Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Presentation transcript:

1 Introduction to public-key infrastructure (PKI). Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17, era@x500.eu. ITU Workshop on “Caller ID Spoofing” (Geneva, Switzerland, 2 June 2014)

2 PKI and PMI. Public-key certificates: the basis for public-key infrastructure (PKI). Attribute certificates: the basis for privilege management infrastructure (PMI). Rec. ITU-T X.509 | ISO/IEC 9594-8 is the base specification for both types of infrastructure.

3 Facts about X.509. Part of the X.500 series of Recommendations. Also issued as ISO/IEC 9594-8. Issued in seven editions; first edition in 1988; eighth edition on its way. Number one in downloads. Defines: public-key/private-key principles, public-key certificates, public-key infrastructure (PKI), attribute certificates, privilege management infrastructure (PMI).

4 Asymmetric cryptography. [Diagram: A and B, each holding a private key and the matching public key. Action using the private key, resolving using the public key (digital signature); action using the public key, resolving using the private key (encryption).] Asymmetric cryptography is the basic technology behind PKI and PMI.

5 PKI entities. [Diagram: end entity, registration authority, CAs, CRL issuer, and a certificate & CRL repository (e.g., an LDAP or X.500 directory).]

6 Certifying the identity using public-key certificates. [Diagram: the certification authority certifies the identity of the subject by issuing a public-key certificate.]

7 Public-key certificate. Fields, in order: version, serial number, algorithm, issuer, validity, subject, public key info, issuer unique id, subject unique id, extensions, digital signature of issuer. Version 2 (which added the unique identifiers): do not use! Version 3 (which added extensions): important.

8 Extensions. The extension concept allows additional information to be added to a public-key certificate. Organizations may define their own extensions. If the information changes, the public-key certificate has to be renewed.
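The structure on slides 7 and 8 is an ASN.1 SEQUENCE encoded in DER. The following is an added example, not part of the presentation: a minimal DER encoder and decoder that builds the TBSCertificate (the part the issuer signs) in the field order of slide 7 and walks it back out. The tags and OIDs are the real X.509 ones; the names, serial number, dates and "key" (a single Mersenne prime standing in for an RSA modulus) are constructed. It also shows why the version matters: a v1 body omits the version tag and cannot carry extensions, while v3 adds the [3] Extensions container.

```python
# Added example (not from the slides): DER encode/decode of the TBSCertificate layout on slide 7.
# Tags, field order and OIDs follow Rec. ITU-T X.509; the key, names and dates are constructed.
OID_CN, OID_RSA = "2.5.4.3", "1.2.840.113549.1.1.1"            # id-at-commonName, rsaEncryption
OID_SHA256_RSA, OID_BASIC_CONSTRAINTS = "1.2.840.113549.1.1.11", "2.5.29.19"

def der_tlv(tag, content):   # Tag-Length-Value; DER definite length: short form < 128 bytes, else long form
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(v):   # non-negative INTEGER in minimal bytes, leading 0x00 if the top bit would be set
    return der_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))

def der_read(buf, pos=0):   # returns (tag, content, next_pos) for the TLV starting at pos
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length

def der_children(content):   # (tag, content) of each element inside a constructed type
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        items.append((tag, body))
    return items

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode_cn(body):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }; this toy reads the single CN RDN."""
    (_, oid), (_, value) = der_children(der_children(der_children(body)[0][1])[0][1])
    assert decode_oid(oid) == OID_CN
    return "CN=" + value.decode()

def name(cn):
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_oid(OID_CN) + der_tlv(0x0C, cn.encode()))))

def build_tbs_certificate(version, serial, issuer_cn, subject_cn, not_before, not_after, n, e, is_ca):
    """Slide 7 order: version, serial, algorithm, issuer, validity, subject, key info, extensions."""
    null = der_tlv(0x05, b"")
    validity = der_tlv(0x30, der_tlv(0x17, not_before.encode()) + der_tlv(0x17, not_after.encode()))
    rsa_key = der_tlv(0x30, der_int(n) + der_int(e))                     # RSAPublicKey { n, e }
    spki = der_tlv(0x30, der_tlv(0x30, der_oid(OID_RSA) + null) + der_tlv(0x03, b"\x00" + rsa_key))
    body = (der_int(serial) + der_tlv(0x30, der_oid(OID_SHA256_RSA) + null) + name(issuer_cn)
            + validity + name(subject_cn) + spki)
    if version != 1:                       # Version is [0] EXPLICIT, DEFAULT v1, so v1 omits it
        body = der_tlv(0xA0, der_int(version - 1)) + body                 # v3 is INTEGER 2 on the wire
    if version == 3:                       # extensions exist only from version 3 on
        bc = der_tlv(0x30, der_tlv(0x01, b"\xff") if is_ca else b"")    # BasicConstraints { cA }
        ext = der_tlv(0x30, der_oid(OID_BASIC_CONSTRAINTS) + der_tlv(0x01, b"\xff") + der_tlv(0x04, bc))
        body += der_tlv(0xA3, der_tlv(0x30, ext))                         # [3] EXPLICIT Extensions
    return der_tlv(0x30, body)

def parse_tbs_certificate(der):
    tag, content, _ = der_read(der)
    assert tag == 0x30, "TBSCertificate must be a SEQUENCE"
    fields, cert = der_children(content), {"version": 1, "extensions": []}
    if fields[0][0] == 0xA0:                                             # explicit version present
        (_, v), = der_children(fields[0][1])
        cert["version"] = int.from_bytes(v, "big") + 1
        fields = fields[1:]
    serial, alg, issuer, validity, subject, spki = fields[:6]
    cert["serialNumber"] = int.from_bytes(serial[1], "big", signed=True)
    cert["signatureAlgorithm"] = decode_oid(der_children(alg[1])[0][1])
    cert["issuer"], cert["subject"] = decode_cn(issuer[1]), decode_cn(subject[1])
    cert["validity"] = tuple(t.decode() for _, t in der_children(validity[1]))
    spki_alg, spki_key = der_children(spki[1])
    cert["publicKeyAlgorithm"] = decode_oid(der_children(spki_alg[1])[0][1])
    (_, rsa_body), = der_children(spki_key[1][1:])                        # skip the unused-bits byte
    cert["publicKey"] = tuple(int.from_bytes(x[1], "big") for x in der_children(rsa_body))
    for tag, body in fields[6:]:                                          # [1]/[2] unique ids skipped
        if tag == 0xA3:
            for _, ext in der_children(der_children(body)[0][1]):
                items = der_children(ext)                                 # OID, [critical], OCTET STRING
                cert["extensions"].append((decode_oid(items[0][1]), len(items) == 3 and items[1][1] == b"\xff"))
    return cert

# Constructed demo values: serial, issuer CN, subject CN, notBefore, notAfter (UTCTime), n, e, cA flag.
DEMO_ARGS = (0x1001, "Toy Root CA", "Toy Issuing CA", "140602000000Z", "240602000000Z", 2**127 - 1, 65537, True)

def demo():   # the same content encoded as v3 (with extensions) and as v1 (no version tag, no extensions)
    return [parse_tbs_certificate(build_tbs_certificate(v, *DEMO_ARGS)) for v in (3, 1)]
```

Running `demo()` gives two dicts: the v3 one reports `version 3` and a critical basicConstraints extension, the v1 one reports `version 1` and no extensions at all, which is the point of slide 7's warning: without v3 there is no place to put the information an organization wants to add. The same `der_read`/`der_children` walker can be pointed at a real certificate's DER (the `tbsCertificate` is the first element of the outer `Certificate` SEQUENCE).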

9 Certification authority (CA), not "certificate authority". Verifies the identity of the subject. Verifies possession of the key pair. Verifies the other information as required. Issues and signs the public-key certificate. Maintains revocation status. Publishes revocation status.

10 Checking the credentials. A passport is a type of certificate binding a picture to a subject ID. It has to be issued by a trustworthy authority. A passport may be false. It is checked by the validator, also called the relying party. [Diagram: subject and relying party.]

11 Trust. Would you buy a certificate from this man? Would you trust a certificate issued by this man? [Picture captioned "Certificates".]

12 Hierarchical structure. [Diagram: trust anchor at the top, CAs below it, end entities (EE) at the leaves.] CA = certification authority; EE = end entity.

13 Trust anchor. Trusted by a relying party. Trust anchor information is configured into the relying party, as a public-key certificate or similar information.

14 Certificate revocation lists (CRLs). CRL fields: version, algorithm, issuer, time of this update, time of next update, the list of revoked certificates, CRL extensions, digital signature of issuer. Each revoked-certificate entry: certificate serial number, revocation date, entry extensions.

15 Online Certificate Status Protocol (OCSP). [Diagram: the OCSP client sends an OCSP request to the OCSP responder and receives an OCSP response.]

16 Validation procedure. [Diagram: user system A (end entity) sends signed data to user system B (relying party). B holds stored trust anchor information, follows the path from the trust anchor through the CA to A's certificate, and checks revocation.]
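To tie slides 4, 12, 13, 14 and 16 together, here is an added example (not from the presentation) of the validation procedure in Python. Textbook RSA on known Mersenne primes plays the role of the asymmetric "action with the private key, resolving with the public key" (no padding and no proper key generation, so a teaching toy only; it needs Python 3.8+ for `pow(e, -1, phi)`); certificates and CRLs are dicts carrying the field names of slides 7 and 14; all names, serials and dates are constructed. The relying party starts at its configured trust anchor, checks each certificate's signature, validity period, revocation status (from a fresh, authentic CRL) and CA status, and only then uses the end entity's key to verify the signed data.

```python
# Added example (not from the slides): toy certification-path validation following slides 12 to 16.
# Textbook RSA on Mersenne primes stands in for a real signature scheme (no padding: not for production);
# certificates are dicts rather than ASN.1, and every name, serial and date below is constructed.
import copy
import hashlib
import json

E = 65537

def keypair(p, q):
    """Slide 4: what the private exponent d does, the public pair (n, e) resolves."""
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(obj):
    """Canonical hash of the to-be-signed content as a 64-bit integer (toy; below every n used here)."""
    return int.from_bytes(hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).digest()[:8], "big")

def sign(priv, obj):                 # action using the private key
    return pow(digest(obj), priv["d"], priv["n"])

def verify(pub, obj, sig):           # resolving using the public key
    return pow(sig, pub["e"], pub["n"]) == digest(obj)

def issue(issuer, issuer_priv, subject, subject_pub, serial, not_before, not_after, is_ca):
    """The CA signs the slide 7 fields; basicConstraints records whether the subject may itself issue."""
    tbs = {"version": 3, "serialNumber": serial, "issuer": issuer, "subject": subject,
           "validity": [not_before, not_after], "subjectPublicKeyInfo": subject_pub,
           "extensions": {"basicConstraints": {"cA": is_ca}}}
    return {"tbsCertificate": tbs, "signatureValue": sign(issuer_priv, tbs)}

def issue_crl(issuer, issuer_priv, revoked, this_update, next_update):
    """Slide 14: the issuer signs the revoked serials together with this/next update times."""
    tbs = {"issuer": issuer, "thisUpdate": this_update, "nextUpdate": next_update,
           "revokedCertificates": sorted(revoked)}
    return {"tbsCertList": tbs, "signatureValue": sign(issuer_priv, tbs)}

def validate_path(anchor, chain, crls, now):
    """Slide 16: from the trust anchor down to the end entity, check each signature, validity
    period and revocation status; only then is the end entity's public key trusted."""
    issuer, issuer_pub = anchor["name"], anchor["publicKey"]
    for depth, cert in enumerate(chain):
        tbs = cert["tbsCertificate"]
        if tbs["issuer"] != issuer:
            return False, f"issuer name does not chain at depth {depth}"
        if not verify(issuer_pub, tbs, cert["signatureValue"]):
            return False, f"bad signature at depth {depth}"
        if not tbs["validity"][0] <= now <= tbs["validity"][1]:
            return False, f"certificate at depth {depth} not valid at {now}"
        crl = crls.get(issuer)
        if crl is None or not verify(issuer_pub, crl["tbsCertList"], crl["signatureValue"]):
            return False, f"no authentic CRL from {issuer}"
        tcl = crl["tbsCertList"]
        if not tcl["thisUpdate"] <= now <= tcl["nextUpdate"]:
            return False, f"CRL from {issuer} is stale"
        if tbs["serialNumber"] in tcl["revokedCertificates"]:
            return False, f"certificate serial {tbs['serialNumber']} is revoked"
        if depth < len(chain) - 1 and not tbs["extensions"]["basicConstraints"]["cA"]:
            return False, f"non-CA certificate at depth {depth} used as an issuer"
        issuer, issuer_pub = tbs["subject"], tbs["subjectPublicKeyInfo"]   # step down one level
    return True, "path valid"

def run_scenarios():
    """Constructed PKI: root (trust anchor) -> issuing CA -> end entity, then the failure cases."""
    root_pub, root_priv = keypair(2**127 - 1, 2**107 - 1)
    ca_pub, ca_priv = keypair(2**89 - 1, 2**61 - 1)
    ee_pub, ee_priv = keypair(2**521 - 1, 2**31 - 1)
    root, ca, ee = "CN=Toy Root", "CN=Toy Issuing CA", "CN=Toy End Entity"
    anchor = {"name": root, "publicKey": root_pub}
    chain = [issue(root, root_priv, ca, ca_pub, 1001, "2014-01-01", "2024-01-01", True),
             issue(ca, ca_priv, ee, ee_pub, 2002, "2014-05-01", "2015-05-01", False)]
    crls = {root: issue_crl(root, root_priv, [], "2014-06-01", "2014-07-01"),
            ca: issue_crl(ca, ca_priv, [], "2014-06-01", "2014-06-08")}
    revoked = {**crls, ca: issue_crl(ca, ca_priv, [2002], "2014-06-01", "2014-06-08")}
    tampered = copy.deepcopy(chain)
    tampered[1]["tbsCertificate"]["subject"] = "CN=Spoofed Subject"      # signature no longer matches
    data = {"from": ee, "body": "hello"}                                 # slide 16 "signed data"
    sig = sign(ee_priv, data)
    ee_key_from_cert = chain[1]["tbsCertificate"]["subjectPublicKeyInfo"]  # what the relying party uses
    return {
        "valid": validate_path(anchor, chain, crls, "2014-06-02"),
        "stale_crl": validate_path(anchor, chain, crls, "2014-06-20"),   # CA's nextUpdate has passed
        "revoked": validate_path(anchor, chain, revoked, "2014-06-02"),
        "tampered": validate_path(anchor, tampered, crls, "2014-06-02"),
        "wrong_anchor": validate_path({"name": root, "publicKey": ca_pub}, chain, crls, "2014-06-02"),
        "signed_data_ok": verify(ee_key_from_cert, data, sig),
        "signed_data_forged": verify(ee_key_from_cert, {**data, "body": "bye"}, sig),
    }
```

`run_scenarios()` returns the outcome of each case: the good path validates; a CRL whose `nextUpdate` has passed is rejected rather than silently trusted; a revoked serial, a tampered subject and a mismatched trust anchor each fail at the precise step the diagram on slide 16 shows, and the end entity's signed data verifies only with the key taken from the validated certificate and only for the unmodified content.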

17 Where to go. The central source for information on the X.500 Directory standard, including X.509: www.x500standard.com
