PKI: Public Key Infrastructure

Similar documents
The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Certification Practice Statement

Public Key Infrastructure. A Brief Overview by Tim Sigmon

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Security Digital Certificate Manager

Security Digital Certificate Manager

Digital Certificates Demystified

Introduction to Public Key Technology and the Federal PKI Infrastructure 26 February 2001

Key Management and Distribution

Understanding Digital Certificates on z/os Vanguard Las Vegas, NV Session AST3 June 26th 2012

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Business Issues in the implementation of Digital signatures

Part III-a. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

Network Security Protocols

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Cryptography and Network Security Chapter 14

Introduction to Cryptography

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Ericsson Group Certificate Value Statement

Key Management and Distribution

Cryptography and Network Security Chapter 15

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Danske Bank Group Certificate Policy

IT Networks & Security CERT Luncheon Series: Cryptography

What Are They, and What Are They Doing in My Browser?

Chapter 6 Electronic Mail Security

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

7 Key Management and PKIs

An Introduction to Cryptography as Applied to the Smart Grid

HKUST CA. Certification Practice Statement

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Computer and Network Security. Outline

encryption keys, signing keys are not archived, reducing exposure to unauthorized access to the private key.

Securing your Online Data Transfer with SSL

Understanding digital certificates

UNDERSTANDING PKI: CONCEPTS, STANDARDS, AND DEPLOYMENT CONSIDERATIONS, 2ND EDITION

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Chapter 10. Cloud Security Mechanisms

Trustis FPS PKI Glossary of Terms


Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

Savitribai Phule Pune University

Certificates in a Nutshell. Jens Jensen, STFC Leader of EUDAT AAI TF

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

DigiCert Certification Practice Statement

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

How To Understand And Understand The Security Of A Key Infrastructure

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory. Chapter 11: Active Directory Certificate Services

HIPAA Security Regulations: Assessing Vendor Capabilities and Negotiating Agreements re: PKI and Security

Test Plan for Department of Defense (DoD) Public Key Infrastructure (PKI) Interagency/Partner Interoperability. Version 1.0.3

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

ESnet SSL CA service Certificate Policy And Certification Practice Statement Version 1.0

Introduction to Network Security Key Management and Distribution

Concept of Electronic Approvals

SEZ SEZ Online Manual Digital Signature Certficate [DSC] V Version 1.2

WiMAX Public Key Infrastructure (PKI) Users Overview

PKI Services: The Best Kept Secret in z/os

Overview. SSL Cryptography Overview CHAPTER 1

THE WALT DISNEY COMPANY PUBLIC KEY INFRASTRUCTURE CERTIFICATE POLICY. July 2011 Version 2.0. Copyright , The Walt Disney Company

Secure web transactions system

Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 15.1

Receiving Secure from Citi For External Customers and Business Partners

Public Key Infrastructure (PKI)

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

7! Cryptographic Techniques! A Brief Introduction

HMRC Secure Electronic Transfer (SET)

The Role of Digital Certificates in Contemporary Government Systems: the Case of UAE Identity Authority

SBClient SSL. Ehab AbuShmais

Network Security Essentials Chapter 7

How To Encrypt Data With Encryption

DRAFT Standard Statement Encryption

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

An Introduction to Entrust PKI. Last updated: September 14, 2004

Certificate Request Generation and Certificate Installation Instructions for IIS 5 April 14, 2006

PGP from: Cryptography and Network Security

SSL Protect your users, start with yourself

- X.509 PKI SECURITY GATEWAY. Certificate Policy (CP) & Certification Practice Statement (CPS) Edition 1.1

CIPHERMAIL ENCRYPTION. CipherMail white paper

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

SAFE Digital Signatures in PDF

Public Key Encryption and Digital Signature: How do they work?

Key Management Interoperability Protocol (KMIP)

Understanding Digital Certificates on z/os Share Anaheim, CA Session 8349 March 2nd 2011

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure

Public-Key Infrastructure

CSE543 - Introduction to Computer and Network Security. Module: Public Key Infrastructure

Information Security

Asymmetric cryptosystems fundamental problem: authentication of public keys

IBM i Version 7.3. Security Digital Certificate Manager IBM

SSLPost Electronic Document Signing

Understanding Digital Signature And Public Key Infrastructure

associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS)

Public Key Infrastructure

Transcription:

PKI: Public Key Infrastructure What is it, and why should I care? Conference on Higher Education Computing in Kansas June 3, 2004 Wes Hubert Information Services The University of Kansas

Why?

