Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ing. Jiří Mrnuštík Ing. Petr Vaněk Advantages of modular PKI.

Similar presentations


Presentation on theme: "Ing. Jiří Mrnuštík Ing. Petr Vaněk Advantages of modular PKI."— Presentation transcript:

1 Ing. Jiří Mrnuštík Ing. Petr Vaněk Advantages of modular PKI

2 - I would like to hold this lecture a little less conservative - Implementation of PKI in practice is not limited only on technical an organizational establishing of a trusted third party for issuing of certificates -The aim to implement PKI in massive practice have not only a governments but private firms as well -PKI is in the place for a many years and analytics with the surprising recognized that such useful technology is still not massively used and implemented -Surprising, isn’t it? Unconventional view of PKI

3 My good friend and ex-boss Tor-Aksel Frolyland from Norman data Defense company wrote me several days ago: „Together we had been developing PKI for many years as well as application operating over it. We spent a lot of financial and human resources in our R&D team, but the sales of this software in civilian sector was not good enough. Only now, when I am working in the bank as ICT security chef officer I start to understand reasons. We spoke to our clients with the language of techies which they didn’t understand“. Unconventional view of PKI

4 -The key is to use the appropriate language -Implementation of PKI in the civilian sector is more complicated that in the military sector -In the army there is necessary to persuade responsible officers only and they can give the order to use technology to all units which need it -Nevertheless with this officer is necessary to communicate with the appropriate language as well. PKI technology is not so transparently useful like for example laser tracking system for intelligent bombs Unconventional view of PKI

5 -On the other side ONLY to give an orders to units is not so easy -In these days, in the time of armies and wars of third generation it is necessary more do than simple order -Soldier has to have high quality education -Soldier needs to speak fluently with more than one human language and he needs to know some programming languages -He needs to understand and believe in technologies which he is using -And now we are again talking about appropriate common language Unconventional view of PKI

6 -The age of brutal and massive attacks is history -Most of recent conflicts are waged on the level of local LIC (low intensity conflicts) -And with utilities more sophisticated than is usual M16. -Most of LIC takes a place in invisible sphere of battle for information - in Cyberspace. Cyberspace is the battle field for conflicts of third generation Unconventional view of PKI

7 -It is unquestionable that information acquired by special force units is necessary to protect during its way to command and analytical center. -In the same way it is necessary to protect information going vice versa from command center to special operational units. -Small operative, highly educated and well trained units with the continuous and PROTECTED data flow of information, this is the model for LIC of third generation. Therefore structured and modular PKI is necessary Unconventional view of PKI

8 What PKI is It is an complex system, which supports a ciphering with public keys and services connected with the electronic signatures. Basic purpose of Public Key Infrastructure is the public keys and certificates management. PKI enables usage of services connected with the ciphering and electronic signatures in the huge range of applications. Basic definitions of PKI

9 Well designed and realized PKI has to have a several basic features: - Export of user and management interfaces - Possibility to add centralized key and certificate management - Centralized security policy management - Modularity is basic and inevitable feature of PKI

10 Basic definitions of PKI Basic components of PKI PKI is the combination of: - Knowledge - software - hardware - Practice standards, legislative rules, politics, and procedures

11 Structure of PKI system Security policy of PKI Practices and procedures, which defines how the keys and certificates will be generated, managed, distributed and used Security practice of PKI Crash recovery policy PKI Certification Authority and Time stamp Authority Document base for CA Support for Time Stamp (TS) Software (hardware) key generation and their secure storage and management Software (hardware) for certificate management outside of CA system

12 Processes in PKI system Key generation Key management Certificate generation Certificate management, and also outside of CA system Export interfaces for key and certificate usage Possibility of third party software operation over the PKI

13 Functions of PKI single modules What such modules are: Key and certificate management Electronic signature as inevitable module executable module operating over the PKI Certification Authority TSA

14 Cryptographic Message Standard, RFC 2630 Electronically signed data – what to do with it ? header data Certs, CRLs signatures SignedData ::= SEQUENCE { version CMSVersion, digestAlgorithms DigestAlgorithmIdentifiers, encapContentInfo EncapsulatedContentInfo, certificates [0] IMPLICIT CertificateSet OPTIONAL, crls [1] IMPLICIT CertificateRevocationLists OPTIONAL, signerInfos SignerInfos } compact format for signature (signatures) and data itself separated signature (extra signature), where the data are stored separately certificate and/or CRL wrapping either separately or with signatures

15 Signer Info & Trustful signature time Signed Attributes Signature Unsigned Attributes Signer Identifier TimeStamp SignerInfo ::= SEQUENCE { version CMSVersion, sid SignerIdentifier, digestAlgorithm DigestAlgorithmIdentifier, signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL, signatureAlgorithm SignatureAlgorithmIdentifier, signature SignatureValue, unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL } Time Stamp & Signature

16 Data in electronic envelope EnvelopedData ::= SEQUENCE { version CMSVersion, originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, recipientInfos RecipientInfos, encryptedContentInfo EncryptedContentInfo, unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL } RecipientInfo ::= SEQUENCE { version Version, issuerAndSerialNumber IssuerAndSerialNumber, keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, encryptedKey EncryptedKey }

17 S/MIME Package Redundancy ? signatureMIME encoding encryption signatureencryption Or ? send CMS Signed data CMS Signed data CMS Enveloped data CMS Enveloped data

18 Key, certificate … –Key pair generation, algorithms, key length –Request, selfsigned certificates –Hw storages – tokens, smart cards –Key backup - tokens –Signing request, revocate certificate –Certificate share, LDAP, web,..

19 Certification Authority LUNA HTTPS SQL DB Name Server LDAP Server RA (RAO) WEB browser Root CA RA (RAO) WEB browser RA (RAO) WEB browser CA core Locality A Locality B Locality C Locality D On-line CA with hw. Engine (Luna,..)

20 Time Stamp Authority RFC 3161, ETSI TS

21 SDK- Software Development Kit Digital signature Data encryption Time Stamp SSL,… Cert. requests Signing CRL,Cert TSA File, DB storages for CRL,Certs, Keys USB tokens Smart Cards LDAP client/server support Objects exchanger,.. Objects providers MS storages, … Client – server technology

22 Real Application Obtain key pair Managing PKI RA & CA 3rd party sw OS integration SDK colaboration IS implementation lResult = pki_Init(&pki_ses, NULL); if(lResult != RET_OK) { printf("Failed to initialize PKI session EC:%d\n", lResult); } else { lResult = pki_InitBucket(pki_ses, &pki_col); if(lResult != RET_OK) { printf("Failed to initialize PKI bucket EC:%d\n", lResult); } else { // verify digitally signed file lResult = pki_CBDecryptSgn(pki_ses, pki_col, g_pszSignedFile, g_pszGatheredFile, NUL

23 Thank you for your attention


Download ppt "Ing. Jiří Mrnuštík Ing. Petr Vaněk Advantages of modular PKI."

Similar presentations


Ads by Google