際際滷

際際滷Share a Scribd company logo

Jerad Bates - Public Key Infrastructure (1).ppt

Download as PPT, PDF
M
MehediHasanShaon1

This document provides an overview of public key infrastructure (PKI). It discusses how PKI uses public key cryptography and digital signatures to establish secure communication channels between users. Certification authorities issue and sign digital certificates that map users' public keys to their identities, allowing other users to verify signatures and establish encryption keys. PKIs can be organized in different models like hierarchies or networks to distribute trust. Overall, PKI aims to provide the flexibility of key servers without requiring direct communication with a central authority.

1 of 30
Download to read offline
Public Key Infrastructure (PKI) Jerad Bates University of Maryland, Baltimore County December 2007
Overview Introduction Building Blocks Certificates Organization Conclusions
Introduction In the beginning there were shared secret keys Early cryptographic systems had to use the same key for encryption and decryption To establish an encrypted channel both users needed to find out this key in some secure fashion Limited Users could meet and exchange the key Flexible Users could use a key server
Introduction Key Exchange User to User This exchange eliminates a communication channel that could be attacked Limited - Users must meet all other users In a system with n users, number of meetings is on the order of O(n2) Users must recognize each other or show proper identification
Introduction Key Exchange Key Server Each user has set to up a key with the Key Server Key Server creates and transmits secure session keys to users Flexible Users need only have a prior established key with the Key Server For a system with n users only (n) meetings must occur Key Server takes care of the initial validation of users identities KA,KS KB,KS
Building Blocks Cryptographic tools Putting them together Names Time A secure communication session
Building Blocks Cryptographic Tools Symmetric Key Cryptography Encryption: SEK(M) = C Decryption: SDK(C) = M Secure as long as only communicating users know K Having K lets one read C Fast to calculate Public Key Cryptography Encryption: PEK+(M) = C Decryption: PDK-(C) = M Secure as long K- is only known by the receiver Having K- lets one read C, but having K+ does not Slow to calculate
Building Blocks Cryptographic Tools Digital Signatures Sign: PEK-(H(M)) = S Verify: PDK+(S) = H(M) Reliable as long as only the signer knows K- Having K- allows one to sign, having K+ only allows one to verify the signature Slow to calculate Ks + and - could just be a users public and private keys
Building Blocks Putting Them Together Symmetric cryptography is used for majority of communications Public Key cryptography is used for exchanging Symmetric keys Digital Signatures are used to validate Public Keys
Building Blocks Names A name in PKI must be unique to a user Assigning these names presents similar difficulties as found in other areas of Distributed Systems Without proper and well thought out naming PKI is pretty much useless
Building Blocks Time A PKI must know the current time Much of a PKIs security relies on having an accurate clock For the most part, time does not need to be known extremely reliably and being off by a minute will usually not be an issue
Building Blocks A Secure Communications Session Alice and Bob wish to set up a secure communications channel They use Public Key Cryptography to exchange a Symmetric key Alice: Private PK = K-A, Public PK = K+A Bob: Private PK = K-B, Public PK = K+B Time T and random Symmetric Key KS Simplified example: 1: Alice -> Bob: PEK+B(Alice, T, K+A, PEK-A(T, KS)) 2: Bob -> Alice: PEK+A(T, KS) 3: Alice <-> Bob: SEKS(Mi)
Certificates What they are How they are issued How they are distributed How they are revoked
Certificates What they are The issue with building a secure session is that it assumes that both Alice and Bob know each others public keys We need some way for them to learn this besides meeting each other (otherwise we are in the same predicament as with Symmetric Key exchange meetings) We could use a similar strategy to the Key Server but can we do better? This is where Certificates come in
Certificates What they are A Certificate is a combination of a users public key, unique name, Certificate start and expiration dates, and possibly other information This Certificate is then digitally signed, by some Trusted 3rd Party, with the signature being attached to the rest of the Certificate This Signed Certificate is commonly referred to as just the users Certificate The Certificate for a user Bob, signed by signer Tim, in essence states I Tim certify that this Public Key belongs to Bob
Certificates How they are issued The users of a PKI must place their trust in a 3rd Party to carefully verify a users identity before signing his or her public key Each user generates their own Public-Private Key pair and Certificate A user then verifies them self to the 3rd Party and shows his or her Certificates content. At this point the third party will sign the Certificate.
Certificates How they are distributed Users are free to distribute their signed Certificates over any medium, public or private, without concern Other users may acquire this Certificate from any source and check the 3rd Partys signature for tampering If the signature is good then the other users know that the 3rd Party affirms that the Certificate belongs to the user who is listed in the Certificate
Certificates How they are Revoked Periodically Certificates may become compromised, requiring a Certificate Revocation A Certificate Revocation message is simply a message signed by K-i (the private version of the Certificates K+i) saying that the Certificate is revoked A PKI will have a database of revoked Certificates (a Certificate Revocation List, CRL) that users may access periodically for the latest list of revoked Certificates An alternative to certificate revoking is to set the expiration time to very shortly after the issue time. Thus every key in this system is revoked so rapidly that we do not need to worry what may happen to the compromised key
Organization What is Trust? How do we organize a PKI to disseminate trust?
Organization Trust Trust is based on real world contractual obligations between a 3rd Party and users [2] This Trusted 3rd Party is referred to as a Certificate Authority (CA) In other models trust is based on personal relationships that dont have a contractual basis (e.g. PGP) Users may allow a CA to delegate their trust This delegation of trust is what allows us to build large PKIs
Organization Trust If Alice trusts Root CA then she trusts Bobs Certificate signed by Root CA If Alice trusts Root CA to delegate her trust to others then she trusts Chads Certificate signed by Small CA Alice Root CA Small CA Bob Chad
Organization Organizing a PKI A PKI may be organized based on a variety of models using delegation of trust Strict Hierarchy Networked Web Browser PGP
Organization Strict Hierarchy All users trust Root CA Root CA may delegate that trust to other CAs who in turn may be allowed to delegate that trust In this way a PKI may grow without all the burden being placed on Root CA Alice Root CA Small CA Bob Chad Dan Smaller CA Emily Fred
Organization Networked The Networked model addresses what to do when two or more PKIs wish to join together or merge Two techniques Mesh Hub-and-Spoke We only need the Root CAs of each PKI to participate in this model
Organization Networked Mesh Every Root CA signs every other Root CAs Certificate Hard to join a large numbers of CAs Root CA3 Root CA1 Root CA2 Root CA4
Organization Networked Hub-and-Spoke The Root CAs come together to create the Super Root CA Each Root CA signs the Super Root CAs certificate while the Super Root CA signs each of theirs Easier to join large numbers of CAs Question becomes, Who gets to manage the Super Root CA? Root CA3 Root CA1 Root CA2 Root CA4 Super Root CA
Organization Web Browser A Web Browser maintains a list of trusted Root CAs Any Certificate signed by one of these Root CAs is trusted Basically a list of n Hierarchy Models Initial list decided on by Web Browsers producer alice.com bob.com chad.com dan.com Smaller CA emily.com fred.com Root CA3 Root CA1 Root CA2 Root CAn
Organization PGP Each users Certificate is signed by zero or more other users Certificate validity calculated from levels of trust assigned by signers Assigned levels (Chad) Implicit: User themselves Chad Complete: Any Certificate signed by the user them self Fred and Emily Intermediate Calculated Item Partial Trust: Any Certificate signed by a Complete Certificate Bob and Dan Calculated (Chad) Valid: Any Certificate signed by an Implicit or Complete level Certificates Chad, Fred, Emily, Dan, and Bob Marginally Valid: Any Certificate signed by two or more Partial trust Certificates Gary Invalid: Any Certificate signed by a Marginally Valid or no one - Alice Alice Bob Chad Dan Emily Fred Gary
Conclusions A PKI allows us to take the concept of a Key Server and apply it to Public Keys It allows greater flexibility then a Key Server in that users do not need to communicate with the Root CA every time a Session Key is needed There are a vast variety of models for disseminating trust in a PKI Even though PKIs look like an amazing idea, in practice there are numerous problems implementing them on a large scale Who does everyone trust? What format do people use? Security of the multitude of programs that rely on PKIs
Sources [1] Adams, Carlisle, and Steve Lloyd. Understanding PKI: Concepts, Standards, and Deployment Considerations. Second ed. Boston, MA: Addison- Wesley, 2003. [2] Ferguson, Neils, and Bruce Schneier. Practical Cryptography. Indianapolis, IN: Wiley, Inc., 2003. [3] Stinson, Douglas R. Cryptography: Theory and Practice. 3rd ed. Boca Raton, FL: Chapman & Hall/CRC, 2006. [4] Tanenbaum, Andrew S., and Maarten V. Steen. Distributed Systems: Principles and Paradigms. 2nd ed. Upper Saddle River, NJ: Pearson Prentice Hall, 2007.

