X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

Similar documents
Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Certificates, Certification Authorities and Public-Key Infrastructures

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

Key Management and Distribution

Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution

Overview. SSL Cryptography Overview CHAPTER 1

Configuring SSL CHAPTER

Lecture Notes 14 : Public-Key Infrastructure

Public Key Infrastructure

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

CSE 565 Computer Security Fall 2018

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

Configuring SSL. SSL Overview CHAPTER

Configuring SSL. SSL Overview CHAPTER

Key management. Required Reading. Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E

CERTIFICATE POLICY CIGNA PKI Certificates

ECE 646 Lecture 3. Key management

Public Key Infrastructures. Using PKC to solve network security problems

Security Digital Certificate Manager

Chapter 9: Key Management

IBM. Security Digital Certificate Manager. IBM i 7.1

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

Managing Certificates

Key management. Pretty Good Privacy

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Diffie-Hellman. Part 1 Cryptography 136

ECE 646 Lecture 3. Key management. Required Reading. Using the same key for multiple messages

Digital Certificates Demystified

Configuring Certificate Authorities and Digital Certificates

6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename

IBM i Version 7.2. Security Digital Certificate Manager IBM

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Send documentation comments to

Apple Inc. Certification Authority Certification Practice Statement. Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA

Understanding HTTPS CRL and OCSP

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Key Management and Distribution

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

Apple Inc. Certification Authority Certification Practice Statement

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Server-based Certificate Validation Protocol

Key Agreement Schemes

FPKIPA CPWG Antecedent, In-Person Task Group

VMware AirWatch On-Premises Certificate Authority Guide

Securing Connections with Digital Certificates in Router OS. By Ezugu Magnus PDS Nigeria

Cryptography and Network Security

What is a Digital Certificate? Basic Problem. Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Apple Inc. Certification Authority Certification Practice Statement

Network Security Essentials

Some Lessons Learned from Designing the Resource PKI

APNIC Trial of Certification of IP Addresses and ASes

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Public-key Infrastructure Options and choices

The most common type of certificates are public key certificates. Such server has a certificate is a common shorthand for: there exists a certificate

Considerations about the Architecture Solutions for PKI in Ad-hoc-Networks

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Certificate Revocation: What Is It and What Should It Be

Public-Key Infrastructure NETS E2008

Public Key Establishment

ECE 646 Lecture 3. Key management. Required Reading. Using Session Keys & Key Encryption Keys. Using the same key for multiple messages

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

CT30A8800 Secured communications

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.10 Effective Date: June 10, 2013

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

But where'd that extra "s" come from, and what does it mean?

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

SSL Certificates Certificate Policy (CP)

KEY DISTRIBUTION AND USER AUTHENTICATION

Comodo Certificate Manager

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Lecture 15 Public Key Distribution (certification)

X.509 CERTIFICATE X.509 CERTIFICATE PUBLIC-KEY CERTIFICATES THE CERTIFICATE TRIANGLE CERTIFICATE TRUST. INFS 766 Internet Security Protocols

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

PUBLIC-KEY CERTIFICATES

Standard Certificate Extensions (1.)

Public Key Algorithms

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

August 2007 Intel Pro SSL Addendum to the Comodo Certification Practice Statement v.3.0

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Total points: 71. Total time: 75 minutes. 9 problems over 7 pages. No book, notes, or calculator

Cryptography and Network Security Chapter 14

Public Key Infrastructure scaling perspectives

APNIC Trial of Certification of IP Addresses and ASes

Crypto meets Web Security: Certificates and SSL/TLS

INF3510 Information Security University of Oslo Spring Lecture 3 Key Management and PKI. Audun Jøsang

About & Beyond PKI. Blockchain and PKI. André Clerc Dipl. Inf.-Ing. FH, CISSP, CAS PM TEMET AG, Zürich. February 9, 2017

VMware AirWatch Integration with OpenTrust CMS Mobile 2.0

Certificate implementation The good, the bad, and the ugly

Cryptographic Protocols 1

Overview of Authentication Systems

Bugzilla ID: Bugzilla Summary:

Keep your fingers off my keys today & tomorrow

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N Rev 01 July, 2012

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

Public Key Infrastructures Chapter 11 Trust Center (Certification Authority)

Transcription:

X.509 CPSC 457/557 10/17/13 Jeffrey Zhu

2

3

X.509 Outline X.509 Overview Certificate Lifecycle Alternative Certification Models 4

What is X.509? The most commonly used Public Key Infrastructure (PKI) on the web Public Key Infrastructure Create, manage, distribute, and store certificates Certification Validation Path Algorithms Certificate Lifecycle Management Certificate Revocation Lists 5

Assumptions and Goals Users of certificates will utilize them in a variety of environments Certificates should be nonspecific in regards to environment Users of PKI will not necessarily be technologically sophisticated Need for automated and deterministic forms of authentication and identification Large number of security dimensions/attributes Minimize chances that CA administration mistake will result in broad compromise Decrease the number of configuration choices necessary 6

X.509 Architecture End entity Subjects or users of PKI certificates Certification Authority (CA) Issues and signs certificates Certification Practice Statement determined by each CA CRL issuer May be the same entity as CA Repository System that stores certificates and CRLs Distributes them as necessary to end entities 7

Commercial Certification On the local level: Extremely fragmented For websites: Most use SSL certificates Significant barriers to entry Symantec 42.9% Comodo Group 26% Go Daddy 14% Global Sign 7.7% 8

Certificate Structure Certificate Version Subject Issuer Public key for Subject Validity period Not Before Not After Signature Algorithm Signature Field Must be Distinguished Names: Unique identifier in CA s domain Can contain Country Organization State or Province Common name Serial Number 9

Extensions Allow for flexibility of certificates to contain additional fields Critical vs. Non-critical extensions Common Extensions: Authority Key Identifier means of identifying public key corresponding to private key used to sign Subject Key Identifier identify certificates that contain particular public key Key Usage defines purpose of key Certificate Policy information 10

Certificate Lifecycle Once a CA verifies the credentials of a user, it can create and issue a certificate for that user Policy matter context dependent After certificates are issued, they are either renewed or allowed to expire Can be revoked if: CA has been compromised User s secret key was leaked Name was changed 11

Certificate Revocation List (CRL) Two major types of CRLs Complete CRL signed and time-stamped list identifying revoked certificates Delta CRL used for updates to the complete CRL Published periodically at defined interval Issues Mistakes in revocation list Access to most current CRLs No guarantee that all certificate copies will be revoked 12

Comparisons to X.509 PGP (Web of Trust model) Introducer Model - users are referred from one user to another (creating a web ) Updates to the web are found by users themselves No guarantee if or when the web will be up-to-date No centralized entity Not scalable, but potentially preferable in a small group X.509 Users trust CAs, rather than each other (transitive trust) Hierarchical certification validation from centralized entities Updates managed by CAs Scalable 13

Practical Implications of X.509 Each browser has a built in set of predetermined trusted root CAs to facilitate SSL transactions The browser developers determine the primary CA s that are trusted third parties to the users The Internet is all about decentralization, but X.509 relies on a few number of centralized authorities. Usage of duplicate RSA-moduli keys, man-in-the-middle attacks, etc. have all occurred in the last few years Can we trust them? If not, what alternatives do we have? Is this an issue? Do we need a large number of providers? 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback