Presentation is loading. Please wait.

Presentation is loading. Please wait.

(n)Code Solutions CABasics of PKI 1 Introduction to PKI (n)Code Solutions A division of GNFC.

Similar presentations


Presentation on theme: "(n)Code Solutions CABasics of PKI 1 Introduction to PKI (n)Code Solutions A division of GNFC."— Presentation transcript:

1 (n)Code Solutions CABasics of PKI 1 Introduction to PKI (n)Code Solutions A division of GNFC

2 (n)Code Solutions CABasics of PKI 2 Introduction to PKI At the end of this presentation, you will know: How to achieve secure communications in a public network, including: Cryptography - Public / Private Keys Digital Certificates Certification Authority Public Key Infrastructure (PKI)

3 (n)Code Solutions CABasics of PKI 3 How do I achieve secure communications in a public network? We use the Internet to... –Send –Make purchases –Distribute software –Inventory control & order entry But we have some concerns - How do we... –Know a person is who they claim to be? –Know I’m connected to an authentic merchant? –Protect the privacy of my communications? –Know if information has been tampered with? –Prove later that someone sent me the message?

4 (n)Code Solutions CABasics of PKI 4 Four Security Needs for Network Communications ? Claims Not Sent Not Received Privacy / Confidentiality Integrity AuthenticationNon-repudiation InterceptionModification Fabrication Is my communication private? Has my communication been altered? Who am I dealing with? Who sent/received it and when?

5 (n)Code Solutions CABasics of PKI 5 How do we solve the 4 Security Needs? Cryptography Secret Key Public Key Specialized uses of cryptography: Digital Signature Digital Certificates SecretPublic Digital Certificate

6 (n)Code Solutions CABasics of PKI 6 Secret Key Cryptography Cryptography involves: –encryption –decryption Secret Key cryptography: Data is encrypted & decrypted using the same Secret Key Also known as “Symmetric Key” DES is an example of a secret key algorithm Secret Secret Key algorithm Original Document Original Document Encrypted Document Encrypted Document Secret Secret Key algorithm

7 (n)Code Solutions CABasics of PKI 7 Secret Key Cryptography It’s fast, but... How do I get my secret key to my recipient? Do I have a different secret key for everyone with whom I communicate? INTERNET – If one key is compromised, all copies of that key must be replaced – Does not scale well

8 (n)Code Solutions CABasics of PKI 8 Two keys = key pair Mathematically related, but not identical, public & private key pairs Public Keys are widely distributed Private Keys are held securely by owners Data encrypted with one key can be decrypted only with the other key of the pair a.k.a. “Asymmetric Key” RSA is an example of a public key algorithm Public Key algorithm Original Document Original Document Encrypted Document Encrypted Document Private Public Key algorithm Public Key Cryptography Public

9 (n)Code Solutions CABasics of PKI 9 Public Key Cryptography It’s slower, but... I don’t have to distribute a secret key because I have my Private Key Everyone with whom I communicate can know my Public Key INTERNET – There’s only one copy of the Private Key – Scales well

10 (n)Code Solutions CABasics of PKI 10 Digital Signature Everyone has a Signature Key Pair 1) A provides copy of Public Key to B 2) A signs information using Private Key 3) B verifies signature using A ’s Public Key Public Key Signed Data Public Key A B Private Key signs data Public Key verifies signature on data Public Key may be sent with the signed data (either method) Public Network or Directory

11 (n)Code Solutions CABasics of PKI 11 A Closer Look at Digital Signature Digital Signature: Electronic (digital) stamp appended to data before sending The result of encrypting the Hash of the data to be sent on the network Any change (to data or signature) will cause the signature verification to fail Hash - or Digest: Speeds up the signing (encrypting) process One-way conversion of the data to a fixed length field that uniquely represents the original data So, using a diagram... Data with electronic stamp

12 (n)Code Solutions CABasics of PKI 12 Electronic Data Digital Signature Electronic Data Hash Function Signing Function Hash Result Private of A Signed Data Digital Signing of the Data Only Private Key holder can sign

