PKI

Andrew Nash

Mentioned 3

Mentioned in questions and answers.

Since SSL is the backbone of the secure internet (now technically called TLS), what are some good books I should read up on to understand all aspects of it?

I suppose I'll need to learn some math, some PKI books, crypto, and Sysadmin books as well. Since that isn't a complete list I'm interested in hearing what you think is wise to learn as well.

As far as cryptography goes, this is the best there is:

Applied Cryptography: Protocols, Algorithms, and Source Code in C

You will learn all there is from the basic building blocks upwards.

I am working on a .NET project that needs two-way HTTPS authentication based on certificates, i.e., the client needs to associate requests with its own certificate and the HTTPS server can authenticate the client based on the certificate. I figured out the rough workflow but am not sure if it is the right way to do it:

On the client side:

    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create("a request uri");
    // cert is a X509Certificate2 instance from certStore or a cert file
    request.ClientCertificates.Add(cert);

On the server side:

    // req is the HttpListenerRequest instance
    // GetClientCertificate() has to be called before ClientCertificateError is read
    X509Certificate2 clientCert = req.GetClientCertificate();
    if (clientCert != null && req.ClientCertificateError == 0)
    {
        // Validate client certificate
    }

My questions are:

1) Is this the right way to do it?

2) On the server side, once it gets the client certificate associated with the request, what does it do to validate the certificate? Assume we can install the same client certificate on the server.

I am new to the security stuff. Really appreciate it if anyone could help with the questions or point me to useful documents.

The answer depends on how you issue client certificates. Yesterday I described the procedure of validation in another question. The procedure is quite complicated, but depending on how the client certificates are issued, you can simplify it.

I don't think you will want your visitors to buy certificates just to log in to your server. This means that you need to issue certificates for the clients yourself. And if you issue these certificates, you can simply put them in the database and, when the client connects, check if your clientCert is in the database.

Note that besides the certificates themselves you would like to keep revocation info in the DB in order to let the users know what happened with their certificate if it's no longer valid.

The procedure of certificate generation is quite a complex topic. I suggest that you read some books on PKI before you proceed. Here are the great books I'd recommend:

  1. RSA Security's Official Guide to Cryptography
  2. PKI: Implementing & Managing E-Security

I am tired of buying SSL certificates for my clients. We spend thousand dollars per month on average. Can someone please show me how to start my own certificate authority (not the self-signed certificate)? This SSL is for IIS.

It seemed like IIS can issue self-signed certificates and OpenSSL can do the same thing, and I do not want it unless it can provide a full SSL like Verisign and other big companies.

If you want to roll your own certificate authority (say, for a closed in-company infrastructure), you start by (surprise, surprise) creating a self-signed certificate, which will act as a root CA certificate. Then you generate the first child certificate - the intermediate CA certificate. Now put the private key of the root certificate in a safe place - most likely you will not need it for years. The intermediate CA certificate is used to issue end-user (or other sub-CA) certificates.

If you want your certificates to be recognized by standard browsers and other client software, you need to find a way to get your public root certificate onto the list of trusted roots in the OS itself and in those browsers and clients, if they have their own certificate stores. This is a complicated procedure, different for each OS and each browser. It involves repeated audits, compliance with tough procedures, etc.

Again, if you create certificates for internal company use only, you can make a software installer (or just write a custom script or application) that will add your certificate to the trusted root list on each user's computer. This can be done in code almost without problems, but the user will have to (a) run that script or program, and (b) confirm addition of the certificate. For some browsers or other client applications the procedure can be more complicated.

The procedure of creating a CA is quite a complex topic. I suggest that you read some books on PKI before you proceed. Here are the great books I'd recommend:

  1. RSA Security's Official Guide to Cryptography
  2. PKI: Implementing & Managing E-Security
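
The root, intermediate and end-entity hierarchy described in the answer above, sketched with the openssl command line as an added example (not part of the original answer). The CA names, the host name `intranet.example.test`, the key sizes and the lifetimes are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: two-tier private CA (root -> intermediate -> server certificate).
# All names (Example Root CA, intranet.example.test) are constructed placeholders.
set -eu

build_chain() (   # subshell body, so the caller's working directory is unchanged
  mkdir -p "$1"
  cd "$1"
  # Own config, so the result does not depend on the system-wide openssl.cnf.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[int_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.test
EOF
  # -nodes leaves keys unencrypted to keep the demo non-interactive;
  # protect real CA keys with a passphrase or an HSM.
  # 1. Self-signed root (the trust anchor); its key goes offline after step 2.
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 -config ca.cnf \
    -subj "/CN=Example Root CA" -extensions root_ext -keyout root.key -out root.crt
  # 2. Intermediate CA, signed by the root; pathlen:0 forbids further sub-CAs.
  openssl req -new -newkey rsa:3072 -nodes -config ca.cnf \
    -subj "/CN=Example Issuing CA" -keyout int.key -out int.csr
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -sha256 -days 1825 -extfile ca.cnf -extensions int_ext -out int.crt
  # 3. End-entity (server) certificate, signed by the intermediate only.
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=intranet.example.test" -keyout leaf.key -out leaf.csr
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -sha256 -days 397 -extfile ca.cnf -extensions leaf_ext -out leaf.crt
)

verify_chain() {  # succeeds only if leaf.crt chains through int.crt to root.crt
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt"
}
# Usage: build_chain ./demo-ca && verify_chain ./demo-ca
```

Clients only need `root.crt` in their trusted root list; the server presents `leaf.crt` together with `int.crt` so the chain can be built.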