
Introduction to Public Key Infrastructure


Presentation Transcript


  1. Introduction to Public Key Infrastructure January 2004 CSG Meeting Jim Jokl

  2. Cryptography
  • Symmetric key cryptography
    • A pre-shared secret is used to encrypt the data
    • Some examples: DES, 3-DES, RC4, etc
  • Public key cryptography
    • A pair of mathematically related keys is generated
    • One of the keys, the Public Key, is freely distributed
    • The other key, the Private Key, is kept confidential
    • Given the public key, it is computationally infeasible to compute the private key

  3. Public Key Cryptography
  • Data encrypted using the public key can only be decrypted by the holder of the private key
  • Likewise, data encrypted with the private key can be decrypted by anyone having a copy of the public key
  • Assuming that the private key is protected and held by an individual, this is the basis for a digital signature
  [Diagram: PlainText encrypted with one key gives EncryptedText, which only the other key decrypts]

  4. Digital Signatures and Document Encryption
  • Public Key operations are too computationally expensive for large volumes of data
  • Typical digital signature process
    • Compute the hash of the document
    • Encrypt the hash using the signer's private key
  • Typical document encryption process
    • Generate a random symmetric cipher key
    • Encrypt the document using this key
    • Encrypt the symmetric cipher key using the recipient's public key
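Both procedures on slides 3 and 4, carried out with the openssl command line, as an added example that is not part of the presentation. Assumed: an `openssl` CLI (1.1.1 or later) on PATH; the file names, the sample documents and the choice of AES-256-CBC with a random key and IV for the bulk data are this example's own. One caveat a practitioner should keep in mind: "encrypt the hash with the private key" is the textbook simplification. `openssl dgst -sign` hashes and then applies PKCS#1 padding before the private-key operation, and the key wrap below uses RSA-OAEP; raw unpadded RSA on a bare hash or key is not safe.

```shell
#!/bin/sh
# Added example, not from the slides. Assumes the openssl CLI (1.1.1 or
# later) is on PATH. File names and the sample documents are constructed
# for this demo.
set -eu

# Key pair: the private half stays with its owner, the public half is
# handed out freely.
make_keypair() {    # $1 = working directory
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/priv.pem" 2>/dev/null
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
}

# Signature: hash the document with SHA-256, then apply the private key
# to the padded hash. dgst does both steps in one call.
sign_doc() {        # $1 = dir, $2 = document path; writes $2.sig
    openssl dgst -sha256 -sign "$1/priv.pem" -out "$2.sig" "$2"
}

# Returns 0 only if the signature was made over exactly this document by
# the private key matching pub.pem.
verify_doc() {      # $1 = dir, $2 = document path
    openssl dgst -sha256 -verify "$1/pub.pem" -signature "$2.sig" "$2" \
        >/dev/null 2>&1
}

# Hybrid encryption: random AES-256 key (and IV) for the bulk data, then
# only the key is wrapped with the recipient's public key using RSA-OAEP.
encrypt_doc() {     # $1 = dir holding recipient's pub.pem, $2 = document
    openssl rand -hex 32 > "$1/session.key"
    openssl rand -hex 16 > "$2.iv"         # IV need not be secret
    openssl enc -aes-256-cbc -K "$(cat "$1/session.key")" -iv "$(cat "$2.iv")" \
        -in "$2" -out "$2.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$1/pub.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$1/session.key" -out "$2.key.enc"
    rm -f "$1/session.key"                 # sender keeps no copy
}

# Recipient side: unwrap the session key with the private key, then
# decrypt the bulk data with it.
decrypt_doc() {     # $1 = dir holding recipient's priv.pem, $2 = document, $3 = output
    openssl pkeyutl -decrypt -inkey "$1/priv.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$2.key.enc" -out "$1/session.key"
    openssl enc -d -aes-256-cbc -K "$(cat "$1/session.key")" -iv "$(cat "$2.iv")" \
        -in "$2.enc" -out "$3"
    rm -f "$1/session.key"
}

demo() {
    dir=$(mktemp -d)
    # Constructed sample document.
    printf 'Grade change request: student 4711, CS101, B -> A\n' > "$dir/doc.txt"
    make_keypair "$dir"
    sign_doc "$dir" "$dir/doc.txt"
    verify_doc "$dir" "$dir/doc.txt" && echo "signature verifies"
    # A one-character change to the document invalidates the signature.
    printf 'Grade change request: student 4711, CS101, B -> A+\n' > "$dir/doc.txt"
    verify_doc "$dir" "$dir/doc.txt" || echo "altered document rejected"
    printf 'confidential transcript\n' > "$dir/secret.txt"
    encrypt_doc "$dir" "$dir/secret.txt"
    decrypt_doc "$dir" "$dir/secret.txt" "$dir/secret.out"
    [ "$(cat "$dir/secret.txt")" = "$(cat "$dir/secret.out")" ] && echo "round trip matches"
    rm -rf "$dir"
}
demo
```

Run it with `sh`; the demo works in a temporary directory that it removes. The same key pair is used for both the signing and the recipient role here only to keep the script short; in practice signing and encryption keys are kept separate.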

  5. Digital Certificates
  • A Digital Certificate is:
    • An object used to bind the identity of a person to their public key
    • Contains attributes about the person
    • Contains some information about the identity binding and infrastructure
    • Digitally signed by a Certification Authority (CA)

  6. Certificate Profiles
  • A description of the fields in a certificate
    • Recommended fields to use
    • Field values
    • Critical flags
  • Recommendations for implementers
  • Example Profile

  7. Certification Authorities (CA)
  • Certification Authorities
    • Accept certificate requests from users
    • Validate the user's identity
    • Generate and sign the user's certificate attesting to the mapping of the identity to the public key
    • Revoke certificates if needed
    • Operate under a set of policies and practices
  • Levels of Assurance

  8. Certification Authorities and Trust
  • You determine if you trust a certificate by validating all of the certificates starting from the user's cert up to a root that you trust
  • 100+ root certificates in my Microsoft store
  • The "I" in PKI
  [Diagram: Root Certificate → two Intermediate Certificates → User A, B, C, D, E Certs]
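Slides 6 to 8 describe one workflow: a profile fixes which fields and critical flags each tier of certificate carries, the CA signs requests under that profile, and a relying party validates the resulting path up to a root it already trusts. The script below, an added example and not part of the presentation, does all three with the openssl CLI (the freely available tooling slide 16 refers to) and shows two rejections a validator must produce: a user certificate presented against an unrelated root, and a chain that violates the issuing CA's pathlen:0 constraint. Assumed: `openssl` 1.1.1 or later on PATH; the organisation names, subject DNs and profile contents are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the slides. Assumes the openssl CLI (1.1.1 or
# later). Names, subjects and the extension profiles are this example's
# own choices, modelled on a two-tier campus CA.
set -eu

# Certificate profiles (slide 6) as openssl extension files, one per
# tier. "critical" means a validator that does not understand the
# extension must reject the certificate rather than ignore it.
write_profiles() {   # $1 = working directory
    cat > "$1/root.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$1/intermediate.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    cat > "$1/user.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Requester side: new key pair plus a CSR carrying the requested name.
make_request() {     # $1 = dir, $2 = name, $3 = subject DN
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# CA side (slide 7): check the CSR's self-signature (proof that the
# requester holds the private key), then sign it with the issuer key and
# the profile for that tier. Vetting the subject's identity is the RA's
# job and happens before this step.
issue_cert() {       # $1 = dir, $2 = name, $3 = issuer name, $4 = profile
    openssl req -in "$1/$2.csr" -verify -noout >/dev/null 2>&1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/$4.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

# Self-signed root: the trust anchor relying parties must already hold.
make_root() {        # $1 = dir, $2 = name, $3 = subject DN
    make_request "$1" "$2" "$3"
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 3650 -sha256 \
        -extfile "$1/root.ext" -out "$1/$2.crt" 2>/dev/null
}

# Path validation (slide 8): from the user cert, through the untrusted
# intermediates, up to a root in the relying party's trust store.
validate_chain() {   # $1 = trust store (PEM), $2 = untrusted chain (PEM), $3 = user cert
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build root -> issuing CA -> user A, as a campus CA might.
build_hierarchy() {  # $1 = dir
    write_profiles "$1"
    make_root "$1" root "/O=Example University/CN=Example University Root CA"
    make_request "$1" issuing "/O=Example University/CN=Example University Issuing CA"
    issue_cert "$1" issuing root intermediate
    make_request "$1" userA "/O=Example University/CN=User A/emailAddress=usera@example.edu"
    issue_cert "$1" userA issuing user
}

demo() {
    dir=$(mktemp -d)
    build_hierarchy "$dir"
    validate_chain "$dir/root.crt" "$dir/issuing.crt" "$dir/userA.crt" \
        && echo "userA chains to the campus root"
    # A root the relying party has not chosen to trust proves nothing.
    make_root "$dir" other "/O=Other Org/CN=Other Root CA"
    validate_chain "$dir/other.crt" "$dir/issuing.crt" "$dir/userA.crt" \
        || echo "userA rejected against an unrelated root"
    # pathlen:0 on the issuing CA forbids any further CA tier beneath it.
    make_request "$dir" subca "/O=Example University/CN=Rogue Sub CA"
    issue_cert "$dir" subca issuing intermediate
    make_request "$dir" userB "/O=Example University/CN=User B"
    issue_cert "$dir" userB subca user
    cat "$dir/issuing.crt" "$dir/subca.crt" > "$dir/chain.pem"
    validate_chain "$dir/root.crt" "$dir/chain.pem" "$dir/userB.crt" \
        || echo "userB rejected: issuing CA's pathlen:0 violated"
    rm -rf "$dir"
}
demo
```

`openssl x509 -req` is the minimal signing path and is enough to show the mechanics; a production CA uses `openssl ca` (or equivalent software) with an issuance database so that it can also generate CRLs, which is how the revocation mentioned on slide 7 reaches relying parties.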

  9. PKI Bridge Path Validation

  10. PKI, Privacy, and the Pseudo-anonymous CA
  • As stated earlier: "A certificate binds a person's identity to their public key"
  • Typically the "identity" is their name, email address, computing identifier, etc
  • Poses some interesting privacy concerns in some applications
  • A pseudo-anonymous CA uses an opaque identifier instead of name/id information

  11. Operating System Support for PKI
  • Windows 2000/XP
    • Well integrated out of the box support for PKI
    • OS-based certificate/key store
    • APIs for access to crypto providers
    • Microsoft applications generally support PKI
    • Many 3rd party applications use OS PKI services
    • Bridge path validation in XP
    • Windows 2000 server includes a CA

  12. Operating System Support for PKI
  • MacOS
    • Apple has excellent plans to improve their level of OS PKI support to match that of Windows
    • OS-based certificate/key store exists now and is used by some Apple applications
    • 3rd party applications should start to use the native support in the future
  • Linux and general Unix
    • PKI support generally implemented in applications

  13. Trust, Private Key Protection and Non-repudiation
  • Digital signatures are based on the idea that only the user has access to their private key
  • A user's private key is generally protected by the workstation's operating system
    • Typical protection is no better than for any password that the user lets the operating system store
  • Hardware tokens can be used for strong private key protection, mobility, and as a component in a non-repudiation strategy

  14. Two classes of campus PKI applications?
  • Existing normal processes
    • A PKI using a light policy/practices framework
    • Better technology and ease of use for existing services
    • New applications where passwords would have been sufficient in the past

  15. Two classes of campus PKI applications?
  • Newer High Assurance services
    • Access control for critical systems
    • Authentication for high-value services
    • HIPAA/FERPA/GLBA
    • Digital signatures for business processes

  16. Some Campus CA Options
  • In-source
    • Commercial CA software
    • Develop your own or use freely available CA software (typically based on OpenSSL)
    • KX509
  • Outsource to commercial CA
    • Campus still performs the RA function

  17. Agenda for remainder of session
  • Motivations for campus PKI deployments
    • Focus on applications using end-user certificates
  • Introduction to likely campus PKI applications
  • National activities
    • HEBCA, USHER, PKILab, HEPKI, etc
  • Examples of campus PKI deployments
  • Wrap-up and discussion