Recommended

悋忰悋惷惘悸_悋惠悋愕惺悸_悋惠悋忰 悋惺悋 悸_PKI.ppt
悋忰悋惷惘悸_悋惠悋愕惺悸_悋惠悋忰 悋惺悋 悸_PKI.ppt悋忰悋惷惘悸_悋惠悋愕惺悸_悋惠悋忰 悋惺悋 悸_PKI.ppt
悋忰悋惷惘悸_悋惠悋愕惺悸_悋惠悋忰 悋惺悋 悸_PKI.ppt
AhmedJaha
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
JUSTSTYLISH3B2MOHALI
Ch12 Cryptographic Protocols and Public Key Infrastructure
Ch12 Cryptographic Protocols and Public Key InfrastructureCh12 Cryptographic Protocols and Public Key Infrastructure
Ch12 Cryptographic Protocols and Public Key Infrastructure
Information Technology
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
Public Key Infrastructure and Application_Applications.ppt
Public Key Infrastructure and Application_Applications.pptPublic Key Infrastructure and Application_Applications.ppt
Public Key Infrastructure and Application_Applications.ppt
lanhuongvernon
PKI and Applications
PKI and ApplicationsPKI and Applications
PKI and Applications
Svetlin Nakov
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization Models
CSCJournals
Digital certificates
Digital certificates Digital certificates
Digital certificates
Sheetal Verma
PKI_Applications digital certificate.ppt
PKI_Applications digital certificate.pptPKI_Applications digital certificate.ppt
PKI_Applications digital certificate.ppt
ubaidullah75790
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identity
WAFAA AL SALMAN
Presentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificatesPresentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificates
Vivaka Nand
Public key infrastructure
Public key infrastructurePublic key infrastructure
Public key infrastructure
Aditya Nama
Ch15
Ch15Ch15
Ch15
raja yasodhar
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-Infrastructures
Oliver Pfaff
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
P2PSystem
Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)
Avirot Mitamura
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructure
vimal kumar
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key Infrastructure
Theo Gravity
Cryptograpy Exam
Cryptograpy ExamCryptograpy Exam
Cryptograpy Exam
Lisa Olive
Digital signature & PKI Infrastructure
Digital signature & PKI InfrastructureDigital signature & PKI Infrastructure
Digital signature & PKI Infrastructure
Shubham Sharma
Everything you need to Know about PKI .pdf
Everything you need to Know about PKI .pdfEverything you need to Know about PKI .pdf
Everything you need to Know about PKI .pdf
Anvesh Vision Private Limited
The world of encryption
The world of encryptionThe world of encryption
The world of encryption
Mohammad Yousri
Vinod Rebello
Vinod RebelloVinod Rebello
Vinod Rebello
prensacespi
PKI - The Backbone of Digital Signatures - DrySign by Exela
PKI - The Backbone of Digital Signatures - DrySign by ExelaPKI - The Backbone of Digital Signatures - DrySign by Exela
PKI - The Backbone of Digital Signatures - DrySign by Exela
Drysign By Exela
Iaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured emailIaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured email
Iaetsd Iaetsd
Grid security seminar mohit modi
Grid security seminar mohit modiGrid security seminar mohit modi
Grid security seminar mohit modi
Mohit Modi
Kumkum digital certificate
Kumkum digital certificateKumkum digital certificate
Kumkum digital certificate
Kumkum Sharma
Digital certificates in e commerce
Digital certificates in e commerceDigital certificates in e commerce
Digital certificates in e commerce
mahesh tawade
Group 8.pptx
Group 8.pptxGroup 8.pptx
Group 8.pptx
MehediHasanShaon1
ccapresentation.ppt
ccapresentation.pptccapresentation.ppt
ccapresentation.ppt
MehediHasanShaon1

More Related Content

Similar to Jerad Bates - Public Key Infrastructure (1).ppt (20)

