Skip to content

Latest commit

 

History

History
162 lines (128 loc) · 4.04 KB

20-asym_certs_and_trust.md

File metadata and controls

162 lines (128 loc) · 4.04 KB
SPDX-FileCopyrightText SPDX-License-Identifier title author footer description keywords color class style
© 2024 Menacit AB <[email protected]>
CC-BY-SA-4.0
Practical cryptography course: Certificates and trust models
Joel Rangsmo <[email protected]>
© Course authors (CC BY-SA 4.0)
Presentation about what certificates are and different trust models
cryptology
cryptography
practical
encryption
course
#ffffff
invert
section.center { text-align: center; } table strong { color: #d63030; } table em { color: #2ce172; }

Certificates and trust models

bg right:30%

Asymmetric cryptography enables us to share secrets/valid authenticity without a shared key.

But how do we get hold of the public key of a peer?

bg right:30%

$ ssh 141.95.102.166

The authenticity of host '141.95.102.166 (141.95.102.166)' can't be established.
ED25519 key fingerprint is SHA256:wzzjNa+3VIhoxAEc1W9KfWzW8APaB3O6OSBFki66jEU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?

$ for KEY in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -l -f "${KEY}"; done

1024 SHA256:IrBaPa6k+uPe1SMeshWaX8SMomgCxWthfjxtR0jjBfY root@w2 (DSA)
256 SHA256:VBBjYJyshoJU1x63APDVjTyzZu8TG4XUGGu1HxMEXSM root@w2 (ECDSA)
256 SHA256:wzzjNa+3VIhoxAEc1W9KfWzW8APaB3O6OSBFki66jEU root@w2 (ED25519)
3072 SHA256:4CiF9f8vMP2a8cGG5OjW0lmH1xWMXwgwjx9oUvPzYbI root@w2 (RSA

What does the "known_hosts" file contain?

Hostnames/IP addresses ("server identities") and "key fingerprints" (hash of public key).

bg right:30%

Common "trust models"

  • None ("YOLO!")
  • Trust On First Use (TOFU)
  • Certificates and Certificate Authorities (CA)
  • Web of Trust (WoT)

bg right:30%

TOFU

$ ssh -o StrictHostKeyChecking=accept-new 141.95.102.166

bg right:30%

Common "trust models"

  • None ("YOLO!")
  • Trust On First Use (TOFU)
  • Certificates and Certificate Authorities (CA)
  • Web of Trust (WoT)

bg right:30%

What are "certificates"?

Signed(public key + metadata)

bg right:30%

Examples of metadata

  • Identity (hostname, email, etc)
  • Expiry
  • Permitted usage
  • ID photo

bg right:30%

Common standards

  • X.509
  • OpenPGP
  • SSH certificates

bg right:30%

CA

Trust store contains public keys which are blessed to sign other certificates.

WoT

Any key can sign other certificates, users can choose how much risk they are willing to take.

bg right:30%

bg center 70%

Certificate Authorities

Trust store contains public keys which are blessed to sign other certificates.

Web of Trust

Any key can sign other certificates, users can choose how to "weight" keys and how much risk they are willing to take.

bg right:30%

We'll re-visit this topic and take a deeper look into how X.509 utilize CAs for establishing trust.

bg right:30%