1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.

Presentation transcript:

1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002

2 The problem
Problem: How do principals learn each other’s public keys for a number of public-key based protocols, such as IPSec, IKE, PGP, S/MIME, or SSL?
Some naïve solutions:
– Configure each principal with the public key of every other principal (scalability problem).
– Publish public keys in Web sites or newspapers (authentication and scalability problems).
One accepted solution is through trusted intermediaries known as certification authorities (CAs).

3 The problem
CAs digitally sign data structures known as certificates that state the mapping between names and public keys.
A typical certificate contains
– a serial number
– the name of the principal being certified
– the public key of the principal
– the name of the certification authority
– valid duration of the certificate
– a digital signature

4 Digital signatures
[Figure: signature generation and verification. Sender side labels: Bob’s certificate without signature, Hash, Digest, Bob’s private key, Signature. Transfer label: sent to Alice from Bob (Bob’s certificate without signature, plus Signature). Receiver side labels: Bob’s public key, Hash, Digest, Compare.]

5 An example
If Alice’s certificate is issued by CA1 and Bob knows CA1’s public key, he can securely obtain Alice’s public key from Alice’s certificate.
In general, Bob may not know the public key of Alice’s CA (he knows CA1’s public key). Therefore, it is necessary for Bob to obtain a chain of certificates (also known as a certification path), e.g.,
– [CA2’s key is P2] signed by CA1
– [CA3’s key is P3] signed by CA2
– [Alice’s key is P4] signed by CA3

6 Certificate revocation
For various reasons (e.g., employment termination), a certificate may no longer be valid before the expiration date.
– The solution to this problem is to define a Certificate Revocation List (CRL), which contains serial numbers that should not be honored.
A CA periodically issues a signed CRL available in a public repository.
– An advantage of this approach is that CRLs may be distributed by exactly the same means as certificates.
Therefore, a certificate is valid if it has a valid CA signature, has not expired, and is not listed in the CA’s most recent CRL.
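The certification path from slide 5 and the three-part validity rule above, worked through as an added example (not part of the original slides). It assumes textbook RSA over known Mersenne primes as a stand-in signature scheme, integer timestamps, and CRLs whose own signatures were already checked; all names and values are constructed.

```python
import hashlib
from dataclasses import dataclass

def toy_keypair(p, q, e=65537):
    """Textbook RSA from two known primes: illustration only, not secure."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:
    serial: int
    subject: str
    subject_key: tuple      # (n, e) of the principal being certified
    issuer: str
    not_before: int
    not_after: int
    signature: int = 0

    def tbs(self):          # the certificate without its signature
        return repr((self.serial, self.subject, self.subject_key,
                     self.issuer, self.not_before, self.not_after)).encode()

def issue(issuer, issuer_priv, serial, subject, subject_key, nb, na):
    cert = Cert(serial, subject, subject_key, issuer, nb, na)
    n, d = issuer_priv
    cert.signature = pow(digest(cert.tbs(), n), d, n)
    return cert

def validate_path(anchor, anchor_key, path, crls, now):
    """Walk the path from the trusted CA; return the last subject's key."""
    issuer, (n, e) = anchor, anchor_key
    for c in path:
        if c.issuer != issuer or pow(c.signature, e, n) != digest(c.tbs(), n):
            raise ValueError(f"serial {c.serial}: not signed by {issuer}")
        if not c.not_before <= now <= c.not_after:
            raise ValueError(f"serial {c.serial}: outside validity period")
        if c.serial in crls.get(issuer, ()):   # CRL assumed already verified
            raise ValueError(f"serial {c.serial}: revoked by {issuer}")
        issuer, (n, e) = c.subject, c.subject_key
    return (n, e)

# Constructed sample: CA1 -> CA2 -> CA3 -> Alice, as in the slide.
M = [2**k - 1 for k in (61, 89, 107, 127)]           # known Mersenne primes
NAMES = ["CA1", "CA2", "CA3", "Alice"]
KEYS = {name: toy_keypair(M[i], M[(i + 1) % 4]) for i, name in enumerate(NAMES)}
PATH = [issue(NAMES[i], KEYS[NAMES[i]][1], 100 + i, NAMES[i + 1],
              KEYS[NAMES[i + 1]][0], 0, 1000) for i in range(3)]
```

Bob, who knows only CA1's public key, calls `validate_path("CA1", KEYS["CA1"][0], PATH, crls, now)` and gets Alice's key back only if every link passes all three checks.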

7 Authentication using certification
Bob is an application that needs to authenticate the user Alice.
– Bob needs Alice’s certificate (or certification path) and a recent CRL (or CRLs for the certification path).
– Bob can obtain them from directory service (X.500) or from Alice.
– If the certificate(s) is (are) valid, Bob obtains Alice’s public key from the certificate(s).
– Then, Bob will go through an authentication handshake whereby Alice proves she knows the private key that corresponds to the public key listed in her certificate.

8 Public key infrastructure
A PKI is defined as the set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke certificates based on public-key cryptography.
A PKI consists of five types of components:
– Certification authorities (CAs)
– Registration authorities (RAs)
– Certificate holders that are issued certificates and can sign digital documents and encrypt documents.
– Clients that validate digital signatures and their certification paths from a known public key of a trusted CA.
– Repositories that store and make available certificates and CRLs.

9 Public key infrastructure

10 Functions of a PKI
Registration: A subject first makes itself known to a CA.
Initialization: A subject gets the CA’s public key.
Certification: A CA issues a certificate.
Key pair recovery: A user’s private key may be backed up.
Key generation: Generate the private-public key pair.
Key update
– Key expiry: A graceful transition to a new key.
– Key compromise: A not so graceful transition to a new key.
Cross-certification: One direction or both directions.
Revocation: Cause a certificate to become invalid.
Certificate revocation notice distribution and publication

11 X.509 PKI (PKIX)
PKIX defines a profile to facilitate the use of X.509 certificates within Internet applications (RFC 2459).
– It specifically profiles the X.509 v3 certificate and X.509 v2 CRL.
– This profile does not assume the deployment of an X.500 directory system.
– The v3 certificate format extends the v2 format by adding provision for additional extension fields.
– The extensions provide methods for associating additional attributes with users or public keys and for managing the certification hierarchy, e.g., the subject alternative names extension allows additional identities to be bound to the subject of the certificate, such as an Internet electronic mail address, a DNS name, an IP address, and a URI.

12 X.509 v3 certificate
– Version
– Serial number
– Signature: Must be the same as the Signature Algorithm.
– Issuer Name
– Validity: Not before and not after
– Subject
– Subject Public Key Info: Carries the public key and identifies the algorithm with which the key is used.
– Issuer Unique ID and Subject Unique ID (optional)
– Extensions
– Signature Algorithm: Algorithm for generating the signature.
– Signature value

13 A single-CA model
A pure single-CA model consists of a single CA for the world. Problems:
– Almost impossible to find such a CA and other nontechnical issues.
– It is inconvenient, insecure, and expensive to obtain a certificate. It is difficult for the CA to authenticate the user requesting the certificate.
– It is not scalable if the CA’s key is changed.
A single-CA model with multiple registration authorities (RAs) trusted by the CA.
– The RAs authenticate users and users’ keys, and send a signed request to the CA.
– The CA is still responsible for issuing certificates.

14 Configured + delegated CAs model
This model, implemented in current browsers, configures keys of CAs (configured CAs), but the CAs can sign certificates authorizing other CAs to grant certificates (delegated CAs).
[Figure: CA, with configured CAs above delegated CAs]

15 A strict hierarchy
There is only one configured CA (root CA).
The CAs are related in a strict hierarchy and a hierarchical namespace is assumed.
– A CA is trusted only to certify name-to-key mappings for the names in the subtree of the namespace (name subordination).
– E.g., a CA on the premise polyu.edu.hk is entrusted for certificates with names of the form
– Therefore, Alice can authenticate to Bob by sending him all the certificates from the root down to herself.
But it turns out that this hierarchy is too rigid for a widespread deployment (experienced by PEM).

16 A strict hierarchy
[Figure: hierarchy with nodes IPRA, PCA1, PCA2, PCA3, CA, CA, User]
IPRA = Internet Policy Registration Authority (root)
PCAn = policy certification authority
CA = certification authority

17 A less restrictive hierarchy
This model also assumes a hierarchical name space and the name subordination rule.
Each node in the namespace is represented by a CA.
It contains three types of certificates:
– Down: a parent certifies the key of the child
– Up: a child certifies the key of the parent
– Cross: any node certifies the key of any other
E.g., [Figure: namespace tree with nodes Sun, MIT, West, East, Jeff, Radia, Steve]

18 A less restrictive hierarchy
If Radia.East.Sun wants to discover Steve.East.Sun’s key,
– She starts with her own key and finds the up certificate to the parent East.Sun.
– She notes that she has now reached an ancestor of Steve.East.Sun’s name, and proceeds downward from there.
If Radia.East.Sun wants to discover Jeff.MIT’s key,
– She continues on from East.Sun, following the up certificate to the parent (Sun), and then finding the cross-certificate to MIT, from there down to the name Jeff.MIT.
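The up/cross/down search that Radia performs, as an added example (not part of the original slides). The certificate store is modelled as a constructed set of `(kind, issuer, subject)` tuples; the West.Sun node and the single Sun-to-MIT cross-certificate are assumptions read off the slide's tree, and signature checking is left out to keep the focus on path discovery.

```python
def is_ancestor(node, name):
    """True if node is name itself or an ancestor (East.Sun of Radia.East.Sun)."""
    return name == node or name.endswith("." + node)

def find_path(start, target, certs):
    """Return the (kind, issuer, subject) certificates leading from start to target."""
    path, node = [], start
    # Phase 1: climb until we stand on an ancestor of the target's name,
    # taking a cross-certificate as soon as one lands on such an ancestor.
    while not is_ancestor(node, target):
        step = next((c for c in sorted(certs) if c[0] == "cross"
                     and c[1] == node and is_ancestor(c[2], target)), None)
        if step is None:
            parent = node.partition(".")[2]
            step = ("up", node, parent)
            if not parent or step not in certs:
                raise LookupError(f"no up or cross certificate from {node}")
        path.append(step)
        node = step[2]
    # Phase 2: descend one name component at a time along down certificates.
    prefix = target[:len(target) - len(node)].rstrip(".")
    for label in reversed(prefix.split(".") if prefix else []):
        step = ("down", node, f"{label}.{node}")
        if step not in certs:
            raise LookupError(f"no down certificate for {step[2]}")
        path.append(step)
        node = step[2]
    return path

# Constructed certificate store for the tree on the slide.
EDGES = [("Sun", "West.Sun"), ("Sun", "East.Sun"), ("MIT", "Jeff.MIT"),
         ("East.Sun", "Radia.East.Sun"), ("East.Sun", "Steve.East.Sun")]
CERTS = ({("down", p, c) for p, c in EDGES} | {("up", c, p) for p, c in EDGES}
         | {("cross", "Sun", "MIT")})
```

Without the cross-certificate the search reaches Sun, finds no parent, and fails, which is why the two namespaces need at least one cross link.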

19 The current status
A Federal PKI is currently under development in the US (
HK Government’s Electronic Transactions Ordinance stipulates the Postmaster General to be the CA.
PMI (Privilege Management Infrastructure)
– Instead of binding public keys to identities, PMI binds attributes to identities.
– Support rule-based and role-based access control decisions
– Attribute certificates (AC) vs. public key certificates (PKC)

20 Acknowledgements
The notes are based on
– R. Housley, W. Ford, W. Polk, D. Solo, “Internet X.509 Public Key Infrastructure Certificate and CRL Profile,” RFC 2459, January
– R. Perlman, “An Overview of PKI Trust Models,” IEEE Network Magazine, pp , Nov/Dec, 1999.