Download presentation
Presentation is loading. Please wait.
1
Introduction to PKI, Certificates & Public Key Cryptography Erwan Lemonnier
2
Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Role of Computer Security CIA Confidentiality: protection against data disclosure Integrity: protection against data modification Availability: protection against data disponibility Identification & Authentication (I&A) Provide a way of identifying entities, and controlling this identity Non-repudiability Bind an entity to its actions
3
Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com How to implement CIA, I & A, N-R ? With Cryptography ! Main cryptographic tools: Hash Functions Secret Key Cryptography Public Key Cryptography And their combinations: Certificates PKI
4
Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Main cryptographic tools Hash Functions: Bind one entity with a unique ID => Signature Hash + Encryption => trusted signature Symmetric Key Cryptography 2 users share a secret key S and an algorithm. S(S(M)) = M Problem: how to exchange secret keys ? =>Secret Key Server (ex: kerberos)
5
Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Main cryptographic tools Public Key Cryptography: Each user has a public key P and a private key S, and an algorithm A. P(S(M)) = S(P(M)) = M No shared secret ! Encryption with Public Key CryptoAuthentication with Public Key Crypto
6
Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Main cryptographic tools, PKI How to distribute public keys ? Public Key Server (PKS), key exchange protocols Public Key Infrastructure (PKI): PKI = N x (Entities with private keys) + public key exchange system REM: Public Key algorithms are slow Need to use both Public & Secret Key Cryptography Public Key Protocols work in 3 phases 1.Authentication via Public Key Cryptography (challenge) 2.Exchange of a session Secret Key, encrypted with Public Key Crypto 3.Session encrypted with Symmetric Cryptography
7
Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Certificate A certificate binds an entity with its public key. It’s just a digitally signed piece of data. digital ID card an entity’s description (name, etc.) + entity’s public key + expiration date, serial number, etc. + CA’s name + a signature issued by a CA Certificate = The certificate is issued and signed by a trusted Certificate Authority (CA) Digital signature: CA signature = certificate hash, encrypted with CA’s private key
8
Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Certificate The certificate’s CA is the only entity able to create/modify the certificate the CA has to be trusted Certificates enable: Clients to authenticate servers Servers to authenticate clients Public key exchange without Public Key Server No disclosure of private/secret keys. Certificates are usually stored encrypted. Special features: chains of CAs, to distribute the task of issuing Certificates Certificate Revocation List, to disable certificates
9
Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Usual cryptographic algorithms & infrastructures Hash:MD4, MD5, SHA-1 Symmetric Key:DES, 3DES, AES (Rijnael), IDEA, RC4 Public/Private Key:RSA, Diffie-Hellman Certificat: X509 PKI:IPSec, SSL, (kerberos)
10
Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com example: IPSec IPSec works at IP level. Provide authentication and encryption. Used to build VPNs. Configuration: 2 transfert modes: tunnel or transport 2 transfert protocols: AH (Authentication Header) => authenticated traffic ESP (Encapsulating Security Payload) => encrypted traffic Key exchange protocols: Internet Key Exchange (IKE), Internet Security Association and Key Management Protocol (ISAKMP), etc.
11
Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Weaknesses of PKI and Certificates PKI: unsecured server: hackable Public Key/Certificate servers unsecured client:private keys/passwords can be stolen/spied weak algorithm:short keys, implementation or design breach Certificate: unsecured computer: certificates can be stolen, password spied certificate password: certificates are stored encrypted, with weak password untrustable CA: easy to be issued a certificate from a CA users: they seldom check if CA can be trusted before accepting certificates (netscape GUI) Attack example: hack client’s computer, steal certificate & password man in the middle
12
Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Links Book: Applied cryptography, Bruce Schneier URLs: theory.lcs.mit.edu/~rivest/crypto-security.html www.counterpane.com/pki-risks.html www.csc.gatech.edu/~copeland/8813/slides/ www.iplanet.com/developer/docs/articles/security/pki.html web.mit.edu/6.857/OldStuff/Fall96/www/main.html
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.