CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.

Slides:



Advertisements
Similar presentations
DIGITAL CERTIFICATES Prof. Ravi Sandhu. 2 © Ravi Sandhu PUBLIC-KEY CERTIFICATES reliable distribution of public-keys public-key encryption sender needs.
Advertisements

PKI Introduction Ravi Sandhu 2 © Ravi Sandhu 2002 CRYPTOGRAPHIC TECHNOLOGY PROS AND CONS SECRET KEY SYMMETRIC KEY Faster Not scalable No digital signatures.
Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Cryptography and Network Security Chapter 14
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
COEN 350 Public Key Infrastructure. PKI Task: Securely distribute public keys. Certificates. Repository for retrieving certificates. Method for revoking.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Public Key Management and X.509 Certificates
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Computer Science Public Key Management Lecture 5.
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Public Key Cryptography July Topics  Symmetric and Asymmetric Cryptography  Public Key Cryptography  Digital Signatures  Digital Certificates.
1 Lecture 11 Public Key Infrastructure (PKI) CIS CIS 5357 Network Security.
ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
Information Security Fundamentals Major Information Security Problems and Solutions Department of Computer Science Southern Illinois University Edwardsville.
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
Unit 1: Protection and Security for Grid Computing Part 2
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.
IST E-infrastructure shared between Europe and Latin America ULAGrid Certification Authority Vanessa Hamar Universidad de Los.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
Certificate Requests to HIP Jani Pellikka 80 th IETF Mar 27 th – Apr 1 st 2011 Prague, Czech Republic.
X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.
Security CNS 4650 Fall 2004 Rev. 2 SSL, SASL, PKI.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Network Security Lecture 25 Presented by: Dr. Munam Ali Shah.
PKI Future Directions 29 November 2001 Russ Housley RSA Laboratories CS – Class of 1981.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Cryptography and Network Security Chapter 14
ECE Prof. John A. Copeland fax Office: GCATT Bldg.
1 Certification Issue : how do we confidently know the public key of a given user? Authentication : a process for confirming or refuting a claim of identity.
1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.
April 20023CSG11 Electronic Commerce Authentication John Wordsworth Department of Computer Science The University of Reading Room.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
GRID-FR French CA Alice de Bignicourt.
or call for office visit, or call Kathy Cheek,
Cryptography and Network Security
Information Security message M one-way hash fingerprint f = H(M)
Authentication Applications
Information Security message M one-way hash fingerprint f = H(M)
Information Security message M one-way hash fingerprint f = H(M)
Combinations COURSE 3 LESSON 11-3
کاربرد گواهی الکترونیکی در سیستمهای کاربردی (امضای دیجیتال)
Message Security, User Authentication, and Key Management
زير ساخت كليد عمومي و گواهي هويت
Public-Key Certificates
Information Security message M one-way hash fingerprint f = H(M)
Digital Certificates and X.509
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
PKI (Public Key Infrastructure)
Presentation transcript:

CS5204 – Operating Systems 1 Authentication

CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered in transmission  came from owner of the private key How does a “relying party” know to whom the private key belongs?  Key Servers  Certificates

Authentication CS 5204 – Operating Systems3 Key Server “What is the public key of identity I?” “The public key of identity I is K.” The key server stores [identity, public key] pairs The key request can be in plaintext The key server reply is encrypted using the private key of the key server The public key of key server is known to the relying party The key server can be a point of attack or performance bottleneck The key server must be trustworthy Observations: the relying party only cares about the reply the reply can be precomputed and distributed

Authentication CS 5204 – Operating Systems4 Authentication using a Key Server Message 2 can be compromised to allow some other party to masquerade as Bob. Message 3 can be compromised to allow some other party to masquerade as Alice.

