Certificate Management Using Distributed Trusted Third Parties Alexander W. Dent Joint work with Geraint Price.

Slides:



Advertisements
Similar presentations
INFN CA1 active since July manager: –Roberto Cecchini types of certificates released: –personal –server –object signing.
Advertisements

An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
 Introduction  Benefits of VANET  Different types of attacks and threats  Requirements and challenges  Security Architecture  Vehicular PKI.
Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
© 2004 Mobile VCE June 2004 Security – Requirements and approaches to securing future mobile services Malcolm K Payne BT.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Figure 1: SDR / MExE Download Framework SDR Framework Network Server Gateway MExE Download + Verification Using MExE Repository (Java sandbox) MExE Applet.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
Interoperation Between a Conventional PKI and an ID-Based Infrastructure Geraint Price Royal Holloway University of London joint work with Chris Mitchell.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Security Management.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Configuring Active Directory Certificate Services Lesson 13.
Masud Hasan Secure Project 1. Secure It uses Digital Certificate combined with S/MIME capable clients to digitally sign and.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
Sanzi-1 CSE5 810 CSE5810: Intro to Biomedical Informatics Dynamically Generated Adaptive Credentials for Health Information Exchange Eugene Sanzi.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Configuring Directory Certificate Services Lesson 13.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Module 9: Fundamentals of Securing Network Communication.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.
Building Security into Your System Bill Major Gregory Ponto.
15.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Key Management.
Module 9: Designing Public Key Infrastructure in Windows Server 2008.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
CSE 543 Computer Security: Risks of PKI - Josh Schiffman & Archana Viswanath Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Pkiuniversity.com. Alice Bob Honest Abe’s CA Simple PKI hierarchy.
Computer and Network Security - Message Digests, Kerberos, PKI –
Creating and Managing Digital Certificates Chapter Eleven.
Using Public Key Cryptography Key management and public key infrastructures.
Key Management. Authentication Using Public-Key Cryptography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B.
1 Public Key Infrastructure Rocky K. C. Chang 6 March 2007.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
Trusted Organizations In the grid world one single CA usually covers a predefined geographic region or administrative domain: – Organization – Country.
 Attacks and threats  Security challenge & Solution  Communication Infrastructure  The CA hierarchy  Vehicular Public Key  Certificates.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Key management issues in PGP
Install AD Certificate Services
Building Security into Your System
Chapter 15 Key Management
Presentation transcript:

Certificate Management Using Distributed Trusted Third Parties Alexander W. Dent Joint work with Geraint Price

2 Trust in a ubiquitous environment Trust is a difficult commodity to find/trade in a dynamically evolving network, e.g. in a PAN or PDE. Public key cryptography offers attractive features in such a situation, however – at a computational cost, – with the usual authentication problem. PKIs are hard to implement efficiently in dynamically evolving networks.

3 PKIs in dynamic networks Mitchell and Schaffelhofer suggest security criteria for a “personal PKI”. Distributed approaches given by: – Zhou and Haas, – Luo and Lu, – Varadharajan, Shankaran and Hitchens, – Zouridaki, Mark, Gaj and Thomas, Here a CA is elected by a cluster of devices.

4 PKIs in dynamic networks Our solution uses a different form of distributed certification authority. Takes advantage of emerging hardware-based secure execution environment technologies, such as Microsoft’s NGSCB and the Trusted Computing Group’s Trusted Computing Platform. We use an abstract execution environment.

5 Secure Execution Environments It can, and is able to demonstrate that it can, – be initialised securely, – download applications in a secure fashion, – securely execute applications, – demonstrate that an application has been successfully executed. Allows “black boxes” to be installed. Allows any TTP service to be installed… …however, not always efficiently.

6 CA-applets Let’s examine how to use this technique to distribute CA functionality…

7 CA-applets – Initialisation Request for applet Send authentication data Verifies device’s identity using authentication data. Verify authenticity of SEE Initiate a secure download channel Generate a new signature key pair for the device. Download applet with new key pair Download certificate for new key pair

8 CA-applets – Registering a key Request certificate for a public key Send authentication data Download newly generated certificate (Download master certificate) Checks identity and issues certificate to person named on initialisation only. Demonstrate proof of possession

9 CA applets – In use CA applet can also host a directory service. CA applet can also host a revocation service. Problems with the need for always-on devices. Methods to cope with the renewal problem. Limited methods to cope with the effects of a compromise of the CA applet (i.e. the release of an applet’s private signing key).

10 Sub CAs verses CA applets CA applets share a lot of characteristics with a sub CA… … i.e. a smaller CA that has been obtained a certificate from a larger root CA… … especially if the root CA issues a policy when certifying the sub CA that states that the sub CA can only issue certificates to certain individuals or according to a certain policy.

11 Sub CAs verses CA applets The main difference is the level of trust the root CA has to extend to its progeny. For a CA applet, the root CA has to trust the hosts SEE and the authentication data. For a sub CA, the root CA has to trust that the user can properly set up and administrate a secure CA application. In a CA applet, the security decisions rest with the security experts – the root CA.

12 Sub CAs verses CA applets Sub CAs do not require proof of possession, and, in some instances, this may be a flaw.

13 Personal CAs CA applets make excellent personal CAs (according to the criteria laid down by Mitchell and Schaffelhofer). Root CA can either be provided by a company or by a single dedicated device in the user’s PDE. The root CA can be configured by the manufacturer, rather than the user.

14 Other applications Ad hoc networks. Short lived certificates. Distributed registration/certificate data preparation. Lightweight PKI. Supporting web services. Paper to appear in upcoming book on Trusted Computing Platforms.

15 The End All images of Torg copyright Pete Abrams.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.