Presentation is loading. Please wait.

Presentation is loading. Please wait.

Public-key Infrastructure. Computer Center, CS, NCTU 2 Public-key Infrastructure  A set of hardware, software, people, policies, and procedures.  To.

Published byMaria Thompson Modified over 9 years ago

Similar presentations

Presentation on theme: "Public-key Infrastructure. Computer Center, CS, NCTU 2 Public-key Infrastructure  A set of hardware, software, people, policies, and procedures.  To."— Presentation transcript:

1 Public-key Infrastructure

2 Computer Center, CS, NCTU 2 Public-key Infrastructure  A set of hardware, software, people, policies, and procedures.  To create, manage, distribute, use, store, and revoke digital certificates.  Encryption, authentication, signature  Bootstrapping secure communication protocols.

3 Computer Center, CS, NCTU 3 CA: Certificate Authority (1)  In God We Trust

4 Computer Center, CS, NCTU 4 CA: Certificate Authority (2)  Certificate Contains data of the owner, such as Company Name, Server Name, Name, Email, Address,… Public key of the owner. Followed by some digital signatures.  Sign for the certificate. In X.509  A certificate is signed by a CA.  To verify the correctness of the certificate, check the signature of CA.

5 Computer Center, CS, NCTU 5 CA: Certificate Authority (3)  Certificate Authority (CA) “ 憑證授權 ” in Windows CHT version. In X.509, it is itself a certificate.  The data of CA.  To sign certificates for others. Each CA contains a signature of Root CA. To verify a valid certificate  Check the signature of Root CA in the certificate of CA.  Check the signature of CA in this certificate. Reference: http://www.imacat.idv.tw/tech/sslcerts.html

6 Computer Center, CS, NCTU 6 What is a CA ? (1)  Certificate Authority ( 認證中心 )  Trusted server which signs certificates  One private key and relative public key  Tree structure of X.509 Root CA

7 Computer Center, CS, NCTU 7 What is a CA ? (2)  Root CA ( 最高層認證中心 ) In Micro$oft: 「根目錄授權憑證」 Root CA do not sign the certificates for users.  Authorize CA to sign the certificates for users, instead. Root CA signs for itself.  It is in the sky. To trust Root CA  Install the certificate of Root CA via secure channel.

8 Computer Center, CS, NCTU 8 What is a CA ? (3)  Tree structure of CA  Cost of certificate HiTrust : NT $30,000 / per year / per host Myself : NT $0

9 Computer Center, CS, NCTU 9 Certificate (1)  Digital Certificate, Public-key Certificate, Network Identity  A certificate is issued by a CA X  A certificate of a user A consists: The name of the issuer CA X His/her public key A pub The signature Sig(X priv, A, A pub ) by the CA X The expiration date Applications  Encryption / Signature

10 Computer Center, CS, NCTU 10 Certificate (2) Alice: (1)Generate A pub, A priv CA X: (3) Generate Sig( X priv, Alice, A pub, T ) (2) Alice, A pub, ID proof (4) Sig(X priv, Alice, A pub, T) Cert A,X =[Alice, A pub, Sig(X priv, Alice, A pub, T) ] Note Note: CA does not know A priv

11 Computer Center, CS, NCTU 11 Certificate (3)  Guarantee of CA and certificate Guarantee the public key is of someone Someone is not guaranteed to be safe  Security of transmitting DATA Transmit session key first  Public-key cryptosystem Transmit DATA by session key  Symmetric-key cryptosystem

12 OpenSSL

13 Computer Center, CS, NCTU 13 OpenSSL  http://www.openssl.org/ http://www.openssl.org/  In system /usr/src/crypto/openssl  In ports security/openssl

14 Computer Center, CS, NCTU 14 ports/Mk/bsd.openssl.mk # WITH_OPENSSL_BASE=yes - Use the version in the base system. # WITH_OPENSSL_PORT=yes - Use the port, even if base is up to date # WITH_OPENSSL_BETA=yes - Use a snapshot of recent openssl # WITH_OPENSSL_STABLE=yes - Use an older openssl version …… # if no preference was set, check for an installed base version # but give an installed port preference over it..if !defined(WITH_OPENSSL_BASE) && \ !defined(WITH_OPENSSL_BETA) && \ !defined(WITH_OPENSSL_PORT) && \ !defined(WITH_OPENSSL_STABLE) && \ !exists(${DESTDIR}/${LOCALBASE}/lib/libcrypto.so) && \ exists(${DESTDIR}/usr/include/openssl/opensslv.h) WITH_OPENSSL_BASE=yes.endif

