Presentation is loading. Please wait.

Presentation is loading. Please wait.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Published byLeona Barber Modified over 9 years ago

Similar presentations

Presentation on theme: "Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian."— Presentation transcript:

1 Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

2 Digital Signature A Digital Signature is a data item that vouches the origin and the integrity of a Message The originator of a message uses a signing key (Private Key) to sign the The originator of a message uses a signing key (Private Key) to sign the message and send the message and its digital signature to a recipient message and send the message and its digital signature to a recipient The recipient uses a verification key (Public Key) to verify the origin of The recipient uses a verification key (Public Key) to verify the origin of the message and that it has not been tampered with while in transit the message and that it has not been tampered with while in transit IntranetExtranetInternet Alice Bob

3 Digital Signature Hash Function Message Signature Private Key Encryption Digest Message Decryption Public Key ExpectedDigestActualDigest Hash Function SignerReceiver Channel DigestAlgorithmDigestAlgorithm

4 Digital Signature There is still a problem linked to the “Real Identity” of the Signer. Why should I trust what the Sender claims to be? Moving towards PKI …

5 Digital Certificate

6 A Digital Certificate is a binding between an entity’s Public Key and one or more Attributes relating its Identity. The entity can be a Person, an Hardware Component, a Service, etc. The entity can be a Person, an Hardware Component, a Service, etc. A Digital Certificate is issued (and signed) by someone A Digital Certificate is issued (and signed) by someone A self-signed certificate usually is not very trustworthy A self-signed certificate usually is not very trustworthy -Usually the issuer is a Trusted Third Party (TTP)

7 CERTIFICATE Digital Certificate Issuer Subject IssuerDigitalSignature Subject Public Key

8 Digital Certificate How are Digital Certificates Issued? How are Digital Certificates Issued? Who is issuing them? Who is issuing them? Why should I Trust the Certificate Issuer? Why should I Trust the Certificate Issuer? How can I check if a Certificate is valid? How can I check if a Certificate is valid? How can I revoke a Certificate? How can I revoke a Certificate? Who is revoking Certificates? Who is revoking Certificates? Problems Moving towards PKI …

9 Public Key Infrastructure (PKI)

10 A Public Key Infrastructure is an Infrastructure to support and manage Public Key-based Digital Certificates

11 Public Key Infrastructure (PKI) “A PKI is a set of agreed-upon standards - Certificate structure - Certificate structure - Structure between multiple CAs - Methods to discover and validate Certification Paths -Operational Protocols -Management Protocols “Digital Certificates” book – Jalal Feghhi, Jalil Feghhi, Peter Williams

12 Public Key Infrastructure (PKI) X509 Digital Certificates standard  Standards defined by IETF, PKIX WG: http://www.ietf.org/ http://www.ietf.org/ … however X509 is not the only approach

13 X509 PKI – Technical View Basic Components: Certificate Authority (CA) Certificate Authority (CA) Registration Authority (RA) Registration Authority (RA) Certificate Distribution System Certificate Distribution System PKI enabled applications PKI enabled applications “Consumer” Side “Provider” Side

14 X509 PKI – Simple Model CA RA CertificationEntity Directory ApplicationService Remote RemotePersonLocalPerson Certs,CRLs Cert. Request Signed Certificate Internet

15 X509 PKI Certificate Authority (CA) Basic Tasks: Key Generation Key Generation Digital Certificate Generation Digital Certificate Generation Certificate Issuance and Distribution Certificate Issuance and Distribution Revocation Revocation Key Backup and Recovery System Key Backup and Recovery System Cross-Certification Cross-Certification

16 X509 PKI Registration Authority (RA) Basic Tasks: Registration of Certificate Information Registration of Certificate Information Face-to-Face Registration Face-to-Face Registration Remote Registration Remote Registration RevocationRevocation

17 X509 PKI Certificate Distribution System Provide Repository for: Digital Certificates Digital Certificates Certificate Revocation Lists (CRLs) Certificate Revocation Lists (CRLs)Typically: Special Purposes Databases Special Purposes Databases LDAP directories LDAP directories

18 Certificate Revocation List Revoked Certificates remain in CRL until they expire Certificate Revocation List

19 Certificate Revocation List (CRL) CRLs are published by CAs at well defined CRLs are published by CAs at well defined interval of time interval of time It is a responsibility of “Users” to “download” a CRL and verify if a certificate has been revoked It is a responsibility of “Users” to “download” a CRL and verify if a certificate has been revoked User application must deal with the revocation User application must deal with the revocation processes processes

20 Online Certificate Status Protocol (OCSP) An alternative to CRLs An alternative to CRLs IETF/PKIX standard for a real-time check if a IETF/PKIX standard for a real-time check if a certificate has been revoked/suspended certificate has been revoked/suspended Requires a high availability OCSP Server Requires a high availability OCSP Server

21 CRL vs OCSP Server UserCA CRL Directory Download CRL CRL User CA CRL Directory DownloadCRL Certificate IDs to be checked Answer about Certificate States OCSPServer OCSP

22 X509 PKI PKI-enabled Applications Functionality Required: Cryptographic functionality Cryptographic functionality Secure storage of Personal Information Secure storage of Personal Information Digital Certificate Handling Digital Certificate Handling Communication Facilities Communication Facilities

23 X509 PKI Trust and Legal Issues

24 X509 PKI Trust and Legal Issues Why should I Trust a CA? Why should I Trust a CA? How can I determine the liability of a CA? How can I determine the liability of a CA?

25 X509 PKI Approaches to Trust and Legal Aspects Why should I Trust a CA? Why should I Trust a CA? How can I determine the liability of a CA? How can I determine the liability of a CA? Certificate Hierarchies, Cross-Certification Certificate Policies (CP) and Certificate Practical Statement (CPS)

26 X509 PKI Approach to Trust Certificate Hierarchies andCross-Certification

27 CA RA CA RA LRA CA RA CA RA Directory Services Internet Internet CA Technology Evolution

28 Each entity has its own certificate (and may have more than one). The root CA’s certificate is self signed and each sub-CA is signed by its parent CA. Each CA may also issue CRLs. In particular the lowest level CAs issue CRLs frequently. End entities need to “find” a certificate path to a CA that they trust. Simple Certificate Hierarchy Root CA Sub-CAs End Entities

29  Alice Bob Simple Certificate Path Alice trusts the root CA Bob sends a message to Alice Alice needs Bob’s certificate, the certificate of the CA that signed Bob’s certificate, and so on up to the root CA’s self signed certificate. Alice also needs each CRL for each CA. then Alice can verify that Bob’s certificate is valid and trusted and so verify the Bob’s signature. Trusted Root

30 1 23 1.Multiple Roots 2.Simple cross-certificate 3.Complex cross-certificate Cross-Certification and Multiple Hierarchies

31 Things are getting more and more complex if Hierarchies and Cross-Certifications are used X509 PKI Approach to Trust : Problems

32 Trusted Root 3  Cross-Certification and Path Discovery

Download ppt "Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian."

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14
(n)Code Solutions A division of GNFC

(n)Code Solutions A division of GNFC
Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI)
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation 23-25 May 2012, Kish Island, I.R.IRAN.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.

Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (X509 PKI)

Public Key Infrastructure (X509 PKI)
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
An In-Depth Examination of PKI Strengths, Weaknesses and Recommendations.

An In-Depth Examination of PKI Strengths, Weaknesses and Recommendations.

Similar presentations

Ads by Google