Presentation is loading. Please wait.

Presentation is loading. Please wait.

April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics.

Similar presentations


Presentation on theme: "April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics."— Presentation transcript:

1 April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics

2 April 19-22, 2005SecureIT-2005 Agenda Why do you need a PKI? Basic Cryptography Near Future PKI Applications PKI Components and Services Deployment of a PKI

3 April 19-22, 2005SecureIT-2005 Why do you need a PKI? Protects against eavesdropping Protects against tampering Prevents impersonation –Spoofing –Misrepresentation Provides stronger authentication

4 April 19-22, 2005SecureIT-2005 Basic Cryptography Use of Keys for Encryption and Decryption Types of Keys –Symmetric-Key Encryption Uses ONE single key (shared secret) Efficient Provides a minor degree of authentication Only effective if symmetric key is kept secret!! –Public-Key Encryption (asymmetric encryption) Involves a pair of keys: Public Key – Published Private Key – Kept secret Key Length and Encryption Strength –Strength of encryption is related to the difficulty of discovering the key –Encryption strength is described in terms of key size.

5 April 19-22, 2005SecureIT-2005 Public Key Cryptography Provides: Encryption and Decryption Strong authentication Non-repudiation Tamper detection

6 April 19-22, 2005SecureIT-2005 What is a Certificate? A certificate is an electronic document used to identify: –An individual –A server –A company –Other entities A certificate associates an identity with a public key

7 April 19-22, 2005SecureIT-2005 What is a Certificate Authority? A Certificate Authority (CA) –validates identities –issues certificates Validation/Assurance of identity –depend on the policies of a given CA

8 April 19-22, 2005SecureIT-2005 Contents of a Certificate A certificate (X.509 v3) binds a Distinguished Name (DN) to a public key. A DN is a series of values that uniquely identify an identity. For example: cn=Javier Torner, o=California State University San Bernardino, ou=Information Security Office

9 April 19-22, 2005SecureIT-2005 Near Future Application Digital Signatures (S/MIME) Mail Encryption Certificate Revocation SSL Client Certificates to POP/IMAP SSL Client Certificates to NNTP SSL Client Certificates for network access Hardware Tokens – Two factor authentication

10 April 19-22, 2005SecureIT-2005 PKI Components and Services Certificate Repository Certificate Revocation Key backup and recovery Support for non-repudiation Time stamping Client software

11 April 19-22, 2005SecureIT-2005 PKI Phases Phase 0 – Basic Infrastructure –Implement a Certificate Authority Hierarchy Structure Phase I – Authorization Phase II – Authentication Phase III – Incorporate a Trusted Bridge

12 April 19-22, 2005SecureIT-2005 PKI - Phase 0 Define Certificate Practice Statement Define a CA Hierarchy –Root CA Master or Secondary CA –SSL (Web server) CA –SSL Clients CA – /Encryption CA –Object CA

13 April 19-22, 2005SecureIT-2005 CA Certificate Practice Statement Easy way to start is using PKI-Lite Edit/modify to your institution Technology has been around, but relatively new

14 April 19-22, 2005SecureIT-2005 PKI - Phase I Select software –OpenSSL, OpenCA Issue SSL Server Certificates –Class 3 Web servers certificate –Develop/enable users request interface –Provide user education SSL Client Certificates –Start with certificates for authentication ONLY –Test on control systems ISO sites

15 April 19-22, 2005SecureIT-2005 SSL Client Certificates Provides the ability to authenticate (primarily web) users using your institutions certificate Allows you to easily restrict the users of your data based upon criteria within a certificate

16 April 19-22, 2005SecureIT-2005 Contents of a Phase I Server Certificate CN=www.infosec.csusb.edu = OU=Information Security Office O=California State University San Bernardino L=San Bernardino ST=California C=US

17 April 19-22, 2005SecureIT-2005 Contents of a Phase-I ID Certificate CN=Javier Torner OU=Information Security Office O=California State University San Bernardino L=San Bernardino ST=California C=US

18 April 19-22, 2005SecureIT-2005 The Future of PKI Phase 3 – Federated Application Design CA Development

19 April 19-22, 2005SecureIT-2005 Valuable Resources Understanding PKI – Carlisle Adams and Steve Lloyd (ISBN x) Digital Certificates – Jalal Feghhi, Jalil Feghhi, Peter Williams (ISBN )b


Download ppt "April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics."

Similar presentations


Ads by Google