HTTPS certificate WIKI

Operation

The principle of operation of digital certificates is based on the encryption of information and trust. For this, there are two encryption methods:

Symmetric keys

This method is the easiest to understand: if Anne (A) wants to send an encrypted message to Bob (B) it shall disclose a password (key). As the encryption algorithm is symmetric, we have the following relation: Ciphertext = Encryption (key, text)

  Cles symetriques.png

And Anne can also decrypt a message from Bob with the same key. But you must first find a safe way to transmit the key to prying eyes. However, the situation can become complex, so Anne must send an encrypted message to Bob and Charlie, but she does not want to give the same key to Charlie. The more people, the more difficult it is to manage symmetric keys. Especially since he must first find a safe way to transmit the key to prying eyes.

Asymmetric keys

Ownership of asymmetric algorithms is that a message encrypted with a public key is readable only by the owner of the private key corresponding. Conversely, a message encrypted by theprivate key will be readable by anyone with the public key . And with his private key, Anne:

  • sign posts.
  • read (decrypt) messages sent to him.
Asymmetry - signature vs chiffrement.png

Certificate

A digital certificate is a data set containing:
  • at least a public key;
  • credentials, such as: names, location, emails;
  • at least one sign , when in fact there is only one, the signing entity is a single authority which she can lend confidence (or not) the accuracy of the certificate.
 
Certificate électronique.svg

Keyserver

Certificates are stored by key servers , which can also act as registration authority and certification (item A). They identify and control certificates. They often have a list (item B) of revoked certificates.

Description of key certificates

Electronic certificates of compliance with standards specifying their content rigorously. The two formats most used today are:
  • X.509 several RFCs define the properties and uses [citation needed] ;
  • OpenPGP , defined in RFC 4880 1 .
The significant difference between these two formats is an X509 certificate may contain only one identifier, this identifier must contain many predefined fields and can be signed by one CA.OpenPGP certificate can contain multiple identifiers, which allow flexibility in their content, and may be signed by a multitude of other OpenPGP certificates. Which then allows to build webs of trust . Electronic certificates and their life cycles (see Certificate Revocation List , Verification Protocol online certificate ) are managed within of public key infrastructures .

Use of certificates

Information systems security

Electronic certificates can be used in various applications in the context of information systems security to ensure that:
  • the non-repudiation and integrity of data with digital signature or electronic signature (Advanced)
  • the confidentiality of data through encryption ;
  • the authentication or strong authentication of an individual or identity non-physical (Web Server - SSL , Computer - 802.1x, VPN IPSEC - SSH - SSL , Code Mobile , electronic documents).

Interoperability

In some cases, the certificate may be associated with the element " ID "of metadata records (10 th element in Dublin Core ) for interoperability 2 .

Certificates and Internet navigation

Certificates are widely used on e-commerce sites, webmail or other sensitive sites (banks, taxes, etc.). Several levels of encryption available and several associated features make the understanding of complex certificates.

X.509 standard

The certificates are classics that have existed for several years. Encryption between 40 bits and 256 bits. This is due in part to the ability of browsers and legislation. Generally, publishing companies offer certificates 40 bit or 128 bit secured.

Extended X.509 certificates

These are the certificates that are supported in modern browsers and enable display a green background (indicating a trusted site warranty). The EV abbreviation stands for "Extended Validation".

X.509 certificates omnidomaines

Omnidomaine a certificate or "wildcard" can make some generic domain name certified:
* . societe.fr → www.societe.fr, toto.societe.fr, titi.societe.fr (but not "societe.fr" nor "www.toto.societe.fr." See RFC 2818 3 )

X.509 multi

These certificates contain a list of names. This solution is based on the field subjectAltName . In the case of web servers, these certificates are useful for providing several HTTPS sites on a single IP address. Indeed, HTTPS, certificate exchange is done before the client browser has sent the domain of interest. However, if the certificate provided by the server does not contain the name requested by the client, it will trigger a security alert. See Server Name Indication for an alternative technique.

OpenPGP certificates

While the first websites "secure" could only use certificates X.509 , operation of RFC 6091 4 now allows certificates OpenPGP to make HTTPS .

Certificates and emails

The use certificates to encrypt or sign emails is done using the standard S / MIME allows cryptographic encapsulation of data in the format MIME emails. When a user is certified, an icon will usually know: Certificate mail.jpg Their use is controversial because the signature is added as an additional element to the content of the email. Therefore, the use of certificates of mailing lists may result in the invalidation of the signature, because of changes made by the engine contractor list. In addition, many online messaging (or "webmail") and mail clients do not support S / MIME, which sometimes disrupts users seeing an attachment "smime.p7m" appear in their messages. In the context of online messaging, an additional issue is involved, the confidence in the operator. In fact, using the certificate on a webmail necessarily implies that the service provider shares the secret elements of the certificate (and private key password), otherwise it can not make the signing, or encryption. And this implies that it should also provide a cryptographic engine.