Overview of pki
This presentation is the property of its rightful owner.
Sponsored Links
1 / 23

Overview of PKI PowerPoint PPT Presentation


  • 119 Views
  • Uploaded on
  • Presentation posted in: General

Overview of PKI. Perry Tancredi VeriSign, Inc. [email protected] Agenda. PKI Defined Terminology Key Techncial Concepts Key Infrastructure Concepts Practical Uses What Who Why Important Considerations of Being a CA. PKI – Public Key Infrastructure.

Download Presentation

Overview of PKI

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Overview of pki

Overview of PKI

Perry Tancredi

VeriSign, Inc.

[email protected]


Agenda

Agenda

  • PKI Defined

  • Terminology

  • Key Techncial Concepts

  • Key Infrastructure Concepts

  • Practical Uses

    • What

    • Who

    • Why

  • Important Considerations of Being a CA


Pki public key infrastructure

PKI – Public Key Infrastructure

The sum total of the hardware, software, people, processes, and policies that, together, using the technology of asymmetric cryptography, facilitate the creation of a verifiable association between a public key (the public component of an asymmetric key pair) and the identity (and/or other attributes) of the holder of the corresponding private key (the private component of that pair), for uses such as authenticating the identity of a specific entity, ensuring the integrity of information, providing support for nonrepudiation, and establishing an encrypted communications section

– PKI Assessment Guidelines v3.0

Information Security Committee

American Bar Association


Basic pki security functions

Basic PKI Security Functions

  • Authentication

    • Be sure you know who you are communicating with

  • Confidentiality

    • Keep secrets secret

  • Integrity

    • Be sure nothing is changed behind your back

  • Access Control

    • Control who can access what

  • Non-repudiation

    • Have the evidence in the event of a dispute


Pki terminology and concepts

PKI Terminology and Concepts

  • Hashing functions

  • Symmetric encryption and decryption

    • Session key

  • Asymmetric encryption and decryption

    • Key pair

  • Digital signature

  • Digital certificate

  • Certification Authorities (CA)

  • Registration Authorities (RA)

  • Hierarchy of trust


Hash functions

It was the best of thymes,

it was the worst of times

Small Difference

Hash Function

Hash Function

3au8 e43j jm8x g84w

b6hy 8dhy w72k 5pqd

Hash Functions

It was the best of times,

it was the worst of times

Large Difference

Examples: MD5 (128 bit), SHA-1 (160 bit)


Symmetric key cryptography encryption

Symmetric Key Cryptography – Encryption

  • DES, AES, RC2, RC5

  • Problems:

    • Alice and Bob must agree on the secret key without anyone else finding out

    • Anyone who intercepts the key in transit can later read, modify, and forge all messages encrypted using that key

    • Doesn’t Scale

Common key

Message

Message

Encrypted Message

A

B

Encrypt

Decrypt

Eavesdropper


Asymmetric key cryptography encryption

Asymmetric Key Cryptography – Encryption

  • RSA, ECC, IDEA

  • Problems:

    • Key exchange has to be done in a secure way

    • Encryption and decryption are extremely SLOW

Public key

Message

Private key

Message

Encrypted Message

A

B

Encrypt

Decrypt

Eavesdropper


Public key encryption

Message

Generate Sym Key

Encrypt Message

Encrypted

Message

Encrypted

Sym Key

Encrypt Sym Key

Public Key Encryption

Symmetric keys encrypt data;

Public keys encrypt symmetric keys

= Private Key

= Public Key

= Symmetric Key

Alice

Bob

Encrypt with Bob’s Public Key


Public key decryption

Decrypt Sym Key

Decrypt Message

Message

Decrypt with Bob’s Private Key

Public-Key – Decryption

= Private Key

= Public Key

Bob

= Symmetric Key

Encrypted

Message

Encrypted

Sym Key

Public key and symmetric key cryptography

are complementary technologies


Public key signature verification

Transmitted Message

Hash Function

Hash Function

Decrypt

Signature

Signature

Message

Digest

Message

Digest

Expected

Digest

Encrypt

If these are the same,

then the message

has not changed

Public-Key – Signature & Verification

Hashing + Encryption = Signature Creation

Bob

Receiver

Sender

Alice

Hashing + Decryption = Signature Verification


Public key encryption1

Message

Generate Sym Key

Encrypt Message

Encrypted

Message

Encrypted

Sym Key

Encrypt Sym Key

Public-Key – Encryption

Alice

Bob


Pki as dmv

PKI as DMV

CAs

(root CA)

