Presentation is loading. Please wait.

Presentation is loading. Please wait.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

Published byVirgil Spencer Modified over 9 years ago

Similar presentations

Presentation on theme: "Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian"— Presentation transcript:

1 Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

2 Digital Signature A Digital Signature is a data item that vouches the origin and the integrity of a Message The originator of a message uses a signing key (Private Key) to sign the message and send the message and its digital signature to a recipient The recipient uses a verification key (Public Key) to verify the origin of the message and that it has not been tampered with while in transit vouch ضمانت‌ كردن‌، اطمينان‌ دادن‌، تاييد كردن‌ Intranet Extranet Internet Alice Bob

3 Digital Signature Signer Channel Receiver Message Message
Digest Algorithm Digest Algorithm Hash Function Hash Function Digest Public Key Encryption Decryption Private Key Expected Digest Actual Digest Signature Signer Channel Receiver

4 Digital Signature There is still a problem linked to the
“Real Identity” of the Signer. Why should I trust what the Sender claims to be? Moving towards PKI …

5 Digital Certificate

6 Digital Certificate A Digital Certificate is a binding between an entity’s Public Key and one or more Attributes relating its Identity. The entity can be a Person, an Hardware Component, a Service, etc. A Digital Certificate is issued (and signed) by someone Usually the issuer is a Trusted Third Party (TTP) A self-signed certificate usually is not very trustworthy

7 Digital Certificate CERTIFICATE Issuer Subject Subject Public Key
Signature

8 Digital Certificate How are Digital Certificates Issued? Problems
Who is issuing them? Why should I Trust the Certificate Issuer? How can I check if a Certificate is valid? How can I revoke a Certificate? Who is revoking Certificates? Moving towards PKI …

9 Public Key Infrastructure (PKI)

10 Public Key Infrastructure (PKI)
A Public Key Infrastructure is an Infrastructure to support and manage Public Key-based Digital Certificates

11 Public Key Infrastructure (PKI)
“A PKI is a set of agreed-upon standards - Certificate structure - Structure between multiple CAs - Methods to discover and validate Certification Paths Operational Protocols Management Protocols “Digital Certificates” book – Jalal Feghhi, Jalil Feghhi, Peter Williams

12 Public Key Infrastructure (PKI)
X509 Digital Certificates standard  Standards defined by IETF, PKIX WG: … however X509 is not the only approach

13 X509 PKI – Technical View Basic Components: Certificate Authority (CA)
Registration Authority (RA) Certificate Distribution System PKI enabled applications “Provider” Side “Consumer” Side

14 X509 PKI – Simple Model CA RA Certification Entity Application Service
Cert. Request RA Application Service Signed Certificate Internet Certs, CRLs Directory Remote Person Local Person

15 Certificate Authority (CA)
X509 PKI Certificate Authority (CA) Basic Tasks: Key Generation Digital Certificate Generation Certificate Issuance and Distribution Revocation Key Backup and Recovery System Cross-Certification

16 Registration Authority (RA)
X509 PKI Registration Authority (RA) Basic Tasks: Registration of Certificate Information Face-to-Face Registration Remote Registration Automatic Registration Revocation

17 Certificate Distribution System
X509 PKI Certificate Distribution System Provide Repository for: Digital Certificates Certificate Revocation Lists (CRLs) Typically: Special Purposes Databases LDAP directories

18 Certificate Revocation List
Revoked Certificates remain in CRL until they expire

19 Certificate Revocation List (CRL)
CRLs are published by CAs at well defined interval of time It is a responsibility of “Users” to “download” a CRL and verify if a certificate has been revoked User application must deal with the revocation processes

20 Online Certificate Status Protocol
(OCSP) An alternative to CRLs IETF/PKIX standard for a real-time check if a certificate has been revoked/suspended Requires a high availability OCSP Server

21 CRL vs OCSP Server CRL OCSP User CA Directory User OCSP Server CA
Download CRL CRL User CA CRL Directory Certificate IDs to be checked Download CRL CRL User OCSP Server CA Answer about Certificate States Directory OCSP

22 PKI-enabled Applications
X509 PKI PKI-enabled Applications Functionality Required: Cryptographic functionality Secure storage of Personal Information Digital Certificate Handling Communication Facilities

23 X509 PKI Trust and Legal Issues

24 X509 PKI Trust and Legal Issues
Why should I Trust a CA? How can I determine the liability of a CA? Legal issues مسائل حقوقی liability تعهد،الزام ،اسناد ديونى ،مسئوليت

25 Approaches to Trust and
X509 PKI Approaches to Trust and Legal Aspects Why should I Trust a CA? How can I determine the liability of a CA? Certificate Hierarchies, Cross-Certification liability تعهد،الزام ،اسناد ديونى ،مسئوليت Certificate Policies (CP) and Certificate Practical Statement (CPS)

26 Certificate Hierarchies
X509 PKI Approach to Trust Certificate Hierarchies and Cross-Certification

27 CA Technology Evolution
RA LRA Directory Services Internet

28 Simple Certificate Hierarchy
Each entity has its own certificate (and may have more than one). The root CA’s certificate is self signed and each sub-CA is signed by its parent CA. Each CA may also issue CRLs. In particular the lowest level CAs issue CRLs frequently. End entities need to “find” a certificate path to a CA that they trust. Root CA Sub-CAs End Entities

29 Simple Certificate Path
* Alice Bob Simple Certificate Path Trusted Root Alice trusts the root CA Bob sends a message to Alice Alice needs Bob’s certificate, the certificate of the CA that signed Bob’s certificate, and so on up to the root CA’s self signed certificate. Alice also needs each CRL for each CA. then Alice can verify that Bob’s certificate is valid and trusted and so verify the Bob’s signature.

