Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11...

17
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 [email protected] ITU Workshop on “Caller ID Spoofing” (Geneva, Switzerland, 2 June 2014)

Transcript of Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11...

Page 1: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

Geneva, Switzerland, 2 June 2014

Introduction topublic-key infrastructure (PKI)

Erik Andersen,Q.11 Rapporteur,

ITU-T Study Group [email protected]

ITU Workshop on “Caller ID Spoofing”

(Geneva, Switzerland, 2 June 2014)

Page 2: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

Geneva, Switzerland, 2 June 2014 2

PKI and PMI

Public-key certificates: The basis for public-key infrastructure (PKI)

Attribute certificates: The basis for privilege management infrastructure (PMI)

Rec. ITU-T X.509 | ISO/IEC 9594-8 base specification for both types of infrastructure

Page 3: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

3

Facts about X.509

Geneva, Switzerland, 2 June 2014

Part of the X.500 Series of RecommendationsAlso issued as ISO/IEC 9594-8Issued in seven editionsFirst edition in 1988Eight edition on its wayNumber one in downloadsDefines:

Public key/private key principlesPublic-key certificatesPublic-key infrastructure (PKI)Attribute certificatesPrivilege management infrastructure (PMI)

PKI

Page 4: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

4

Asymmetric cryptography

Geneva, Switzerland, 2 June 2014

A B

Action usingprivate key

Resolving usingpublic key

Action usingpublic key

Resolving usingprivate key

Private key Public key

Asymmetric cryptography is basic technology behind PKI and PMI

Page 5: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

5

PKI entities

Geneva, Switzerland, 2 June 2014

CRLIssuer

End entity

RegistrationAuthority

CA

Certificate&

CRLrepository(e.g., an LDAP or X.500

directory)

CA

Page 6: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

6

Certifying the identity usingpublic-key certificates

Geneva, Switzerland, 2 June 2014

Certification Authority

OK

Page 7: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

7

Public-key certificate

Geneva, Switzerland, 2 June 2014

Subject

Serial number

Public key info

Version

Algorithm

Validity

Issuer

Issuer unique id

Subject unique id

Extensions

Digital signature of issuer

Version 2 (do not use!)

Version 3 - Important

Page 8: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

Extensions

The extension concept allows adding additional information to a public-key certificate.Organizations may define own extensions.If the information changes, the public-key certificate has to be renewed.

Page 9: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

Geneva, Switzerland, 2 June 2014 9

Certification authority (CA)

NOT: Certificate authorityVerify the identity of the subject Verify the position of the key-pairVerify the other information as requiredIssues and sign the public-key certificate Maintain revocation statusPublishes revocation status

Page 10: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

10

Checking the credentials

Geneva, Switzerland, 2 June 2014

A passport is a type of certificate binding a picture to a subject IDHas to be issued by a trustworthy authorityA passport may be falseIt is checked by the validator, also called the relying party

SubjectRelying party

Page 11: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

11

Trust

Geneva, Switzerland, 2 June 2014

Would you buy a certificate of this man?

Would you trust a certificate issued by this man?

Certificates

Page 12: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

Hierarchical Structure

Trust anchor

CA CA

EE EE EE EE EE EE EE EE

CA CACACA

CA = Certification authorityEE = End entity

Page 13: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

13

Trust anchor

Trusted by a relying party

Trust anchor information:

Configured into relying party

Public-key certificate

or similar information

Geneva, Switzerland, 2 June 2014

Page 14: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

Certificate Revocation List (CRLs)

Certificate Serial Number

Revocation Date

Version

Algorithm

Time for this update

Issuer

Extensions

Digital signature of issuer

Time for next update

CRL Extensions

Certificate Serial Number

Revocation Date

Extensions

Revoked Certificate

Revoked Certificate

Page 15: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

15

Online Certificate Status Protocol (OCSP)

Geneva, Switzerland, 2 June 2014

OCSP request

OCSP response

OCSP responder

OCSP client

Page 16: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

Validation procedure

TrustAncho

r

User system A

(end entity)

CA

CA

User system B(Relying Party)

Storing ofTrust AnchorInformation

Check ofrevocation

Signeddata

Page 17: Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu ITU Workshop.

17

Where to go

Geneva, Switzerland, 2 June 2014

The central source for information on theX.500 Directory Standard including X.509.

www.x500standard.com