You should understand the importance of asymmetric cryptography and how it differs from symmetric cryptography. Today we'll explore PKI and digital certificates and what role they play in our everyday lives.

Public Key Infrastructure (PKI)

When your airline checks your passport, why do they believe you are who you claim to be? Because your passport was issued by an entity deemed to be trustworthy, the government. This analogy helps us understand how these entities work together.

When you saw a Man-In-The-Middle attack in class earlier, how was that possible? Using public and private keys is a good first step, but those are only associated with an identity. Maybe my identity is Matt Damon, which might cause headaches for him or people trying to securely communicate with him! Ideally, we'd like the trust to extend to actual people themselves. How do we do this? Again, how does the government verify you are who you think you are?

Similar to producing government issued identification, a birth certificate, and Social Security card, there are steps to be followed in order to obtain a digital certificate. This whole system is predicated on a system of trust. The Public Key Infrastructure system exists because of the Trusted Third-Party (TTP) system. These TTP are the equivalent of the government in our airline analogy. Because people trust them, the system works. To date, there has not been a serious breach of trust, but it is still run by humans.

Authorities

• Certificate Authority - A trusted authority that certifies identities and creates electronic documents indicating that individuals are who they say they are. A CA is made up of software, hardware, procedures, policies, and the people who are involved in validating identities and generating certificates.

• Registration Authority - The PKI component that accepts a request for a digital certificate and performs the necessary steps of registering and authenticating the person requesting the certificate. The authentication requirements differ depending on the type of certificate requested. There are three classes of certificates.
  • Class 1: Used to verify an individual's identity through e-mail. With a Class 1 certificate, a person can encrypt and digitally sign message contents.
  • Class 2: This certificate is used for software signing. This provides integrity for the software after it is developed and released. The user can verify the source of the software.
  • Class 3: This class of certificate can be used by a company to set up its own CA, which will allow it to generate and issue certificates internally.

X.509 Digital Certificate

Version number Serial number Signature algorithm Issuer Validity Subject Public Key Certificate usage Extensions

First, we will explore a well known certificate. Use your browser to navigate to Navy Federal . In the URL bar, you should see the green lock icon . Click on the lock icon and then click on the link for Certificate Information. This will now bring up a window that displays information about Navy Federal's digital certificate. To view the fields mentioned above, click on the Details tab at the top of the window. Now you can answer questions about the site, such as

• Who granted this digital certificate to http://www.navyfcu.org?
• How long is this particular certificate valid for?
• What algorithm is used for the signature?
• Many more!

Now we can compare this information to a certificate issued to the Naval Academy. Navigate to the MIDS website here. What are the major differences between the two certificates? For many years, the Navy's digital certificates did not allow a secure lock icon to be shown in browsers because the Certificate Authority was not recognized by the other organizations, such as Verisign. This appears to be rectified now, but you will still occassionally run into untrusted certificates at websites. If any of the fields in the X.509 format appear suspect, such as the validity date range, the issuer, etc. then the browser will not trust the certificate.

Now, download this unknown certificate here into your bin folder within the OpenSSL directory. Using the previous two certificates as examples, examine the certificate using the following command.

openssl x509 -text -in ra37891_cert.pem

This assumes the certificate will be in .pem format. Does this appear to be a valid certificate?

Your Personal Certificates

• https://www.portal.navy.mil
• https://mypay.dfas.mil

1. Insert your CAC card in the card reader slot on your laptop.
2. Right click on the ActiveCard icon in the lower right portion of your screen and select Open.
3. Click on Certificates and then you should see your three certificates. Right click on each one and select View to see what information that certificate stores.

How it Works

1. Alice sends Bob a message and it includes her digital certificate.

2. Bob validates the digital certificate using the public key of the Certificate Authority which confirms the message came from a trusted third party.

3. Bob extracts Alice's public key.

4. Bob uses Alice's public key for encryption purposes to communicate securely with her.

Role Playing

1. Start by opening a command prompt and navigating to the bin folder within the OpenSSL directory.

2. You need to come up with a hypothetical company domain, such as 12thCoRulz.com.

3. Now you'll need to generate a public/private key pair.

   openssl genrsa -des3 -out m15xxxx.key 1024

   In this command, the generated keypair will be in the file m15xxxx.key.

4. Next, you need to create a Certificate Signing Request (CSR). This CSR is what is sent to the CA, who will generate a certificate for the key (usually after verifying identity information first). Use the following command to generate your CSR. Use your domain name as the common name, such as 12thCoRulz.com.

   openssl req -new -key m15xxxx.key -out m15xxxx.csr -config openssl.cfg

5. Now, the CSR needs to have a CA's signature in order to form a certificate. Similar to the real world, you will upload your CSR and we will sign it. Use the following form to upload your CSR.
   Choose a file to upload:
   

6. Download the signed certificate.

7. Now we'll need to put the certificate in the proper format. Use the following commands.

   copy m15xxxx.key m15xxxx.pem
type m15xxxx.crt >> m15xxxx.pem

   Now we can start a small (very small!) web server that is included as part of the openssl tool.

   openssl s_server -cert m15xxxx.pem -www

8. Now use your browser to navigate to https://127.0.0.1:4433
   This is the loopback IP address, and the web server is listening on port 4433. You should see a warning that this certificate is not trusted, but you have the option to proceed.

9. You've just gone through the process of creating your very own digital certificate to use on a website!

Navy PKI

NMCI has deployed SmartCard readers to end users and requires a Class 3 DoD PKI certificate to access NMCI services and resources. Separate from NMCI, SIPRnet (Secret Internet Protocol Router Network) also requires a DoD Class 3 PKI certificate to provide data separation, message integrity, and non-repudiation within a closed network and does not utilize the CAC token.