Public Key Infrastructure

Similar documents
Key Management and Distribution

by Amy E. Smith, ShiuFun Poon, and John Wray

Server-based Certificate Validation Protocol

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

Public Key Infrastructures. Using PKC to solve network security problems

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Certificates, Certification Authorities and Public-Key Infrastructures

Public Key Establishment

AeroMACS Public Key Infrastructure (PKI) Users Overview

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution

Network Security Essentials

Cryptography and Network Security

Digital Certificates Demystified

CSE 565 Computer Security Fall 2018

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Overview. SSL Cryptography Overview CHAPTER 1

CERTIFICATE POLICY CIGNA PKI Certificates

Public-Key Infrastructure NETS E2008

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

CertDigital Certification Services Policy

What is a Digital Certificate? Basic Problem. Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

Fall 2010/Lecture 32 1

Lecture Notes 14 : Public-Key Infrastructure

Security Digital Certificate Manager

Public Key Infrastructures

Data Sheet NCP Secure Enterprise Management

IBM. Security Digital Certificate Manager. IBM i 7.1

and Web Security

TELIA MOBILE ID CERTIFICATE

Copyright

SONERA MOBILE ID CERTIFICATE

Chapter 8 Information Technology

Cryptography and Network Security Chapter 14

Lecture 15 Public Key Distribution (certification)

Managing Certificates

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Public-key Infrastructure Options and choices

Key Management and Distribution

KeyOne. Certification Authority

Public. Atos Trustcenter. Server Certificates + Codesigning Certificates. Version 1.2

Bart Preneel PKI. February Public Key Establishment. PKI Overview. Keys and Lifecycle Management. How to establish public keys?

Elliptic Curve Cryptography (ECC) based. Public Key Infrastructure (PKI) Kunal Abhishek Society for Electronic Transactions & Security (SETS), Chennai

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Understanding HTTPS CRL and OCSP

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

ISO/IEC INTERNATIONAL STANDARD

An Overview of Secure and Authenticated Remote Access to Central Sites

Mavenir Systems Inc. SSX-3000 Security Gateway

NCP Exclusive Remote Access Management

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

KEY DISTRIBUTION AND USER AUTHENTICATION

FPKIPA CPWG Antecedent, In-Person Task Group

Volvo Group Certificate Practice Statement

CERN Certification Authority

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

Managing AON Security

Configuring Certificate Authorities and Digital Certificates

Apple Inc. Certification Authority Certification Practice Statement

How to Set Up External CA VPN Certificates

IBM i Version 7.2. Security Digital Certificate Manager IBM

INTERNATIONAL STANDARD

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

ING Corporate PKI G3 Internal Certificate Policy

SAML-Based SSO Solution

INF3510 Information Security University of Oslo Spring Lecture 3 Key Management and PKI. Audun Jøsang

Expires: 11 October April 2002

KNOWLEDGE SOLUTIONS. MIC2823 Implementing and Administering Security in a Microsoft Windows Server 2003 Network 5 Day Course

Index. NOTE: Boldface indicates illustrations; t indicates a table. 209

Public Key Infrastructure (PKI) Implementation at ETF Sarajevo

Implementing Security in Windows 2003 Network (70-299)

Designing and Managing a Windows Public Key Infrastructure

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

PKI Configuration Examples

SSH Communications Tectia SSH

ETSI TS V1.2.2 ( )

SAML-Based SSO Solution

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services Security protocols

CT30A8800 Secured communications

Certificateless Public Key Cryptography

SSL Certificates Certificate Policy (CP)

Public Key Technology in Windows 2000

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Validation Policy r tra is g e R ANF AC MALTA, LTD

Public Key Algorithms

Software Development & Education Center Security+ Certification

ISO/IEC INTERNATIONAL STANDARD

Send documentation comments to

6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename

Apple Inc. Certification Authority Certification Practice Statement

Getting to Grips with Public Key Infrastructure (PKI)

ECE 646 Lecture 3. Key management. Required Reading. Using the same key for multiple messages

PAA PKI Mutual Recognition Framework. Copyright PAA, All Rights Reserved 1

Axway Validation Authority Suite

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

ISO/IEC INTERNATIONAL STANDARD

EEC-682/782 Computer Networks I

Transcription:

Public Key Infrastructure Ed Crowley Summer 11 1

Topics Public Key Infrastructure Defined PKI Overview PKI Architecture Trust Models Components X.509 Certificates X.500 LDAP 2

