PKI COMPONENTS AND RELATED STANDARDS.

Similar documents
encryption keys, signing keys are not archived, reducing exposure to unauthorized access to the private key.

Public-Key Infrastructure

Savitribai Phule Pune University

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Expert Reference Series of White Papers. Fundamentals of the PKI Infrastructure

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer. February 3, 1999

Securing Distribution Automation

Network Security Protocols

An Introduction to Cryptography as Applied to the Smart Grid

AD CS.

Security Digital Certificate Manager

Strong Encryption for Public Key Management through SSL

Security Digital Certificate Manager

Public Key Infrastructure for a Higher Education Environment

How To Understand And Understand The Security Of A Key Infrastructure

IBM i Version 7.3. Security Digital Certificate Manager IBM

Neutralus Certification Practices Statement

Introduction to Public Key Technology and the Federal PKI Infrastructure 26 February 2001

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

CS 356 Lecture 28 Internet Authentication. Spring 2013

Grid Computing - X.509

Trustis FPS PKI Glossary of Terms

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 15.1

Key Management and Distribution

UNDERSTANDING PKI: CONCEPTS, STANDARDS, AND DEPLOYMENT CONSIDERATIONS, 2ND EDITION

IT Networks & Security CERT Luncheon Series: Cryptography

Controller of Certification Authorities of Mauritius

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

An Introduction to Entrust PKI. Last updated: September 14, 2004

Understanding digital certificates

PKI: Public Key Infrastructure

MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory. Chapter 11: Active Directory Certificate Services

CS 392/681 - Computer Security

How To Encrypt Data With Encryption

A Noval Approach for S/MIME

Purpose of PKI PUBLIC KEY INFRASTRUCTURE (PKI) Terminology in PKIs. Chain of Certificates

SBClient SSL. Ehab AbuShmais

Part III-a. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Danske Bank Group Certificate Policy

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Lecture VII : Public Key Infrastructure (PKI)

Overview. SSL Cryptography Overview CHAPTER 1

Class 3 Registration Authority Charter

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Digital Certificates Demystified

Introduction to Security and PIX Firewall

Chapter 6 Electronic Mail Security

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

Chapter 10. Network Security

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Public Key Infrastructure

Introduction to Network Security Key Management and Distribution

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt

Chapter 4 Virtual Private Networking

Certification Practice Statement

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Standards and Products. Computer Security. Kerberos. Kerberos

Ciphire Mail. Abstract

Chapter 8. Network Security

Cornerstones of Security

Asymmetric cryptosystems fundamental problem: authentication of public keys

An LDAP/X.500 based distributed PGP Keyserver

Electronic Mail Security. Security. is one of the most widely used and regarded network services currently message contents are not secure

StartCom Certification Authority

THE WALT DISNEY COMPANY PUBLIC KEY INFRASTRUCTURE CERTIFICATE POLICY. July 2011 Version 2.0. Copyright , The Walt Disney Company

SSL Protect your users, start with yourself

HIPAA Security Regulations: Assessing Vendor Capabilities and Negotiating Agreements re: PKI and Security

Authentication Application

CHAPTER 4 DEPLOYMENT OF ESGC-PKC IN NON-COMMERCIAL E-COMMERCE APPLICATIONS

Case Study for Layer 3 Authentication and Encryption

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

EuropeanSSL Secure Certification Practice Statement

HMRC Secure Electronic Transfer (SET)

Understanding Digital Certificates on z/os Vanguard Las Vegas, NV Session AST3 June 26th 2012

Biometrics, Tokens, & Public Key Certificates

TeliaSonera Public Root CA. Certification Practice Statement. Revision Date: Version: Rev A. Published by: TeliaSonera Sverige AB

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Ericsson Group Certificate Value Statement

TELSTRA RSS CA Subscriber Agreement (SA)

Wireless Mobile Internet Security. 2nd Edition

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

PKI - current and future

- X.509 PKI SECURITY GATEWAY. Certificate Policy (CP) & Certification Practice Statement (CPS) Edition 1.1

Key Management Interoperability Protocol (KMIP)

ehealth Ontario PKI Certification Policy Manual

Gandi CA Certification Practice Statement

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Transcription:

PKI COMPONENTS AND RELATED STANDARDS. COMESA/POTRAZ Zimbabwe 4-6 May 2016. Dr. Izzeldin Kamil Amin Associate Professor. Faculty of Mathematical Sciences University of Khartoum. izzeldin@outlook.com

PKI Functions. PKI is based on Mathematical Algorithms to convert intelligent digitally encoded information (e.g. plaintext) into unintelligible digitally coded information and vice versa. This process is referred to as Cryptography. 2

