Presentation is loading. Please wait.

Presentation is loading. Please wait.

Certificate Management Using Distributed Trusted Third Parties Alexander W. Dent Joint work with Geraint Price.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Certificate Management Using Distributed Trusted Third Parties Alexander W. Dent Joint work with Geraint Price."— Presentation transcript:

1 Certificate Management Using Distributed Trusted Third Parties Alexander W. Dent a.dent@rhul.ac.uk Joint work with Geraint Price

2 2 Trust in a ubiquitous environment Trust is a difficult commodity to find/trade in a dynamically evolving network, e.g. in a PAN or PDE. Public key cryptography offers attractive features in such a situation, however – at a computational cost, – with the usual authentication problem. PKIs are hard to implement efficiently in dynamically evolving networks.

3 3 PKIs in dynamic networks Mitchell and Schaffelhofer suggest security criteria for a “personal PKI”. Distributed approaches given by: – Zhou and Haas, 1999. – Luo and Lu, 2000. – Varadharajan, Shankaran and Hitchens, 2004. – Zouridaki, Mark, Gaj and Thomas, 2004. Here a CA is elected by a cluster of devices.

4 4 PKIs in dynamic networks Our solution uses a different form of distributed certification authority. Takes advantage of emerging hardware-based secure execution environment technologies, such as Microsoft’s NGSCB and the Trusted Computing Group’s Trusted Computing Platform. We use an abstract execution environment.

5 5 Secure Execution Environments It can, and is able to demonstrate that it can, – be initialised securely, – download applications in a secure fashion, – securely execute applications, – demonstrate that an application has been successfully executed. Allows “black boxes” to be installed. Allows any TTP service to be installed… …however, not always efficiently.

6 6 CA-applets Let’s examine how to use this technique to distribute CA functionality…

7 7 CA-applets – Initialisation Request for applet Send authentication data Verifies device’s identity using authentication data. Verify authenticity of SEE Initiate a secure download channel Generate a new signature key pair for the device. Download applet with new key pair Download certificate for new key pair

8 8 CA-applets – Registering a key Request certificate for a public key Send authentication data Download newly generated certificate (Download master certificate) Checks identity and issues certificate to person named on initialisation only. Demonstrate proof of possession

9 9 CA applets – In use CA applet can also host a directory service. CA applet can also host a revocation service. Problems with the need for always-on devices. Methods to cope with the renewal problem. Limited methods to cope with the effects of a compromise of the CA applet (i.e. the release of an applet’s private signing key).

10 10 Sub CAs verses CA applets CA applets share a lot of characteristics with a sub CA… … i.e. a smaller CA that has been obtained a certificate from a larger root CA… … especially if the root CA issues a policy when certifying the sub CA that states that the sub CA can only issue certificates to certain individuals or according to a certain policy.

11 11 Sub CAs verses CA applets The main difference is the level of trust the root CA has to extend to its progeny. For a CA applet, the root CA has to trust the hosts SEE and the authentication data. For a sub CA, the root CA has to trust that the user can properly set up and administrate a secure CA application. In a CA applet, the security decisions rest with the security experts – the root CA.

12 12 Sub CAs verses CA applets Sub CAs do not require proof of possession, and, in some instances, this may be a flaw.

13 13 Personal CAs CA applets make excellent personal CAs (according to the criteria laid down by Mitchell and Schaffelhofer). Root CA can either be provided by a company or by a single dedicated device in the user’s PDE. The root CA can be configured by the manufacturer, rather than the user.

14 14 Other applications Ad hoc networks. Short lived certificates. Distributed registration/certificate data preparation. Lightweight PKI. Supporting web services. Paper to appear in upcoming book on Trusted Computing Platforms.

15 15 The End All images of Torg copyright Pete Abrams. http://www.sluggy.com/

Download ppt "Certificate Management Using Distributed Trusted Third Parties Alexander W. Dent Joint work with Geraint Price."

Similar presentations

INFN CA1 active since July 1998 manager: –Roberto Cecchini types of certificates released: –personal –server –object signing.

INFN CA1 active since July manager: –Roberto Cecchini types of certificates released: –personal –server –object signing.
An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.

An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
 Introduction  Benefits of VANET  Different types of attacks and threats  Requirements and challenges  Security Architecture  Vehicular PKI.

 Introduction  Benefits of VANET  Different types of attacks and threats  Requirements and challenges  Security Architecture  Vehicular PKI.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Www.mobilevce.com © 2004 Mobile VCE June 2004 Security – Requirements and approaches to securing future mobile services Malcolm K Payne BT.

© 2004 Mobile VCE June 2004 Security – Requirements and approaches to securing future mobile services Malcolm K Payne BT.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Figure 1: SDR / MExE Download Framework SDR Framework Network Server Gateway MExE Download + Verification Using MExE Repository (Java sandbox) MExE Applet.

Figure 1: SDR / MExE Download Framework SDR Framework Network Server Gateway MExE Download + Verification Using MExE Repository (Java sandbox) MExE Applet.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

Similar presentations

Ads by Google