About PKI Key Stores Dartmouth College PKI Lab

Key Store Defined
– Protected “vault” that holds a user’s private key together with their copy of their X.509 certificate
– A function of the user’s client computer and software
– Should be locally password protected
– Should be encrypted and/or protected by specialized hardware
– May be provided by the OS or by individual application(s)
– May hold the only copy of a private key (if that key store is lost, anything encrypted to the certificate can no longer be decrypted)

Key Store Anatomy (first look before we launch into details)

Key Store Interfaces
– Microsoft Windows CAPI
– RSA PKCS#11 (the standard is now maintained by OASIS)
– Application specific

Browsers and Key Stores
– Browsers provide one of the most common ways to access key stores
– GUI for key generation and certificate enrollment
– Viewing and manipulating certificates and keys
– Import/export
– Mozilla/Netscape uses PKCS#11
– Internet Explorer/Windows uses CAPI

Key Store Types
– “Software”: keys encrypted in a file
– “Hardware”: keys stored on specialized hardware tokens

OS Key Stores
– CAPI: Microsoft Windows CryptoAPI
– “Keychain” from Apple
– Many Windows applications use CAPI; others have their own key store

“Software” Key Store
– Stores certificates and encrypted keys on the local computer’s file system
– The encryption key is derived from a password
– Relatively vulnerable to key theft (depending on implementation): anyone who can copy the file can guess passwords offline at their leisure, so the protection is only as strong as the password and the cost of the key derivation
– Requires exporting and importing to use the key on another computer or in a different key store on the same computer
– All PKI applications support this type of key store; for some it is the only type supported

“Hardware” Key Store
– Stores certificates and keys in special-purpose hardware (typically a USB token, or a smart card plus reader)
– Much higher assurance: the private key is normally generated on the token and cannot be exported from it, and it cannot be used without the user’s password (PIN); still not unbreakable
– Allows easy private key mobility between computers and applications
– Two-factor security (the token plus the password are needed to do anything) makes hardware key stores much more secure than software key stores
– Caveat: while the token is unlocked, malware running on the host can ask it to sign or decrypt with the key; the key cannot be copied off the token, but it can be misused on that machine for as long as the session stays open

PKCS#11
– Standard developed by RSA (now maintained by OASIS) to provide applications with a key store and PKI cryptographic functions
– Used by Mozilla (through its NSS library) on all OSes, even Windows
– Has a lower-level API for plugging in different implementations, which is what enables hardware tokens: the vendor ships a PKCS#11 module (a shared library) and the application loads it
– Open source implementations are available
– Similar to MS CAPI; unfortunately Microsoft opted not to support PKCS#11 natively, so Windows applications reach tokens through a CSP instead

Microsoft CAPI (AKA CryptoAPI)
– Microsoft Windows “standard” API for providing PKI functionality to applications
– Provides:
  – Key store function
  – Cryptographic operations using the key store and certificate
  – GUI for managing certificates and keys
  – Facilities to create, import, and export certificates and keys
– Cryptographic Service Provider (CSP) layer allows 3rd-party software, token, and smart card solutions
– Microsoft’s software key store CSP has some issues
– Note: from Windows Vista onward CAPI has been superseded by CNG (Cryptography API: Next Generation), where Key Storage Providers (KSPs) fill the role CSPs play here; CAPI remains available for compatibility

Key Store Anatomy (revisited now that we are familiar with the pieces)

Application Key Stores
– Some applications use neither CAPI nor PKCS#11
– Adds undesirable complexity
– Incompatible with hardware keys, since tokens expose themselves only through the PKCS#11 and CAPI/CSP interfaces
– Requires exporting and importing certificates/keys
– AOL AIM has its own key store

How PKI Uses Passwords
– Passwords protect local key stores
– Stored and managed locally by the user
– Never stored on servers (an important feature: passwords held on servers, or sent across a network, are more exposed; here the server only ever sees signatures and certificates, never the password)
– The user provides the password once to “unlock” their private key; all other operations use asymmetric (public key) cryptography
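The two slides above (the “software” key store and how its password is used) describe a file that holds the private key only in encrypted form, unlocked by a locally held password. The following Go program is an added example, not code from the Dartmouth PKI Lab or from any vendor’s key store: it implements that model with PBKDF2-HMAC-SHA256 for the password-to-key step and AES-256-GCM for the encryption. The store layout (salt, nonce, ciphertext), the iteration count, the function names SealKey/OpenKey and the sample passwords are all this example’s own assumptions.

```go
// Added example, not from the original slides: a minimal "software" key store in which
// the private key exists only encrypted under a key derived from the user's password.
// Layout and names are this example's own assumptions, not CAPI's or any vendor's.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen  = 16
	nonceLen = 12
	kdfIters = 100000 // assumed cost: slows offline guessing, unlock is still fast
)

var ErrBadPassword = errors.New("keystore: wrong password or tampered store")

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, spelled out to stay stdlib-only.
func pbkdf2SHA256(password, salt []byte, iters, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := uint32(1); len(dk) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iters; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

func newAEAD(password, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, kdfIters, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealKey encrypts a PKCS#8-marshalable private key. Layout: salt || nonce || GCM ciphertext.
func SealKey(priv any, password []byte) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(priv) // the secret being protected
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce per store
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	aead, err := newAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	out := append(make([]byte, 0, len(hdr)+len(der)+aead.Overhead()), hdr...)
	return aead.Seal(out, nonce, der, salt), nil // salt is bound in as extra data
}

// OpenKey is the "unlock" step: a wrong password or any edit fails the GCM tag check.
func OpenKey(store, password []byte) (any, error) {
	if len(store) < saltLen+nonceLen {
		return nil, ErrBadPassword
	}
	salt, nonce, ct := store[:saltLen], store[saltLen:saltLen+nonceLen], store[saltLen+nonceLen:]
	aead, err := newAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	der, err := aead.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, ErrBadPassword
	}
	return x509.ParsePKCS8PrivateKey(der) // e.g. *ecdsa.PrivateKey or *rsa.PrivateKey
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	store, _ := SealKey(priv, []byte("correct horse battery staple"))
	_, err := OpenKey(store, []byte("hunter2"))
	fmt.Println("unlock with wrong password:", err)
}
```

Two design points follow from the slides. The GCM authentication tag doubles as the password check, so the store never needs a separate password hash, and a tampered file is rejected the same way as a wrong password. And once an attacker has copied the file, the iteration count is the entire remaining defense: each guess costs one PBKDF2 run, which is exactly the “relatively vulnerable to key theft” property of software key stores that a hardware token avoids by never putting the key in a file at all.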

User Accounts
– Windows CAPI stores software keys in each user’s profile
– If user accounts are secure, then CAPI keys are protected by the Windows logon security
– Caveat: that protection (DPAPI, keyed from the user’s logon credentials) keeps other users out, but any code running as that user can use the keys; mark keys non-exportable where the application allows it, and prefer a hardware key store for high-value keys

PKCS#7 and PKCS#12
– More RSA standards
– No awards for imaginative names…
– PKCS#7 is a general syntax for data that may have cryptography applied to it (signed or enveloped data); it evolved into the Cryptographic Message Syntax (CMS, RFC 5652) and is also the usual container for shipping certificate chains (.p7b files)
– PKCS#12 specifies secure containers for transporting PKI certificates together with private keys (.p12/.pfx files, RFC 7292); it is the format used when exporting from or importing into a software key store, and the container’s password is the only thing protecting the private key while the file is in transit