WEBVTT

00:00.110 --> 00:00.650
Huron.

00:00.650 --> 00:01.490
And welcome back.

00:01.490 --> 00:06.920
Now, in today's video, our prime focus would be over the revocation methods for the certificates.

00:06.920 --> 00:11.810
And the topics that we'll be discussing would be CRL and the OCSP protocol.

00:11.810 --> 00:16.010
So when you talk about revocation method, you can understand this in an easier way.

00:16.010 --> 00:19.790
So let's say that this is my passport.

00:19.790 --> 00:23.300
So now it can happen that the passport gets revoked, right?

00:23.300 --> 00:25.550
So the government can revoke the passport.

00:25.550 --> 00:28.490
So a revoked passport is no longer trusted.

00:28.490 --> 00:33.140
So same way you can even revoke the certificates.

00:33.140 --> 00:40.520
So let's say a certificate is issued for five years and you might see that that certificate is compromised.

00:40.520 --> 00:45.590
So the private key associated with the certificate is compromised in the recent breach.

00:45.590 --> 00:48.290
So you can revoke that certificate immediately.

00:48.290 --> 00:52.940
So those revocation related aspects are the things that we'll be discussing today.

00:53.180 --> 00:55.400
Now the first one is the CRL.

00:55.550 --> 01:02.820
So CRL basically stands for Certificate Revocation List and it basically is a list of digital signatures

01:02.820 --> 01:11.040
that have been revoked by the issuing certificate authority before their scheduled expiration date and

01:11.040 --> 01:12.810
should no longer be trusted.

01:12.810 --> 01:17.970
So how things would work is you have a client, so client would be, let's say a web browser.

01:17.970 --> 01:24.180
So before client trusts the certificate, it first checks the CRL.

01:24.180 --> 01:28.320
So this is generally published by the Certificate Authority.

01:28.320 --> 01:34.860
So within the CRL it will look for whether that certificate that the web server has sent to the client

01:34.890 --> 01:37.080
is there in the list or not.

01:37.110 --> 01:40.530
If it is there within the list, then it is no longer trusted.

01:40.530 --> 01:41.970
You'll get an error there.

01:41.970 --> 01:45.540
If it is not there within the list, then you'll get a 200.

01:45.540 --> 01:45.840
Okay.

01:45.840 --> 01:51.150
And you will get the lock symbol if everything else is also fine.

01:51.150 --> 01:53.790
So that is what CRL is all about.

01:53.790 --> 02:00.270
So as we had discussed many times, what happens is that since the certificate and the private key are

02:00.270 --> 02:07.110
within the web server and if the web server is compromised, there are a lot of cases where your web

02:07.110 --> 02:08.430
server is compromised.

02:08.430 --> 02:14.490
So in such cases the attacker is able to get hold of the private key there.

02:14.520 --> 02:20.070
So if he gets the private key, he will essentially be able to decrypt the communication.

02:20.070 --> 02:28.080
So what the system administrators do is they contact the certificate authority and they revoke the certificate.

02:28.080 --> 02:32.820
So what happens in the revocation of a certificate is that the certificate authority,

02:32.820 --> 02:37.800
in case of CRL, will put the certificate's serial number within the CRL.

02:37.800 --> 02:43.680
So anyone who goes to the website, right, they have to check the CRL and if they check the CRL and

02:43.680 --> 02:47.610
if the certificate is there in the list, then it is not trusted.

02:47.610 --> 02:50.880
So let's look into how exactly it might look like.

02:51.180 --> 02:54.990
So for our test purpose we'll just open up digitalocean.com.

02:54.990 --> 03:00.120
So let's open up the certificate associated with DigitalOcean.

03:00.120 --> 03:01.830
So we'll go to details.

03:02.850 --> 03:08.730
And if you look into the extensions only, there is one extension called CRL Distribution Points.

03:08.760 --> 03:12.000
So if I open this up, you have the list.

03:12.000 --> 03:17.550
So this is the URL from where you can download the CRL and this is important.

03:17.550 --> 03:20.970
So let's say you have a web browser, it receives the certificate.

03:20.970 --> 03:25.670
So now it also needs to verify whether the certificate is revoked or not.

03:25.680 --> 03:31.410
So one of the ways is through the CRL distribution point, so the web browser will look into the CRL

03:31.410 --> 03:32.520
distribution point.

03:32.550 --> 03:34.800
It will fetch the URL.

03:34.800 --> 03:38.970
So let's copy this URL and let me paste it.

03:39.180 --> 03:43.830
So you see, after I pasted it, it automatically got downloaded here.

03:43.860 --> 03:44.630
All right.

03:44.640 --> 03:50.820
Now this is a file which basically contains the serial number of the certificates.

03:50.820 --> 03:52.410
So let me quickly show you.

03:52.410 --> 04:00.360
So from the command prompt, I'll open up certutil, I'll say dump and I'll pass on the CRL.

04:00.720 --> 04:05.130
So basically if you see it contains huge amount of data here.

04:05.140 --> 04:08.890
So it contains serial number as well as the revocation list.

04:08.890 --> 04:13.210
So let me do a control C over here because this list is quite huge.

