

5. You want to send a broadcast message with important data.

   You do not necessarily want to encrypt the message, because in this case, the content is not a secret; however, clients still need to make sure that the message came from the right server and not from an imposter. Therefore, you can just sign the data.
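For scenario 1 and the earlier paragraph on hashing passwords, the sketch below stores a password hash and validates a later login; it is an added example, not the courseware's code. The per-user random salt, PBKDF2-HMAC-SHA256 and the iteration count are assumptions added here (a single unsalted hash of a password can be guessed quickly offline), and the in-memory dict stands in for the database.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; raise it as far as your hardware allows

def hash_password(password, salt=None):
    """Return the record to store: salt, iteration count and derived hash."""
    salt = salt or os.urandom(16)            # fresh random salt per user
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": derived.hex()}

def check_password(password, record):
    """Hash what was entered with the stored salt and compare."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(record["salt"]),
                                  record["iterations"])
    # Constant-time comparison of the two hash values
    return hmac.compare_digest(derived.hex(), record["hash"])

users = {}  # stand-in for the database table; never holds the clear-text password

def register(username, password):
    users[username] = hash_password(password)

def login(username, password):
    record = users.get(username)
    if record is None:
        # Do the same amount of work so unknown user names are not
        # distinguishable by response time.
        hash_password(password)
        return False
    return check_password(password, record)

if __name__ == "__main__":
    register("alice", "correct horse")       # constructed sample credentials
    print(login("alice", "correct horse"))   # True
    print(login("alice", "wrong guess"))     # False
```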


Lesson: Working with Digital Certificates

- What Are Digital Certificates?
- Practice: Viewing Digital Certificates
- What Is a Certificate Authority?
- Multimedia: Using Digital Certificates
- Certificate Chains and Hierarchies
- Certificate Stores
- Obtaining a Personal Certificate
- Instructor-Led Practice: Obtaining a Personal Certificate
- Obtaining a Server Certificate
- Demonstration: Obtaining a Server Certificate

Digital certificates use asymmetric encryption to provide an extra layer of security for your Web applications. In this lesson, you will learn what digital certificates are and how they work.

After completing this lesson, you will be able to:

- Explain the purpose of digital certificates.
- Describe the role of a CA.
- Define certificate chains and hierarchies.
- Define the role of a certificate store.
- Obtain a personal certificate.
- Obtain a server certificate.


What Are Digital Certificates?

[Figure: digital certificate diagram. Surviving labels: "Subject public key information", "Signed hash of the certificate data", "Private key", "Public key". Surviving text fragments: "... are encrypted by using the issuer's private key, resulting in a digital signature" and "... derive the key".]

Asymmetric encryption and the exchange of public keys can be made more secure through the use of digital certificates.

A digital certificate is an item of information that binds the details of an individual or organization to the individual or organization’s public key. Digital certificates can be used to verify the identity of both clients and servers.

A digital certificate is a binary structure that contains information about the holder of a public key. The most common form of certificate is the X.509 certificate, of which there are three versions: 1, 2, and 3. Version 3 X.509 certificates contain, at a minimum, the items that are shown in the following table.

which is represented by using an object identifier (OID)

name

associated with the public key that is held in the certificate), expressed as an X.500 name

Subject public key information: The algorithm that is used to define the public/private key pair (expressed as an OID), and the actual public key data.

Signed hash of the


Some of the common protocols that use digital certificates include:

- SSL/TLS. A protocol that is used for securing a connection between a client application and a server application (such as a Web browser and Web server).
- Secure Multipurpose Internet Mail Extensions (S/MIME). A protocol that is used for sending secure e-mail.
- IPSec. A computer-to-computer protocol that supports privacy, authentication, and data integrity.

Practice: Viewing Digital Certificates

- Students will:
  - View installed digital certificates
- Timing:
  - 5 minutes

In this practice, you will view the digital certificates that are installed on your computer.

Install the Certificates snap-in

1. On the Start menu, click Run.
2. Type mmc and then click OK.
3. In Console1, on the Console menu, click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, click Certificates in the Snap-in list box, and then click Add.
6. In the Certificates snap-in dialog box, click My user account, and then click Finish.
   The Certificates snap-in is added to the list of installed snap-ins in the Add/Remove Snap-in dialog box.
7. Close the Add Standalone Snap-in dialog box, and then in the Add/Remove Snap-in dialog box, click OK.

View certificates on your computer

1. In Microsoft Management Console (MMC), expand the Certificates node, which is under the Console Root node.
2. Expand the Personal node.
   Do you have any personal certificates installed?
   No
3. Expand the Trusted Root Certification Authorities node, and then expand the Certificates node.
   These are the CAs that are trusted by your computer.
   List three of the CAs that are trusted by your computer.
   GTE Cyber Trust Global Root
   http://www.valicert.com/
   VeriSign Trust Network
4. Right-click one of the CA certificates, and then click Open.
   What information are you given about the certificate?
   The purpose of the certificate, the owner of the certificate, the issuing CA, and the valid dates of the certificate.
5. Close Microsoft Management Console without saving changes.

View certificates by using Internet Explorer

1. Run Microsoft Internet Explorer.
2. On the Tools menu, click Internet Options.
3. In the Internet Options dialog box, on the Content tab, click Certificates.
4. Click the Personal tab to view your personal certificates.
5. Click the Trusted Root Certification Authorities tab to view CA certificates.

What Is a Certificate Authority?

- A Certificate Authority issues X.509 certificates by:
  1. Performing background checks to verify the identity of the principal (called a subject)
  2. Creating and signing a certificate by using its private key
  3. Issuing the certificate to the subject
  4. Making the certificate known to all interested users
- Users can decide which Certificate Authorities are trusted and which are not trusted

Digital certificates are issued by Certificate Authorities.

A Certificate Authority is a commonly known, trusted third party that is responsible for verifying both the contents and ownership of a certificate. When a Certificate Authority issues a certificate to a principal, it:

1. Performs background checks to verify that the principal (called a subject) is who they say they are.
   For example, for a user's certificate, this background check might be a simple physical address check or perhaps a simple verification that the Certificate Authority can receive the e-mail that the subject sent during the enrollment process. However, because certificates are often used for important and sensitive tasks, more stringent background checks are advisable.
2. Creates and signs a certificate by using its private key.
3. Issues the certificate to the subject.
4. Makes the certificate known to all interested users. (This step may also be performed by the subject.)


Users can decide which Certificate Authorities are trusted and which are not trusted. This decision is made based on:

- The Certificate Authority that issued the certificate.
  An example of a well-known and trusted Certificate Authority is VeriSign.
- The various checks that the Certificate Authority employs to verify the identities of those who request certificates.
  The checks that a Certificate Authority uses must be publicly divulged so that users can decide the level of trust that they will apply to certificates that are issued by the Certificate Authority.
- The class of certificate, which reflects the level of assurance that is given by the Certificate Authority.
  For example, a certificate for users who just browse the Web requires less verification than a certificate for a business server.

If two entities trust the same Certificate Authority, they can exchange digital certificates to obtain access to each other's public key, and from then onward, the two entities can undertake secure transmissions between each other.


Multimedia: Using Digital Certificates

[Animation: Client, Web Server, and Certificate Authority.]

In this animation, you will see how digital certificates are used to verify the identity of users.

Certificate Chains and Hierarchies

[Figure: certificate hierarchy. Diagram labels: Root CA; Self-signed by Certificate Authority; Extranet CA; Certificates based on differing organizational units, geographical location, or certificate usage.]

Certificates can form chains or hierarchies, with a series of certificates (sometimes called leaf certificates) leading up to the root certificate. The root certificate is the topmost certificate in the hierarchy. The root certificate is called a self-signed certificate because it is issued by the Certificate Authority.

For digital certificates to be effective, users of certificates must have a high level of trust in them. There are cases in which a user does not trust the issuer of a certificate. This could happen if the Certificate Authority is unknown to the certificate user and the certificate user therefore is uncomfortable with accepting a certificate from that issuer. This problem is addressed in the certifying process by a hierarchy of trust.

The concept of a hierarchy of trust is that the trust process must begin with at least one certifying authority that is accepted as trustworthy. This trustworthy authority could be some agency of the federal government, such as the postal service, or a company that everyone agrees is trustworthy. Such an ultimate authority, whatever it is, is called the root authority. The root authority can then certify other Certificate Authorities, called first-tier Certificate Authorities, who can then issue certificates and also certify additional or second-tier Certificate Authorities.
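The signing and verification steps listed under Using Digital Signatures and the hierarchy of trust described above can be exercised together. The following is an added example, not the courseware's code: a certificate is modelled as a dict that binds a subject name to a public key under the issuer's signature, and the verifier walks from the leaf to a root it already trusts. Assumptions: the keys are constructed textbook RSA keys built from Mersenne primes with no padding (illustration only), the host name is made up, and revocation is checked by subject name where a real CRL lists serial numbers.

```python
import hashlib
import json

def make_key(p, q, e=65537):
    """Constructed textbook-RSA key (no padding): illustration only."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def hash_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, key):
    # Signing steps 1 and 2: hash the data, then apply the private key to the hash.
    return pow(hash_int(data), key["d"], key["n"])

def verify(data, signature, n, e):
    # Recipient steps 1 to 3: recover the hash with the public key, re-hash, compare.
    return pow(signature, e, n) == hash_int(data)

def signed_fields(cert):
    """Serialize the fields that the issuer's signature covers."""
    return json.dumps({k: cert[k] for k in ("subject", "issuer", "n", "e")},
                      sort_keys=True).encode()

def issue(subject, subject_key, issuer, issuer_key):
    """Bind a subject name to a public key and sign the binding as the issuer."""
    cert = {"subject": subject, "issuer": issuer,
            "n": subject_key["n"], "e": subject_key["e"]}
    cert["signature"] = sign(signed_fields(cert), issuer_key)
    return cert

def validate_chain(leaf, store, trusted_roots, revoked=()):
    """Follow issuer links from the leaf up to a root that is already trusted."""
    known = {c["subject"]: c for c in list(store) + list(trusted_roots)}
    path, cert = [], leaf
    while len(path) < 8:                      # bound the walk; rejects loops
        if cert["subject"] in revoked:        # stand-in for a CRL lookup
            raise ValueError("revoked: " + cert["subject"])
        self_signed = cert["issuer"] == cert["subject"]
        issuer = cert if self_signed else known.get(cert["issuer"])
        if issuer is None:
            raise ValueError("unknown issuer: " + cert["issuer"])
        if not verify(signed_fields(cert), cert["signature"],
                      issuer["n"], issuer["e"]):
            raise ValueError("bad signature on: " + cert["subject"])
        path.append(cert["subject"])
        if self_signed:
            if cert not in trusted_roots:     # self-signed alone proves nothing
                raise ValueError("untrusted root: " + cert["subject"])
            return path
        cert = issuer
    raise ValueError("chain too long")

def check(leaf, store, trusted_roots, revoked=()):
    """Return the validated path, or the reason the chain was rejected."""
    try:
        return validate_chain(leaf, store, trusted_roots, revoked)
    except ValueError as err:
        return str(err)

def mersenne(k):
    return 2 ** k - 1   # prime for the exponents used below

# Constructed keys and certificates; the CA names follow the slide's diagram.
root_key = make_key(mersenne(521), mersenne(607))
ca_key = make_key(mersenne(1279), mersenne(2203))
server_key = make_key(mersenne(2281), mersenne(3217))
root_cert = issue("Root CA", root_key, "Root CA", root_key)   # self-signed
ca_cert = issue("Extranet CA", ca_key, "Root CA", root_key)
server_cert = issue("www.example.test", server_key, "Extranet CA", ca_key)

if __name__ == "__main__":
    print(check(server_cert, [ca_cert], [root_cert]))
    print(check(dict(server_cert, subject="other.example.test"), [ca_cert], [root_cert]))
    print(check(server_cert, [ca_cert, root_cert], []))
    print(check(server_cert, [ca_cert], [root_cert], revoked={"Extranet CA"}))
```

Production code should rely on the platform's X.509 path validation and a padded signature scheme rather than on a model like this one.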


Certificate Stores

- Contains certificates, CRLs, and CTLs

Both client and server certificates are stored in a certificate store that can be accessed by the process in which a Web application runs.

A certificate store is a permanent storage location, such as a disk file or the system registry. Certificate stores can also be created and opened in system memory. A memory store provides temporary certificate storage that can be used when working with certificates that do not need to be stored permanently.

A certificate store contains the following information:

- The certificates.
- Certificate Revocation List (CRL). The CRL is a document, maintained and published by a Certificate Authority, that lists certificates issued by the Certificate Authority that are no longer valid.
- Certificate trust list (CTL). The CTL is a predefined list of items that have been signed by a trusted entity. All of the items in the list are authenticated and approved by the signing entity.

A system store is a collection of stores that consists of one or more predefined physical sibling stores, including the following:

- The My store contains a user's certificates. The My store can be located at any one of many different physical locations, including in the registry on a local or remote computer, on a disk file, in a database, in a directory service, on a smart card, or in another location. Although any certificate can be stored in the My store, this store should be reserved for a user's personal certificates, which are those certificates that are used for signing and decrypting that user's messages.

  Client applications, such as Internet Explorer, normally use the current user's My store, whereas servers, such as IIS, use the local computer system’s My store.


- Trust (or Other). The Trust store contains the certificates for people that you trust, such as those individuals that you commonly send information to or receive information from. After a certificate is placed in the Trust store, you will no longer be prompted to trust (or not trust) this individual.

- Root. Certificates for trusted certificate issuers are typically kept in the ROOT store, which is currently persisted to a registry subkey. The ROOT store is protected, and users should place only trusted certificates in that store.

  In enterprise network situations, certificates may be copied by a system administrator from the domain controller computer to the ROOT stores that are on the client computers. This copying process provides all of the members of a domain with similar trust lists.

- The CA store contains certificates of the Certificate Authorities that you trust to issue certificates. You need to have the Certificate Authority's certificate to establish a chain so that you can trust certificates from that Certificate Authority.

In addition to these predefined stores, user-defined stores may also be used to store certificate information.

The Certificate Manager tool (Certmgr.exe) manages certificates, CTLs, and CRLs in a certificate store. By using this tool, you can remove unnecessary certificates that accumulate in a store over a period of time, add new certificates, or save a certificate to a file so that it can be transferred to another computer.

You can use the Certificate Manager tool to:

- Display certificates, CTLs, and CRLs on the console.
- Add certificates, CTLs, and CRLs to a certificate store.
- Delete certificates, CTLs, and CRLs from a certificate store.
- Save a certificate, CTL, or CRL from a certificate store to a file.

The Certificate Manager tool is provided with the Microsoft .NET Framework.


Obtaining a Personal Certificate

- Why use personal certificates?
  - Send personal e-mail messages that are encrypted for security or digitally signed to prove authenticity
  - Verify that the message has not been altered during transit and that the message came from you
- How to obtain a personal certificate:
  - Using the Certificate Request Wizard
  - Certificate Creation tool (Makecert.exe) generates certificates for testing purposes only

You can purchase a personal certificate from a commercial Certificate Authority, such as VeriSign, to send personal e-mail messages. These e-mail messages are then encrypted for security, or digitally signed to prove authenticity or to identify yourself to a Web application.

After you purchase a certificate and you use it to digitally sign an e-mail message, the message recipient can verify that the message has not been altered during transit and that the message came from you, assuming that the message recipient trusts the Certificate Authority that issued your certificate.

When you encrypt an e-mail message, no one can read the message while it is in transit, and only the message recipient can decrypt and read the message.

If you visit a Web application that requests certificates, your certificate is automatically used to identify who you are, and it provides information about you (such as your name) to the Web application.

There are two types of Certificate Authorities: enterprise and stand-alone. Both types of Certificate Authorities have public Web sites where you apply for a personal certificate. An enterprise Certificate Authority can also use the Active Directory® directory service that is in an organization, and that will issue personal certificates for use within that organization. For this type of Certificate Authority, the Certificate Request Wizard is provided.

To obtain a personal certificate from a Certificate Authority's Web site:

1. Go to the Web site of the Certificate Authority.
2. Fill out a request for a personal certificate.
3. Return to the Web site after the certificate has been issued, and then install the certificate.


To obtain a personal certificate by using the Certificate Request Wizard:

1. In the MMC/Certificates viewer application, expand the Console Root node, and then expand the Certificates folders.
2. Right-click the Personal folder, point to All Tasks, and then click Request New Certificate.
3. The Certificate Request Wizard steps you through the process of requesting a certificate, as shown in the following table.

Page | Description
Certificate Template | The wizard provides three certificate templates: Authenticated Session, Basic EFS, and User Signature Only. The Advanced options check box instructs the wizard to prompt you for additional options during the certificate request process. Click Authenticated Session, select the Advanced options check box, and then click Next.
Cryptographic Service Provider | Displays the list of Cryptographic Service Providers (CSPs) from which you can choose. The CSP generates the public/private key pairs by using a variety of encryption algorithms. (This page appears only when Advanced options is selected.)
Certificate Authority | Specifies the Certificate Authority to which the certificate request is sent. (This page appears only when Advanced options is selected.)
Certificate Friendly Name and Description | Specifies the display name and description of the certificate.
Completing the Certificate Request Wizard | Click Finish to complete the request.

The Certificate Creation tool (Makecert.exe) is one of the tools in the .NET Framework Software Development Kit (SDK). The Certificate Creation tool generates certificates for testing purposes only, and it creates a public/private key pair for digital signatures and stores the pair in a certificate file. This tool also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair.

The Certificate Creation tool is provided with the .NET Framework.


Instructor-Led Practice: Obtaining a Personal Certificate

- Students will:
  - Obtain a personal certificate
- Timing:
  - 5 minutes

In this practice, you will obtain a personal certificate from the instructor's certificate server.

Request a personal certificate

1. In Internet Explorer, browse to the http://London/certsrv Web site.
2. Fill in the pages of the wizard with the information that is shown in the following table.

Welcome | Click Request a certificate, and then click Next.
Choose Request Type | Click Web Browser Certificate in the User certificate request list box, and then click Next.
Web Browser Certificate - Identifying Information | Type your name, your e-mail address, Tailspin Toys as your company, Research for your department, and your city, state, and country information, and then click Submit.
Certificate Pending | With the London Certificate Authority, you must wait until the instructor issues the certificate before you can install it.


Install the new certificate

1. In Internet Explorer, return to the http://London/certsrv Web site to retrieve the issued certificate.
2. On the Welcome page, click Check on a pending certificate, and then click Next.
3. On the Check On A Pending Certificate Request page, select the request that you made, and then click Next.
4. On the Certificate Issued page, click Install this certificate.
5. When prompted, add the nwtraders.msft certificate to the Root store. This is the Certificate Authority's certificate.
   The certificate is now installed.
6. Open Internet Explorer.
7. On the Tools menu, click Internet Options.
8. In the Internet Options dialog box, on the Content tab, click Certificates.
9. Click the Personal tab, and then double-click your personal certificate to view the certificate.
   What is the purpose of this certificate?
   This certificate will be used to prove your identity to a remote computer.
10. Close the certificate.
11. Click the Trusted Root Certification Authorities tab, and then click the nwtraders.msft certificate to view the Certificate Authority certificate that issued your certificate.
    What is the purpose of this certificate?
    This certificate will be used in all issuance policies and all application policies.
12. Close the certificate.
13. Close the Certificates dialog box, and then close the Internet Options dialog box.

Obtaining a Server Certificate

- To obtain a server certificate:
  1. Create a server certificate request by using the Web Server Certificate Wizard
  2. Connect to the CA and submit the request
  3. When the certificate is issued, return to the CA Web site to obtain the certificate
  4. Install the certificate by using the Web Server Certificate Wizard
- Using the SSL port 443

A server certificate is installed on the Web server. A server certificate encrypts the messages that are sent to browsers and decrypts the messages that are received from browsers.

To obtain a server certificate, you submit a Certificate Signing Request (CSR) to the Web site of a Certificate Authority. The Certificate Authority verifies that your company is valid and then issues you a server certificate. You then install the server certificate on your Web server.

Note: Any user who wants to use your secure Web server should also install the root certificate from the Certificate Authority on his or her browser. If the certificate is not installed, the user will see a security dialog box that states that the certificate is not trusted.

Posted: 24/01/2014, 10:20
