Presentation on theme: "Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military."— Presentation transcript:
Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military Technical Academy Bucharest, Romania
Information Security Requirements Confidentiality protection from disclosure to unauthorized persons Integrity Maintaining data consistency Authentication Assurance of identity of person or data originator Non-repudiation Communication originator can’t deny it later
What is PKI -Public Key Infrastructure- PKI refers to the services providing: generation, production, distribution, control,revocation,archive of certificates management of keys, support to applications providing confidentiality and authentication of network transactions.
PKI for Military Use provide secure interoperability throughout the military organizations and with its partners- government, industry and academia; standards based; uses commercial PKI products to minimize the investment; support digital signature and key exchange; support key recovery; support Federal Information Processing Standards- FIPS compliance requirements.
CA’s are Trusted to Do A central administration - issues certificates: -company to its employees -university to its students -public CA (like VeriSign) to clients The CA must keep confidential his Private Key used to sign certificates The CA does not assign different certificates the same serial number The CA makes sure all the information in a certificate is correct Up to date Certificate Revocation List (CRL)
Our PKI Research/ Study -directions- Understanding PKI technology and establish –applications demanding PKI –PKI architecture Analysis of the possibilities/facilities of a vendor CA software-RSA Keon Developing our own CA software, using Eric Young Open SSL library Defining an adequate certificate policy and practice statement
PKI Main Applications Paperless Office -Document & E-mail Signing and Protecting Secure Web - User Authentication and Secure Communications Security in Organization’s Intranet/Extranet-VPN Certificate Authority -for the Romanian (Military) Internet Users
Deploying a PKI -Main steps- Analysis of Operational Requirements Establish PKI Applications Defining security policies Defining a deployment road map Establish the infrastructure (PKI & CA Design) Personnel Selection Hardware and Software Acquisition PKI Training Management & Administration
Defense PKI (DPKI) Generation, production, distribution, control, revocation, archive of public key certificates; Management of keys; Support to applications providing confidentiality and authentication of network transactions; Data integrity; Non-repudiation.
Certificate Clases For DPKI, it can adopt a certificate policy, which uses 3 classes of certificates: Low Class Certificates (for unclassified/sensitive information on classified network)- May be used for: Digital signatures for classified information on encrypted network; Key exchange for the protection (confidentiality) of communities of persons on encrypted networks; Non-repudiation for medium value financial or for electronic commerce applications.
Certificate Clases Medium Class Certificates (for unclassified/sensitive information on classified network)-. May be used for: Digital signatures for unclassified mission critical and national security information on un encrypted network Key exchange for the confidentiality of high valued compartmented information on encrypted networks or classified data over unencrypted networks Protection information crossing classification boundaring Non-repudiation for large financial or for electronic commerce applications. .
Certificate Clases High Class Certificates (for classified information on open network)- May be used for: Digital signatures for authentication of subscriber identity for accessing classified information over unprotected networks Key exchange for confidentiality of classified information over unencrypted networks Digital signatures for authentication of key material in support of providing confidentiality for classified information over unprotected networks..
CONCLUSIONS PKI -simplifies the management of security RAF structures and organizations can spend less time worrying about security, and more energy on their main activities (confidential documents no longer need to wait for days to be physically shipped; instead, they can be securely sent through e-mail) Web servers can allow secure access for only designated users Military organization networks can securely extend over the Internet, eliminating expensive leased data lines PKI’s possibilities are limitless
CONCLUSIONS For Romanian Armed Forces, the Public Key Infrastructure (PKI) capability may adopt the following components: -Root Certificate Authority -Certificate Authorities -Local Registration Authorities, -Certificate Directory, and principles: -use commercial and/or proprietary products, -use smart cards for protection of private keys and certificates, processing digital signature, access control.
CONCLUSION ? Steve Bellovin AT&T Security Guru “-What are the strongest defenses? -There aren’t any”