Public Key Infrastructure Defied A public key infrastructure (PKI): Binds public keys to entities Enables other entities to verify public key bindings Provides the services needed for ongoing management of keys in a distributed system. -- NIST 800-32 Provides confidence that: The person or process identified as sending the transaction is actually the originator. The person or process receiving the transaction is the intended recipient. Data integrity has not been compromised. 3

Public Key Infrastructure An enterprise-wide network security architecture, PKI integrates: Digital certificates Public key cryptography Certification authorities. Facilitates specific security services including: Public key exchange User authentication Nonrepudiation. 4

Public Key Infrastructure Issues Specific Public Key Infrastructure (PKI) issues include: Key Authentication and Non-repudiation Nothing about a key proves to whom it belongs Revoking keys Nothing about a key indicates whether it has been revoked Policy enforcement Any organization utilizing PKI needs to create and enforce a local policy. 5

PKI Architecture Overview PKI architecture consists of: A Trust Model Servers (Certificate, Revocation, Registration) Certificates/Data format standards Public key mechanism standards Related infrastructure including Programs Protocols Policies and Procedures All components work together to enable trusted and secure communications. 6

Three PKI Trust Models 1. Hierarchical Trust Sets up an independent certificate authority (CA) with authority to sign digital certificates. A CA can revoke a certificate Facilitates enforcement of a local policy Most complex, most efficient trust model 2. Web of Trust Random trust chains produce a network of signed keys. Invented by Phil Zimmerman -- Used by PGP 3. Direct Trust Each person confirms their authenticity by personally delivering their public keys 7

PKI Trust: Hierarchical and Web 8

PKI Web Model A form of hierarchical trust, in which there are many independent CAs. Cross Certification Allows two CAs to exchange certificates with one another. An alternative to cross certification is a CA hierarchy with a root authority at the top 9

PKI Support Infrastructure Includes Certificates X.509 Standard Certificate Authority Trusted entity that maintains and issues digital certificates. Registration Authorities Performs certificate registration duties Acts as a broker between users and CA Certificate revocation process CA maintains a Certificate Revocation List (CRL) Local Policies and Procedures Non-repudiation service Digital Signature 10

Certificate Servers Certificate servers validate, or certify, keys. A certificate server holds a large number of: Certificates Associated data sets Revocation lists Three data structures 1. Certificates 2. Certificate revocation lists 3. Attribute certificates. Include: Certificate Authorities Registration Authorities 11

Directory Services A directory server could hold and make available data such as email addresses, telephone numbers etc. ready for retrieval by company employees. X.500 is a series of networking standards covering directory services. Originally supported ITU s ISO/OSI with DAP. Many organizations utilize LDAP (Lightweight Directory Access Protocol) 12

X.509 Public Key Infrastructure Standard ITU/CCITT X.509 Initially intended to provide X.500 authentication Produced by an ISO and ITU collaboration Describes digital certificate format. Several versions. PKIX IETF working group Specifies protocols for managing digital certificates as well as protocols for their use. RFC 2459 13

Public Key Certificates Sample digital certificate components 1. Public key 2. Certificate attributes Identity information about user, including name, user ID 3. One, or more, digital signatures from the Certificate Authority. 14

Browsers Browsers come with root certificates preinstalled, so SSL certificates from larger vendors will work instantly. In effect, the browsers developers determine which Certificate Authorities are trusted third parties for the browsers users

Certificate 16

PKI Attributes Can also include: Timestamping Lightweight Directory Access Protocol (LDAP) Security concerns include availability and integrity of LDAP servers Security enabled applications Cross certification. 17

LDAP Designed to be lighter (faster) than Directory Access Protocol (DAP). TCP/IP based Uses Internet address Evolved from a protocol to a directory services standard. Most important certificate server standard While NDS and Active Directory may be used as certificate servers, LDAP is used most often. 18

Certificate Revocation Process Utilizes Certificate Revocation Lists (CRLs) A revocation list is a signed list (usually signed by CA) in which the serial numbers of revoked certificates are detailed. A revocation list is replaced by an updated version from the Trust Center at regular intervals, or as necessary. Validity period determined by Trust Center Usually one day 19

Attribute Certificate A data structure that resembles a PKI key certificate but does not contain a public key. Normally an adjunct to a key certificate. Rarely used. 20

PKI Applications SSL VPN E-mail encryption File encryption SAP R/3 Single Sign On (SSO) SET Others 21

SET Secure Electronic Transaction Because it uses certificates, considered a PKI application Level 7 protocol Developed by a consortium including Cybercash, MasterCard and Visa. Provides confidentiality for purchases by encrypting the payment information. Covers end to end transactions. 22

Questions? References NIST Special Publications http://csrc.nist.gov/publications/pubssps.html 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback