Certificates, Certification Authorities and Public-Key Infrastructures

Similar documents
Certificates, Certification Authorities and Public-Key Infrastructures

Certificates, Certification Authorities and Public-Key Infrastructures

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

PUBLIC-KEY CERTIFICATES

Purpose of PKI PUBLIC KEY INFRASTRUCTURE (PKI) Terminology in PKIs. Chain of Certificates

How To Make A Trustless Certificate Authority Secure

associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS)

Public Key Infrastructure

Asymmetric cryptosystems fundamental problem: authentication of public keys

7 Key Management and PKIs

Part III-a. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Key Management and Distribution

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Lecture VII : Public Key Infrastructure (PKI)

Cryptography and Network Security Chapter 14

Key Management and Distribution

DIMACS Security & Cryptography Crash Course, Day 2 Public Key Infrastructure (PKI)

Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 15.1

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

CSC/ECE 574 Computer and Network Security. What Is PKI. Certification Authorities (CA)

Public Key Infrastructure. Certificates Standard X509v3

Introduction to Network Security Key Management and Distribution

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Network Security: Public Key Infrastructure

Public Key Infrastructures

CSE543 - Introduction to Computer and Network Security. Module: Public Key Infrastructure

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

Certificate Management in Ad Hoc Networks

Reducing Certificate Revocation Cost using NPKI

70-299: Implementing and Administering Security in a Microsoft Windows Server 2003 Network (Corso MS-2823)

UNDERSTANDING PKI: CONCEPTS, STANDARDS, AND DEPLOYMENT CONSIDERATIONS, 2ND EDITION

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

prefer to maintain their own Certification Authority (CA) system simply because they don t trust an external organization to

How To Understand And Understand The Security Of A Key Infrastructure

A PKI approach targeting the provision of a minimum security level within Internet

TELSTRA RSS CA Subscriber Agreement (SA)

Number of relevant issues

CSC574 - Computer and Network Security Module: Public Key Infrastructure

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Internet Trust Next Generation Part 1: Requirements

Internet Security Firewalls

CS Network Security: Public Key Infrastructure

The IVE also supports using the following additional features with CA certificates:

Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004

Authentication Applications

Module 7 Security CS655! 7-1!

APPLICATION FOR DIGITAL CERTIFICATE

Optimized Certificates A New Proposal for Efficient Electronic Document Signature Validation

Authentication Applications

StartCom Certification Authority

CS 356 Lecture 28 Internet Authentication. Spring 2013

Visa Public Key Infrastructure Certificate Policy (CP)

Restricting Access with Certificate Attributes in Multiple Root Environments A Recipe for Certificate Masquerading

Test Plan for Department of Defense (DoD) Public Key Infrastructure (PKI) Interagency/Partner Interoperability. Version 1.0.3

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

Ciphermail S/MIME Setup Guide

Securing Service Access with Digital Certificates

1 Public Key Cryptography and Information Security

CS 392/681 - Computer Security

Configuring DoD PKI. High-level for installing DoD PKI trust points. Details for installing DoD PKI trust points

Security - DMARC ed Encryption

Certification Practice Statement

Certificati e Certification Authority

Grid Computing - X.509

X.509 Certificate Revisited

Authentication Application

Evaluation of Certificate Revocation in Microsoft Information Rights Management v1.0

Certificates and network security

MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory. Chapter 11: Active Directory Certificate Services

Security Digital Certificate Manager

Configuring Digital Certificates

SwissSign Certificate Policy and Certification Practice Statement for Gold Certificates

X.509 Certificate Policy for India PKI

Impact of Public Key Enabled Applications on the Operation and Maintenance of Commercial Airplanes

Should You Trust the Padlock? Web Security and the HTTPS Value Chain. Keeping Current 20 November 2013 Ken Calvert

Introduction to Cryptography

Certificate technology on Pulse Secure Access

Public Key Infrastructure (PKI)

Certificate Policy for the United States Patent and Trademark Office November 26, 2013 Version 2.5

Certificate technology on Junos Pulse Secure Access

Digital Signatures in a PDF

Djigzo S/MIME setup guide

Concept of Electronic Approvals

A Survey of State of the Art in Public Key Infrastructure

Lecture 10 - Authentication

Neutralus Certification Practices Statement

THE RSA ROOT SIGNING SERVICE Certification Practice Statement For RSA Certificate Authorities (CAs) Published By: RSA Security Inc.

10/6/2015 PKI. What Is PKI. Certificates. Certification Authorities (CA) PKI Models. Certificates

CMS Illinois Department of Central Management Services

Internet Security Firewalls

AAI - Authentication and Authorization Infrastructure Task Force Certificate Authority Final Report

encryption keys, signing keys are not archived, reducing exposure to unauthorized access to the private key.

Ericsson Group Certificate Value Statement

Tutta la formazione che cerchi, su misura per te.

