Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.

Published byHubert Dickerson Modified over 8 years ago

Similar presentations

Presentation on theme: "Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000."— Presentation transcript:

1 Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000

2 Outline u PKI refresher (e.g., public key cryptography, digital signatures, certificates) u Bridge certification architecture motivation –trust models –cross-certification u BCA pilot project –BCA itself –application issues and demo

3 PKI refresher u infrastructure that enables and supports a range of security services –confidentiality, authentication, integrity, non- repudiation u Symmetric key cryptography –same key used to encrypt and decrypt –problem: key sharing u Public key cryptography –public-private keys that are mathematically linked –~500 times slower than symmetric key cryptography –used for symmetric key exchange and digital signatures

4 Digital Signature example

5 Signed Email example u (show example of sending/receiving digitally signed email using Netscape Messenger) u (uses S/MIME)

6 Problem: relying party needs to verify a digital signature u To do this, needs to have an assured copy of the signer’s public key –signer’s identity must be assured –integrity of public key must be assured u Potential options for obtaining public keys –signer personally gives their public key to relying party –relying party obtains the desired public key by other “out of band” means that they trust, e.g., transitive relationships, signing parties, etc. u But, what about strangers? what about integrity of the public key?

7 Public Key (or Digital) Certificates u Purpose: validate both the integrity of a public key and the identity of the owner u How: bind identifying attributes to a public key (and therefore to the keyholder of the corresponding private key) u Binding is done (i.e., digitally signed) by a trusted third party (Certification Authority) u It is this third party's credibility that provides "trust"

8 X.509 v3 Certificates u Subject’s/owner’s identifying info (e.g., name) u Subject’s/owner’s public key u Validity dates (not before, not after) u Serial number u Level of assurance u Issuer’s (CA’s) name and signature u Extensions

9 Distribution of Certificates u since certs carry public info and are integrity- protected, they can be distributed and shared by any and all means, e.g., –distribute via floppies or other removable media –publish on web sites –distribute via email (e.g., S/MIME) –directory lookups (e.g., LDAP, X.500) u distribution via directories is the ultimate solution u however, many important applications and uses of digital signatures can be implemented without the implementation or use of sophisticated directories

10 Trust Domain u Relying party needs to determine whether to trust the certificate before using the public key it contains to verify the original signature –validity dates, revocation lists, policy constraints –verify the cert’s signature, trust the CA? u Trust domain is defined by the root (or self- signed) certificates that the relying party knows and trusts (for reasons outside of PKI) u Very Important: Root certificates are not integrity-protected since they are self-signed

11 CA 1  EE A CA 1  CA 1 Simple Hierarchical Trust Relying Party Signed doc and CA 1  EE A e.g., email or web form application Trust Domain 1) path construction CA 1  EE A CA 1  CA 1 2) path validation 3) signature verification

12 Trust Domain Expansion u Hierarchical CA’s CA 1  CA 1 CA 1  CA 2 CA 1  CA 3 CA 2  CA 4 CA 2  CA 5 CA 5  CA 6 CA 5  EE 1 CA 2  CA 5 CA 1  CA 2 Note: relying party follows issuer chain to verify cert of EE 2 CA 5  EE 1 CA 1  CA 1  trusted ( Governor ) (UVa) (SoED) (tms) (Darden) (DGIF)

13 Trust Domain Expansion u Hierarchical CA’s CA 1  CA 1 CA 1  CA 2 CA 1  CA 3 CA 2  CA 4 CA 2  CA 5 CA 5  CA 6 CA 5  EE 1 Note: if CA 1 ’s private key is compromised, the entire hierarchy collapses CA A  CA A CA Z  CA Z CA C  CA C CA B  CA B... u Multiple root certificates –disservice of Microsoft and Netscape

14 Trust Domain Expansion (cont’d) u Cross certification –two CA’s issue certificates to each other (a cross- certificate pair), i.e., sign each other’s public keys CA A  CA A... CA B  CA B... CA A  CA B CA B  CA A CA B  EE 1 –N 2 problem if N CA’s want to cross-certify with each other

15 Bridge Certification Architecture u addresses the N 2 problem by providing a central cross-certification hub for a group of CA’s who wish to interoperate u each CA does one cross-certification with the bridge CA CA bridge  CA 5 CA 1  CA bridge u Certificate path processing (construction & validation) CA 5  EE 2 CA 1  CA 1  trusted

16 BCA Pilot Implementation u OpenSSL (www.openssl.org) and OpenCA (www.openca.org) open source software running on Red Hat Linux u Bridge is booted only to create cross certificates; remains turned off in secure location most of the time u Cross certificates stored in LDAP directories (using crossCertificatePair attribute) and/or stored with relying parties

17 Example application u Yuji Shinozaki is developing an example application (digitally signed web forms) to illustrate use of BCA u chose server-based app instead of email –current relying party software can only verify hierarchical trust relationships u as part of federal bridge project, Cygnacom developed Certificate Path Library (CPL) that handles general trust relationships u use CPL to help verify digitally-signed web forms in a cross-certification environment

18 Example application u http://atg2000.itc.virginia.edu/signme/signme2.cgi

Download ppt "Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000."

Similar presentations

© 1998-2003 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.

© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
SMUCSE 5349/7349 Public-Key Infrastructure (PKI).

SMUCSE 5349/7349 Public-Key Infrastructure (PKI).
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Similar presentations

Ads by Google