PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

Similar documents
CSE 565 Computer Security Fall 2018

Public Key Infrastructures

Chapter 9: Key Management

Public Key Infrastructures. Using PKC to solve network security problems

L8: Public Key Infrastructure. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Server-based Certificate Validation Protocol

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

Digital Certificates Demystified

6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename

Public Key Establishment

Public Key Infrastructure

Certificate Revocation: What Is It and What Should It Be

Certificates and Certification

Public Key Infrastructures

SSL Certificates Certificate Policy (CP)

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

Public-Key Infrastructure NETS E2008

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Key Management and Distribution

CT30A8800 Secured communications

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

Lecture Notes 14 : Public-Key Infrastructure

Certificateless Public Key Cryptography

X.509 CERTIFICATE X.509 CERTIFICATE PUBLIC-KEY CERTIFICATES THE CERTIFICATE TRIANGLE CERTIFICATE TRUST. INFS 766 Internet Security Protocols

FPKIPA CPWG Antecedent, In-Person Task Group

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

PUBLIC-KEY CERTIFICATES

Security Digital Certificate Manager

Version 3 X.509 Certificates

IBM. Security Digital Certificate Manager. IBM i 7.1

The Information Technology (Certifying Authority) Regulations, 2001

Network Security Essentials

Public. Atos Trustcenter. Server Certificates + Codesigning Certificates. Version 1.2

Managing Certificates

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Certificate implementation The good, the bad, and the ugly

AeroMACS Public Key Infrastructure (PKI) Users Overview

Request for Comments: TIS Labs March Storing Certificates in the Domain Name System (DNS)

KEY DISTRIBUTION AND USER AUTHENTICATION

Axway Validation Authority Suite

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Cryptography and Network Security

What is a Digital Certificate? Basic Problem. Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

TELIA MOBILE ID CERTIFICATE

Signature Validity States

Bart Preneel PKI. February Public Key Establishment. PKI Overview. Keys and Lifecycle Management. How to establish public keys?

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

Security Protocols and Infrastructures. Winter Term 2015/2016

Cryptography and Network Security Chapter 14

SONERA MOBILE ID CERTIFICATE

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

ForeScout CounterACT. SecureConnector Advanced Features. How-to Guide. Version 8.0

APNIC Trial of Certification of IP Addresses and ASes

Standard Certificate Extensions (1.)

PKIs for Mobile Commerce

Electronic Seal Administrator Guide Published:December 27, 2017

ECE 646 Lecture 3. Key management

Some Lessons Learned from Designing the Resource PKI

Add or remove a digital signature in Office files

Chapter 10: Key Management

Displaying SSL Configuration Information and Statistics

Certificates, Certification Authorities and Public-Key Infrastructures

Lecture 16 Public Key Certification and Revocation

Security Protocols and Infrastructures

Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution

Description Provides details about the CA s certificate and all certificates that the CA will issue.

Key management. Pretty Good Privacy

ISO/IEC INTERNATIONAL STANDARD

Cryptography and Network Security

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Certification Practice Statement

Spring 2010: CS419 Computer Security

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

LPKI - A Lightweight Public Key Infrastructure for the Mobile Environments

Authentication in Distributed Systems

Configuring SSL CHAPTER

Distributed Access Control. Trust Management Approach. Characteristics. Another Example. An Example

Elliptic Curve Cryptography (ECC) based. Public Key Infrastructure (PKI) Kunal Abhishek Society for Electronic Transactions & Security (SETS), Chennai

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

Information technology Open Systems Interconnection The Directory Part 8: Public-key and attribute certificate frameworks

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

Key management. Required Reading. Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E

Public Key Infrastructure (PKI) Implementation at ETF Sarajevo

Configuring SSL. SSL Overview CHAPTER

September 1997 Expires March Storing Certificates in the Domain Name System

PAA PKI Mutual Recognition Framework. Copyright PAA, All Rights Reserved 1

Certificate Revocation : A Survey

APNIC Trial of Certification of IP Addresses and ASes

INTERNATIONAL STANDARD

IBM i Version 7.2. Security Digital Certificate Manager IBM

Using Cryptography CMSC 414. October 16, 2017

Overview of Authentication Systems

CS Computer and Network Security: PKI

EXBO e-signing Automated for scanned invoices

Lecture 14. Public Key Certification and Revocation

Transcription:

Public Key Infrastructures Public Key Infrastructure Definition and Description Functions Components Certificates 1 2 PKI Services Security Between Strangers Encryption Integrity Non-repudiation Key establishment What Does A PKI Do? Accurately Deliver Stored, Authenticated Public Keys to Requestors It is an Infrastructure for Establishing and Maintaining an Address Book 3 4 PKI Definition #1 "A PKI is a pervasive security infrastructure whose services are implemented and delivered using public-key concepts and techniques". -Adams/LLoyd 5 Text PKI Definition Certificates Repositories Method of evaluating certificates Revocation method 6 1

PKI Functions Create the Directory Update the Directory Register Users Deliver Keys on Request Keep the Directory Available Revoke Bad or Canceled Public Keys 7 1. Client 2. Trusted Registrar 3. Database Administrator Store Issue Verify 8 1. Client Roles Public Key Bearer Authenticated to PKI Key granted by PKI Public Key Requestor Seeking another party's public key 2. Trusted Registrar Establishes absolute identify of Public Key Bearers Binds the bearer's public key to their identity This is the quintessential PKI user9 10 3. Certificate Authority Acts as the Database Administrator Stores Public Keys for Bearers Establishes Certificates for Bearers Provides Certificates to Requestors Verifies Public Keys for Requestors 11 A Typical PKI Use 1. Client registers with an RA (once) RA creates and distributes client identity to CAs 2. Client requests key from CA(s) CA creates & issues key and certificate 3. Client uses the key and certificate to transmit sensitive data 12 2

