Some Technical Issues in PKI Deployment David Chadwick
Certificate Extensions
X.509v3 certificates hold a set of extensions
Each extension is uniquely identified by a globally unique number (an object identifier, OID) and carries a critical flag
Every organisation can obtain its own OID arc, so can define its own extensions
–Netscape extensions, Microsoft extensions, Entrust extensions, Baltimore extensions, your very own extensions
Therefore certificates are infinitely extensible, which can cause interoperability problems: a relying party that does not recognise an extension must ignore it if it is non-critical, but must reject the whole certificate if it is marked critical

Certificate Profiles
These try to limit the extensions that are allowed in certificates
–e.g. the PKIX profile specified in RFC 2459 (since superseded by RFC 5280)
But the profiles themselves offer many options e.g.
–one key pair, two key pairs or three key pairs (one key for everything; separate signing and encryption keys; or separate signing, encryption and authentication keys)
–one policy or more
–any algorithm, e.g. DSA, RSA or elliptic curve
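The two slides above turn on one processing rule: a relying party has a profile of extensions it understands, ignores anything else that is non-critical, and rejects a certificate carrying an unrecognised critical extension. The following is an added example, not code from the slides or from any PKI product named on them. It decodes a DER-encoded Extensions SEQUENCE with a minimal hand-written parser and applies that rule; KNOWN_OIDS is a constructed allow-list standing in for a profile, the sample extension blocks are built in the script, and PRIVATE_EXT is a hypothetical extension under the enterprise arc RFC 5612 reserves for documentation.

```python
"""Added example (not from the slides): decode a DER Extensions SEQUENCE and
apply the RFC 5280 rule behind the slide's interoperability point: an
unrecognised extension is ignored when non-critical but forces rejection when
critical. The recognised set is the relying party's profile (a constructed
allow-list). Standard library only; the sample input is built below."""
from typing import Dict, List, Tuple

# Extensions this relying party understands: a minimal PKIX-style profile.
KNOWN_OIDS: Dict[str, str] = {
    "2.5.29.14": "subjectKeyIdentifier", "2.5.29.15": "keyUsage", "2.5.29.17": "subjectAltName",
    "2.5.29.19": "basicConstraints", "2.5.29.35": "authorityKeyIdentifier"}
NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1"  # well-known vendor extension
# Hypothetical private extension under the enterprise arc RFC 5612 reserves for
# documentation; it stands in for the slide's "your very own extensions".
PRIVATE_EXT = "1.3.6.1.4.1.32473.1"

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body: bytes) -> str:
    arcs = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def parse_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end

def encode_extension(oid: str, critical: bool, value: bytes) -> bytes:
    body = encode_oid(oid)
    if critical:  # DER omits a BOOLEAN equal to its DEFAULT (FALSE)
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))

def parse_extensions(der: bytes) -> List[Tuple[str, bool, bytes]]:
    """Decode SEQUENCE OF Extension { extnID, critical DEFAULT FALSE, extnValue }."""
    tag, seq, end = parse_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one SEQUENCE OF Extension")
    exts, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = parse_tlv(seq, pos)
        oid_tag, oid_body, p = parse_tlv(ext, 0)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("Extension must be SEQUENCE { OBJECT IDENTIFIER, ... }")
        critical = False
        tag, body, p = parse_tlv(ext, p)
        if tag == 0x01:  # optional BOOLEAN critical
            critical = body != b"\x00"
            tag, body, p = parse_tlv(ext, p)
        if tag != 0x04 or p != len(ext):
            raise ValueError("extnValue must be the final OCTET STRING")
        exts.append((decode_oid(oid_body), critical, body))
    return exts

def evaluate(exts, known: Dict[str, str]) -> Tuple[bool, List[str], List[str]]:
    """RFC 5280 s4.2: reject on any unrecognised critical extension, ignore
    unrecognised non-critical ones, refuse a duplicated extnID."""
    seen, unknown_critical, ignored = set(), [], []
    for oid, critical, _ in exts:
        if oid in seen:
            raise ValueError(f"duplicate extension {oid}")
        seen.add(oid)
        if oid not in known:
            (unknown_critical if critical else ignored).append(oid)
    return (not unknown_critical, unknown_critical, ignored)

# Constructed sample input: a typical end-entity extension block ...
BASE_EXTS = [encode_extension("2.5.29.19", True, tlv(0x30, b"")),          # basicConstraints cA=FALSE
             encode_extension("2.5.29.15", True, tlv(0x03, b"\x07\x80")),  # keyUsage digitalSignature
             encode_extension(NETSCAPE_CERT_TYPE, False, tlv(0x03, b"\x07\x80"))]
INTEROP_EXTS = tlv(0x30, b"".join(BASE_EXTS))
# ... and the same block plus a private extension marked critical.
PRIVATE_CRITICAL_EXTS = tlv(0x30, b"".join(BASE_EXTS + [encode_extension(PRIVATE_EXT, True, b"\x05\x00")]))
```

Running `evaluate(parse_extensions(INTEROP_EXTS), KNOWN_OIDS)` accepts the certificate and reports the Netscape extension as ignored; the same call on PRIVATE_CRITICAL_EXTS rejects it and names the private OID. That asymmetry is the practical rule for anyone defining "your very own extensions": mark them critical only if every relying party is guaranteed to implement them.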

Key Lifecycles
Key Generation
–by the CA or the user?
Initial Certification
–What protocol? CMP, or CMC which carries its requests inside CMS (PKCS#7)
Storage of Private Keys
–Where? hardware or software. Software-only storage is a problem in a university environment
–Portability between applications
–Portability of hardware devices e.g. smart cards
Revocation of Public Key Certificates
–How, and by whom. Automatic or manual, how the requester is authenticated, etc.

Key Lifecycles (cont)
Publication of Certificates and CRLs
–Using LDAP, FTP or the Web?
–Retrieval issues - how to select the right certificate
Key Update/Roll over
–User keys, manual or automatic
–Root CA keys, and migration of users to the new root
Key Backup
–Do we want it or not? For decryption keys probably yes (otherwise the data is lost with the key), for signing keys definitely NO (a second copy of a signing key undermines non-repudiation)
Key Archive
–For non-repudiation purposes: old certificates and public keys must stay available so that signatures made before expiry can still be verified

Problems with Use of LDAP
Cannot search for particular certificates or CRLs (the attribute value is an opaque binary blob, so no filter can match a field inside it)
–Create separate attributes holding the searchable fields and search for them
–Retrieve all the certificates from the same entry and hope they are the ones you want
Cannot retrieve particular certificates or CRLs (a multi-valued attribute is returned whole)
–Create separate attribute types e.g. encCertificate, userCertificate
–Create separate entries e.g. CN=David Chadwick (Enc)
–Create separate subtrees e.g. OU=Encryption
–Create child entries holding different certificates
LDAP is poor at supporting distributed directories
–Causes problems for multiple CA interworking

Certification Infrastructures - Which Type?
Hierarchy, with a single root of trust e.g. Identrus, EuroPKI
Cross certification between peer CAs or hierarchies - technical and legal issues, and the number of cross certificates grows with the square of the number of peers
Bridge CA - a central point for cross certification that sets policy and acts as a bridge of trust, so each CA cross-certifies once with the bridge rather than with every peer
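What the three infrastructures mean for a relying party is how it discovers a certification path from its trust anchor to an end entity. The following is an added example, not from the slides, that models CAs as graph nodes and every CA certificate (including cross certificates) as a directed issuer-to-subject edge, then runs a breadth-first path search over a constructed three-domain topology wired first as isolated hierarchies, then as a cross-certified mesh, then through a bridge CA. All CA and user names are invented for the example; the cross-certificate counts are the standard n(n-1) for a full mesh versus 2n for a bridge.

```python
"""Added example (not from the slides): certification-path discovery over the
three trust topologies on the slide. CAs are nodes, each CA certificate
(including a cross certificate) is an issuer -> subject edge, and the relying
party searches from its trust anchor. All names are constructed."""
from collections import deque
from typing import Dict, List, Optional, Tuple

Cert = Tuple[str, str]  # (issuer, subject)

def build_path(certs: List[Cert], trust_anchor: str, target: str,
               max_len: int = 8) -> Optional[List[Cert]]:
    """Breadth-first search from the trust anchor; returns the shortest
    certification path as a list of certificates, or None when there is none.
    max_len caps the path length the way a pathLenConstraint would."""
    by_issuer: Dict[str, List[Cert]] = {}
    for cert in certs:
        by_issuer.setdefault(cert[0], []).append(cert)
    queue = deque([(trust_anchor, [])])
    visited = {trust_anchor}  # mutual cross certs form loops; never revisit a CA
    while queue:
        name, path = queue.popleft()
        if name == target:
            return path
        if len(path) >= max_len:
            continue
        for cert in by_issuer.get(name, []):
            if cert[1] not in visited:
                visited.add(cert[1])
                queue.append((cert[1], path + [cert]))
    return None

def hierarchy(root: str, subs: List[str], users: Dict[str, str]) -> List[Cert]:
    """Root certifies each subordinate CA; subordinates certify end entities."""
    return [(root, s) for s in subs] + [(ca, u) for u, ca in users.items()]

def cross_certify(a: str, b: str) -> List[Cert]:
    """Two peers issue each other a cross certificate, one in each direction."""
    return [(a, b), (b, a)]

def cross_certs_needed(n_domains: int, bridge: bool) -> int:
    """Full mesh between n domains needs n(n-1) cross certificates; a bridge
    CA needs 2n, because each domain cross-certifies only with the bridge."""
    return 2 * n_domains if bridge else n_domains * (n_domains - 1)

# Constructed topology: three PKI domains, each a small hierarchy.
DOMAIN_A = hierarchy("RootA", ["CA-A1"], {"alice": "CA-A1"})
DOMAIN_B = hierarchy("RootB", ["CA-B1"], {"bob": "CA-B1"})
DOMAIN_C = hierarchy("RootC", ["CA-C1"], {"carol": "CA-C1"})
DOMAINS = DOMAIN_A + DOMAIN_B + DOMAIN_C
# 1. Isolated hierarchies: a relying party trusting RootA cannot reach bob.
# 2. Peer cross certification: every root cross-certifies every other root.
MESH = (DOMAINS + cross_certify("RootA", "RootB") + cross_certify("RootA", "RootC")
        + cross_certify("RootB", "RootC"))
# 3. Bridge CA: every root cross-certifies the bridge and nobody else.
BRIDGED = (DOMAINS + cross_certify("RootA", "Bridge") + cross_certify("RootB", "Bridge")
           + cross_certify("RootC", "Bridge"))

if __name__ == "__main__":
    for label, certs in (("hierarchy", DOMAINS), ("mesh", MESH), ("bridge", BRIDGED)):
        print(label, build_path(certs, "RootA", "bob"))
    for n in (3, 10):
        print(n, "domains: mesh", cross_certs_needed(n, False), "bridge", cross_certs_needed(n, True))
```

The bridge path to bob is one certificate longer than the mesh path, which is the price paid for the bridge: with three domains both designs need six cross certificates, but at ten domains the mesh needs ninety against the bridge's twenty, and every one of the mesh certificates is a bilateral policy and legal negotiation.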