WEBVTT

00:00.000 --> 00:02.550
>> Building on our
last two lessons,

00:02.550 --> 00:05.325
we said that before bank
provides online banking,

00:05.325 --> 00:07.140
it goes to a
certificate authority

00:07.140 --> 00:09.660
and it obtains a
digital certificate.

00:09.660 --> 00:12.540
Then the bank installs
that certificate on

00:12.540 --> 00:13.950
its web server so that when

00:13.950 --> 00:15.944
a client requests a
secure connection,

00:15.944 --> 00:18.600
the bank provides
that certificate.

00:18.600 --> 00:20.700
Let's talk about certificates

00:20.700 --> 00:22.514
>> a little bit more in depth.

00:22.514 --> 00:25.335
>> But first, I want
to talk about driving,

00:25.335 --> 00:28.545
and you'll see the parallels
in just a few minutes.

00:28.545 --> 00:32.055
Maybe you've had this experience
or maybe you haven't.

00:32.055 --> 00:34.275
But if you have what
we call lead fight,

00:34.275 --> 00:36.930
you may have been pulled
over for speeding before,

00:36.930 --> 00:38.690
and you know that
when an officer

00:38.690 --> 00:39.995
pulls you over for speeding,

00:39.995 --> 00:41.090
he'll typically ask you for

00:41.090 --> 00:43.960
your driver's license
and registration.

00:43.960 --> 00:46.220
While you are looking
for those things,

00:46.220 --> 00:48.065
he will probably
ask you your name.

00:48.065 --> 00:49.610
Now, wouldn't you agree

00:49.610 --> 00:50.870
that the name you
should give should

00:50.870 --> 00:52.010
probably match the name that

00:52.010 --> 00:53.915
appears on your
driver's license?

00:53.915 --> 00:57.185
Otherwise, you might have
a problem on your hands.

00:57.185 --> 00:59.720
The next thing he
would likely check is

00:59.720 --> 01:01.955
that the license is not expired,

01:01.955 --> 01:05.225
and then the next thing he
checks for is the class.

01:05.225 --> 01:07.100
This is an indication
on the type of

01:07.100 --> 01:09.515
vehicle you are
authorized to drive.

01:09.515 --> 01:12.500
Then he's likely to check
the serial number on

01:12.500 --> 01:14.090
your license so that way he can

01:14.090 --> 01:16.730
look it up and make
sure it's not revoked.

01:16.730 --> 01:19.370
The reason he knows
what information

01:19.370 --> 01:20.960
he can find on the
driver's license

01:20.960 --> 01:22.120
and where it will be is that

01:22.120 --> 01:24.815
the driver's licenses
are standardize,

01:24.815 --> 01:27.440
that way regardless of
what state you are in,

01:27.440 --> 01:29.195
the license should
be accepted and

01:29.195 --> 01:32.045
understood anywhere
in the United States.

01:32.045 --> 01:34.640
Then the last thing the
officer might do is

01:34.640 --> 01:36.980
tilt the license back and
forth in the sunlight.

01:36.980 --> 01:39.300
Why does he do that? Well,

01:39.300 --> 01:42.225
he does that so you can see
the hologram or watermark.

01:42.225 --> 01:44.165
That tells him that
the license was

01:44.165 --> 01:46.220
issued by a trusted authority,

01:46.220 --> 01:47.840
and if it doesn't have that,

01:47.840 --> 01:50.465
it's a strong indication
that it's counterfeit.

01:50.465 --> 01:52.280
If there is no way
to be sure it was

01:52.280 --> 01:53.660
issued by a trusted authority,

01:53.660 --> 01:56.855
then nothing on that
license really matters.

01:56.855 --> 02:01.620
This is exactly the way
certificates work in the PKI.

02:01.780 --> 02:04.190
Then the folks at
Bank of America

02:04.190 --> 02:05.300
go get a certificate from

02:05.300 --> 02:08.405
Verisign or whoever is their
certificate authority,

02:08.405 --> 02:11.355
the name of that server
will be on the certificate.

02:11.355 --> 02:13.160
That's how you
would know that you

02:13.160 --> 02:15.100
are connected to
the right server.

02:15.100 --> 02:17.895
It shouldn't be an
expired certificate.

02:17.895 --> 02:19.905
It also has a class.

02:19.905 --> 02:21.350
The higher the class,

02:21.350 --> 02:23.720
the more authorized the
certificate should be.

02:23.720 --> 02:25.775
Meaning a class 1 certificate

02:25.775 --> 02:28.685
only indicates a match
with an email address.

02:28.685 --> 02:31.100
Whereas if you get
to class 3 or 4,

02:31.100 --> 02:32.510
you get digital signing and

02:32.510 --> 02:34.970
other rights and trust levels.

02:35.410 --> 02:38.090
Now, it will also have a serial

02:38.090 --> 02:39.420
>> number or license number

02:39.420 --> 02:40.970
>> that'll be used
to determine whether

02:40.970 --> 02:42.785
the certificate
has been revoked.

02:42.785 --> 02:44.845
We'll see that in a few minutes.

02:44.845 --> 02:46.620
Is it standardized?

02:46.620 --> 02:51.020
Yes. The standard for digital
certificates is X.509.

02:51.020 --> 02:53.965
You'll need to know that
standard for the test.

02:53.965 --> 02:55.680
Then the last piece is,

02:55.680 --> 02:57.855
was it issued by a
trusted authority?

02:57.855 --> 02:59.660
Yes, and it is

02:59.660 --> 03:02.870
digitally signed by that
certificate authority.

03:02.870 --> 03:05.420
Certificates have a
lot in common with

03:05.420 --> 03:08.820
driver's licenses.
Let's look at one.