15 Example: Apache SSL settings

16 Computer Center, CS, NCTU 16 Example: Apache SSL settings – Flow  Flow Generate random seed Generate RootCA  Generate private key of RootCA  Fill the Request of Certificate.  Sign the certificate itself. Generate certificate of Web Server  Generate private key of Web Server  Fill the Request of certificate  Sign the certificate using RootCA Modify apache configuration  restart apache

17 Computer Center, CS, NCTU 17 Example: Apache SSL settings – Generate random seed  openssl rand -out rnd-file num % openssl rand -out /etc/ssl/RootCA/private/.rnd 1024  chmod go-rwx rnd-file % chmod go-rwx /etc/ssl/RootCA/private/.rnd

18 Computer Center, CS, NCTU 18 Example: Apache SSL settings – Generate private key of RootCA  openssl genrsa -des3 -rand rnd-file -out rootca-key-file num % openssl genrsa -des3 -rand /etc/ssl/RootCA/private/.rnd \ -out /etc/ssl/RootCA/private/rootca.key.pem 2048 Note: phrase are asked (something like password)  chmod go-rwx rootca-key-file % chmod go-rwx /etc/ssl/RootCA/private/rootca.key.pem

19 Computer Center, CS, NCTU 19 Example: Apache SSL settings – Fill the Request of Certificate  openssl req -new -key rootca-key-file -out rootca-req-file % openssl req -new -key /etc/ssl/RootCA/private/rootca.key.pem \ -out /etc/ssl/RootCA/private/rootca.req.pem  chmod go-rwx rootca-req-file % chmod go-rwx /etc/ssl/RootCA/private/rootca.req.pem Enter pass phrase for rootca-key-file: Country Name (2 letter code) [AU]:TW State or Province Name (full name) [Some-State]:Taiwan Locality Name (eg, city) []:HsinChu Organization Name (eg, company) [Internet Widgits Pty Ltd]:NCTU Organizational Unit Name (eg, section) []:CS Common Name (eg, YOUR name) []:nasa.cs.nctu.edu.tw Email Address []:liuyh@cs.nctu.edu.tw A challenge password []: (No need , Enter please) An optional company name []: (Enter please)

20 Computer Center, CS, NCTU 20 Example: Apache SSL settings – Sign the certificate itself  openssl x509 -req -days num -sha1 -extfile path_of_openssl.cnf -extensions v3_ca -signkey rootca-key-file -in rootca-req-file -out rootca-crt-file % openssl x509 -req -days 5109 -sha1 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey /etc/ssl/RootCA/private/rootca.key.pem -in /etc/ssl/RootCA/private/rootca.req.pem -out /etc/ssl/RootCA/private/rootca.crt.pem  rm -f rootca-req-file %rm -f /etc/ssl/RootCA/private/rootca.req.pem  chmod go-rwx rootca-crt-file %chmod go-rwx /etc/ssl/RootCA/private/rootca.crt.pem

21 Computer Center, CS, NCTU 21 Example: Apache SSL settings – Generate private key of Web Server  openssl genrsa -out host-key-file num %openssl genrsa -out /etc/ssl/nasa/private/nasa.key.pem 2048  chmod go-rwx host-key-file %chmod go-rwx /etc/ssl/nasa/private/nasa.key.pem

22 Computer Center, CS, NCTU 22 Example: Apache SSL settings – Fill the Request of Certificate  openssl req -new -key host-key-file -out host-req-file % openssl req -new -key /etc/ssl/nasa/private/nasa.key.pem -out /etc/ssl/nasa/private/nasa.req.pem  chmod go-rwx host-req-file % chmod go-rwx /etc/ssl/nasa/private/nasa.req.pem