PKI_Applications digital certificate.ppt
PKI_Applications digital certificate.pptPKI_Applications digital certificate.ppt
PKI_Applications digital certificate.ppt
ubaidullah75790
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identity
WAFAA AL SALMAN
Presentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificatesPresentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificates
Vivaka Nand
Public key infrastructure
Public key infrastructurePublic key infrastructure
Public key infrastructure
Aditya Nama
Ch15
Ch15Ch15
Ch15
raja yasodhar
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-Infrastructures
Oliver Pfaff
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
P2PSystem
Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)
Avirot Mitamura
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructure
vimal kumar
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key Infrastructure
Theo Gravity
Cryptograpy Exam
Cryptograpy ExamCryptograpy Exam
Cryptograpy Exam
Lisa Olive
Digital signature & PKI Infrastructure
Digital signature & PKI InfrastructureDigital signature & PKI Infrastructure
Digital signature & PKI Infrastructure
Shubham Sharma
Everything you need to Know about PKI .pdf
Everything you need to Know about PKI .pdfEverything you need to Know about PKI .pdf
Everything you need to Know about PKI .pdf
Anvesh Vision Private Limited
The world of encryption
The world of encryptionThe world of encryption
The world of encryption
Mohammad Yousri
Vinod Rebello
Vinod RebelloVinod Rebello
Vinod Rebello
prensacespi
PKI - The Backbone of Digital Signatures - DrySign by Exela
PKI - The Backbone of Digital Signatures - DrySign by ExelaPKI - The Backbone of Digital Signatures - DrySign by Exela
PKI - The Backbone of Digital Signatures - DrySign by Exela
Drysign By Exela
Iaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured emailIaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured email
Iaetsd Iaetsd
Grid security seminar mohit modi
Grid security seminar mohit modiGrid security seminar mohit modi
Grid security seminar mohit modi
Mohit Modi
Kumkum digital certificate
Kumkum digital certificateKumkum digital certificate
Kumkum digital certificate
Kumkum Sharma
Digital certificates in e commerce
Digital certificates in e commerceDigital certificates in e commerce
Digital certificates in e commerce
mahesh tawade
PKI_Applications digital certificate.ppt
PKI_Applications digital certificate.pptPKI_Applications digital certificate.ppt
PKI_Applications digital certificate.ppt
ubaidullah75790
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identity
WAFAA AL SALMAN
Presentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificatesPresentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificates
Vivaka Nand
Public key infrastructure
Public key infrastructurePublic key infrastructure
Public key infrastructure
Aditya Nama
Ch15
Ch15Ch15
Ch15
raja yasodhar
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-Infrastructures
Oliver Pfaff
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
P2PSystem
Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)
Avirot Mitamura
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructure
vimal kumar
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key Infrastructure
Theo Gravity
Cryptograpy Exam
Cryptograpy ExamCryptograpy Exam
Cryptograpy Exam
Lisa Olive
Digital signature & PKI Infrastructure
Digital signature & PKI InfrastructureDigital signature & PKI Infrastructure
Digital signature & PKI Infrastructure
Shubham Sharma
Everything you need to Know about PKI .pdf
Everything you need to Know about PKI .pdfEverything you need to Know about PKI .pdf
Everything you need to Know about PKI .pdf
Anvesh Vision Private Limited
The world of encryption
The world of encryptionThe world of encryption
The world of encryption
Mohammad Yousri
Vinod Rebello
Vinod RebelloVinod Rebello
Vinod Rebello
prensacespi
PKI - The Backbone of Digital Signatures - DrySign by Exela
PKI - The Backbone of Digital Signatures - DrySign by ExelaPKI - The Backbone of Digital Signatures - DrySign by Exela
PKI - The Backbone of Digital Signatures - DrySign by Exela
Drysign By Exela
Iaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured emailIaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured email
Iaetsd Iaetsd
Grid security seminar mohit modi
Grid security seminar mohit modiGrid security seminar mohit modi
Grid security seminar mohit modi
Mohit Modi
Kumkum digital certificate
Kumkum digital certificateKumkum digital certificate
Kumkum digital certificate
Kumkum Sharma
Digital certificates in e commerce
Digital certificates in e commerceDigital certificates in e commerce
Digital certificates in e commerce
mahesh tawade

More from MehediHasanShaon1 (6)

