Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Published byMilo Carpenter Modified over 8 years ago

Similar presentations

Presentation on theme: "Security fundamentals Topic 5 Using a Public Key Infrastructure."— Presentation transcript:

1 Security fundamentals Topic 5 Using a Public Key Infrastructure

2 Agenda Certificates Key distribution Certificate lifecycle Trust models Applications of PKI

3 Public Key Infrastructure basics Public key encryption depends on key pairs – public key and private key Public key is available to others to encrypt and decrypt messages When others encrypt messages with your public key only you can decrypt with your private key When you sign a message with your private key, it proves you sent it Public key infrastructure allows users to securely exchange or distribute public keys in a large environment

4 Trusts PKI uses a third party trust model You trust a third party to perform an identity check and verify that a public key belongs to the entity that presents it The check is performed by a Certificate Authority (CA) A CA can be your organisation or a trusted third party You trust the CA to vouch for the identity of the public key owner

5 Certificate components Certificate, also called a digital certificate Used for authentication and secure exchange of information over open networks Certificate binds a public key to the entity that holds the associated private key CA certifies the validity of all information in the certificate after it has performed an identify check Defined by ISO standard X.509, the certificate contains: – The subject of the certificate (name of the computer or user who requested the certificate) – The public key – The certificate’s validity period – Email of owner – Signed hash of the certificate (signed with the private key of the CA) – Uses of the certificate – Details of CA

6 Enrolment The process of requesting and receiving a certificate The requestor (user or computer) generates a key pair The requestor sends the certificate request to the CA – Includes the public key and requestor information A certificate administrator reviews the request – Verifies information Upon approval, the CA issues the certificate – CA creates and signs the certificate with a hash to prevent modification – CA issues the certificate to the applicant

7 Certificate uses Authentication, confidentiality, non-repudiation Secure mail – S/MIME Secure web communications – SSL or TLS Secure websites Custom security solutions Smart card logon process Internet Protocol Security (IPSec) 802.1x Encrypting File System (EFS) Software code signing

8 Components of a PKI Digital Certificate CA: Certification Authority – Commercial: certificates are widely available – Private: for your company’s use only CRL: Certificate Revocation List – Lists certificates that have been revoked before expiry date Certificate publishing points and distribution points – Users can obtain certificates and CRLs – Made available in directories, via X.500 or LDAP protocol and on web servers Certificate and CA management tools – Publish and configure, import and export, recover keys Applications and Services use certificates

9 The certificate lifecycle User or computer generates key pair and submits certificate request including public key and information to CA – Certificate request file – Web enrolment CA verifies identity and generates a certificate Certificate is distributed or published to requesting users/computers User or computer supplies the certificate when using PKI applications Certificate reaches end of lifetime – Either expires – Is renewed and replaced with a new certificate which may or may not use the same public key

10 Certificate revocation Certificate can be revoked before it expires – goes onto the CRL Certificate revocation is final and revoked certificates can’t be reinstated. Should occur when: – the certificate’s owner leaves the company they work for – the certificate’s owner changes their name – a private key has been compromised – the certificate owner’s private key is lost – the CA has been compromised – the certificate has been superseded by a new certificate – the CA has ceased operation

11 Key archival and recovery If the private key is lost it becomes impossible to decrypt the data Key archival and recovery system is used to prevent loss of data When a user generates a key pair, they submit a copy of the private key to the CA along with the certificate request CA stores the private key securely CAs implement stringent security measures for key archival and recovery – Keys can only be recovered by one or more designated key recovery agents (KRAs). Smart cards also required sometimes Key Escrow – A copy of a user’s private key is held by a separate entity. This entity releases the private key to a third party when a prearranged event takes place M of N control – There are a certain number of recovery agents (N), a minimum number of these recovery agents (M) have to approve access to a private key

12 Storage of certificates and keys Access to the private keys is normally secured by a password or a passphrase that the user must enter to decrypt the private key A more secure storage method for private keys is a smart card. A smart card is a credit card-sized computer that generates and stores key pairs. The private key never leaves the smart card. Access to the private key requires that you enter a personal identification number (PIN) or password Smart cards are considered tamperproof and can be removed from a computer Private keys can also be stored in specialized hardware devices that destroy the public keys when someone tampers with the hardware device

