
I would appreciate help with these 4 questions. Thank You.

1) Explain what the following are: root certificates, self-signed certificates. Describe how they are used. Provide some examples of each explaining how they are used. You should be able to find examples of each on your system by looking through various options available on your browser.

2) Provide a listing of the fields associated with a certificate of your choosing. Use the X509 definition to match the general fields of a certificate with the certificate you choose to look at. Describe each field.

3) Your manager is considering implementing a PKI infrastructure. They are considering using RSA encryption technology for the central part of their infrastructure. Your manager would like to know some products or services that utilize RSA encryption technology. Provide three examples and explain how they make use of the RSA encryption technology. Provide a few original sentences describing each of your examples.

4) Compare the functionality offered by the RSA and Diffie-Hellman algorithms.

Solution

A root SSL certificate is a certificate issued by a trusted certificate authority (CA). In the SSL system, anyone can generate a signing key and sign a new certificate with that signature. However, that certificate isn't considered valid unless it has been directly or indirectly signed by a trusted CA. A trusted certificate authority is an entity that has been entitled to verify that someone is effectively who it declares to be. In order for this model to work, all the participants in the game must agree on a set of CAs that they trust. All operating systems and most web browsers ship with a set of trusted CAs.

The SSL system is based on a model of trust relationships, also called a “chain of trust”. When a device validates a certificate, it compares the certificate issuer with the list of trusted CAs. If a match isn't found, the client will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on until the end of the certificate chain. The top of the chain, the root certificate, must be issued by a trusted Certificate Authority.

Self-signed certificates or certificates issued by private CAs aren't appropriate for use with the general public. A certificate serves two essential purposes: distributing the public key and verifying the identity of the server so visitors know they aren’t sending their information to the wrong person. It can only properly verify the identity of the server when it is signed by a trusted third party, because any attacker can create a self-signed certificate and launch a man-in-the-middle attack. If a user just accepts a self-signed certificate, an attacker could eavesdrop on all the traffic or try to set up an imitation server to phish additional information out of the user. Because of this, you will almost never want to use a self-signed certificate on a server that requires anonymous visitors to connect to your site. In these cases, you really need to lay down a few bucks on a trusted certificate. However, self-signed certificates can have their place:

An intranet. When clients only have to go through a local intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.

A development server. There is no need to spend extra cash buying a trusted certificate when you are just developing or testing an application.

Personal sites with few visitors. If you have a small personal site that transfers non-critical information, there is very little incentive for someone to attack the connections.

To program Windows Communication Foundation (WCF) security, X.509 digital certificates are commonly used to authenticate clients and servers, encrypt, and digitally sign messages. This topic briefly explains X.509 digital certificate features and how to use them in WCF, and includes links to topics that explain these concepts further or that show how to accomplish common tasks using WCF and certificates.

In brief, a digital certificate is a part of a public key infrastructure (PKI), which is a system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction through the use of public key cryptography. A certification authority issues certificates and each certificate has a set of fields that contain data, such as subject, validity date, issuer and a public key. In WCF, each of these properties is processed as a Claim, and each claim is further divided into two types: identity and right. For more information about X.509 certificates, see X.509 Public Key Certificates. For more information about Claims and Authorization in WCF, see Managing Claims and Authorization with the Identity Model. For more information about implementing a PKI, see Windows Server 2008 R2 - Certificate Services.

A primary function of the certificate is to authenticate the identity of the owner of the certificate to others. A certificate contains the public key of the owner, while the owner retains the private key. The public key can be used to encrypt messages sent to the owner of the certificate. Only the owner has access to the private key, so only the owner can decrypt those messages.

Certificates must be issued by a certification authority, which is often a third-party issuer of certificates. On a Windows domain, a certification authority is included that can be used to issue certificates to computers on the domain.

PKI (public key infrastructure)

A public key infrastructure (PKI) supports the distribution and identification of public encryption keys, enabling users and computers to both securely exchange data over networks such as the Internet and verify the identity of the other party.

Without PKI, sensitive information can still be encrypted (ensuring confidentiality) and exchanged, but there would be no assurance of the identity (authentication) of the other party. Any form of sensitive data exchanged over the Internet is reliant on PKI for security.

Elements of PKI

A typical PKI consists of hardware, software, policies and standards to manage the creation, administration, distribution and revocation of keys and digital certificates. Digital certificates are at the heart of PKI as they affirm the identity of the certificate subject and bind that identity to the public key contained in the certificate.

A typical PKI includes the following key elements:

A trusted party, called a certificate authority (CA), acts as the root of trust and provides services that authenticate the identity of individuals, computers and other entities

A registration authority, often called a subordinate CA, certified by a root CA to issue certificates for specific uses permitted by the root

A certificate database, which stores certificate requests and issues and revokes certificates

A certificate store, which resides on a local computer as a place to store issued certificates and private keys

A CA issues digital certificates to entities and individuals after verifying their identity. It signs these certificates using its private key; its public key is made available to all interested parties in a self-signed CA certificate. CAs use this trusted root certificate to create a "chain of trust" -- many root certificates are embedded in Web browsers so they have built-in trust of those CAs. Web servers, email clients, smartphones and many other types of hardware and software also support PKI and contain trusted root certificates from the major CAs.

Along with an entity’s or individual’s public key, digital certificates contain information about the algorithm used to create the signature, the person or entity identified, the digital signature of the CA that verified the subject data and issued the certificate, the purpose of the public key encryption, signature and certificate signing, as well as a date range during which the certificate can be considered valid.

Problems with PKI

PKI provides a chain of trust, so that identities on a network can be verified. However, like any chain, a PKI is only as strong as its weakest link. There are various standards that cover aspects of PKI -- such as the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC2527) -- but there is no predominant governing body enforcing these standards. Although a CA is often referred to as a “trusted third party,” shortcomings in the security procedures of various CAs in recent years have jeopardized trust in the entire PKI on which the Internet depends. If one CA is compromised, the security of the entire PKI is at risk. For example, in 2011, Web browser vendors were forced to blacklist all certificates issued by the Dutch CA DigiNotar after more than 500 fake certificates were discovered.

Diffie-Hellman is an anonymous key exchange. RSA is an integrity key exchange. RSA confirms the server knows the private exponent to a public exponent/modulus. Diffie-Hellman requires the exchange of two clear text keys, a prime number and a generator. Each server generates a random number, calculates (G^random number) mod P and exchanges the answer to that. Then they calculate (other computer's answer ^ My Random Number) mod P. This answer will be the same on both computers. Very simple.

With RSA, two numbers are exchanged, an exponent (generally 65537 is chosen) and a modulus. The server's exponent (the private exponent; the calculation for this exponent is a function of two primes and the public exponent, and the modulus is always prime1 * prime2) is hidden (they share the modulus). The client simply sends (Data ^ exponent) mod modulus = cipher message. On the server side, data can be recovered by data mod modulus.

With Ephemeral Diffie-Hellman, the server's exchanged key is signed by RSA (see SHA-256/PKCS5Padding/Cipher Block Chaining) and sent over the wire in plaintext. This guarantees that the server owns the Private Exponent: (Message ^ Private Exponent) mod P, which can then be decrypted by (Cipher Message ^ Public Exponent) mod P, run against the same algorithm, and compared in plain text on the client side. By utilizing Ephemeral Diffie-Hellman, you maintain the benefit of Anonymous Key Exchange while preventing man-in-the-middle attacks.

Tutor: Dr Jack
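
The RSA-signed ephemeral Diffie-Hellman exchange described in the solution above, as an added example that is not part of the original answer. The parameters (`P`, `G`, the two RSA primes), the function names and the tampered value are assumptions constructed for illustration; the RSA here is unpadded textbook RSA with toy-sized numbers, not a production scheme.

```python
import hashlib
import secrets

# Toy parameters (assumptions for illustration, far too small for real use).
P = 2**127 - 1                        # DH prime modulus (a Mersenne prime)
G = 3                                 # DH generator
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1   # RSA primes: modulus = prime1 * prime2
N = RSA_P * RSA_Q
E = 65537                             # public exponent
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))   # private exponent, server only

def dh_keypair():
    """Pick a random number and compute (G ^ random number) mod P."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)

def dh_shared(their_public, my_private):
    """(other side's answer ^ my random number) mod P."""
    return pow(their_public, my_private, P)

def digest(value):
    """SHA-256 of a DH public value, reduced into the RSA modulus."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % N

def rsa_sign(value):
    """Server: (digest ^ private exponent) mod N. Textbook RSA, no padding."""
    return pow(digest(value), D, N)

def rsa_verify(value, signature):
    """Client: (signature ^ public exponent) mod N must equal the digest."""
    return pow(signature, E, N) == digest(value)

def handshake(tamper=False):
    """Return (signature_accepted, secrets_match) for one signed exchange."""
    srv_priv, srv_pub = dh_keypair()
    cli_priv, cli_pub = dh_keypair()
    signature = rsa_sign(srv_pub)
    received = srv_pub
    if tamper:                        # value altered in transit (constructed)
        received = (srv_pub + 1) % P
    accepted = rsa_verify(received, signature)
    match = dh_shared(received, cli_priv) == dh_shared(cli_pub, srv_priv)
    return accepted, match
```

`handshake()` returns `(True, True)`: the signature checks out and both sides derive the same secret. With `tamper=True` the client's signature check fails, which is the point at which it should abort instead of deriving a key from the altered value.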