Group 8.pptx
Group 8.pptxGroup 8.pptx
Group 8.pptx
MehediHasanShaon1
ccapresentation.ppt
ccapresentation.pptccapresentation.ppt
ccapresentation.ppt
MehediHasanShaon1
csedigitalsignatureppt-170420041737.pdf
csedigitalsignatureppt-170420041737.pdfcsedigitalsignatureppt-170420041737.pdf
csedigitalsignatureppt-170420041737.pdf
MehediHasanShaon1
seminar-151029231027-lva1-app6892.pdf
seminar-151029231027-lva1-app6892.pdfseminar-151029231027-lva1-app6892.pdf
seminar-151029231027-lva1-app6892.pdf
MehediHasanShaon1
module_14_digital_signatures.pptx
module_14_digital_signatures.pptxmodule_14_digital_signatures.pptx
module_14_digital_signatures.pptx
MehediHasanShaon1
Digital signature.ppt
Digital signature.pptDigital signature.ppt
Digital signature.ppt
MehediHasanShaon1
Group 8.pptx
Group 8.pptxGroup 8.pptx
Group 8.pptx
MehediHasanShaon1
ccapresentation.ppt
ccapresentation.pptccapresentation.ppt
ccapresentation.ppt
MehediHasanShaon1
csedigitalsignatureppt-170420041737.pdf
csedigitalsignatureppt-170420041737.pdfcsedigitalsignatureppt-170420041737.pdf
csedigitalsignatureppt-170420041737.pdf
MehediHasanShaon1
seminar-151029231027-lva1-app6892.pdf
seminar-151029231027-lva1-app6892.pdfseminar-151029231027-lva1-app6892.pdf
seminar-151029231027-lva1-app6892.pdf
MehediHasanShaon1
module_14_digital_signatures.pptx
module_14_digital_signatures.pptxmodule_14_digital_signatures.pptx
module_14_digital_signatures.pptx
MehediHasanShaon1
Digital signature.ppt
Digital signature.pptDigital signature.ppt
Digital signature.ppt
MehediHasanShaon1

Recently uploaded (20)

