Presentation is loading. Please wait.

Presentation is loading. Please wait.

Use of Public-Key Infrastructure (PKI) Erik Andersen Association for the Directory Information and Related Search Industry (EIDQ -

Similar presentations


Presentation on theme: "Use of Public-Key Infrastructure (PKI) Erik Andersen Association for the Directory Information and Related Search Industry (EIDQ -"— Presentation transcript:

1 Use of Public-Key Infrastructure (PKI) Erik Andersen Association for the Directory Information and Related Search Industry (EIDQ - ) Andersen's L-Service consultancy Rapporteur for Directory services, Directory systems, and public- key/attribute certificates Geneva, 6-7 December 2010Addressing security challenges on a global scale1

2 Geneva, 6-7 December 2010 Addressing security challenges on a global scale 2 Where it all starts

3 What to cover Introduction to basic PKI principles Use of PKI within Identity Management Use of PKI for IP Security (IPSec) Use of PKI for RFID identification Use of PKI within cloud computing Geneva, 6-7 December 2010 Addressing security challenges on a global scale 3

4 Public-key Certificates A public-key certificate provides the binding between a name and a public key for a user for a given period and is issued and confirmed by a Certification Authority (CA). Public-key certificate Name of user Public key Signed by Certification Authority (CA) The public-key certificate is the basic concept for public-key infrastructure (PKI).

5 Can I trust a certificate? A certificate may have expired The corresponding private key may be compromised The CA policy for issuing certificates may not be satisfactory A certificate my be a forgery as the CA's private key may be compromised Etc. Geneva, 6-7 December 2010 Addressing security challenges on a global scale 5

6 Public-Key Infrastructure (PKI) PKI is an infrastructure for checking the validity or quality of a presented public-key certificate A PKI consists of a number of interworking components Somewhere there must be a trust anchor Geneva, 6-7 December 2010 Addressing security challenges on a global scale 6 Security is about Trust!

7 Relationship with IdM (Identity proofing) Geneva, 6-7 December 2010Addressing security challenges on a global scale7 Name of user Public key Pointer to policy Name to be verified by the Certification Authority or Registration Authority Uniqueness Proof of identity Legal right to name Level of verification depending on use of certificate Part of Identity Management (IdM) Guidelines provided by ITU-T SG 17 IdM group CA Browser Forum ETSI ESI activity Rules may be expressed in a Certificate Policy document Public-key certificate

8 IP Security (IPsec) Specified in RFC 4301 Provides end-to-end protection for all applications using this end-to-end connection Uses shared cryptographic keys for authentication, integrity, and confidentiality of data Uses Internet Key Exchange (IKE) for establishing shared keys (security association) - RFC 5996 Diffie-Hellman key exchange is used by IKE for that purpose (RFC 3526) Geneva, 6-7 December 2010 Addressing security challenges on a global scale 8

9 Problem using Internet Key Exchange without PKI Geneva, 6-7 December 2010Addressing security challenges on a global scale Diffie-Hellman key exchange AliceBob AliceBobMan-in-the-middle Diffie-Hellman key exchange Diffie-Hellman key exchange

10 Using Internet Key Exchange with PKI Geneva, 6-7 December 2010Addressing security challenges on a global scale10 Diffie-Hellman key exchange using digital signature and optionally certificate information AliceBob A man-in-the-middle will be detected!

11 Radio-Frequency Identification - Geneva, 6-7 December 2010Addressing security challenges on a global scale11 Directory infrastructure RFID tag RFID reader Client system The RFID tag contains information, including a unique identity The unique identity is used access information associated with the tag

12 Protecting RFID information Geneva, 6-7 December 2010Addressing security challenges on a global scale12 Pharmaceutical drugs from Counterfeit Drugs Inc. RFID tag says: Pharmaceutical drugs from Roche Ltd. RFID tag Unique identity Information Signature over essential information Signature produced by private key of vendor (tag creator) Signature not produced using Roches private key Signature checked using Rotchs public key Signature check fails

13 Radio-Frequency Identification (RFID) Geneva, 6-7 December 2010Addressing security challenges on a global scale13 Directory infrastructure RFID tag RFID reader Client system Identifier Signed Info Search using identifier as search criterion Certificate information Other Information

14 Authentication and authority for Cloud Computing Geneva, 6-7 December 2010Addressing security challenges on a global scale14 Name of user Public key Privileges Generally of importance Check of identity Check of privileges Even of greater importance for Cloud Computing A Public-key certificate may contain privilege information Alternatively, an attribute certificate may be used Public-key certificate Privileges Attribute certificate

15 Identity and privilege issues for hybrid clouds Geneva, 6-7 December 2010Addressing security challenges on a global scale15 Private Cloud Public Cloud Hybrid Cloud Cloud Clouds with multiple service providers/hybrid clouds: Different privileges different identities danger of complex key management

16 Authentication and authority for Cloud Computing ITU-T Study Group 17, Question 11 has the issue on its to-do list It has relationship with Identity Management One solution may be use of attribute certificates Attribute certificate: Used for assigning privileges to user Points to user, e.g., by pointer to user's public-key certificate Geneva, 6-7 December 2010 Addressing security challenges on a global scale 16

17 Geneva, 6-7 December 2010Addressing security challenges on a global scale17 END


Download ppt "Use of Public-Key Infrastructure (PKI) Erik Andersen Association for the Directory Information and Related Search Industry (EIDQ -"

Similar presentations


Ads by Google