1
00:00:01,840 --> 00:00:07,810
If we decide to implement a public key infrastructure, it turns out to be extremely functional and useful

2
00:00:07,810 --> 00:00:09,520
for various applications.

3
00:00:11,590 --> 00:00:16,170
Right now we'll just take a brief look, and in a moment we'll return to individual cases.

4
00:00:18,480 --> 00:00:20,450
What can we do with the certificate?

5
00:00:20,850 --> 00:00:27,640
First of all, we can verify the identity of Internet services. Probably no one would decide, for example,

6
00:00:27,850 --> 00:00:29,860
to use electronic bank services

7
00:00:29,950 --> 00:00:36,220
if the communication from the Web site of that bank took place using HTTP instead of HTTPS protocol.

8
00:00:38,520 --> 00:00:43,550
It would be the same if communication was already established using HTTPS protocol

9
00:00:43,680 --> 00:00:46,320
but the bank's web site presents an invalid certificate.

10
00:00:48,840 --> 00:00:53,210
Currently almost all Internet browsers help us with this.

11
00:00:53,460 --> 00:00:57,550
If the certificate is invalid for some reason (we'll speak about this later),

12
00:00:57,570 --> 00:01:02,190
the browser blocks displaying the given Web site and warns us before we visit the site that something

13
00:01:02,190 --> 00:01:06,200
is wrong with the certificate.

14
00:01:06,220 --> 00:01:12,240
It may also do so on the address bar: rather than the soothing green color of the address bar,

15
00:01:12,500 --> 00:01:16,630
it's red, which should draw our attention to the fact that something's wrong.

16
00:01:18,690 --> 00:01:22,310
If we don't pay attention to it, then we fall victim to a dual attack.

17
00:01:22,500 --> 00:01:29,440
First of all, man-in-the-middle attacks, which we've already talked about: someone controls the channel

18
00:01:29,440 --> 00:01:33,880
between us and the bank's web site, and we really connect to the bank through the attacker.

19
00:01:35,570 --> 00:01:40,920
The certificate of the attacker was displayed to us; that this does not match the bank's address is signalled,

20
00:01:40,920 --> 00:01:47,070
for example, in red. If we write there any of our confidential data, it will be encrypted.

21
00:01:47,280 --> 00:01:50,580
But the attacker's will be used.

22
00:01:50,610 --> 00:01:54,080
This doesn't make any sense.

23
00:01:54,110 --> 00:02:00,710
The second type of attack is spoofing the bank's website. Very popular attacks at one time were based

24
00:02:00,710 --> 00:02:07,720
on attackers registering domains whose names very much resembled their original domain name.

25
00:02:07,740 --> 00:02:15,190
They used various tricks to do so, for example double encoding, or they used suitable words of a given

26
00:02:15,190 --> 00:02:23,180
language and encoding the domain name. Domain names may be regionalised. Because we display it on our

27
00:02:23,180 --> 00:02:29,760
side of the code, we see, for example, the letter O as it should be in the name of a given bank.

28
00:02:30,260 --> 00:02:37,860
But in fact it could be, for example, the letter O with an umlaut. Contemporary browsers also protect

29
00:02:37,860 --> 00:02:39,300
us from such attacks.

30
00:02:41,680 --> 00:02:50,850
And other uses: Encrypting File System, meaning the possibility to encrypt files. Another is digital signatures.

31
00:02:50,850 --> 00:02:55,320
We can prove that we're the sender of a message and convince the recipient that no one has modified

32
00:02:55,320 --> 00:02:59,220
it by signing it digitally, as described in one of the earlier modules.

33
00:03:01,700 --> 00:03:06,540
Logging into systems using a smart card is also used in public key infrastructure.

34
00:03:08,590 --> 00:03:17,330
On the smart card is written a certificate with some private key. Secure electronic mail, S/MIME: everything

35
00:03:17,330 --> 00:03:22,470
is based on certificates and on public key infrastructure.

36
00:03:22,580 --> 00:03:27,850
If it weren't for that, there's no point to encrypt something if we don't know to whom it will be sent.

37
00:03:30,060 --> 00:03:32,900
We're not able to confirm the identity of the recipient.

38
00:03:34,150 --> 00:03:41,170
Certificates also permit code signing: not only signing data but also code signing.

39
00:03:41,180 --> 00:03:46,380
Fortunately more and more programs are digitally signed.

40
00:03:46,560 --> 00:03:50,370
If it comes to such a situation that all programs will be signed digitally,

41
00:03:50,790 --> 00:03:58,540
we will be able to implement in our systems a simple policy stating: do not run unsigned code; with regard

42
00:03:58,540 --> 00:04:04,480
to signed code, run programs from this publisher and that publisher. We will be safer.

43
00:04:06,480 --> 00:04:14,200
Since we can identify code on this basis, we can make some decisions. Software restriction principles

44
00:04:14,200 --> 00:04:21,160
work in the way we just mentioned. One of the methods of code identification is the certificates used

45
00:04:21,160 --> 00:04:29,690
to sign it. Secure Internet Protocol is based on using public key infrastructure.

46
00:04:29,880 --> 00:04:37,670
We must somehow authenticate the other person. A certificate may be used to do this.

47
00:04:37,710 --> 00:04:42,310
This is a significantly safer method than a shared key.

48
00:04:42,550 --> 00:04:49,920
Also in the group is the 802.1X standard. We've already mentioned it during our training.

49
00:04:49,970 --> 00:04:57,690
It may use certificates to authenticate both users and computers, workstations and laptops. In the central

50
00:04:57,690 --> 00:04:59,720
part of the scheme shown previously,

51
00:04:59,750 --> 00:05:07,000
There is a model structure of the public key for medium-sized companies. We'll have a root certification

52
00:05:07,000 --> 00:05:15,480
authority, often referred to as root. Another will be a subordinate certification authority, which in contrast

53
00:05:15,480 --> 00:05:20,380
to root will be online and will perform all requests on a regular basis.

54
00:05:22,660 --> 00:05:27,970
At the very bottom of the hierarchy are functional certification authorities, which will issue certain

55
00:05:27,970 --> 00:05:31,540
types of certificates.

56
00:05:31,580 --> 00:05:35,030
We'll explain in a further part of this module why it should look this way.