Download presentation
Presentation is loading. Please wait.
1
(n)Code Solutions A division of GNFC
Introduction to PKI (n)Code Solutions A division of GNFC (n)Code Solutions CA Basics of PKI
2
At the end of this presentation, you will know:
Introduction to PKI At the end of this presentation, you will know: How to achieve secure communications in a public network, including: Cryptography - Public / Private Keys Digital Certificates Certification Authority Public Key Infrastructure (PKI) Activity: Introduce Module Topics Notes: (n)Code Solutions CA Basics of PKI
3
How do I achieve secure communications in a public network?
We use the Internet to . . . Send Make purchases Distribute software Inventory control & order entry But we have some concerns - How do we . . . Know a person is who they claim to be? Know I’m connected to an authentic merchant? Protect the privacy of my communications? Know if information has been tampered with? Prove later that someone sent me the message? Activity: Introduce security concerns in an open network Notes: Review the concerns, explaining that an OPEN NETWORK is easy for anyone to access. Stress any concerns that might be particularly important to the business of any of the students (based on information from their introductions). (n)Code Solutions CA Basics of PKI
4
Four Security Needs for Network Communications
Privacy / Confidentiality Integrity Interception Modification Is my communication private? Has my communication been altered? Authentication Non-repudiation Activity: Introduce the 4 security needs Notes: The 4 security needs relate to concerns about achieving security in an open public network: Confidentiality (a.k.a. Privacy): How do I protect the privacy of my communications? Integrity: I want to know if my communication has been tampered with, and I want to be able to prevent it from being altered Authentication: I want to deal with an authentic merchant or person, not an impersonator Non-Repudiation: I need to prove that the message was sent or received ? Claims Fabrication Not Sent Not Received Who am I dealing with? Who sent/received it and when? (n)Code Solutions CA Basics of PKI
5
How do we solve the 4 Security Needs?
Cryptography Secret Key Public Key Specialized uses of cryptography: Digital Signature Digital Certificates Secret Public Activity: Introduce cryptography Notes: Explain that cryptography is the basic electronic answer to the 4 security needs We’ll look at: Secret key Public key and 2 specialized uses of cryptography: Digital Certificates Digital Signature Digital Certificate (n)Code Solutions CA Basics of PKI
6
Secret Key Cryptography
Cryptography involves: encryption decryption Secret Key cryptography: Data is encrypted & decrypted using the same Secret Key Also known as “Symmetric Key” DES is an example of a secret key algorithm Encrypted Document Original Document Secret Key algorithm Activity: Explain Secret Key Cryptography Notes: Explain CRYPTOGRAPHY: involves both ENCRYPTION and DECRYPTION a Mathematical function that changes the data an algorithm does the encryption the encrypted data cannot be derived without the KEY to decrypt Stress that it is also called Symmetric key because the same key is used to both ENCRYPT and DECRYPT a document DES = Data Encryption Standard Key sizes (number of BITS in the key): 40-bit 128-bit is the preferred size Original Document Encrypted Document Secret Key algorithm Secret (n)Code Solutions CA Basics of PKI
7
Secret Key Cryptography
It’s fast, but . . . How do I get my secret key to my recipient? Do I have a different secret key for everyone with whom I communicate? INTERNET If one key is compromised, all copies of that key must be replaced Does not scale well Activity: Use the diagram to discuss Secret Key Cryptography Notes: The benefit is that it’s fast However, there are disadvantages - Distribution - Does not scale well to the Internet environment Another difficulty in an Internet environment is: If I communicate with hundreds of people, how do I get the secret key to everyone? (n)Code Solutions CA Basics of PKI
8
Public Key Cryptography
Two keys = key pair Mathematically related, but not identical, public & private key pairs Public Keys are widely distributed Private Keys are held securely by owners Data encrypted with one key can be decrypted only with the other key of the pair a.k.a. “Asymmetric Key” RSA is an example of a public key algorithm Encrypted Document Original Document Public Key algorithm Original Document Public Key algorithm Encrypted Document Private (n)Code Solutions CA Basics of PKI
9
Public Key Cryptography
It’s slower, but . . . I don’t have to distribute a secret key because I have my Private Key Everyone with whom I communicate can know my Public Key INTERNET There’s only one copy of the Private Key Scales well Activity: Use the diagram to discuss Public Key Cryptography Notes: It’s slow because the algorithm takes a long time to process For example: Processing 1024-bit key pair takes several minutes But there are advantages - Scales well to Internet environment Browsers cannot process 2048-bit key pairs (n)Code Solutions CA Basics of PKI
10
Public Network or Directory