Authentication CS 5204 – Operating Systems5 Needham-Schroeder Protocol

Authentication CS 5204 – Operating Systems6 Certificates issuesstored in retrieved the certificate contains an (identity,public key) pair is signed with the private key of the CA the repository need not be trusted is read-only may be duplicated for performance the certificate can be “pushed” to the relying party

Authentication CS 5204 – Operating Systems7 Chain of Trust identity signed by presented identity certificate trusted CA (root CA, trust anchor) identity

Authentication CS 5204 – Operating Systems8 X.509 Certificate Format SERIAL NUMBER v1 or v2 or v3 C=US, S=VA, O=RSA Labs VERSION SIGNATURE ALGORITHM RSA with SHA-1 ISSUER VALIDITY 1/1/06 - 1/1/08 SUBJECT C=US, S=VA, O=RSA Labs CN=Russell Housley SUBJECT PUBLIC KEY INFO RSA, ISSUER UNIQUE ID ACBDEFGH SUBJECT UNIQUE ID RSTUVWXY EXTENSIONS SIGNATURE

Authentication CS 5204 – Operating Systems9 Example Certificate Certificate: Data: Version: 3 (0x2) Serial Number: (0x10bf74) Signature Algorithm: md5WithRSAEncryption Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=Client CA v1 Validity Not Before: Jul 31 14:07: GMT Not After : Jul 31 14:07: GMT Subject: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=Client CA v1, CN=Jeffrey I Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:cf:01:0a:e5:f1:3c:60:c1:f2:c1:ca:99:96:1d: 7d:39:97:8c:72:cf:e8:7c:51:a1:84:a4:5b:b8:b3: 3a:dc:dd:c5:99:76:cb:5d:b1:24:86:67:46:52:45: 69:09:fb:01:b0:dd:41:02:de:27:c2:b7:cd:b1:cd: 47:9a:ae:55:bb:83:cd:bd:c1:aa:2b:23:3d:85:06: e0:4a:6c:a8:af:b4:cb:64:ea:c9:33:f7:ef:a9:8f: d9:7a:20:68:a1:09:c4:4e:62:20:00:d1:fd:a5:7c: 14:90:48:79:a9:7d:ef:f5:46:b6:fb:4e:c5:fc:94: 8f:11:bf:1a:ef:7b:2d:06:ef Exponent: (0x10001) X509v3 extensions: X509v3 Key Usage: : 0....]/e.ii;....m......j....Nr....$wF..t...QZ... Signature Algorithm: md5WithRSAEncryption 30:4c:3b:a5:d8:11:e1:04:61:d2:39:ff:e1:74:c3:06:2f:3b: 52:59:9c:75:05:2e:31:cc:c3:99:5c:02:e5:67:bf:06:99:7f: c8:2a:5b:dd:bd:67:a5:a7:98:74:14:44:a7:db:76:19:9c:80: 0a:58:1d:53:35:d0:75:82:9d:2a:e7:12:53:3f:8b:60:cc:a3: c9:5b:dd:34:b6:a4:33:a9:a5:93:64:3e:50:0d:e4:ae:a8:5d: c9:8d:f9:96:68:22:cd:66:3d:eb:66:11:68:04:f6:3d:64:05: 62:64:01:41:af:23:f9:d2:a3:5b:be:e3:33:45:71:08:05:e2: 2a:6e

Authentication CS 5204 – Operating Systems10 Revocation Is a certificate still valid? Private key compromise CA compromise Affiliation changed Superseded CA ceased operation … Certificate Revocation List (CRL) provides a list of the unexpired certificates that should no longer be used

Authentication CS 5204 – Operating Systems11 CRL Format VERSION SIGNATURE ALGORITHM RSA with SHA-1 v1 or v2 C=US, S=VA, O=RSA Labs ISSUER LAST UPDATE 11/25/01 NEXT UPDATE 12/2/01 REVOKED CERTIFICATES CRL EXTENSIONS SIGNATURE SEQUENCE OF SERIAL NUMBER REVOCATION DATE 9/27/01 CRL ENTRY EXTENSIONS

Authentication CS 5204 – Operating Systems12 PKIX Architecture From: PKI Basics – A Technical Perspective (PKI Forum)

Authentication CS 5204 – Operating Systems13 PKIX Elements From: PKI Basics – A Technical Perspective (PKI Forum)

Authentication CS 5204 – Operating Systems14 Role of the CA Verifies certificate request information Generates and digitally signs the certificate Revokes certificate if information changes Revokes certificate if private key is disclosed Support certificate hierarchies Optional services  Key generation  Issue hardware token

Authentication CS 5204 – Operating Systems15 CA Topologies Hierarchy Mesh

Authentication CS 5204 – Operating Systems16 Cross Certification Hierarchy Mesh

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.