Agenda
o PKI Defined o Terminology
o Key Technical Concepts o Key Infrastructure Concepts o Practical Uses
o What o Who o Why
PKI – Public Key Infrastructure
The sum total of the hardware, software, people, processes, and
policies that, together, using the technology of asymmetric cryptography, facilitate the creation of a verifiable association
between a public key (the public component of an asymmetric key
pair) and the identity (and/or other attributes) of the holder of the corresponding private key (the private component of that pair), for uses such as authenticating the identity of a specific entity, ensuring the integrity of information, providing support for nonrepudiation, and establishing an encrypted communications section
– PKI Assessment Guidelines v3.0
Information Security Committee American Bar Association
Basic PKI Security Functions
o Authentication
▪ Be sure you know who you are communicating with o Confidentiality
▪ Keep secrets secret o Integrity
▪ Be sure nothing is changed behind your back o Access Control
▪ Control who can access what o Non-repudiation
PKI Terminology and Concepts
o Hashing functions
o Symmetric encryption and decryption
▪ Session key
o Asymmetric encryption and decryption
▪ Key pair
o Digital signature o Digital certificate
o Certification Authorities (CA) o Registration Authorities (RA) o Hierarchy of trust
Hash Functions
It was the best of times,
it was the worst of times
It was the best of thymes,
it was the worst of times
Small Difference
Large Difference
Examples: MD5 (128 bit), SHA-1 (160 bit)
3au8 e43j jm8x g84w
Hash Function
b6hy 8dhy w72k 5pqd
Symmetric Key Cryptography –
Encryption
o DES, AES, RC2, RC5 o Problems:
▪ Alice and Bob must agree on the secret key without anyone else finding out
▪ Anyone who intercepts the key in transit can later read, modify, and forge all messages encrypted using that key
▪ Doesn’t Scale
Message Common key
Encrypted Message Eavesdropper
A
MessageB
Encrypt DecryptAsymmetric Key Cryptography –
Encryption
o RSA, ECC, IDEA o Problems:
▪ Key exchange has to be done in a secure way
▪ Encryption and decryption are extremely SLOW Message Public key
Encrypted Message Eavesdropper
A
MessageB
Encrypt Decrypt Private keyPublic Key Encryption
= Private Key = Public Key = Symmetric Key
Encrypt with Bob’s Public Key
Symmetric keys encrypt data;
Public keys encrypt symmetric keys
Encrypted Sym Key Encrypt Sym Key Encrypted Message Encrypt Message Generate Sym Key Bob Alice
Encrypted Sym Key Encrypted
Message
Public-Key – Decryption
Public key and symmetric key cryptography
are complementary technologies
Bob
Decrypt with Bob’s Private Key
= Private Key = Public Key = Symmetric Key Decrypt Sym Key Decrypt Message
Public-Key – Signature &
Verification
Sender ReceiverHashing
+
Encry
pt
ion
=
Signature
Creat
ion
Hashing
+ Decry
ption
=
Signature
V
erificatio
n
Transmitted MessageSignature
Message Digest Hash FunctionIf these are the same, then the message
has not changed
Alice Bob Message Digest Hash Function Encrypt
Signature
Expected Digest DecryptPublic-Key – Encryption
Encrypted Sym Key Encrypt Sym Key Encrypted Message Encrypt Message Generate Sym Key Bob AlicePKI as DMV
CAs
Certs
CAs are like the government agencies
RAs are like the local registries offices
(root CA)
Certificate Authority
o An organization that issues certificates o Usually a trusted third party
Registration Authority
o Performs functions for CA but does not issue certificates directly o Processes requests
o Manages certificate lifecycle
▪ Issuance, recovery, revocation, renewal o Distributed
Certificate
A message which at least (1) identifies the certification authority issuing it, (2) names or identifies its subscriber, (3) contains the subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it
– Digital Signature Guidelines
Information Security Committee American Bar Association
Version: v3
Serial No: 001b6f945h75
Algorithms: MD5 RSA
Subject DN: John Doe Issuer DN: State of Kansas
Validity period: from 11-03-2005 to 11-05-2005
Public key: 30 81 89 02 81 81 00 ba 6e e5 9a 74 f5 e7 af a9 8a 9c de a8
e5 53 1b 73 c7 f7 8a 13 f3 44 91 09 dc 91 12 b7 1b b2 cf 09 f7 4b 13 7d …
Signature
Certificate Extensions
Key Usage: digitalSignature dataEncipherment keyCertSign
nonRepudiation keyAgreement encipherOnly keyEncipherment cRLSign decipherOny
Extended Key Usage: serverAuth codeSigning timeStamping
clientAuth emailProtection OCSPSigning
Certificate Policies: URL of CPS and Policy notice text
Subject Alternative Name: rfc822name, IP Address, DNS Name
Digital Certificates in Use
o Secure e-mail
o Virtual Private Network (VPN)
o Wireless (Wi-Fi)
o Web Servers (SSL/TLS)
o Network Authentication
o Code Signing
Who Uses PKI?
Current demand for certificates
Current demand for certificates
+ Wireless (WiFi) deployments
+ Corporate Banking
▪ Phishing Attacks
▪ Identity Theft
+ Government and Industry Mandates
+ Physical/Logical access
▪ Windows Logon
+ Devices
▪ Web Servers
▪ Cable and Satellite
▪ Domain Controllers ▪ VPN + Signed Code ▪ PC ▪ Mobile + eCommerce ▪ SSL
Why Use PKI?
o Federal Government – HSPD-12
▪ Calls for the creation of a NIST standard for gov employees and contractors
▪ Builds off of DOD CAC card and External Certification Authority program
o DOCSIS (Data Over Cable Service Interface Specification)
▪ Requires that certificates be imbedded in cable modems for device authentication and code signing
o HIPAA
▪ Mandates the implementation of security measures to maintain patient privacy
▪ Email encryption of protected heath information (PHI)
o FFIEC
▪ Guidance to implement two-factor authentication for Internet Banking
▪ Mandatory compliance by 2006
o Gramm-Leach-Bliley Act
▪ Requires establishment of technical safeguards to ensure confidentiality and integrity for any institution holding financial data
Specific PKI Implementations
o The Commonweath of Pennsylvania Justice Network (JNET)
▪ Allows disparate law enforement agencies to share information securely o Barclays Bank
▪ Digital certificates issued to all online clients
▪ Account setup time reduced, trading volume increased o Department of Interior Buruea of Land Management
▪ Smart cards issued to employees for physical and logical access
▪ Certificate use expanded to form signing for paper reduction o State of New Jersey
▪ Allows residents, employees, business partners to share and access informaiton online
What is Difficult about Being a
CA?
o Understanding PKI risk management
▪ Controlling liability exposure
▪ Conforming to State and Federal Legislation o Policies and Practices
▪ Developing a comprehensive Certificate Policy (CP) and Certification Practices Statement (CPS)
▪ Maintaining trust o Security
▪ Technology
▪ Physical, personnel, administrative, etc. o Operating high availability infrastructure