PKI adoption will continue growing to support highly sensitive or regulated business processes. However, the dream of using it for general-purpose authentication and ubiquitous digital signatures is still several years in the future and not a certainty. Public Key Infrastructure: Making Progress, But Many Challenges Remain Dan Blum and Gerry Gebel, Burton Group March 2003 ECAR report

PKI adoption hurdles are lower than ever, and the benefits are greater than ever. The time has come to stop studying and testing and take the plunge. PKI: A Technology Whose Time Has Come in Higher Education Mark Franklin, Larry Levine, Denise Anthony, and Robert Brentrup Dartmouth College EDUCAUSE Review March/April 2004

You should know enough about PKI to determine which view applies to your current situation.

Benefits Strong authentication HIPAA, FERPA, etc. Protection from sniffing attacks S/MIME secure email Signing, encryption Work with other PKI developments Inter-university use of PKI Kansas government PKI use Grant signing requirements

Hurdles Certification Authority Issues Outsource, Buy, or Build? Key/Certificate Management Policy Development Registration of users (vetting) Finding compatible applications User key management

Common PKI Use Establishing SSL Connections Authenticates web server to browser Uses CA root built into browser University buys certificates from CA Protection is only for data transfer Does not authenticate user Does not authenticate a specific service User-level: Individual CA Certs/Keys

Non-PKI Keys/Certificates Argus Server Authentication Certificates for server-to-server authentication Locally generated keys and certs No direct user involvement Argus User Authentication NOT certificate-based User-level: PGP, GPG, SSH

Higher Education Organizations for PKI NMI-EDIT NSF Middleware Initiative Enterprise and Desktop Integration Technologies Members EDUCAUSE Internet 2 SURA (SE Univ Research Assoc) HEPKI-TAG Coordinates many PKI developments

Higher Education Initiatives USHER US Higher Education Root Follow-on to CREN as CA InCommon Shibboleth Federation CA Signs Institutional Shib Certs HEBCA Higher Education Bridge Certification Authority

USHER Certificates Low Few constraints on campus operations Suitable for many campus needs Good for learning Basic CP places more constraints on use HEBCA peering Both will issue only institutional certs

HEBCA Trust HEBCA FBCA InCommon HECP Fd Root CA HECA Agency CA Agency CA Campus Campus

Kansas Government PKI Distributed across several agencies Information Technology Executive Council (ITEC) Responsible for Kansas Certificate Policy Office of Secretary of State (SOS) Responsible for CA services contract Information Network of Kansas (INK) Responsible for KS Info Consortium contract KIC manages official state web site www.accesskansas.org

Kansas Government PKI Distributed across several agencies General state PKI information online at: http://da.state.ks.us/itab/pkimain.htm Agencies using service act as Local Registration Authority Current end-entity certs $40/year

Kansas Government PKI Agencies using PKI State Treasurer s Office The Vault Extranet Department of Revenue E-Lein Department of Transportation

Kansas Government PKI Identity Management Security Levels Level 1 Virtual Vetting (no physical presence) Level 2 Physical Vetting; LRA Level 3, 4 Not yet issuing

Kansas Statutes Chapter 16. Contracts and Promises Article 16. Electronic Transactions Electronic Signature [16-1602(i)] Digital Signature [16-1602(e)] If a law requires a signature, an electronic signature satisfies the law. [16-1607(d)] http://www.kslegislature.org/cgi-bin/ statutes/index.cgi/

Electronic Signature... an electronic sound, symbol or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

Digital Signature... a type of electronic signature consisting of a transformation of an electronic message using an asymmetric crypto system such that a person having the initial message and the signer's public key can accurately determine whether:!!! (1)! The transformation was created using the private key that corresponds to the signer's public key; and!!! (2)! the initial message has not been altered since the transformation was made.

Given a choice between security and convenience, users will choose convenience.

