This video belongs to the openHPI course Confidential Communication in the Internet.
- 00:01 Now we want to consider some Public Key Infrastructures (PKI) in the Internet
- 00:05 in our openHPI course, Confidential Communication in the Internet.
- 00:11 You remember the Public Key Infrastructures; we discussed them in detail,
- 00:17 say, the Trust Problem, a trust problem for asymmetric cryptosystems.
- 00:23 The trust problem consists of the problem that we need to link the public keys tamper-proof to their users.
- 00:36 So, the PKIs allow in this way the secure application
- 00:42 of asymmetric cryptoprotocols for encryption and also particularly for digital signatures.
- 00:49 And they provide a basis for the hierarchical trust model and the
- 00:56 hierarchical structure of such Public Key Infrastructures (PKI). So first, PKI,
- 01:04 and the most important PKI in the internet,
- 01:08 is connected to HTTP, the HyperText Transfer Protocol; that's
- 01:16 the protocol that allows using web applications over the internet, and the Public Key
- 01:23 Infrastructure is in place for the HTTPS protocol, the HyperText
- 01:32 Transfer Protocol Secure. And this HTTPS protocol secures the protocol for communication
- 01:42 with web servers, the interaction between web browsers and web servers.
- 01:49 Originally, the HTTP protocol was introduced to this end, and this was
- 01:57 all of the communication running in cleartext. And then, with this version of the HTTPS protocol,
- 02:04 the connection between the web browser and the web server could
- 02:10 be secured. So, in the case of using an HTTPS connection in the internet,
- 02:17 the identity of the requested web page is checked.
- 02:22 So, the communication does not start before the partners are authenticated to each other.
- 02:28 And all the communication is encrypted. These are the two main
- 02:34 features that are provided by the HTTPS protocol,
- 02:39 compared to the HTTP protocol. HTTPS, because we need it for our authentication
- 02:47 or we need it for the exchange of
- 02:50 security encryption keys, HTTPS is based on hierarchical Public Key Infrastructures.
- 03:01 Here, in these hierarchical Public Key Infrastructures, the "Root CA" certificates are stored in the browser
- 03:13 of the user or in the operating system, particularly for the smart devices.
- 03:21 And if you connect to critical internet services,
- 03:26 definitely, you should only use this HTTPS protocol;
- 03:37 when a browser displays a certificate warning, then you should be careful.
- 03:44 So, the certificate guarantees that you are communicating with the
- 03:49 right owner, with the right service, and that all the internet communication is
- 03:57 encrypted. To give an example, in the beginning of such a connection,
- 04:04 such an interaction in the World Wide Web, a connection needs
- 04:10 to be established, and here in our example,
- 04:13 let's assume that the user wants to connect to his savings bank.
- 04:22 The browser verifies, so, he enters the URL and the browser verifies the
- 04:29 signature of the certificate of "www.sparkasse.de" (URL) with the help of the superordinate certificate.
- 04:45 This superordinate certificate comes from D-Trust. It is an
- 04:51 organization that issues such certificates. So, in this step, it is checked
- 04:59 whether the connection is between you (the user) and your bank, whether it's really your bank which is communicating with you.
- 05:11 And here in the browser, in the URL field, one can see this (D-Trust certificate).
- 05:19 Now, one has to check the signature; not you, the browser is doing this:
- 05:24 the signature of the D-Trust certificate is verified.
- 05:30 The browser is doing this, so it checks the signature and checks whether
- 05:37 the certificate is valid. The browser is doing this
- 05:45 with the trustworthy "Root CA" certificate
- 05:51 of the service. And then the browser can establish a chain of trust up to
- 05:58 the certificate of the savings bank, starting from the certificate of the D-Trust "Root CA" up
- 06:08 to the certificate of the savings bank. And if you like,
- 06:13 you can follow this in your browser; in any case, if you have
- 06:20 an HTTPS connection, there is a small lock icon
- 06:25 displayed. When connecting to a critical internet service, the browser should show
- 06:33 such a small lock icon. Here, this is a lock symbol; it's green.
- 06:40 Otherwise, it is red and the lock is open. It differs a little bit
- 06:44 depending on what kind of browser you are using, but this guarantees
- 06:48 you that there is a valid certificate and that you are really connected with your
- 06:57 savings bank. Anyone who is interested in seeing the certificate chain in the
- 07:03 hierarchy can do this in his browser.
- 07:08 For example, in Firefox, it looks like the following:
- 07:12 you can click here on this green lock.
- 07:15 Then you can click on the arrow next to the secure connection,
- 07:19 and then you see further information which shows you the certificate details.
- 07:26 Definitely, you should do this to get a feeling that,
- 07:30 when you are connecting to your bank, in the background this Public Key
- 07:35 Infrastructure is working. Certificates are exchanged when the connection is
- 07:41 established, so that both partners know that they are exactly connected
- 07:50 to each other. Another example of a PKI in practice is
- 07:58 "My ELSTER". My ELSTER is an official online portal of the German tax authorities,
- 08:05 for example, for filing income tax returns or others.
- 08:10 The log-in into this portal, into the "My ELSTER" portal, is possible via a Public
- 08:17 Key Infrastructure. So, the certificate file contains a signed certificate and a
- 08:25 private key and is stored on the user's computer. This is when you
- 08:31 establish a connection to interconnect and interchange messages with ELSTER.
- 08:38 Then you can also use an electronic identity card plus the AusweisApp2 software.
- 08:46 This is a chip card which, after checking the Authorization Certificate of "My ELSTER",
- 08:51 issues your stored identity data assigned by the BSI. BSI in
- 08:58 Germany is a federal authority for security in information technology.
- 09:06 And you can interact with "My ELSTER" by means of a security stick or
- 09:13 a chip card and the "ELSTER" authenticator software, which contains a private key and a
- 09:21 signed certificate to prove your identity for this interaction. So, this works in a
- 09:28 different way from the PKI; it's a different PKI than the one we discussed first
- 09:35 in the internet, which is used when we make secure
- 09:40 communications via the HTTPS protocol. So, there are many such Public Key Infrastructures
- 09:48 in the internet. The PKI which is the basis of the HTTPS protocol is of particular
- 09:59 importance, and is very, very popular in use.
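To make the chain of trust described in the lecture concrete, here is an added example (not from the lecture or from openHPI): a shell script that uses the openssl command-line tool to build a made-up hierarchy with a root CA, an intermediate CA and a server certificate for the invented name www.example.test, and then verifies the server certificate against the root alone, the way a browser verifies www.sparkasse.de against the D-Trust root. It also shows two cases where a browser would display a certificate warning. All names in it are constructed.

```shell
# Added example, not part of the openHPI lecture: build a small hierarchical PKI
# (Root CA -> Intermediate CA -> web server certificate) and check the server
# certificate like a browser does, with the root as the only trust anchor. Names are made up.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Minimal OpenSSL config: extension profiles for CA certificates and for the server (leaf).
cat > "$WORK/cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# 1. Root CA: self-signed. This is what sits in the browser's or OS's trust store.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/cnf" \
  -extensions ca -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# 2. Intermediate CA: its certificate is signed by the root (the "superordinate" certificate).
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/cnf" \
  -subj "/CN=Example Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/cnf" -extensions ca -out "$WORK/int.pem" 2>/dev/null

# 3. Server certificate for www.example.test, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/cnf" \
  -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 30 -extfile "$WORK/cnf" -extensions leaf -out "$WORK/leaf.pem" 2>/dev/null

# verify_chain ANCHOR UNTRUSTED LEAF HOSTNAME: exit 0 only if a chain of trust from the anchor
# to the leaf exists, it is valid for a TLS server, and the typed host name matches (the lock icon).
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" -purpose sslserver -verify_hostname "$4" "$3"
}
# Success: root trusted, intermediate supplied by the server, host name matches.
verify_chain "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem" www.example.test
# Warnings: the intermediate alone is no trust anchor; the host name does not match the certificate.
verify_chain "$WORK/int.pem" "$WORK/int.pem" "$WORK/leaf.pem" www.example.test || echo "no trusted root"
verify_chain "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem" www.other.test || echo "host name mismatch"
```

Replace the root with the certificate of a real Root CA from your trust store and the chain check stays the same; only the anchor changes.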