Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Public Key Infrastructure January 2004 CSG Meeting Jim Jokl.

Published byEdwin Harrell Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction to Public Key Infrastructure January 2004 CSG Meeting Jim Jokl."— Presentation transcript:

1 Introduction to Public Key Infrastructure January 2004 CSG Meeting Jim Jokl

2 Cryptography Symmetric key cryptography –A pre-shared secret is used to encrypt the data –Some examples: DES, 3-DES, RC4, etc Public key cryptography –A pair of mathematically related keys are generated One of the keys, the Public Key, is freely distributed The other key, the Private Key, is kept confidential –Given one keys, it is computationally very hard to compute the other

3 Public Key Cryptography –Data encrypted using the public key can only be decrypted by the person with the private key –Likewise, data encrypted with the private key can be decrypted by anyone having a copy of the public key Assuming that the private key is protected and held by an individual, this is the basis for a digital signature Plain Text Encrypted Text one key the other key

4 Digital Signatures and Document Encryption Public Key operations are too computationally expensive for large volumes of data Typical digital signature process –Compute the hash of the document –Encrypt the hash using the signer’s private key Typical document encryption process –Generate a random symmetric cipher key –Encrypt the document using this key –Encrypt the symmetric cipher key using the recipient’s public key

5 Digital Certificates A Digital Certificate is: –An object used to bind the identity of a person to their public key –Contains attributes about the person –Contains some information about the identity binding and infrastructure –Digitally signed by a Certification Authority (CA)

6 Certificate Profiles A description of the fields in a certificate –Recommended fields to use –Field values –Critical flags –Recommendations for implementers –Example ProfileExample Profile

7 Certification Authorities (CA) Certification Authorities –Accept certificate requests from users –Validate the user’s identity –Generate and sign the user’s certificate attesting to the mapping of the identity to the public key –Revoke certificates if needed –Operate under a set of policies and practices Levels of Assurance

8 Certification Authorities and Trust You determine if you trust a certificate by validating all of the certificates starting from the user’s cert up to a root that you trust 100+ root certificates in my Microsoft store The “I” in PKI Root Certificate Intermediate Certificate User A Cert User C Cert User B Cert User D Cert User E Cert

9 PKI Bridge Path Validation

10 PKI, Privacy, and the Pseudo- anonymous CA As stated earlier: “A certificate binds a person’s identity to their public key” Typically the “identity” is their name, email address, computing identifier, etc –Poses some interesting privacy concerns in some applications A pseudo-anonymous CA uses an opaque identifier instead of name/id information

11 Operating System Support for PKI Windows 2000/XP –Well integrated out of the box support for PKI –OS-based certificate/key store –APIs for access to crypto providers –Microsoft applications generally support PKI –Many 3 rd party applications use OS PKI services –Bridge path validation in XP –Windows 2000 server includes a CA

12 Operating System Support for PKI MacOS –Apple has excellent plans to improve their level of OS PKI support to match that of Windows –OS-based certificate/key store exists now and is used by some Apple applications –3 rd party applications should start to use the native support in the future Linux and general Unix –PKI support generally implemented in applications

13 Trust, Private Key Protection and Non-repudiation Digital signatures - based on the idea that only the user has access their private key A user’s private key is generally protected by the workstation’s operating system –Typical protection is no better than for any password that the user lets the operating system store Hardware tokens can be used for strong private key protection, mobility, and as a component in a non-repudiation strategy

14 Two classes of campus PKI applications? Existing normal processes –A PKI using a light policy/practices framework –Better technology and ease of use for existing services –New applications where passwords would have been sufficient in the past

15 Two classes of campus PKI applications? Newer High Assurance services –Access control for critical systems –Authentication for high-value services HiPAA/FERPA/GLBA –Digital signatures for business processes

16 Some Campus CA Options In-source –Commercial CA software –Develop your own or use freely available CA software (typically based on OpenSSL) –KX509 Outsource to commercial CA –Campus still performs the RA function

17 Agenda for remainder of session Motivations for campus PKI deployments –Focus on applications using end-user certificates Introduction to likely campus PKI applications National activities –HEBCA, USHER, PKILab, HEPKI, etc Examples of campus PKI deployments Wrap-up and discussion

Download ppt "Introduction to Public Key Infrastructure January 2004 CSG Meeting Jim Jokl."

Similar presentations

April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics.

April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics.
Public Key Infrastructure and Applications

Public Key Infrastructure and Applications
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.

PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Grid Computing Basics From the perspective of security or An Introduction to Certificates.

Grid Computing Basics From the perspective of security or An Introduction to Certificates.
Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.

Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.
1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia.

1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC513-01 Instructor:Professor Anvari Student ID:106845 Name:Xin Wen Date:11/25/00.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Technology – Broad View1 Networks  For the most part, not a technology, but political/financial issue Available bandwidth continuously increasing (“√2-rule”

Technology – Broad View1 Networks  For the most part, not a technology, but political/financial issue Available bandwidth continuously increasing (“√2-rule”

Similar presentations

Ads by Google