Download presentation
Presentation is loading. Please wait.
Published byEdwin Harrell Modified over 9 years ago
1
Introduction to Public Key Infrastructure January 2004 CSG Meeting Jim Jokl
2
Cryptography Symmetric key cryptography –A pre-shared secret is used to encrypt the data –Some examples: DES, 3-DES, RC4, etc Public key cryptography –A pair of mathematically related keys are generated One of the keys, the Public Key, is freely distributed The other key, the Private Key, is kept confidential –Given one keys, it is computationally very hard to compute the other
3
Public Key Cryptography –Data encrypted using the public key can only be decrypted by the person with the private key –Likewise, data encrypted with the private key can be decrypted by anyone having a copy of the public key Assuming that the private key is protected and held by an individual, this is the basis for a digital signature Plain Text Encrypted Text one key the other key
4
Digital Signatures and Document Encryption Public Key operations are too computationally expensive for large volumes of data Typical digital signature process –Compute the hash of the document –Encrypt the hash using the signer’s private key Typical document encryption process –Generate a random symmetric cipher key –Encrypt the document using this key –Encrypt the symmetric cipher key using the recipient’s public key
5
Digital Certificates A Digital Certificate is: –An object used to bind the identity of a person to their public key –Contains attributes about the person –Contains some information about the identity binding and infrastructure –Digitally signed by a Certification Authority (CA)
6
Certificate Profiles A description of the fields in a certificate –Recommended fields to use –Field values –Critical flags –Recommendations for implementers –Example ProfileExample Profile
7
Certification Authorities (CA) Certification Authorities –Accept certificate requests from users –Validate the user’s identity –Generate and sign the user’s certificate attesting to the mapping of the identity to the public key –Revoke certificates if needed –Operate under a set of policies and practices Levels of Assurance
8
Certification Authorities and Trust You determine if you trust a certificate by validating all of the certificates starting from the user’s cert up to a root that you trust 100+ root certificates in my Microsoft store The “I” in PKI Root Certificate Intermediate Certificate User A Cert User C Cert User B Cert User D Cert User E Cert
9
PKI Bridge Path Validation
10
PKI, Privacy, and the Pseudo- anonymous CA As stated earlier: “A certificate binds a person’s identity to their public key” Typically the “identity” is their name, email address, computing identifier, etc –Poses some interesting privacy concerns in some applications A pseudo-anonymous CA uses an opaque identifier instead of name/id information
11
Operating System Support for PKI Windows 2000/XP –Well integrated out of the box support for PKI –OS-based certificate/key store –APIs for access to crypto providers –Microsoft applications generally support PKI –Many 3 rd party applications use OS PKI services –Bridge path validation in XP –Windows 2000 server includes a CA
12
Operating System Support for PKI MacOS –Apple has excellent plans to improve their level of OS PKI support to match that of Windows –OS-based certificate/key store exists now and is used by some Apple applications –3 rd party applications should start to use the native support in the future Linux and general Unix –PKI support generally implemented in applications
13
Trust, Private Key Protection and Non-repudiation Digital signatures - based on the idea that only the user has access their private key A user’s private key is generally protected by the workstation’s operating system –Typical protection is no better than for any password that the user lets the operating system store Hardware tokens can be used for strong private key protection, mobility, and as a component in a non-repudiation strategy
14
Two classes of campus PKI applications? Existing normal processes –A PKI using a light policy/practices framework –Better technology and ease of use for existing services –New applications where passwords would have been sufficient in the past
15
Two classes of campus PKI applications? Newer High Assurance services –Access control for critical systems –Authentication for high-value services HiPAA/FERPA/GLBA –Digital signatures for business processes
16
Some Campus CA Options In-source –Commercial CA software –Develop your own or use freely available CA software (typically based on OpenSSL) –KX509 Outsource to commercial CA –Campus still performs the RA function
17
Agenda for remainder of session Motivations for campus PKI deployments –Focus on applications using end-user certificates Introduction to likely campus PKI applications National activities –HEBCA, USHER, PKILab, HEPKI, etc Examples of campus PKI deployments Wrap-up and discussion
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.