بسم الله. PKI Revealed Ayman Saeed Agenda Cryptography Review. PKI …… WHY and HOW!!!!!. X.509 Certificate. PKI Hierarchies Certification. Practical Implementation.

Slides:



Advertisements
Similar presentations
Chapter 14 – Authentication Applications
Advertisements

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
(n)Code Solutions A division of GNFC
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.
Public Key Management and X.509 Certificates
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (X509 PKI)
Introduction to PKI, Certificates & Public Key Cryptography Erwan Lemonnier.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Cryptographic Technologies
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.
Computer Science Public Key Management Lecture 5.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.
Public Key Cryptography July Topics  Symmetric and Asymmetric Cryptography  Public Key Cryptography  Digital Signatures  Digital Certificates.
1 Cryptography Cryptography is a collection of mathematical techniques to ensure confidentiality of information Cryptography is a collection of mathematical.
1 Cryptography Basics. 2 Cryptography Basic terminologies Symmetric key encryption Asymmetric key encryption Public Key Infrastructure Digital Certificates.
AQA Computing A2 © Nelson Thornes 2009 Section Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
©Copyrights 2011 Eom, Hyeonsang All Rights Reserved Distributed Information Processing 20 th Lecture Eom, Hyeonsang ( 엄현상 ) Department of Computer Science.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
每时每刻 可信安全 1The DES algorithm is an example of what type of cryptography? A Secret Key B Two-key C Asymmetric Key D Public Key A.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Cryptography Encryption/Decryption Franci Tajnik CISA Franci Tajnik.
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Networks Management and Security Lecture 3.
06 APPLYING CRYPTOGRAPHY
Key Management. Session and Interchange Keys  Key management – distribution of cryptographic keys, mechanisms used to bind an identity to a key, and.
Introduction to Public Key Infrastructure January 2004 CSG Meeting Jim Jokl.
Cryptography (2) University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Symmetric Cryptography, Asymmetric Cryptography, and Digital Signatures.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Agenda Cryptography ??. Encryption. Symmetric Encryption. Asymmetric Encryption. Diffie-hellman. Hashing. Digital signature. Authentication Protocols.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
CRYPTOGRAPHY Cryptography is art or science of transforming intelligible message to unintelligible and again transforming that message back to the original.
Key management issues in PGP
Basics of Cryptography
Unit 3 Section 6.4: Internet Security
Computer Communication & Networks
CompTIA Security+ Study Guide (SY0-501)
زير ساخت كليد عمومي و گواهي هويت
Digital Certificates and X.509
The Secure Sockets Layer (SSL) Protocol
Presentation transcript:

بسم الله

PKI Revealed Ayman Saeed

Agenda Cryptography Review. PKI …… WHY and HOW!!!!!. X.509 Certificate. PKI Hierarchies Certification. Practical Implementation of PKI.

Cryptography is not encryption, cryptography is a framework by which we can ensure the CIA triad for our information ; C for confidentiality, I for Integrity and A for authenticity.Cryptography is not encryption, cryptography is a framework by which we can ensure the CIA triad for our information ; C for confidentiality, I for Integrity and A for authenticity. We can achieve confidentiality by using encryption service, we can ensure the Integrity of a message by hashing it and we can finally authenticate the sender by using a combination of encryption and hashing.We can achieve confidentiality by using encryption service, we can ensure the Integrity of a message by hashing it and we can finally authenticate the sender by using a combination of encryption and hashing. Cryptosystem is the implemented form of the cryptographic framework, it consists of these three components :Cryptosystem is the implemented form of the cryptographic framework, it consists of these three components : 1- algorithms : cryptographic engines for doing encryption and hashing. 2- protocols : for establishing connections and negotiating parameters between the communicating parties. 3- keys : for encryption algorithms. SSL, IPSEC, SSH and PGP are good examples to be cryptosystems.SSL, IPSEC, SSH and PGP are good examples to be cryptosystems. Cryptography Review

Encryption can be done symmetrically and asymmetrically.Encryption can be done symmetrically and asymmetrically. For symmetric encryption, we are encrypting clear messages using a key and we are decrypting cipher messages using the same key. DES, 3DES, Blowfish, IDEA, RC5, Safer, Serpent and AES are the well known symmetric encryption algorithms.For symmetric encryption, we are encrypting clear messages using a key and we are decrypting cipher messages using the same key. DES, 3DES, Blowfish, IDEA, RC5, Safer, Serpent and AES are the well known symmetric encryption algorithms. For asymmetric encryption, we are encrypting clear messages using a key and we are decrypting cipher messages using a different key. RSA, ECC, ElGamel and Knapsack are the well known asymmetric encryption algorithms.For asymmetric encryption, we are encrypting clear messages using a key and we are decrypting cipher messages using a different key. RSA, ECC, ElGamel and Knapsack are the well known asymmetric encryption algorithms.