13 (n)Code Solutions CABasics of PKI 13 Anyone can verify Electronic Data Hash Function Hash Result Valid compare Yes / No ? Signed Data Verify Function Hash Result Digital Signature Public of A Digital Signature Verification So the receiver can compare hashes to verify the signature

14 (n)Code Solutions CABasics of PKI 14 Security Solutions Some security mechanisms: Secret Key encryption Public Key encryption Digital signature — Hashing How can these security mechanisms solve the four communications security needs? Confidentiality Integrity Authentication Non-repudiation

15 (n)Code Solutions CABasics of PKI 15 My Signature & Date Confidentiality Integrity Authentication Non-Repudiation Digital Signature Encryption: Secret key Public key Digital Signature ??? Solving the 4 Security Needs

16 (n)Code Solutions CABasics of PKI 16 Authentication Identification: How you tell someone who you are Authentication: How you prove to someone you are who you say you are

17 (n)Code Solutions CABasics of PKI 17 How Do I Solve Authentication? Physical Solutions: Something you know –Password, combination to safe Something you have –Key, token, badge Something you are –Signature, iris pattern, fingerprint Electronic Solution: So, why does B trust A’s Public Key? Digital Certificates

18 (n)Code Solutions CABasics of PKI 18 Digital Certificates... Because a trusted third party has authenticated that the Public Key belongs to A : Certification Authority (CA) When A provides proof of identity, the Certification Authority creates a signed message containing A ’s name and public key: Digital Certificate Signed Message containing A’s Name & Public Key

19 (n)Code Solutions CABasics of PKI 19 Why trust a Digital Certificate? A Digital Certificate becomes a passport that proves your identity and authenticates you –A passport is issued by a trusted Government - when another Government sees it, they trust it A Digital Certificate issued by a trusted CA, again licensed by the government and can also be trusted

20 (n)Code Solutions CABasics of PKI 20 Certification Authority Certification Authority assumes the responsibility of authenticating Certificate identity information –Like a Government for passports CA authentication techniques: Check against existing records –Employee databases Examine typical identification –Passport, license Background check –Government databases CA authenticates, issues & manages Certificates

21 (n)Code Solutions CABasics of PKI 21 Certification Hierarchy Issuer=CCA Subject=India PKI Issuer=MTNL Subject=MTNL Issuer=(n)Code Subject=GNFC Issuer=(n)Code Subject=Powergrid Employee Issuer=TCS Subject=TCS India Issuer=TCS Subject=TATA Employee Issuer=MTNL Subject=Subscriber X.509 standard is the general model for certification hierarchy If you trust the CA that signed the certificate, you can trust the certificate Root SubCA EE

22 (n)Code Solutions CABasics of PKI 22 Certification Hierarchy Issuer=CCA Subject=India PKI Issuer=MTNL Subject=MTNL Issuer=(n)Code Subject=GNFC Issuer=(n)Code Subject=Powergrid Employee Issuer=TCS Subject=TCS India Issuer=TCS Subject=TATA Employee Issuer=MTNL Subject=Subscriber Root SubCA EE CCA (n)Code TCS CCA (n)Code CCA MTNL Each End Entity has a browser that stores all appropriate certificates

23 (n)Code Solutions CABasics of PKI 23 Information Checkpoint My Signature & Date ConfidentialityIntegrity AuthenticationNon-Repudiation Digital Signature Encryption: Secret key Public key How do we solve the 4 security needs? Digital SignatureDigital Certificates

24 (n)Code Solutions CABasics of PKI 24 So... What is PKI? Public Key Infrastructure (PKI) is the hardware, software, people, policies, & procedures needed to create, manage, store, distribute, & revoke certificates –Required to support the use of Public Key cryptography methods for network security

