x.500
x.509
SSL/PKI

What is x.500?

  • X.500 is a series of computer networking standards covering electronic directory services (Wikipedia)

Then what are those

directory services?

  • In computing, directory service or name service maps the names of network resources to their respective network addresses. It is a shared information infrastructure for locating, managing, administering and organizing everyday items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects.

side note:

how that relates to CMDB/IPAM?

IPAM: IP address management (IPAM) is a methodology implemented in computer software for planning and managing the assignment and use of IP addresses and closely related resources of a computer network.

side note:

how that relates to CMDB/IPAM?

CMDB: A Configuration Management Database (CMDB) is an ITIL database used by an organization to store information about hardware and software assets (commonly referred to as Configuration Items [CI]). This database acts as a data warehouse for the organization and also stores information regarding the relationships among its assets.

So X.500 is a data structure, a kind of database for things. Why is it then different from a relational database (like SQL)?

  • Tree structure
  • Optimized for reading
  • Schema is object class, attributes, namespaces
  • Object MAY or MUST have certain attributes
  • Attributes can be multi-valued
  • DN (Distinguished Name)

Implementation of the original X.500 was somewhat difficult... but we all know LDAP.

The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory services over an Internet Protocol (IP) network.

Or Microsoft Active Directory...

Systems that are based on X.500, such as LDAP, the DCE Directory, Novell's NDS, and Microsoft's Active Directory, each define their own string representation. For example, in LDAP, a DN's RDNs are arranged right to left, separated by the comma character (","). Here's an example of a name that starts with "c=us" at the top and leads to "cn=Rosanna Lee" at the leaf.

   cn=Rosanna Lee, ou=People, o=Sun, c=us

Here's an example of the same name using the string representation of the DCE Directory and Microsoft's Active Directory.

    /c=us/o=Sun/ou=People/cn=Rosanna Lee
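The two string forms above name the same path through the tree, just written from opposite ends. The following is an added example (not code from the original slides): a small RFC 4514 parser that splits an LDAP DN into its RDNs, honoring backslash escapes so a comma inside a value does not start a new RDN, and then renders the same name in the slash-separated, root-first form used by the DCE Directory and Active Directory. It also re-escapes values when rebuilding an LDAP DN, which is how you get the parent entry's DN. Multi-valued RDNs ('+') and multi-byte hex escapes are out of scope for this teaching parser.

```python
"""LDAP (RFC 4514) distinguished names: parse, escape, and convert to the
DCE / Active Directory slash form. Added example, not from the slides."""
from typing import List, Tuple

Rdn = Tuple[str, str]  # (attribute type, attribute value), e.g. ("cn", "Rosanna Lee")

_HEX = set("0123456789abcdefABCDEF")
# Characters that must be backslash-escaped inside a DN value (RFC 4514 2.4).
_SPECIAL = '\\,+"<>;='


def _split_rdn(rdn: str) -> Rdn:
    """Split one 'attr=value' RDN; attribute types never contain '='."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"RDN without '=': {rdn!r}")
    return attr.strip(), value.strip()


def parse_ldap_dn(dn: str) -> List[Rdn]:
    """Parse an LDAP DN string into RDNs, leaf first (LDAP order).

    Handles '\\X' (escaped special character) and '\\XX' (single-byte hex
    pair). A comma produced by either escape stays inside the value.
    """
    rdns: List[Rdn] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 2 < len(dn) and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))  # \2c -> ','
                i += 3
                continue
            if i + 1 < len(dn):
                buf.append(dn[i + 1])  # \, -> ','
                i += 2
                continue
            raise ValueError("dangling backslash in DN")
        if ch == ",":
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(_split_rdn("".join(buf)))
    return rdns


def escape_dn_value(value: str) -> str:
    """Escape a raw attribute value for inclusion in an LDAP DN string."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and idx in (0, last):   # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and idx == 0:            # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def to_ldap_dn(rdns: List[Rdn]) -> str:
    """Render RDNs (leaf first) as a comma-separated LDAP DN."""
    return ",".join(f"{a}={escape_dn_value(v)}" for a, v in rdns)


def to_dce_path(rdns: List[Rdn]) -> str:
    """Render the same name root-first with '/' separators (DCE / AD style)."""
    return "/" + "/".join(f"{a}={v}" for a, v in reversed(rdns))


if __name__ == "__main__":
    name = "cn=Rosanna Lee, ou=People, o=Sun, c=us"   # the slide's example DN
    rdns = parse_ldap_dn(name)
    print(to_dce_path(rdns))            # /c=us/o=Sun/ou=People/cn=Rosanna Lee
    print(to_ldap_dn(rdns[1:]))         # parent entry: ou=People,o=Sun,c=us
```

Note that `parse_ldap_dn` returns the leaf first, which is LDAP's own order; `to_dce_path` simply reverses that list, which is the whole difference between the two notations.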

The client may request the following operations (among others):

  • Bind – authenticate and specify LDAP protocol version
  • Search – search for and/or retrieve directory entries
  • Compare – test if a named entry contains a given attribute value
  • Add a new entry
  • Delete an entry
  • Modify an entry
  • Unbind – close the connection (not the inverse of Bind)

LDAP URLs

An LDAP URL is a string that can be used to encapsulate the address and port of a directory server, the DN of an entry within that server, or the criteria for performing a search within that server.

example:

ldap://ds.example.com:389/dc=example,dc=com
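The URL above carries only a host, port and base DN, but the same syntax (RFC 4516) can also carry the attribute list, search scope, filter and extensions as `?`-separated fields after the DN. As an added example (not from the original slides), here is a parser that fills in the RFC defaults for missing fields, so a reader can see exactly what a bare URL like the one above asks a server to do. The sample URLs in the `__main__` block are constructed for illustration.

```python
"""Parse LDAP URLs (RFC 4516). Added example, not from the slides."""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = {"base", "one", "sub"}


@dataclass
class LdapUrl:
    scheme: str
    host: str          # empty string = "use a locally configured server"
    port: int
    dn: str            # base DN of the search (may be empty = root DSE)
    attributes: List[str]  # empty = all user attributes
    scope: str         # base | one | sub
    filter: str
    extensions: List[str]


def parse_ldap_url(url: str) -> LdapUrl:
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL scheme: {parts.scheme!r}")
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS[scheme]
    # The DN is the path without its leading '/', percent-decoded.
    dn = unquote(parts.path[1:]) if parts.path.startswith("/") else ""
    # After the DN come up to four '?'-separated fields; urlsplit has already
    # put everything after the first '?' into .query.
    fields = parts.query.split("?", 3) if parts.query else []
    fields += [""] * (4 - len(fields))
    attrs_s, scope_s, filter_s, ext_s = fields
    attributes = [unquote(a) for a in attrs_s.split(",") if a]
    scope = unquote(scope_s).lower() or "base"       # RFC default: base
    if scope not in SCOPES:
        raise ValueError(f"bad scope: {scope!r}")
    filt = unquote(filter_s) or "(objectClass=*)"    # RFC default filter
    extensions = [unquote(e) for e in ext_s.split(",") if e]
    return LdapUrl(scheme, host, port, dn, attributes, scope, filt, extensions)


if __name__ == "__main__":
    samples = [  # constructed sample URLs
        "ldap://ds.example.com:389/dc=example,dc=com",
        "ldaps://ds.example.com/ou=People,dc=example,dc=com?cn,mail?sub?(uid=rlee)",
    ]
    for s in samples:
        print(parse_ldap_url(s))
```

Reading the result for the slide's URL: scheme `ldap` on port 389 (so unencrypted unless the client upgrades with STARTTLS), base DN `dc=example,dc=com`, scope `base`, filter `(objectClass=*)`, all attributes. A URL of the `ldaps` form selects port 636 and TLS from the start.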

Like a standard database, LDAP has similar flaws.

Like: LDAP injection, unencrypted data, problems with replication, etc.
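LDAP injection works like SQL injection: a search filter is assembled from user input by string concatenation, and the input's parentheses and wildcards become filter syntax instead of a literal value. The fix is the same as well: escape the value before it goes into the filter. The following added example (not from the original slides) shows the fragile construction beside the hardened one using RFC 4515 escaping, plus two small checks a defender can use to flag risky input and to confirm that a built filter still contains only the intended assertions. The username input is a constructed sample.

```python
"""LDAP filter injection: unsafe vs escaped filter building (RFC 4515).
Added example, not from the slides."""
import re

# RFC 4515: these bytes must be written as backslash + two hex digits inside
# an assertion value so they are matched literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a raw value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def needs_escaping(value: str) -> bool:
    """Detection helper: does this raw input carry filter metacharacters?
    Useful for logging/alerting on suspicious login or lookup attempts."""
    return any(ch in _FILTER_ESCAPES for ch in value)


def unsafe_filter(username: str) -> str:
    """DO NOT USE: the value is interpolated verbatim, so input can close the
    uid assertion and append its own."""
    return f"(&(objectClass=person)(uid={username}))"


def safe_filter(username: str) -> str:
    """Hardened form: the value is escaped, so it can only ever match literally."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def count_assertions(filt: str) -> int:
    """Count '(attr=' attribute assertions in a filter string. A filter built
    from one literal by the functions above must contain exactly two."""
    return len(re.findall(r"\([A-Za-z][\w;.-]*=", filt))


if __name__ == "__main__":
    for name in ["rlee", "*)(uid=*"]:   # constructed inputs: benign, then hostile
        print(f"{name!r}: suspicious={needs_escaping(name)}")
        print("  unsafe:", unsafe_filter(name), "->", count_assertions(unsafe_filter(name)), "assertions")
        print("  safe:  ", safe_filter(name), "->", count_assertions(safe_filter(name)), "assertions")
```

The `count_assertions` check is deliberately crude (a regex, not a filter parser), but it is enough to show the difference: the unsafe build of the hostile input yields three assertions, the escaped build two, exactly as for a benign username. Real LDAP client libraries ship an equivalent of `escape_filter_value`; use theirs rather than writing your own in production code.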

Where else are we using X.500/Directory Services?

DNS

That's actually not quite true; DNS was here before X.509. But they have much in common. DNS is the oldest DS still in use.

NIS

Yellow Pages, Unix, mostly a Solaris thing.

Still used in big companies...

Where else are we using X.500/Directory Services?

SSL

Yes, Secure Socket Layer.

But how?

Well... X.509 was originally designed to be the secure access method for updating X.500. Then we had browsers and X.509v3.

X.509? I thought we were talking about SSL... (?)

X.509 was initially issued on July 3, 1988 and was begun in association with the X.500 standard.

It assumes a strict hierarchical system of certificate authorities (CAs) for issuing the certificates. The IETF's Public-Key Infrastructure (X.509), or PKIX, working group has adapted the standard to the more flexible organization of the Internet.

X.509? I thought we were talking about SSL... (?)

An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system. Browsers such as Internet Explorer, Firefox, Opera, Safari and Chrome come with a predetermined set of root certificates pre-installed, so SSL certificates from major certificate authorities will work instantly; in effect the browsers' developers determine which CAs are trusted third parties for the browsers' users. For example, Firefox provides a CSV and/or HTML file containing a list of Included CAs. IE uses certs from the Windows Certificate Store, which is more like a Directory Service.

Certificate Store in Windows.

Certs in Firefox.

Certificates in Firefox Browser.

Little about cryptography, certs and SSL/TLS...

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP).

  • SSL1.0, SSL2.0, SSL3.0, TLS1.0, TLS1.1, TLS1.2, TLS1.3
  • Symmetric vs asymmetric
  • Ciphers
  • CAs
  • StartSSL/WoSign case
  • LetsEncrypt
  • Certificate Transparency
  • DH
  • HPKP
  • CAA
  • HSTS
  • SPDY/H2/QUIC
  • DoH
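Several of the bullets above (protocol versions, ciphers, CAs, DH) come together in how a TLS client is configured. As an added example (not from the original slides), here is a weak client context beside a hardened one, built with Python's standard `ssl` module, plus an `audit` function that reports the settings that matter. The weak one is what "make the certificate error go away" code tends to produce: no CA verification, no hostname check, and the oldest protocol version the local OpenSSL still allows. The hardened one pins the floor at TLS 1.2, requires a chain to a trusted root (the platform store, or a private PKI's CA file if one is passed), and restricts TLS 1.2 cipher suites to ECDHE key exchange with AEAD ciphers. No network connection is made; the contexts are only inspected.

```python
"""TLS client context: weak vs hardened settings, inspected offline.
Added example, not from the slides."""
import ssl
from typing import Optional


def weak_context() -> ssl.SSLContext:
    """Anti-pattern: accepts any certificate from anyone on any old protocol."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # any server name is accepted
    ctx.verify_mode = ssl.CERT_NONE             # the chain is never verified
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever OpenSSL still allows
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that enforces modern TLS and real certificate validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL3 / TLS1.0 / TLS1.1 refused
    ctx.verify_mode = ssl.CERT_REQUIRED            # chain must end at a trusted root
    ctx.check_hostname = True                      # name in the cert must match
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # private PKI: trust only this CA
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)  # platform root store
    # TLS 1.2 suites: ephemeral (EC)DH for forward secrecy and AEAD ciphers only.
    # TLS 1.3 suites are configured separately by OpenSSL and are already strong.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarize the security-relevant settings of a context."""
    ciphers = ctx.get_ciphers()
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        # TLS 1.2 suites report kea 'kx-ecdhe'; TLS 1.3 suites report 'kx-any'
        # because key exchange is negotiated outside the suite name.
        "forward_secrecy_only": all(c["kea"] in ("kx-ecdhe", "kx-any") for c in ciphers),
        "cipher_count": len(ciphers),
    }


if __name__ == "__main__":
    print("weak:    ", audit(weak_context()))
    print("hardened:", audit(hardened_context()))
```

The `verifies_chain` and `checks_hostname` fields are the two that decide whether the CA system discussed on the earlier slides is in play at all: with `CERT_NONE` the browser-style root store is never consulted, and any certificate, self-signed or otherwise, is accepted.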

Other topics and questions...

Your turn!