Presentation is loading. Please wait.

Presentation is loading. Please wait.

Public-key Infrastructure

Published byPosy Burke Modified over 5 years ago

Similar presentations

Presentation on theme: "Public-key Infrastructure"— Presentation transcript:

1 Public-key Infrastructure

2 Public-key Infrastructure
A set of hardware, software, people, policies, and procedures. To create, manage, distribute, use, store, and revoke digital certificates. Encryption, authentication, signature Bootstrapping secure communication protocols.

3 CA: Certificate Authority (1)
In God We Trust

4 CA: Certificate Authority (2)
Contains data of the owner, such as Company Name, Server Name, Name, , Address,… Public key of the owner. Followed by some digital signatures. Sign for the certificate. In X.509 A certificate is signed by a CA. To verify the correctness of the certificate, check the signature of CA.

5 CA: Certificate Authority (3)
Certificate Authority (CA) “憑證授權” in Windows CHT version. In X.509, it is itself a certificate. The data of CA. To sign certificates for others. Each CA contains a signature of Root CA. To verify a valid certificate Check the signature of Root CA in the certificate of CA. Check the signature of CA in this certificate. Reference:

6 What is a CA ? (1) Certificate Authority (認證中心)
Trusted server which signs certificates One private key and relative public key Tree structure of X.509 Root CA

7 What is a CA ? (2) Root CA (最高層認證中心) In Microsoft:「根目錄授權憑證」
Root CA do not sign the certificates for users. Authorize CA to sign the certificates for users, instead. Root CA signs for itself. It is in the sky. To trust Root CA Install the certificate of Root CA via secure channel.

8 What is a CA ? (3) Tree structure of CA Cost of certificate
HiTrust : NT $30,000 / per year / per domain TWCA: NT $30,000 / per year / per domain GoGetSSL (Comodo): USD 7.85 / per year / per domain GoGetSSL (Comodo Wildcard): USD / per year Myself : NT $0

9 Certificate (1) Digital Certificate, Public-key Certificate, Network Identity A certificate is issued by a CA X A certificate of a user A consists: The name of the issuer CA X His/her public key Apub The signature Sig(Xpriv, A, Apub) by the CA X The expiration date Applications Encryption / Signature

10 Sig(Xpriv, Alice, Apub, T)
Certificate (2) CA X: (3) Generate Sig(Xpriv, Alice, Apub, T) Alice: Generate Apub, Apriv (2) Alice, Apub, ID proof (4) Sig(Xpriv, Alice, Apub, T) CertA,X=[Alice, Apub, Sig(Xpriv, Alice, Apub, T)] Note: CA does not know Apriv

11 Certificate (3) Guarantee of CA and certificate
Guarantee the public key is of someone Someone is not guaranteed to be safe Security of transmitting DATA Transmit session key first Public-key cryptosystem Transmit DATA by session key Symmetric-key cryptosystem

12 OpenSSL

13 OpenSSL http://www.openssl.org/ In system In pkg
/usr/src/crypto/openssl In pkg openssl

14 Example: Apache SSL settings

15 Example: Apache SSL settings – Flow
Generate random seed Generate RootCA Generate private key of RootCA Fill the Request of Certificate. Sign the certificate itself. Generate certificate of Web Server Generate private key of Web Server Fill the Request of certificate Sign the certificate using RootCA Modify apache configuration  restart apache

16 Example: Apache SSL settings – Generate random seed
openssl rand -out rnd-file num % openssl rand -out /etc/ssl/RootCA/private/.rnd 1024 chmod go-rwx rnd-file % chmod go-rwx /etc/ssl/RootCA/private/.rnd

17 Example: Apache SSL settings – Certificate Authority (8)
Include etc/apache22/extra/httpd-ssl.conf SSLEngine on SSLHonorCipherOrder on SSLCompression off SSLSessionTickets Off SSLCipherSuite SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384" SSLCertificateFile /etc/ssl/nasa/nasa.crt.pem SSLCertificateKeyFile /etc/ssl/nasa/private/nasa.key.pem # OCSP Stapling, only in httpd and later SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off # HSTS (mod_headers is required) ( seconds = 6 months) Header always add Strict-Transport-Security "max-age= ; preload“ # Public Key Pinning (HPKP) ##Header set Public-Key-Pins "pin-sha256=\"klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=\"; pin-sha256=\"633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q=\"; max-age= ; includeSubDomains"

18 Appendix: PGP

19 PGP Pretty Good Privacy Public key system security/gnupg
Encryption Signature security/gnupg Will talk more in Network Administration Ref:

Download ppt "Public-key Infrastructure"

Similar presentations

Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI)
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,

 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
1 Key Establishment Symmetric key problem: How do two entities establish shared secret key over network? Solution: trusted key distribution center (KDC)

1 Key Establishment Symmetric key problem: How do two entities establish shared secret key over network? Solution: trusted key distribution center (KDC)
TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.

TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)

Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)
Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.

Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.
IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.

IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.
Network Security. An Introduction to Cryptography The encryption model (for a symmetric-key cipher).

Network Security. An Introduction to Cryptography The encryption model (for a symmetric-key cipher).
Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.

Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Secure e-mail r How do you do it? m Need to worry about sniffing, modifying, end- user masquerading, replaying. m If sender and receiver have shared secret.

Secure r How do you do it? m Need to worry about sniffing, modifying, end- user masquerading, replaying. m If sender and receiver have shared secret.
SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

Similar presentations

Ads by Google