Digital Signature Everyone has a Signature Key Pair 1) A provides copy of Public Key to B 2) A signs information using Private Key 3) B verifies signature using A’s Public Key Public Key Signed Data A B Public Network or Directory (either method) Activity: Use the diagram to illustrate Digital Signature Notes: Use actual examples for A & B to help students understand the process of Digital Signature You would usually have 1 key pair for encryption and another key pair for signature Point out the differences between the 2 functions (Public Key Encryption and Digital Signature) Explain that you will look at Digital Signature in a little more detail in the next 3 slides Private Key signs data Public Key verifies signature on data Public Key may be sent with the signed data (n)Code Solutions CA Basics of PKI
11
A Closer Look at Digital Signature
Data with electronic stamp Digital Signature: Electronic (digital) stamp appended to data before sending The result of encrypting the Hash of the data to be sent on the network Any change (to data or signature) will cause the signature verification to fail Hash - or Digest: Speeds up the signing (encrypting) process One-way conversion of the data to a fixed length field that uniquely represents the original data Activity: Explain Digital Signature and introduce Hashing Notes: Stress that the Digital Signature is appended to the data Explain HASH Fixed length One-way conversion, cannot un-do Typical HASH algorithms: MD2 (Message Digest) MD5 So, using a diagram . . . (n)Code Solutions CA Basics of PKI
12
Digital Signing of the Data
Electronic Data Electronic Data Hash Function Signing Hash Result Digital Signature Activity: Explain the SIGNING of the data Notes: First HASH the data Then SIGN - Encrypt the data with A’s Private Key Why do the Hash? 1. Makes the data smaller 2. See next slide Signed Data Private of A Only Private Key holder can sign (n)Code Solutions CA Basics of PKI
13
Digital Signature Verification
Electronic Data Hash Function So the receiver can compare hashes to verify the signature Hash Result Verify Function Hash Result Digital Signature Activity: Explain Verification Notes: Why do the HASH? 2. Hashing is part of the signature verification: Receiver hashes the data, gets a HASH result Receiver decrypts the data and gets a HASH result Then receiver compares the HASH results Verification is the comparison of HASH results Valid compare Yes / No ? Signed Data Public of A Anyone can verify (n)Code Solutions CA Basics of PKI
14
Security Solutions Some security mechanisms:
Secret Key encryption Public Key encryption Digital signature Hashing How can these security mechanisms solve the four communications security needs? Confidentiality Integrity Authentication Non-repudiation Activity: Use slide to summarize and transition Notes: Let’s look at how cryptography - secret key, public key, and digital signature - can solve our security needs (n)Code Solutions CA Basics of PKI
15
Solving the 4 Security Needs
Confidentiality Integrity Encryption: Secret key Public key Digital Signature Non-Repudiation Activity: Discuss how the Security Needs are solved Notes: Slide builds to show one answer at a time Confidentiality: I protect electronic communications by encrypting them Integrity: The Digital Signature verification process is like a tamper-evident seal - if it fails, I know the data has been compromised Non-Repudiation: Digital Signature proves a message has been sent & received -only the person signing has the private key, so it’s like a hand-written signature Authentication: What about Authentication? See next slide Authentication Digital Signature ??? My Signature & Date (n)Code Solutions CA Basics of PKI
16
Authentication Identification: How you tell someone who you are
Authentication: How you prove to someone you are who you say you are Activity: Introduce Authentication Notes: Transition: Confidentiality was solved by Encryption Integrity was solved by Digital Signature Non-Repudiation was solved by Digital Signature What about Authentication? First, distinguish between the 2 terms as presented on slide: Identification & Authentication (n)Code Solutions CA Basics of PKI
17
How Do I Solve Authentication?
Physical Solutions: Something you know Password, combination to safe Something you have Key, token, badge Something you are Signature, iris pattern, fingerprint Electronic Solution: So, why does B trust A’s Public Key? Activity: Discuss how we solve Authentication Notes: If I want to ensure that I’m dealing with an authentic person, not an impersonator, I can usually trust a passport or drivers license with a photograph The electronic solution is Digital Certificates Remember the question you’ve been holding: Why does B trust A’s Public Key? Now we can answer it . . . . . . See next slide Digital Certificates (n)Code Solutions CA Basics of PKI
18
Signed Message containing A’s Name & Public Key
Digital Certificates . . . Because a trusted third party has authenticated that the Public Key belongs to A: Certification Authority (CA) When A provides proof of identity, the Certification Authority creates a signed message containing A’s name and public key: Digital Certificate Signed Message containing A’s Name & Public Key Activity: Introduce Digital Certificates & Certification Authority Notes: Remember the question you’ve been holding: Why does B trust A’s Public Key? Now we can answer it . . . The Digital Certificate was issued by someone we all trust Explain Certification Authority B trusts the Digital Certificate because B trusts the Certification Authority that issued the Digital Certificate (n)Code Solutions CA Basics of PKI
19
Why trust a Digital Certificate?
