Download presentation

Presentation is loading. Please wait.

1
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl

2
November 1, 2006Sarah Wahl / Graduate Student UCCS2 What is PKI? An arrangement that provides for trusted third party vetting of, and vouching for, user identities PKI consists of client software, server software such as a certificate authority, hardware (e.g., smart cards) and operational procedures

3
November 1, 2006Sarah Wahl / Graduate Student UCCS3 Public Key… Public key encryption — keeping a message secret from anyone that does not possess a specific private key. Public key digital signature — allowing anyone to verify that a message was created with a specific private key. Key agreement — generally, allowing two parties that may not initially share a secret key to agree on one.

4
November 1, 2006Sarah Wahl / Graduate Student UCCS4 Public Key Encryption On a high level, a user signs his message with his private key, and when the message gets to the other side the end user decrypts the message using the public key, which is published by the Certificate Authority.

5
November 1, 2006Sarah Wahl / Graduate Student UCCS5 Keys

6
November 1, 2006Sarah Wahl / Graduate Student UCCS6 Keys Continued Like a mail slot. Anyone can put a message in the slot, but only owner can access the messages. Public Key The published key. (Where the mail slot is located) Private Key The secret key (The owner’s key that can unlock the mail slot)

7
November 1, 2006Sarah Wahl / Graduate Student UCCS7 Identity Certificates A certificate which uses a digital signature to bind together a public key with an identity Identity being information on the user- name, organization etc.

8
November 1, 2006Sarah Wahl / Graduate Student UCCS8 Certificate Authorities Verify an applicant's credentials, so that users (relying parties) can trust the information in the CA's certificates This is essential to the PKI scheme, if the CA is compromised then their signed certificates can’t be trusted.

9
November 1, 2006Sarah Wahl / Graduate Student UCCS9 Certificate Authorities Cont. It is not always possible to reach back to the original Certificate Authority. Key Chain, or Certificate Authority Chain. Allows a user to get a certificate from another source. Certificate Authority delegates authority to others.

10
November 1, 2006Sarah Wahl / Graduate Student UCCS10 Certificates Self-Signed Certificate signed by certificate’s author Root Certificate an unsigned public key certificate Authorization Certificates (also known as an attribute certificate) digitally written permission from the issuer to use a service or a resource that the issuer controls or has access to use

11
November 1, 2006Sarah Wahl / Graduate Student UCCS11 Classes of Certificates Class 1 for individuals, intended for email Class 2 for organizations, for which proof of identity is required Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority (CA).

12
November 1, 2006Sarah Wahl / Graduate Student UCCS12 Digital Signatures Can be used as a broad term encompassing message authentication codes, file integrity hashes and digital pen pad devices. For this discussion a digital signatures is a term to mean cryptographically based signature assurance scheme Used like a notary endorsement

13
November 1, 2006Sarah Wahl / Graduate Student UCCS13 Is it a Valid Certificate? Check the certificate revocation list (CRL) This is a list of certificates that are no longer valid. This list is published by 3rd parties (CA).

14
November 1, 2006Sarah Wahl / Graduate Student UCCS14 OCSP Online Certificate Status Protocol An Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 2560 and is on the Internet standards track. It was created as an alternative to CRLs

15
November 1, 2006Sarah Wahl / Graduate Student UCCS15 X.509 Certificate A certificate typically includes: The public key being signed. A name, which can refer to a person, a computer or an organization. A validity period. The location (URL) of a revocation center. The digital signature of the certificate, produced by the CA's private key.

16
November 1, 2006Sarah Wahl / Graduate Student UCCS16 The Future of PKI: ECC First, the fact that the security and practicality of a given asymmetric cryptosystems relies upon the difference in difficulty between doing a given operation and its inverse.

17
November 1, 2006Sarah Wahl / Graduate Student UCCS17 Elliptical Curve Cryptography Second, the fact that the difference in difficulty between the forward and the inverse operation in a given system is a function of the key length in use, due to the fact that the difficulty of the forward and the inverse operations increase as very different functions of the key length; the inverse operations get harder faster.

18
November 1, 2006Sarah Wahl / Graduate Student UCCS18 ECC Continued Third, the fact that as you are forced to use longer key lengths to adjust to the greater processing power now available to attack the cryptosystem, even the 'legitimate' forward operations get harder, and require greater resources (chip space and/or processor time), though by a lesser degree than do the inverse operations.

19
November 1, 2006Sarah Wahl / Graduate Student UCCS19 Comparison of Algorithms The difficulty of the forward and inverse operations is at the centre of asymmetric schemes. RSA, it's integer multiplication (forward) and factorization (inverse) Diffie Hellman it's discrete exponentiation (forward) and log (inverse). ECC it's point multiplication (forward) and the elliptic curve discrete logarithm problem (inverse).

20
November 1, 2006Sarah Wahl / Graduate Student UCCS20 Key Sizes

21
November 1, 2006Sarah Wahl / Graduate Student UCCS21 ECDSA vs. RSA (ms)

22
November 1, 2006Sarah Wahl / Graduate Student UCCS22 How ECC Works The way that the elliptic curve operations are defined is what gives ECC its higher security at smaller key sizes. An elliptic curve is defined in a standard, two dimensional x,y Cartesian coordinate system by an equation of the form: y 2 = x 3 + ax + b

23
November 1, 2006Sarah Wahl / Graduate Student UCCS23 Elliptical Curve Example

24
November 1, 2006Sarah Wahl / Graduate Student UCCS24 How ECC Works Continued Point multiplication is simply calculating kP, where k is an integer and P is a point on the elliptic curve defined in the prime field. This is the operation which is the key to the use of elliptic curves for asymmetric cryptography — the critical operation which is itself fairly simple, but whose inverse is very difficult.

25
November 1, 2006Sarah Wahl / Graduate Student UCCS25 The dominant operation in ECC cryptographic schemes is point multiplication.

26
November 1, 2006Sarah Wahl / Graduate Student UCCS26 Why Use ECC? It’s More Secure! It’s Much Faster!!

27
November 1, 2006Sarah Wahl / Graduate Student UCCS27 Conclusion PKI is an ever changing infrastructure. There are new software algorithms being developed. Different methods for interacting with the Certificate Authority.

28
November 1, 2006Sarah Wahl / Graduate Student UCCS28 Questions Any Questions or Comments?

29
November 1, 2006Sarah Wahl / Graduate Student UCCS29 Resources http://en.wikipedia.org/wiki/Public_key_infrastru cture http://www.deviceforge.com/articles/AT4234154 468.html http://csrc.nist.gov/pki http://homes.esat.kuleuven.be/~fvercaut/talks/H ECC.pdf

Similar presentations

© 2019 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google