Presentation is loading. Please wait.

Presentation is loading. Please wait.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report."— Presentation transcript:

1 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report

2 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA Project  Cryptography and PKI Overview  APNIC CA project  Benefits and costs  Project plans  Future developments  References  Questions?

3 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Cryptography - Terms  Public key cryptography  Cryptography technique using different keys for encoding and decoding messages  Keypair  Private key and public key, generated together, used in public key cryptography  Encryption/Decryption  To encode/decode a message using a public or private key

4 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Decrypt Message Transmit Encrypted Message Public Key Cryptography - Encryption Encrypt Encrypted Message Keypair Retrieve Public Key

5 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Decrypt Message Transmit “Signed” Message Public Key Cryptography - Encryption Encrypt “Signed” Message Keypair Retrieve Public Key

6 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Public Key Cryptography - Digital Signature Assemble Signed Message Digest Hash Signature Encrypt Message Keypair

7 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Public Key Cryptography - Digital Signature Signature Message Digest Valid? Signed Message Digest Decrypt Retrieve Public Key

8 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E PKI - Terminology  Public Key Infrastructure (PKI)  Administrative structure for support of public key cryptography  Public Key Certificate (Digital Certificate)  Document linking a Public Key to an identity, signed by a CA, defined by X.509  Certificate Authority (CA)  Trusted authority which issues digital certificates

9 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Digital Certificates  A digital certificate contains:  Identity details  eg Personal ID, email address, web site URL  Public key of identity  Issuer (Certification Authority)  Validity period  Attributes  The certificate is signed by the CA

10 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Digital Certificate - Example Certificate ::= SEQUENCE { tbsCertificate TBSCertificate, tbsCertificate TBSCertificate, signatureAlgorithm AlgorithmIdentifier, signatureAlgorithm AlgorithmIdentifier, signature BIT STRING signature BIT STRING } TBSCertificate ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, version [0] EXPLICIT Version DEFAULT v1, serialNumber CertificateSerialNumber, serialNumber CertificateSerialNumber, signature AlgorithmIdentifier, signature AlgorithmIdentifier, issuer Name, issuer Name, validity Validity, validity Validity, subject Name, subject Name, subjectPublicKeyInfo SubjectPublicKeyInfo, subjectPublicKeyInfo SubjectPublicKeyInfo, issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, extensions [3] EXPLICIT Extensions OPTIONAL extensions [3] EXPLICIT Extensions OPTIONAL }

11 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Digital Certificate - Lifecycle Key Pair Generated Certificate Issued Certificate valid and in use Private Key compromised Certificate Expires Recertify Certificate Revoked Keypair Expired

12 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Why?  In response to  Membership concern for greater security  Confidential info exchange with APNIC  Is my database transaction secure?  Whose prefixes do you accept?  Internet community interest in security, PKI, digital certificates  e.g. rps-auth  IETF working group: PKIX

13 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Overview  Certificate issued to APNIC member  Corresponds to Membership of APNIC  Provides uniform mechanism for all security needs, such as :  Encryption and signature of email with APNIC  Authentication of access to APNIC web site  Secure maintainer mechanism for APNIC database  Future authorisation mechanism for Internet resources  Authentication of resource custodianship

14 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Benefits/Costs  Benefits  Uniform industry-standard mechanism for “single password” security, authentication and authorisation  Strong public key cryptography, end-to-end  Costs  Server and client software  Change to current procedures  New policies  Establishment: software purchase and/or development

15 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Roadmap

16 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Timeline

17 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA – Phase 1 Timeline

18 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Scoping Project  October 1999 - January 2000  Objectives  Analyse impact of introducing PKI  Provide focus for discussions  Raise awareness of PKI in general  Conclusions  Significant benefits for members’ security  Growing standards support for PKI  See: http://www.apnic.net/ca

19 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA – Phase 1  April – November 2000  Deliverables  Tender and selection of CA software  Policies for use of APNIC Certificates  Procedures for issuance and revocation of Identity certificates to members  Browser and deployment issues analysis  Issue trial certificates at APNIC Meeting October 2000  Risk Analysis

20 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA – Phase 2  January – June 2001  Deliverables  Certificates used for website access control  Support for X509 certificates in whois database  Strong encryption for member correspondence  Investigation of use of Attribute Certificates with resource allocation

21 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Future  Generalised CA function  APNIC Certificates may be used for general purposes  Requires tight policy and quality framework for APNIC certificates to be trusted  Hierarchical certification  APNIC Members may use their certificates to certify their own members or customers  May be applicable for ISPs and NIRs

22 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Future  Public Key Certificates  X.509 certificate linking a Public Key to an identity, issued by CA  Attribute Certificates  X.509 certificate linking Attributes to an identity, issued by CA or other authority  Provides authorisation, rather than authentication, information  Not yet widely deployed or supported  May be extended to carry resource allocation information

23 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Future  Resource certification  For verification of resource allocations by RIRs  Currently under discussion in IETF PKIX working group draft-clynn-bgp-x509-auth-01.txt “X.509 Extensions for Authorization of IP Addresses AS Numbers, and Routers within an AS”  APNIC watching developments

24 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Consultation  Mailing list open after Apricot2000  pki-wg@lists.apnic.net  http://www.apnic.net/wilma-bin/wilma/pki-wg  Further developments  See: http://www.apnic.net/ca

25 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC CA - Documents  IETF PKIX drafts: draft-ietf-pkix-roadmap-04.txt “Internet X.509 Public Key Infrastructure PKIX Roadmap” draft-clynn-bgp-x509-auth-01.txt “X.509 Extensions for Authorization of IP Addresses AS Numbers, and Routers within an AS” draft-ietf-pkix-ac509prof-01.txt “An Internet Attribute Certificate Profile for Authorization”  http://www.ietf.org/html.charters/pkix-charter.html

26 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Questions?

Download ppt "A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report."

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Work Plan 2000 APNIC Annual Member Meeting Seoul, 3 March 2000.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Work Plan 2000 APNIC Annual Member Meeting Seoul, 3 March 2000.
1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.

1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CP3397 ECommerce.

CP3397 ECommerce.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.

SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.
RPKI and Routing Security ICANN 44 June 2012. Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.

RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

Similar presentations

Ads by Google