Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Published byBeryl Holland Modified over 8 years ago

Similar presentations

Presentation on theme: "Wolfgang Schneider NSI: A Client-Server-Model for PKI Services."— Presentation transcript:

1 Wolfgang Schneider NSI: A Client-Server-Model for PKI Services

2 Page 2 Public Key Infrastructures PKIs setup by companies and organizations Allow certificates to be issued and retrieved May be interconnected through cross-certificates Allows for inter-organizational communication –Authenticated, integrity protected, encrypted Problem: PKIs not fully deployed nor easy to use

3 Page 3 Motivation: Slow PKI Deployment Expensive –Development of applications using PKI security services –Administration cost of configuring and maintaining clients Complex –Security enabled software is complex to write –Non-user friendly, not transparent Encryption and digital signatures are not in widespread use

4 Page 4 Motivation II: Complexities of PKI – Trust Path Construction Initial disjoint PKIs –Communication between arbitrary users not possible –Only useful within single PKI structure Cross-certificates –Allows communication between separate PKIs –However, makes path building more complicated PKIs too complicated for user –Validation policies, policy mappings, configuration  Client-Server model

5 Page 5 Complexity of Trust Path Construction Possible certificate path a cross certifies b ab a issues certificate b ab CA - Certificate Authority TA - Trust Anchor IBM Fraunhofer Verifier CA TA CA John‘s certificate

6 Page 6 Problems for Security Applications Support of many protocols is necessary –Certificate and CRL download (HTTP, FTP, LDAP,...) –Certificate Status (OCSP, LDAP) All applications must –Support all protocols –Know addresses of all needed repositories –Have cryptographic functionality –Be able to handle the complexities of PKI Complexity = Bugs = Less security

7 Page 7 Problems for Users Applications are expensive and large –Small devices cannot support storage and computational requirements Must configure applications with addresses of repositories –For path construction and encryption key retrieval Trust path construction is slow

8 Page 8 NSI Solution Develop a Client-Server based PKI Reduce complexity on client-side („Thin Client“) by offering server based services such as: –Signature validation –Trust path construction –Management of CRLs and Revocation Status‘ –Central management of certificate policies Simple access to non-hierarchical interconnected PKIs

9 Page 9 Advantages for Clients Need not support multitude of PKI protocols –Need support only one Client-Server-Protocol Need not be configured with repository addresses –Application only needs to know 1 or 2 PKI-Servers Complex tasks delegated to the PKI Server –Signature and certificate validation –Encryption key retrieval Thus, applications become smaller and simpler Devices with limited resources can utilize PKI functionality –Examples: Cellular phones, PDAs (Personal Digital Assistants)

10 Page 10 PKI-Server Security Services Scenario PKI Server PKI Server PKI Server OCSPLDAP DNSOCSP Centrally managed policies Trust path construction request Certificate retrieval request Signature validation request

11 Page 11 Who will benefit from the PKI Server? Companies –Central management of Security Policies –No longer need to reconfigure every client when PKI or policy changes Developers for small devices –API on client side has low resource requirements –More devices able to use PKI services Security application developers –Decreased development time and costs –More robust security code TrustCentre may provide PKI services

12 Page 12 NSI Goals Develop concrete protocols Develop client library such that clients with limited resources may use it Develop a working PKI Server that is deployable Run field tests

13 Page 13 Issues with NSI approach What is the architecture? Interconnection within existing PKIs What trust relationships are needed?

14 Page 14 PKI Architecture

15 Page 15 Comparison: Internet Routing PKI IP Routing –Cooperation of many IP routers –No computer knows every IP Address in the Internet –Network changes are known only to routers, not clients –Personal computer knows 1 to n DNS servers PKI –Little cooperation between PKIs –Application must know all repositories (incl. PKI meshes) –Every client must be updated for every PKI change

16 Page 16 Interconnection (A)Client-Server-Protocol (B)Server-Server-Protocol (C)Standard-Protocols (LDAP,OCSP,etc.)

17 Page 17 NSI‘s role within PKI PKI Server is separate from CA –Accesses available repositories to build paths –Does not need to be certified by CA Trust in PKI Server is through PKI Server‘s certificate –Must be configured on each client –Revocation check of certificate not defined

18 Page 18 Trust Relationships Client trust in PKI Server –Certificate validation: complete trust –Signature validation: complete trust –Path construction: no trust –Certificate retrieval: no trust PKI Servers deployed within organizations –Clients use organization validation policy and trust server

19 Page 19 Validity of PKI Server Responses All responses are authenticated –Secure connection (eg. SSL, IPsec) or –Digitally signed response Integrity of all requests and responses verifiable –Hashes, signatures, encryption Replay attacks detectable –nonces

20 Page 20 NSI comparison with XKMS Certificate retrieval and validation services supported NSI needs no connection with an RA or CA –XKMS offers registration and revocation services Size of sent and stored responses –XKMS uses XML tags –NSI uses ASN.1 (support embedded within client library) Small storage requirements for audits

21 Page 21 NSI: A Client-Server-Model for PKI Services Wolfgang Schneider wolfgang.schneider@sit.fhg.de Fraunhofer-Institute for Secure Telecooperation http://www.sit.fhg.de/NSI/

Download ppt "Wolfgang Schneider NSI: A Client-Server-Model for PKI Services."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Chapter 9 Deploying IIS and Active Directory Certificate Services

Chapter 9 Deploying IIS and Active Directory Certificate Services
Public Key Infrastructure Ben Sangster February 23, 2006.

Public Key Infrastructure Ben Sangster February 23, 2006.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI Administration Using EJBCA and OpenCA

PKI Administration Using EJBCA and OpenCA
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The Internet offers no inherent security services to its users; the data transmitted.

1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The Internet offers no inherent security services to its users; the data transmitted.
Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer

Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer
Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.

Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

Similar presentations

Ads by Google