A Digital Certificate becomes a passport that proves your identity and authenticates you A passport is issued by a trusted Government - when another Government sees it, they trust it A Digital Certificate issued by a trusted CA, again licensed by the government and can also be trusted Activity: Explain the importance of TRUST Notes: All this technology depends upon TRUST Use passports as an example to illustrate TRUST: A Customs Officer will only trust a passport issued by a government that can be trusted (n)Code Solutions CA Basics of PKI
20
Certification Authority
Certification Authority assumes the responsibility of authenticating Certificate identity information Like a Government for passports CA authentication techniques: Check against existing records Employee databases Examine typical identification Passport, license Background check Government databases CA authenticates, issues & manages Certificates Activity: Introduce Certification Authority Notes: All of this technology depends upon TRUST Use passports as an example to illustrate TRUST: A passport proves your identity and authenticates you. A Customs Officer will only trust a passport issued by a government that can be trusted. Electronically: A Digital Certificate becomes your passport to prove your identity and authenticate you. A Digital Certificate issued by a trusted Certification Authority can also be trusted. Stress the responsibilities of the Certification Authority: Authenticate Certificates Issue Certificates Manage Certificates (n)Code Solutions CA Basics of PKI
21
Certification Hierarchy
Issuer=CCA Subject=India PKI Root Issuer=(n)Code Subject=GNFC Issuer=MTNL Subject=MTNL SubCA SubCA Issuer=TCS Subject=TCS India Issuer=(n)Code Subject=Powergrid Employee Issuer=MTNL Subject=Subscriber SubCA EE EE Issuer=TCS Subject=TATA Employee X.509 standard is the general model for certification hierarchy If you trust the CA that signed the certificate, you can trust the certificate EE (n)Code Solutions CA Basics of PKI
22
Each End Entity has a browser that stores all appropriate certificates
Certification Hierarchy Issuer=CCA Subject=India PKI Root Issuer=(n)Code Subject=GNFC Issuer=MTNL Subject=MTNL SubCA SubCA Issuer=TCS Subject=TCS India Issuer=(n)Code Subject=Powergrid Employee CCA (n)Code Issuer=MTNL Subject=Subscriber CCA MTNL SubCA EE EE Issuer=TCS Subject=TATA Employee EE CCA (n)Code TCS Each End Entity has a browser that stores all appropriate certificates (n)Code Solutions CA Basics of PKI
23
Information Checkpoint
How do we solve the 4 security needs? Confidentiality Integrity Encryption: Secret key Public key Digital Signature Activity: Check understanding Notes: Slide builds to show one answer at a time Non-Repudiation Authentication Digital Signature Digital Certificates My Signature & Date (n)Code Solutions CA Basics of PKI
24
So . . . What is PKI? Public Key Infrastructure (PKI) . . .
. . . is the hardware, software, people, policies, & procedures needed to create, manage, store, distribute, & revoke certificates Required to support the use of Public Key cryptography methods for network security Activity: Provide a general definition of PKI Notes: (n)Code Solutions CA Basics of PKI
25
Registration Authority Certification Authority
PKI Components A Public Key Infrastructure consists of: Certification Authorities (CAs) (Issuers) Registration Authorities (RAs) (Authorize the binding between Public Key & Certificate Holder) Certificate Holders (Subjects) Relying Parties (Validate signatures & certificate paths) Repositories (Store & distribute certificates & status: expired, revoked, etc.) Relying Party Application Registration Authority Web Server Internet Activity: Use the diagram to introduce Public Key Infrastructure Notes: Now that we have reviewed the security needs and how we solve them, we can look at the concept of PKI: all the components necessary to generate certificates and allow certification trust hierarchies to be implemented. Define each component of PKI, providing actual examples when appropriate For example, the repository is usually a URL or LDAP interface Explain that PKI is discussed in more detail in another module Repository Certification Authority Certificate Holder (n)Code Solutions CA Basics of PKI
26
PKI Components = Functions
The five components of a PKI are functional roles: Certification Authority Certificate Holder Registration Authority Relying Party Repository A single entity, such as (n)Code, could perform one or more of these roles: For example: When an (n)Code employee applies for a certificate, the CA approves, issues, and uses the certificate, and also copies it to an internal directory Activity: Explain the functions of the elements Notes: (n)Code Solutions CA Basics of PKI
27
Certification Authority
Receives & processes certificate requests Consults with a Registration Authority to determine whether to accept or decline a certificate request Issues or denies the certificate to the requestor Renews certificates Manages Certificate Revocation Lists Provides on-line status to certificates Provides backup service, telephone support, and archival storage for certificates Provides trustworthy security infrastructure, policies for secure operations, and audit information for the CA Certification Authority Activity: List the requirements of a CA Notes: (n)Code Solutions CA Basics of PKI
28
How does (n)Code Solutions issue a Certificate?
