Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Communications … or, the usability of PKI.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Communications … or, the usability of PKI."— Presentation transcript:

1 Secure Communications … or, the usability of PKI

2 Agenda Announcement: Security Symposium on Oct. 10. Announcement: Security Symposium on Oct. 10. Questions? Stories to share? Questions? Stories to share? Project discussion & IRB overview Project discussion & IRB overview Secure communications Secure communications

3 Project Initial draft: 2 weeks Initial draft: 2 weeks Final plan: 4 weeks Final plan: 4 weeks Initial draft is NOT graded, credit for reasonable effort Initial draft is NOT graded, credit for reasonable effort –Some introduction, motivation, related work –Draft of tasks, survey & interview questions, etc. –Mockup or description if you are building something –The more complete it is, the more feedback you’ll get! We will pilot your materials during class in 2 weeks (SO BRING YOUR MATERIALS TO CLASS!!!) We will pilot your materials during class in 2 weeks (SO BRING YOUR MATERIALS TO CLASS!!!)

4 IRB http://www.research.uncc.edu/comp/h uman.cfm http://www.research.uncc.edu/comp/h uman.cfm http://www.research.uncc.edu/comp/h uman.cfm http://www.research.uncc.edu/comp/h uman.cfm Download application form and consent form template Download application form and consent form template See Wiki for one sample application See Wiki for one sample application

5 Public Key Infrastructure “A PKI is a set of agreed-upon standards, Certification Authorities (CA), structure between multiple CAs, methods to discover and validate Certification Paths, Operational Protocols, Management Protocols, Interoperable Tools and supporting Legislation” “Digital Certificates” book – Jalal Feghhi, Jalil Feghhi, Peter Williams A Public Key Infrastructure is an Infrastructure to support and manage Public Key-based In other words: A Public Key Infrastructure is an Infrastructure to support and manage Public Key-based Digital Certificates

6 Secure Communications PKI: PKI: –What is your best technical explanation? –What is your best non-tech explanation? –How much should users be aware of keys? –What’s a CA? How to explain a CA? Should users be aware of CAs?

7 Communication under PKI Both Alice and Bob have their own individual private and public keys signed by a certificate authority. Both Alice and Bob have their own individual private and public keys signed by a certificate authority. –The CA might be an employer, Verisign, or some other organization.

8 Communication under PKI The public key is used for encryption and digital signature verification. The public key is used for encryption and digital signature verification. The private key is used for decryption and the creation of digital signatures. The private key is used for decryption and the creation of digital signatures. 100110 Bob’s public key Alice’s public key

9 Digital Signature

10 Digital Certificate A Digital Certificate is a binding between an entity’s Public Key and one or more Attributes relating its Identity. The entity can be a Person, an Hardware Component, a Service, etc. The entity can be a Person, an Hardware Component, a Service, etc. A Digital Certificate is issued (and signed) by someone A Digital Certificate is issued (and signed) by someone A self-signed certificate usually is not very trustworthy A self-signed certificate usually is not very trustworthy - Usually the issuer is a Trusted Third Party

11 X509 PKI 11  Alice Bob Trusted Root Alice trusts the root CA Bob sends a message to Alice Alice needs Bob’s certificate, the certificate of the CA that signed Bob’s certificate, and so on up to the root CA’s self signed certificate. Alice also needs each CRL for each CA. Only then can Alice verify that Bob’s certificate is valid and trusted and so verify the Bob’s signature.

12 Secure Communications PKI: PKI: –What is your best technical explanation? –What is your best non-tech explanation? –How much should users be aware of keys? –What’s a CA? How to explain a CA? Should users be aware of CAs?

13 Problems with PKI Public-key cryptography is counterintuitive. Public-key cryptography is counterintuitive. PKI seems too far removed from application goals. PKI seems too far removed from application goals. –Users do not understand how their tasks require PKI. PKI tasks are too cumbersome. PKI tasks are too cumbersome. Large CAs run into naming collisions. Large CAs run into naming collisions. –Users shoulder the burden of ensuring that the person they’re looking up is indeed the person they want.

14 IBM Lotus Notes & Domino Solution Client/server infrastructure for collaborative applications Client/server infrastructure for collaborative applications Usage of PKI Usage of PKI –Authentication of Notes client to Domino Server –Signing and encrypting mail messages Implementation Implementation –Note keys are created by Notes administrator and distributed to user in a “identity file” –Most of key management is hidden from user within the organization –Communicating outside the enterprise requires user input to acquire or verify certificates Thoughts? Thoughts?

15 Alternative: iPKI 15 Lightweight PKI centered around a local, standalone CA Automated PKI and CA setup Simple, intuitive enrollment mechanism A simple, intuitive trust model Secure bootstrapping Certificates as capabilities No need for direct user interactions with certificates

16 Example: Network-in-a-box Utilize location-limited channels to simplify configuration while maintaining security Utilize location-limited channels to simplify configuration while maintaining security Laptop and AP exchange public keys Laptop and AP exchange public keys Use it to perform full-fledged security auto- configuration Use it to perform full-fledged security auto- configuration

17 iPKI discussion Easier? Easier? Secure enough? Secure enough? What is it good for? What is it good for? Limitations? Limitations?

18 NiaB validation Users study with 12? users Users study with 12? users –Task: connect to a secure wireless network, NiaB or other –Results: NiaB 10x faster, fewer errors, more confidence and satisfaction 2 nd study in an enterprise 2 nd study in an enterprise –Watched 5 users with each enrollment –Same results as before, but even bigger differences!

19 Alternative: Key Continuity Management Goal: Make key generation & management easier to accomplish Goal: Make key generation & management easier to accomplish Ignore the X.509 certification chain Ignore the X.509 certification chain Applications are directly aware of public key certificates Applications are directly aware of public key certificates User would be notified only when server’s key suddenly changes User would be notified only when server’s key suddenly changes Thoughts? Thoughts?

20 Johnny 2 Study conducted on KCM Study conducted on KCM –Closely followed the original Johnny study –Same scenario, recruiting, descriptions, etc. –Added additional attacks to examine user understanding and trust of keys –43 subjects –3 conditions: no KCM no KCM Color Color Color + briefing Color + briefing Question: study critique? Question: study critique?

21 Results? KCM worked against New Key Attack KCM worked against New Key Attack KCM didn’t work against New Identity Attack KCM didn’t work against New Identity Attack –Users noticed the change, but felt it was justified KCM really didn’t work against Unsigned Message Attack KCM really didn’t work against Unsigned Message Attack –users instead noticed they were being asked to send to hotmail and distrusted those instructions

22 Trust The encryption itself is not the problem The encryption itself is not the problem Trust required to make PKI work Trust required to make PKI work –Did Alice really send this? Is this the right Alice or another one? Is this the right Alice or another one? Do I trust the certificate? Do I trust the certificate? Do I trust the CA? Do I trust the CA? Do I trust that no one has taken over her computer? Do I trust that no one has taken over her computer? At what point do I decide to not trust the message? At what point do I decide to not trust the message?

Download ppt "Secure Communications … or, the usability of PKI."

Similar presentations

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI)
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Public Key Infrastructure (X509 PKI)

Public Key Infrastructure (X509 PKI)
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter 10 Securing Exchange Server 2003.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter 10 Securing Exchange Server 2003.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
1 Key Establishment Symmetric key problem: How do two entities establish shared secret key in the first place? Solutions: Deffie-Hellman trusted key distribution.

1 Key Establishment Symmetric key problem: How do two entities establish shared secret key in the first place? Solutions: Deffie-Hellman trusted key distribution.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

Similar presentations

Ads by Google