03:09.560 --> 03:12.199
You can see this
digital certificate

03:12.199 --> 03:13.415
which follows the standard of

03:13.415 --> 03:15.320
X.509 and you can

03:15.320 --> 03:17.450
see some of the fields
on the certificate.

03:17.450 --> 03:19.350
You can see the public key there

03:19.350 --> 03:21.395
and if I scroll up
on this screenshot,

03:21.395 --> 03:24.110
you'd be able to see the name
and the expiration date.

03:24.110 --> 03:26.120
You can see that it's
digitally signed

03:26.120 --> 03:28.250
using SHA1 and RSA,

03:28.250 --> 03:33.095
and this is how a server
authenticates its SSL or TLS,

03:33.095 --> 03:35.090
and proves who it is.

03:35.090 --> 03:37.040
It provides it the
public key that is

03:37.040 --> 03:39.350
issued by a trusted
authority and you know

03:39.350 --> 03:41.180
that because it's
hash and the hash is

03:41.180 --> 03:44.530
encrypted with that trusted
authorities' private key.

03:44.530 --> 03:47.445
When your public key
can decrypt that hash,

03:47.445 --> 03:50.290
you know it came from
a trusted authority.

03:50.420 --> 03:53.795
The heart and soul of
public key infrastructure

03:53.795 --> 03:55.280
is the certificate authority

03:55.280 --> 03:56.960
because the trust
and the certificate

03:56.960 --> 04:00.180
comes from the trust and
the certificate authority.

04:02.090 --> 04:04.940
Now, there's some other elements

04:04.940 --> 04:07.370
that make up a public
key infrastructure.

04:07.370 --> 04:08.880
The certificate authority is

04:08.880 --> 04:10.449
>> the most important element.

04:10.449 --> 04:13.835
>> There are also registration
authorities, or RA,

04:13.835 --> 04:15.185
which takes some off

04:15.185 --> 04:18.540
the off-loaded work from
the certificate authority.

04:19.240 --> 04:21.800
Verisign might hire a company

04:21.800 --> 04:23.840
to do the verification
and checks,

04:23.840 --> 04:26.195
and that company
would be the RA.

04:26.195 --> 04:27.725
In our bank scenario,

04:27.725 --> 04:28.940
when the bank provides us all of

04:28.940 --> 04:30.635
its proof and documentation,

04:30.635 --> 04:33.920
there might be an RA that
does that verification,

04:33.920 --> 04:37.830
but only the CIA can
issue the certificate.

04:39.010 --> 04:42.310
There's also a
certificate repository.

04:42.310 --> 04:45.080
Your browsers, where you
hold digital certificates

04:45.080 --> 04:47.935
for Verisign and all the
other trusted authorities.

04:47.935 --> 04:50.550
That's the certificate
repository.

04:50.550 --> 04:52.560
Then also traditionally,

04:52.560 --> 04:56.750
there have been a certificate
revocation list or CRL.

04:56.750 --> 04:59.060
The clients have had to
download to verify whether

04:59.060 --> 05:01.100
the server certificate
is valid and

05:01.100 --> 05:02.899
>> hasn't been revoked.

05:02.899 --> 05:04.970
>> In a few minutes,
we'll see how

05:04.970 --> 05:07.370
>> this has been modernized.

05:08.549 --> 05:11.270
>> For a longtime
clients had to download

05:11.270 --> 05:13.100
the entire CRL and verify

05:13.100 --> 05:15.380
certificates revocation
status every

05:15.380 --> 05:17.440
time they received
a certificate.

05:17.440 --> 05:20.510
Now since then, we've
evolved past that.

05:20.510 --> 05:23.645
We're now dealing with
a protocol called OCSP,

05:23.645 --> 05:26.760
online certificate
status protocol.

05:26.890 --> 05:30.350
Now OCSP has mean
it more streamlined

05:30.350 --> 05:33.290
to determine a certificate's
revocation status.

05:33.290 --> 05:35.840
What happens is that the
certificate authority will

05:35.840 --> 05:38.620
publish the CRL on
a regular basis.

05:38.620 --> 05:41.570
It's the job of the
OCSP responder to pull

05:41.570 --> 05:44.620
from the CRL periodically
throughout the day.

05:44.620 --> 05:47.180
When my client goes
to the OCSP server

05:47.180 --> 05:49.820
and asks whether the
certificate has been revoked,

05:49.820 --> 05:51.680
the OCSP responder will

05:51.680 --> 05:54.080
indicate whether it has
been revoked or not,

05:54.080 --> 05:56.760
as of the last time
that it was updated.

05:57.470 --> 06:00.530
To recap, you have
certificate authorities

06:00.530 --> 06:02.285
and registration authorities,

06:02.285 --> 06:03.650
both are involved in getting

06:03.650 --> 06:05.990
the client or server
a certificate.

06:05.990 --> 06:08.555
Certificates are used
to authenticate.

06:08.555 --> 06:10.730
The trust of a
certificate is based on

06:10.730 --> 06:13.100
the trust of the
certificate authority.

06:13.100 --> 06:15.620
We have the CRL and the OCSP

06:15.620 --> 06:18.430
to make sure that
certificates are up-to-date.

06:18.430 --> 06:21.915
That pretty much wraps up
public key infrastructure.

06:21.915 --> 06:23.930
Keep in mind that
this is a lot of

06:23.930 --> 06:26.705
overhead and takes a lot
of effort to maintain,

06:26.705 --> 06:28.475
and as we will see,

06:28.475 --> 06:32.340
this can be too much overhead
for some organizations.