
Introduction to Roaming PKI

This presentation provides an introduction to Roaming PKI, including the definition of PKI, its core components, principal functions, and cryptography overview. It also covers topics such as managing certificates, roaming certificates, personal entropy, and PKI use cases.


Presentation Transcript


  1. Introduction to Roaming PKI
     C2
     Roger Younglove, CISSP
     Distinguished Member Consulting Staff
     June 17th, 2002

  2. Agenda
     • PKI definition
     • Why PKI
     • The core components of a PKI
     • Principal functions
     • Cryptography overview
     • Managing certificates
     • Roaming Certificates
     • Personal Entropy
     • PKI use case

  3. What is a PKI?
     • PKI stands for “public key infrastructure”
     • It’s a trust distribution mechanism
     • PKI allows any arbitrary level of trust

  4. PKI Definition
     • It is more than a single technology or product; it’s a complex system.
     • A public-key infrastructure (PKI) is the set of policies, people, processes, technologies and services that make it possible to deploy and manage the use of public-key cryptography and digital certificates on a wide scale.

  5. Why PKI …
     • PKI provides answers to all the elements of secure electronic transactions:
       • Authentication
       • Access Control
       • Confidentiality
       • Integrity
       • Non-Repudiation

  6. How does PKI achieve this?
     • Authentication via Digital Certificates
     • Access control via Key Management
     • Confidentiality via Encryption
     • Integrity via Digital Signatures
     • Non-Repudiation via Digital Signatures

  7. Components of a PKI

  8. Digital Certificate
     • It’s a signed data structure that binds one or more attributes of an entity with its corresponding public key.
     • The data structure is signed by a recognized and trusted authority (i.e. the CA).
     • It provides assurance that a particular public key belongs to a specific entity (and that the entity possesses the corresponding private key).

  9. Certification Authority
     • Certification Authorities are the people, processes and tools that are responsible for the creation, delivery and management of digital certificates that are used within a PKI.

  10. Certification Authority
      • There can be multiple configurations of CAs:
        • Root only
        • Hierarchical, root and subordinates
        • Cross certified CAs
        • Bridge cross certified CAs

  11. Certification Authority: Hierarchical, root and subordinate CAs
      [Diagram labels: Root CA, CA-1, CA-2]

  12. Certification Authority: Cross Certified CAs

  13. Certification Authority: Bridge CA cross certification
      [Diagram label: Bridge CA]

  14. Registration Authority
      • RAs are the people, processes and/or tools that are responsible for:
        • authenticating the identity of new entities (user or computing devices)
        • requiring certificates from CAs.
      • They act as agents of CAs.

  15. Certification Repository
      • A database, or store, which is accessible to all users of a PKI, contains:
        • public-key certificates,
        • certificate revocation information
        • and policy information
      • It is an X.500-compliant directory server; LDAP is used to query the database for access to certificates (X.509).

  16. PKI Client Software
      • Client-side software is required to ensure PKI entities are able to make full use of the key and digital certificate management services of PKI, such as:
        • key generation, PKCS 10/7 or PKIX 3.03
        • automatic key update
        • secure storage of private key

  17. PKI-Enabled Applications
      • Software applications must be PKI aware before they can be used with a PKI.
      • Typically this involves modifying an application so that it can understand and make use of digital certificates.
      • i.e. to authenticate a remote user and authenticate itself to a remote user.

  18. Policy
      • RFC 2527 is the present blueprint.
      • draft-ietf-pkix-ipki-new-rfc2527-00.txt
      • Certification Policies and Certificate Practice Statements are policy documents that define the procedures and practice to be employed in the use, administration and management of certificates within a PKI.

  19. Relying Parties (RP)
      • Applications
      • Equipment
      • Individuals
      • Companies

  20. Principal Functions
      • Register new user – checking their credentials to ensure they are bona fide applicants (by RA).
      • Create public and private key (by PKI client software, or created by the CA and pushed to the client).
      • Provide mechanisms to protect the private key, i.e. authentication to control access to the private key (by PKI client software).
      • Create and provide public-key certificates for legitimate PKI users (by CA).

  21. Principal Functions
      • Make public-key certificates available for use by other PKI users (by CA).
      • Support revocation checking so that certificates that are no longer valid are easily identified (by CA).
      • Support non-repudiation by generating and protecting the signing key pair (by PKI client software).

  22. Principal Functions
      • Periodic update of key pairs – to reduce the risk of key compromise (by PKI client software or CA).
      • Manage key histories so that content encrypted in the past can still be recovered (by PKI client software and/or CA).
      • Provide a mechanism to recover encryption keys (by CA).
      • Support cross certification, so that users of one PKI may use their certificates in another PKI (by CA).

  23. Cryptography …
      • The effectiveness of cryptography is based on:
        • the key and its length
        • the tested algorithms

  24. Symmetric Cryptography
      • Examples:
        • DES, Triple-DES, AES (in the future)
        • Blowfish, SAFER, CAST
        • RC2, RC4 (ARCFOUR), RC5, RC6

  25. Asymmetric Cryptography
      • It’s based on an algorithm with two different keys:
        • private key (it must be protected by its owner)
        • public key
      • Algorithms for public key cryptography are called asymmetric algorithms.
      • Encryption is defined as Ek(P) = C (using the public key)
      • Decryption is defined as Dk(C) = P (using the private key)

  26. Asymmetric Cryptography
      • Examples:
        • RSA
        • Diffie-Hellman Key Exchange
        • ElGamal, Digital Signature Standard (DSS)

  27. Objectives (asymmetric cryptography)
      • In one of the most common uses of asymmetric cryptography, the goal is to send a key over an unsecured carrier.
      • This key is then used for symmetric cryptography.
      • Conclusion: We need asymmetric cryptography to send a key, which we then use for symmetric cryptography to exchange data. This symbiosis is called hybrid cryptography.

  28. Example 1/3 (sender Alice)
      • Alice generates her own key pair (private key Alice, public key Alice).
      • Bob generates his own key pair (private key Bob, public key Bob).
      • Both send their public key to a CA and receive a digital certificate.

  29. Example 2/3
      • Alice gets Bob’s public key from the CA (diagram labels: public key Bob, private key Alice).
      • Bob gets Alice’s public key from the CA (diagram labels: public key Alice, private key Bob).

  30. Example 3/3: Provides signatures with public key
      [Diagram labels: Alice, Bob, Alice Private, Alice Public, Message, Hash, Encryption, Decryption, Hash ?= Hash]

  31. Managing Certificates
      • Certificate revocation refers to the process of publicly announcing that a certificate has been revoked and should no longer be used.
      • From a theoretical point of view, certificate revocation is a challenging problem and there are several approaches to address it:
        • The use of certificates that automatically time out;
        • The use of a list that itemizes all revoked certificates in an online directory (OCSP);
        • The use of certificate revocation lists (CRLs).

  32. Roaming Cert
      • How does a roaming cert differ from the traditional?
        • The key pair is created on the CA and stored in the database.
        • The private key does not reside on the local PC.
        • The private key is retrieved for each use.

  33. Roaming Cert
      • What are the benefits of a roaming cert?
        • A certificate holder can log into an application from any remote device that has Web capability.
        • They can download and use their certificate to authenticate to an application.
        • They can use their private key for digital signatures and maintain non-repudiation.

  34. Key Retrieval
      • Login and password
        • Low to medium level of security
      • Login and SecurID
        • High level of security
        • Could be costly, if a large user base is required
      • Login and Personal Entropy
        • Medium to high level of security
        • Low cost even for a large user base

  35. Personal Entropy
      • What is Personal Entropy (PE)?
        • PE is a series of personal questions and answers that are known only to the specific individual.
      • How is it created?
        • Predetermined questions created by the company: low level security
        • Series of questions created by the individual user: medium security

  36. Predetermined PE
      • What is your favorite color?
      • What is your mother’s maiden name?
      • What is your eye color?
      • What is your year of birth?
      • What is your company ID?
      • What is the balance on your last credit card statement?
      • What was the balance in your savings account on (date)?

  37. Self Created PE
      • With guidance provided by the organization, highly secure questions can be created based on:
        • Who?
        • What?
        • When?
        • Where?
        • and How?

  38. Self Created PE
      • Who?
        • Who was my sweetheart in third grade? Sally Smythe
      • What?
        • What breed was my first dog? Boxer
      • When?
        • When did I get my last dog? Feb. 95
      • Where?
        • Where do I keep my slippers? Under the bed.

  39. PKI Use Cases

  40. Certificate Vendors
      • Baltimore Technologies
        • UniCert PKI Software
        • Provides managed service
      • Entrust
        • Entrust Authority PKI Software
        • Provides managed service
      • RSA Security
        • Keon PKI Software
      • VeriSign
        • Provides Server Certificates
        • Provides managed service
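
As an added example (not part of the original presentation), here is one way a roaming-key server could check the self-created Personal Entropy answers from slide 38 before releasing a private key under the "Login and Personal Entropy" option of slide 34. The PBKDF2 work factor, the lockout threshold, the record layout and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import re
import unicodedata

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to your hardware
MAX_FAILURES = 3         # assumed lockout threshold

# Questions and answers quoted from slide 38 of the presentation.
SAMPLE_QA = {
    "Who was my sweetheart in third grade?": "Sally Smythe",
    "What breed was my first dog?": "Boxer",
    "When did I get my last dog?": "Feb. 95",
    "Where do I keep my slippers?": "Under the bed.",
}

def normalize(answer: str) -> bytes:
    """Fold case, punctuation and spacing so retyped answers still match."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)
    return " ".join(text.split()).encode("utf-8")

def _digest(question: str, answer: str, salt: bytes) -> bytes:
    # Bind each answer to its question and to a per-user salt.
    material = question.encode("utf-8") + b"\x00" + normalize(answer)
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)

def enroll(qa: dict) -> dict:
    """Store only salted, slow hashes of the answers, never the answers."""
    salt = os.urandom(16)
    return {"salt": salt, "failures": 0,
            "answers": {q: _digest(q, a, salt) for q, a in qa.items()}}

def verify(record: dict, responses: dict) -> bool:
    """True only if every answer matches and the account is not locked."""
    if record["failures"] >= MAX_FAILURES:
        return False  # locked: key release needs an out-of-band reset
    ok = True
    for question, stored in record["answers"].items():
        candidate = _digest(question, responses.get(question, ""), record["salt"])
        # Check all answers without early exit, so timing does not reveal which failed.
        ok &= hmac.compare_digest(candidate, stored)
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok
```

Normalizing before hashing lets "Under the bed." and "under the bed" match without the server ever storing the answer itself, and the failure counter limits guessing against the low-entropy answers that slide 35 warns about.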
