Public Key Infrastructure (PKI)

Presentation on theme: "Public Key Infrastructure (PKI)"— Presentation transcript:

1 Public Key Infrastructure (PKI)
Chapter 7 Public Key Infrastructure (PKI)

2 PKI
PKI technology has attracted significant attention and has become the central focus of modern security mechanisms on the Internet. PKI is closely related to the ideas of asymmetric key cryptography, mainly including message digests, digital signatures and encryption services.

3 PKI (cont.)
The chief requirement to enable all these services is the technology of digital certificates. Digital certificates are termed passports on the web. Two popular standards for digital certificates and PKI: PKIX and PKCS.

4 Digital Certificates
Problem: key agreement / key exchange
Answer:
- Diffie-Hellman Key Exchange
- Asymmetric Key Cryptography pitfalls
- Digital Certificates
Unsolved issue: man-in-the-middle attack

5 Digital Certificates (cont.)
Example: digital certificates compare to documents such as passports / driving licenses: full name, nationality, date + place of birth, photograph and digital signature.

6 Concept of Digital Certificates
A digital certificate is simply a small computer file. Example: ladda.cer (where .cer signifies the first three characters of the word “certificate”). The file extensions can be different. A digital certificate establishes the relationship between a user and her public key. A digital certificate must contain the user name and the user’s public key to prove that a particular public key belongs to a particular user.

7 Concept of Digital Certificates (cont.)
Figure 1 shows a simplified view of a sample digital certificate.
Interesting things in Figure 1:
- Subject name (a name may be an individual, a group or an organization)
- Serial number
Table 1 shows similarities between a passport and a digital certificate.
Digital certificates must be issued by some trusted entity.

8 Concept of Digital Certificates (cont.)
Figure 1 Example of a digital certificate

9 Concept of Digital Certificates (cont.)
Table 1 Similarities between a passport and a digital certificate.

10 Certification Authority (CA)
A CA is a trusted agency that can issue digital certificates. Usually, a CA is a reputed organization, such as a post office, financial institution, software company, etc. The world’s most famous CAs are Verisign and Entrust. Safescrypt Limited, a subsidiary of Satyam Infoway Limited, became the 1st Indian CA in Feb, 2002.

11 Technical Details of Digital Certificate
X.509 is a standard that defines the structure of a digital certificate. The International Telecommunication Union (ITU) came up with this standard in 1988, and it was a part of X.500 at that time. The current version of the standard is X.509V3. The IETF published RFC2459 for the X.509 standard in 1999.

12 Example:

13 Example:

14 Digital Certificate Creation
Parties involved
Three parties are involved in this process:
- Subject: end user
- Issuer: CA
- Registration Authority (RA)
CA responsibilities:
- Issue new certificates.
- Maintain the old ones.
- Revoke the ones that have become invalid.

15 Digital Certificate Creation (cont.)
An RA is an intermediate entity between the end users and the CA, which assists the CA in its day-to-day activities, as shown in Figure 2.
The RA provides the following services:
- Accepting and verifying registration information about new users.
- Generating keys on behalf of the end users.
- Accepting and authorizing requests for key backup and recovery.

16 Digital Certificate Creation (cont.)
Figure 2 Registration Authority (RA): End user, Registration Authority (RA), Certification Authority (CA).

17 Digital Certificate Creation (cont.)
- Accepting and authorizing the requests for certificate revocation.
The RA function assists the CA in its day-to-day activities, and the CA becomes an isolated entity, which makes it less susceptible to security attacks. The RA cannot issue digital certificates.

18 Certificate Creation Steps (cont.)
Figure 3 Digital certificate creation steps: Key generation, Registration, Verification, Certificate creation.

19 Certificate Creation Steps
Step 1. Key generation: 2 different approaches
a)
- The subject can create a private key and public key using some software (usually a part of the web browser / web server).
- The subject keeps the private key thus generated secret.
- The subject then sends the public key and information about herself to the RA.
- See Figure 4.

20 Certificate Creation Steps (cont.)
Figure 4 Subject generating its own key pair.

21 Certificate Creation Steps (cont.)
b) The RA generates a key pair on the subject’s (user’s) behalf. See Figure 5. Disadvantage: possibility of the RA knowing the private key of the user, as well as the scope for this key to be exposed to others while in transit after it is generated and sent to the appropriate user.

22 Certificate Creation Steps (cont.)
Figure 5 RA generating a key pair on behalf of the subject.

23 Certificate Creation Steps (cont.)
Step 2. Registration
Only required if the user generates the key pair in the 1st step.
The subject sends the public key, the associated registration information (e.g. subject name) and all the evidence about herself to the RA.
The format for certificate requests has been standardized and is called the Certificate Signing Request (CSR). CSR is one of the Public Key Cryptography Standards (PKCS), also called PKCS#10.

24 Certificate Creation Steps (cont.)
The evidence may not be in the form of computer data, and usually consists of paper-based documents.
Example of evidence: a copy of a passport, business documents, income/tax statements, etc.
See Figure 6.

25 Certificate Creation Steps (cont.)
Figure 6 Subject sends public key and evidences to the RA.

26 Certificate Creation Steps (cont.)
Step 3. Verification
The RA verifies the user’s credentials. The verification is as follows:
1) The RA verifies the user’s credentials, such as the evidence provided, and ensures that they are acceptable.
- If the user is an organization, the RA may check business records, historical documents and credibility proofs.
- If the user is an individual user, the RA may check postal address, id, phone number, passport or driving license.

27 Certificate Creation Steps (cont.)
2) Checking the Proof of Possession (POP)
- The RA verifies that the user who is requesting the certificate does indeed possess the private key corresponding to the public key that is sent as a part of the certificate request to the RA.
- There are many approaches to this check.
1. The user digitally signs her Certificate Signing Request (CSR) using her private key. If the RA can verify the signature correctly (using the user’s public key), the RA believes that the user indeed possesses the private key.

28 Certificate Creation Steps (cont.)
2. The RA creates a random number challenge, encrypts it with the user’s public key and sends the encrypted challenge to the user. If the user can decrypt it using her private key, the RA assumes that the user possesses the right private key.
3. The RA generates a dummy certificate for the user, encrypts it using the user’s public key and sends it to the user. The user can obtain the plain text certificate only if she can decrypt the encrypted certificate.
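
The first two proof-of-possession approaches above, as an added example that is not part of the original presentation. It uses textbook RSA without padding and constructed toy keys purely to show the RA's logic; the helper names and the request format are assumptions, and a real request would be a PKCS#10 CSR signed with a standard signature scheme.

```python
import hashlib
import secrets
E = 65537  # public exponent shared by both toy keys

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def build_request(subject, public):
    """Stand-in for a CSR body: subject name plus the public key being certified."""
    n, e = public
    return f"subject={subject};n={n:x};e={e}".encode()

def digest(request, n):
    return int.from_bytes(hashlib.sha256(request).digest(), "big") % n

def sign_request(request, private):
    n, d = private
    return pow(digest(request, n), d, n)

def ra_check_signed_request(request, signature, public):
    """Approach 1: verify the signature with the public key named in the request."""
    n, e = public
    return pow(signature, e, n) == digest(request, n)

def ra_make_challenge(public):
    """Approach 2: encrypt a random number under the claimed public key."""
    n, e = public
    nonce = secrets.randbelow(n - 2) + 2
    return nonce, pow(nonce, e, n)

def answer_challenge(ciphertext, private):
    n, d = private
    return pow(ciphertext, d, n)

# Constructed toy keys built from Mersenne primes; never use such keys in practice.
LADDA_PUB, LADDA_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**127 - 1, 2**89 - 1)

def demo():
    req = build_request("ladda", LADDA_PUB)
    pop1_ok = ra_check_signed_request(req, sign_request(req, LADDA_PRIV), LADDA_PUB)
    # Request names Ladda's public key but is signed with a non-matching private key.
    pop1_bad = ra_check_signed_request(req, sign_request(req, OTHER_PRIV), LADDA_PUB)
    nonce, ct = ra_make_challenge(LADDA_PUB)
    pop2_ok = answer_challenge(ct, LADDA_PRIV) == nonce
    pop2_bad = answer_challenge(ct, OTHER_PRIV) == nonce
    return pop1_ok, pop1_bad, pop2_ok, pop2_bad
```

Both checks pass only for the holder of the matching private key, which is what stops a requester from obtaining a certificate for someone else's public key.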

29 Certificate Creation Steps (cont.)
Step 4. Certificate creation
The RA passes on all the details of the user to the CA. The CA does its own verification (if required) and creates a digital certificate for the user. The CA sends the certificate to the user, and also retains a copy of the certificate for its own record.