(intermediate CAs)

Certs

CAs are like the government agencies

RAs are like the local registries offices


Certificate authority

Certificate Authority

  • An organization that issues certificates

  • Usually a trusted third party

  • Backs the information in the certificate


Registration authority

Registration Authority

  • Performs functions for CA but does not issue certificates directly

  • Processes requests

  • Manages certificate lifecycle

    • Issuance, recovery, revocation, renewal

  • Distributed


Certificate

Certificate

A message which at least (1) identifies the certification authority issuing it, (2) names or identifies its subscriber, (3) contains the subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it

– Digital Signature Guidelines

Information Security Committee

American Bar Association


Digital certificates in use

Digital Certificates in Use

  • Secure e-mail

  • Virtual Private Network (VPN)

  • Wireless (Wi-Fi)

  • Web Servers (SSL/TLS)

  • Network Authentication

  • Code Signing

  • Server to Server


Who uses pki

Who Uses PKI?

  • Physical/Logical access

    • Windows Logon

  • Government and Industry Mandates

  • Corporate Banking

    • Phishing Attacks

    • Identity Theft

  • eCommerce

    • SSL

Current demand for certificates

  • Wireless (WiFi) deployments

  • Devices

    • Web Servers

    • Cable and Satellite

    • Domain Controllers

    • VPN

  • Signed Code

    • PC

    • Mobile


Why use pki

Why Use PKI?

  • Federal Government – HSPD-12

    • Calls for the creation of a NIST standard for gov employees and contractors

    • Builds off of DOD CAC card and External Certification Authority program

  • DOCSIS (Data Over Cable Service Interface Specification)

    • Requires that certificates be imbedded in cable modems for device authentication and code signing

  • HIPAA

    • Mandates the implementation of security measures to maintain patient privacy

    • Email encryption of protected heath information (PHI)

  • FFIEC

    • Guidance to implement two-factor authentication for Internet Banking

    • Mandatory compliance by 2006

  • Gramm-Leach-Bliley Act

    • Requires establishment of technical safeguards to ensure confidentiality and integrity for any institution holding financial data


Specific pki implementations

Specific PKI Implementations

  • The Commonweath of Pennsylvania Justice Network (JNET)

    • Allows disparate law enforement agencies to share information securely

  • Barclays Bank

    • Digital certificates issued to all online clients

    • Account setup time reduced, trading volume increased

  • Department of Interior Buruea of Land Management

    • Smart cards issued to employees for physical and logical access

    • Certificate use expanded to form signing for paper reduction

  • State of New Jersey

    • Allows residents, employees, business partners to share and access informaiton online

    • Streamlined processes, reduced paper and realized cost savings


What is difficult about being a ca

What is Difficult about Being a CA?

  • Understanding PKI risk management

    • Controlling liability exposure

    • Conforming to State and Federal Legislation

  • Policies and Practices

    • Developing a comprehensive Certificate Policy (CP) and Certification Practices Statement (CPS)

    • Maintaining trust

  • Security

    • Technology

    • Physical, personnel, administrative, etc.

  • Operating high availability infrastructure

    • Maintaining hardware and software


Verisign pki snapshot 10 years later

VeriSign PKI Snapshot – 10 Years Later

  • Carrier Class

    • Thousands of enterprise and government customers/CAs

    • 10M+ certificates will be issued in 2005

    • 471K+ SSL certificates in the database

  • Global Presence

    • Support millions of user and device certificates

    • More than 25 large-scale PKI affiliate data centers worldwide

  • VeriSign: the PKI company

    • Our first business, our core competence

    • Full expertise: standards, design, development, operation and support

    • An integral part of our Intelligent Infrastructure Services


What makes a good pki

What Makes a Good PKI?

  • Legislative foundation

    • Electronic Transactions definitions: Kansas Stat. No. 16-1602

    • Use of electronic records and signatures: Kansas Stat. No. 16-1605

  • Documented Policies and Procedures

    • State of Kansas Certificate Policy: IETC Policy 5200

    • VeriSign CP and CPS: http://www.verisign.com/repository

  • Technology

    • Kansas has outsourced the management of the State of Kansas root CA to VeriSign, the worlds leader in PKI

  • Personnel, Technical and Security Controls

    • The Kansas PKI is part of the Kansas IT Governance infrastructure

    • Kansas appointed personnel act as the RA for the Kansas CA

    • VeriSign management the CA back-end infrastructure operations


  • Login