Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Topics Understanding the technology –Cryptography, Digital Signatures, Third Party Trust, and Public Key Certificates. Public Key Infrastructure –Definitions, Components, Infrastructure, Processes, and Issues. Western’s PKI
Cryptography Methods 2 Types of Cryptography being used. –Symmetric Key (shared secret) Cryptography –Public Key Cryptography Each has a role in a Public Key Infrastructure.
Symmetric Key Cryptography 1 Key known by both parties (shared) A message encrypted by the key can only be decrypted using the same key. Issue: Hard to share the key securely. HelloIjfd82*7dfHello
Public Key Cryptography 2 keys generated. 1 private, 1 public. A message encrypted by 1 key can only be decrypted by the other. Public keys are stored in a public repository and are freely available. Private keys are stored on local system protected by a password. Never transmitted over the network. Hello9klfms83fHello ByeJf#f9j3f92Bye PrivatePublic
Public key Cryptography 2 way encrypted communication possible using 2 sets of public keys. Issue: Large resources required. Hello9klfms83fHello ByeJf#f9j3f92Bye Party A’s Public Party B’s Private Party A’s Private Party B’s Public Party A Party B
Their roles in PKI Public keys are used to securely transmit a symmetric session key. The symmetric key is used to setup secure encrypted communications. Party B’s Private Party B’s Public Party A Party B HelloIjfd82*7dfHello Step 1: Party A creates symmetric key and transmits it to Party B using their public key. Step 2: Secure communications setup using the symmetric key.
Digital Signature Private keys can be used to sign a document. The public key is used to decrypt the signature which verifies that the message came from the person who owns the private key. Issue: How does party B verify Party’s A Public Key. Party A’s Public Party A’s Private Party A Party B Hello Bob signed Jonny Hello Bob signed dfjlf9#fsi Hello Bob signed Jonny
Trusted Third Party A trusted third party is someone both communicating parties trusts. This party authenticates Party A using older style methods (ID Card) and verifies they own the private key. This party then uses its own private key to digitally sign party A’s public key. Since party B trusts the public key of the third party, when it decrypts the signature on party A’s Public key it can then trust A’s public key. Signed public keys can be used for authentication.
Public Key Certificate (PKC) A public key certificate is a document that: –Contains the public key of its owner. –Contains a set of attributes that identifies its owner –Is digitally signed by a trusted third party called a Certificate Authority (CA). –Has an life span (expiry date). Certificates are stored in public repositories. Used to authenticate, setup secure communications and trust a digital signature.
Public Key Infrastructure (PKI) Defined by the IETF PKIX Working Group as: “The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke public key certificates based on public key cryptography.”
PKI Component Definitions Certificate Authority (CA) : An authority trusted to create and assign public key certificates. Required to validate user information and verify they own the private key. Required to maintain CRLs. Registration Authority (RA) : An optional authority that can act on behalf of a CA to validate user information and verify they own the private key. Repository : A data base or directory used to store and distribute Public Key Certificates and CRLs. Certificate Revocation Lists (CRL) : A list of certificates that have been revoked due to their owners breaking one of the rules in the certificate policy or by having its private key compromised. Certificate Policy (CP) : A set of rules which indicates how a certificate is to be used by a community of users or set of applications. Certificate Practice Statement (CPS) : A set of guidelines a CA follows when issuing certificates.
Governed by Certificate Practice Statement. Governed by Certificate Policy. The Infrastructure Repository for PKCs and CRLs Certificate Authority Registration Authority User Application or Server Certificate and revocation list storage. Certificate and revocation list retrieval. Certificate requests Authentication and Secure communication Registration process
Certificate use. During setup of connection between a server and user: –Certificates are withdrawn from the repository for both parties. –Digital signatures are decrypted using the CA’s public key. –The Certificate revocation list for the signing CA is referenced to verify that the certificate has not been revoked. –If all passes then authentication of the server and user has been accomplished (i.e. each trusts that the private key is owned by the person identified in the certificate). Secure communications are then setup by the user generating a symmetric session key and transmitting it to the server using the servers public key to encrypt it. Once the server has decrypted the session key using its private key a secure socket is setup using the session key.
The Repository(LDAP) A Repository: –Requires an efficient directory capable of authentication, replication and redundancy –should be capable of storing more data than just certificates and must be capable of complicated searches LDAP provides all the requirements plus: –can use Public Keys during its authentication –is being integrated into many other technologies –Has a good set of standard APIs
Issues with PKI Certificate Revocation is still in its infancy. Trust –Do we trust the commercial CAs out there. Why do we trust them to authenticate information they are not the authority of. –How do we trust repositories. Non PKI security holes –How secure are clients, CAs, and repository systems from hackers and virus attacks. Are they physically secure. –How well guarded are private keys. Is the data in the certificate being check thoroughly. The idea of Non-Repudiation. Roaming Access (Smart Cards)
Western’s PKI Western currently has an agreement with Thawte Certification (owned by VeriSign) to provided signed certificates and be our Certificate Authority (CA). A representative of ITS acts as a Registration authority (RA) on behalf of Thawte Certification. Currently only Secure Socket Layer (SSL) certificates are in use to provide encrypted web communications (Authentication of web server only). Thawte offers other types of certificates but they have not been investigates for use at Western yet and may be cost prohibitive to use.
Western’s PKI Repository for PKCs and CRLs SSL Certificates are stored in the web server and distributed by the web server. CA: Thawte Certification RA: ITS Representative UWO web user. Web Server 5. User generates session key and transmits it to web server using public key. A secure socket is then setup. (SSL) 1.Web server admin generates and send a certificate request to Thawte. 4. Thawte signs certificate and returns it to the web server admin who loads it into web serer configuration. 2. Thawte asks ITS if request is good. 3. ITS Verifies request and say yes.