Presentation is loading. Please wait.

Presentation is loading. Please wait.

Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

Published byEmma Washington Modified over 9 years ago

Similar presentations

Presentation on theme: "Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate."— Presentation transcript:

1 Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate binds key pair and its owner... Alice’s Certificate Signed by CA Alice Alice’s Keys

2 Who’s watching your network CA Trust Hierarchy The CA is the root of all trust in a PKI. There can exist multiple sub-CAs, all signed by the Root Certificate Authority. All certificates are traceable back to the Root CA. All certificates issued within a particular CA hierarchy, or topology, conform and must adhere to the same policies.

3 Who’s watching your network Certificates and Trust Once users trust the Root Certificate Authority, they can trust all certificates signed by the CA or sub-CAs. Certificate Authority = CA Signature

4 Who’s watching your network Certificates - A Closer Look We must check to ensure: –We have the right certificate –The key is still valid –The key is still trusted CA Owner: John Q. Public : Encryption public key Issue & expiration dates Revocation information Issued By: CA Name Serial Number !

5 Who’s watching your network Certificates - A Closer Look For interoperability, the certificates conform to standards. The X.509 Certificate contains data attributes set by the ITU-T. The Net Tools PKI Server generates certificates that are X.509 compliant.

6 Who’s watching your network Security Policy The security of any public key crypto-system relies heavily on policies and procedures The conduct of PKI Administrators and users impacts the effectiveness and security of the system Comprehensive policies must support information security and business objectives

7 Who’s watching your network Security Policy PKI Administrators will perform many critical tasks, including: Certificate Authority creation Defining Certificate Attributes Verifying Identity of Certificate Users Certificate Lifecycle Event processing

8 Who’s watching your network Security Policy PKI users will perform many critical tasks, including: Keeping their passwords secure Keeping their private key(s) secure Knowing when/how to trust other’s keys Treating information in accordance with the information security policy

9 Who’s watching your network Security Policy Policies should not inhibit business objectives or day-to-day responsibilities Policy-makers should seek global standards within organization All policies should explicitly define procedures for proper incorporation All policies and procedures must be readily available for those who ask

10 Who’s watching your network Net Tools PKI Server

11 Who’s watching your network The Net Tools PKI Server application contains the following components: –Certificate Authority (CA) Web-based Administration interface Web-based Enrolment interface A Secure Server Enrolment interface –LDAP Directory Certificate Server PKI Server Components

12 Who’s watching your network Net Tools Certificate Authority

13 Who’s watching your network Certificate Authority The Net Tools CA is used to... Implement a CA topology Define a directory schema Manage certificate lifecycle events

14 Who’s watching your network CA Topology The CA Topology is also known as a “CA hierarchy” or “PKI hierarchy” A Root CA exists at the “top” of the topology If needed by an organization, Admin CAs (a.k.a. “sub-CAs”) can be created to develop a hierarchy. See the following diagrams

15 Who’s watching your network CA Topology A multi-level CA Topology: Root CA Certificate Admin CA User Certificates

16 Who’s watching your network CA Topology A Flat CA Topology: Root CA Certificate User Certificates This could represent a smaller organization without a need to distribute the certificate management process.

17 Who’s watching your network CA Topology The Net Tools Certificate Authority initially generates a Root Key. The Root CA will then sign and issue: –Active Security Certificates –User Certificates –Admin CAs –Other application certificates (i.e. SSL certs) –Or, a combination of all four.

18 Who’s watching your network CA Topology Multiple Admin CAs can distribute the certificate management workload Multiple Admin CAs can distribute different security policies A single CA can be implemented in less complex environments, or where there are limited certificate needs.

19 Who’s watching your network Directory Schema Each X.509 certificate contains an X.500 or LDAPv3- compliant distinguished name (DN). The values will be defined with the Net Tools Certificate Authority. C= O= OU= S= L= CN= country organization organizational unit state or province locality common name NOTE: LDAPv3 DN requirements may differ from the X.500 DN requirements

20 Who’s watching your network Directory Schema X.500 is an ITU-T standard X.500 refers to a directory structure standard, and requires a specific naming scheme. The Net Tools PKI Server can generate distinguished names that conform to the X.500 standard (the CA administrator must provide the attribute values).