13 Certificate authority trust models To trust a CA, your computer must contain the certificates of one or more trusted root CAs This certificate, which has been issued by a root CA, allows your computer to determine the authenticity of other certificates that were signed by that root CA A root certificate is a self-signed certificate When a certificate is presented to an application, one of the validation tests that the application performs is to determine whether the certificate was issued by a CA that is chained to a trusted root If the certificate was issued by a trusted root CA or the certificate chains to a trusted root CA, the certificate is trusted by a client Most Web browsers contain a list of trusted root CAs that the browser vendor has designated as trustworthy You can also place additional root CAs, such as your own organization’s root CA, into the certificate store

14 Trust models For a PKI, a trust is a relationship that allows a CA to trust a certificate issued by another CA A trust path links several CAs together For a CA to form a trust relationship with another CA, one CA must obtain a certificate from the other CA: subordinate CAs There are three common ways to configure trust paths: – Hierarchical architecture – A mesh architecture – A bridge CA

15 Hierarchical architecture A hierarchical architecture depends on root CAs Root CAs can then issue certificates to other CAs and so on

16 Mesh architecture Multiple peer CAs issue certificates to each other To certify, they create certificates for each other

17 Bridge CA architecture A bridge CA connects mesh and hierarchical architectures together Allows different companies to have their own trust architecture and have a single connection using a bridge CA If the trust relationship needs to be broken, there is only a single point to manage

18 Secure communications using SSL SSL: most commonly used to verify a web server’s identity to a web client and to encrypt data between the client and the server Authentication and encryption are based on certificates Web server must have a certificate that was issued by a CA that chains to a root CA that the web client trusts 1. The client establishes the connection with https:// 2. The web server sends its certificate to the client 3. The client verifies the information in the certificate. Checks that the certificate was issued by a CA that chains to a root CA that the client trusts The certificate has not been tampered with The certificate’s name matches the name of the Web site that the client is connecting to The certificate is valid and has not expired The certificate has been issued for the purpose of server authentication If the client is configured to check for certificate revocation, the client checks any valid cached copies of the CRL or retrieves the CRL

19 Secure communications using SSL 4.Displays the security alert box if any check fails. The client extracts the Web server’s public key from the certificate 5.The client creates a pre-master secret, which is a randomly generated block of data, encrypts it with the web server’s public key, and then sends it to the web server 6.The web server uses its private key to decrypt the pre-master secret 7.The web server and the client create a secret session key based on the pre-master secret 8.The web server and the client encrypt all data that they exchange by using the session key 9.When the web server or client closes the connection, both sides discard the session key 10.If the client establishes another connection, the process starts from the beginning, creating a new session key

20 Secure email You can use certificates when you sign or encrypt email. How certificates are used depends on whether they are used for signing or encryption. When a user wants to send a signed email, the following process takes place: 1.The email program creates a hash from the email message and signs the hash with the user’s private key 2.The user sends the email and the sender’s certificate to the recipient 3.The recipient checks the certificate for its validity, checks whether the certificate was issued by a CA that chains to a trusted root CA, and verifies that the certificate was issued to the email message’s sender 4.The recipient extracts the sender’s public key from the certificate and decrypts the message hash with it 5.The recipient computes a hash from the email message and compares this hash with the hash that the sender created. If both hashes match, the message was signed by the sender and the message has not been altered

21 Secure email When a user encrypts an email message to ensure confidentiality, the following process takes place: 1.The sender obtains the recipient’s certificate, checks the certificate for its validity, verifies that the certificate was issued by a CA that chains to a trusted root CA, then verifies that the certificate was issued to the intended recipient of the email message 2.The sender encrypts the email message with a randomly generated secret key 3.The sender extracts the recipient’s public key from the certificate and encrypts the secret key with this public key 4.The sender sends the email message with the encrypted secret key to the recipient 5.The recipient uses her private key to decrypt the secret key. The recipient then uses the secret key to decrypt the email message

22 Summary What digital certificates are How keys are distributed and recovered in a PKI The certificate lifecycle Various PKI trust models How PKI and certificates can be applied

Download ppt "Security fundamentals Topic 5 Using a Public Key Infrastructure."

Similar presentations

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
(n)Code Solutions A division of GNFC

(n)Code Solutions A division of GNFC
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Cryptography and Network Security

Cryptography and Network Security
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
COMP3123 Internet Security Richard Henson University of Worcester October 2010.

COMP3123 Internet Security Richard Henson University of Worcester October 2010.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Chapter 11: Active Directory Certificate Services

Chapter 11: Active Directory Certificate Services
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

Similar presentations

Ads by Google