An understanding of PKI and some deployment hints BY Charles Anakweze CIS532 PKI = Public Key Infrastructure.

Slides:



Advertisements
Similar presentations
Public Key Infrastructure – tell me in plain English AND THEN deep technical how PKI works Steve Lamb
Advertisements

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
(n)Code Solutions A division of GNFC
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
An introduction to PKI and few deployment hints
A-to-Z of Public Key Infrastructure (PKI)
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Cryptographic Technologies
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 17 Prof. Crista Lopes.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.
Certificates, Keys, Web Browsers, and Security - Sumanth Gelle.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.
Cryptography 101 Frank Hecker
Chapter 31 Network Security
Public Key Cryptography July Topics  Symmetric and Asymmetric Cryptography  Public Key Cryptography  Digital Signatures  Digital Certificates.
1 Cryptography Cryptography is a collection of mathematical techniques to ensure confidentiality of information Cryptography is a collection of mathematical.
Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.
©Copyrights 2011 Eom, Hyeonsang All Rights Reserved Distributed Information Processing 20 th Lecture Eom, Hyeonsang ( 엄현상 ) Department of Computer Science.
Securing Data at the Application Layer Planning Authenticity and Integrity of Transmitted Data Planning Encryption of Transmitted Data.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Cryptography 1 CS432. Overview  What is cryptography and cryptology?  The main components of a crypto system.  Problems solved by cryptography.  Basic.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Cryptography, Authentication and Digital Signatures
©The McGraw-Hill Companies, Inc., 2000© Adapted for use at JMU by Mohamed Aboutabl, 2003Mohamed Aboutabl1 1 Chapter 29 Internet Security.
Configuring Directory Certificate Services Lesson 13.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Cryptography Chapter 14. Learning Objectives Understand the basics of algorithms and how they are used in modern cryptography Identify the differences.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Internet-security.ppt-1 ( ) 2000 © Maximilian Riegel Maximilian Riegel Kommunikationsnetz Franken e.V. Internet Security Putting together the.
Authentication 3: On The Internet. 2 Readings URL attacks
11-Basic Cryptography Dr. John P. Abraham Professor UTPA.
Cryptography (2) University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Digital Signatures and Digital Certificates Monil Adhikari.
1 Public Key Infrastructure Rocky K. C. Chang 6 March 2007.
This courseware is copyrighted © 2016 gtslearning. No part of this courseware or any training material supplied by gtslearning International Limited to.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Security. Security Needs Computers and data are used by the authorized persons Computers and their accessories, data, and information are available to.
CRYPTOGRAPHY Cryptography is art or science of transforming intelligible message to unintelligible and again transforming that message back to the original.
Key management issues in PGP
Basics of Cryptography
Information Security message M one-way hash fingerprint f = H(M)
IS3230 Access Security Unit 9 PKI and Encryption
Information Security message M one-way hash fingerprint f = H(M)
Information Security message M one-way hash fingerprint f = H(M)
Lecture 4 - Cryptography
National Trust Platform
Presentation transcript:

An understanding of PKI and some deployment hints BY Charles Anakweze CIS532 PKI = Public Key Infrastructure

2 Objectives  Explain the basics of Cryptography and PKI  Introduce commonly used terminology  Identify aspects of PKI that require careful planning during deployment

3 Agenda  Quick Summary on Cryptography  Fundamentals of PKI  PKI Deployment

4 Agenda  Quick Summary on Cryptography  Fundamentals of PKI  PKI Deployment

5 What Does Cryptography Solve?  Confidentiality  Ensure that nobody can get knowledge of what you transfer even if listening the whole conversation  Integrity  Ensure that message has not been modified during the transmission  Authenticity  You can verify that you are talking to the entity you think you are talking to  Identity  You can verify who is the specific individual behind that entity  Non-repudiation  The individual behind that asset cannot deny being associated with it

6 Traditional paper-based solutions  Confidentiality  Integrity  Authenticity  Non-repudiation  Availability  Envelopes  Signatures, Watermarks, Barcodes  Notaries, strong ID, physical presence  Signatures, receipts, confirmations  Alternate routes, sites, etc.

7 Electronic Solutions  Confidentiality  Authenticity  Integrity  Non-Repudiation  Availability  Data Encryption  Digital Signatures, Certificates, Digital Ids  Hash Algorithms, Message Digests, Digital Signatures  Digital Signatures, Audit Logs  Redundant Systems, Automatic Failover

8 Symmetric Encryption An unders to PKI and some deploy hints AxCvGsmWe#4^, sdgfMwir3:dkJeTs An unders to PKI and some deploy hints Clear-text input Clear-text output Cipher-text Same key (shared secret) EncryptionDecryption DE S

9 Asymmetric Encryption An unders to PKI and some deploy hints Py75c%bn&*)9|f nmdFgegMs An unders to PKI and some deploy hints Clear-text Input Clear-text Output Cipher-text Different keys Encryption Decryption RSA RSA

10 Example: Confidentiality Different keys Recipient’s public key Recipient’s private key private public Encryption Decryption An unders to PKI and some deploy hints Py75c%bn&*)9|f nmdFgegMs An unders to PKI and some deploy hints Clear-text Input Clear-text Output Cipher-text

11 Example: Authenticity Different keys Sender’s public key Sender’s private key private public Encryption Decryption An unders to PKI and some deploy hints Py75c%bn&*)9|f nmdFgegMs An unders to PKI and some deploy hints Clear-text Input Clear-text Output Cipher-text

12 Agenda  Quick Summary on Cryptography  Fundamentals of PKI  PKI Deployment

13 PKI  PKI is a group of solutions for key distribution problems and other issues:  Key generation  Certificate generation, revocation, validation  Managing trust