Public Key Infrastructure A system of CAs (and, optionally, RAs and other supporting servers and agents) that perform some set of certificate management, archive management, key management, and token management functions for a community of users in an application of asymmetric cryptography. (RFC2828 Definition)

Traditional Cryptography Symmetric Same key that encrypts, decrypts Key is always secret Problems Exchanging key with trusted parties Same key gives everyone access Access includes ability to modify

Traditional Cryptography DES (Data Encryption Standard) IBM, NIST, NSA 1970s 56-bit key Triple DES, 112-bit effective key size AES (Advanced Encryption Standard) Rijndael 128/192/256-bit key sizes

Public Key Cryptography Diffie-Hellman 1976 Asymmetric Two keys: one private, one public Each decrypts what other encrypts Problems Much slower than symmetric Key management

Public Keys Provide Confidentiality Protection again unauthorized access Integrity Protection against unauthorized changes Authentication Verification of an identity Nonrepudiation Cannot deny private key was used

Key Management Generating Keys Authenticating Public Keys Distributing Keys

Generating Keys Keys are generated in pairs Private/Public Keeping private keys secret Ideally no one but owner ever has key Problems convenience escrow recovery

Authenticating Public Keys X.509 Certificates Bind public keys to identity information Contents Include Version Number Public Key Owner s Name Initial / Final Dates Valid... other information... Signed by issuing CA

Digital Credentials Private Key For exclusive use of owner MUST be kept secure Public Key Certificate Available to everyone Links key with owner s identity Trust must be established somehow

Distributing Credentials PKCS#12 Standard for secure transportation of user identity information Wraps data in password-protected object Content can include Keys Certificates Passwords

Credential Package PKCS#12 Package Private Key X.509 Certificate Public Key Identity Info Other Info CA Signature

Certificate Management Distribution User to user (e.g. email) LDAP directories Revoking Certificates Certificate Revocation Lists (CRL) Online Cert Status Protocol (OCSP) Keys and Certificates are not the same Certificates not used for private keys

Credential Generation Key Generation Private Key Public Key ID Information Certificate Signing Request CA Private Key CA Signing PKCS#12 Generation Public Key Certificate PKCS#12 Object Package

Public Key Infrastructure Solves some problems of public keys Establishing owner s identity Defining validity dates, uses Based on trusted third party Signing may be through multiple levels CA cert may sign other CA certs Must end at trusted root CA

Certification Authority Functions Register Users Directly or through Registration Authority Issue Public Key Certificates Revoke Certificates Publish revocation information Archive Key and Certificate Data Retrieve archives when appropriate May or may not ever have user private key

Policies and Procedures Certificate Policy Statement Broad specification of policy objectives Accepted by CA & relying party Certification Practices Statement Detailed practices for issuing certificates Certificate lifetime, revocation, etc.

KU as Certification Authority Strong authentication for campus services Registration already done via Registrar & Human Resources A natural extension of current I/A/A activity KU Online ID, AMS, Argus, LDAP Policy framework: EDUCAUSE, I2 Build on open source foundation

KU Certificate Hierarchy KU Root CA KU Intermediate CA KU Personal CA KU Institutional CA Other potential uses User Certificates User Certificates

KU Root Certificate Available on web at: https://www.ku.edu/kuca Currently root/anchor certificate Must be installed into client system Plan USHER-based path in future Corresponding private key: Used only to sign Intermediate CA Cert Now stored only on encrypted CD

KU Digital Credential Process Action Initiated by Location Test Request User Web Approval CA Server ID Request User Web Generation CA Offline CA Notification CA Email Retrieval User Web Installation User User s PC Use User Application

S/Mime Email Normal Email is like a postcard Message encryption seals the envelope Digital signature adds unique sealing wax stamp

Signing Process Message Sender!s Private Key Sender!s Cert (Public Key) Compute (Optional-- may be obtained by other means) Message Digest Encrypt Encrypted Message Digest Transmitted Message (Original message encrypted digest optional sender cert)

Signature Verification Message (with encrypted digest) (optional public key cert) Sender!s Cert (Public Key) (Extract) Encrypted Message Digest Verify through CA Root Cert Compute Decrypt Message Digest Message Digest Compare The message digests match only if 1) Sender!s private key signed the message 2) The message has not been altered

Encryption Process Message Generate (Random) Symmetric Key Recipient!s Cert (Public Key) (Data) (Key) (Data) (Key) Encrypt Encrypt Encrypted Message Encrypted Symmetric Key (One for each recipient) Transmitted Message (Encrypted message Encrypted key)

Decryption Process Transmitted Message (Encrypted message Encrypted key) Recipient!s Private Key Extract Encrypted Symmetric Key (Data) (Key) Encrypted Message Decrypt Symmetric Key (Data) (Key) Decrypt Message

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information