Public Key Infrastructure 5 August 2013

What is PKI?
• PKI combines the cryptographic mechanisms we talked about during the Encryption session
  • Symmetric Encryption
  • Asymmetric Encryption
  • Hashing Algorithms
  • Digital Signatures
  • Key Distribution
• PKI is an ISO authentication framework that uses public key cryptography and the X.509 standard
• PKI is used all over the internet

Components of PKI
• Certificate Authorities (CA)
• Certificates
• Registration Authorities (RA)
• Key Management

Certificate Authorities
• The CA is the organization or server that maintains and issues the digital certificates
• When a person requests a certificate, the registration authority (RA) sends the request to the CA after verifying that the requestor is who they say they are
• The CA creates the cert, signs it, sends it to the requestor, and maintains it
[Diagram: Jaci requests a certificate; the Registration Authority verifies identity and forwards the request; the Certificate Authority creates and maintains the certificate, signs it, and sends it to the requestor]

Certificate Authorities Provide Trust
• Jaci trusts the CA
• Jason trusts the CA
• Jaci and Jason trust each other indirectly via the CA
[Diagram: Jaci and Jason, each linked to the Certificate Authority, which creates and maintains the certificate]

Internal vs. External CAs
• Internal CAs
  • Issue certificates within an organization
• External CAs
  • Publicly available to take certificate requests from anyone
  • If you have a website with a certificate, it is issued from a public CA

Cross Certification
[Diagram: Company A, Company B]

Certificate Contents
• X.509v4 specifies the contents of a certificate
  • Serial Number
  • Version Number
  • Identity Information
  • Algorithm Information
  • Lifetime Dates
  • Signature of Issuing Authority

Registration Authority
• Verifies the identity of certificate requestors
• Initiates the certificate request process to the CA
• No request is generated until identity is assured

PKI Process
• Requestor initiates request for certificate with the RA
• RA verifies the requestor is the person they claim to be (Driver’s license, etc.)
• RA sends certificate request to CA
• CA creates a certificate with Requestor's public key and ID information
• The private key can be created by either the user or the CA
• Usually, the user generates the key pair and sends the public key to the CA

Using PKI
• If you want to use PKI to identify someone you are communicating with:
  • Request the public key from the directory
  • The directory, or repository, sends the digital certificate
  • User extracts the desired public key and encrypts a session key
  • User sends the session key & his certificate, encrypted with receiver’s public key
  • Receiver gets the user’s certificate and verifies it, decrypts the session key using her own private key
  • User & receiver communicate securely via the session key

Key Management
• Key must be long enough to prevent brute force attacks
• Keys should be stored and transmitted securely
• Keys should be extremely random, and algorithm should make use of the entire keyspace
• Key’s lifetime should be appropriate for the type of information it is protecting
• The more a key is used, the shorter its lifetime should be
• Keys should be backed up or held in escrow securely in case of failures
• Keys should be properly destroyed when they are no longer in use
• All of this should be automated

Certificate Revocation Lists
• List of compromised or expired certificates
• Browsers should check these and respond appropriately
• If your browser’s CRL isn’t up to date, your session IS NOT SECURE
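
The checks a relying party runs against the certificate contents, lifetime dates and CRL described in the slides above, as an added example that is not part of the original presentation. Textbook RSA over fixed Mersenne primes stands in for a real signature algorithm and is not secure; `make_key`, `ca_issue`, `validate`, the field names, the CRL's `next_update` field and all sample values are assumptions made for illustration.

```python
import hashlib, json
from datetime import datetime, timedelta, timezone

def make_key(p, q, e=65537):
    # ASSUMPTION: textbook RSA from fixed primes, a stand-in for a real scheme.
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(fields, n):
    # Hash a canonical encoding of the certificate fields, reduced mod n.
    blob = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def ca_issue(ca, serial, subject, subject_pub, start, days):
    # CA step: bind the verified identity to the public key, then sign it.
    fields = {
        "version": 3, "serial": serial, "issuer": "Example CA",
        "subject": subject, "public_key": subject_pub,
        "algorithm": "toy-rsa-sha256",
        "not_before": start.isoformat(),
        "not_after": (start + timedelta(days=days)).isoformat(),
    }
    sig = pow(digest(fields, ca["n"]), ca["d"], ca["n"])
    return {"fields": fields, "signature": sig}

def validate(cert, ca_pub, crl, now):
    # Relying-party checks; every failure means "do not trust".
    n, e = ca_pub
    f = cert["fields"]
    if pow(cert["signature"], e, n) != digest(f, n):
        return "bad signature"
    start = datetime.fromisoformat(f["not_before"])
    end = datetime.fromisoformat(f["not_after"])
    if not start <= now <= end:
        return "outside lifetime"
    if now > crl["next_update"]:
        return "stale CRL"  # revocation cannot be ruled out, so fail closed
    if f["serial"] in crl["revoked"]:
        return "revoked"
    return "ok"

# Constructed sample data: Mersenne primes, made-up names, serial and dates.
CA = make_key(2**127 - 1, 2**89 - 1)
JACI = make_key(2**107 - 1, 2**61 - 1)
ISSUED = datetime(2013, 8, 5, tzinfo=timezone.utc)
CERT = ca_issue(CA, 1001, "CN=Jaci", [JACI["n"], JACI["e"]], ISSUED, 365)
CA_PUB = (CA["n"], CA["e"])

if __name__ == "__main__":
    now = ISSUED + timedelta(days=30)
    crl = {"revoked": set(), "next_update": now + timedelta(days=7)}
    print(validate(CERT, CA_PUB, crl, now))
```

The stale-CRL branch is the slide's last point in code: a certificate with a valid signature and lifetime is still rejected when the revocation data is out of date.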