Transcript Public Key Infrastructure (PKI)

Public Key Infrastructure
(PKI)
Providing secure communications
and authentication over an open
network.
Topics
• Understanding the technology
– Cryptography, Digital Signatures, Third
Party Trust, and Public Key Certificates.
• Public Key Infrastructure
– Definitions, Components, Infrastructure,
Processes, and Issues.
• Western’s PKI
Cryptography Methods
• 2 Types of Cryptography being used.
– Symmetric Key (shared secret)
Cryptography
– Public Key Cryptography
• Each has a role in a Public Key
Infrastructure.
Symmetric Key Cryptography
• 1 Key known by both parties (shared)
• A message encrypted by the key can
only be decrypted using the same key.
Hello
Ijfd82*7df
Hello
• Issue: Hard to share the key securely.
Public Key Cryptography
• 2 keys generated. 1 private, 1 public.
• A message encrypted by 1 key can only be decrypted
by the other.
Private
Public
Hello
9klfms83f
Hello
Bye
Jf#f9j3f92
Bye
• Public keys are stored in a public repository and are
freely available.
• Private keys are stored on local system protected by
a password. Never transmitted over the network.
Public key Cryptography
• 2 way encrypted communication
possible using 2 sets of public keys.
Party A
Party B’s
Public
Hello
Party B’s
Private
9klfms83f
Party A’s
Private
Bye
Party B
Hello
Party A’s
Public
Jf#f9j3f92
• Issue: Large resources required.
Bye
Their roles in PKI
• Public keys are used •
to securely transmit a
symmetric session
key.
Step 1: Party A
creates
symmetric key
and transmits it
to Party B using
their public key.
Step 2: Secure
communications
setup using the
symmetric key.
Party A
Hello
The symmetric key is
used to setup secure
encrypted
communications.
Party B’s
Public
Party B’s
Private
Ijfd82*7df
Party B
Hello
Digital Signature
• Private keys can be used to sign a document.
• The public key is used to decrypt the signature
which verifies that the message came from the
person who owns the private key.
Party A
Hello Bob
signed Jonny
Party A’s
Private
Party A’s
Public
Hello Bob
signed dfjlf9#fsi
Party B
Hello Bob
signed Jonny
• Issue: How does party B verify Party’s A Public
Key.
Trusted Third Party
• A trusted third party is someone both
communicating parties trusts.
• This party authenticates Party A using older
style methods (ID Card) and verifies they own
the private key.
• This party then uses its own private key to
digitally sign party A’s public key.
• Since party B trusts the public key of the third
party, when it decrypts the signature on party
A’s Public key it can then trust A’s public key.
• Signed public keys can be used for
authentication.
Public Key Certificate (PKC)
• A public key certificate is a document that:
– Contains the public key of its owner.
– Contains a set of attributes that identifies its owner
– Is digitally signed by a trusted third party called a
Certificate Authority (CA).
– Has an life span (expiry date).
• Certificates are stored in public repositories.
• Used to authenticate, setup secure
communications and trust a digital signature.
Public Key Infrastructure (PKI)
• Defined by the IETF PKIX Working
Group as:
“The set of hardware, software, people, policies
and procedures needed to create, manage, store,
distribute, and revoke public key certificates based
on public key cryptography.”
PKI Component Definitions
• Certificate Authority (CA) : An authority trusted to create and
assign public key certificates. Required to validate user information
and verify they own the private key. Required to maintain CRLs.
• Registration Authority (RA) : An optional authority that can act on
behalf of a CA to validate user information and verify they own the
private key.
• Repository : A data base or directory used to store and distribute
Public Key Certificates and CRLs.
• Certificate Revocation Lists (CRL) : A list of certificates that have
been revoked due to their owners breaking one of the rules in the
certificate policy or by having its private key compromised.
• Certificate Policy (CP) : A set of rules which indicates how a
certificate is to be used by a community of users or set of
applications.
• Certificate Practice Statement (CPS) : A set of guidelines a CA
follows when issuing certificates.
The Infrastructure
Governed by Certificate Practice Statement.
Repository
for PKCs
and CRLs
Certificate
and
revocation
list storage.
Certificate
Authority
Registration
process
Registration
Authority
Certificate requests
Certificate
and
revocation
list retrieval.
Application
or Server
Authentication and
Secure communication
User
Governed by Certificate Policy.
Certificate use.
• During setup of connection between a server and user:
– Certificates are withdrawn from the repository for both parties.
– Digital signatures are decrypted using the CA’s public key.
– The Certificate revocation list for the signing CA is referenced to
verify that the certificate has not been revoked.
– If all passes then authentication of the server and user has been
accomplished (i.e. each trusts that the private key is owned by
the person identified in the certificate).
• Secure communications are then setup by the user
generating a symmetric session key and transmitting it
to the server using the servers public key to encrypt it.
Once the server has decrypted the session key using its
private key a secure socket is setup using the session
key.
The Repository(LDAP)
• A Repository:
– Requires an efficient directory capable of
authentication, replication and redundancy
– should be capable of storing more data than
just certificates and must be capable of
complicated searches
• LDAP provides all the requirements plus:
– can use Public Keys during its authentication
– is being integrated into many other
technologies
– Has a good set of standard APIs
Issues with PKI
• Certificate Revocation is still in its infancy.
• Trust
– Do we trust the commercial CAs out there. Why do we
trust them to authenticate information they are not the
authority of.
– How do we trust repositories.
• Non PKI security holes
– How secure are clients, CAs, and repository systems from
hackers and virus attacks. Are they physically secure.
– How well guarded are private keys.
• Is the data in the certificate being check thoroughly.
• The idea of Non-Repudiation.
• Roaming Access (Smart Cards)
Western’s PKI
• Western currently has an agreement with Thawte
Certification (owned by VeriSign) to provided signed
certificates and be our Certificate Authority (CA).
• A representative of ITS acts as a Registration
authority (RA) on behalf of Thawte Certification.
• Currently only Secure Socket Layer (SSL)
certificates are in use to provide encrypted web
communications (Authentication of web server only).
• Thawte offers other types of certificates but they
have not been investigates for use at Western yet
and may be cost prohibitive to use.
Western’s PKI
Repository
for PKCs
and CRLs
SSL
Certificates
are stored
in the web
server and
distributed
by the web
server.
2. Thawte asks ITS
if request is good.
CA: Thawte
Certification
1.Web server
admin
generates
and send a
certificate
request to
Thawte.
Web
Server
3. ITS Verifies
request and say yes.
RA: ITS
Representative
4. Thawte signs
certificate and
returns it to the
web server admin
who loads it into
web serer configuration.
5. User generates session
key and transmits it to
web server using public key.
A secure socket is then
setup. (SSL)
UWO web
user.