Deploying a Certification Authority for Networks Security

Prof. Dr. VICTOR-VALERIU PATRICIU
Cdor. Prof. Dr. AUREL SERB

Computer Engineering Department, Military Technical Academy
Bucharest, Romania


Information Security Requirements

• Confidentiality: protection from disclosure to unauthorized persons
• Integrity: maintaining data consistency
• Authentication: assurance of identity of person or data originator
• Non-repudiation: communication originator can’t deny it later


Public-Key Encryption


Confidentiality


Digital Signatures - creation -


Public Key Distribution


Public Key Distribution


Digital Certificate

• Is a person really who they claim to be?
• Does the public key really belong to this person?


Certificate Structure


What is PKI - Public Key Infrastructure

PKI refers to the services providing:
• generation, production, distribution, control, revocation, archive of certificates
• management of keys
• support to applications providing confidentiality and authentication of network transactions


PKI for Military Use

• provide secure interoperability throughout the military organizations and with its partners - government, industry and academia;
• standards based;
• uses commercial PKI products to minimize the investment;
• support digital signature and key exchange;
• support key recovery;
• support Federal Information Processing Standards - FIPS compliance requirements.


General PKI Structure


CAs are Trusted to Do

• A central administration - issues certificates:
  - company to its employees
  - university to its students
  - public CA (like VeriSign) to clients
• The CA must keep confidential the private key it uses to sign certificates
• The CA does not assign different certificates the same serial number
• The CA makes sure all the information in a certificate is correct
• Up to date Certificate Revocation List (CRL)
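
The serial-number and CRL duties listed above can be checked mechanically. The following added example (not part of the original slides) audits a constructed issuance log for reused serial numbers and refuses to report a certificate as good when the CRL is stale; all names and sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data: (serial, subject) pairs as a CA's issuance log
# might record them. Serial 0x1003 is deliberately reused.
ISSUED = [
    (0x1001, "CN=alice,O=Example Org"),
    (0x1002, "CN=bob,O=Example Org"),
    (0x1003, "CN=carol,O=Example Org"),
    (0x1003, "CN=dave,O=Example Org"),
]

# Constructed CRL summary: the fields a relying party reads from a CRL.
CRL = {
    "this_update": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "next_update": datetime(2024, 1, 8, tzinfo=timezone.utc),
    "revoked_serials": {0x1002},
}


def duplicate_serials(issued):
    """Return {serial: [subjects]} for serials bound to more than one subject."""
    by_serial = defaultdict(set)
    for serial, subject in issued:
        by_serial[serial].add(subject)
    return {s: sorted(subj) for s, subj in by_serial.items() if len(subj) > 1}


def crl_is_current(crl, now):
    """Treat the CRL as usable only from this_update until next_update."""
    return crl["this_update"] <= now < crl["next_update"]


def certificate_status(serial, issued, crl, now):
    """Fail closed: an ambiguous serial or a stale CRL never yields 'good'."""
    if serial in duplicate_serials(issued):
        return "reject: serial number is not unique"
    if not crl_is_current(crl, now):
        return "reject: CRL is stale"
    if serial in crl["revoked_serials"]:
        return "revoked"
    return "good"
```
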


Our PKI Research/Study - directions -

• Understanding PKI technology and establishing
  – applications demanding PKI
  – PKI architecture
• Analysis of the possibilities/facilities of a vendor CA software - RSA Keon
• Developing our own CA software, using Eric Young's OpenSSL library
• Defining an adequate certificate policy and practice statement


PKI Main Applications

• Paperless Office - Document & E-mail Signing and Protecting
• Secure Web - User Authentication and Secure Communications
• Security in Organization’s Intranet/Extranet - VPN
• Certificate Authority - for the Romanian (Military) Internet Users


Deploying a PKI - Main steps -

• Analysis of Operational Requirements
• Establish PKI Applications
• Defining security policies
• Defining a deployment road map
• Establish the infrastructure (PKI & CA Design)
• Personnel Selection
• Hardware and Software Acquisition
• PKI Training
• Management & Administration


Defense PKI (DPKI)

• Generation, production, distribution, control, revocation, archive of public key certificates;
• Management of keys;
• Support to applications providing confidentiality and authentication of network transactions;
• Data integrity;
• Non-repudiation.


Certificate Classes

DPKI can adopt a certificate policy that uses 3 classes of certificates:

Low Class Certificates (for unclassified/sensitive information on classified network) - May be used for:
• Digital signatures for classified information on encrypted network;
• Key exchange for the protection (confidentiality) of communities of persons on encrypted networks;
• Non-repudiation for medium value financial or for electronic commerce applications.


Certificate Classes

Medium Class Certificates (for unclassified/sensitive information on classified network) - May be used for:
• Digital signatures for unclassified mission critical and national security information on unencrypted network
• Key exchange for the confidentiality of high valued compartmented information on encrypted networks or classified data over unencrypted networks
• Protection of information crossing classification boundaries
• Non-repudiation for large financial or for electronic commerce applications.


Certificate Classes

High Class Certificates (for classified information on open network) - May be used for:
• Digital signatures for authentication of subscriber identity for accessing classified information over unprotected networks
• Key exchange for confidentiality of classified information over unencrypted networks
• Digital signatures for authentication of key material in support of providing confidentiality for classified information over unprotected networks.


CONCLUSIONS

• PKI simplifies the management of security
• RAF structures and organizations can spend less time worrying about security, and more energy on their main activities (confidential documents no longer need to wait for days to be physically shipped; instead, they can be securely sent through e-mail)
• Web servers can allow secure access for only designated users
• Military organization networks can securely extend over the Internet, eliminating expensive leased data lines
• PKI’s possibilities are limitless


CONCLUSIONS

• For Romanian Armed Forces, the Public Key Infrastructure (PKI) capability may adopt the following components:
  - Root Certificate Authority
  - Certificate Authorities
  - Local Registration Authorities
  - Certificate Directory
and principles:
  - use commercial and/or proprietary products
  - use smart cards for protection of private keys and certificates, processing digital signature, access control.


CONCLUSION ?

Steve Bellovin, AT&T Security Guru

“-What are the strongest defenses?

-There aren’t any”