Presentation is loading. Please wait.

Presentation is loading. Please wait.

April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics.

Published byAlexandra Morse Modified over 10 years ago

Similar presentations

Presentation on theme: "April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics."— Presentation transcript:

1 April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics

2 April 19-22, 2005SecureIT-2005 Agenda Why do you need a PKI? Basic Cryptography Near Future PKI Applications PKI Components and Services Deployment of a PKI

3 April 19-22, 2005SecureIT-2005 Why do you need a PKI? Protects against eavesdropping Protects against tampering Prevents impersonation –Spoofing –Misrepresentation Provides stronger authentication

4 April 19-22, 2005SecureIT-2005 Basic Cryptography Use of Keys for Encryption and Decryption Types of Keys –Symmetric-Key Encryption Uses ONE single key (shared secret) Efficient Provides a minor degree of authentication Only effective if symmetric key is kept secret!! –Public-Key Encryption (asymmetric encryption) Involves a pair of keys: Public Key – Published Private Key – Kept secret Key Length and Encryption Strength –Strength of encryption is related to the difficulty of discovering the key –Encryption strength is described in terms of key size.

5 April 19-22, 2005SecureIT-2005 Public Key Cryptography Provides: Encryption and Decryption Strong authentication Non-repudiation Tamper detection

6 April 19-22, 2005SecureIT-2005 What is a Certificate? A certificate is an electronic document used to identify: –An individual –A server –A company –Other entities A certificate associates an identity with a public key

7 April 19-22, 2005SecureIT-2005 What is a Certificate Authority? A Certificate Authority (CA) –validates identities –issues certificates Validation/Assurance of identity –depend on the policies of a given CA

8 April 19-22, 2005SecureIT-2005 Contents of a Certificate A certificate (X.509 v3) binds a Distinguished Name (DN) to a public key. A DN is a series of values that uniquely identify an identity. For example: cn=Javier Torner, email=jtorner@csusb.edu,email=jtorner@csusb.edu o=California State University San Bernardino, ou=Information Security Office

9 April 19-22, 2005SecureIT-2005 Near Future Application Digital Signatures (S/MIME) Mail Encryption Certificate Revocation SSL Client Certificates to POP/IMAP SSL Client Certificates to NNTP SSL Client Certificates for network access Hardware Tokens – Two factor authentication

10 April 19-22, 2005SecureIT-2005 PKI Components and Services Certificate Repository Certificate Revocation Key backup and recovery Support for non-repudiation Time stamping Client software

11 April 19-22, 2005SecureIT-2005 PKI Phases Phase 0 – Basic Infrastructure –Implement a Certificate Authority Hierarchy Structure Phase I – Authorization Phase II – Authentication Phase III – Incorporate a Trusted Bridge

12 April 19-22, 2005SecureIT-2005 PKI - Phase 0 Define Certificate Practice Statement Define a CA Hierarchy –Root CA Master or Secondary CA –SSL (Web server) CA –SSL Clients CA –E-mail/Encryption CA –Object CA

13 April 19-22, 2005SecureIT-2005 CA Certificate Practice Statement Easy way to start is using PKI-Lite Edit/modify to your institution Technology has been around, but relatively new

14 April 19-22, 2005SecureIT-2005 PKI - Phase I Select software –OpenSSL, OpenCA Issue SSL Server Certificates –Class 3 Web servers certificate –Develop/enable users request interface –Provide user education SSL Client Certificates –Start with certificates for authentication ONLY –Test on control systems ISO sites

15 April 19-22, 2005SecureIT-2005 SSL Client Certificates Provides the ability to authenticate (primarily web) users using your institutions certificate Allows you to easily restrict the users of your data based upon criteria within a certificate

16 April 19-22, 2005SecureIT-2005 Contents of a Phase I Server Certificate CN=www.infosec.csusb.edu Email= OU=Information Security Office O=California State University San Bernardino L=San Bernardino ST=California C=US

17 April 19-22, 2005SecureIT-2005 Contents of a Phase-I ID Certificate CN=Javier Torner Email=jtorner@csusb.edu OU=Information Security Office O=California State University San Bernardino L=San Bernardino ST=California C=US

18 April 19-22, 2005SecureIT-2005 The Future of PKI Phase 3 – Federated Application Design CA Development

19 April 19-22, 2005SecureIT-2005 Valuable Resources http://www.modssl.org http://www.openssl.org http://www.openca.org http://www.educause.edu/HEPKI Understanding PKI – Carlisle Adams and Steve Lloyd (ISBN 1-57870-166-x) Digital Certificates – Jalal Feghhi, Jalil Feghhi, Peter Williams (ISBN 0-201-30980-7)b

Download ppt "April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Public Key Infrastructure and Applications

Public Key Infrastructure and Applications
Introduction of Grid Security

Introduction of Grid Security
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
May 06, 2002 Getting Started with Digital Certificates: Is PKI-Lite Real PKI? Internet2 Spring Meeting 2002 Wash, DC.

May 06, 2002 Getting Started with Digital Certificates: Is PKI-Lite Real PKI? Internet2 Spring Meeting 2002 Wash, DC.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.
(n)Code Solutions A division of GNFC

(n)Code Solutions A division of GNFC
SSL Implementation Guide Onno W. Purbo

SSL Implementation Guide Onno W. Purbo
PKI Implementation in the Real World

PKI Implementation in the Real World
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

Similar presentations

Ads by Google