04:14.320 --> 04:16.870
So here it basically contains two things.

04:16.870 --> 04:20.620
One is the serial number and second is the revocation date.

04:20.620 --> 04:25.660
So you see the number of certificates which are revoked is quite huge.

04:25.660 --> 04:29.680
So now let's look into what exactly serial number is.

04:29.710 --> 04:36.580
Now, if you open up the certificate yet again, now every certificate has a serial number.

04:36.610 --> 04:38.410
This is important for you to know.

04:38.860 --> 04:42.400
So for DigitalOcean, this is the serial number.

04:42.400 --> 04:49.240
So if a certificate is revoked, this is the serial number that you will be seeing within the CRL.

04:49.240 --> 04:54.610
And the Certificate Authority works in that way as far as the CRLs are concerned.

04:54.610 --> 04:56.530
So you will have the serial number.

04:56.530 --> 05:01.000
So if you see you have the serial number here and you have the revocation date.

05:01.270 --> 05:05.590
So this has been the way of checking the revoked certificates.

05:05.590 --> 05:07.720
However, there is a problem with CRL.

05:07.720 --> 05:14.440
You see, the more certificates get revoked, because a specific certificate authority

05:14.440 --> 05:17.080
might have tens of thousands of certificates.

05:17.260 --> 05:24.700
So if a huge amount of certificates are being revoked, then the size of the CRL will also increase and

05:24.700 --> 05:30.130
the browser or a client who is checking whether the certificate is revoked or not

05:30.160 --> 05:36.940
will have to go through the list, and if the certificate associated with your website is present at

05:36.940 --> 05:40.210
the end of the list, it might take a little amount of time.

05:40.210 --> 05:43.990
So this is not a very efficient way of doing things.

05:43.990 --> 05:51.760
So the OCSP protocol was released to basically prove to be an alternative to CRL.

05:51.910 --> 05:59.200
So again, OCSP, which stands for Online Certificate Status Protocol, is basically an internet protocol

05:59.200 --> 06:05.380
used for obtaining the revocation status of an X.509 certificate.

06:05.380 --> 06:09.670
So the goal of both CRL and OCSP is the same.

06:09.670 --> 06:12.280
So let's look into the working of OCSP.

06:12.580 --> 06:14.290
So you have the client here.

06:14.290 --> 06:19.360
The client basically connects to a website to perform the SSL/TLS handshake.

06:19.360 --> 06:24.490
So this website basically gives the server certificate back to the client.

06:24.490 --> 06:32.800
So now instead of the client downloading or exploring the CRL, what it basically does is it contacts the

06:32.800 --> 06:34.000
OCSP server.

06:34.000 --> 06:39.640
So this server certificate would also have the OCSP server URL.

06:39.640 --> 06:46.960
So basically this client will connect to this URL and it will verify whether this server certificate

06:46.960 --> 06:48.370
is revoked or not.

06:48.370 --> 06:56.320
And this OCSP server, which is managed by the CA, will send a success or failed response.

06:56.320 --> 07:01.150
If it is a success response, that means the certificate is perfectly fine.

07:01.150 --> 07:05.020
If it is a failed response, that means the certificate is revoked.

07:05.050 --> 07:13.330
So now the entire aspect of checking the certificate is managed by the OCSP server, which is typically

07:13.360 --> 07:15.910
handled by the certificate authority.

07:15.910 --> 07:22.510
So this is one of the quick ways in which you can go ahead and check for the revocation status.

07:22.510 --> 07:24.700
So let me also show you this.

07:25.000 --> 07:27.850
So let's open up the DigitalOcean certificate.

07:30.600 --> 07:35.100
We'll go to extensions only, now within the Authority Information Access.

07:35.100 --> 07:37.020
So this is one of the extensions.

07:37.020 --> 07:38.670
So let me just open this up.

07:38.670 --> 07:41.130
So this is the Authority Information Access.

07:41.130 --> 07:47.370
Within here you have the access method, which is Online Certificate Status Protocol, and essentially you

07:47.370 --> 07:48.750
have the URL here.

07:48.930 --> 07:52.530
So before we conclude, let me also show you one more thing.

07:53.720 --> 07:55.130
So when you go to options.

07:55.130 --> 07:56.720
So this is a browser option.

07:56.720 --> 08:02.060
If you go into Privacy and Security, within Certificates, you see you have an option which is "Query

08:02.090 --> 08:06.500
OCSP responder servers to confirm the current validity of certificates."

08:06.500 --> 08:11.750
And this is important because nowadays you will see that the certificates which are being sent to the

08:11.750 --> 08:13.760
client, in our case it would be the browser.

08:13.760 --> 08:17.930
So that certificate has the OCSP URL.

08:17.930 --> 08:25.310
So it is important that the browser verifies with those URLs, which are also referred to as the OCSP responder,

08:25.310 --> 08:29.210
to verify whether the certificate is revoked or not.

08:29.360 --> 08:36.920
So that's the high-level overview about both the certificate revocation lists and the OCSP protocol.

08:36.920 --> 08:41.960
I hope you understood, at a high level, the revocation methods.