Symmetric encryption suffers from two major problems :Symmetric encryption suffers from two major problems : 1- it requires “ out of band “ exchange of keys. 2- not scalable, each pair of communicators should have a different key to use. Asymmetric encryption suffers from only one major problem :Asymmetric encryption suffers from only one major problem : Very slow compared to symmetric encryption, up to 1000 times slower. So, symmetric encryption is the normal choice for encrypting large amount of data, asymmetric encryption is used as the “out of band” way for symmetric encryption key distribution.So, symmetric encryption is the normal choice for encrypting large amount of data, asymmetric encryption is used as the “out of band” way for symmetric encryption key distribution.

Diffie-Hellman algorithm is considered as an implementation of key distribution using asymmetric pair of keys. Mohamed will generate two (public and private ) keys using his own Diffie-Hellman algorithm, Ali will do the same thing ; then, both of them will exchange his own public key, so Mohamed will have his own private key and Ali’s public key, he will use his Diffie-Hellman algorithm to generate a new private key ; Ali will have the same private key if he does the same operation.Diffie-Hellman algorithm is considered as an implementation of key distribution using asymmetric pair of keys. Mohamed will generate two (public and private ) keys using his own Diffie-Hellman algorithm, Ali will do the same thing ; then, both of them will exchange his own public key, so Mohamed will have his own private key and Ali’s public key, he will use his Diffie-Hellman algorithm to generate a new private key ; Ali will have the same private key if he does the same operation.

As we have mentioned before data integrity can be ensured using ……. Hashing.As we have mentioned before data integrity can be ensured using ……. Hashing.

Hashing is an irreversible process, with no keys.Hashing is an irreversible process, with no keys. MD2, MD4, MD5, SHA, HAVAL, RIPE and Tiger are the well known hashing algorithms.MD2, MD4, MD5, SHA, HAVAL, RIPE and Tiger are the well known hashing algorithms.

But we did not notice that we have a big huge weakness, if we are depending only on these hashing algorithms.But we did not notice that we have a big huge weakness, if we are depending only on these hashing algorithms. A simple newbie can execute an MITM attack, and he will be able to receive the message with digest from the sender so as to create a new fake message with a new generated hash (using the same hashing algorithm) to be sent to the poor receiver.A simple newbie can execute an MITM attack, and he will be able to receive the message with digest from the sender so as to create a new fake message with a new generated hash (using the same hashing algorithm) to be sent to the poor receiver. We can solve this problem by using HMAC with any hashing algorithm.We can solve this problem by using HMAC with any hashing algorithm.

This is our last step for the CIA triad, how can we ensure authenticity using cryptography !!!This is our last step for the CIA triad, how can we ensure authenticity using cryptography !!! Digital signature is used for achieving authenticity in a cryptographic form, it uses a combination of hashing and asymmetric encryption.Digital signature is used for achieving authenticity in a cryptographic form, it uses a combination of hashing and asymmetric encryption.

PKI …… WHY and HOW!!!!! Public Key Infrastructure is a Trust Connectivity media, I need to trust the sender before beginning a new session with him, but I do not have a direct look at him, how can I know that this public key is the one owned by the real sender; I need someone between us, someone that I can trust and that can trust this remote sender.Public Key Infrastructure is a Trust Connectivity media, I need to trust the sender before beginning a new session with him, but I do not have a direct look at him, how can I know that this public key is the one owned by the real sender; I need someone between us, someone that I can trust and that can trust this remote sender. How do I know I can trust you?How do I know I can trust you? Answer: The CA trusts me. How do I know the CA trusts you ?How do I know the CA trusts you ? Answer: you can see my certificate issued by the CA.

PKI infrastructure can be divided into four basic subsystems :PKI infrastructure can be divided into four basic subsystems : Registration AuthorityRegistration Authority Certification AuthorityCertification Authority Certification RepositoryCertification Repository Certification revocation systemCertification revocation system

Registration authority will deal the requester, who and why?? It could be an office with some humans to evaluate the requester or it could be a piece of software.Registration authority will deal the requester, who and why?? It could be an office with some humans to evaluate the requester or it could be a piece of software. Certification authority will issue the certificate for the requester as it is requested by the Registration authority.Certification authority will issue the certificate for the requester as it is requested by the Registration authority. All certificates issued by the CA will be stored in a certificate repositoryAll certificates issued by the CA will be stored in a certificate repository

Amr wants to participate in a PKI process:Amr wants to participate in a PKI process: He will send a request for the registration authority to be given a certificate.He will send a request for the registration authority to be given a certificate. RA will validate Amr’s Identity.RA will validate Amr’s Identity. RA will send a request for CA with Amr information.RA will send a request for CA with Amr information. CA will generate the certificate and will send it to Amr.CA will generate the certificate and will send it to Amr. A copy from this certificate will be saved at the certificate repo.A copy from this certificate will be saved at the certificate repo. The certificate that will be issued for Amr will have only his public Key, it will not carry Amr’s private key as it will be viewed for the public. So where is the private key !!.The certificate that will be issued for Amr will have only his public Key, it will not carry Amr’s private key as it will be viewed for the public. So where is the private key !!. Before requesting the certificate, Amr can generate both public and private keys at his PC, he can enclose the generated public key with the certificate request, CA will use this public key for the new issued certificate.Before requesting the certificate, Amr can generate both public and private keys at his PC, he can enclose the generated public key with the certificate request, CA will use this public key for the new issued certificate. As a second option, CA can generate both public and private keys, Amr can have his private “out of band”.As a second option, CA can generate both public and private keys, Amr can have his private “out of band”.

