Public-key Infrastructure

Slides:



Advertisements
Similar presentations
Public Key Infrastructure (PKI)
Advertisements

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
1 Key Establishment Symmetric key problem: How do two entities establish shared secret key over network? Solution: trusted key distribution center (KDC)
TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.
Computer Science Public Key Management Lecture 5.
Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)
Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.
IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.
Network Security. An Introduction to Cryptography The encryption model (for a symmetric-key cipher).
Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Secure r How do you do it? m Need to worry about sniffing, modifying, end- user masquerading, replaying. m If sender and receiver have shared secret.
SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.
Digital Certificates Made Easy Sam Lutgring Director of Informational Technology Services Calhoun Intermediate School District.
Public-key Infrastructure. Computer Center, CS, NCTU 2 Public-key Infrastructure  A set of hardware, software, people, policies, and procedures.  To.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
1 Apache and Virtual Sites and SSL Dorcas Muthoni.
Cryptography Encryption/Decryption Franci Tajnik CISA Franci Tajnik.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Certificate revocation list
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Module 9: Fundamentals of Securing Network Communication.
Key Management. Session and Interchange Keys  Key management – distribution of cryptographic keys, mechanisms used to bind an identity to a key, and.
King Mongkut’s University of Technology Faculty of Information Technology Network Security Prof. Reuven Aviv 6. Public Key Infrastructure Prof. R. Aviv,
Windows 2000 Certificate Authority By Saunders Roesser.
Public-key Infrastructure. Computer Center, CS, NCTU 2 Cryptosystems  Cryptosystems Symmetric Asymmetric (public-key)  RSA Public key: n=3233, e=17.
X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active Directory Authenticating User Accounts Securing Access to.
Digital Signatures and Digital Certificates Monil Adhikari.
X509 Web Authentication From the perspective of security or An Introduction to Certificates.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Digital Certificates Presented by: Matt Weaver. What is a digital certificate? Trusted ID cards in electronic format that bind to a public key; ex. Drivers.
and File Security With GnuPG Matt Brodeur
Certificate Management with OpenSSL 樹德科技大學 資訊工程系 林峻立 助理教授.
Key management issues in PGP
TOPIC: HTTPS (Security protocol)
Chapter 4 a - X.509 Authentication
Setting and Upload Products
Chapter 9. Key management
SSL Certificates for Secure Websites
Secure Sockets Layer (SSL)
Information Security message M one-way hash fingerprint f = H(M)
Public-key Infrastructure
How to Check if a site's connection is secure ?
Tutorial on Creating Certificates SSH Kerberos
Information Security message M one-way hash fingerprint f = H(M)
Information Security message M one-way hash fingerprint f = H(M)
کاربرد گواهی الکترونیکی در سیستمهای کاربردی (امضای دیجیتال)
CompTIA Security+ Study Guide (SY0-501)
Security in ebXML Messaging
Homework #05 SSL and TLS Announce: Due:
Public-key Infrastructure
Secure Electronic Transaction (SET) University of Windsor
Information Security message M one-way hash fingerprint f = H(M)
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Secure How do you do it? Need to worry about sniffing, modifying, end-user masquerading, replaying. If sender and receiver have shared secret keys,
Public-key Infrastructure
Building Security into Your System
PKI (Public Key Infrastructure)
Unit 8 Network Security.
Advanced Computer Networks
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Presentation transcript:

Public-key Infrastructure

Public-key Infrastructure A set of hardware, software, people, policies, and procedures. To create, manage, distribute, use, store, and revoke digital certificates. Encryption, authentication, signature Bootstrapping secure communication protocols.

CA: Certificate Authority (1) In God We Trust

CA: Certificate Authority (2) Contains data of the owner, such as Company Name, Server Name, Name, Email, Address,… Public key of the owner. Followed by some digital signatures. Sign for the certificate. In X.509 A certificate is signed by a CA. To verify the correctness of the certificate, check the signature of CA.

CA: Certificate Authority (3) Certificate Authority (CA) “憑證授權” in Windows CHT version. In X.509, it is itself a certificate. The data of CA. To sign certificates for others. Each CA contains a signature of Root CA. To verify a valid certificate Check the signature of Root CA in the certificate of CA. Check the signature of CA in this certificate. Reference: http://www.imacat.idv.tw/tech/sslcerts.html

What is a CA ? (1) Certificate Authority (認證中心) Trusted server which signs certificates One private key and relative public key Tree structure of X.509 Root CA

What is a CA ? (2) Root CA (最高層認證中心) In Microsoft:「根目錄授權憑證」 Root CA do not sign the certificates for users. Authorize CA to sign the certificates for users, instead. Root CA signs for itself. It is in the sky. To trust Root CA Install the certificate of Root CA via secure channel.

What is a CA ? (3) Tree structure of CA Cost of certificate HiTrust : NT $30,000 / per year / per domain TWCA: NT $30,000 / per year / per domain GoGetSSL (Comodo): USD 7.85 / per year / per domain GoGetSSL (Comodo Wildcard): USD 70.95 / per year Myself : NT $0

Certificate (1) Digital Certificate, Public-key Certificate, Network Identity A certificate is issued by a CA X A certificate of a user A consists: The name of the issuer CA X His/her public key Apub The signature Sig(Xpriv, A, Apub) by the CA X The expiration date Applications Encryption / Signature

Sig(Xpriv, Alice, Apub, T) Certificate (2) CA X: (3) Generate Sig(Xpriv, Alice, Apub, T) Alice: Generate Apub, Apriv (2) Alice, Apub, ID proof (4) Sig(Xpriv, Alice, Apub, T) CertA,X=[Alice, Apub, Sig(Xpriv, Alice, Apub, T)] Note: CA does not know Apriv

Certificate (3) Guarantee of CA and certificate Guarantee the public key is of someone Someone is not guaranteed to be safe Security of transmitting DATA Transmit session key first Public-key cryptosystem Transmit DATA by session key Symmetric-key cryptosystem

OpenSSL

OpenSSL http://www.openssl.org/ In system In pkg /usr/src/crypto/openssl In pkg openssl

Example: Apache SSL settings

Example: Apache SSL settings – Flow Generate random seed Generate RootCA Generate private key of RootCA Fill the Request of Certificate. Sign the certificate itself. Generate certificate of Web Server Generate private key of Web Server Fill the Request of certificate Sign the certificate using RootCA Modify apache configuration  restart apache

Example: Apache SSL settings – Generate random seed openssl rand -out rnd-file num % openssl rand -out /etc/ssl/RootCA/private/.rnd 1024 chmod go-rwx rnd-file % chmod go-rwx /etc/ssl/RootCA/private/.rnd

Example: Apache SSL settings – Certificate Authority (8) Include etc/apache22/extra/httpd-ssl.conf SSLEngine on SSLHonorCipherOrder on SSLCompression off SSLSessionTickets Off SSLCipherSuite SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384" SSLCertificateFile /etc/ssl/nasa/nasa.crt.pem SSLCertificateKeyFile /etc/ssl/nasa/private/nasa.key.pem # OCSP Stapling, only in httpd 2.3.3 and later SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off # HSTS (mod_headers is required) (15768000 seconds = 6 months) Header always add Strict-Transport-Security "max-age=15768000; preload“ # Public Key Pinning (HPKP) ##Header set Public-Key-Pins "pin-sha256=\"klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=\"; pin-sha256=\"633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q=\"; max-age=2592000; includeSubDomains"

Appendix: PGP

PGP Pretty Good Privacy Public key system security/gnupg Encryption Signature security/gnupg Will talk more in Network Administration Ref: http://security.nknu.edu.tw/textbook/chap15.pdf

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.