Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
49 views5 pages

X.509 Certificate Features & Vulnerabilities

X.509 certificates contain several key components: - Validity period specifying the timeframe when the certificate is valid - Subject identifying the certificate owner (e.g. name, email, URL) - Public key and algorithm for encryption/decryption - Extensions allowing additional attributes like usage policies and publication points - CA's digital signature authenticating the certificate contents

Uploaded by

Shiva prasad
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
49 views5 pages

X.509 Certificate Features & Vulnerabilities

X.509 certificates contain several key components: - Validity period specifying the timeframe when the certificate is valid - Subject identifying the certificate owner (e.g. name, email, URL) - Public key and algorithm for encryption/decryption - Extensions allowing additional attributes like usage policies and publication points - CA's digital signature authenticating the certificate contents

Uploaded by

Shiva prasad
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

X.

509 Version 3 Certificate


„ Validity Period: The
certificate's start and
expiration dates.
„ define the interval

during which the


certificate is valid,
although the certificate
can be revoked before
the designated
expiration date.

31

X.509 Version 3 Certificate


„ Subject: The name of the
subject (owner) of the
certificate such as:
„ X.500 directory name
„ Internet e-mail address
„ URL
„ Subject Public-Key
Information: The public key
and the public key
cryptography algorithm.
„ The algorithms for which the
public key set can be used,
such as digital signing, secret
key encryption, and
authentication.
32
X.509 Version 3 Certificate
„ Issuer Unique Identifier:
Optional information (bit
string) for uniquely
identifying the issuer,
when necessary.

„ Subject Unique
Identifier: Optional
information (bit string)
for uniquely identifying
the subject, when
necessary.

33

X.509 Version 3 Certificate


„ Extensions: Additional
information that can be
specified for optional use by
public key infrastructures.
Common extensions include a
list of specific uses for
certificates (for example,
S/MIME secure mail or IPSec
authentication), CA trust
relationship and hierarchy
information, a list of publication
points for revocation lists, and
a list of additional attributes
for the issuer and subject.

34
X.509 Version 3 Certificate

„ Certification Authority's
Digital Signature: The CA's
digital signature of all the
previous fields, which is
created as the last step in
generating the certificate.
(Called Encrypted)

35

X.509 Version 3 Certificate

„ 3 extension categories
„ Key and policy information

„ Subject and issuer attributes

„ Certification path constraints

36
X.509 Extensions: Key and Policy
„ Subject and issuer keys information
„ Indicators of certificate policy
„ Extension fields
„ Authority key identifier (to differentiate keys of the same
CA)
„ Subject key identifier (to differentiate keys of the same
subject)
„ Key usage (bit string for 9 possibilities, such as key and/or
data encryption, signature verification on
certificates/CRLs, …)
„ Private-key usage period (for signatures)
„ Certificate policies (used for issuing and for certificate
usage)
„ Policy mappings (from CA to CA, for matching policies of
different CAs)
37

X.509 Extensions:
Certificate Subject Attributes
„ Alternate names for either the certificate
subject or the certificate issuer

„ Extension fields
„ Subject alternative name (additional
identities to be bound to the subject)
„ Issuer alternative name (to associate, e.g.,
internet style identities to issuer)
„ Subject directory attributes (such as DoB
or clearance, to be used by X.500 directory )

38
X.509 Extensions:
Certification Path Constraints
„ Provide constraints for certificates issued
by CAs for other CAs.

„ Extension fields
„ Basic constraints (can subject be CA and
length of allowed certification path from this CA)
„ Name constraints (name space for allowed
subjects in subsequent certificates)
„ Policy constraints (for path validation, either
prohibiting or requiring policy)

39

Vulnerability and Exploits


„ In 2005, shown "how to use hash collisions to construct two X.509
certificates with identical signatures and differerent public keys",
using a collision attack on the MD5 hash function.
„ In 2008, presented a practical attack to create a rogue
Certificate Authority, accepted by all common browsers, by
exploiting the issuing X.509 certificates based on MD5.
„ X.509 certificates based on SHA-1 appeared to be secure until
April 2009 when researchers produced a method to increases the
likelihood of a collision
„ There are implementation errors with X.509 that allow e.g.
falsified subject names using null-terminated strings or code
injections attacks in certificates
„ Implementations suffer from design flaws, bugs, different
interpretations of standards and lack of interoperability.
„ Many implementations turn off revocation check and policies are not enforced
40

You might also like