Presentation is loading. Please wait.

Presentation is loading. Please wait.

Advantages of modular PKI

Similar presentations

Presentation on theme: "Advantages of modular PKI"— Presentation transcript:

1 Advantages of modular PKI
Ing. Jiří Mrnuštík Ing. Petr Vaněk

2 Unconventional view of PKI
- I would like to hold this lecture a little less conservative - Implementation of PKI in practice is not limited only on technical an organizational establishing of a trusted third party for issuing of certificates The aim to implement PKI in massive practice have not only a governments but private firms as well PKI is in the place for a many years and analytics with the surprising recognized that such useful technology is still not massively used and implemented Surprising, isn’t it?

3 Unconventional view of PKI
My good friend and ex-boss Tor-Aksel Frolyland from Norman data Defense company wrote me several days ago: „Together we had been developing PKI for many years as well as application operating over it. We spent a lot of financial and human resources in our R&D team, but the sales of this software in civilian sector was not good enough. Only now, when I am working in the bank as ICT security chef officer I start to understand reasons. We spoke to our clients with the language of techies which they didn’t understand“.

4 Unconventional view of PKI
The key is to use the appropriate language Implementation of PKI in the civilian sector is more complicated that in the military sector In the army there is necessary to persuade responsible officers only and they can give the order to use technology to all units which need it Nevertheless with this officer is necessary to communicate with the appropriate language as well. PKI technology is not so transparently useful like for example laser tracking system for intelligent bombs

5 Unconventional view of PKI
On the other side ONLY to give an orders to units is not so easy In these days, in the time of armies and wars of third generation it is necessary more do than simple order Soldier has to have high quality education Soldier needs to speak fluently with more than one human language and he needs to know some programming languages He needs to understand and believe in technologies which he is using And now we are again talking about appropriate common language

6 Unconventional view of PKI
The age of brutal and massive attacks is history Most of recent conflicts are waged on the level of local LIC (low intensity conflicts) And with utilities more sophisticated than is usual M16. Most of LIC takes a place in invisible sphere of battle for information - in Cyberspace. Cyberspace is the battle field for conflicts of third generation

7 Unconventional view of PKI
It is unquestionable that information acquired by special force units is necessary to protect during its way to command and analytical center. In the same way it is necessary to protect information going vice versa from command center to special operational units. Small operative, highly educated and well trained units with the continuous and PROTECTED data flow of information, this is the model for LIC of third generation. Therefore structured and modular PKI is necessary

8 Basic definitions of PKI
What PKI is It is an complex system, which supports a ciphering with public keys and services connected with the electronic signatures. Basic purpose of Public Key Infrastructure is the public keys and certificates management. PKI enables usage of services connected with the ciphering and electronic signatures in the huge range of applications.

9 Basic definitions of PKI
Well designed and realized PKI has to have a several basic features: -         Export of user and management interfaces -         Possibility to add centralized key and certificate management -         Centralized security policy management -         Modularity is basic and inevitable feature of PKI

10 Basic definitions of PKI
Basic components of PKI PKI is the combination of: - Knowledge - software - hardware - Practice standards, legislative rules, politics, and procedures

11 Structure of PKI system
Security policy of PKI Practices and procedures, which defines how the keys and certificates will be generated, managed, distributed and used Security practice of PKI Crash recovery policy PKI Certification Authority and Time stamp Authority Document base for CA Support for Time Stamp (TS) Software (hardware) key generation and their secure storage and management Software (hardware) for certificate management outside of CA system

12 Processes in PKI system
Key generation Key management Certificate generation Certificate management, and also outside of CA system Export interfaces for key and certificate usage Possibility of third party software operation over the PKI

13 Functions of PKI single modules
What such modules are: Key and certificate management Electronic signature as inevitable module executable module operating over the PKI Certification Authority TSA

14 Cryptographic Message Standard, RFC 2630
Electronically signed data – what to do with it ? header SignedData ::= SEQUENCE { version CMSVersion, digestAlgorithms DigestAlgorithmIdentifiers, encapContentInfo EncapsulatedContentInfo, certificates [0] IMPLICIT CertificateSet OPTIONAL, crls [1] IMPLICIT CertificateRevocationLists OPTIONAL, signerInfos SignerInfos } data Certs, CRLs signatures compact format for signature (signatures) and data itself separated signature (extra signature), where the data are stored separately certificate and/or CRL wrapping either separately or with signatures

15 Signer Info & Trustful signature time
SignerInfo ::= SEQUENCE { version CMSVersion, sid SignerIdentifier, digestAlgorithm DigestAlgorithmIdentifier, signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL, signatureAlgorithm SignatureAlgorithmIdentifier, signature SignatureValue, unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL } Signer Identifier Signed Attributes TimeStamp Signature Unsigned Attributes Time Stamp & Signature

16 Data in electronic envelope
EnvelopedData ::= SEQUENCE { version CMSVersion, originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, recipientInfos RecipientInfos, encryptedContentInfo EncryptedContentInfo, unprotectedAttrs [1] IMPLICIT UnprotectedAttributes OPTIONAL } RecipientInfo ::= SEQUENCE { version Version, issuerAndSerialNumber IssuerAndSerialNumber, keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, encryptedKey EncryptedKey }

17 S/MIME Package Redundancy ?
MIME encoding signature CMS Signed data MIME encoding encryption CMS Enveloped data send Or ? signature CMS Signed data encryption CMS Enveloped data send

18 Key, certificate … Key pair generation, algorithms, key length
Request, selfsigned certificates Hw storages – tokens, smart cards Key backup - tokens Signing request, revocate certificate Certificate share, LDAP, web, ..

19 Certification Authority
SQL DB Name Server LDAP Root CA Locality A On-line CA with hw. Engine (Luna,..) LUNA HTTPS CA core RA (RAO) WEB browser RA (RAO) WEB browser RA (RAO) WEB browser Locality B Locality D Locality C

20 Time Stamp Authority RFC 3161, ETSI TS 101 861

21 SDK- Software Development Kit
Client – server technology Digital signature Cert. requests Data encryption Signing CRL,Cert Time Stamp TSA File, DB storages for CRL,Certs, Keys SSL,… USB tokens Smart Cards Objects providers MS storages, … LDAP client/server support Objects exchanger, ..

22 Real Application IS implementation SDK colaboration OS integration
Obtain key pair lResult = pki_Init(&pki_ses, NULL); if(lResult != RET_OK) { printf("Failed to initialize PKI session EC:%d\n", lResult); } else { lResult = pki_InitBucket(pki_ses, &pki_col); printf("Failed to initialize PKI bucket EC:%d\n", lResult); // verify digitally signed file lResult = pki_CBDecryptSgn(pki_ses, pki_col, g_pszSignedFile, g_pszGatheredFile, NUL Managing PKI 3rd party sw RA & CA IS implementation

23 Thank you for your attention

Download ppt "Advantages of modular PKI"

Similar presentations

Ads by Google