1. User accesses Enrollment page via Browser 2. Enrollment Request stored for approval 3. Enrollment request approved or rejected 4. Certificate Issued and available for retrieval 5. User downloads Certificate 6. Certificate sent to a Repository Registration Authority 3 Relying Party Application 2 4 Web Server Certification Authority Activity: Discuss a typical sequence of certificate issuance Notes: This is a manual process Internet Repository 6 1 5 Certificate Holder (n)Code Solutions CA Basics of PKI
29
Status & Future Directions of PKI
New technology - earliest systems released in 1996 CA Hosting Services offered by a number of companies, notably Entrust and Verisign CA Products offered by Entrust, Computer Associates, Baltimore Technologies Activity: Discuss PKI Status Notes: Slide builds, one box at a time Certificate-enabled third-party products: Microsoft, Netscape, Oracle, Gemplus, Datakey (n)Code Solutions CA Basics of PKI
30
Status & Future Directions of PKI
TODAY PC-based usage: , SSL, access control applications (home banking) TOMORROW Network-based usage: firewalls, telecommunications device controllers Activity: Discuss PKI Status Notes: Slide builds, one box at a time Digital certificates have become the standard for achieving secure communications in a public network (n)Code Solutions CA Basics of PKI
31
Ways to Use Digital Certificates
Activity: Transition from PKI to look more closely at Digital Certificates and how they can be used Notes: Where can you go? (n)Code Solutions CA Basics of PKI
32
Where can you use PKI ? Web’s HTTP and other protocols (SSL)
VPN (PPTP, IPSec, L2TP…) (S/MIME, PGP, Exchange KMS) File Signing (MS Office, Acrobat files, etc.) Web Services / Form Signing Smartcards (Certificates, private key store ) Executables (.NET Assemblies, Drivers, Authenticode) Copyright protection (Code Signing) (n)Code Solutions CA Basics of PKI
33
Which Certificate performs each task?
X.509 Certificate Type Task S/MIME Server/Client Authentication SSL Browser Netscape Microsoft Activity: Explain the different types and their purposes Notes: Use the diagram to review the different certificate types and their tasks Personal Authentication Secure Electronic Transaction SET Virtual Private Networks IPSec (n)Code Solutions CA Basics of PKI
34
A Closer Look at Applications
Web Services, Form Signing Enterprise Access e-Commerce Application Access Control Secure Purchasing, Payments, Authorization Microsoft Netscape Activity: List 3 applications to discuss in greater detail Notes: SSL - 3 slides Access Control - 1 slide SET - 1 slide SSL Access Control SET Netscape Microsoft Web Server Authentication Personal Authentication (n)Code Solutions CA Basics of PKI
35
Using Digital Certificates for Web-server & Personal Authentication
Secure Socket Layer (SSL) . . . . . . is a protocol used to create a secure communication session between a client application (browser) and a server application (web server) over a TCP/IP network Secret Session Key . . . . . . is a Secret Key used by A and B only for the duration of this communication session Activity: Introduce SSL & Secret Session Key Notes: The objective of SSL is to create a secure communication session SSL involves the use of a Secret Session Key, which is used ONLY for the duration of the communication session Amazon.com is an example (n)Code Solutions CA Basics of PKI
36
SSL 2.0 provides Web-server authentication
SSL 2.0 Protocol SSL 2.0 provides Web-server authentication Browser (A) Secure Web Server (B) A Connects to B B sends copy of its certificate to A, indicating that SSL 2.0 is enabled A verifies signature on B’s certificate A generates Secret Session Key Activity: Use the diagram to review the SSL 2.0 process Notes: Provide an actual example to clarify if necessary A uses B’s public key to encrypt Secret Session Key B uses its private key to decrypt Secret Session Key {Exchanged Data} A and B use Secret Session Key to encrypt all data exchanged (n)Code Solutions CA Basics of PKI
37
SSL 3.0 adds personal client authentication
SSL 3.0 Protocol SSL 3.0 adds personal client authentication Browser (A) Secure Web Server (B) A Connects to B B sends copy of its certificate to A, indicating that SSL 3.0 is enabled with client authentication A verifies signature on B’s certificate A generates Secret Session Key A uses B’s public key to encrypt Secret Session Key Browser asks A to select a certificate to access B Activity: Use the diagram to review the SSL 3.0 process Notes: SSL 3.0 adds personal authentication Review the process and describe the difference from SSL 2.0 Provide an actual example to clarify if necessary Summarize: SSL achieves a secure communication session SSL achieves the 4 security needs with a Digital Certificate SSL uses a Secret Session Key B verifies signature on A’s certificate B uses its private key to decrypt Secret Session Key A sends encrypted Secret Session Key & A’s certificate to B {Exchanged Data} A and B use Secret Session Key to encrypt all data exchanged (n)Code Solutions CA Basics of PKI
