Personal Security Environment (PSE) Token properties. Realisation of PSEs : Tokens. How to store private keys? Chapter 6.

Similar documents
Public Key Infrastructures

Public Key Infrastructures

Public Key Infrastructures

Public Key Infrastructures Chapter 06 Private Keys

SSL/TLS Certificate Generation

PKCS #15: Conformance Profile Specification

SSL/TLS Certificate Generation

Securing U2 Soap Server

SAML with ADFS Setup Guide

Public Key Infrastructures Chapter 11 Trust Center (Certification Authority)

SSL/TLS Certificate Generation

Creating an authorized SSL certificate

SSL Configuration Oracle Banking Liquidity Management Release [April] [2017]

ADFS Setup (SAML Authentication)

SafeNet KMIP and Google Drive Integration Guide

Guide Installation and User Guide - Mac

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

KeyA3 Certificate Manager

Public Key Enabling Oracle Weblogic Server

Director and Certificate Authority Issuance

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

راهنماي استفاده از توکن امنيتي کيا 3 در نرمافزارهاي مبتني بر PKI توکن امنيتي سخت افزاري

VMware vrealize Operations for Horizon Security. 20 SEP 2018 VMware vrealize Operations for Horizon 6.6

QUICK SET-UP VERIFICATION...3

midentity midentity Basic KOBIL midentity Basic Mobile, Secure and Flexible

Owner of the content within this article is Written by Marc Grote

INSTRUCTIONS FOR INSTALLING AND USING ELECTRONIC SIGNATURE CERTIFICATES UNDER LINUX

Unified Management Portal

Guide Installation and User Guide - Windows

Public Key Infrastructure. What can it do for you?

Dohatec CA. Export/Import Procedure etoken Pro 72K FOR USERS OF ETOKENS [VERSION 1.0]

Symantec PKI Enterprise Gateway Deployment Guide. v8.15

Web as a Distributed System

VMware vrealize Operations for Horizon Security. VMware vrealize Operations for Horizon 6.5

Managing AON Security

eroaming platform Secure Connection Guide

keyon / PKCS#11 to MS-CAPI Bridge User Guide V2.4

Let's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX

GlobalForms SSL Installation Tech Brief

TFS WorkstationControl White Paper

Public Key Infrastructures

Guide Installation and User Guide - Linux

Digital it Signatures. Message Authentication Codes. Message Hash. Security. COMP755 Advanced OS 1

Sharing Secrets using Encryption Facility - Handson

Oracle Insurance Rules Palette

USER MANUAL FOR SECURE E MAIL MICROSOFT OUTLOOK (2003)

Information Security CS 526

Configuring the RTP Server

The SafeNet Security System Version 3 Overview

Key Management and Distribution

Certificate Import to Aladdin etoken

QuoVadis Trustlink Schweiz AG Teufenerstrasse 11, 9000 St. Gallen

PKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore

Developers Integration Lab (DIL) Certificate Installation Instructions. Version 1.6

Server software page. Certificate Signing Request (CSR) Generation. Software

PKCS #15 v1.0: Cryptographic Token Information Format Standard

Assuming you have Icinga 2 installed properly, and the API is not enabled, the commands will guide you through the basics:

Tomcat SSL Certificate Deployment Guide (generate CSR by customer)

XenApp 5 Security Standards and Deployment Scenarios

Interface. Circuit. CryptoMate

Using Certificates with HP Network Automation

6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename

Access SharePoint using Basic Authentication and SSL (via Alternative Access URL) with SP 2016 (v 1.9)

1. Product Overview 2. Product Features 3. Product Value 4. Comparison Chart 5. Product Applications 6. Q & A

FileAudit Plus. Steps for Enabling SSL: The following steps will help you in the installation of SSL certificate in FileAudit Plus

CSE 565 Computer Security Fall 2018

Data Security and Privacy. Topic 14: Authentication and Key Establishment

SecureDoc Disk Encryption Cryptographic Engine

Oracle Insurance Policy Administration Configuration of SAML 1.1 Between OIPA and OIDC

Certificate Enrollment- and Signing Services for the Cloud. A behind-the-scenes presentation of a successful cooperation between

PKI Contacts PKI for Fraunhofer Contacts

SmartCard-HSM. n-of-m Authentication Scheme

H.O.-215, Ghanshyam Tower, M.G. Road ELA Technologie s H.O. Mumbai

Who s Protecting Your Keys? August 2018

SECURE YOUR INTEGRATIONS. Maarten Smeets

Architecture 1 3. SecureToken. 32-bit microprocessor smart chip. Support onboard RSA key pair generation. Built-in advanced cryptographic functions

1. Product Overview 2. Product Features 3. Comparison Chart 5. Q & A

Cryptography in Lotus Notes/Domino Pragmatic Introduction for Administrators

Deploy In-Memory Parallel Graph Analytics (PGX) to Oracle Java Cloud Service (JCS)

The Android security jungle: pitfalls, threats and survival tips. Scott

Configuring Oracle Java CAPS for SSL Support

This version of the IDGo 800 middleware contains the following components: IDGo 800 Credential Provider build 01

Weblogic Configuration Oracle FLEXCUBE Investor Servicing Release [October] [2015]

How to use the MESH Certificate Enrolment Tool

Meteor Quick Setup Guide Version 1.11

Application notes for supporting third-party certificate in Avaya Aura System Manager 6.3.x and 7.0.x. Issue 1.3. November 2017

HARDWARE SECURITY MODULES (HSMs)

ACOS5-64. Functional Specifications V1.04. Subject to change without prior notice.

Weblogic Configuration Oracle FLEXCUBE Universal Banking Release [May] [2017]

CERN Certification Authority

Entrust Technical Integration Guide for Entrust Security Manager 7.1 SP3 and SafeNet Luna CA4

Configuring Java CAPS for SSL Support

Internet Engineering Task Force (IETF) Request for Comments: 7292 Category: Informational. S. Parkinson A. Rusch M. Scott RSA July 2014

Short Public Report. 2. Manufacturer or vendor of the IT product / Provider of the IT-based service:

Java Card Technology-based Corporate Card Solutions

IBM Presentations: Implementing SSL Security in WebSphere Partner Gateway

Public Key Cryptography in Java

CoSign Hardware version 7.0 Firmware version 5.2

2 Electronic Passports and Identity Cards

Prescription Monitoring Program Information Exchange. RxCheck State Routing Service. SRS Installation & Setup Guide

Transcription:

Personal Security Environment (PSE) Public Key Infrastructures Chapter 6 Private Keys How to store private keys? Cryptography and Computeralgebra Prof. Dr. Johannes Buchmann Dr. Alexander Wiesmaier 2 Realisation of PSEs : Tokens Token properties in Software Secure storing of private keys in Hardware Compatibility Portability Availability Access protection PKCS#12 Java KeyStore e Application specific (e.g. Netscape) USB-Token Smartcard Hardware Security Module (HSM) 3 4

PKCS#12 PKCS#12: Modes Software based PSE Format for secure transport t and storing Most typical format for software PSEs Available at: http://www.rsa.com/rsalabs/node.asp?id=2138 asp?id Public Key Privacy Mode: Encryption with a symmetric key. This symmetric key is encrypted with the public key of the receiver. Password Privacy Mode: Encryption with a symmetric key, which is derived from a password. Public Key Integrity Mode: Signed with a private key. The receiver can verify the message. Password Integrity Mode: A MAC is calculated which can be verified by the receiver. 5 6 PKCS#12: ASN.1 PFX ::= SEQUENCE { version INTEGER {v3(3)}(v3,...), authsafe ContentInfo, macdata MacData OPTIONAL } AuthenticatedSafe ::= SEQUENCE OF ContentInfo -- Data if unencrypted -- EncryptedData if password-encrypted -- EnvelopedData if public key-encrypted yp AuthenticatedSafe ContentInfo ti PKCS#12: Structure Plain data Encrypted data Enveloped data 7 8

