Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS 465 Certificates Last Updated: Oct 14, 2017.

Published byJack Knight Modified over 6 years ago

Similar presentations

Presentation on theme: "CS 465 Certificates Last Updated: Oct 14, 2017."— Presentation transcript:

1 CS 465 Certificates Last Updated: Oct 14, 2017

2 Background A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key distribution problem for public keys by narrowing the problem to the secure distribution of the CA public key

3 Certificate Generation
Who generates the subject’s key pair? Usually the subject generates the key pair and the CA only sees the public key. The CA challenges for ownership of the private key. Source: Stallings, Network Security Essentials

4 Terminology Certificate Authority (CA) – Issuer Expiration
Certification Practice Statement (CPS) A statement of the practices employed by the CA to issue certificates Registration Authority (RA) Entity that identifies and authenticates subjects Does not issue certificates Trusted Third Party (TTP) Expiration Valid lifetime of the certificate Certificate Revocation List (CRL) Analogous to a list of lost or stolen credit card numbers When do certificates need to be revoked? Relying party Recipient of a certificate that relies on the information it asserts How does the relying party validate the certificate? (5 steps) Public Key Infrastructure (PKI) Infrastructure necessary to deploy and use public key technology The infrastructure needed to recognize which public key belongs to whom

5 Certificate Verification
What steps should a relying party (e.g., web browser) take to verify a certificate? Integrity Expiration Revocation Usage constraints Basic Constraints Can the subject act as a CA? Is there a limit to the length of the certificate chain? Limitation on key use – encryption or signing Ownership Does the entity presenting the certificate have access to the associated private key? Challenge for ownership of the key at the time of the transaction

6 Compromised CAs There are risks when we trust a third party
The system is only as strong as the weakest link Attack examples (links on the lectures page) 2001: Verisign issued two fraudulent Microsoft certificates No revocation infrastructure, so Microsoft patch had to explicitly blacklist these two certificates in the verification code 2011: Dutch CA DigiNotor was compromised Led to man-in-the-middle attack on 300,000 Iranian citizens

7 PKI Reality Names – how to identify subjects?
Authority – no universal authority Trust – who do we trust as the CA? Revocation – hardest PKI problem to solve Certificate Revocation List (hard to keep updated, lists grow large) Fast expiration through short-lived keys Online certificate verification (OCSP) Source: Cryptography Engineering, Ferguson et al., Chapter 19

8 PKI Examples What are some examples of how a PKI could be implemented and used? Universal PKI Corporate VPN On-line banking University

9 Certificate Hierarchies
Complex organization may distribute the certificate issuing process Example: How might BYU issue student certificates using the University, College, Department organizational structure? BYU CA issues certificates to College CAs College CAs issue certificates to Department Cas Departments issue certificates to students How to create a hierarchy? How to verify a certificate chain? The relying party could only have the BYU public key The client or server has to discover the certificate chain – one method is for the client to deliver the chain to the server

10 Certificate Hierarchies
How to recover from a lost/stolen private key? What if the college has a private key compromised? College has to generate a new key pair and get BYU to sign a certificate with the new public key College has to sign department public keys again with the new key private key Re-issue department certificates Student certificates are ok What if department has it’s key compromised? Only have to re-sign certificates one level below in the hierarchy. Don’t need to re-create the entire hierarchy

Download ppt "CS 465 Certificates Last Updated: Oct 14, 2017."

Similar presentations

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Encryption and the Law: The need for a legal regulatory framework for PKI Yee Fen Lim Department of Law Macquarie University.

Encryption and the Law: The need for a legal regulatory framework for PKI Yee Fen Lim Department of Law Macquarie University.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CAMP - June 4-6, 2003 1 Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin 2003. This work is the intellectual property of the authors.

CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.
Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)

Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)
Lecture 5 Page 1 CS 236 Online Certificates A ubiquitous form of authentication Generally used with public key cryptography A signed electronic document.

Lecture 5 Page 1 CS 236 Online Certificates A ubiquitous form of authentication Generally used with public key cryptography A signed electronic document.

Similar presentations

Ads by Google