PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado at Boulder

PKI Pieces
- X.509 v3 certs
- Certificate Revocation Lists
- Cert management
- Directories
- Trust models
- Cert-enabled apps
- Who's doing what and what's next

X.509 certs
- purpose: bind a public key to a subject
- standard fields
- extension fields
- profiles
- client and server cert distinctions

Standard fields in certs
- cert serial number (unique within the issuing CA)
- the subject, as an X.500 DN or …
- the subject's public key, with its algorithm
- the validity period (not before / not after)
- the issuer, identified by its DN (id and common name)
- signature algorithm
- the issuer's signature over the cert: made with the issuer's private key, checked by the relying party with the issuer's public key

Extension fields
- Examples: authority and subject key identifiers, key usage, LDAP URL, CRL distribution points, etc.
- Key usage is very important: digital signature, non-repudiation, key or data encipherment, cert signing, etc.
- Extensions can be marked critical: if an app does not recognise a critical extension it must reject the cert; an unrecognised non-critical extension may be ignored
- Requires profiles to document, and great care...
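The critical-extension rule on this slide is easy to state and easy to get wrong in code, so here is an added example (not part of the slides) that decodes an X.509 Extensions sequence from DER, reads the critical flag (a BOOLEAN that is omitted entirely when false), decodes keyUsage named bits, and rejects the cert on an unrecognised critical extension. The sample bytes are constructed in the block with a tiny DER encoder; the OIDs under 1.3.6.1.4.1.99999 are made up to stand in for a vendor extension, and the set of "known" extensions is this verifier's own list.

```python
"""Decode X.509 v3 Extensions from DER and apply the critical-extension rule
(RFC 5280 s4.2): skip an unknown extension only if it is non-critical; an
unknown *critical* extension means the certificate is rejected.
Sample bytes are built below with a minimal DER encoder (constructed data)."""

KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

# Extensions this verifier understands (OID -> name); anything else is unknown.
KNOWN = {"2.5.29.14": "subjectKeyIdentifier", "2.5.29.15": "keyUsage",
         "2.5.29.19": "basicConstraints", "2.5.29.31": "cRLDistributionPoints",
         "2.5.29.35": "authorityKeyIdentifier"}

# --- minimal DER encoder, just enough to build the samples -------------------
def tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])    # samples stay under 256 bytes
    return bytes([tag]) + length + body

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        enc = [a & 0x7F]
        a >>= 7
        while a:                      # base-128; high bit set on every byte but the last
            enc.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(enc)
    return tlv(0x06, bytes(out))

def extension(dotted, value_der, critical):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    flag = tlv(0x01, b"\xff") if critical else b""            # DEFAULT FALSE is omitted in DER
    return tlv(0x30, oid(dotted) + flag + tlv(0x04, value_der))

def key_usage(names, critical=True):
    nbits = max(KEY_USAGE_BITS.index(n) for n in names) + 1
    bits = bytearray((nbits + 7) // 8)
    for n in names:
        i = KEY_USAGE_BITS.index(n)
        bits[i // 8] |= 0x80 >> (i % 8)                       # bit 0 is the MSB of the first byte
    unused = 8 * len(bits) - nbits
    return extension("2.5.29.15", tlv(0x03, bytes([unused]) + bytes(bits)), critical)

# --- minimal DER decoder -----------------------------------------------------
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_key_usage(extn_value):
    tag, body, _ = read_tlv(extn_value, 0)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    nbits = 8 * (len(body) - 1) - body[0]                     # body[0] = number of unused trailing bits
    return [KEY_USAGE_BITS[i] for i in range(min(nbits, len(KEY_USAGE_BITS)))
            if body[1 + i // 8] & (0x80 >> (i % 8))]

def parse_extensions(der):
    """Return [(name or OID, critical, decoded value)]; raise on an unknown critical extension."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        t, body, p = read_tlv(ext, 0)
        ext_oid, critical = decode_oid(body), False
        t, body, p = read_tlv(ext, p)
        if t == 0x01:                                         # optional critical BOOLEAN is present
            critical = body != b"\x00"
            t, body, p = read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        name = KNOWN.get(ext_oid)
        if name is None and critical:
            raise ValueError(f"unrecognised critical extension {ext_oid}: reject certificate")
        value = decode_key_usage(body) if name == "keyUsage" else body.hex()
        result.append((name or ext_oid, critical, value))
    return result

def accepts(der):
    """Relying-party decision: True only if every critical extension is understood."""
    try:
        parse_extensions(der)
        return True
    except ValueError:
        return False

# Constructed samples; 1.3.6.1.4.1.99999.* is a made-up private arc, not a real extension.
SAMPLE_OK = tlv(0x30, key_usage(["digitalSignature", "keyEncipherment"])
              + extension("1.3.6.1.4.1.99999.2", tlv(0x04, b"x"), critical=False))
SAMPLE_BAD = tlv(0x30, key_usage(["digitalSignature"])
               + extension("1.3.6.1.4.1.99999.1", tlv(0x04, b"x"), critical=True))

if __name__ == "__main__":
    for name, critical, value in parse_extensions(SAMPLE_OK):
        print(f"{name:24} critical={critical} value={value}")
    print("SAMPLE_BAD accepted:", accepts(SAMPLE_BAD))
```

Two details worth noticing: the BOOLEAN is absent when false, so the parser has to probe the tag rather than assume a fixed field position, and keyUsage bit 0 is the most significant bit of the first content byte after the unused-bits count, which is the opposite of the integer bit order most code expects.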

Certificate Revocation Lists (CRL)
- Purpose: to post revoked certs by serial number, in a list signed by the issuing CA
- Reasons for revocation include major (disaffiliation, key compromise, etc.) and minor (name change, attribute change)
- Path construction: to build the chain of trust from the issuer CA to a CA trusted by the relying party
- Certificate validation: uses the path to determine if the cert is valid, checking every cert in the path, not just the end-entity cert
- Application and user responses: what to do if revoked? What to do if status is unknown (CRL unreachable or stale)? Does the app or the user decide?

Cert Management
- Certificate Management Protocol (CMP): for the creation and management of certs
- OCSP (Online Certificate Status Protocol): on-line revocation status per cert instead of downloading a whole CRL, plus….
- Storage: where (device, directory, private cache, etc.) and how (format)
- Escrow and archive: when, how, and what else needs to be kept
- Cert Authority software
- Authority and policies

CA Software
- Sun/Netscape
- IBM
- W2K Server (Windows 2000 Certificate Services)
- SSLeay (OpenSSL and OpenCA)
- Van Dyke and CygnaCom public-domain code for path math (path construction and validation)

Directories
- to store certs
- to store CRLs
- to store private keys, for the time being
- to store attributes
- implement with border directories, or ACLs within the enterprise directory, or proprietary directories

Trust model components
- Certificate Policy statements: uses of particular certs, assurance levels for identification and authentication (I/A), audit and archival requirements
- Certification Practice Statements: the nitty-gritty operational issues
- Hierarchies vs bridges: a philosophy and an implementation issue
  - the concerns are transitivity and delegation
  - hierarchies assert a common trust model
  - bridges pairwise agree on trust models and policy mappings
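The CRL slide's path construction and validation questions and this slide's bridge policy mappings are one piece of relying-party logic, so here is an added example (not from the slides) that covers both. It builds every path from an end-entity cert back to a trust anchor through cross-certificates, then walks each path anchor-side first, checking validity, revocation against a CRL store, and certificate policies with the policy mappings asserted in each cross-cert. Everything in it is constructed: the CA names, the policy OIDs under 1.3.6.1.4.1.99999, and the CRL contents. Signature verification is deliberately omitted so the path and policy logic stands alone, and "fail closed when no CRL is available" is this code's answer to the slide's "what to do if unknown?" question, not a rule from the slides.

```python
"""Toy certification path construction and validation for a bridged PKI.
Builds paths from an end-entity cert to a trust anchor through cross-certs,
then checks validity, revocation (CRL store; fail closed when none is
available) and certificate policies with policy mappings applied at each
cross-cert. Signature checks are left out; all certs and OIDs are constructed."""
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: date
    not_after: date
    is_ca: bool
    policies: frozenset                            # certificatePolicies OIDs the cert asserts
    mappings: dict = field(default_factory=dict)   # issuerDomainPolicy -> subjectDomainPolicy

# Made-up policy OIDs under a private arc (not real certificate policies)
CAMPUS_HIGH = "1.3.6.1.4.1.99999.10.2"   # campus CP: high assurance (the relying party's own)
BRIDGE_MED  = "1.3.6.1.4.1.99999.20.2"   # bridge CP: medium
AGENCY_MED  = "1.3.6.1.4.1.99999.30.2"   # agency CP: medium
AGENCY_LOW  = "1.3.6.1.4.1.99999.30.1"   # agency CP: low, mapped to nothing

NOW = date(2001, 6, 1)
SPAN = dict(not_before=date(2000, 1, 1), not_after=date(2005, 1, 1))
CAMPUS_ROOT = Cert("CampusRoot", "CampusRoot", 1, is_ca=True, policies=frozenset({CAMPUS_HIGH}), **SPAN)
ANCHORS = {CAMPUS_ROOT.subject: CAMPUS_ROOT}
POOL = [  # everything the relying party has pulled from directories (constructed)
    # campus -> bridge cross-cert: "our high assurance is equivalent to bridge medium"
    Cert("Bridge", "CampusRoot", 100, is_ca=True, policies=frozenset({CAMPUS_HIGH}),
         mappings={CAMPUS_HIGH: BRIDGE_MED}, **SPAN),
    # bridge -> agency cross-cert: "bridge medium is equivalent to agency medium"
    Cert("AgencyRoot", "Bridge", 200, is_ca=True, policies=frozenset({BRIDGE_MED}),
         mappings={BRIDGE_MED: AGENCY_MED}, **SPAN),
    Cert("OtherCA", "Bridge", 201, is_ca=True, policies=frozenset({BRIDGE_MED}),
         mappings={BRIDGE_MED: AGENCY_MED}, **SPAN),
    Cert("alice@agency", "AgencyRoot", 301, is_ca=False, policies=frozenset({AGENCY_MED}), **SPAN),
    Cert("bob@agency",   "AgencyRoot", 302, is_ca=False, policies=frozenset({AGENCY_LOW}), **SPAN),
    Cert("carol@agency", "AgencyRoot", 303, is_ca=False, policies=frozenset({AGENCY_MED}), **SPAN),
    Cert("dave@other",   "OtherCA",    401, is_ca=False, policies=frozenset({AGENCY_MED}), **SPAN),
]
# CRL store: issuer -> {revoked serial: reason}. No entry means no CRL could be fetched.
CRLS = {"CampusRoot": {}, "Bridge": {}, "AgencyRoot": {303: "keyCompromise"}}   # OtherCA missing

def build_paths(cert, pool, anchors, seen=frozenset()):
    """Yield every path [cert issued by an anchor, ..., cert]; the anchor itself is not included."""
    if cert.issuer in anchors:
        yield [cert]
        return
    seen = seen | {cert.subject}                   # loop guard for cross-certified meshes
    for cand in pool:
        if cand.is_ca and cand.subject == cert.issuer and cand.subject not in seen:
            for head in build_paths(cand, pool, anchors, seen):
                yield head + [cert]

def validate(path, crls, now, required_policy):
    """Walk the path anchor-side first. Returns (status, detail)."""
    acceptable = {required_policy}                 # policies equivalent to ours, in the current CA's domain
    for depth, cert in enumerate(path):
        leaf = depth == len(path) - 1
        if not cert.not_before <= now <= cert.not_after:
            return "REJECT", f"{cert.subject}: outside validity period"
        if not leaf and not cert.is_ca:
            return "REJECT", f"{cert.subject}: end-entity cert used as an issuer"
        revoked = crls.get(cert.issuer)
        if revoked is None:                        # status unknown: this app decides, and fails closed
            return "UNKNOWN", f"{cert.subject}: no CRL from {cert.issuer}, failing closed"
        if cert.serial in revoked:
            return "REVOKED", f"{cert.subject}: serial {cert.serial} revoked ({revoked[cert.serial]})"
        matched = cert.policies & acceptable
        if not matched:
            return "REJECT", f"{cert.subject}: asserts {sorted(cert.policies)}, none equivalent to {required_policy}"
        acceptable = {cert.mappings.get(p, p) for p in matched}   # translate into the subject CA's domain
    return "ACCEPT", " -> ".join(c.subject for c in path)

def check(subject, pool=POOL, anchors=ANCHORS, crls=CRLS, now=NOW, required_policy=CAMPUS_HIGH):
    """Relying-party entry point: accept on the first valid path, else report why the last one failed."""
    ee = next(c for c in pool if c.subject == subject)
    outcome = ("REJECT", f"{subject}: no path to a trusted anchor")
    for path in build_paths(ee, pool, anchors):
        outcome = validate(path, crls, now, required_policy)
        if outcome[0] == "ACCEPT":
            break
    return outcome

if __name__ == "__main__":
    for who in ["alice@agency", "bob@agency", "carol@agency", "dave@other"]:
        print(who, *check(who))
```

The same code handles a plain hierarchy: remove the bridge, have CampusRoot issue the subordinate CA cert directly, and no mappings are needed because every cert already speaks the anchor's policy language. The bridge case is where transitivity shows up: the campus only ever agreed that its "high" equals the bridge's "medium", and the agency's "medium" is reachable only because the bridge in turn mapped it; an agency "low" cert (bob) fails, and a cert whose issuer publishes no CRL (dave) is treated as unknown rather than accepted.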

Cert-enabled applications
- Browsers
- S/MIME
- IPsec and VPN
- Globus

PKI Activities
- DLF: UCOP, Columbia, soon Minnesota
- FPKI (Federal PKI)
- PKI for NGI
- CREN CA
- In-sourced: MIT
- Out-sourced: Pittsburgh, Texas
- PKI Forum
- W2K

PKI Gaps
- Trust models
- Certificate server software
- Local authority
- Directories
- Interoperability
- Profile repository
- Policies and policy mappings

Will it fly?
- Well, it has to…
- Scalability
- Performance
- OBE
- "With enough thrust, anything can fly"