Getting to Grips with Public Key Infrastructure (PKI)


What is a PKI?

A Public Key Infrastructure (PKI) is a combination of policies, procedures and technology that forms a trust infrastructure to issue and manage digital certificates. These certificates enable strong cryptographic processes that can provide:

- Electronic identification of users and devices
- Encryption of data at rest and in transit
- Data integrity
- Electronic signatures and non-repudiation

How the PKI is implemented and controlled, with respect to its policies and procedures, will determine the level of trust you and others will associate with each digital certificate.

What is a PKI used for?

- Secure network log-on
- TLS/SSL for secure web transactions
- IPSec
- Secure site-to-site communication
- Digital signing
- Email encryption
- Hard disk encryption

Understanding asymmetric encryption

- It involves the generation and use of a pair of mathematically linked keys
- What one encrypts, only the other can decrypt
- One key (private) is kept secret and secure (on a token/HSM); the other key (public) can be freely distributed via a digital certificate
- Knowing the public key does not reveal the private key
- Sender uses recipient's public key to encrypt, recipient uses their private key to decrypt
- Sender signs messages with their private key, recipient verifies the signature using the sender's public key
- Both encryption and signing can be applied to the same message, providing privacy and authentication to both parties

Understanding asymmetric encryption

- Key sizes vary, depending on what they are being used for
- Using the RSA algorithm, 2048 bits is recommended for keys used in certificates for secure messages, webserver authentication or document signing
- For a Subordinate CA (also called an Issuing CA), RSA keys from 2048 to 4096 bits are recommended
- For a Root CA, a much stronger key is recommended: typically 4096 bits if RSA keys are used

More about asymmetric encryption

While increased computing power drives the requirement for longer keys to maintain security, longer keys slow down processing. Elliptic Curve Cryptography (ECC) offers shorter keys for equivalent levels of security and, generally, faster processing. For example, signing algorithms such as ECDSA typically use keys of 256 bits, with Root CAs requiring keys of 384 bits, and can be nearly an order of magnitude faster than RSA for some operations.

A big advantage of asymmetric encryption is that it eases the historical problem of secret key (or symmetric key) distribution: it is possible to set up a secure exchange of information over an insecure link.

The core components of a PKI

Defined certificate policy

- Registration process: Who can have a certificate? What checks must be undertaken to verify the certificate holder's identity?
- Certification Practice Statement (CPS)
- How are certificates issued, stored, revoked and renewed?
- Size and nature of key
- How will the certificate policy be enforced?
- Subscriber Agreement
- Relying Party Agreement
- PKI Disclosure Statement

A PKI is only as good as your security policy

Anyone can build a PKI, BUT it has to be managed properly to be effective. The primary cause of many security breaches can be attributed to errors in implementation of a PKI.

- It has to be operated and maintained under secure circumstances
- Requires a separation of duties away from Admin/System team to a dedicated security team
- It must comply with tscheme (independent assurance that Trust Services meet rigorous quality standards) as well as ISO 27001 standards for information security
- Keys need to be stored securely in accordance with internationally-recognised security standards, e.g. FIPS 140-2 Level 3 or 4 (robust security that's tamper-resistant, both physically and electronically)

Checks & balances

- A Root CA has an average lifetime of 20 years
- A Sub-CA typically operates for 5-10 years
- An End Entity digital certificate has a lifespan of 1-3 years

Who takes responsibility and keeps track of all this?
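The key-size recommendations and the lifetimes listed above can be checked automatically across a certificate inventory. The following Python code is an added example, not part of the original slides: it treats the slide figures as policy limits (an assumption), runs over a constructed inventory whose names and dates are invented, and goes one step beyond the slides by also flagging a certificate that outlives its issuer.

```python
from datetime import date

# Minimum key size in bits per (role, algorithm), as recommended in the slides.
MIN_BITS = {("root", "RSA"): 4096, ("sub", "RSA"): 2048, ("end", "RSA"): 2048,
            ("root", "ECDSA"): 384, ("sub", "ECDSA"): 256, ("end", "ECDSA"): 256}
# Longest lifetime in years per role (upper figures from "Checks & balances").
MAX_YEARS = {"root": 20, "sub": 10, "end": 3}

def cert(name, role, alg, bits, start, end, issuer):
    # One inventory record; a real tool would fill this from parsed X.509 data.
    return dict(name=name, role=role, alg=alg, bits=bits,
                start=start, end=end, issuer=issuer)

# Constructed sample inventory: every name and date here is invented.
SAMPLE = [
    cert("Example Root CA", "root", "RSA", 4096, date(2015, 1, 1), date(2035, 1, 1), "Example Root CA"),
    cert("Example Issuing CA", "sub", "RSA", 2048, date(2020, 1, 1), date(2030, 1, 1), "Example Root CA"),
    cert("web01", "end", "RSA", 1024, date(2024, 1, 1), date(2029, 1, 1), "Example Issuing CA"),
    cert("vpn-gw", "end", "ECDSA", 256, date(2023, 4, 1), date(2025, 4, 1), "Example Issuing CA"),
    cert("Example Sub CA 2", "sub", "ECDSA", 256, date(2027, 1, 1), date(2036, 1, 1), "Example Root CA"),
]

def audit(inventory, today, warn_days=90):
    """Return (certificate name, finding) pairs in inventory order."""
    by_name = {c["name"]: c for c in inventory}
    out = []
    for c in inventory:
        name, key = c["name"], (c["role"], c["alg"])
        if key not in MIN_BITS:
            out.append((name, "unknown role or algorithm"))
            continue
        if c["bits"] < MIN_BITS[key]:
            out.append((name, f"{c['alg']} key {c['bits']} bits, minimum {MIN_BITS[key]}"))
        # Allow 366 days per year so leap days never cause a false positive.
        if (c["end"] - c["start"]).days > MAX_YEARS[c["role"]] * 366:
            out.append((name, f"lifetime over {MAX_YEARS[c['role']]} years"))
        left = (c["end"] - today).days
        if left < 0:
            out.append((name, "expired"))
        elif left <= warn_days:
            out.append((name, f"expires in {left} days"))
        issuer = by_name.get(c["issuer"])
        if issuer is None:
            out.append((name, "issuer not in inventory"))
        elif c["end"] > issuer["end"]:
            out.append((name, f"outlives issuer {issuer['name']}"))
    return out

if __name__ == "__main__":
    print(*audit(SAMPLE, date(2025, 3, 1)), sep="\n")
```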

Skills, resources & costs

PKI is not simply about technology. Design, structure and management are all equally important. The expertise required to do this properly demands a highly-specialised skills set which makes it prohibitive to do properly in-house. The high cost of physically securing the environment: not everyone can afford to build their own Trust Service Centre. This is why so many organisations choose to outsource it to companies like us.

Trustis: PKI specialists

Trustis has successfully implemented over 100 high-assurance PKIs for organisations such as the NHS, HMRC, utility suppliers, telecommunications companies and financial institutions. At the heart of our organisation is a group of experts who can provide help and advice on PKI and digital certificate solutions, covering everything from design through to full implementation, including compliance with recognised PKI standards. We can build and deploy a fully-compliant PKI at a fraction of the cost of doing it in-house. We can integrate it with your environment and keep you in absolute control. You can host the Sub-CA in your own environment or at our ultra-secure Trust Service Centre. Trustis is ISO 27001:2013, tscheme and ETSI Certified.

More about PKI

Further reading:

- New Directions in Cryptography, Whitfield Diffie and Martin E. Hellman
- NIST
- The RSA Patent, US 4405829 A: Cryptographic communications system and methods
- Schneier on Security, Bruce Schneier blog
- Security Engineering, Ross Anderson

About Trustis

For over 15 years, Trustis has specialised in cryptographic solutions that include large-scale PKIs, managed HSMs, Identity Federation as well as security policy and compliance. We serve both the public and private sectors in the UK and around the world and have been a G-Cloud supplier since its inception. Trustis services comply with ISO 27001:2013 as well as tscheme and are ETSI Certified. A product-independent approach ensures that customers get the best solution to meet their requirements. Recent projects include public sector networks, 4G security in telecoms, smart grid and metering rollouts, payment systems in banking and ePassport PKIs.

Contact details

Trustis Commercial Contact: Robert Hann, robert.hann@trustis.com, +44 (0) 7818 552411

Trustis Limited, Building 273, Greenham Business Park, Thatcham, RG19 6HN, +44 (0) 1635 231361, info@trustis.com, www.trustis.com