Java KeyStore Java Keystores Implementation of the KeyStore Class Two types: JKS Proprietary algorithms Weak encryption JCEKS Standard d algorithms Strong encryption Part of the JCE (Java Cryptography Extensions) Since Java 1.4 9 Easy Administration with keytool 10 KeyStore example keytool -genkey -alias test -keyalg RSA -keysize 1024 -keypass 123456 -storepass 123456 -keystore test.ks Run:../BatchFiles/keytool.bat Application specific Netscape Family Mozilla, Firefox, Thunderbird, SeaMonkey Through Software Security Module The standard implementation is proprietary The format for the import is PKCS#12 11 12

Private key import in Firefox Private key access in Firefox 13 14 Application specific Private key import in Windows Windows Internet Explorer, Outlook/Express The standard implementation is proprietary Through Cryptographic Service Provider The format for the import is PKCS#12 cs_student.p12 15 16

Private key access in Windows Hardware Security Module Secure storage and use of keys (Pseudo)random number generation Key pair generation cs_student.p12 Key archiving Encryption / decryption 17 Generating / verifying signatures Acceleration for cryptographic schemes (e.g. TLS) 18 Hardware Security Module Hardware Security Module Protect the keys against Mechanical attacks Temperature attacks Manipulation of the voltage But Keys can be accidentally destroyed e.g. due to mechanical influence during transport Chemical attacks The keys are destroyed in case of danger 19 20

Network Attached HSM Smartcards Secure key storing and use Shared HSM Speed Availability Robustness Key pair generation (not all) Calculation of digital signatures Decryption 21 22 Interface to the HSM Access over PKCS#11 Support functions like: Change PIN, Sign, Decrypt, Write certificate But: Some functions are not supported (e.g. change PUK) Different libraries are needed for supporting different cards and readers. Available at: http://www.rsa.com/rsalabs/node.asp?id=2133 PKCS#15 Specifies the structure of the filesystem in the chip card Every directory in the card is an application Pointers to cryptographic objects (ODF) Private Key Public Key Certificate There is a newer specification based on it: ISO 7816-15 Available at: http://www.rsa.com/rsalabs/node.asp?id=2141 23 24

Structure PKCS#15 E4 NetKey (TeleSec) (Root directory) MasterFile (MF) E4 evaluated (according to ITSEC) Global files (serial number, etc.) SigG application (Meta data) Descriptor DF(PKCS#15) rdata EF (DIR) Further DFs/EFs Pre-keyd with one key-pair according to SigG (Signature Act) NetKey application ODF PrKDF CDF ADF TokenInfo Object Directory File: Pointers to directories: PrivateKey Data, Certificate Data, Authentication Data (PIN) and Token Information (Serial number) 3 key pairs (pre-keyed) Null-PIN scheme (patented) 25 26 No filesystem but applets Java Cards JCRE (Java Card Runtime Environment) manages: the resources of the card the communication with the outside world the execution of the applets controls: the compliance with the security limitations Java Cards Like normal Java code, but without: Long, double, float Characters and strings Multidimensional arrays Threads Object serialization und cloning Dynamic loading of classes (like drivers) Security Manager Garbage Collector not always present 27 28

Life cycle of private keys Life cycle of private keys Backup Backup Storing Recovery Storing Recovery Transport Transport start state state appropriate parameters secure random number generator Destruction end state Destruction shielding against eavesdropping 29 30 Life cycle of private keys Life cycle of private keys Backup Backup Storing Recovery Storing Recovery Transport Transport persistent storing correct receiver deletion from the generator guaranteed delivery Destruction appropriate access protection Destruction appropriate transport security mechanisms 31 32

Life cycle of private keys Life cycle of private keys Backup Backup Storing Recovery Storing Recovery Transport Transport easy for the authorised users unrecoverable Destruction impossible for the unauthorised users protection of the private key Destruction easy for authorised users impossible for unauthorised users 33 34 Life cycle of private keys Life cycle of private keys Backup Backup Storing Recovery Storing Recovery Transport Transport persistent storing correct reestablishment only for certain keys easy for authorised users Destruction appropriate access protection Destruction impossible for unauthorised users 35 36

