Presentation is loading. Please wait.

Presentation is loading. Please wait.

SMUCSE 5349/7349 Public-Key Infrastructure (PKI).

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "SMUCSE 5349/7349 Public-Key Infrastructure (PKI)."— Presentation transcript:

1 SMUCSE 5349/7349 Public-Key Infrastructure (PKI)

2 SMUCSE 5349/7349 What is PKI? Pervasive security infrastructure whose services are implemented and delivered using public-key concepts and techniques -(C. Adams, S. Lloyd) –Secure sign-on –End-user transparency –Comprehensive security

3 SMUCSE 5349/7349 Business Drivers Cost savings Inter-operability Uniformity Potential for validation/testing Choice of provider Consider the analogy with BUS architecture vs. point-to-point links

4 SMUCSE 5349/7349 Components and Services Certification authority Certificate repository Certificate revocation Key backup and recovery Automatic key update Key history Cross-certification Support for non-repudiation Time stamping

5 SMUCSE 5349/7349 Certificates Certificate vs. signature Types of certificates –X.509 (v1, v2, v3) –Simple Public Key Infrastructure (SPKI) certificates –PGP certificates –Attribute certificates

6 SMUCSE 5349/7349 Certificate Format Version number Serial number Signature algorithm identifier Issuer name Period of validity Subject name Subject’s public-key info. Issuer unique ID Subject unique ID Extensions Signature

7 SMUCSE 5349/7349 Key/Certificate Life Cycle Initialization –Registration –Key-pair generation (where?) –Certificate creation and dissemination –Key backup Issued –Certificate retrieval –Certificate validation Cancellation –Expiration –Revocation –History and archive

8 SMUCSE 5349/7349 Certificate Path Processing Eventual objective is to determine whether the key in a given certificate can be trusted –Path construction – aggregation of certificates to form a complete path –Path validation – validating each certificate in the path Target certificate is trusted only if every certificate in the path are trustworthy

9 SMUCSE 5349/7349 X.509 Hierarchy Forward certificates –Certificate of X generated by other CAs Reverse certificates –Certificates of other CAs generated by X Example from the book (showed in last class)

10 SMUCSE 5349/7349 Authentication Procedures One-way Two-way Three-way

11 SMUCSE 5349/7349 Problems with PKI Hierarchical model of trust –Chain of partial trust ending in one “fully trusted” entity Identifier associated with the key pair –Unique distinguished name within the namespace Private-key insecurity –Has to protect the private key Technical and Implementation difficulties –Assumption of global namespace –Difficulty in detecting key compromise –Inefficient revocation

12 SMUCSE 5349/7349 PKI Problems (cont’d) Limited assurance provided in reality –CA’s generally protected in case of failure –What certificate assure (usually) A particular message was generated by an entity that had available to it a particular private key; and CA that provided the certificate has, at some time in the past, had grounds for believing that that private key was associated with a particular entity. CA that provided the certificate has, at some time in the past, had grounds for believing that the entity had some kind of right to use that identifier, or had used that identifier in the past; and CA that provided the certificate has, at some time in the past, had grounds for believing that the entity had access to the appropriate private key.

13 SMUCSE 5349/7349 Problems (cont’d) –What it does not ensure Private key was originally available to other entities as well as the entity to which it purports to be 'bound'; Private key is now available to other entities as well as the entity to which it purports to be 'bound'; Private key invocation that gave rise to a particular message was performed by the entity; and Private key invocation that gave rise to a particular message was performed with the entity's free and informed consent. Privacy invasiveness –Just to talk to your buddy securely, you may need to tell your life story to a third party! Idiosyncrasy: –In order to have trust in the party you are transacting with, you are expected to have trust in organizations you have no relationship with at all

14 SMUCSE 5349/7349 What is Really Needed! Minimal Use of Identifiers Minimal Registration Requirements Mechanisms for Persistent Anonymity Value Authentication without Identity Attribute Authentication without Identity Recourse in case of violation

15 SMUCSE 5349/7349 Alternatives to PKI Web of trust like in PGP Simple Distributed PKI (SDPKI) Login ID, password Biometrics Other form of cetificates

Download ppt "SMUCSE 5349/7349 Public-Key Infrastructure (PKI)."

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
1 Lecture 13: Public Key Infrastructure terms PKI trust models –monopoly with registration authorities with delegated certificate authorities –oligarchy.

1 Lecture 13: Public Key Infrastructure terms PKI trust models –monopoly with registration authorities with delegated certificate authorities –oligarchy.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication (Part B)

Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication (Part B)
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Digital Signatures Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Digital.

Digital Signatures Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Digital.
 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,

 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.

Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.

Similar presentations

Ads by Google