class: center, middle # Certificate Authentication ### Highly **Secure** Access to Websites, Servers, and Services --- ## Certificates mean **Trust** * Certificates are based on public key encryption. -- * Certificates allow one party to verify the identity of another party. -- * Every secure transaction online involves a certificate to verify that you are actually talking to the website (Amazon, Google, LaunchCode) that you think you are talking to. -- * Certificates can also be used to verify the identity of users. Highly secure because certificates are cryptographically sound (where as a username password combination can be guessed or cracked). --- ## Certifcates: How exactly do they work? -- There are two typical scenarios where certificates are used: -- 1) An organization wants to verify it's online presence. -- 2) An organization wants to verify the identity of its user. -- ### **Trust** has to start somewhere * Certificates are created via open source software like `openssl`. Anyone can create a certificate. It's all about who you trust. --- ## Certificates for Identity Certificate Authorities (CAs) will vouch for an organization's identity. -- * You buy a certificate from DigiCert for $100. -- * DigiCert needs to verify your identity so they send you a postcard via snail mail to verify the address of your organization. -- * You complete the registration and DigiCert gives you a certificate that you can add to your website. -- * When people visit your website they will see that DigiCert vouches for your identity. -- * Certificates are like credit cards! If you lose one you have to let the CA know otherwise the certificate could be used on a malicious website to deceive your users. --- ## Certificates for Verification If an organization wants to verify the identity of its users, it will act as a certificate authority. -- * The organization wants to verify users using a more secure method than username and password. -- * The organization begins issuing certificates to the users of their system. -- * In order to access systems, users must present their certificate to verify their identity. -- * Anyone can become a Certificate Authority. Creation of certificates happens via the open source `openssl` library. --- ### What is a Certificate? -- * A certificate is simply a **public key** with some extra information that can be verified by a private key.* -- Format of X509 Certificates: ``` Version Certificate Serial Number Certificate Algorithm Identifier Issuer Validity Period Subject Public Key Certificate Authority Digital Signature ``` --- ## Breaking down a Certificate **Subject** - The name of the computer, user, network device, or service that the CA is vouching for (i.e. launchcode.org or mike@launchcode.org) **Issuer** - This is the Certificate Authority that issued the certificate. **Public Key** - There is a corresponding private key that is used to encrypt all traffic between the sources. **Certificate Authority Digital Signature** - The Certificate Authority provides a hash of the certificate that can be verified against a public key from that Certificate Authority. --- View a certificate from a website.  --- ## Who to Trust? ### *How do our computers know who to trust?* -- The world as a whole has already decided who to trust by default. -- * Every computer, device, server, or Operating System comes with pre installed certificates of all of the major trusted Certificate Authorities around the world. -- * You can choose to trust additional certificate authorities. -- * You can generate certificates and have those certficates be trusted by your browser. --- ## A quick word on Cryptography 1. For thousands of years, the world has relied on **symmetric** cryptography (a shared secret between two parties). -- 2. Now the world uses **asymmetric** cryptography (also known as `public-key cryptography`). -- 3. In **asymmetric** cryptography, one key is used for encrypting (public key) and another key is used for decrypting (private key). -- 4. **asymmetric** cryptography is computationally expensive. Typically, it is only used to establish a **symmetric** key that is shared. --- ## How your Browser trusts 1. Your browser downloads the certificate from a website. The certificate is signed with the private key of a trusted **certificate authority**. -- 2. Your browser checks to make sure the signature of the certificate can be decrypted using one of the trusted certficates factory **installed on the machine**. -- 3. Your browser verifies that the URL on the certificate matches the URL the browser is visiting. -- 4. Your browser generates a **symmetric key** that can be used to encrypt all traffic between the browser and the server. The **symmetric key** is encrypted with the public key from the certifcate and sent to the server. --- ## How your Server trusts Certificates can also be used to identify and authorize users. -- * Every user is granted a certificate signed by a certificate authority **created by an organization**. -- * All certificates that are allowed to access a server are stored in a `truststore` on that server. -- * When you visit a site, your browser presents a certificate. The server verifies that the certificate is signed and not expired. --- #Questions? ---