14 Is PKI relevant? Who uses this stuff?  Web’s HTTP and other protocols (SSL)  VPN (PPTP, IPSec, L2TP…)  (S/MIME, PGP, Exchange KMS)  Files (PGP, W2K EFS, and many others)  Web Services (WS-Security)  Bad ID Smartcards (Certificates and private key store)  Good ID Smartcards (Certificates and Challenge/Response)  Executables (.NET Assemblies, Drivers, Authenticode)  Copyright protection (DRM)  …

15 Creating a Digital Signature 3kJfgf*£$& Py75c%bn This is the document created by Chizoba Message or File Digital Signature Message Digest Calculate a short message digest from even a long input using a one-way message digest function (hash) Signatory's private key priv GenerateHash SHA, MD5 AsymmetricEncryption RSA This is the document created by Chizoba 3kJfgf*£$& Signed Document (Typically 128 bits)

16 Verifying a Digital Signature RSA This is the document created by Chizoba 3kJfgf*£$& Signed Document Py75c%bn Message Digest GenerateHash Chizoba's public key (from certificate) AsymmetricDecryption pub Digital Signature Py75c%bn ? Compare ?

17  The simplest certificate just contains:  A public key  Information about the entity that is being certified to own that public key  … and the whole is  Digitally signed by someone trusted (like your friend or a CA) 2wsR46%frd EWWrswe(* ^$G*^%#%# %DvtrsdFDf d3%.6,7 What is a Certificate ? pub 3kJfgf*£$&4 6*gd7dT Certificate This public key belongs to Chizoba Digital Signature Can be a person, a computer, a device, a file, some code, anything …

18 X.509 Certificate Who is the owner, CN=Chizoba,O=CERN,C=CH The public key or info about it Who is signing, O=CERN,C=CH Serial Number X.500 Subject Extensions X.500 issuer Expiration date Public Key CA Digital Signature Certificate Info See later why expiration date is important Additional arbitrary information … of the issuer, of course

19 Authentication with Certificates  Owning a Certificate of Chizoba does not mean that you are Chizoba  Owning a Certificate does not imply you are authenticated  How would you verify that the person who comes to you pretending to be Chizoba and showing you a certificate of Chizoba is really Chizoba ?  You have to challenge him !  Only the real Chizoba has the private key that goes in pair with the public key in the certificate.

20 Certificate Validation  Essentially, this is just checking the digital signature  But you may have to “walk the path” of all subordinate authorities until you reach the root  Unless you explicitly trust a subordinate CA Check DS of Foobar “In Foobar We Trust” (installed root CA certificate) Public key Certificate This public key belongs to Chizoba CERN Digital Signature Issued by: CERN Public key Certificate This public key belongs to CERN Foobar Digital Signature Issued by: Foobar Public key Certificate This public key belongs to Foobar Foobar Digital Signature Issued by: Foobar Check DS of CERN

21 Certificate Revocation  (Private) keys get compromised, as a fact of life  You or your CA issue a certificate revocation certificate  Must be signed by the CA, of course  And you do everything you can to let the world know that you issued it  This is not easy  Certificate Revocation Lists (CRL) are used  They require that the process of cert validation actively checks the CRL and keep it up-to-date  It is a non scalable process  Many people disable this function  This explains why  Every certificate has an expiration date  short expiration policies are important

22 Storing Certificates and Keys  Certificates need to be stored so that interested users can obtain them  This is not an issue. Certificates are “public”  Keys need to be stored for data recovery purposes  This weakens the system, but is a necessity  This is a function of most certificate servers offer  Those servers are also responsible for issuing, revoking, signing etc. of certs  But this requires the certificate server to generate the key pairs

23 Example (wrong) Priv pub Certification Server User generates a key pair Certificate is sent to the user Public key is submitted to CA for certification pub DS Cert pub DS Cert

24 Example (Good) Priv pub Certification Server CA generates a key pair Private Key and Certificate are sent to the user pub DS Cert pub DS Cert User request a certificate to CA CA generates certificate Priv This model allows key recovery

25 Agenda  Quick Summary on Cryptography  Fundamentals of PKI  PKI Deployment

26 Current Strength Recommendations  Your infrastructure should be ready to strengthen these at any time MinimumRecommended Symmetric Key 96 bits (avoid DES as it can do only 56, instead use AES-Rijndael or RC5) 256 bits (Rijndael, RC5 128bits, not DES) Asymmetric Key 1024 (RSA)4096 (RSA) ECC Key 192 bits256 bits Hash: SHA/MD5 128 bits (not 64 bits)256 bits or more Cert Classes Class 2Class 3 at least

27 Reference:  A large fraction of the information in this presentation comes from Microsoft Tech’ed conference  More details can be found in the following:  PKI, A. Nash et al., RSA Press, ISBN  Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN  Foundations of Cryptography, O. Goldereich,  Handbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN  Cryptography in C and C++, M. Welschenbach, Apress, ISBN X (includes code samples CD)  Business Data Communications, William Stallings

28 Questions?

29 Review Questions and allow two communicating parties to disguise information they send to each other. Ans: Encryption and decryption Ensures that nobody can get knowledge of what you transfer even if listening the whole conversation. Ans:Confidentiality Ensures that message has not been modified during the transmission. Ans:Integrity Ensures that y ou can verify that you are talking to the entity you think you are talking to. Ans: Authenticity Ensures that you can verify who is the specific individual behind that entity. Ans: Identity Ensures that the individual behind that asset cannot deny being associated with it Ans: Non-repudiation

30  Thanks

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.