Presentation is loading. Please wait.

Presentation is loading. Please wait.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Similar presentations


Presentation on theme: "Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002."— Presentation transcript:

1 Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center tic@mail.state.ar.us 3/27/2002

2 Inside PKI Vocabulary Vocabulary How PKI Works How PKI Works When it Doesn’t When it Doesn’t

3 Vocabulary

4 Asymmetric Cryptography Use of algorithms that use different keys for encryption than decryption and the decryption key cannot be derived from the encryption key.

5 Authentication Verifying the identity of a person or a computer system.

6 Certificate Authority (CA) The authority in a network (PKI) that issues and manages security credentials and public keys for message encryption.

7 Certificate Practice Statement CPS Provides a detailed explanation of how the certificate authority manages the certificates it issues and associated services such as key management. The CPS acts as a contact between the CA and users, describing the obligations and legal limitations and setting the foundation for future audits.

8 Ciphertext Encrypted text. Plaintext or cleartext is what you have before encryption and ciphertext is the encrypted result.

9 Digital Certificate A digital document which is generally stored and administered in a central directory. It contains the certificate holder's name, a serial number, expiration dates, public key, and the digital signature of the certificate issuing authority.

10 Digital Signature An electronic signature that authenticates the identity of the sender, ensures the original content of the message is unchanged, is easily transportable, cannot be easily repudiated, cannot be imitated, and can be automatically time-stamped.

11 Directory A specialized, highly available database organized to be primarily used for lookup.

12 Directory Service A collection of software, hardware, processes, policies and administrative procedures involved in organizing the information in a directory and making it available to users.

13 Hashing A mathematical summary that can be used to provide message integrity popular because it is simple and small.

14 Integrity The state of being unaltered.

15 Nonrepudiation The basis of insisting that the document signed by a particular private key represents acknowledgement by the private key owner.

16 Private Key The private part of a two-part, public key asymmetric cryptography system. The private key is provided by a certificate authority, kept secret and never transmitted over a network.

17 Public Key The public part of a two-part, public key asymmetric cryptography system. The public key is provided by a certificate authority and can be retrieved over a network.

18 Public Key Infrastructure (PKI) A system that enables users of a public network to exchange data securely and privately through the use of a public and private cryptographic key pair that is obtained and shared through a trusted authority.

19 Registration Authority The authority in a Public Key Infrastructure that verifies user requests for a digital certificate and tells the certificate authority it is alright to issue a certificate.

20 Rivest-Shamir-Adleman (RSA) An algorithm used for key pairs used for authentication, encryption and decryption.

21 How PKI Works Get a Certificate Get a Certificate Send a Signed Message Send a Signed Message Receive a Signed Message Receive a Signed Message Send an Encrypted Message Send an Encrypted Message Receive an Encrypted Message Receive an Encrypted Message Different Answers! Different Answers!

22 Get a Certificate Supply information to a Certificate Authority Supply information to a Certificate Authority Certificate Authority generates the keys Certificate Authority generates the keys Certificate Authority creates the certificate Certificate Authority creates the certificate Registration Authority may authorize the certificate Registration Authority may authorize the certificate The private key is delivered to the user The private key is delivered to the user The certificate is stored in a directory The certificate is stored in a directory

23 Digital Certificate Version of certificate format Version of certificate format Certificate serial number Certificate serial number Signature algorithm identifier Signature algorithm identifier Certificate authority (CA) X.500 name Certificate authority (CA) X.500 name Validity period (start, expiration) Validity period (start, expiration) Subject X.500 name Subject X.500 name Subject public key info (algorithm, public key) Subject public key info (algorithm, public key) Issuer unique identifier (optional) Issuer unique identifier (optional) Subject unique identifier (optional) Subject unique identifier (optional) Extensions Extensions Certificate Authority's digital signature Certificate Authority's digital signature

24 Private Key One of two numeric keys derived from an algorithm One of two numeric keys derived from an algorithm Can be stored on a computer Can be stored on a computer Can be memorized (not practical) Can be memorized (not practical) Can be held in a token Can be held in a token Can be combined with a biometric or token Can be combined with a biometric or token Must be kept secure Must be kept secure Is not stored in the certificate Is not stored in the certificate

25 Get a Certificate RA approves the Certificate Information is given to CA The CA creates keys and certificate The Certificate, which contains the Public Key, is filed in a Directory Private Key goes to the User

26 Send a Signed Message Compose the message Compose the message Sign with your own (sender’s) private key Sign with your own (sender’s) private key Create a message hash Create a message hash Encrypt hash with private key Encrypt hash with private key Send the message and the digital signature Send the message and the digital signature

27 Receive a Signed Message Receive the message and the signature Receive the message and the signature Get the sender’s public key Get the sender’s public key Use the key to decrypt the signature (hash) Use the key to decrypt the signature (hash) Generate a new hash of the message Generate a new hash of the message Compare the two hashes to assure the integrity of the message and the authentication of the sender Compare the two hashes to assure the integrity of the message and the authentication of the sender

28 Signed Message Compose the Message Sign the Message with Private Key Send the Message and Digital Signature Receive the Message and Digital Signature Get the Sender’s Public Key Compare the hashes SENDER RECIPIENT

29 Send an Encrypted Message Compose the message Compose the message Get the receiver’s public key Get the receiver’s public key Encrypt the message Encrypt the message Send the message Send the message But can be more complex, especially for long messages But can be more complex, especially for long messages

30 Receive an Encrypted Message Receive the message Receive the message Decrypt with you own (receiver’s) private key Decrypt with you own (receiver’s) private key But can be more complex, especially for long messages But can be more complex, especially for long messages

31 Encrypted Message Compose the Message Get the Recipient’s Public Key Encrypt the Message with Public Key Send the Encrypted Message Get the Encrypted Message Decrypt with Private Key

32 Different Answers Depending On: Where the public key is stored and how it is managed Where the public key is stored and how it is managed If a user has multiple public keys If a user has multiple public keys If multiple encryption algorithms are used If multiple encryption algorithms are used If both message encryption and digital signature are required If both message encryption and digital signature are required

33 When PKI Doesn’t Work When it isn’t trusted When it isn’t trusted When the private key isn’t secure When the private key isn’t secure When the CA isn’t trusted by all parties When the CA isn’t trusted by all parties When the authentication required by the CA isn’t adequate for all parties When the authentication required by the CA isn’t adequate for all parties When there’s more than one John Smith When there’s more than one John Smith When the sender and receiver can’t interoperate When the sender and receiver can’t interoperate

34 Longer Looks at PKI This Group This Group Handout Handout Office of Information Technology Office of Information Technology Other States Other States Vendors Vendors


Download ppt "Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002."

Similar presentations


Ads by Google