• No results found

Agenda. PKI Defined Terminology Key Technical Concepts Key Infrastructure Concepts Practical Uses. o o o o o. Important Considerations of Being a CA

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Agenda. PKI Defined Terminology Key Technical Concepts Key Infrastructure Concepts Practical Uses. o o o o o. Important Considerations of Being a CA"

Copied!
21
0
0

Loading.... (view fulltext now)

Download now ( 21 Page )

Full text

(1)
(2)

Agenda

o PKI Defined o Terminology

o Key Technical Concepts o Key Infrastructure Concepts o Practical Uses

o What o Who o Why

(3)

PKI – Public Key Infrastructure

The sum total of the hardware, software, people, processes, and

policies that, together, using the technology of asymmetric cryptography, facilitate the creation of a verifiable association

between a public key (the public component of an asymmetric key

pair) and the identity (and/or other attributes) of the holder of the corresponding private key (the private component of that pair), for uses such as authenticating the identity of a specific entity, ensuring the integrity of information, providing support for nonrepudiation, and establishing an encrypted communications section

– PKI Assessment Guidelines v3.0

Information Security Committee American Bar Association

(4)

Basic PKI Security Functions

o Authentication

▪ Be sure you know who you are communicating with o Confidentiality

▪ Keep secrets secret o Integrity

▪ Be sure nothing is changed behind your back o Access Control

▪ Control who can access what o Non-repudiation

(5)

PKI Terminology and Concepts

o Hashing functions

o Symmetric encryption and decryption

▪ Session key

o Asymmetric encryption and decryption

▪ Key pair

o Digital signature o Digital certificate

o Certification Authorities (CA) o Registration Authorities (RA) o Hierarchy of trust

(6)

Hash Functions

It was the best of times,

it was the worst of times

It was the best of thymes,

it was the worst of times

Small Difference

Large Difference

Examples: MD5 (128 bit), SHA-1 (160 bit)

3au8 e43j jm8x g84w

Hash Function

b6hy 8dhy w72k 5pqd

(7)

Symmetric Key Cryptography –

Encryption

o DES, AES, RC2, RC5 o Problems:

▪ Alice and Bob must agree on the secret key without anyone else finding out

▪ Anyone who intercepts the key in transit can later read, modify, and forge all messages encrypted using that key

▪ Doesn’t Scale

Message Common key

Encrypted Message Eavesdropper

A

Message

B

Encrypt Decrypt

(8)

Asymmetric Key Cryptography –

Encryption

o RSA, ECC, IDEA o Problems:

▪ Key exchange has to be done in a secure way

▪ Encryption and decryption are extremely SLOW Message Public key

Encrypted Message Eavesdropper

A

Message

B

Encrypt Decrypt Private key

(9)

Public Key Encryption

= Private Key = Public Key = Symmetric Key

Encrypt with Bob’s Public Key

Symmetric keys encrypt data;

Public keys encrypt symmetric keys

Encrypted Sym Key Encrypt Sym Key Encrypted Message Encrypt Message Generate Sym Key Bob Alice

(10)

Encrypted Sym Key Encrypted

Message

Public-Key – Decryption

Public key and symmetric key cryptography

are complementary technologies

Bob

Decrypt with Bob’s Private Key

= Private Key = Public Key = Symmetric Key Decrypt Sym Key Decrypt Message

(11)

Public-Key – Signature &

Verification

Sender Receiver

Hashing

+

Encry

pt

ion

=

Signature

Creat

ion

Hashing

+ Decry

ption

=

Signature

V

erificatio

n

Transmitted Message

Signature

Message Digest Hash Function

If these are the same, then the message

has not changed

Alice Bob Message Digest Hash Function Encrypt

Signature

Expected Digest Decrypt

(12)

Public-Key – Encryption

Encrypted Sym Key Encrypt Sym Key Encrypted Message Encrypt Message Generate Sym Key Bob Alice

(13)

PKI as DMV

CAs

Certs

CAs are like the government agencies

RAs are like the local registries offices

(root CA)

(14)

Certificate Authority

o An organization that issues certificates o Usually a trusted third party

(15)

Registration Authority

o Performs functions for CA but does not issue certificates directly o Processes requests

o Manages certificate lifecycle

▪ Issuance, recovery, revocation, renewal o Distributed

(16)

Certificate

A message which at least (1) identifies the certification authority issuing it, (2) names or identifies its subscriber, (3) contains the subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it

