
Wong Tuck Wah Independent Security Professional, CISSP

Date post: 19-Jan-2016
Description: Think your network is safe using the default protocols? Think again. (PowerPoint presentation)
Transcript
Page 1: Wong Tuck Wah Independent Security Professional, CISSP

Wong Tuck Wah
Independent Security Professional, CISSP

Think your network is safe using the default protocols?

Think again

Page 2

What is the 1st thing you will do when you reach office?

Go Toilet

Check Email

Go Pantry

Tea Break

Internet Surfing

Call Girlfriend

Meeting

Gossip

Networking

Summon into boss room

Face Politics

Take a Nap

Tidy Desktop

Cosmetics Patchup

Read Newspaper

Staring at Ceiling

Feed the Fishes

Tune in to 90.5FM

Charge Battery

Shake Legs

Starts Working

Page 3

Diagram: Popeye is sending a mail to Olive, without encryption.

Labels: Web Server, Olive, Popeye, Bluto, Protocol Analyzer

Without Encryption

Page 4

Objectives

What Is a Certificate?

Usage of Certificates

Public Key Infrastructure

What Is a Certificate Authority?

Selection of CA

CA Hierarchy

Certificate Enrolment Process

Conclusions

Page 5

What Is a Certificate?

Verifies the identity of a user, computer, or program

Contains information about the issuer and the subject

Is signed by a CA

Page 6

Usage of Certificates

Smart Card Logon

Software Code Signing

IP Security

Encrypting File System

Secure E-mail

Internet Authentication

802.1x

Software Restriction Policy

Digital Signatures

Page 7

Public Key Infrastructure

Certificate Template

Digital Certificate

Certificate Revocation List

Public Key-Enabled Applications and Services

Certificate and CRL Distribution Points

Certificate and CA Management Tools

Certification Authority

Page 8

What Is a Certificate Authority?

Verifies the identity of a certificate requestor

Issues certificates

Manages certificate revocation

Page 9

Selection of CA

Self-Hosted Root vs Commercial Root CA

Reputation

Cost

Flexibility

Expertise

Page 10

Selection of CA

Stand-Alone CA                                            Enterprise CA

1. Typically used for offline CAs                         1. Typically used to issue certificates

2. AD is optional                                         2. AD is mandatory

3. Web-based enrolment only                               3. Web-based and MMC enrolment

4. Certificate requests issued or denied by a             4. Certificate requests issued or denied based on
   certificate manager                                       the certificate template

Page 11

CA Hierarchy

Root CA: stand-alone and kept offline

Policy CA

Issuing CA
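The following is an added example, not part of the slides or the presenter's material, showing in Go (standard library crypto/x509 only) what the "What Is a Certificate?", "CA Hierarchy" and enrolment slides describe together: a self-signed Root CA that signs a Policy CA, which signs an Issuing CA, which enrols an end-entity certificate from a CSR; then a relying party validates the leaf's signatures back to the root it trusts. The names "Root CA", "Policy CA", "Issuing CA" and "mail.example.test" are constructed for the example, as are the lifetimes and serial numbers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is the slides' three-tier hierarchy (Root -> Policy -> Issuing) plus
// one end-entity certificate enrolled at the Issuing CA.
type Chain struct {
	Root, Policy, Issuing, Leaf *x509.Certificate
}

// LeafName is a constructed server name for the end-entity certificate.
const LeafName = "mail.example.test"

// must keeps the setup readable: any failure in this offline example is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// caTemplate describes a CA certificate: the CA flag plus the certSign and
// cRLSign key usages are what let it issue and revoke certificates below it.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// sign has the parent sign template over pub (parent == template gives a
// self-signed root) and parses the result so Subject and Issuer are readable.
func sign(template, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// BuildChain sets up the hierarchy, then enrols a leaf through a CSR: the same
// request-then-issue round trip the enrolment slides draw.
func BuildChain() *Chain {
	rootKey, policyKey, issuingKey, leafKey := newKey(), newKey(), newKey(), newKey()
	rootT := caTemplate("Root CA", 1)
	root := sign(rootT, rootT, &rootKey.PublicKey, rootKey) // self-signed: the offline trust anchor
	policy := sign(caTemplate("Policy CA", 2), root, &policyKey.PublicKey, rootKey)
	issuing := sign(caTemplate("Issuing CA", 3), policy, &issuingKey.PublicKey, policyKey)

	// Enrolment: the requester signs a CSR with its own private key ...
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: LeafName}, DNSNames: []string{LeafName},
	}, leafKey))
	csr := must(x509.ParseCertificateRequest(csrDER))
	// ... and the CA verifies that signature (proof of key possession) before issuing.
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	leafT := &x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return &Chain{Root: root, Policy: policy, Issuing: issuing,
		Leaf: sign(leafT, issuing, csr.PublicKey, issuingKey)}
}

// VerifyLeaf does what a relying party (Olive's mail client, say) does: follow the
// signatures from the leaf up to a root it already trusts, using whichever
// intermediates it was handed. It returns the validated chain, leaf first, root last.
func VerifyLeaf(leaf, trustedRoot *x509.Certificate, intermediates ...*x509.Certificate) ([]*x509.Certificate, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: LeafName})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

func main() {
	ours := BuildChain()
	chain, err := VerifyLeaf(ours.Leaf, ours.Root, ours.Policy, ours.Issuing)
	fmt.Println("full chain:", len(chain), "certificates, error:", err)
	_, err = VerifyLeaf(ours.Leaf, ours.Root) // intermediates withheld
	fmt.Println("without intermediates:", err)
	theirs := BuildChain() // a second hierarchy our root never signed (Bluto's, in the slides' cast)
	_, err = VerifyLeaf(theirs.Leaf, ours.Root, theirs.Policy, theirs.Issuing)
	fmt.Println("leaf under a root we do not trust:", err)
}
```

Two of the three checks in main are the failure modes worth remembering: a leaf whose intermediates were not supplied does not validate even though every signature is genuine, and a leaf from a perfectly well-formed hierarchy still fails when its root is not in the relying party's trust store, which is what keeps a third party from minting acceptable certificates of their own.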

Page 12

Credit Card Enrolment Process

Diagram labels: Shop, Bank, Customers Data, Revocation Data, Transaction using credit, Enrolment

Page 13

Certificate Enrolment Process

Diagram (credit card analogy): Shop, Bank, Customers Data, Revocation Data, Transaction using credit, Enrolment

Diagram (certificate case): Server, CA, Certificate Data, Revocation List, Transaction using certificate, Enrolment

Page 14

Diagram: Popeye is sending a mail to Olive, with encryption.

Labels: Web Server, Olive, Popeye, Bluto, Protocol Analyzer

With Encryption

Page 15

Source: IDA

Page 16

Conclusions

Internet Protocols are NOT secured by design

Contents are usually transmitted in CLEAR text

Certificates can be used to alleviate the situation

Page 17

Source: Cufa Grad Forum

