Presentation is loading. Please wait.

Presentation is loading. Please wait.

4th October 2008CPE Meet - K S Sesha Prakash1 Today’s subject - PKI is the answer Public Key Infrastructure Answer ?? For what and why.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "4th October 2008CPE Meet - K S Sesha Prakash1 Today’s subject - PKI is the answer Public Key Infrastructure Answer ?? For what and why."— Presentation transcript:

1 4th October 2008CPE Meet - K S Sesha Prakash1 Today’s subject - PKI is the answer Public Key Infrastructure Answer ?? For what and why

2 4th October 2008CPE Meet - K S Sesha Prakash2 This session is Functionally orientated than technical. Shows why a PKI is needed Will give a glimpse of PKI structure in India. My exposure to PKI is from the audits I have conducted on one of the CA’s and several RA’s across India. The subject has fascinated me ever since. I have borrowed information from the sites of CCA, RCAI, IDRBT, WIKIPEDIA and many other web-sites. I acknowledge their copyrights to some of the information reproduced here. Public Key Infrastructure

3 4th October 2008CPE Meet - K S Sesha Prakash3 Cryptography is the root cause for the structure of PKI. PKI’s have their origins to fulfill the need how to share a secret between two & MORE so between groups without compromise how to believe that the information originates from the very person claiming to have sent it Public Key Infrastructure

4 4th October 2008CPE Meet - K S Sesha Prakash4 The Paper World A paper document consists of four components the carrier ( the sheet of paper) text and pictures ( the physical representation of information) information about the originator measures to verify the authenticity (handwriting / written signature) All the four components are physically connected So, paper is the document There is only one original can be reproduced in innumerable copies Signature Supposed to be unique, difficult to be reproduced, not changeable and not reusable Its main functions identification declaration proof The signature is used to identify a person and to associate the person with the content of that document always relates to a physical person Public Key Infrastructure

5 4th October 2008CPE Meet - K S Sesha Prakash5 Electronic World Electronic document produced by a computer, is stored in digital form, and cannot be perceived without using a computer It can be deleted, modified and rewritten without leaving a mark or trail Integrity of an electronic document is “genetically” impossible to verify A copy is indistinguishable from the original It can’t be sealed in the traditional way, where the author affixes his signature The functions of identification, declaration, proof of electronic documents carried out using a digital signature based on cryptography. Public Key Infrastructure

6 4th October 2008CPE Meet - K S Sesha Prakash6 To Understand, we need to know certain words and their means before proceeding Plain text Cipher text Encryption Decryption Algorithm Key Key exchange Symmetric Key Asymmetric key Message digest / Hash Digital Signature Electronic Signature Electronic Document Public Key Infrastructure

7 4th October 2008CPE Meet - K S Sesha Prakash7 Plain text is just plain text Cipher text is garbled text, which prima facie one will not be able to read / understand Process of converting the plain text to cipher text is ENCRYPTION The reverse process is DECRYPTION If software does the encryption or decryption, the method adopted is algorithm Key is the actual secret which can unravel the encryptionencryption Public Key Infrastructure

8 4th October 2008CPE Meet - K S Sesha Prakash8 A Symmetric Key, the same key (or Secret Key) can encrypt or decrypt the message – Symmetric cryptography An asymmetric key on the other hand is a pair. One key encrypts and the other decrypts. The same key cannot encrypt and decrypt. To distinguish the keys the terminology used is the Private Key and Public Key. The Private Key is held secret by the owner and the Public Key is distributed. – Who distributes? Public Key Infrastructure

9 4th October 2008CPE Meet - K S Sesha Prakash9 A hash or a message digest is a one way hash – it is of fixed length. It is a unique value for a given data. Any difference would result in a different value & give the same value every time it is recomputed for the same data. It cannot be reversed in the sense that you cannot deduce the original content – hence one way.original content hence one way. Public Key Infrastructure The message length is not the criterion. Hash algorithms return only a fixed length.fixed length The hash value changes even if there is a small change in the content and returns the same value every time it is recomputed.content This assures message INTEGRITY

10 4th October 2008CPE Meet - K S Sesha Prakash10 Large volume messages or data is normally encrypted by Symmetric Cryptography and DES (Data Encryption Standard) or Triple DES or AES (Advanced Encryption Standard). You have a key (symmetric key) which works both ways here.here This Ensures CONFIDENTIALITY This Symmetric Key is to be a secret between two person only. If is More it becomes difficult to pin down a message to a single person. Hence each pair should have one key. If the community is large? No. of Keys required is - No. of people N*(N-1) / 2 Keys 2 persons – 1 Key : 3 persons – 3*(3-1) / 2 ie., 4 Keys 10 persons – 10*(10-1) / 2 ie., 45 Keys 1000 persons – 1000*(1000-1) / 2 ie., 4,99,500 Keys How to distribute these key? & How will you remember whose key is to be applied to which message More so, if the parties are geographically far apart and instantly (internet) Possibility of interchange and therefore key compromise Public Key Infrastructure

11 4th October 2008CPE Meet - K S Sesha Prakash11 Large volumes of either data or text messages cannot be viably done by asymmetric cryptography due to requirement of large computing resources. Hence, it is commercially used for small amount of data or text. Now you have a pair of keys, one a private key & the other a public key. Public Key Infrastructure The Private Key is held secret by the owner and the Public Key is distributed This ensures NON REPUDIATION. The private key should always be a secret. So now it is possible to send the public key with encrypted message over unsecured channels also.