38
Using Digital Certificates for Access Control
Access control to data, networks, services Personal records (medical, employment) Trusted method for transmitting ‘privileges’ over networks After verifying the signature, information inside the certificate can be checked to provide access control: Allow Organization = PowerGrid Allow Organization Unit = Human Resources Deny User State = Tamil Nadu An application enforcing these rules will allow access to an individual from Powergrid’s Human Resources Department as long as that person is not based in Tamil Nadu. ACCESS Activity: Review Access Control Notes: Remember, Access Control is an application of Digital Certificates A trusted method for transmitting “ACCESS RIGHTS” over the network After Authentication, look inside the certificate to determine access rights (n)Code Solutions CA Basics of PKI
39
Typical Send Scenario CA has issued and Authenticated a Digital Certificate to Users A & B Public of B Digital Signature Signed Data Session Key Encrypted + Message Public Key Encrypt Function Secret Session Key Session Key Encrypted + Message Hash result Hash Function Signing Function Secret Key Algorithm Message ______ _______ Activity: Use the diagram to review the process Notes: Point out how Confidentiality and Authentication have been achieved Authentication - The Digital Certificate has been issued and authenticated by a Certification Authority trusted by both A and B Confidentiality - Data is encrypted with B’s Public Key Private of A Confidentiality is achieved by encrypting the data with Receiver’s Public Key (n)Code Solutions CA Basics of PKI
40
Typical Receive Scenario
Digital Signature Signed Data Session Key Encrypted + Message Secret Session Key Public Key Encrypt Function Secret Key Algorithm Hash result Hash Function Message Encrypted Message ______ _______ Private of B Hash result Activity: Use the diagram to review the process Notes: Point out how Integrity and Non-repudiation have been achieved Integrity - Signature verification ensures the integrity of the message Non-repudiation - Only A has the Private Key that signed the data Verify Function Verification will fail if any changes to the data or signature are detected - Integrity Verification with public key shows who signed the data (sender can’t deny) - Non-repudiation Public of A (n)Code Solutions CA Basics of PKI
41
Applications for PKI GNFC has the following applications already developed on a pilot basis and can be deployed with customization as required by the client e-Filing / Form Signing e-Billing e-Tendering / e-Procurement SignIT (n)Code Solutions CA Basics of PKI
42
e-Filing / Form Signing
Web based application for submission of digitally signed forms Can be used to manage online client interaction for Online application Grievance handling Information sharing Online payment Can seamlessly integrate with any existing application if required Can be used very effectively in G2B and G2C interactions or any type of consumer interactions (n)Code Solutions CA Basics of PKI
43
e-Billing PKI enabled web based application
Online bill presentation and payment application A customer can use this application to digitally sign bills and present to their customers online or send digitally signed bills to such customers The customer can verify the digital signature for authenticity and integrity of the bill The customer can also choose to pay online (n)Code Solutions CA Basics of PKI
44
e-Tendering / e-Procurement
PKI enabled web based application for end-to-end procurement management. Can manage the entire procurement cycle from raising an internal indent to placing the order Any company can realize a substantial saving in processing time and operational costs like printing, logistics and paper flow management Can bring transparency to the procurement process A multitude of MIS reports can be generated from this applications (n)Code Solutions CA Basics of PKI
45
SignIT PKI enabled web based application that helps in delivering digitally signed documents or forms to clients online as well as by . Many customer services can be automated with this application A customer need not install any application or hardware as this is a web based application (n)Code Solutions CA Basics of PKI
46
Thank You. (n)Code Solutions CA Basics of PKI
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.