Public Key Infrastructure

Public Key Distribution issue
- Public Key cryptography solves the problem of
  - Confidentiality, Integrity, Authenticity, Non-repudiation
- But how to ensure the public key is not faked?
  - Eve creates a pair of keys (private/public) and tells everyone that the public key she generated belongs to Alice
  - People send confidential stuff to Alice
  - Alice cannot read it (she is missing the private key)
  - Eve reads Alice’s messages

PKI
- PKI is a group of solutions for key distribution problems and other issues:
  - Key generation
  - Certificate generation, revocation, validation
  - Managing trust

Using Certificates

How to Verify a Public Key?
Two approaches:
- Before using anyone's public key:
  - Meet to get the right one
  - Have the public key sent on a storage device using registered mail (if you trust registered mail)
  - You can use the telephone (if you trust the telephone)
- Contact someone you already trust to certify that the key really belongs to its real owner
  - By checking for a trusted digital signature on the key
  - That’s where certificates play a role

Trust Models
- Web-of-Trust
  - P2P model for key certification based on friends and friends of friends
  - Individuals digitally sign each other's keys
  - You implicitly trust keys signed by some of your friends
  - Used by “Pretty Good Privacy” (PGP)
- Trusted Authority + Path of Trust (CAs)
  - A trusted agent who certifies public keys for general use
  - Everyone trusts the root Certificate Authority (Verisign, Thawte, BT etc.)
  - The CA digitally signs the keys of anyone, having checked their credentials by traditional methods
  - The CA may even nominate others to be CAs

CA model (Trust model)
Diagram, top level to bottom level:
  Root Certificate
    CA Certificate, CA Certificate
      Server Cert., Server Cert., Server Cert., Server Cert.

Trust Models Issues
- Web-of-trust
  - Time-consuming, requires lots of work
  - Works well in small or highly connected worlds
  - How do you verify a public key from someone you didn't know before?
- Certification authorities
  - “Big brothers” that everyone must trust
  - Simpler model to deploy

A Fully Functional PKI
- Certification authority
- Certificate repository
- Certificate revocation
- Key backup and recovery
- Automatic key update
- Key history management
- Cross-certification
- Support for non-repudiation
- Time stamping
- Client software

PKI Major Parts
- PKI is a system that uses public-key encryption and digital certificates to achieve secure Internet services.
- There are 4 major parts in PKI:
  - Certification Authority (CA)
  - A directory service
  - Services, Web servers
  - Business users

PKI Structure
Diagram components: Certification Authority, Directory services, User, Services / Web servers

Public/Private Keys

Storing Certificates and Keys
- Certificates need to be stored so that interested users can obtain them
  - This is not an issue. Certificates are “public”
- Keys need to be stored for data recovery purposes
  - This weakens the system, but is a necessity
- This is a function most certificate servers offer
  - Those servers are also responsible for issuing, revoking, signing etc. of certs
- But this requires the certificate server to generate the key pairs

Example (wrong)
Diagram: User and Certification Server (labels: Priv, pub, DS, Cert)
- User generates a key pair
- Public key is submitted to CA for certification
- Certificate is sent to the user

Example (Good)
Diagram: User and Certification Server (labels: Priv, pub, DS, Cert)
- User requests a certificate from the CA
- CA generates a key pair
- CA generates the certificate
- Private Key and Certificate are sent to the user
- This model allows key recovery

SSL with PKI
- Server authentication is necessary for a web client to identify the web site it is communicating with
- To use SSL, a special type of digital certificate, the “Server certificate”, is used
  - Get a server certificate from a CA
  - Install the server certificate at the Web server
  - Enable SSL on the Web site

Single CA
- A CA that issues certificates to users and systems, but not to other CAs
  - Easy to build
  - Easy to maintain
  - All users trust this CA
  - Paths have one certificate and one CRL
  - Doesn’t scale particularly well

Hierarchical PKI
- CAs have a hierarchical relationship (as in a tree)
- All CAs trust the root CA
- The root's certificate is self-signed
- The root CA certifies its child CAs, and they in turn certify their child CAs, and so on.
- Easy to establish/verify a trust relationship between any two CAs
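
An added example (not part of the original slides) of the path check a relying party performs in the hierarchical model above, which is also what defeats the faked-key problem from the "Public Key Distribution issue" slide: each certificate must verify under its issuer's key, every issuer must be a CA, and the path must end at an already trusted root. It assumes toy textbook RSA over Mersenne primes and a made-up certificate layout (all names and fields are hypothetical); real deployments use X.509 and a vetted library.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def keygen(a, b):
    # Toy textbook RSA over Mersenne primes 2**a-1 and 2**b-1: illustration only, not secure.
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def tbs_hash(subject, issuer, n, is_ca, mod):
    # Hash of the "to be signed" fields, reduced into the signer's modulus.
    data = f"{subject}|{issuer}|{n}|{is_ca}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % mod

def issue(subject, subject_key, issuer, issuer_key, is_ca=False):
    h = tbs_hash(subject, issuer, subject_key["n"], is_ca, issuer_key["n"])
    return {"subject": subject, "issuer": issuer, "n": subject_key["n"],
            "is_ca": is_ca, "sig": pow(h, issuer_key["d"], issuer_key["n"])}

def signed_by(cert, issuer_n):
    h = tbs_hash(cert["subject"], cert["issuer"], cert["n"], cert["is_ca"], issuer_n)
    return pow(cert["sig"], E, issuer_n) == h

def validate(chain, trusted_roots):
    """chain is leaf first, root last; trusted_roots maps root name -> public modulus."""
    root = chain[-1]
    if trusted_roots.get(root["subject"]) != root["n"]:
        return False, "untrusted root"
    for cert, issuer in zip(chain, chain[1:] + [root]):  # root is checked against itself
        if cert["issuer"] != issuer["subject"]:
            return False, f"issuer mismatch on {cert['subject']}"
        if not issuer["is_ca"]:
            return False, f"{issuer['subject']} is not a CA"
        if not signed_by(cert, issuer["n"]):
            return False, f"bad signature on {cert['subject']}"
    return True, "ok"

# Constructed hierarchy: Root CA -> Intermediate CA -> Alice, plus Eve's end-entity cert.
root_k, inter_k = keygen(1279, 2203), keygen(521, 607)
alice_k, eve_k = keygen(107, 127), keygen(61, 89)
root = issue("Root CA", root_k, "Root CA", root_k, is_ca=True)  # self-signed
inter = issue("Intermediate CA", inter_k, "Root CA", root_k, is_ca=True)
alice = issue("Alice", alice_k, "Intermediate CA", inter_k)
eve = issue("Eve", eve_k, "Intermediate CA", inter_k)
TRUST = {"Root CA": root_k["n"]}

# Eve binds her own key to the name "Alice" in two ways.
forged = issue("Alice", eve_k, "Intermediate CA", eve_k)  # signed with Eve's key, not the CA's
via_eve = issue("Alice", eve_k, "Eve", eve_k)             # chained under Eve's non-CA cert
```

`validate([alice, inter, root], TRUST)` accepts the genuine path; both of Eve's certificates are rejected, the second because her own certificate was never marked as a CA.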

Pretty Good Privacy (PGP)
- Released in June 1991 by Philip Zimmermann (PRZ)
- PGP is a hybrid cryptosystem that allows users to encrypt and decrypt
- Uses a session key: “a random generated number from the mouse movement or keystrokes”

PGP Public Key
Philip R Zimmermann's Public Keys
Current DSS/Diffie-Hellman Key:
Key fingerprint: 055F C78F 1121 9349 2C4F 37AF C746 3639 B2D7 795E