Presentation is loading. Please wait.

Presentation is loading. Please wait.

Compliance Defects in Public- key Cryptography “ A public-key security system trusts its users to validate each others’s public keys rigorously and to.

Published byMarybeth Houston Modified over 9 years ago

Similar presentations

Presentation on theme: "Compliance Defects in Public- key Cryptography “ A public-key security system trusts its users to validate each others’s public keys rigorously and to."— Presentation transcript:

1 Compliance Defects in Public- key Cryptography “ A public-key security system trusts its users to validate each others’s public keys rigorously and to manage their own private keys securely. Both tasks are hard to do well, but public-key security systems lack a centralized infrastructure for enforcing users' discipline. ” Presented by Gene Yang By Don Davis.

2 Outline Public-key infrastructure services How public-key infrastructure (PKI) works Compliance Defects Conclusion

3 Public-key Infrastructure services A public-key security system comprise three infrastructure services –Certification Authority (CA) Signs users’ public keys –Directory Public-access database of valid certificates –Certificate Revocation List (CRL) Public-access database of invalid certificates

4 How PKI Works 1. Key Creation The user create a new key pair. The user proves his ID to CA (not electronically). The CA signs a certificate that names the user as the bearer of his new public key. Public KeyIDRoot CA’s Private key Root CA’s Public Key CA (root) CA Public key Private key The user also recerives the Root CA’s public key for later use. The user chooses a secret pass phrase, and uses it to encrypt his asymmetric private key. 2. Single Sign On At login, the user types his pass phrase to decrypt his private key. With his private key, the user participates in public-key protocols. Certificate User ID Info User’s Public Key CA ID Info Digitally signed by CA’s private key

5 How PKI works cont. 3. Authenticating Others The user either exchanges certificates directly with other users, or he get others' certificates from the Directory service. Before using a certificate, the user must check the CRL for notice of the certificate's revocation. Must validate the CA's signature. 4. Password-Change The user should regularly change the pass phrase with which he decrypts his asymmetric private key. 5. Key-Revocation Certificates are time stamped to expire after a few months or a year. If a user's pass phrase or his private key is compromised, then he must inform the CRL administrator, who disseminates a notice that the corresponding public-key certificate has been revoked The user should check the CRL every time he uses a certificate, because the CRL may be updated at any moment.

6 Compliance Defects Authenticating the User. –CA signs public-key certificate. –Problem: CA cannot trust electronic assurances of new user. –Face to face identification checks are required. However, it becomes unrealistic. Authenticating the CA. –A user must authenticate public key certificate by checking its certifying signature and the signature on each public key in its chain of CAs. –Problem: public-key crytography cannot afford the user any automatic procedure for validating the top-level CA key. –Keep root key in the smart card or under the pass phrase’s encryption.

7 Compliance Defects Cont. Certificate Revocation Lists. –When a user's public key must be removed from use, the only way to enforce prompt revocation is to check every certificate before use against a Certificate Revocation List. –Problem: a rigorous check of a certificate's validity requires that the public key of each CRL in the chain to the Root has to be revocation-checked. –This extra performance burden makes it likely that public- key deployment is proceeding without a revocation infrastructure.

8 Compliance Defects Cont. Private-Key Management. –The user must keep his private key in memory throughout his login session. –Problem: it exposes a long-lived secret, the private key. –Private key can be compromised by physical theft, viruses and Trojan-House programs. Pass phrase Quality. –User don't share their pass phrases with any security service or administrator. –Problem: there is no way to enforce expiration or quality controls on pass phrases. –If the user find the controls of local pass phrase is inconvenient, he can just use a more lenient program to encrypt his private key.

9 Conclusion Public-key's decentralized nature actually places a lot of trust on users, that properly belongs to the security infrastructure and its administrators. Question: Is that public-key cryptography best suited to securing communications between servers or desktop applications?

Download ppt "Compliance Defects in Public- key Cryptography “ A public-key security system trusts its users to validate each others’s public keys rigorously and to."

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI)
Grid Computing Basics From the perspective of security or An Introduction to Certificates.

Grid Computing Basics From the perspective of security or An Introduction to Certificates.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Chapter 11: Active Directory Certificate Services

Chapter 11: Active Directory Certificate Services

Similar presentations

Ads by Google