X.509 Certificate Before we proceed into the certificate anatomy ; I would like to predict the certificate structure from the view of what we really need from the certificate itself.Before we proceed into the certificate anatomy ; I would like to predict the certificate structure from the view of what we really need from the certificate itself. The certificate is a proof of trust from the CA to a specific user, so it should declare the name of this user ( this is the certificate of amr.saeed).The certificate is a proof of trust from the CA to a specific user, so it should declare the name of this user ( this is the certificate of amr.saeed). The certificate should declare the authority that issued this certificate (xyx.company).The certificate should declare the authority that issued this certificate (xyx.company). The certificate should have the public key of Amr in a clear form.The certificate should have the public key of Amr in a clear form. The contents of this certificate should be hashed and digitally signed by the issuer CA.The contents of this certificate should be hashed and digitally signed by the issuer CA.

This is X.509 certificate anatomy :This is X.509 certificate anatomy :

This certificate’s version is V3, serial number is 6b 3c ……., signature algorithms are SHA with RSA, issuer is Class 3 …….. Etc.This certificate’s version is V3, serial number is 6b 3c ……., signature algorithms are SHA with RSA, issuer is Class 3 …….. Etc.

This is the sequence of signing a digital certificate :This is the sequence of signing a digital certificate :

This is the sequence of verifying a digital certificate :This is the sequence of verifying a digital certificate :

Certificate loses its validity in one of these three cases :Certificate loses its validity in one of these three cases : 1-loss of integrity. 2-date expiration. 3-being revoked. Certificate revocation can be done if we have a sudden change ; a user loses his private key, someone leaves the company or something like that.Certificate revocation can be done if we have a sudden change ; a user loses his private key, someone leaves the company or something like that. Loss of integrity and date expiration can be easily known by the entity that receives the certificate ; how do this entity know that this certificate had been revoked !!! this the new problem that we should solve.Loss of integrity and date expiration can be easily known by the entity that receives the certificate ; how do this entity know that this certificate had been revoked !!! this the new problem that we should solve. Each of your trusted certification authorities should have a list of revoked certificates that were issued by this CA. This list is known as Certificate Revocation List (CRL) and this list should be broadcasted to all systems that trust this CA.bEach of your trusted certification authorities should have a list of revoked certificates that were issued by this CA. This list is known as Certificate Revocation List (CRL) and this list should be broadcasted to all systems that trust this CA.b

Each system should check CRL advertised by the CA that issued the received certificate.Each system should check CRL advertised by the CA that issued the received certificate.

Let us assume two situations to deal with, for a solid understanding of PKI Hierarchies and Cross-Certification:Let us assume two situations to deal with, for a solid understanding of PKI Hierarchies and Cross-Certification:

We have a big company that has multiple branches, each branch should have a dedicated CA for issuing certificates in this branch ; these branches should be authorized from subordinate CAs and subordinate CAs should be authorized from one root CA. This is known as hierarchal cross-certification. PKI Hierarchies Certification

The CA at the top of the hierarchy is called a root CA. Root CAs have self- signed certificates. Root CAs are the most trusted CAs in the organization. Child CAs are called subordinate CAs. Subordinate CAs are certified by the parent CAs. A parent CA certifies the subordinate CA by issuing and signing the subordinate CA certificate. A subordinate CA can be either an intermediate or an issuing CA. An intermediate CA issues certificates only to subordinate CAs. An issuing CA issues certificates to users, computers, or services.The CA at the top of the hierarchy is called a root CA. Root CAs have self- signed certificates. Root CAs are the most trusted CAs in the organization. Child CAs are called subordinate CAs. Subordinate CAs are certified by the parent CAs. A parent CA certifies the subordinate CA by issuing and signing the subordinate CA certificate. A subordinate CA can be either an intermediate or an issuing CA. An intermediate CA issues certificates only to subordinate CAs. An issuing CA issues certificates to users, computers, or services. So if a user receives a certificate that was issued by a CA which is a member in a hieratical cross certification model, this certificate should contain its certification path.So if a user receives a certificate that was issued by a CA which is a member in a hieratical cross certification model, this certificate should contain its certification path.

The belowfigure shows an example of certification path. The recipient should verify theses certificates one by one starting from bottom to top with the condition >>>>>>> the user trusts the root CA.The belowfigure shows an example of certification path. The recipient should verify theses certificates one by one starting from bottom to top with the condition >>>>>>> the user trusts the root CA.

سبحانك اللهم وبحمدك أشهد ان لا اله الا انت أستغفرك وأتوب اليك أستغفرك وأتوب اليك

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.