25 (n)Code Solutions CABasics of PKI 25 Certificate Holder Registration Authority Relying Party Application Web Server Internet PKI Components A Public Key Infrastructure consists of: Certification Authorities (CAs) (Issuers) Registration Authorities (RAs) (Authorize the binding between Public Key & Certificate Holder) Certificate Holders (Subjects) Relying Parties (Validate signatures & certificate paths) Repositories (Store & distribute certificates & status: expired, revoked, etc.) Repository Certification Authority

26 (n)Code Solutions CABasics of PKI 26 PKI Components = Functions The five components of a PKI are functional roles: Certification Authority Certificate Holder Registration Authority Relying Party Repository A single entity, such as (n)Code, could perform one or more of these roles: For example: When an (n)Code employee applies for a certificate, the CA approves, issues, and uses the certificate, and also copies it to an internal directory

27 (n)Code Solutions CABasics of PKI 27 Certification Authority Receives & processes certificate requests Consults with a Registration Authority to determine whether to accept or decline a certificate request Issues or denies the certificate to the requestor Renews certificates Manages Certificate Revocation Lists Provides on-line status to certificates Provides backup service, telephone support, and archival storage for certificates Provides trustworthy security infrastructure, policies for secure operations, and audit information for the CA

28 (n)Code Solutions CABasics of PKI 28 Certificate Holder Registration Authority Relying Party Application Web Server Internet 1. User accesses Enrollment page via Browser 2. Enrollment Request stored for approval 3. Enrollment request approved or rejected 4. Certificate Issued and available for retrieval 5. User downloads Certificate 6. Certificate sent to a Repository Certification Authority Repository 5 How does (n)Code Solutions issue a Certificate? 6

29 (n)Code Solutions CABasics of PKI 29 Status & Future Directions of PKI Certificate-enabled third-party products: Microsoft, Netscape, Oracle, Gemplus, Datakey CA Products offered by Entrust, Computer Associates, Baltimore Technologies CA Hosting Services offered by a number of companies, notably Entrust and Verisign New technology - earliest systems released in 1996

30 (n)Code Solutions CABasics of PKI 30 Status & Future Directions of PKI Digital certificates have become the standard for achieving secure communications in a public network TOMORROW Network-based usage: firewalls, telecommunications device controllers TODAY PC-based usage: , SSL, access control applications (home banking)

31 (n)Code Solutions CABasics of PKI 31 Ways to Use Digital Certificates Where can you go?

32 (n)Code Solutions CABasics of PKI 32 Where can you use PKI ? Web’s HTTP and other protocols (SSL) VPN (PPTP, IPSec, L2TP…) (S/MIME, PGP, Exchange KMS) File Signing (MS Office, Acrobat files, etc.) Web Services / Form Signing Smartcards (Certificates, private key store ) Executables (.NET Assemblies, Drivers, Authenticode) Copyright protection (Code Signing)

33 (n)Code Solutions CABasics of PKI 33 Personal Authentication Server/Client Authentication Secure Electronic Transaction Which Certificate performs each task? Task X.509 Certificate Type SET S/MIME SSL Browser Netscape Microsoft IPSec Virtual Private Networks

34 (n)Code Solutions CABasics of PKI 34    Enterprise Access e-Commerce Netscape Microsoft Netscape Web Services, Form Signing Personal Authentication Web Server Authentication Application Access Control Secure Purchasing, Payments, Authorization A Closer Look at Applications  SSL  Access Control  SET

35 (n)Code Solutions CABasics of PKI 35 Using Digital Certificates for Web-server & Personal Authentication Secure Socket Layer (SSL) is a protocol used to create a secure communication session between a client application (browser) and a server application (web server) over a TCP/IP network Secret Session Key is a Secret Key used by A and B only for the duration of this communication session

36 (n)Code Solutions CABasics of PKI 36 A Connects to B {Exchanged Data} A uses B ’s public key to encrypt Secret Session Key B sends copy of its certificate to A, indicating that SSL 2.0 is enabled B uses its private key to decrypt Secret Session Key A and B use Secret Session Key to encrypt all data exchanged SSL 2.0 Protocol SSL 2.0 provides Web-server authentication Secure Web Server ( B )Browser ( A ) A verifies signature on B ’s certificate A generates Secret Session Key