Main Purposes of Cryptography. Applications of Cryptography include: Data encryption for Confidentiality Digital signatures to provide Non-repudiation (accountability) and verify data integrity. Issuance of Certificates for Authenticating an entity (e.g. a person, company, people, applications and services,.) Access Control (Authorization) 3

Cryptography. The Algorithm of a Cryptography makes use of a unique Number; selected and used in the Algorithm to de-face the digitally coded information to make it unintelligible. This number is normally referred to as a key. 4

Functions of Digital Certificates and e-signature. Digital Certificates and Digital Signatures provide: Authenticity (assurance of the genuineness of the source/signer), Integrity(assurance that document hasn't been changed after signing), Confidentiality (Ensuring that Data are kept private, stay private), Availability (Ensuring that data are accessible whenever needed by the owner) and Non-repudiation(the signer cannot later deny signing the document ) to electronic documents. 9 May 2016 A Regional Cyber Security Centre. 5 5

PKI Terminology and Concepts 6 Hashing functions Asymmetric encryption and decryption Keys: Key pair Digital signature Digital certificate Registration Authorities (RA) Certification Authorities (CA) Hierarchy of trust 6

Hash Functions 7 It was the best of times, it was the worst of times It was the best of thymes, it was the worst of times Hash Function Small Difference Large Difference In the Digest Hash Function 3au8 e43j jm8x g84w Examples: standards Known as MD5 (128 bit), SHA-1 (160 bit) b6hy 8dhy w72k 5pqd Digitally signed documents are signed using the sender's Private Key. Upon receiving the document, a receiver can verify the signature using corresponding sender's Public Key. 7

Asymmetric Key Cryptography Encryption 8 Public key Message A Encrypt Private key Encrypted Message Decrypt B Message Eavesdropper 8

Public-Key Signature & Verification 9 Transmitted Message Signature Receiver Bob Hash Function Message Digest Signature Hash Function Decrypt Encrypt Message Digest Expected Digest Sender Alice Hashing + Encryption = Signature Creation Regional and Global Cyber Perspective Cyber Security and Cyber Crime If these are the same, then the message has not changed Hashing + Decryption = Signature Verification 9

NCDC National Committee for Digital Certification 10 Sudan Root Certificate Authority. SRCA Non Sudanese Root CA Sub-Certification Authorities. Commercial Commercial Commercial Government Government Government Level 1 CA (1) Level 1 CA (2) Level 1 CA (n) Level 1 CA(1) Level 1 CA(2) Level 1 CA(n) LRA LRA LRA LRA Government Level 2 CA(1) LRA LRA Regional and Global Cyber Perspective LRA Cyber Security and Cyber Crime Local Registration Authorities. 10 10

Registration Authority 11 Performs functions for CA by ensuring that the entity to use PKI is what it claims; but does not issue certificates directly 11

Certificate Authority 12 An organization that issues certificates Usually a trusted third party Backs the information in the certificate. Processes requests Manages certificate lifecycle Issuance, recovery, revocation, renewal Distributed 12

PKI COMPONENTS AND FUNCTIONS Three main functions: The Certificate Authority (CA), an entity which issues certificates. Can be in-house or a trusted third party; e.g. Similar to the documents issued by the Ministry of Interior (IDs or Passports). 13

The repository for keys, certificates and Certificate Revocation Lists (CRLs) is usually based on an Lightweight Directory Access Protocol (LDAP)-enabled directory service. A management function, typically implemented via a user interface device used in te process. If the PKI provides automated key recovery, there may also be a key recovery service. Key recovery is an advanced function required to recover data or messages when a key is lost. 14

Figure (1): The Three main functions of PKI plus the recovery process. Regional and Global Cyber Perspective Cyber Security and Cyber Crime Adapted from A White Paper by: 15

Flow of the Process. The process starts by Registration: User registration is the process of collecting user information and verifying user identity, which is then used to register a user according to a certain policy. In brief: it is the mapping between physical verification and providing keys for the PKI process. Since it is a management process, the Human Resources department (or Ministry of Interior) may manage the Registration Authority (RA) function, for instance, while Information Technology manages the CA. 16

A separate RA also makes it harder for any entity subvert the security system. However, every country can choose to have registration handled by a separate RA, or included as part of the Certification Authority (CA) functions. This organization id independent of its implementation: each can be implemented centrally or in distributed way; i.e one single CA (or RA) or more than one CA (or RA). 17

CA Functions. Main CA functions include: Issuing Certificates, Revoking Certificates, and creating Certificate Revocation List (CRL). Creating and publishing CRLs, Storing and retrieving certificates and CRLs, and Key Lifecycle Management. Enhanced or emerging functions include time-stamping and policy-based certificate validation. 18

Partners and International Cooperation Every country needs to evaluate (and accept or reject) certificates issued by CAs from other countries. This can be accomplished through a number of alternatives that we shall explore in a separate session. 19

