Introduction to Roaming PKI C2
Roger Younglove, CISSP
Distinguished Member
Consulting Staff
June 17th., 2002
Agenda
PKI definition Why PKI The core components of a PKI Principal functions Cryptography overview Managing certificate Roaming Certificates Personal Entropy PKI use case
What is a PKI?
PKI stands for “public key infrastructure” It’s a trust distribution mechanism PKI allows any arbitrary level of trust
PKI Definition
It is more than a single technology or product; it’s a complex system.
A public-key infrastructure (PKI) is the set of policies, people, processes, technologies and services that make it possible to deploy and manage the use of public-key cryptography and digital certificates on a wide-scale.
Why PKI …
PKI provides answers to all the elements of secure electronic transactions
– Authentication
– Access Control
– Confidentiality
– Integrity
– Non–Repudiation
How does PKI achieve this ?
Authentication via Digital Certificates Access control via Key Management Confidentiality via Encryption Integrity via Digital Signatures Non-Repudiation via Digital Signatures
Components of a PKI
Digital Certificate
It’s a signed data structure that binds one or more attributes of an entity with its corresponding public key.
The data structure is signed by a recognized and trusted authority (i.e. the CA).
It provides assurance that a particular public key belongs to a specific entity (and that the entity possesses the corresponding private key).
CertificationAuthority
Certification Authorities are the people, processes and tools that are responsible for the:
– creation,
– delivery
– and management
of digital certificates that are used within a PKI.
CertificationAuthority
There can be multiple configurations of CAs.
• Root, only
• Hierarchical, root and subordinates
• Cross certified CAs
• Bridge cross certified CAs
CertificationAuthority
CA-1 CA-2
Root CA
Hierarchical Root and subordinate CAs
CertificationAuthority
Cross Certified CAs
Certification Authority
Bridge CA cross certification
Bridge CA
Registration Authority
RA’s are the people, processes and/or tools that are responsible for– authenticating the identity of new entities (user or
computing devices)
– requiring certificates from CA’s.
They act as agents of CA’s
Certification Repository
A database, or store, which is accessible to all users of a PKI, contains:– public-key certificates, – certificate revocation information – and policy information
It is a x.500 compliant directory server, for access to certificates (x.509) LDAP is used to query the data base.
PKI Client Software
Client-side software is required to ensure PKI-entities are able to make full use of the key and digital certificate management services of PKI such as:– key generation, PKCS 10/7 or PKIX 3.03
– automatic key update
– secure storage of private key
PKI- EnabledApplications
Software applications must be PKI aware before they can be used with a PKI.
Typically this involves modifying an application so that it can understand and make use of digital certificates.
i.e. to authenticate a remote user and authenticate itself to a remote user.
Policy
RFC 2527 is the present blue print. draft-ietf-pkix-ipki-new-rfc2527-00.txt Certification Policies and Certificate Practice
Statements are policy documents that define the procedures and practice to be employed in the:– use,
– administration
– and management
of certificates within a PKI.
Relying Parties(RP)
Applications Equipment Individuals Companies
Principal Functions
Register new user – checking their credentials to ensure they are bona fide applicants.by RA
Create public and private key.by PKI client software or can be created by the CA and pushed to the client.
Provide mechanisms to protect the private key(authentication to control access to the private key).
by PKI client software Create and provide public-key certificates
for legitimate PKI users. by CA
Principal Functions
Make public-key certificates available for use by other PKI users.by CA
Support revocation checking so that certificates that are no longer valid are easily identified.by CA
Support non-repudiation (by generating and protection the signing key pair).by PKI client Sw
Principal Functions
Periodical update of key pairs – to reduce the risk of key compromise.by PKI client software or CA
Manage key histories so that content encrypted in the past can still be recovered. by PKI client software and/or CA
Provide a mechanism to recover encryption keys.by CA
Support cross certification – thereby users of one PKI may use their certificates in other PKI.
by CA
Cryptography ….
The effectiveness of cryptography is based on– the key and its length
– the tested algorithms
Cryptographysystems
symetricsystems
asymetricsystems
blockcipher
streamcipher
like:DES3DESIDEA
like:RSAElGamal
Symmetric Cryptography
Examples
– DES, Triple-DES, AES (in the future)– Blowfish, SAFER, CAST – RC2, RC4 (ARCFOUR), RC5, RC6
Asymmetric Cryptography
It’s based on an algorithm with two different keys:– private Key (it must be protected by his owner)
– public Key Algorithms for public key cryptography
are called – asymmetric algorithms Encryption is defined as Ek(P)=C
(using the public key)
Decryption is defined as Dk(C)=P(using the private key)
Asymmetric Cryptography
Examples– RSA– Diffie-Hellman Key Exchange – ElGamal, Digital Signature Standard (DSS)
Objectives (asymmetric cryptography)
One of the most often used cases of asymmetric cryptography, its goal is to send a key over a unsecured carrier.
this key would be used for symmetric cryptography
Conclusion:We need asymmetric cryptography to submit a key which we use for symmetric cryptography – to exchange data – this symbioses is calledhybrid cryptography
Example 1/3 (sender Alice)
Alice generates her own key pair.
public keyAlice
private keyAlice
Bob generates his own key pair.
Both sent their public key to a CA and receive a digital certificate.
BobBob
public keyBob
private keyBob
Example 2/3
Alice gets Bob’s public key from the CA
private keyAlice
public key
Bob
private keyBob
public keyAlice
Bob gets Alice’s public key from the CA
Example 3/3
Provides signatures with public key
Message
Alice Bob
Hash MessageHash
Encryption Decryption
AlicePrivate
AlicePublic
Hash=?
Managing Certificates
Certificate revocation refers to the process of publicly announcing that a certificate has been revoked and should no longer be used.
From a theoretical point of view, certificate revocation is a challenging problem and there are several approaches to address it:- The use of certificates that automatically time out;- The use of a list that itemizes all revoked certificates
in an online directory (OCSP);- The use of certificate revocation lists (CRLs).
Roaming Cert
How does a roaming cert differ from the traditional? – The key pair is created on the CA and stored
in the data base.
– The private key does not reside on the local PC.
– The private key is retrieved for each use.
Roaming Cert
What are the benefits of a roaming cert?– A Certificate holder can log into an
application from any remote device that has Web capability.
– They can down load and use their certificate to authenticate to an application.
– They can use their private key for digital signatures and maintain NonRepudiation.
Key Retrieval
Login and password– Low to medium level of security
Login and SecurID– High level of security
– Could be costly, if a large user base is required
Login and Personal Entropy– Medium to high level of security
– Low cost even for a large user base
Personal Entropy
What is Personal Entropy (PE)– PE is a series of personal questions and
answers that are known only to a the specific individual
How is it created– Predetermined questions created by the
company, low level security
– Series of questions created by the individual user, medium security
Predetermined PE
What is your favorite color? What is your mothers maiden name? What is your eye color? What is your year of birth? What is your company ID? What is the balance on your last credit
card statement? What was the balance in your savings
account on (date)?
Self Created PE
With guidance provided by the organization highly secure questions can be created based on:– Who?
– What?
– When?
– Where?
– and How?
Self Created PE
Who?– Who was my sweet heart in third grade?
Sally Smythe
What?– What breed was my first dog? Boxer
When?– When did I get my last dog? Feb. 95
Where?– Where do I keep my slippers? Under the
bed.
PKI Use Cases
Certificate Vendors Baltmore Technologies
– UniCert PKI Software– Provides managed service
Entrust– Entrust Authority PKI Software– Provides managed service
RSA Security– Keon PKI Software
VeriSign– Provides Server Certificates– Provides managed service