– Digital Signature Guidelines

Information Security Committee American Bar Association

Version: v3

Serial No: 001b6f945h75

Algorithms: MD5 RSA

Subject DN: John Doe Issuer DN: State of Kansas

Validity period: from 11-03-2005 to 11-05-2005

Public key: 30 81 89 02 81 81 00 ba 6e e5 9a 74 f5 e7 af a9 8a 9c de a8

e5 53 1b 73 c7 f7 8a 13 f3 44 91 09 dc 91 12 b7 1b b2 cf 09 f7 4b 13 7d …

Signature

Certificate Extensions

Key Usage: digitalSignature dataEncipherment keyCertSign

nonRepudiation keyAgreement encipherOnly keyEncipherment cRLSign decipherOny

Extended Key Usage: serverAuth codeSigning timeStamping

clientAuth emailProtection OCSPSigning

Certificate Policies: URL of CPS and Policy notice text

Subject Alternative Name: rfc822name, IP Address, DNS Name

(17)

Digital Certificates in Use

o Secure e-mail

o Virtual Private Network (VPN)

o Wireless (Wi-Fi)

o Web Servers (SSL/TLS)

o Network Authentication

o Code Signing

(18)

Who Uses PKI?

Current demand for certificates

Current demand for certificates

+ Wireless (WiFi) deployments

+ Corporate Banking

▪ Phishing Attacks

▪ Identity Theft

+ Government and Industry Mandates

+ Physical/Logical access

▪ Windows Logon

+ Devices

▪ Web Servers

▪ Cable and Satellite

▪ Domain Controllers ▪ VPN + Signed Code ▪ PC ▪ Mobile + eCommerce ▪ SSL

(19)

Why Use PKI?

o Federal Government – HSPD-12

▪ Calls for the creation of a NIST standard for gov employees and contractors

▪ Builds off of DOD CAC card and External Certification Authority program

o DOCSIS (Data Over Cable Service Interface Specification)

▪ Requires that certificates be imbedded in cable modems for device authentication and code signing

o HIPAA

▪ Mandates the implementation of security measures to maintain patient privacy

▪ Email encryption of protected heath information (PHI)

o FFIEC

▪ Guidance to implement two-factor authentication for Internet Banking

▪ Mandatory compliance by 2006

o Gramm-Leach-Bliley Act

▪ Requires establishment of technical safeguards to ensure confidentiality and integrity for any institution holding financial data

(20)

Specific PKI Implementations

o The Commonweath of Pennsylvania Justice Network (JNET)

▪ Allows disparate law enforement agencies to share information securely o Barclays Bank

▪ Digital certificates issued to all online clients

▪ Account setup time reduced, trading volume increased o Department of Interior Buruea of Land Management

▪ Smart cards issued to employees for physical and logical access

▪ Certificate use expanded to form signing for paper reduction o State of New Jersey

▪ Allows residents, employees, business partners to share and access informaiton online

(21)

What is Difficult about Being a

CA?

o Understanding PKI risk management

▪ Controlling liability exposure

▪ Conforming to State and Federal Legislation o Policies and Practices

▪ Developing a comprehensive Certificate Policy (CP) and Certification Practices Statement (CPS)

▪ Maintaining trust o Security

▪ Technology

▪ Physical, personnel, administrative, etc. o Operating high availability infrastructure

References

Download now ( PDF - 21 Page - 4.76 MB )

Related documents

The Effects of Management Practices on Grassland Birds: An Introduction to North American Grasslands and the Practices Used to Manage Grasslands and Grassland Birds

In Wisconsin, Sample and Mossman (1997) recommended that grazing should be discontinued by early August when manag- ing for warm-season grasses and by mid-September when managing

Proactive planning and deliberate avoidance of affordable housing by Massachusetts communities in response to Chapter 40B

Municipal planning staff, land-use board members, and elected officials in five communities on the rapidly-growing edge of metropolitan Boston (Bellingham, Framingham,

Attention and cognition in patients with obsessive-compulsive disorder de Geus, F.; Denys, D.A.J.P.; Sitskoorn, M.M.; Westenberg, H.G.M.

The aim of this study was two- fold: (i) to investigate the cognitive deficits in patients with OCD compared to matched healthy controls; and (ii) to relate cognitive performance

8.9 Web Security Threats Secure Naming. Page 1 of 11. [ Team LiB ]

If Trudy returns Bob's public key, Alice will not detect the attack, but Alice will encrypt her next message, using Bob's key.. Trudy will get the message, but she will have no way

Franz Kafka

In addition to Bergmann, Pollak and especially Brod, this group was part of the extended German-speaking literary world of Prague, most of whom were Jews: the blind novelist Oskar

Vol 33, No 13 (2020)

Residindo a doente numa região onde foram, no passado, diagnosticados vários casos de estrongiloidíase e na ausência de viagens previas para o estrangeiro, este representa o

User Experience Testing: A Case Study for Mobile Devices-

In this user experience testing, each test participant was asked to perform four tasks using the selected mobile device.. The tasks given were

The steps of Slovenian organisations on the way to business excellence

On the basis of analysis and the synthesis of various approaches that we identified from the reviews and the results of the individual organisations, we formulated 8