Life cycle of private keys Example 1: r generates keys Here: PGP 37 38 39 40

41 42 43 44

Storing 45 46 Transport Transport 47 48

Transport File contents../certificates/test t /T t r.cxt 49 50 Destruction 51 52

Destruction Destruction 53 54 Backup Backup 55 56

Backup Backup 57 58 Recovery Recovery 59 60

Recovery Life cycle of private keys Example 2: TC generates keys Here: TUD Card 61 62 Storing The manufacturer creates the keys Contains the private key input A file exists that holds the private key. Security condition: output 63 PSO (Perform Security Operation) after PIN has been correctly given. 64

Transport By snail mail First detection Null-PIN technique 65 66 Set PIN See PUK Download certificate PIN-Entry necessary for PSO 67 68

Destruction Backup Physical destruction of the card. high temperature, etc Each encryption key is stored in a PKCS#12 file input output 69 70 Life cycle of private keys Generate keytool -genkey -keyalg RSA -keystore keystore.ks -alias myalias Example 3: r generates keys Here: Java keytool 71 72

Store Transport keytool -genkey -keyalg RSA -keystore keystore.ks -alias myalias The key is already at the client side. 73 74 In order to use the private key, the public key is certified by a CA. Thawte example 75 76

77 78 79 80

Hi! Please use your browser to go to the following URL: https://www.thawte.com/cgi/enroll/personal/step8.exe Once you have connected successfully to the above address, you must copy and paste the "probe" and "ping" values below into the appropriate text boxes: Probe: value Ping: value You should save this message until you have completed the enrollment process, just in case. But you MUST go to the above URL within 24 hours, or we will delete your request information and you'll have to start over! If you have problems completing the above please contact our support team by going to the following URL: https://www.thawte.com/cgi/support/contents.exe Regards, The thawte team thawte Certification 81 82 83 84

85 86 87 88

email address 89 90 91 92

keytool -certreq -keystore keystore.ks -file csr.txt -alias myalias -----BEGIN NEW CERTIFICATE REQUEST----- MIIBrDCCARUCAQwbDELMAkGA1UEBhMCREUxDjAMBgNVB TBUhlc3NlMRIwEAYDVQQHEwlEYXJtN57qbnyAfAAAAAAA c3rhzhqxddkbgnvata1rvrdemmaoga1uecxmdq0rdmr wgwydvqqdexrwy5nzwxpcyblyxjhn57qbnyafaaaaaaa dhnpb2xpcznzanbqhkig9w0baqefaaobjqawgykcgyearoj ITHFBR5orQ9dB4qkP/gMhS1hCNiowdM2CrJINiowdM2CCCCE +Qrzut77pzzjlEBLQeeMC0Q88LF8tTJfFoUKdGni/PAAiOPHxv NXFFH0YZs4/P7gXMAX+9eEgGNiowdM2CrJINiowdM2CCCCE jl2ig7pyqlkggwibvxyqmex2tkk9tkwqcvfjl6bktjiijermgoly i79dk3cdwx26z8caweaaaaaniowdm2crjiniowdm2cccceee MA0GCSqGSIb3DEBBAUAAGBAIvbaheW+lVaDdRN57qbnyAf3baheW+lVaDdRN57qbn Af3 qqxd2gcjmbccco8v3tn9zc4mseniowdm2crjiniowdm2cccc pxxtfqg4uqo0urjiniowdm2ctrpzletorjntoxxirlhp9+lln XnER43nYvcLZ/QIChlfIX6KiPrJINiowdM2CrJINiowdM2CCCC Elr81bvYRq6G/bGxrz4K55c17UIqPtlGN7yQEDxYZ5e+ -----END NEW CERTIFICATE REQUEST----- 93 94 95 96

The user receives a URL that contains the certificate inside a PKCS#7 structure 97 98 Destruction keytool -import -file test.crt -alias myalias -trustcacerts -keystore keystore.ks ks 99 100

Backup Recovery A simple copy of the file to: a CD a USB stick an external hard disc or similar Recovery from the copy location. Password is needed. The password may be changed. 101 102

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback