SMUCSE 5349/7349 Public-Key Infrastructure (PKI).

Slides:

Advertisements

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

1 Lecture 13: Public Key Infrastructure terms PKI trust models –monopoly with registration authorities with delegated certificate authorities –oligarchy.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication (Part B)

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Digital Signatures Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Digital.

 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,

Public Key Management and X.509 Certificates

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 5 Network Security Protocols in Practice Part I

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

Public Key Distribution and X.509 Wade Trappe. Distribution of Public Keys There are several techniques proposed for the distribution of public keys:

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Key Management in Cryptography

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.

1 Lecture 11 Public Key Infrastructure (PKI) CIS CIS 5357 Network Security.

©Copyrights 2011 Eom, Hyeonsang All Rights Reserved Distributed Information Processing 20 th Lecture Eom, Hyeonsang ( 엄현상 ) Department of Computer Science.

ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.

Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

每时每刻可信安全 1The DES algorithm is an example of what type of cryptography? A Secret Key B Two-key C Asymmetric Key D Public Key A.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Cryptography Chapter 14. Learning Objectives Understand the basics of algorithms and how they are used in modern cryptography Identify the differences.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

Digital Signatures A Brief Overview by Tim Sigmon April, 2001.

CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.

Key Management. Session and Interchange Keys  Key management – distribution of cryptographic keys, mechanisms used to bind an identity to a key, and.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

Security in ebXML Messaging CPP/CPA Elements. Elements of Security P rivacy –Protect against information being disclosed or revealed to any entity not.

By Umair Ali. Dec 2004Version 1 -PKI - a security architecture – over the internet. -Provides an increased level of confidence for exchanging information.

Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.

Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

PKI Future Directions 29 November 2001 Russ Housley RSA Laboratories CS – Class of 1981.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Creating and Managing Digital Certificates Chapter Eleven.

Cryptography and Network Security Chapter 14

Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.

1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.

1 Certification Issue : how do we confidently know the public key of a given user? Authentication : a process for confirming or refuting a claim of identity.

1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.

Key Management and Distribution Anand Seetharam CST 312.

Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.

TAG Presentation 18th May 2004 Paul Butler

Key management issues in PGP

CSE 4905 Public-key Infrastructure

TAG Presentation 18th May 2004 Paul Butler

Security in ebXML Messaging

Public Key Infrastructure

زير ساخت كليد عمومي و گواهي هويت

Digital Certificates and X.509

CS 465 Certificates Last Updated: Oct 14, 2017.

Presentation transcript:

SMUCSE 5349/7349 Public-Key Infrastructure (PKI)

SMUCSE 5349/7349 What is PKI? Pervasive security infrastructure whose services are implemented and delivered using public-key concepts and techniques -(C. Adams, S. Lloyd) –Secure sign-on –End-user transparency –Comprehensive security

SMUCSE 5349/7349 Business Drivers Cost savings Inter-operability Uniformity Potential for validation/testing Choice of provider Consider the analogy with BUS architecture vs. point-to-point links

SMUCSE 5349/7349 Components and Services Certification authority Certificate repository Certificate revocation Key backup and recovery Automatic key update Key history Cross-certification Support for non-repudiation Time stamping

SMUCSE 5349/7349 Certificates Certificate vs. signature Types of certificates –X.509 (v1, v2, v3) –Simple Public Key Infrastructure (SPKI) certificates –PGP certificates –Attribute certificates

SMUCSE 5349/7349 Certificate Format Version number Serial number Signature algorithm identifier Issuer name Period of validity Subject name Subject’s public-key info. Issuer unique ID Subject unique ID Extensions Signature

SMUCSE 5349/7349 Key/Certificate Life Cycle Initialization –Registration –Key-pair generation (where?) –Certificate creation and dissemination –Key backup Issued –Certificate retrieval –Certificate validation Cancellation –Expiration –Revocation –History and archive

SMUCSE 5349/7349 Certificate Path Processing Eventual objective is to determine whether the key in a given certificate can be trusted –Path construction – aggregation of certificates to form a complete path –Path validation – validating each certificate in the path Target certificate is trusted only if every certificate in the path are trustworthy

SMUCSE 5349/7349 X.509 Hierarchy Forward certificates –Certificate of X generated by other CAs Reverse certificates –Certificates of other CAs generated by X Example from the book (showed in last class)

SMUCSE 5349/7349 Authentication Procedures One-way Two-way Three-way

SMUCSE 5349/7349 Problems with PKI Hierarchical model of trust –Chain of partial trust ending in one “fully trusted” entity Identifier associated with the key pair –Unique distinguished name within the namespace Private-key insecurity –Has to protect the private key Technical and Implementation difficulties –Assumption of global namespace –Difficulty in detecting key compromise –Inefficient revocation

SMUCSE 5349/7349 PKI Problems (cont’d) Limited assurance provided in reality –CA’s generally protected in case of failure –What certificate assure (usually) A particular message was generated by an entity that had available to it a particular private key; and CA that provided the certificate has, at some time in the past, had grounds for believing that that private key was associated with a particular entity. CA that provided the certificate has, at some time in the past, had grounds for believing that the entity had some kind of right to use that identifier, or had used that identifier in the past; and CA that provided the certificate has, at some time in the past, had grounds for believing that the entity had access to the appropriate private key.

SMUCSE 5349/7349 Problems (cont’d) –What it does not ensure Private key was originally available to other entities as well as the entity to which it purports to be 'bound'; Private key is now available to other entities as well as the entity to which it purports to be 'bound'; Private key invocation that gave rise to a particular message was performed by the entity; and Private key invocation that gave rise to a particular message was performed with the entity's free and informed consent. Privacy invasiveness –Just to talk to your buddy securely, you may need to tell your life story to a third party! Idiosyncrasy: –In order to have trust in the party you are transacting with, you are expected to have trust in organizations you have no relationship with at all

SMUCSE 5349/7349 What is Really Needed! Minimal Use of Identifiers Minimal Registration Requirements Mechanisms for Persistent Anonymity Value Authentication without Identity Attribute Authentication without Identity Recourse in case of violation

SMUCSE 5349/7349 Alternatives to PKI Web of trust like in PGP Simple Distributed PKI (SDPKI) Login ID, password Biometrics Other form of cetificates