Wireless-Charger presentation for seminar .pdf
Wireless-Charger presentation for seminar .pdfWireless-Charger presentation for seminar .pdf
Wireless-Charger presentation for seminar .pdf
AbhinandanMishra30
Lecture -3 Cold water supply system.pptx
Lecture -3 Cold water supply system.pptxLecture -3 Cold water supply system.pptx
Lecture -3 Cold water supply system.pptx
rabiaatif2
Structural QA/QC Inspection in KRP 401600 | Copper Processing Plant-3 (MOF-3)...
Structural QA/QC Inspection in KRP 401600 | Copper Processing Plant-3 (MOF-3)...Structural QA/QC Inspection in KRP 401600 | Copper Processing Plant-3 (MOF-3)...
Structural QA/QC Inspection in KRP 401600 | Copper Processing Plant-3 (MOF-3)...
slayshadow705
Name.docxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
Name.docxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVName.docxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
Name.docxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
MerijimArsedelPalmad1
Power Point Presentation for Electrical Engineering 3-phase.ppt
Power Point Presentation for Electrical Engineering 3-phase.pptPower Point Presentation for Electrical Engineering 3-phase.ppt
Power Point Presentation for Electrical Engineering 3-phase.ppt
Aniket_1415
Equipment for Gas Metal Arc Welding Process
Equipment for Gas Metal Arc Welding ProcessEquipment for Gas Metal Arc Welding Process
Equipment for Gas Metal Arc Welding Process
AhmadKamil87
Piping-and-pipeline-calculations-manual.pdf
Piping-and-pipeline-calculations-manual.pdfPiping-and-pipeline-calculations-manual.pdf
Piping-and-pipeline-calculations-manual.pdf
OMI0721
decarbonization steel industry rev1.pptx
decarbonization steel industry rev1.pptxdecarbonization steel industry rev1.pptx
decarbonization steel industry rev1.pptx
gonzalezolabarriaped
eng funda notes.pdfddddddddddddddddddddddd
eng funda notes.pdfdddddddddddddddddddddddeng funda notes.pdfddddddddddddddddddddddd
eng funda notes.pdfddddddddddddddddddddddd
aayushkumarsinghec22
Mathematics_behind_machine_learning_INT255.pptx
Mathematics_behind_machine_learning_INT255.pptxMathematics_behind_machine_learning_INT255.pptx
Mathematics_behind_machine_learning_INT255.pptx
ppkmurthy2006
Embedded System intro Embedded System intro.ppt
Embedded System intro Embedded System intro.pptEmbedded System intro Embedded System intro.ppt
Embedded System intro Embedded System intro.ppt
23ucc580
G8 mini project for alcohol detection and engine lock system with GPS tracki...
G8 mini project for alcohol detection and engine lock system with GPS tracki...G8 mini project for alcohol detection and engine lock system with GPS tracki...
G8 mini project for alcohol detection and engine lock system with GPS tracki...
sahillanjewar294
How to Build a Maze Solving Robot Using Arduino
How to Build a Maze Solving Robot Using ArduinoHow to Build a Maze Solving Robot Using Arduino
How to Build a Maze Solving Robot Using Arduino
CircuitDigest
GM Meeting 070225 TO 130225 for 2024.pptx
GM Meeting 070225 TO 130225 for 2024.pptxGM Meeting 070225 TO 130225 for 2024.pptx
GM Meeting 070225 TO 130225 for 2024.pptx
crdslalcomumbai
Multi objective genetic approach with Ranking
Multi objective genetic approach with RankingMulti objective genetic approach with Ranking
Multi objective genetic approach with Ranking
namisha18
health safety and environment presentation
health safety and environment presentationhealth safety and environment presentation
health safety and environment presentation
ssuserc606c7
Best KNow Hydrogen Fuel Production in the World The cost in USD kwh for H2
Best KNow Hydrogen Fuel Production in the World The cost in USD kwh for H2Best KNow Hydrogen Fuel Production in the World The cost in USD kwh for H2
Best KNow Hydrogen Fuel Production in the World The cost in USD kwh for H2
Daniel Donatelli
Introduction to Safety, Health & Environment
Introduction to Safety, Health & EnvironmentIntroduction to Safety, Health & Environment
Introduction to Safety, Health & Environment
ssuserc606c7
Cloud Computing concepts and technologies
Cloud Computing concepts and technologiesCloud Computing concepts and technologies
Cloud Computing concepts and technologies
ssuser4c9444
CS3451-OPERATING-SYSTEM NOTES ALL123.pdf
CS3451-OPERATING-SYSTEM NOTES ALL123.pdfCS3451-OPERATING-SYSTEM NOTES ALL123.pdf
CS3451-OPERATING-SYSTEM NOTES ALL123.pdf
PonniS7