37 (n)Code Solutions CABasics of PKI 37 A Connects to B A verifies signature on B ’s certificate A generates Secret Session Key A uses B ’s public key to encrypt Secret Session Key Browser asks A to select a certificate to access B B sends copy of its certificate to A, indicating that SSL 3.0 is enabled with client authentication B verifies signature on A ’s certificate B uses its private key to decrypt Secret Session Key A and B use Secret Session Key to encrypt all data exchanged SSL 3.0 Protocol SSL 3.0 adds personal client authentication Browser ( A )Secure Web Server ( B ) {Exchanged Data} A sends encrypted Secret Session Key & A ’s certificate to B

38 (n)Code Solutions CABasics of PKI 38 ACCESS Using Digital Certificates for Access Control Access control to data, networks, services –Personal records (medical, employment) –Trusted method for transmitting ‘privileges’ over networks After verifying the signature, information inside the certificate can be checked to provide access control: Allow Organization = PowerGrid Allow Organization Unit = Human Resources Deny User State = Tamil Nadu An application enforcing these rules will allow access to an individual from Powergrid’s Human Resources Department as long as that person is not based in Tamil Nadu.

39 (n)Code Solutions CABasics of PKI 39 Secret Session Key Private of A Secret Key Algorithm Session Key Encrypted + Message Encrypted Hash resul t Digital Signature Signed Data Session Key Encrypted + Message Encrypted Public of B Confidentiality is achieved by encrypting the data with Receiver’s Public Key Message ______ _______ CA has issued and Authenticated a Digital Certificate to Users A & B Public Key Encrypt Function Hash Function Signing Function Typical Send Scenario

40 (n)Code Solutions CABasics of PKI 40 Private of B Hash resul t Secret Session Key Message Encrypted Public of A Hash resul t Verification will fail if any changes to the data or signature are detected - Integrity Verification with public key shows who signed the data (sender can’t deny) - Non-repudiation Message ______ _______ Digital Signature Signed Data Session Key Encrypted + Message Encrypted Secret Key Algorithm Public Key Encrypt Function Hash Function Verify Function Typical Receive Scenario

41 (n)Code Solutions CABasics of PKI 41 Applications for PKI GNFC has the following applications already developed on a pilot basis and can be deployed with customization as required by the client –e-Filing / Form Signing –e-Billing –e-Tendering / e-Procurement –SignIT

42 (n)Code Solutions CABasics of PKI 42 e-Filing / Form Signing Web based application for submission of digitally signed forms Can be used to manage online client interaction for –Online application –Grievance handling –Information sharing –Online payment Can seamlessly integrate with any existing application if required Can be used very effectively in G2B and G2C interactions or any type of consumer interactions

43 (n)Code Solutions CABasics of PKI 43 e-Billing PKI enabled web based application Online bill presentation and payment application A customer can use this application to digitally sign bills and present to their customers online or send digitally signed bills to such customers The customer can verify the digital signature for authenticity and integrity of the bill The customer can also choose to pay online

44 (n)Code Solutions CABasics of PKI 44 e-Tendering / e-Procurement PKI enabled web based application for end-to-end procurement management. Can manage the entire procurement cycle from raising an internal indent to placing the order Any company can realize a substantial saving in processing time and operational costs like printing, logistics and paper flow management Can bring transparency to the procurement process A multitude of MIS reports can be generated from this applications

45 (n)Code Solutions CABasics of PKI 45 SignIT PKI enabled web based application that helps in delivering digitally signed documents or forms to clients online as well as by . Many customer services can be automated with this application A customer need not install any application or hardware as this is a web based application

46 (n)Code Solutions CABasics of PKI 46 Thank You.


Download ppt "(n)Code Solutions CABasics of PKI 1 Introduction to PKI (n)Code Solutions A division of GNFC."

Similar presentations


Ads by Google