NIST ITL July 2012 CA Compromise

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

SSL/TLS: The Ugly Truth

Transcription:

Certificati digitali Certificates, Certification Authorities and Public-Key Infrastructures Ozalp Babaoglu La chiave pubblica con la quale stiamo cifrando deve appartenere realmente al destinatario del messaggio Si pone il problema dello scambio delle chiavi (man-in-themiddle attack) I certificati digitali vengono usati per evitare che qualcuno tenti di spacciarsi per un altra persona sostituendone la chiave pubblica ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA Babaoglu 2001-2012 Sicurezza 2 PKI Certificates Physical Certificates A certificate is the form in which a PKI communicates public key information It is a binding between a public key and identity information about a subject Signed by a certificate issuer Functions much like a physical certificate Avoids man-in-the-middle attacks Fotograph + Personal data Seals = I certify that the photo corresponds to the personal data Babaoglu 2001-2012 Sicurezza 3 Babaoglu 2001-2012 Sicurezza 4

Distribuzione dei certificati Certificate servers Certificati generati, custoditi e distribuiti da entità fidate Certificate servers Public Key Infrastructures (PKI) Distribuzione manuale o di persona: passaporto, carta d identità Database disponibili su rete Permettono agli utenti di richiedere l inserimento del proprio certificato nel database richiedere il certificato di qualcuno Babaoglu 2001-2012 Sicurezza 5 Babaoglu 2001-2012 Sicurezza 6 Public Key Infrastructure PKI Registration Authority PKI is a collection of services and protocols for Registering Certifying (issuing) Validating Revoking certificates Public-key infrastructure (PKI) Registration Authority (RA) usually a physical person Certification Authority () usually software Invoked when a subject requests a certificate for the first time Subject requesting the certificate must be authenticated In-band authentication: performed using the PKI itself possible only for certain types of identity information (e.g. email address) Out-of-band authentication: performed using more traditional methods, such as mail, fax, over the telephone or physically meeting someone Babaoglu 2001-2012 Sicurezza 7 Babaoglu 2001-2012 Sicurezza 8

Public Key Infrastructure Public Key Infrastructure Is there an Internet PKI? Several proposal for an Internet PKI exist: PGP, PEM, PKIX, Secure DNS, SPKI and SDSI No single one has gained widespread use In the future: Several PKI operating and inter-operating in the Internet There are two basic operations common to all PKIs: Certification: process of binding a public-key value to subject: an individual, organization or other entity Validation: process of verifying that a certification is still valid Babaoglu 2001-2012 Sicurezza 9 Babaoglu 2001-2012 Sicurezza 10 PKI X.509 Certificates Distinguished Name Information X.509 Certificate Information Defined by X.509 Standard Subject:!Distinguished Name, Public Key Issuer:! Distinguished Name, Signature Validity: Not Before Date, Not After Date Administrative Info:! Version, Serial Number Extended Info:! Common Name CN=Calisto Tanzi Organization or Company O=Parmalat Organizational Unit! OU=Management City/Locality!!! L=Parma State/Province!! ST=Emilia Romagna Country (ISO Code)!! C=IT Babaoglu 2001-2012 Sicurezza 11 Babaoglu 2001-2012 Sicurezza 12

PKI Certificates PKI Certificate Authorities The certification process is based on trust users trust the issuing authority to issue only certificates that correctly associate subjects to their public keys The certificate issuer is commonly called a certificate authority () Only a for the entire world? Impractical Instead: most PKI enable one to certify another s one is telling its users that they can trust what a second says in its certificates Different certificates: Leaf certificates (end-user) Intermediate certificates Root certificates Babaoglu 2001-2012 Sicurezza 13 Babaoglu 2001-2012 Sicurezza 14 PKI Certificate Chains PKI Hierarchies DN X PK X Sig X s can be organized as a rooted tree (X.509) as a general graph (PGP) DN Y DN Z DN Bob PK Y PK Z PK Bob Sig X Sig Y Sig Z Babaoglu 2001-2012 Sicurezza 15 Babaoglu 2001-2012 Sicurezza 16

PKI Validation PKI Revocation Validation The information in a certificate can change over time Need to be sure that the information in the certificate is current and that the certificate is authentic Two basic methods of certificate validation: Off-line validation The can include a validity period in the certificate a range during which the information in the certificate can be considered valid On-line validation The user can ask the directly about a certificate s validity every time it is used Revocation the process of informing users when the information in a certificate becomes unexpectedly invalid subject s private key becomes compromised user information changes (e.g., email address, domain name of a server) Off-line Within the validity periods, certificate revocation method is critical On-line revocation problem becomes trivial Babaoglu 2001-2012 Sicurezza 17 Babaoglu 2001-2012 Sicurezza 18 PKI Revocation Certificates in Practice: Firefox Certificate Revocation List (CRL) a list of revoked certificates that is signed and periodically issued by a user must check the latest CRL during validation to make sure that a certificate has not been revoked CRL Problems CRL time-granularity problem how often CRLs must be issued? CRL size incremental CRL Babaoglu 2001-2012 Sicurezza 19 Babaoglu 2001-2012 Sicurezza 20

Certificates in Practice: Firefox Certificates in Practice: Firefox Babaoglu 2001-2012 Sicurezza 21 Babaoglu 2001-2012 Sicurezza 22

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information