12 4th October 2008CPE Meet - K S Sesha Prakash12 Digital signature is the message hash and Symmetric key of the message – both are encrypted and signed by the private key. A digital signature is not unique to an individual. It is unique to a message Ex. Of digital signatures of same person on different documents is as under Public Key Infrastructure As against the digital signature an Electronic or digitized signature described by many court rulings is the actual signature which can be scanned and reproduced I agree efcc61c1c03db8d8ea8569545c073c814a0ed755 My place of birth is at Gwalior. fe1188eecd44ee23e13c4b6655edc8cd5cdb6f25 I am 62 years old. 0e6d7d56c4520756f59235b6ae981cdb5f9820a0 I am an Engineer. ea0ae29b3b2c20fc018aaca45c3746a057b893e7 I am a Engineer. 01f1d8abd9c2e6130870842055d97d315dff1ea3

13 4th October 2008CPE Meet - K S Sesha Prakash13 Public Key Infrastructure To summarize : When a message is sent or received, we need to ensure the following: Data integrity – is about data not changed since the time it was sent by the originator and received by the recipient - Hash / Message hash addresses this. Confidentiality – Encryption (preferably Symmetric Cryptography) addresses this as only the recipient can decrypt the message/data. We assume that the key is available only with both the originator and the recipient. Non-repudiation – The key pair (Public and Private ie., Asymmetric Cryptography) addresses this. Only the originator can encrypt the message / data with his private key

14 4th October 2008CPE Meet - K S Sesha Prakash14 Public Key Infrastructure Identification and authentication – In a small community this is easily addressed through out of band channels. However, within the global community, this becomes difficult. Key Transport / Key distribution – as above, possible in a small community and not in a global community. In global communities, how to ensure the originator is genuine ie., whom to trust? PKI will address these issues.

15 4th October 2008CPE Meet - K S Sesha Prakash15 Information Technology Act IT Act 2000 : Basic legal framework for E-Commerce - promotes trust in electronic environment – gazetted on 9th June 2000 IT Act creates a conducive environment for promoting E-Commerce in the country. Acceptance of electronic documents as evidence in a court of law. Acceptance of electronic signatures at par with handwritten signatures Acceptance of electronic documents by the government. Defines digital signatures based on asymmetric public key cryptography Provides for the creation of Certifying Authorities to issue public key certificates – digital certificates for electronic authentication of users in electronic commerce. Public Key Infrastructure

16 4th October 2008CPE Meet - K S Sesha Prakash16 The Controller of Certifying Authorities (CCA) Appointed by the Central Government under section 17 of the IT Act. Came into existence on November 1, 2000. Aims at promoting the growth of E-Commerce and E-Governance through the wide use of digital signatures. Public Key Infrastructure

17 4th October 2008CPE Meet - K S Sesha Prakash17 Trust in Electronic Environment in India Controller of Certification Authorities in position : Root of trust, National Repository Licensed CAs Digital signatures for signing documents Certificates, CRLs for access by relying parties PKI operational Other provisions of the IT Act – Cybercrimes not to go unpunished Public Key Infrastructure

18 4th October 2008CPE Meet - K S Sesha Prakash18 PKI Hierarchy in India CCA CA Relying Party Subscriber Directory of Certificates CRLs Directory of Certificates Subscriber RA

19 4th October 2008CPE Meet - K S Sesha Prakash19 Public Key Infrastructure Seven CA’s has been licensed Safescrypt - A subsidiary of Satyam Infoway National Informatics Center (NIC) - Govt. of India Institute for Development & Research in Banking Technology (IDRBT) – A society of RBI Tata Consultancy Services (TCS) M T N L Customs & Central Excise (n) Code Solutions - (A div. of Gujarat Narmada Valley Fertilizers Co. Ltd.)

