Presentation is loading. Please wait.

Presentation is loading. Please wait.

DYNAMIC VALIDITY PERIOD CALCULATION OF DIGITAL CERTIFICATES BASED ON AGGREGATED SECURITY ASSESSMENT By Alexander Beck Jens Graupmann Frank Ortmeier.

Published byAnissa Rogers Modified over 9 years ago

Similar presentations

Presentation on theme: "DYNAMIC VALIDITY PERIOD CALCULATION OF DIGITAL CERTIFICATES BASED ON AGGREGATED SECURITY ASSESSMENT By Alexander Beck Jens Graupmann Frank Ortmeier."— Presentation transcript:

1 DYNAMIC VALIDITY PERIOD CALCULATION OF DIGITAL CERTIFICATES BASED ON AGGREGATED SECURITY ASSESSMENT By Alexander Beck Jens Graupmann Frank Ortmeier

2 Motivation Digital certificates are being widely used. Digital Certificates also has a validity period after which it expires. So for creating a fault tolerant system where no problem arises due to the expiration of the digital certificates, we should be able to assess the optimal time for which a digital certificate should be active. Here the authors discuss on how to identify the optimal validity period and factors to be considered to calculate it.

3 Introduction Digital certificates are an important component for cryptographic protection of IT infrastructures in large companies A common property of digital certificates is their predefined validity period. The algorithms that are used at the time of creation of certificate may be broken before the expiry of the certificate.

4 Choosing the right crypto period The security level of IT systems should always be in relation to their actual threat. The current threat is not only the system vulnerabilities but also, on the interest in the system for unauthorized persons. The lifetime of an issuing certificate should never end before the lifetime of an issued certificate. Certificates will not be replaced before their expiry.

5 Vulnerability of IT-systems Manual Security Assessment General Security Audit: ◦ A documented status of the detection of defects and security vulnerabilities. IT System Audit: Aspects of ◦ Software versions (authorization (roles & permissions) and passwords) ◦ Safety related configuration

6 Vulnerability of IT-systems Manual Security Assessment Vulnerability Scanning: In the aspects of ◦ Installed operating system and Software ◦ Open ports ◦ Used services Penetration test: ◦ A penetration tester tries with appropriate programs or methods to penetrate a system and exploit vulnerabilities that were identified

7 Vulnerability of IT-systems Automated Security Assessment These automated calculation of system vulnerabilities are based on Configuration Management Database (CMDB) It includes the hardware and software including their exact versions and patch levels.

8 Vulnerability of IT-systems Automated Security Assessment

9 Conditions The calculation formula has to fulfill the following conditions: ◦ The resulting value must lie in the interval [0; 1] (1 means system is completely safe) ◦ The aggregated value must be less than or equal to the smallest single value.

10 Key length & algorithm The longer the key length is, the longer the life time of a certificate can be chosen. Different algorithms and key lengths are compared and stored in the data base. This information needs to be verified and updated on a regular basis. The combination of algorithm and key length must be assessed with a value between 0 and 1 with respect to safety. ◦ 0 – implies the algorithm is known to be broken ◦ 1- considers to be safe for a long time.

11 Revocation Status The revocation status can be checked using an Online Certificate Status Protocol(OCSP) service or (CRL) certificate-revocation-list. OCSP provides more timely information regarding the revocation status is has to be rated in comparison to CRLs in the context of calculation This factor can be quantified trivially: ◦ usage of an OCSP service: 1 ◦ usage of CRL: 0.75 ◦ no revocation checking: 0.5

12 Key storage of CA certificate and length of certificate chain Usually certificates are not issued by Root CA, but by a Sub-CA. Depending on the size and structure of the PKI – operating company the path length from the root CA to the sub- CA can differ. The safety level of a Sub- CA is lower than that of each higher level. For this reason, the path length will be considered and one possible calculation is 1/ path length.

13 Certificate Distribution Delivery : Automatic ◦ Automated methods (SCEP, CMP) in which the certificate using resource generates the keys itself and issues a certificate request. Delivery : Manual ◦ The manual delivery of a particular certificate including the private key with in a container via e- mail is critical.

14 Aggregation

15 Aggregation The security Risk Assessment uses the factors described above to perform the computation of an optimal certificate lifetime. The following condition must be met for the calculated runtime:

16 CLM- Architecture with Security Risk Assessment

17 Conclusion In this paper, an approach is presented to dynamically compute a proper certificate lifetime based on generally accepted factors and current security ratings. It was shown how this dynamic calculation can be embedded into a certificate life-cycle management system.

18 THANK YOU

Download ppt "DYNAMIC VALIDITY PERIOD CALCULATION OF DIGITAL CERTIFICATES BASED ON AGGREGATED SECURITY ASSESSMENT By Alexander Beck Jens Graupmann Frank Ortmeier."

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.

An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
A Framework for Distributed OCSP without Responders Certificate

A Framework for Distributed OCSP without Responders Certificate
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide

Installation & User Guide
Configuration management

Configuration management
Configuration management

Configuration management
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Planning a Public Key Infrastructure

Planning a Public Key Infrastructure
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Deploying and Managing Active Directory Certificate Services

Deploying and Managing Active Directory Certificate Services
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Chapter 9 Deploying IIS and Active Directory Certificate Services

Chapter 9 Deploying IIS and Active Directory Certificate Services
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Similar presentations

Ads by Google