{"id":979,"date":"2012-10-15T00:00:33","date_gmt":"2012-10-15T04:00:33","guid":{"rendered":"http:\/\/jlg.name\/blog\/?p=979"},"modified":"2013-09-01T23:33:15","modified_gmt":"2013-09-02T03:33:15","slug":"public-key-cryptography-certificate-chaining","status":"publish","type":"post","link":"http:\/\/jlg.name\/blog\/2012\/10\/public-key-cryptography-certificate-chaining\/","title":{"rendered":"Public-key cryptography &#038; certificate chaining"},"content":{"rendered":"<p>Of the many marvelous\u00a0<em>Calvin and Hobbes<\/em>\u00a0cartoons by Bill Watterson, one of the most marvelous (and memorable) is\u00a0<a href=\"http:\/\/www.gocomics.com\/calvinandhobbes\/1991\/05\/05\/\">The Horrendous Space Kablooie<\/a>.\u00a0 Quoth Calvin, \u201cThat\u2019s the whole problem with science.\u00a0 You\u2019ve got a bunch of empiricists trying to describe things of unimaginable wonder.\u201d<\/p>\n<p>I feel the same way about X.509, the name of the international standard defining public key certificates.\u00a0\u00a0<em>X.509?<\/em>\u00a0 It\u2019s sort of hard to take that seriously \u2014 \u201cX.509\u201d feels better suited as the name of an errant asteroid or perhaps a chemical formula for hair restoration.<\/p>\n<p>But I digress.\u00a0 X.509 digital certificates are exchanged when you create a \u201csecure\u201d connection on the Internet, for example when you read your webmail using HTTPS.\u00a0 The exchange happens something like this:<\/p>\n<ul>\n<li><em>Your computer:<\/em>\u00a0 Hi, I\u2019m a client.<\/li>\n<li><em>Webmail server:<\/em>\u00a0 Howdy, I\u2019m a server.\u00a0 Here\u2019s my X.509 certificate, including the public key you\u2019ll use in the next step.<\/li>\n<li><em>Your computer:<\/em>\u00a0 Fabulous.\u00a0 I\u2019ve calculated new cryptographic information that we\u2019ll use for this session, and I\u2019ve encrypted it using your public key; here it is.<\/li>\n<li>(Further traffic is encrypted using the session cryptographic 
information.)<\/li>\n<\/ul>\n<p>Several things happen behind the scenes to provide you with security:<\/p>\n<ol>\n<li>Your computer authenticates the X.509 certificate(s) provided by the server.\u00a0 It checks that the certificate was issued for the host name you asked for (the expected web address) and that it hasn\u2019t expired.\u00a0 It also verifies that a trusted third party vouches for the certificate, by checking the digital signature on the certificate against the public key of the certificate authority that issued it.<\/li>\n<li>Your computer verifies that whoever is on the other end actually holds the\u00a0<strong>private<\/strong>\u00a0key associated with the certificate, which is what stops a \u201cman in the middle\u201d who has merely copied the server\u2019s (public) certificate.\u00a0 It does this by encrypting the session cryptographic information with the server\u2019s\u00a0<strong>public<\/strong>\u00a0key.\u00a0 If the server didn\u2019t have the private key then it couldn\u2019t decrypt the session information, and so couldn\u2019t read or produce any further traffic.<\/li>\n<\/ol>\n<p><a href=\"https:\/\/www.eff.org\/deeplinks\/2011\/08\/iranian-man-middle-attack-against-google\">Unfortunately the system isn\u2019t perfect.<\/a>\u00a0 The folks who programmed your web browser included a set of trusted root certificates with the browser.\u00a0 Those root certificates were issued by well-known certificate authorities [CAs] such as Verisign and RSA.\u00a0 If an attacker breaches security at either a root CA or an intermediate CA,\u00a0<a href=\"http:\/\/threatpost.com\/en_us\/blogs\/comodo-diginotar-attacks-expose-crumbling-foundation-ca-system-090211\">as happened with the 2011 Comodo and DigiNotar attacks<\/a>, then the attacker can obtain a certificate for any site, including ones he doesn\u2019t control, and silently insert himself into your \u201csecure\u201d connection.\u00a0 Your browser trusts every bundled CA equally, so a single compromised CA is enough.\u00a0 Yikes!\u00a0 Efforts like\u00a0<a href=\"http:\/\/convergence.io\/\">Convergence<\/a>\u00a0are trying to address this problem.\u00a0 (<a href=\"http:\/\/www.jumpesp.com\/why-arent-you-using-https-everywhere-yet\/\">HTTPS Everywhere<\/a>\u00a0addresses a different one: it makes your browser use HTTPS at all where a site supports it, but it still relies on the same CAs.)<\/p>\n<p>Public-key cryptography is pretty neat.\u00a0 When you use public-key 
cryptography you generate two keys, a public key (okay to give out to everyone) and a private key (not okay).\u00a0 You can use the keys in two separate ways:<\/p>\n<ul>\n<li>When someone wants to send you a private message, they can encrypt it using your\u00a0<strong>public<\/strong>\u00a0key.\u00a0 The encrypted message can only be decrypted using your private key.<\/li>\n<li>When you want to publish a message, you can sign it using your\u00a0<strong>private<\/strong>\u00a0key.\u00a0 Anyone who has your public key can verify the signature, which proves both that you produced the message and that it hasn\u2019t been altered since.\u00a0 (For RSA the signature is, roughly, a hash of the message transformed with the private key, which is why signing is often loosely described as \u201cencrypting with the private key\u201d; a signature does nothing to keep the message secret.)<\/li>\n<\/ul>\n<p>In a public key infrastructure, a root CA (say, Verisign) uses its private key to sign the public-key certificates of intermediate certificate authorities (say, Thawte).\u00a0 The intermediate CAs then use their private key to sign the public-key certificates of their customers (say, www.google.com).\u00a0 When you visit Google\u2019s site using HTTPS, Google provides you both their certificate and Thawte\u2019s certificate.\u00a0 (The chained relationship Verisign-Thawte-Google is sometimes called the \u201cchain of trust\u201d.)\u00a0 Your browser uses the certificates provided by Google, plus the Verisign root certificate (bundled with the browser), to verify that the chain of trust is unbroken: it checks Thawte\u2019s signature on Google\u2019s certificate, then Verisign\u2019s signature on Thawte\u2019s certificate, and stops when it reaches a root it already trusts.<\/p>\n<p>[I use Google as the example here, since you can visit\u00a0<a href=\"https:\/\/www.google.com\/\">https:\/\/www.google.com<\/a>\u00a0and configure your browser to show the certificates that Google provides.\u00a0 However, I have no knowledge of Google\u2019s contractual relationship with Thawte.\u00a0 My assertions below about Google are speculative, but the overall example is valid.]<\/p>\n<p>Recently I was asked \u201cWe have been trying to understand Certificate Chaining and Self Signing.\u00a0 Would a company [like Google] be allowed to purchase one certificate from a Certificate issuer like Verisign and then issue its own signed additional certificates for additional 
use?\u201d<\/p>\n<p>Great question!\u00a0 (Where \u201cgreat question\u201d is defined as \u201cum, I don\u2019t know, let me check into that.\u201d)\u00a0 It turns out the answer is no: a company\u2019s certificate(s) cannot be used to sign other certificates.\u00a0 (Strictly speaking, nothing stops the company\u2019s private key from producing a signature; what stops the scheme is that no browser will accept the result.)<\/p>\n<p>Using Google as an example, the principal reason is that neither Verisign nor Thawte let Google act as an \u201cintermediate certificate authority.\u201d\u00a0 It\u2019s (1) likely against the license agreement under which Thawte signed Google\u2019s certificate, and (2) prohibited by metadata fields inside both Thawte\u2019s certificate and Google\u2019s certificate:<\/p>\n<ul>\n<li>Google\u2019s certificate is prohibited from signing other ones because of a flag inside the certificate metadata.\u00a0 (Specifically, their\u00a0<em>Version 3<\/em>\u00a0certificate has an\u00a0<em>Extension<\/em>\u00a0called\u00a0<em>Certificate Basic Constraints<\/em>\u00a0whose\u00a0<em>cA<\/em>\u00a0flag is false; browsers display this as\u00a0<em>Is not a Certificate Authority<\/em>.)\u00a0 And Google can\u2019t modify their certificate to change this flag, because then signature validation would fail (your browser would detect that Google\u2019s modified certificate doesn\u2019t match the original certificate that Thawte signed).<\/li>\n<li>Certificates signed by Thawte\u2019s certificate cannot be used as Certificate Authorities (CAs) because of a field inside Thawte\u2019s certificate.\u00a0 (Specifically, their\u00a0<em>Version 3<\/em>\u00a0certificate has an\u00a0<em>Extension<\/em>\u00a0called\u00a0<em>Certificate Basic Constraints<\/em>\u00a0with a field\u00a0<em>pathLenConstraint<\/em>, displayed as\u00a0<em>Maximum number of intermediate CAs<\/em>, that\u2019s set to zero.\u00a0 That means Thawte\u2019s key may sign end-entity certificates such as Google\u2019s, but a verifier must reject any chain that places another CA certificate below Thawte\u2019s.)\u00a0 So even if Google\u2019s certificate did have the cA flag set, a chain of Verisign, Thawte, Google, some other server would still fail.<\/li>\n<\/ul>\n<p>Both protections depend on the verifying software actually enforcing Basic Constraints.\u00a0 A verifier that accepts any valid signature from any certificate in the chain, without checking whether the signer is allowed to be a CA, is exactly what lets an ordinary server certificate be used to impersonate other sites.<\/p>\n<p>If your company needs to issue its own signed certificates, for example to protect your internal servers, it\u2019s relatively easy to do.\u00a0 All you have to do is\u00a0<a 
href=\"http:\/\/www.davidpashley.com\/articles\/cert-authority.html\">run a program that generates a root certificate<\/a>.\u00a0 You would then be like Verisign in that you could issue and sign as many other certificates as you wanted.\u00a0 (The down side of your \u201cprivate PKI\u201d is that none of your users\u2019 browsers would initially recognize your root certificate as a valid certificate.\u00a0 For example, anyone surfing to a web page protected by certificates you signed would get a big warning page every time, at least until they imported your root certificate\u2019s signature to their trusted-certificates list.)<\/p>\n<p>The article I found most helpful in digging up this answer is here:<br \/>\n<a href=\"https:\/\/webmail1.telecomsys.com\/owa\/redir.aspx?C=a2c724b4d8704ab0bf61a06020207177&amp;URL=http%3a%2f%2funitstep.net%2fblog%2f2009%2f03%2f16%2fusing-the-basic-constraints-extension-in-x509-v3-certificates-for-intermediate-cas%2f\">http:\/\/unitstep.net\/blog\/2009\/03\/16\/using-the-basic-constraints-extension-in-x509-v3-certificates-for-intermediate-cas\/<\/a><\/p>\n<p>(The full name of the X.509 standard is the far worse\u00a0<em>ITU-T Recommendation X.509: Information technology \u2013 Open systems interconnection \u2013 The Directory: Public-key and attribute certificate frameworks<\/em>.\u00a0 One name with four hyphens, two colons, and the hyphenated equivalent of comma splicing?\u00a0 Clearly\u00a0<a href=\"http:\/\/www.phdcomics.com\/comics\/archive.php?comicid=718\">rigorous scientific work<\/a>.)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Of the many marvelous\u00a0Calvin and Hobbes\u00a0cartoons by Bill Watterson, one of the most marvelous (and memorable) is\u00a0The Horrendous Space Kablooie.\u00a0 Quoth Calvin, \u201cThat\u2019s the whole problem with science.\u00a0 You\u2019ve got a bunch of empiricists trying to describe things of unimaginable wonder.\u201d I feel the same way about X.509, the name of the international 
standard defining [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,7],"tags":[],"_links":{"self":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/979"}],"collection":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/comments?post=979"}],"version-history":[{"count":1,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/979\/revisions"}],"predecessor-version":[{"id":980,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/979\/revisions\/980"}],"wp:attachment":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/media?parent=979"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/categories?post=979"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/tags?post=979"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
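The Basic Constraints checks and the "private PKI" described in the post above, as an added example that is not part of the original post: a POSIX shell script that uses the openssl command line to build a root, an issuing CA limited to pathlen:0, and a server certificate, then runs the verifier over four chains: the legitimate one, one with the intermediate missing, one where the server certificate (cA false) has signed another certificate, and one where a sub-CA sits below the pathlen:0 intermediate. All names (Example Root CA, Example Issuing CA, www.example.com, rogue.example.com, deep.example.com) and the section and file names are made-up assumptions, and the script assumes `openssl` 1.1.1 or later is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original post.  Builds a small private PKI
# with the openssl command line and shows what a verifier does with chains that
# violate Basic Constraints.  Names (Example Root CA, Example Issuing CA,
# www.example.com, rogue.example.com, deep.example.com) are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# One config file; each section holds the X.509 v3 extensions for one role.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ issuing_ca ]
# pathlen:0 -> may issue end-entity certificates, but no further CAs
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ sub_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server ]
# "Is not a Certificate Authority".  keyUsage is left out so that the
# rejection in case 3 below is caused by the cA flag alone.
basicConstraints = critical, CA:FALSE
extendedKeyUsage = serverAuth
EOF

# The self-signed root: the one certificate you would import into browsers.
openssl req -x509 -new -newkey rsa:2048 -nodes -config pki.cnf -extensions root_ca \
    -subj "/CN=Example Root CA" -days 3650 -keyout root.key -out root.crt 2>/dev/null

# csr STEM CN : a fresh key pair plus a certificate signing request.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# issue STEM ISSUER SECTION : sign STEM.csr with ISSUER's private key, adding
# the extensions from SECTION.  openssl x509 signs whatever it is handed; it is
# the verifier, not the signer, that enforces Basic Constraints.
issue() {
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 365 -extfile pki.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

# validate LEAF [INTERMEDIATE...] : what a browser does with the certificates a
# server sends, trusting only root.crt.  Prints "accepted" or "rejected (why)".
validate() {
    leaf=$1; shift
    untrusted=""
    for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
    if out=$(openssl verify -CAfile root.crt $untrusted "$leaf" 2>&1); then
        echo accepted
    else
        echo "rejected ($(echo "$out" | grep 'depth lookup' | head -n 1))"
    fi
}

csr issuing "Example Issuing CA";  issue issuing root    issuing_ca
csr www     "www.example.com";     issue www     issuing server

# 1. The legitimate chain, with the intermediate sent alongside the leaf.
validate www.crt issuing.crt
# 2. Same leaf, but the server forgot to send the intermediate certificate.
validate www.crt
# 3. The server certificate (CA:FALSE) is used to sign another certificate.
#    Signing works fine; verification does not.
csr rogue "rogue.example.com";     issue rogue www server
validate rogue.crt issuing.crt www.crt
# 4. The issuing CA (pathlen:0) signs a sub-CA, which signs a server cert.
csr subca "Example Sub CA";        issue subca issuing sub_ca
csr deep  "deep.example.com";      issue deep  subca   server
validate deep.crt issuing.crt subca.crt
```

Case 3 is the "buy one certificate and issue your own" scheme from the question: the signature the server key produced is mathematically valid, and the chain is rejected purely because the verifier reads the cA flag. Case 4 shows pathlen:0 doing the same job one level up. Any real browser does the same checks as `openssl verify` here; the only thing that differs is which roots it was shipped with.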