30 Cross-Certification and
Multiple Hierarchies 1 2 3 Multiple Roots Simple cross-certificate Complex cross-certificate

31 Approach to Trust : Problems
X509 PKI Approach to Trust : Problems Things are getting more and more complex if Hierarchies and Cross-Certifications are used

32 Cross-Certification and
Path Discovery Trusted Root Trusted Root 3 *

33 Approach to Legal Aspects Certificate Practice Statement
X509 PKI Approach to Legal Aspects Certificate Policy And Certificate Practice Statement

34 Certificate Policy (CP)
A document that sets out the rights, duties and obligations of each party in a Public Key Infrastructure The Certificate Policy (CP) is a document which usually has legal effect سند که مجموعه حقوق، وظایف و تعهدات هر یک از طرفین در یک زیرساخت کلید عمومی سیاست های گواهی، سندی که معمولا دارای اثر حقوقی است. مراجع صدور گواهي مجموعه‌اي از قواعد و سياستهاي اتخاذ شده در ارتباط با توليد و يا رده‌بندي گواهي‌ها به همراه ويژگيهاي امنيتي آنها را در قالب خط مشي و بيانيه اجرايي زير ساخت، اعلام مي‌کنند. در اين خط مشي نوع گواهي قابل ارائه به همراه ميزان امنيت و خدمات مرتبط با آنها مشخص مي‌گردد تا کاربران با آگاهي پيدا کردن از آن و با توجه به نوع فعاليتهاي آتي خود گواهي مناسب را انتخاب و دريافت نمايند. به عبارت ديگر بيانيه گواهي مشروح فعاليتهاي مرجع صدور گواهي را مشخص مي‌کند که بايد کاربران از آن آگاهي داشته باشند. در ذيل اين بيانيه آنچه که به سياستهاي صدور يک گواهي ديجيتال مربوط مي‌شود تحت عنوان سياست گواهي (CP) شناخته مي‌شود. در اين سند تعهداتي که زير ساخت کليد عمومي در قبال صدور يک گواهي بر عهده دارد به تفصيل مشخص مي‌شود. در ادامه سند کاملتر ديگري به نام احکام عملي گواهي (CPS) وجود دارد که در آن رويه‌هاي موجود در زير ساخت کليد عمومي با جزييات کامل مشخص مي‌شود. لازم است که پيشنهاد دهنده CP و CPS زير ساخت بومي را به طور کامل ارائه نمايد. در ادامه موارد مهمي که در اين سياست‌نامه‌ها بايد لحاظ شود، آمده است. Certificate Policy Certificate Practices Statement A CP is usually publicly exposed by CAs, for example on a Web Site (VeriSign, etc.)

35 Policy Issues (CP) Liability Issues Repository Access Controls
Confidentiality Requirements Registration Procedures - Uniqueness of Names - Authentication of Users/Organisations مسائل مربوط به تعهدات Liability Issues Suspension معلق کردن Revocation (Online/CRL) Physical Security Controls

36 Certificate Practice Statement (CPS)
A document that sets out what happens in practice to support the policy statements made in the CP in a PKI سند که مجموعه آنچه در عمل اتفاق می افتد برای حمایت از سیاست اظهارات در CP در PKI ساخته شده است

37 Certificate Practice Statement (CPS)
INTRODUCTION GENERAL PROVISIONS IDENTIFICATION & AUTHENTICATION SPECIFICATION ADMINISTRATION CPS CERTIFICATE & CRL PROFILES OPERATIONAL REQUIREMENTS TECHNICAL SECURITY CONTROLS PHYSICAL, PROCEDURAL & PERSONNEL

38 IETF (PKIX) Standards X.509 Certificate and CRL Profiles
PKI Management Protocols Certificate Request Formats CP/CPS Framework LDAP, OCSP, etc.

39 Identity is Not Enough: Attribute Certificates
IETF (PKIX WG) is also defining standards for Attribute Certificates (ACs): Visa Card vs. Passport (Identity) Attribute Certificates specify Attributes associated to an Identity Attribute Certificates don’t contain a Public key but a link to an Identity Certificate

Download ppt "Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian"

Similar presentations

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14
(n)Code Solutions A division of GNFC

(n)Code Solutions A division of GNFC
Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI)
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation 23-25 May 2012, Kish Island, I.R.IRAN.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.

Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (X509 PKI)

Public Key Infrastructure (X509 PKI)
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
An In-Depth Examination of PKI Strengths, Weaknesses and Recommendations.

An In-Depth Examination of PKI Strengths, Weaknesses and Recommendations.

Similar presentations

Ads by Google