Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.


1 Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab

2 Introduction to PKI Technology Dartmouth College PKI Lab

3 What is PKI?
Public Key Infrastructure
Comprehensive security technology and policies using cryptography and standards to enable users to:
  –Identify (authenticate) themselves to network services.
  –Digitally sign email and other electronic docs and services.
  –Encrypt email and other documents to prevent unauthorized access.

4 Why PKI?
Uniform way to address securing many applications
Enables digital signing and encryption
No passwords on the wire
No need for shared secrets
Strong underlying security technology
Widely included in technology products

5 Dartmouth PKI Lab
R&D to make PKI a practical component of a campus network
Multi-campus collaboration sponsored by the Mellon Foundation
Dual objectives:
  –Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
  –Improve the current state of the art. Identify security issues in current products. Develop solutions to the problems.

6 Underlying Key Technology
A pair of asymmetric keys is used, one to encrypt, the other to decrypt.
Each key can only decrypt data encrypted with the other.
Invented in 1976 by Whit Diffie and Martin Hellman
Commercialized by RSA Security

7 Public and Private Keys
The "public" key is published far and wide.
The "private" key is kept a secret by its owner.
No need to exchange a secret "key" by some other channel.

8 Applications of PKI
Authentication and Authorization of Web users and servers
  –This is the basis for the SSL protocol used to secure web connections using https.
  –Server authentication is common, user authentication getting started.
Secure e-mail (signed and encrypted)
Electronic signatures
Data encryption
  –Business documents, databases, executable code
Network data protection (VPN, wireless)
Secure instant messaging

9 What is a certificate?
Signed data structure (X.509 standard) binds some information to a public key.
Trusted entity asserts validity of information in certificate, enforces policies for issuing certificates.
Certificate information is usually a personal identity or a server name.
Think of a certificate with its keys as an electronic:
  –ID card,
  –encoder/decoder ring, and
  –official signet ring for sealing wax or notary-style stamp.

10 Encryption
Asymmetric encryption prevents need for shared secrets.
Anyone encrypts with public key of recipient.
Only the recipient can decrypt with their private key.
Private key is secret, so “bad guys” can’t read encrypted data.

11 Digital Signatures
Compute message digest, encrypt with your private key.
Reader decrypts with your public key.
Re-compute the digest and verify match with original – guarantees no one has modified signed data.
Only signer has private key, so no one else can spoof their digital signature.
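
The sign-and-verify flow from slide 11, as an added example that is not part of the original presentation: it uses unpadded textbook RSA from the Python standard library so the digest, private-key and public-key steps stay visible, whereas production systems use a padded scheme (such as RSA-PSS) from a vetted library. SHA-256, the key constants, the function names and the sample message are assumptions constructed for the demonstration.

```python
import hashlib

E = 65537  # public exponent


def make_key(p: int, q: int):
    """Build (public, private) = ((n, e), (n, d)) from two primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


# Constructed demo keys built from publicly known Mersenne primes: enough to
# show the arithmetic, worthless as real keys (those use secret random primes).
SIGNER_PUB, SIGNER_PRIV = make_key(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = make_key(2**127 - 1, 2**1279 - 1)


def digest(message: bytes) -> int:
    """Message digest as an integer (SHA-256 is an assumption; the slide names no hash)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Signer: apply the private-key operation to the digest."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Reader: undo the signature with the public key, recompute the digest, compare."""
    n, e = public_key
    return 0 <= signature < n and pow(signature, e, n) == digest(message)


def demo() -> dict:
    msg = b"Approve purchase order 1138"  # constructed sample message
    sig = sign(msg, SIGNER_PRIV)
    return {
        "genuine": verify(msg, sig, SIGNER_PUB),
        "message altered": verify(b"Approve purchase order 9138", sig, SIGNER_PUB),
        "signature altered": verify(msg, sig ^ 1, SIGNER_PUB),
        "signed with another key": verify(msg, sign(msg, OTHER_PRIV), SIGNER_PUB),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26} -> {'valid' if ok else 'REJECTED'}")
```

The last case is why the certificate on slide 9 matters: a signature only shows which key signed, and the certificate is what binds that key to an identity.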

12 What is a certificate authority?
An organization that creates, publishes, and revokes certificates.
Verifies the information in the certificate.
Protects general security and policies of the system and its records.
Allows you to check certificates so you can decide whether to use them in business transactions.
collegeca.dartmouth.edu

13 The PKI Lab at Dartmouth

14 Production PKI Applications at Dartmouth
Dartmouth certificate authority
Authentication for:
  –Library Electronic Journals (including OVID)
  –Banner SIS
  –Dartflex totals
S/MIME email

15 Development PKI Applications at Dartmouth
Authentication for:
  –Blackboard
  –TuckStreams
  –VPN concentrator
  –Hardware tokens
Digital signatures on documents and forms

16 For more information
Dartmouth PKI Lab
User information, getting a certificate: http://www.dartmouth.edu/~pki
PKI Lab information: http://www.dartmouth.edu/~pkilab
Mark.J.Franklin@dartmouth.edu