20 4th October 2008CPE Meet - K S Sesha Prakash20 PKI Standards Public Key Cryptography  RSA - Asymmetric Cryptosystem  Diffie-Hellman - Asymmetric Cryptosystem  Elliptic Curve Discrete Logarithm Cryptosystem Digital Signature Standards  RSA, DSA and EC Signature Algorithms  MD5, SHA-1 - Hashing Algorithms Directory Services (LDAP ver 3)  X.500 for publication of Public Key Certificates and Certificate Revocation Lists  X.509 version 3 Public Key Certificates  X.509 version 2 Certificate Revocation Lists PKCS family of standards for Public Key Cryptography from RSA  PKCS#1 – PKCS#13 (Public Key Cryptography Standard) Federal Information Processing Standards (FIPS)  FIPS 140-1 level 3 and above for Security Requirement of Cryptographic Modules

21 4th October 2008CPE Meet - K S Sesha Prakash21 Controller of Certifying Authorities as the highest authority of the Trust structure in India. All CA’s in India are under the Umbrella of the CCA. The CCA is under the Ministry of Commerce. CCA to CA is the equivalent of Registrar of companies to Limited companies Registrar of firm to partnerships Registrar of societies to societies and associations We need to know the terms CA – Certifying Authority RA – Registration Authority PKI repository CRL – Certificate Revocation List Public Key Infrastructure

22 4th October 2008CPE Meet - K S Sesha Prakash22 Some Trusted Agency is required which certifies the association of an individual with the key pair. Certifying Authority (CA) This association is done by issuing a certificate to the user by the CA Public key certificate (PKC) All public key certificates are digitally signed by the CA Public Key Infrastructure

23 4th October 2008CPE Meet - K S Sesha Prakash23 Certifying Authority Public Key Infrastructure Must be widely known and trusted Must have well defined Identification process before issuing the certificate Provides online access to all the certificates issued Provides online access to the list of certificates revoked Displays online the license issued by the Controller Displays online approved Certification Practice Statement (CPS) Must adhere to IT Act/Rules/Regulations and Guidelines

24 4th October 2008CPE Meet - K S Sesha Prakash24 IDRBT Certificate PaperElectronic Public Key Infrastructure

25 4th October 2008CPE Meet - K S Sesha Prakash25 Public-Key Certification Signed by using CA’s private key User Name & other credentials User Name & other credentials User’s Public key User’s Public key User Certificate Certificate Database Publis h Certificate Request User Name User’s Public Key CA’s Name Validity Digital Signature of CA Certificate Class User’s Email Address Serial No. Key pair Generation Private Public Web site of CA User 1 certificate User 2 certificate. Public License issued by CCA Public Key Infrastructure

26 4th October 2008CPE Meet - K S Sesha Prakash26 The CA has to ensure the identity of the holder of the key pair to enroll The CA itself may have the facility to do so The CA may hive the arm of processing the identity of a Key Pair holder to an Registration Authority or RA The RA in such an event follows a set of processes to identify the person with the key pair Only when the RA is convinced, it will request the CA to issue the Digital Certificate for the Public key held by the applicant person. A pictographic representation of the processprocess How a Digital Certificate is downloaded from the net.downloaded Public Key Infrastructure Registration Authority

27 4th October 2008CPE Meet - K S Sesha Prakash27 Classes of Certificates: Class 1 Certificate Class 2 Certificate Class 3 Certificate – for servers, objects and Code Types of Certificates: Signing certificate Encryption certificate Web Server Certificate Client Certificate Object Signing Certificate Public Key Infrastructure

28 4th October 2008CPE Meet - K S Sesha Prakash28 PKI Architecture Enterprise architecture Hierarchical Infrastructure (Root CA) Mesh infrastructure (Cross Certificate Pair) Bride PKI architecture Public Key Infrastructure Bridge CA -- Principle CA Peer CA Subordinate CA A Bridge CA may not be trusted by himself. You trust because your Principle CA has issued a self signed certificate to the Bridge CA & The Bridge CA to the Principle CA

29 4th October 2008CPE Meet - K S Sesha Prakash29 PLEASE MAKE IT A POINT TO VOTE – It is your only Weapon - It is in your hand to make Democracy survive Public Key Infrastructure

30 4th October 2008CPE Meet - K S Sesha Prakash30 OPEN FORUM – Any Question? Public Key Infrastructure

Download ppt "4th October 2008CPE Meet - K S Sesha Prakash1 Today’s subject - PKI is the answer Public Key Infrastructure Answer ?? For what and why."

Similar presentations

Public Key Infrastructure and Applications

Public Key Infrastructure and Applications
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
(n)Code Solutions A division of GNFC

(n)Code Solutions A division of GNFC
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.

ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC513-01 Instructor:Professor Anvari Student ID:106845 Name:Xin Wen Date:11/25/00.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
E-Procurement: Digital Signatures and Role of Certifying Authorities Jagdeep S. Kochar CEO, (n)Code Solutions.

E-Procurement: Digital Signatures and Role of Certifying Authorities Jagdeep S. Kochar CEO, (n)Code Solutions.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

Similar presentations

Ads by Google