1 / 19

How to Start a PKI

How to Start a PKI. A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics. Agenda. Why do you need a PKI? Basic Cryptography “Near Future” PKI Applications PKI Components and Services Deployment of a PKI. Why do you need a PKI?.

ezra-daniel
Download Presentation

How to Start a PKI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics

  2. Agenda • Why do you need a PKI? • Basic Cryptography • “Near Future” PKI Applications • PKI Components and Services • Deployment of a PKI

  3. Why do you need a PKI? • Protects against eavesdropping • Protects against tampering • Prevents impersonation • Spoofing • Misrepresentation • Provides stronger authentication

  4. Basic Cryptography • Use of Keys for Encryption and Decryption • Types of Keys • Symmetric-Key Encryption • Uses ONE single key (shared secret) • Efficient • Provides a minor degree of authentication • Only effective if symmetric key is kept secret!! • Public-Key Encryption (asymmetric encryption) • Involves a pair of keys: • Public Key – Published • Private Key – Kept secret • Key Length and Encryption Strength • Strength of encryption is related to the difficulty of discovering the key • Encryption strength is described in terms of key size.

  5. Public Key Cryptography Provides: • Encryption and Decryption • Strong authentication • Non-repudiation • Tamper detection

  6. What is a Certificate? • A certificate is an electronic document used to identify: • An individual • A server • A company • Other entities • A certificate associates an identity with a public key

  7. What is a Certificate Authority? • A Certificate Authority (CA) • validates identities • issues certificates • Validation/Assurance of identity • depend on the policies of a given CA

  8. Contents of a Certificate • A certificate (X.509 v3) binds a Distinguished Name (DN) to a public key. • A DN is a series of “values” that uniquely identify an identity. For example: cn=Javier Torner, email=jtorner@csusb.edu, o=California State University San Bernardino, ou=Information Security Office

  9. Near Future Application • Digital Signatures (S/MIME) • Mail Encryption • Certificate Revocation • SSL Client Certificates to POP/IMAP • SSL Client Certificates to NNTP • SSL Client Certificates for network access • Hardware Tokens – Two factor authentication

  10. PKI Components and Services • Certificate Repository • Certificate Revocation • Key backup and recovery • Support for non-repudiation • Time stamping • Client software

  11. PKI Phases • Phase 0 – Basic Infrastructure • Implement a Certificate Authority • Hierarchy Structure • Phase I – Authorization • Phase II – Authentication • Phase III – Incorporate a Trusted Bridge

  12. PKI - Phase 0 • Define Certificate Practice Statement • Define a CA Hierarchy • Root CA • Master or Secondary CA • SSL (Web server) CA • SSL Clients CA • E-mail/Encryption CA • Object CA

  13. CA Certificate Practice Statement • Easy way to start is using PKI-Lite • Edit/modify to your institution • Technology has been around, but relatively new

  14. PKI - Phase I • Select software • OpenSSL, OpenCA • Issue SSL Server Certificates • Class 3 Web servers certificate • Develop/enable users request interface • Provide user education • SSL Client Certificates • Start with certificates for authentication “ONLY” • Test on control systems • ISO sites

  15. SSL Client Certificates • Provides the ability to authenticate (primarily web) users using your institution’s certificate • Allows you to easily restrict the users of your data based upon criteria within a certificate

  16. Contents of a Phase IServer Certificate • CN=www.infosec.csusb.edu • Email= • OU=Information Security Office • O=California State University San Bernardino • L=San Bernardino • ST=California • C=US

  17. Contents of a Phase-IID Certificate • CN=Javier Torner • Email=jtorner@csusb.edu • OU=Information Security Office • O=California State University San Bernardino • L=San Bernardino • ST=California • C=US

  18. The Future of PKI • Phase 3 – Federated • Application Design • CA Development

  19. Valuable Resources • http://www.modssl.org • http://www.openssl.org • http://www.openca.org • http://www.educause.edu/HEPKI • Understanding PKI – Carlisle Adams and Steve Lloyd (ISBN 1-57870-166-x) • Digital Certificates – Jalal Feghhi, Jalil Feghhi, Peter Williams (ISBN 0-201-30980-7)b

More Related