Published by Cameron Norton. Modified over 9 years ago.
1
Application of Attribute Certificates in S/MIME
Greg Colla & Michael Zolotarev
Baltimore Technologies
47th IETF Conference, Adelaide, March 2000
2
IETF47, Mar 2000, Adelaide
Overview
- S/MIME and PK Certificates
- S/MIME Problems
- Secure mail requirements
- Possible solutions
- E-mail Attribute Certificates
- Practical Implementation Issues
Attribute Certificates & S/MIME
3
S/MIME Certificate Usage
- Verification – check signer’s e-mail address against sender’s address
- Encryption – obtaining “encryptee’s” public key certificate
[Diagram labels: alice@foo.com; cn=Alice; subjAltName=alice@foo.com]
4
S/MIME Problems
- Multiple e-mail addresses
  – User has multiple e-mail addresses
- Maintenance of e-mail addresses
  – Change company name (and Internet domain)
- Security Proxy
  – A proxy signs and decrypts on behalf of many users
- Privacy/Spam
[Diagram labels: alice@foo.com; alice@dev.foo.com; alice@bar.com]
5
Essential Requirements
- Address Aliasing: Associate a single entity with multiple e-mail addresses, with a single PKC.
- Secure Proxying: Associate multiple entities, each with their own e-mail address, with a common PKC.
- Address Sharing: Associate multiple entities, each with their own PKC, with a single e-mail address.
6
Solution Criteria
- Cryptographically bound association between an e-mail address and a public key
- Unambiguous reference from e-mail address to PK certificate(s)
- Dynamic extension of address set
- Practical aspects
  – Generation, distribution, publication, retrieval, verification
- Minimum of changes to current standards
- Utilize existing infrastructure
7
Overview of Possible Solutions
1. Embed e-mail address into entity’s cert
   a) One e-mail address per certificate, each with same public key
   b) One certificate with multiple e-mail addresses
2. Address-PKC association signed by entity
   – Authenticated attributes
3. Address-PKC association signed by TTP
   – Attribute Certificate
8
Attribute Certificates
- Flexible
- Scalable
- Standards Based
- Available Infrastructure
[Diagram labels: TTP (AA); Owner; E-mail address; Signature; Other Attributes]
9
E-mail Attribute Certificates
- Cryptographically bind e-mail addresses with Gateway’s PK certificate
[Diagram labels: alice@foo.com; bob@foo.com; cn=Gateway; AC listing alice@foo.com and bob@foo.com]
10
E-mail Attribute Certificates
- Cryptographically bind e-mail addresses with entity’s PK certificate
[Diagram labels: alice@foo.com; alice@dev.foo.com; cn=Alice; AC listing alice@foo.com and alice@dev.foo.com]
11
Practical Implementation (1/5)
- Generation
  – Generation by an Attribute Authority (AA)
    TTP attests that the address is associated with the entity
- Request
  – By or on behalf of entity
  – Automatically by security proxy
  – By relying party (LAAP)
12
Practical Implementation (2/5)
- Distribution & Retrieval
  – Generate by AA, publish in LDAP
  – Distribute as part of signed message
  – Retrieval based on e-mail address
- Validity & Revocation
  – Validity: as long as the PKC & e-mail address remain valid
  – Revocation: use available standards
13
Practical Implementation (3/5)
Retrieving attribute and PK certificates from LDAP
1. Use the from: or to: address from message as a search index
2. Request the directory to retrieve all attribute certificates from the matching entries
3. Out of all returned attribute certificates, select those with required e-mail address
4. Retrieve PK certificates referenced by selected attribute certificates

Alice’s new LDAP entry:
cn=Alice
mail=alice@foo.com
mail=alice@dev.foo.com
certificate=
attributeCertificate=
14
Practical Implementation (4/5)
- Message Verification Walkthrough
  – Retrieve e-mail AC(s) using sender’s address as index
  – Retrieve PKC(s) referenced by AC(s)
  – Identify signing certificate
  – Validate...
  – Validate the message
15
Practical Implementation (5/5)
- Message Encryption Walkthrough
  – Retrieve e-mail AC(s) using recipient’s address as index
  – Validate...
  – Retrieve PKC(s) referenced by valid e-mail AC(s)
  – Validate...
  – Encrypt the message using valid encryption certificate(s)
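The retrieval steps of slide 13 and the validation steps of slides 14 and 15, as an added Python sketch that is not part of the original presentation. The AC is a simplified record, an HMAC stands in for the AA's public-key signature, and the names cn=Mail AA, cn=Demo CA, cn=Mallory and all sample data are constructed for illustration.

```python
import hashlib, hmac
from dataclasses import dataclass, replace
from datetime import date

AA_KEY = b"constructed-demo-key"      # assumption: stand-in for the AA's signing key
TRUSTED_AAS = {"cn=Mail AA"}          # hypothetical trusted Attribute Authority

@dataclass(frozen=True)
class EmailAC:                        # simplified model of an e-mail AC
    issuer: str                       # AA that attests the binding
    holder: tuple                     # (PKC issuer, PKC serial) it references
    emails: tuple                     # e-mail addresses bound to that PKC
    not_after: date
    sig: bytes = b""

def _mac(ac, key):
    tbs = repr((ac.issuer, ac.holder, ac.emails, ac.not_after)).encode()
    return hmac.new(key, tbs, hashlib.sha256).digest()
def issue(ac, key=AA_KEY):
    return replace(ac, sig=_mac(ac, key))

def ac_valid(ac, today):
    return (ac.issuer in TRUSTED_AAS and ac.not_after >= today
            and hmac.compare_digest(ac.sig, _mac(ac, AA_KEY)))

def resolve(address, directory, pkcs, today):
    """Slide 13 steps 1-4 with the 'Validate...' steps of slides 14/15."""
    entries = [e for e in directory if address in e["mail"]]          # step 1
    acs = [ac for e in entries for ac in e["attributeCertificate"]]   # step 2
    acs = [ac for ac in acs if address in ac.emails]                  # step 3
    acs = [ac for ac in acs if ac_valid(ac, today)]                   # validate ACs
    found = [pkcs.get(ac.holder) for ac in acs]                       # step 4
    return sorted({p["subject"] for p in found                        # validate PKCs
                   if p and not p["revoked"] and p["not_after"] >= today})

# Constructed sample data: a security proxy (Gateway) serving two users.
TODAY = date(2000, 3, 27)
PKCS = {("cn=Demo CA", 7): {"subject": "cn=Gateway", "revoked": False,
                            "not_after": date(2001, 1, 1)},
        ("cn=Demo CA", 9): {"subject": "cn=Mallory", "revoked": False,
                            "not_after": date(2001, 1, 1)}}
gw_ac = issue(EmailAC("cn=Mail AA", ("cn=Demo CA", 7),
                      ("alice@foo.com", "bob@foo.com"), date(2000, 12, 31)))
forged = issue(EmailAC("cn=Mail AA", ("cn=Demo CA", 9),   # not signed by the AA
                       ("alice@foo.com",), date(2000, 12, 31)), key=b"not-the-AA")
DIRECTORY = [{"cn": "Gateway", "mail": ["alice@foo.com", "bob@foo.com"],
              "attributeCertificate": [gw_ac, forged]}]

if __name__ == "__main__":
    print({a: resolve(a, DIRECTORY, PKCS, TODAY) for a in ("alice@foo.com", "bob@foo.com")})
```

Both addresses resolve to the gateway's certificate only; the AC that points alice@foo.com at another key is dropped because it does not verify under the AA's key.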
16
Other Considerations
- Privacy
  – Remove private information from PK certificate
  – Different access control on PK certificate than e-mail AC in directory
  – Different directories for e-mail ACs and PKCs
- Security
  – Need to ensure that content of e-mail AC is valid
[Slide graphic label: bill.clinton@whitehouse.gov]
17
Comparison with existing Infrastructure

Existing
- Multiple addresses in certificate
- Re-issue keys in new certificate with new e-mail address
- Supported by existing PK and S/MIME infrastructure
- Difficult for large number of e-mail addresses (i.e. security proxies)
- Difficult to separate internal and external e-mail addresses
- Contrary to legislation in some countries

Proposed
- Store e-mail address in e-mail AC, which references PKC
- Issue e-mail ACs as required
- Flexible method for maintaining e-mail addresses
- Infrastructure available
- Supplements current S/MIME infrastructure
- Supports security proxies
- Defined mechanism to retrieve PKCs from directory, AA
- Additions required to processing module’s logic
18
Summary
- Maintenance of e-mail addresses limits S/MIME usability
- Attribute Certificates cryptographically bind e-mail addresses with PK certificates
- E-mail Attribute Certificates provide a flexible solution for maintaining e-mail addresses
- Supplements current infrastructure
- Localized modifications required to S/MIME components to utilize E-mail ACs
- E-mail ACs can be used to solve other S/MIME limitations