23 Computer Center, CS, NCTU 23 Example: Apache SSL settings – Sign the certificate using RootCA  Tramsmit host-req-file to Root CA, and do following steps in RootCA openssl x509 -req -days num -sha1 -extfile path_of_openssl.cnf -extensions v3_ca -CA rootca-crt-file -CAkey rootca-key-file -CAserial rootca-srl-file -CAcreateserial -in host-req-file -out host-crt-file % openssl x509 -req -days 365 -sha1 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -CA /etc/ssl/RootCA/private/rootca.crt.pem -CAkey /etc/ssl/RootCA/private/rootca.key.pem -CAserial /etc/ssl/RootCA/private/rootca.srl -CAcreateserial -in /etc/ssl/nasa/private/nasa.req.pem -out /etc/ssl/nasa/private/nasa.crt.pem rm -f host-req-file ( in both RootCA and Web Server) % rm -f /etc/ssl/nasa/private/nasa.req.pem Transmit host-crt-file back to Web Server

24 Computer Center, CS, NCTU 24 Example: Apache SSL settings – Certificate Authority (8) Include etc/apache22/extra/httpd-ssl.conf ## ## SSL Virtual Host Context ## # General setup for the virtual host DocumentRoot /home/wwwadm/data Options Indexes FollowSymLinks AllowOverride All Order allow,deny Allow from all ServerName nasa.cs.nctu.edu.tw:443 ServerAdmin liuyh@nasa.cs.nctu.edu.tw ErrorLog /var/log/httpd/nasa.cs-error.log CustomLog /var/log/httpd/nasa.cs-access.log common SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL SSLCertificateFile /etc/ssl/nasa/nasa.crt.pem SSLCertificateKeyFile /etc/ssl/nasa/private/nasa.key.pem

25 Appendix: PGP

26 Computer Center, CS, NCTU 26 PGP  Pretty Good Privacy  Public key system Encryption Signature  security/gnupg  Will talk more in Network Administration  Ref: http://security.nknu.edu.tw/textbook/chap15.pdf

Download ppt "Public-key Infrastructure. Computer Center, CS, NCTU 2 Public-key Infrastructure  A set of hardware, software, people, policies, and procedures.  To."

Similar presentations

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
HTTPS/SSL Oleh: Idris Winarno. Persiapan Pastikan repository debian # vim /etc/apt/sources.list deb etch main contrib non-freehttp://kebo.vlsm.org/debian.

HTTPS/SSL Oleh: Idris Winarno. Persiapan Pastikan repository debian # vim /etc/apt/sources.list deb etch main contrib non-freehttp://kebo.vlsm.org/debian.
Apache2 HTTPS. 1. Install webserver Apache # apt-get install apache2 2. Buat direktori untuk menyimpan file https # mkdir /var/www/secure 3. Instalasi.

Apache2 HTTPS. 1. Install webserver Apache # apt-get install apache2 2. Buat direktori untuk menyimpan file https # mkdir /var/www/secure 3. Instalasi.
Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI)
Grid Computing Basics From the perspective of security or An Introduction to Certificates.

Grid Computing Basics From the perspective of security or An Introduction to Certificates.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,

 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Apache ssl Objectives Contents Practical Summary Setup Apache + ssl

Apache ssl Objectives Contents Practical Summary Setup Apache + ssl
Homework 5a: Installing Webservers Apache (or Lighttpd) MySQL PHP CGI and Dynamic Pages.

Homework 5a: Installing Webservers Apache (or Lighttpd) MySQL PHP CGI and Dynamic Pages.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Technology – Broad View1 Networks  For the most part, not a technology, but political/financial issue Available bandwidth continuously increasing (“√2-rule”

Technology – Broad View1 Networks  For the most part, not a technology, but political/financial issue Available bandwidth continuously increasing (“√2-rule”
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
1 Key Establishment Symmetric key problem: How do two entities establish shared secret key in the first place? Solutions: Deffie-Hellman trusted key distribution.

1 Key Establishment Symmetric key problem: How do two entities establish shared secret key in the first place? Solutions: Deffie-Hellman trusted key distribution.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
1 Key Establishment Symmetric key problem: How do two entities establish shared secret key over network? Solution: trusted key distribution center (KDC)

1 Key Establishment Symmetric key problem: How do two entities establish shared secret key over network? Solution: trusted key distribution center (KDC)
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Lockdown of a Basic Pool.

Similar presentations

Ads by Google