PKI for Authorization 1. Client registers with an RA (once) RA creates and distributes client identity to CAs 2. Client requests public key from CA(s) CA creates & issues key and certificate 3. Client requests service from an application and presents the certificate 4. Application verifies the certificate (via the Certificates Binds a public key to an identity Usual method is to use a data structure that contains at least following three elements: 1. The public key 2. The identity of the public key owner 3. A signature over the above two fields CA's key) and provides the service 13 14 A Simple But Strong Certificate Certificate Standards Alice Identity of the public key holder [Alice,PK a ] PKc -1 The Encrypted Signature Charlie Identity of the Certifying Authority X.509 Simple Public Key Infrastructure (SPKI) Pretty Good Privacy (PGP) Attribute Certificates In order to extract Alice's verified public key, the certificate holder must know Charlie's public key. 16 X.509 Certificate Version Serial Number Signature Issuer Validity Subject Subject Public Key Info Issuer Unique ID Subject Unique ID Extensions Certificate Version (e.g. X.509_v3) Unique Identifier for the Certificate ID of the Algorithm Used to Sign the Certificate Unique Name of the Certificate Issuer Time Period of Certificate Validity Unique Name of the Certificate Owner Public Key and Algorithm ID of the Owner Optional Unique ID of the Certificate Issuer Optional Unique ID of the Certificate Owner Optional Extensions 17 Optional Extensions 1. Authority Key Identifier ID of the key that should be used to verify this certificate in case the CA has multiple signing keys 2. Subject Key Identifier ID of the public key contained in this certificate in case the owner has multiple public keys 3. Key Usage Bit string to identify or restrict usage of the key, e.g. signature only, encipher only, decipher only, etc. 4. Extended Key Usage Sequence of one or more OIDs that define specific usage of 18 the public key in the certificate (see RFC 2459) 3

Optional Extensions (cont) 5. CRL Distribution Point Location of the CRL partition where the CRL resides 6. Private Key Usage Period Time window that the PRIVATE key associated with this certificate may be used (Valid field in certificate deals with the Public key validity period) 7. Certificate policies One or more policy OIDs associated with the issuance and use of this certificate 8. Policy Mappings One or more policy OIDs equivalencies between two CA 19 domains (see RFC 2459) Optional Extensions (cont) 9. Subject Alternative Name Alternate owner name, e.g. email address, IP Addr 10.Issuer Alternative Name Alternate issuer name, e.g. email address, IP Addr 11.Subject Directory Attributes Used most to convey access/privilege information for the certificate owner, which is risky. 12.Basic constraints Indicates whether this is a CA certificate (T or F). 20 Optional Extensions (cont) 13.Path Length Constraint Indicates the maximum number of CA-certificates that may follow this certificate in a certificate chain. 14.Name Constraint In CA-certificates, indicates required or excluded subtree names for certificate chain. 15.Policy Constraints In CA-certificates, indicates required policy OIDs. 21 Simple Public Key Infrastructure Develop an Authorization Certificate that is simple to: Understand Implement Use Purpose Convey Permissions Delegate Permissions 22 OpenPGP Trust Model: Web of Trust Excellent Internet model Not compatible with X.509 Not suitable for centralized corporate use 23 Certificate Revocation 1.Adds significant complexity in infrastructure Certificates are fire and forget Lists must be maintained 2.Adds complexity in implementation It adds a second step in certificate verification 3.Time Revocation will likely NEVER be instantaneous If it is not instantaneous, how fast is fast enough? 24 4

Certificate Revocation Options 1. Certificate Revocation Lists (CRLs) 2. Authority Revocation Lists 3. CRL Distribution Points (Partitioned CRLs) 4. Delta CRLs 5. Indirect CRLs 6. Enhanced CRL Distrbution Points and Redirect CRLs Certificate Revocation Lists Signed data structure Contains a list of revoked certificates CR signer is usually the same entity that signed the certificate that the corresponding CRL revokes CRL is a signed list, not a database; cannot be updated 7. Certificate Revocation Trees (CRTs) 25 26 Certificate Revocation Lists Fields Version Date/time Signature expires Issuer List of revoked certificates Date/time issued Certificate Revocation Lists Extensions Reason Certificate Issuer Hold Instruction Code Invalidity Date Extensions 27 28 Authority Revocation Lists CRL for CA certificate revocation Should be very rarely used CRL Distribution Points CRL for CA domains Subdivides info about certificates 29 issued by one CA into multiple CRLs Enhanced CRL Distribution Points Dynamic CRL partitioning Allows reassociation of certificate & CRL after the certificate is issued. Can be accomplished by having the originally associated CRL redirect inquiries 30 5

Delta CRLs Used to enhance timeliness without significantly impacting performance Allows incremental postings of CR information Each Delta version contains ALL changes to the base CRL, so when a new Delta is received, old Deltas 31 can be discarded Indirect CRLs Enables single CRL for multiple CAs No specification for how to accumulate CR info from CAs to the issuing CA Certificate Revocation Trees Based on hash tree Dramatically reduces storage requirement Does not use CRL format 32 Other Revocation Option Short-lived certificate Problems with this? 33 Attribute Certificate Binds an attribute to a Distinguished Name The attribute could be an authorization To grant access, the attribute certificate is combined with 34 an ID certificate PKI Definition #2 Infrastructure that has the following components, infrastructure, & services: 1.Certification Authority 2.Certificate Repository 3.Certificate Revocation 4.Key Backup and Recovery 5.Automatic Key Update 6. Key History Management 7. Cross-certification 8. Supports Nonrepudiation 9. Time stamping 10.Client Software 35 Review Definition and Description Functions Components Certificates 36 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback