Digital Certificates: Chain of Trust

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

we're now going to talk about a term called the chain of trust as it applies to SSL Certificates and to start their discussion we'll revisit our look at our root certificate authorities root CA now root CA s their certificates have to be kept behind numerous layers of security because the private keys of root certificates are we have to make sure that they're absolutely inaccessible if the private keys are compromised in all the certificates based on a root CA are compromised as well so we often use a stand-in for root certificate or proxy something called an intermediate CA so these are entities or organizations that can issue certificates and whose certificate themselves is signed by root CA so let's suppose we look at our organization NSCC CA it can now make a certificate signing request to an intermediate CA so we'll just call this I ca now what happens when an I ca can actually issue actually a chain of certificates to an SEC so we'll get our SSL certificate and certificate will be signed by the ica but we'll also get another certificate we'll get an ICA certificate that is from that company itself that is also signed by a CA so now we have a chain of certificates so we go from the ssl certificate for NSE CCA that was issued by the intermediate CA and that was signed by a CA that all browsers have in their list so this is called a chain of certificates or a certificate gene or sometimes called the chain of trust because what we're proving is we're proving that this certificate is trusted in that a browser can trust that this is the organization nscc CA an intermediate CA is verifying that any certificate authority a root certificate authority is a validating of VI CA so we have that chain that a browser needs to check we'll take a look at how this works so if we were going to a certain site for instance if you go and you try to access HTTPS google.com what you'll see is you'll see that you'll get a little locked symbol in the browser window and if you click on it you can see some information about the certificate chain so what you'll first see is that you'll see this right here this is the SSL certificate and that SSL certificate was issued by Google's intermediate CA and if we looked in our keychain we would find that if I look for Google here we'll find we have no entry for Google in our keychain that our browser is going to use to verify so our browser certainly cannot verify that but because of the chain of trust the root CA is actually GeoTrust global GeoTrust global CA and if we look in our browser we can see right here that that that is listed and we can validate that certificate so let's look at a little more detail this chain and Trust and show how it works so let's suppose we have our organizer web site NSCC CA and it wants an ssl certificate so it's going to make a CSR certificate signing request and it can make that to an intermediate CA and let's suppose we go to Google CA which is an intermediate CA now what was set up before was that GeoTrust has already validated Google's intermediate CA it trusts it and it has ensured by some process that Google is trustworthy and it has authorized Google CA to issue certificates on its behalf so what Google CA does is Google CA well issue an SSL certificate and it will of course have information about nscc there it will list Google CA as being the intermediate CA and of course all the certificate information it is going to make a hash of it and it is going to sign that certificate with the private key of Google and go all this together it is part of the SSL cert that is sent to n SEC so that will be sent back but what else is sent back because browsers can validate the browser's don't have the Google intermediate CA in their store another certificate is also sent along and this is their certificate from Google that will allow people to browsers to validate the certificate will show how that works so this is the certificate it is Google's intermediate ICA certificate it is going to be digitally signed by geo trusts so that informations on the certificate now what comes in a certificate is an all certificates contain the public key for the entity that the certificate is from so this is going to have the public key of Google that intermediate CA up in here will have the public key of NSCC because the certificate up top is going to be used for secure communications with NSC C so we have all this information here we're going to make a hash or a checksum of it and this is all going to be digitally signed so Google's intermediate certificate is all going to be digitally signed by the private key of GeoTrust and these two certificates are sent to NSCC dots CA and they're installed in the NECC web server now when a browser hits the NSCC website and when it requests an HTTP or an encrypted type of communication path what happens is both certificates get sent back to the browser now the very first thing that has to happen is that if it looks at this certificate here it will be able to verify because this browser has the certificates for all route CAS because this is a root CA it'll be able to unencrypted it'll have the public key in the key chain in the certificate that it keeps it has the public key of all root CA so we can unencrypted this hash and it can see that this certificate or that the Google intermediate certificate is trusted by the root certificate so it says ah okay well if the root certificate rest' all root certificates all routes CAS that are in my list and we looked at the keychain it had a list of all root CAS because it cannot encrypt this it says ah I trust anything that this root CA trusts well the root CA have signed this certificate from Google the intermediate CA so it automatically trust that and it gets the public key from Google now it looks at the SSL certificate that comes back from an SCC it uses the public key down here to decrypt this hash it checks that the certificate was not altered and it says ah okay well Google has signed this SSL certificate since I trust a private CA GeoTrust and since GeoTrust trust Google and Google trust this certificate therefore this browser accepts the certificate from NECC and it gets the public key from nscc it generates a symmetric key and it encrypts that key with the public key that it got from nscc and it sends that key over to the webserver now this is the NSCC webserver which has a private key it keeps it it keeps secure so it unencrypted and gets the same symmetric key encryption key and both ends now use this symmetric encryption key to exchange information in the rest of their session so whether it's they're doing a credit card sale or whatever the rest of the communication path will use this this system so this system here is how a chain of trust is established sometimes we call this a hierarchical article chain of certificates and you can follow that chain in most browsers have as we've seen earlier now we'll look at a recent article of what can happen if the chain of trust has been compromised and there was a article recently about Google who banned sorry who banned a China's root certificate authority see CNNIC after some type of security breach now CNNIC was the root certificate authority and it used a company called NCS holdings as an intermediate certificate authority and what happened is some of the certificates that MCs holdings were generating they weren't doing proper authorization on so there was some problem with that MCS should not be had issued certificates the way they were so the problem wasn't with the root CA it was with the intermediate CA but the way that Google can control that is simply to remove CNNIC it can remove the root certificate listing from its browser access for instance if we look in the keychain here we'll see that that CNNIC is not listed now that may simply be because we're in North America not to China certificate a root certificate but if I try to access any website that CNNIC is the root certificate in the chain of trust my browser will kick up something saying that's an untrusted site so if CA or an intermediate CA has done something they shouldn't have and if some of the browser's think it's worthy enough they may remove a root CA from the list of their trusted CAS and so that browser will pop up a message to user saying it's an untrusted site now not all browsers will every browser has their own system of how they store root certificates and so Google and Mozilla in this case I had banned it but Microsoft had not banned I think Microsoft had a way of looking to end just banning MCs holding certificates and I'm not quite sure how that messed worked but you can find that this trust can be compromised and that browsers and companies do have some alternatives to this sort of unrecognized a root CA so that they no longer are have the right to issue trusted certificates as far as that browsers concerned so that was an overview of chain of trust and how how certificates an intermediate certificate authorities work how that chain of trust is established and how browsers validate whether a certificate an SSL certificate from an entity should be trusted

Info

Channel: Dave Crabbe

Views: 246,077

Rating: undefined out of 5

Keywords:

Id: heacxYUnFHA

Channel Id: undefined

Length: 16min 41sec (1001 seconds)

Published: Mon May 01 2017