Wireless-Charger presentation for seminar .pdf
Wireless-Charger presentation for seminar .pdfWireless-Charger presentation for seminar .pdf
Wireless-Charger presentation for seminar .pdf
AbhinandanMishra30
Lecture -3 Cold water supply system.pptx
Lecture -3 Cold water supply system.pptxLecture -3 Cold water supply system.pptx
Lecture -3 Cold water supply system.pptx
rabiaatif2
Structural QA/QC Inspection in KRP 401600 | Copper Processing Plant-3 (MOF-3)...
Structural QA/QC Inspection in KRP 401600 | Copper Processing Plant-3 (MOF-3)...Structural QA/QC Inspection in KRP 401600 | Copper Processing Plant-3 (MOF-3)...
Structural QA/QC Inspection in KRP 401600 | Copper Processing Plant-3 (MOF-3)...
slayshadow705
Name.docxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
Name.docxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVName.docxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
Name.docxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
MerijimArsedelPalmad1
Power Point Presentation for Electrical Engineering 3-phase.ppt
Power Point Presentation for Electrical Engineering 3-phase.pptPower Point Presentation for Electrical Engineering 3-phase.ppt
Power Point Presentation for Electrical Engineering 3-phase.ppt
Aniket_1415
Equipment for Gas Metal Arc Welding Process
Equipment for Gas Metal Arc Welding ProcessEquipment for Gas Metal Arc Welding Process
Equipment for Gas Metal Arc Welding Process
AhmadKamil87
Piping-and-pipeline-calculations-manual.pdf
Piping-and-pipeline-calculations-manual.pdfPiping-and-pipeline-calculations-manual.pdf
Piping-and-pipeline-calculations-manual.pdf
OMI0721
decarbonization steel industry rev1.pptx
decarbonization steel industry rev1.pptxdecarbonization steel industry rev1.pptx
decarbonization steel industry rev1.pptx
gonzalezolabarriaped
eng funda notes.pdfddddddddddddddddddddddd
eng funda notes.pdfdddddddddddddddddddddddeng funda notes.pdfddddddddddddddddddddddd
eng funda notes.pdfddddddddddddddddddddddd
aayushkumarsinghec22
Mathematics_behind_machine_learning_INT255.pptx
Mathematics_behind_machine_learning_INT255.pptxMathematics_behind_machine_learning_INT255.pptx
Mathematics_behind_machine_learning_INT255.pptx
ppkmurthy2006
Embedded System intro Embedded System intro.ppt
Embedded System intro Embedded System intro.pptEmbedded System intro Embedded System intro.ppt
Embedded System intro Embedded System intro.ppt
23ucc580
G8 mini project for alcohol detection and engine lock system with GPS tracki...
G8 mini project for alcohol detection and engine lock system with GPS tracki...G8 mini project for alcohol detection and engine lock system with GPS tracki...
G8 mini project for alcohol detection and engine lock system with GPS tracki...
sahillanjewar294
How to Build a Maze Solving Robot Using Arduino
How to Build a Maze Solving Robot Using ArduinoHow to Build a Maze Solving Robot Using Arduino
How to Build a Maze Solving Robot Using Arduino
CircuitDigest
GM Meeting 070225 TO 130225 for 2024.pptx
GM Meeting 070225 TO 130225 for 2024.pptxGM Meeting 070225 TO 130225 for 2024.pptx
GM Meeting 070225 TO 130225 for 2024.pptx
crdslalcomumbai
Multi objective genetic approach with Ranking
Multi objective genetic approach with RankingMulti objective genetic approach with Ranking
Multi objective genetic approach with Ranking
namisha18
health safety and environment presentation
health safety and environment presentationhealth safety and environment presentation
health safety and environment presentation
ssuserc606c7
Best KNow Hydrogen Fuel Production in the World The cost in USD kwh for H2
Best KNow Hydrogen Fuel Production in the World The cost in USD kwh for H2Best KNow Hydrogen Fuel Production in the World The cost in USD kwh for H2
Best KNow Hydrogen Fuel Production in the World The cost in USD kwh for H2
Daniel Donatelli
Introduction to Safety, Health & Environment
Introduction to Safety, Health & EnvironmentIntroduction to Safety, Health & Environment
Introduction to Safety, Health & Environment
ssuserc606c7
Cloud Computing concepts and technologies
Cloud Computing concepts and technologiesCloud Computing concepts and technologies
Cloud Computing concepts and technologies
ssuser4c9444
CS3451-OPERATING-SYSTEM NOTES ALL123.pdf
CS3451-OPERATING-SYSTEM NOTES ALL123.pdfCS3451-OPERATING-SYSTEM NOTES ALL123.pdf
CS3451-OPERATING-SYSTEM NOTES ALL123.pdf
PonniS7

