What are certificates?

Video Statistics and Information

Captions
In this video from ITFreeTraining, I will look at what is a certificate. Certificates are used for security and identification, but how do they work? This video looks at what is a certificate and how they are used to secure communication and prove identity.

First of all, what is a certificate? A certificate is simply a file or an electronic document that contains data fields. If you were to compare a digital certificate with a traditional physical certificate, you will notice some similarities. As shown in the traditional certificate, you can see who has issued the certificate, in this case ITFreeTraining. If you had a certificate from an organization like a university, the certificate would have this printed on it so you know who issued it. An electronic certificate is issued from an authority as well. By looking at the data inside the certificate, it can easily be determined which authority it was issued from.

The next question is, would you trust this authority? By doing a quick search on the internet, you may find many websites that will take your money and give you a certificate showing you have a PhD. An employer should not trust these certificates. If an employer was given a certificate that came from an educational institution like Harvard University, they would have good reason to trust this certificate. This is because in order for a person to obtain a certificate from Harvard University, they would have needed to complete all the necessary steps in order to achieve this. Electronic certificates work off the same principle of trust: do you trust the person that issued the digital certificate, like you would a physical certificate? If a certificate said that it was issued by Microsoft, would you trust this certificate? If a certificate came from a website that you had never heard of before, would you be so quick to trust it? As we will see later in the video, certificates use a trust model in order for the end user to know where the certificate has come from and whether it is genuine or not.

The next point of interest is who the certificate was issued to. The certificate shown here was issued to John Doe. Like a physical certificate, an electronic certificate is issued to someone or something. For example, an electronic certificate could be issued to a user, computer, device or web page. By using this information, the electronic certificate can be checked to see if the user, computer, device or web page should be using that certificate. Just like a physical certificate, the name on the certificate can be checked to make sure that the person using it is the same person. If the name does not match, this means that someone is using a certificate they are not supposed to be, and thus the certificate is rejected.

Some physical certificates have expiry dates. For example, certain IT certifications will expire after a certain date unless you pass additional exams. In this case, the example physical certificate has an expiry date. Electronic certificates also have an expiry date associated with them. Once this date is reached, the certificate can no longer be used.

A common piece of data contained in an electronic certificate that is not contained in a physical certificate is the public key. The public key allows data to be encrypted that can only be decrypted using the private key. For example, if you had a certificate from Microsoft.com, you could use this certificate to encrypt data so that only people at Microsoft could decrypt it.

The next part of the electronic certificate is the digital signature. This is like the wax seal on a physical certificate. Just like the wax seal, the digital signature proves the certificate came from a trusted source and is not a fake. The digital signature also provides an additional feature in that it provides a checksum-like function to the digital certificate; that is, it can be used to check if the certificate has been altered. This is some of the data that is contained in a certificate. Other data also exists, like the algorithms and key sizes used.

To understand how certificates work, it helps to have a closer look at the digital signature in the certificate. The first point to understand with a digital signature is the hash value. The hash value is a value that represents the certificate. The hash is calculated by putting the certificate through a mathematical function to produce a value. A simple hash function would be to add each byte in the file together to obtain a single number. Of course, the hash function used in certificates is more complex than this. The hash value is then put through a mathematical function using the private key to generate a digital signature. This digital signature is then added to the certificate.

Now that the digital signature has been added to the certificate, it can be used later to check that the certificate has not been altered or damaged. To check the certificate, the digital signature is put through a mathematical function using the public key. The result of this should be the original hash value. If this value is not obtained, the person knows the certificate is corrupt or has been tampered with. The hash function is a one-way process, which means you cannot use the hash value to generate the original certificate. This essentially means that even though the private key is used in the process, it is not possible to use the digital signature to obtain the private key.

So what exactly does the digital signature do? First, it provides a method for checking the identity. For example, if you had a certificate that was issued to itfreetraining.com, the name of the website could be included as a field in the certificate. When the certificate is downloaded to a client computer, the client computer checks the name on the certificate to see if it matches the website that they are trying to access. If it does, the certificate will be used. You can see that if another website also obtained this certificate and attempted to use it, the certificate would be rejected, as the name in the certificate and website do not match.

Remember that a certificate is essentially a file with data in it, so it is an easy process to change the name in the certificate. If this were to occur and an attempt was made to change the certificate, the digital signature would come into play. Notice that when a modified certificate is used, the digital signature will not match the data in the certificate and the certificate will be rejected. This is how a certificate can be used to prove identity and how they protect themselves from being tampered with.

The next question that arises is, if you were given a digital certificate, would you trust this certificate? Certificates work off a trust model. To illustrate this, consider an example that occurs often in the real world. In this example, let's say you have the company Microsoft. Microsoft makes operating systems, as we know, and you want to buy a laptop that will work with Windows 8. In order to do this, you find a laptop and see that the laptop has a sticker on it saying "Windows 8 compatible". Even though the laptop is not made by Microsoft, you can be assured that because it has this sticker, Windows 8 will work on this laptop. So what has happened here? You are trusting that the manufacturer of the laptop has put the sticker on the laptop because their laptop works with Windows 8. You are trusting Microsoft that they would not allow a sticker like this to be put on a laptop that would not run Windows 8. Thus you can see how one trusts the other, and the person who purchases the laptop must trust both.

So how does this all relate to certificates? Certificates use the same type of trust model. At the top you have a certificate authority. In this example I will use the certificate authority Verisign. Verisign has been around a long time and is well trusted on the Internet. An authority's job is to issue certificates. These certificates can be used for users, computers, devices and web pages. Let's say ITFreeTraining wants to get a certificate for their web page. To do this, they obtain a certificate from Verisign, which would allow a visitor to the ITFreeTraining website to use encryption like SSL.

Before Verisign could issue a certificate to ITFreeTraining, a number of checks are performed. These checks include checking who registered the domain name and a number of checks on the business. This helps prevent certificates being issued to individuals who want to use the certificates for illegal activities. For example, if someone attempted to obtain a certificate for M1crosoft.com (notice that the "i" has been changed to a 1), this would be denied. What this essentially means is that if you use a certificate from Verisign, you can be assured that a number of checks have been performed before the certificate was issued. It is possible for a certificate to be issued to a company that is doing the wrong thing, but at least you can be assured that some checks have been performed to determine that they are a valid company.

The next question is, what happens when a user connects to the ITFreeTraining website and obtains the certificate? How does it know it is valid and from Verisign, and why would it trust and thus use this certificate? By default, a number of certificates are installed on the client computer when the operating system is installed. These include a Verisign certificate. Since the certificate is installed locally in the OS, the OS will trust any certificates issued from Verisign. When the certificate is downloaded from ITFreeTraining, the digital signature is used in the certificate to determine a number of different things: first, that the certificate has not been tampered with and the website matches the website in the certificate. Using the local certificate installed in the OS, Windows can check the certificate obtained from ITFreeTraining to see if it is in fact a Verisign certificate.

You can start to see how the certificate trust model works. The computer must trust the certificate authority that the certificate came from, just like you would trust an organization like Harvard University. If you were given a certificate with the Harvard University logo on it, would you trust it? Also consider that if you were an employer that had never heard of Harvard University, would you trust a certificate from an educational institution that you had never heard of before? Certificates work the same way: you need to trust who issued the certificate in order to start using it.

When you are surfing on the Internet, you may be presented with the following screen. This is essentially telling you that you visited a website that Windows does not trust. This essentially means no certificate is installed locally on the computer or the site has not been placed in an exception list. What this essentially means from a user's perspective is that Windows has not been configured to trust certificates from this source. In this case, the user can take the risk and accept the certificate and hope for the best, or not open the website.

Although certificate authorities like Verisign are trusted by Windows by default, you may want to use your own certificate authority. Besides having complete control over the certificate authority, certificates from companies like Verisign do cost money. If you have your own certificate authority, you can issue as many certificates as you wish at no cost besides the cost for the operating system and hardware to run it on.

When deploying a certificate infrastructure, this will often be done at a number of different levels. At the top you have the root CA. The root CA will issue certificates to the subordinate or second-level certificate authorities. Often what will happen after the root CA has issued certificates to the second-level authorities is that the root CA will be taken offline. Since the root CA holds the private key that effectively is the key to the entire certification infrastructure, this should be protected. In some cases a company will install the root CA on removable media. Once the root CA is not needed anymore, the removable media is placed in a safe until it is needed again. The second-level CAs are free to issue certificates without the root CA, so the system will work fine even though the root CA is offline. Having the root CA offline helps keep it secure.

The second-level CA will often issue certificates to users and computers. For example, a certificate may be issued to a user so their identity can be checked when using a VPN connection. It is also possible to have additional levels of certificate authorities if your organization requires it.

In this example, let us consider what happens when a computer attempts to connect to a web server. The certificate for that website will be downloaded to the client, but will the client trust that certificate? In order for the certificate to automatically be trusted, a certificate from the root CA needs to be installed locally on the client computer. Once this certificate is installed on the computer, the computer will trust any certificate automatically that comes from any certificate authority in this hierarchy. It is kind of like the old saying, "any friend of yours is a friend of mine". If the root CA is trusted by the client, then the child CAs will be trusted automatically.

I hope this video has given you a good understanding of how certificates can check identity, check for corruption and modification, and lastly how they work with a trust model. Thanks for watching this video from ITFreeTraining. See you next time.
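Added example, not part of the video or its captions: the issue-and-check flow described above, where the CA hashes the certificate's fields and signs the hash with its private key, and the client recovers the hash with the CA's public key before checking the name, the expiry date and whether the issuer is in its local trust store. It swaps in unpadded textbook RSA with constructed toy keys in place of a real X.509 library, and every name, field and date in it is an assumption.

```python
import hashlib
import json

# Constructed CA key pair: textbook RSA (no padding) over two well-known
# Mersenne primes. Illustration only; this modulus protects nothing.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
CA_PUBLIC = (E, P * Q)
CA_PRIVATE = (pow(E, -1, (P - 1) * (Q - 1)), P * Q)


def digest(fields):
    """Hash value that represents the certificate's data fields."""
    blob = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")


def issue(fields, ca_private):
    """CA side: put the hash through the private-key function."""
    d, n = ca_private
    return {"fields": fields, "signature": pow(digest(fields), d, n)}


def check(cert, site, today, trust_store):
    """Client side: trusted issuer, intact data, matching name, not expired."""
    fields = cert["fields"]
    ca_public = trust_store.get(fields["issuer"])
    if ca_public is None:
        return "rejected: issuer not in local trust store"
    e, n = ca_public
    if pow(cert["signature"], e, n) != digest(fields):
        return "rejected: signature does not match the data"
    if fields["issued_to"] != site:
        return "rejected: name does not match the website"
    if today > fields["expires"]:  # ISO dates compare correctly as strings
        return "rejected: expired"
    return "accepted"


# Constructed sample data (hypothetical CA name, site names and dates).
TRUST_STORE = {"Example Root CA": CA_PUBLIC}
CERT = issue({"issuer": "Example Root CA", "issued_to": "shop.example.test",
              "expires": "2030-01-01", "public_key": "<site public key>"}, CA_PRIVATE)
ALTERED = dict(CERT, fields=dict(CERT["fields"], issued_to="shop.examp1e.test"))

if __name__ == "__main__":
    print(check(CERT, "shop.example.test", "2025-06-01", TRUST_STORE))
    print(check(CERT, "bank.example.test", "2025-06-01", TRUST_STORE))
    print(check(ALTERED, "shop.examp1e.test", "2025-06-01", TRUST_STORE))
    print(check(CERT, "shop.example.test", "2031-01-01", TRUST_STORE))
    print(check(CERT, "shop.example.test", "2025-06-01", {}))
```

The third call is the altered-name case: the name now matches the site being visited, but the signature still corresponds to the original fields, so the certificate is rejected.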
Info
Channel: itfreetraining
Views: 686,632
Rating: 4.8796315 out of 5
Keywords: Certificates, Digital Signatures, ITFreeTraining, Public Key Certificate, Microsoft Windows (Operating System), Windows Server (Operating System), Information Security (Conference Subject)
Id: LRMBZhdFjDI
Length: 15min 10sec (910 seconds)
Published: Tue Jun 18 2013