1
Introduction to public-key infrastructure (PKI)
Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17, era@x500.eu
ITU Workshop on "Caller ID Spoofing" (Geneva, Switzerland, 2 June 2014)
2
PKI and PMI
Public-key certificates: the basis for public-key infrastructure (PKI)
Attribute certificates: the basis for privilege management infrastructure (PMI)
Rec. ITU-T X.509 | ISO/IEC 9594-8 is the base specification for both types of infrastructure
3
Facts about X.509
Part of the X.500 series of Recommendations
Also issued as ISO/IEC 9594-8
Issued in seven editions: first edition in 1988, eighth edition on its way
Number one in downloads
Defines: public-key/private-key principles, public-key certificates, public-key infrastructure (PKI), attribute certificates, privilege management infrastructure (PMI)
4
Asymmetric cryptography
Diagram: two parties, A and B, each holding a private key and a public key. An action performed with the private key is resolved with the public key; an action performed with the public key is resolved with the private key.
Asymmetric cryptography is the basic technology behind PKI and PMI
5
PKI entities
Diagram: end entity, registration authority, certification authorities (CAs), CRL issuer, and a certificate & CRL repository (e.g., an LDAP or X.500 directory)
6
Certifying the identity using public-key certificates
Diagram: a certification authority issuing public-key certificates
7
Public-key certificate
Fields: version, serial number, algorithm, issuer, validity, subject, public key info, issuer unique id and subject unique id (version 2 fields: do not use!), extensions (version 3: important), digital signature of issuer
8
Extensions
The extension concept allows additional information to be added to a public-key certificate. Organizations may define their own extensions. If the information changes, the public-key certificate has to be renewed.
9
Certification authority (CA)
NOT: certificate authority
Verifies the identity of the subject
Verifies possession of the key pair
Verifies the other information as required
Issues and signs the public-key certificate
Maintains revocation status
Publishes revocation status
10
Checking the credentials
A passport is a type of certificate binding a picture to a subject ID
It has to be issued by a trustworthy authority
A passport may be false
It is checked by the validator, also called the relying party
Diagram: subject and relying party
11
Trust
Would you buy a certificate of this man? Would you trust a certificate issued by this man?
(Picture, labelled "Certificates")
12
Hierarchical structure
Diagram: a trust anchor at the top, CAs beneath it, and end entities (EEs) at the leaves
CA = Certification authority; EE = End entity
13
Trust anchor
Trusted by a relying party
Trust anchor information: configured into the relying party; a public-key certificate or similar information
14
Certificate revocation lists (CRLs)
Fields: version, algorithm, issuer, time for this update, time for next update, revoked certificates (each entry: certificate serial number, revocation date, entry extensions), CRL extensions, digital signature of issuer
15
Online Certificate Status Protocol (OCSP)
Diagram: an OCSP client sends an OCSP request to an OCSP responder, which returns an OCSP response
16
Validation procedure
Diagram: a CA certifies user system A (end entity); user system B (relying party) stores trust anchor information, receives signed data from A, and checks revocation
17
Where to go
The central source for information on the X.500 Directory Standard, including X.509: www.x500standard.com