Work of APPLICATIONS A PKI Applications include: email, web browsing, web servers, any Electronic Data Interchange (EDI), All applications that require secure transactions or communication sesssions utilizing: web or in VPNs using protolcols such as S/MIME, SSL, and IPSEC. Applications that require secure items such as digitally signed documents or code. All applications can be made PKI-enabled. The PKI system manages the keys and digital certificates used to implement cryptography within all applications. 20

PKI-RELATED STANDARDS Two groups of standards: PKI Standards: those that specifically define the PKI, and user-level standards: that rely on the PKI, but don t define it. PKI standards permit multiple PKIs to interoperate, and multiple applications to interface with a single, consolidated PKI. 21

Standard Functions. Standards are necessary for: Enrollment procedures. Certificate formats. CRL formats. Formats for certificate enrollment messages (client requests certificate, server issues certificate). Digital signature formats. Challenge/response protocols. 22

PKI Group (IETF Task Force). The primary focus of interoperable PKI standards is the PKI working group of the Internet Engineering Task Force (IETF), known as the PKIX group (for PKI for X.509 certificates ). 23

PKIX Component Standards The PKIX specifications are based on two other standards: X.509 set by International Telecommunication Union (ITU) and The Public Key Cryptography Standards (PKCS) from RSA Data Security. X.509 was intended to specify authentication services for X.500 directory services. In fact, the certificate syntax of X.509 has been widely adopted outside X.500 environments. However, X.509 was not intended to define a complete, interoperable PKI. To supplement X.509, vendors, users and standards committees have turned primarily to de facto PKI standards defined in PKCS. 24

PKI standards define the PKI. Security standards for Aplication may require, assume or allow the use of PKI. Adapted from A White Paper by: 25

X.509 X.509, set by the ITU, is considered the foundational and most universally supported PKI standard. Its primary purpose is to define a standard digital certificate format. 26

PKCS It is actually a series of standards covering PKI in areas of certificate enrollment and renewal, and CRL distribution. For PKI interoperability, the three most important PKCS standards are: PKCS #7, Cryptographic Message Syntax Standard, PKCS #10, Certificate Request Syntax Standard, and PKCS #12, Personal Information Exchange Syntax Standard. 27

Standards Based on a PKI. Major security standards are designed to work with a PKI: Secure Sockets Layer (SSL), Transport Layer Security (TLS), Secure Multipurpose Internet Mail Extensions (S/MIME), Secure Electronic Transactions (SET) and IP Security (IPSEC), All assume, require or allow the use of a PKI. 28

S/MIME S/MIME is the IETF standard for secure messaging. S/MIME assumes a PKI for digitally signing messages and to support encryption of messages and attachments, without requiring prior shared secrets. It was an early standard which is now considered mature. S/MIME committee has led the way in implementing and extending PKI standards, taking advantage of the PKIX standards when possible, and filling in where additional standards were necessary. The most important standards developed by the S/MIME committee are Cryptographic Message Syntax, Message Specification, Certificate Handling, and Certificate Request Syntax. 29

SSL and TLS. SSL and the emerging IETF standard, TLS, which is based on SSL, are the most important standards for providing secure access to Web servers. SSL and TLS are also being used for general client/server security in a variety of non-web applications. Both rely on a PKI for certificate issuance for clients and servers. 30

Secure Electronic Transactions (SET) SET is utilized in securing an electronic bank card payment. SET uses keys for authentication, confidentiality and data integrity. PKI is a critical underpinning for authentication of the parties involved in a payment transaction. 31

IPSEC The IPSEC standard defines protocols for IP encryption, and is one of the primary protocols used for deploying VPNs. IPSEC requires keys for encryption and authentication. Complete PKI standards for IPSEC are still under deveopment, and a PKI is the most scalable way of managing IPSEC keys. The use of IPSEC is still fairly limited, and the need for PKI will grow with IPSEC deployment. 32

SOME ISSUES IN PKI DEPLOYMENT Countries need to deploy PKI for limited applications at the beginning; e.g. Electronic Passport, Bank Swift applications,.etc. Strategically, a countr should concentrate on establishing the main necessary architecture.; e.g. ROOT CA and one sub- CA. Interoperability is a main issue! 33

How will interoperability be achieved? There are Possibly two basic approaches to PKI interoperability: 1. Focus on a particular vendor s product or OPEN SOURCE products; e.g. Primekey EJBCA (Enterprise Java Beans Cert. Authority). 2. Focus on standards. After reaching a maturing stage, expanding PKI market, vendor-independent standards will increasingly be the method of choice for achieving interoperability and consolidation. 34

Thank you for your attendance and Listening. 35

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information