SecureIT-2005, April 19-22, 2005

Slide 1: How to Start a PKI: A Practical Guide
Dr. Javier Torner, Information Security Officer, Professor of Physics
Slide 2: Agenda
– Why do you need a PKI?
– Basic Cryptography
– Near Future PKI Applications
– PKI Components and Services
– Deployment of a PKI
Slide 3: Why do you need a PKI?
– Protects against eavesdropping
– Protects against tampering
– Prevents impersonation
  – Spoofing
  – Misrepresentation
– Provides stronger authentication
Slide 4: Basic Cryptography
– Use of keys for encryption and decryption
– Types of keys
  – Symmetric-key encryption
    – Uses ONE single key (shared secret)
    – Efficient
    – Provides a minor degree of authentication (a ciphertext only proves that someone holding the shared key produced it)
    – Only effective if the symmetric key is kept secret!!
  – Public-key encryption (asymmetric encryption)
    – Involves a pair of keys: a public key (published) and a private key (kept secret)
– Key length and encryption strength
  – The strength of encryption is related to the difficulty of discovering the key
  – Encryption strength is described in terms of key size
Slide 5: Public Key Cryptography
Provides:
– Encryption and decryption
– Strong authentication
– Non-repudiation
– Tamper detection
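The two key models on slides 4 and 5, exercised with the openssl command-line tool. This is an added example, not material from the talk; it assumes openssl 1.1.1 or newer on PATH, and every key, passphrase and message in it is constructed throwaway demo data created in a scratch directory. The symmetric round trip shows the single shared secret doing both jobs; the public-key part shows encryption with the published half, and a signature made with the private half that verifies on the original bytes and fails once the file is altered (the tamper detection and non-repudiation properties from slide 5).

```shell
#!/bin/sh
# Added example (not from the talk): symmetric vs. public-key operations
# with the openssl CLI. Assumes openssl 1.1.1+ on PATH. All keys, secrets
# and messages are constructed demo material in a scratch directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Symmetric key: ONE shared secret both encrypts and decrypts. Whoever holds
# it can do either, so a ciphertext only proves "someone with the key made
# this" - the "minor degree of authentication" the slide refers to.
symmetric_roundtrip() {
  printf 'grades for spring term' > "$WORK/plain.txt"
  printf 'constructed-demo-passphrase' > "$WORK/secret.txt"
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass file:"$WORK/secret.txt" \
    -in "$WORK/plain.txt" -out "$WORK/plain.enc" || return 1
  openssl enc -d -aes-256-cbc -pbkdf2 -pass file:"$WORK/secret.txt" \
    -in "$WORK/plain.enc" -out "$WORK/plain.dec" || return 1
  [ "$(cat "$WORK/plain.txt")" = "$(cat "$WORK/plain.dec")" ]
}

# Public-key pair: the public half is published, the private half never
# leaves its owner. Generated once and reused by the functions below.
keypair_setup() {
  [ -f "$WORK/pub.pem" ] && return 0
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/priv.pem" 2>/dev/null || return 1
  openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem"
}

# Encryption: anyone with the public key can encrypt, only the private key
# holder can decrypt. RSA only wraps short payloads directly, which is why
# mail encryption uses it to protect a per-message symmetric key.
pubkey_roundtrip() {
  keypair_setup || return 1
  printf 'per-message symmetric key goes here' > "$WORK/msg.txt"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
    -in "$WORK/msg.txt" -out "$WORK/msg.enc" || return 1
  openssl pkeyutl -decrypt -inkey "$WORK/priv.pem" \
    -in "$WORK/msg.enc" -out "$WORK/msg.dec" || return 1
  [ "$(cat "$WORK/msg.txt")" = "$(cat "$WORK/msg.dec")" ]
}

# Digital signature: made with the private key, checked with the public key.
# Strong authentication and non-repudiation (only the private-key holder
# could have produced it) plus tamper detection (any change to the signed
# bytes breaks verification).
sign_file()   { openssl dgst -sha256 -sign "$WORK/priv.pem" -out "$2" "$1"; }
verify_file() { openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$2" "$1" >/dev/null 2>&1; }

tamper_detected() {
  keypair_setup || return 1
  printf 'transfer 100 to account A' > "$WORK/order.txt"
  sign_file "$WORK/order.txt" "$WORK/order.sig" || return 1
  verify_file "$WORK/order.txt" "$WORK/order.sig" || return 1   # genuine: verifies
  printf 'transfer 900 to account A' > "$WORK/order.txt"       # altered after signing
  if verify_file "$WORK/order.txt" "$WORK/order.sig"; then return 1; fi
  return 0                                                      # altered: rejected
}

symmetric_roundtrip && echo "symmetric round trip: ok"
pubkey_roundtrip    && echo "public-key round trip: ok"
tamper_detected     && echo "signature rejects tampered file: ok"
```

Run it as a plain script; each function returns zero on success so the checks can be reused from other scripts. The signature check is the property a certificate relies on: the CA's signature over the certificate body is verified with the CA's public key exactly the way `verify_file` verifies the order above.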
Slide 6: What is a Certificate?
A certificate is an electronic document used to identify:
– An individual
– A server
– A company
– Other entities
A certificate associates an identity with a public key.
Slide 7: What is a Certificate Authority?
A Certificate Authority (CA):
– validates identities
– issues certificates
The validation and assurance of identity depend on the policies of the given CA.
Slide 8: Contents of a Certificate
A certificate (X.509 v3) binds a Distinguished Name (DN) to a public key.
A DN is a series of attribute values that together uniquely identify an entity. For example:
  cn=Javier Torner, email=jtorner@csusb.edu, o=California State University San Bernardino, ou=Information Security Office
Slide 9: Near Future Applications
– Digital signatures (S/MIME)
– Mail encryption
– Certificate revocation
– SSL client certificates to POP/IMAP
– SSL client certificates to NNTP
– SSL client certificates for network access
– Hardware tokens – two-factor authentication
Slide 10: PKI Components and Services
– Certificate repository
– Certificate revocation
– Key backup and recovery
– Support for non-repudiation
– Time stamping
– Client software
Slide 11: PKI Phases
– Phase 0 – Basic infrastructure
  – Implement a Certificate Authority hierarchy structure
– Phase I – Authorization
– Phase II – Authentication
– Phase III – Incorporate a trusted bridge
Slide 12: PKI - Phase 0
– Define a Certificate Practice Statement
– Define a CA hierarchy
  – Root CA
    – Master or secondary CA
  – SSL (web server) CA
  – SSL clients CA
  – E-mail/encryption CA
  – Object CA
Slide 13: CA Certificate Practice Statement
– An easy way to start is to use PKI-Lite
– Edit and modify it to fit your institution
– The technology has been around for a while, but is still relatively new in deployment
Slide 14: PKI - Phase I
– Select software
  – OpenSSL, OpenCA
– Issue SSL server certificates
  – Class 3 web server certificates
  – Develop/enable a user request interface
  – Provide user education
– SSL client certificates
  – Start with certificates for authentication ONLY
  – Test on systems under your control (Information Security Office sites)
Slide 15: SSL Client Certificates
– Provide the ability to authenticate (primarily web) users using your institution's certificates
– Allow you to easily restrict the users of your data based on criteria within a certificate
Slide 16: Contents of a Phase I Server Certificate
  CN=www.infosec.csusb.edu
  Email=
  OU=Information Security Office
  O=California State University San Bernardino
  L=San Bernardino
  ST=California
  C=US
Slide 17: Contents of a Phase I ID Certificate
  CN=Javier Torner
  Email=jtorner@csusb.edu
  OU=Information Security Office
  O=California State University San Bernardino
  L=San Bernardino
  ST=California
  C=US
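The Phase 0 hierarchy (slide 12), the Phase I server and ID certificates (slides 14, 16 and 17) and the slide-15 idea of restricting access on criteria inside a certificate, carried through with the openssl command-line tool. This is an added example, not the presenter's infrastructure or OpenCA's code; it assumes openssl 1.1 or newer on PATH, and the organisation, hostname, person and e-mail address in the subjects are constructed for the demo (the real ones on slides 16 and 17 are not used). The root signs only the subordinate "SSL (web server) CA", which carries `pathlen:0`; the subordinate issues the server and client certificates; `openssl verify` then validates each leaf back to the root for its purpose, and the last function shows the path-length constraint rejecting a leaf issued under an unauthorised CA created beneath the subordinate.

```shell
#!/bin/sh
# Added example (not from the talk): a two-level CA hierarchy with the
# openssl CLI, following the Phase 0 / Phase I structure of the slides.
# Assumes openssl 1.1+ on PATH. Names, hostnames and addresses are
# constructed demo values, not the presenter's real infrastructure.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ORG="/C=US/ST=California/L=San Bernardino/O=Example University"
CFG="$WORK/ca.cnf"

# One config file holds the extension profile for each certificate type.
# The subordinate CA gets pathlen:0: it may sign end-entity certs only.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_sub_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.infosec.example.edu
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# issue NAME SUBJECT PROFILE ISSUER: new key + CSR for NAME, signed with
# ISSUER's key and the extension profile PROFILE from the config file.
issue() {
  openssl req -new -newkey ec:"$WORK/ec.pem" -nodes -config "$CFG" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
    -CAcreateserial -days 365 -extfile "$CFG" -extensions "$3" \
    -out "$WORK/$1.crt" 2>/dev/null
}

build_hierarchy() {
  [ -f "$WORK/client.crt" ] && return 0
  openssl ecparam -name prime256v1 -out "$WORK/ec.pem" || return 1
  # Root CA: self-signed; in practice kept offline and used only for sub-CAs.
  openssl req -x509 -new -newkey ec:"$WORK/ec.pem" -nodes -config "$CFG" \
    -extensions v3_root_ca -days 3650 -keyout "$WORK/root.key" -out "$WORK/root.crt" \
    -subj "$ORG/OU=Information Security Office/CN=Example Root CA" 2>/dev/null || return 1
  # "SSL (web server) CA" from the Phase 0 hierarchy, signed by the root.
  issue sub "$ORG/OU=Information Security Office/CN=Example SSL CA" v3_sub_ca root || return 1
  # Phase I server and ID certificates with the DN layout of slides 16-17.
  issue server "$ORG/OU=Information Security Office/CN=www.infosec.example.edu" v3_server sub || return 1
  issue client "$ORG/OU=Information Security Office/CN=Jane Doe/emailAddress=jdoe@example.edu" v3_client sub
}

# verify_chain CERT PURPOSE [UNTRUSTED]: path validation up to the root,
# including basicConstraints/pathlen and keyUsage/EKU checks for PURPOSE.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "${3:-$WORK/sub.crt}" \
    -purpose "$2" "$1" >/dev/null 2>&1
}

# cert_field CERT ATTR: first value of subject attribute ATTR (e.g. OU, CN).
cert_field() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n "s/^ *$2=//p" | head -n 1
}

# authorize_client CERT: slide-15 style restriction. Constructed policy: the
# cert must chain to our root for client authentication AND carry the
# approved OU. A server cert fails here because its EKU is serverAuth only.
authorize_client() {
  verify_chain "$1" sslclient || return 1
  [ "$(cert_field "$1" OU)" = "Information Security Office" ]
}

# A CA created under the pathlen:0 sub-CA, and a leaf under it, must be
# rejected by path validation even though every signature is valid.
pathlen_enforced() {
  build_hierarchy || return 1
  issue rogue "$ORG/OU=Unauthorized/CN=Unauthorized Sub CA" v3_sub_ca sub || return 1
  issue rogue_leaf "$ORG/OU=Unauthorized/CN=impostor.example.edu" v3_server rogue || return 1
  cat "$WORK/sub.crt" "$WORK/rogue.crt" > "$WORK/untrusted.pem"
  if verify_chain "$WORK/rogue_leaf.crt" sslserver "$WORK/untrusted.pem"; then return 1; fi
  return 0
}

build_hierarchy && echo "hierarchy built in $WORK"
verify_chain "$WORK/server.crt" sslserver && echo "server cert chains to root: ok"
authorize_client "$WORK/client.crt" && echo "client $(cert_field "$WORK/client.crt" CN) authorized"
pathlen_enforced && echo "leaf under unauthorized sub-CA rejected: ok"
```

The config file stands in for the policy decisions a Certificate Practice Statement records: which CA may sign what, how deep the hierarchy goes, and what each certificate type may be used for. A web server would present `server.crt` together with `sub.crt`; a browser that trusts `root.crt` can then build the same chain that `verify_chain` checks here, and an application doing client-certificate authentication applies a rule like `authorize_client` after the TLS handshake succeeds.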
Slide 18: The Future of PKI
– Phase 3 – Federated application design
– CA development
Slide 19: Valuable Resources
– http://www.modssl.org
– http://www.openssl.org
– http://www.openca.org
– http://www.educause.edu/HEPKI
– Understanding PKI – Carlisle Adams and Steve Lloyd (ISBN 1-57870-166-X)
– Digital Certificates – Jalal Feghhi, Jalil Feghhi, Peter Williams (ISBN 0-201-30980-7)