Introduction to Roaming PKI C2

Roger Younglove, CISSP

Distinguished Member

Consulting Staff

June 17th., 2002

Agenda

PKI definition Why PKI The core components of a PKI Principal functions Cryptography overview Managing certificate Roaming Certificates Personal Entropy PKI use case

What is a PKI?

PKI stands for “public key infrastructure” It’s a trust distribution mechanism PKI allows any arbitrary level of trust

PKI Definition

It is more than a single technology or product; it’s a complex system.

A public-key infrastructure (PKI) is the set of policies, people, processes, technologies and services that make it possible to deploy and manage the use of public-key cryptography and digital certificates on a wide-scale.

Why PKI …

PKI provides answers to all the elements of secure electronic transactions

– Authentication

– Access Control

– Confidentiality

– Integrity

– Non–Repudiation

How does PKI achieve this ?

Authentication via Digital Certificates Access control via Key Management Confidentiality via Encryption Integrity via Digital Signatures Non-Repudiation via Digital Signatures

Components of a PKI

Digital Certificate

It’s a signed data structure that binds one or more attributes of an entity with its corresponding public key.

The data structure is signed by a recognized and trusted authority (i.e. the CA).

It provides assurance that a particular public key belongs to a specific entity (and that the entity possesses the corresponding private key).

CertificationAuthority

Certification Authorities are the people, processes and tools that are responsible for the:

– creation,

– delivery

– and management

of digital certificates that are used within a PKI.

CertificationAuthority

There can be multiple configurations of CAs.

• Root, only

• Hierarchical, root and subordinates

• Cross certified CAs

• Bridge cross certified CAs

CertificationAuthority

CA-1 CA-2

Root CA

Hierarchical Root and subordinate CAs

CertificationAuthority

Cross Certified CAs

Certification Authority

Bridge CA cross certification

Bridge CA

Registration Authority

RA’s are the people, processes and/or tools that are responsible for– authenticating the identity of new entities (user or

computing devices)

– requiring certificates from CA’s.

They act as agents of CA’s

Certification Repository

A database, or store, which is accessible to all users of a PKI, contains:– public-key certificates, – certificate revocation information – and policy information

It is a x.500 compliant directory server, for access to certificates (x.509) LDAP is used to query the data base.

PKI Client Software

Client-side software is required to ensure PKI-entities are able to make full use of the key and digital certificate management services of PKI such as:– key generation, PKCS 10/7 or PKIX 3.03

– automatic key update

– secure storage of private key

PKI- EnabledApplications

Software applications must be PKI aware before they can be used with a PKI.

Typically this involves modifying an application so that it can understand and make use of digital certificates.

i.e. to authenticate a remote user and authenticate itself to a remote user.

Policy

RFC 2527 is the present blue print. draft-ietf-pkix-ipki-new-rfc2527-00.txt Certification Policies and Certificate Practice

Statements are policy documents that define the procedures and practice to be employed in the:– use,

– administration

– and management

of certificates within a PKI.

Relying Parties(RP)

Applications Equipment Individuals Companies

Principal Functions

Register new user – checking their credentials to ensure they are bona fide applicants.by RA

Create public and private key.by PKI client software or can be created by the CA and pushed to the client.

Provide mechanisms to protect the private key(authentication to control access to the private key).

by PKI client software Create and provide public-key certificates

for legitimate PKI users. by CA

Principal Functions

Make public-key certificates available for use by other PKI users.by CA

Support revocation checking so that certificates that are no longer valid are easily identified.by CA

Support non-repudiation (by generating and protection the signing key pair).by PKI client Sw

Principal Functions

Periodical update of key pairs – to reduce the risk of key compromise.by PKI client software or CA

Manage key histories so that content encrypted in the past can still be recovered. by PKI client software and/or CA

Provide a mechanism to recover encryption keys.by CA

Support cross certification – thereby users of one PKI may use their certificates in other PKI.

by CA

Cryptography ….

The effectiveness of cryptography is based on– the key and its length

– the tested algorithms

Cryptographysystems

symetricsystems

asymetricsystems

blockcipher

streamcipher

like:DES3DESIDEA

like:RSAElGamal

Symmetric Cryptography

Examples

– DES, Triple-DES, AES (in the future)– Blowfish, SAFER, CAST – RC2, RC4 (ARCFOUR), RC5, RC6

Asymmetric Cryptography

It’s based on an algorithm with two different keys:– private Key (it must be protected by his owner)

– public Key Algorithms for public key cryptography

are called – asymmetric algorithms Encryption is defined as Ek(P)=C

(using the public key)

Decryption is defined as Dk(C)=P(using the private key)

Asymmetric Cryptography

Examples– RSA– Diffie-Hellman Key Exchange – ElGamal, Digital Signature Standard (DSS)

Objectives (asymmetric cryptography)

One of the most often used cases of asymmetric cryptography, its goal is to send a key over a unsecured carrier.

this key would be used for symmetric cryptography

Conclusion:We need asymmetric cryptography to submit a key which we use for symmetric cryptography – to exchange data – this symbioses is calledhybrid cryptography

Example 1/3 (sender Alice)

Alice generates her own key pair.

public keyAlice

private keyAlice

Bob generates his own key pair.

Both sent their public key to a CA and receive a digital certificate.

BobBob

public keyBob

private keyBob

Example 2/3

Alice gets Bob’s public key from the CA

private keyAlice

public key

Bob

private keyBob

public keyAlice

Bob gets Alice’s public key from the CA

Example 3/3

Provides signatures with public key

Message

Alice Bob

Hash MessageHash

Encryption Decryption

AlicePrivate

AlicePublic

Hash=?

Managing Certificates

Certificate revocation refers to the process of publicly announcing that a certificate has been revoked and should no longer be used.

From a theoretical point of view, certificate revocation is a challenging problem and there are several approaches to address it:- The use of certificates that automatically time out;- The use of a list that itemizes all revoked certificates

in an online directory (OCSP);- The use of certificate revocation lists (CRLs).

Roaming Cert

How does a roaming cert differ from the traditional? – The key pair is created on the CA and stored

in the data base.

– The private key does not reside on the local PC.

– The private key is retrieved for each use.

Roaming Cert

What are the benefits of a roaming cert?– A Certificate holder can log into an

application from any remote device that has Web capability.

– They can down load and use their certificate to authenticate to an application.

– They can use their private key for digital signatures and maintain NonRepudiation.

Key Retrieval

Login and password– Low to medium level of security

Login and SecurID– High level of security

– Could be costly, if a large user base is required

Login and Personal Entropy– Medium to high level of security

– Low cost even for a large user base

Personal Entropy

What is Personal Entropy (PE)– PE is a series of personal questions and

answers that are known only to a the specific individual

How is it created– Predetermined questions created by the

company, low level security

– Series of questions created by the individual user, medium security

Predetermined PE

What is your favorite color? What is your mothers maiden name? What is your eye color? What is your year of birth? What is your company ID? What is the balance on your last credit

card statement? What was the balance in your savings

account on (date)?

Self Created PE

With guidance provided by the organization highly secure questions can be created based on:– Who?

– What?

– When?

– Where?

– and How?

Self Created PE

Who?– Who was my sweet heart in third grade?

Sally Smythe

What?– What breed was my first dog? Boxer

When?– When did I get my last dog? Feb. 95

Where?– Where do I keep my slippers? Under the

bed.

PKI Use Cases

Certificate Vendors Baltmore Technologies

– UniCert PKI Software– Provides managed service

Entrust– Entrust Authority PKI Software– Provides managed service

RSA Security– Keon PKI Software

VeriSign– Provides Server Certificates– Provides managed service