21 Who’s watching your network Directory Schema Upon installation and configuration of the PKI Server, the schema is defined. Subsequent to installation and configuration, certificates issued should be named in accordance with this schema.

22 Who’s watching your network The Certificate Lifecycle Events in the lifecycle of a certificate include: 1 2 3 4 5 Certificate Request Certificate Generation Certificate Publication Certificate Revocation Verification (End-user and Key identity) = discussed thus far

23 Who’s watching your network Certificate Request End-user entites... –Human users –Active Security applications –Admin CAs (not strictly an “end-user”) –Other applications …can all request a certificate from the Net Tools PKI Server.

24 Who’s watching your network Certificate Request The Net Tools Certificate Authority provides the interfaces for end-user requests: End EntityInterfacePort HumanWeb Enrollment Server444 Active Security andServer Authenticated other applicationsEnrollment Server445 NOTE: The default port settings are listed. These values can be changed.

25 Who’s watching your network Active Security Certificate Requests The setup of each Active Security component presents an option to: –generate a key pair –request a certificate from the PKI Server The certificate request is completed on the Active Security host machine The certificate issuance is completed on the PKI Server admin page

26 Who’s watching your network The Certificate Lifecycle Events discussed thus far: 4 5 3 Certificate Generation Certificate Publication Certificate Revocation 1 Certificate Request 2 Verification (End-user and Key identity) = discussed thus far

27 Who’s watching your network Verification A critical responsibility of the Certificate Authority administrator is verifying… –the identity of the requester –the association of the public key and private key. Because a Certificate binds the key owner to a key pair, the Verification process is the foundation of certificate validity.

28 Who’s watching your network Verification Even for Active Security components, the CA Administrator should confirm component host machine relationships: –The host name and IP address –The installed Active Security component –The key pair was generated by said machine

29 Who’s watching your network Verification The level of required verification will vary with the amount of trust required in the system, however great detail must be given to the following: –Minimum verification requirements –Separation of verification and issuance duties –Educating responsible parties –Documenting verification policies and procedures in writing

30 Who’s watching your network The Certificate Lifecycle Events discussed thus far: 1 2 3 4 5 Certificate Request Certificate Generation Certificate Publication Certificate Revocation Verification (End-user and Key identity) = discussed thus far

31 Who’s watching your network Certificate Generation The Net Tools Certificate Authority provides a web-based PKI Administrator page (port 443) This is used, among other tasks, to… –check pending certificate requests –issue approved certificates –generate additional CA certificates

32 Who’s watching your network Certificate Generation Using the PKI Administrator page, data is entered to generate a certificate –Review information provided by requester –Distinguished name (following schema) –Other identifying attributes –V3 Extension values

33 Who’s watching your network Certificate Generation Upon generation, the PKI Server Administrator page is used to issue the certificate. Issuance includes: –Notifying the end-user on how to retrieve the certificate –Publishing the certificate to the LDAP directory

34 Who’s watching your network The Certificate Lifecycle Events discussed thus far: 1 2 3 4 5 Certificate Request Certificate Generation Certificate Publication Certificate Revocation Verification (End-user and Key identity) = discussed thus far

35 Who’s watching your network Certificate Revocation On occasion, a certificate will need to be revoked Situations might include: –Loss of trust in certificate for any reason –Compromise of private key –Compromise of private key password –Removal of entity from PKI

36 Who’s watching your network Certificate Revocation Using the PKI Server Administrator page… –certificates can be revoked –Certificate Revocation Lists (CRL) are generated CRLs can be manually updated CRLs can be automatically updated according to a pre-set schedule

37 Who’s watching your network Certificate Revocation This certificate lifecycle event deserves attention to: –Educating Administrators and end-users on how to recognize the need for revocation –Escalation procedures for the revocation process The policies and procedures of revocation should be documented in writing.

38 Who’s watching your network The Certificate Lifecycle Events discussed thus far: 1 2 3 4 5 Certificate Request Certificate Generation Certificate Publication Certificate Revocation Verification (End-user and Key identity) = discussed thus far

Download ppt "Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate."

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Deploying and Managing Active Directory Certificate Services

Deploying and Managing Active Directory Certificate Services
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

Similar presentations

Ads by Google