Jerad Bates - Public Key Infrastructure (1).ppt

  • 1. Public Key Infrastructure (PKI) Jerad Bates University of Maryland, Baltimore County December 2007
  • 2. Overview Introduction Building Blocks Certificates Organization Conclusions
  • 3. Introduction In the beginning there were shared secret keys Early cryptographic systems had to use the same key for encryption and decryption To establish an encrypted channel both users needed to find out this key in some secure fashion Limited Users could meet and exchange the key Flexible Users could use a key server
  • 4. Introduction Key Exchange User to User This exchange eliminates a communication channel that could be attacked Limited - Users must meet all other users In a system with n users, number of meetings is on the order of O(n2) Users must recognize each other or show proper identification
  • 5. Introduction Key Exchange Key Server Each user has set to up a key with the Key Server Key Server creates and transmits secure session keys to users Flexible Users need only have a prior established key with the Key Server For a system with n users only (n) meetings must occur Key Server takes care of the initial validation of users identities KA,KS KB,KS
  • 6. Building Blocks Cryptographic tools Putting them together Names Time A secure communication session
  • 7. Building Blocks Cryptographic Tools Symmetric Key Cryptography Encryption: SEK(M) = C Decryption: SDK(C) = M Secure as long as only communicating users know K Having K lets one read C Fast to calculate Public Key Cryptography Encryption: PEK+(M) = C Decryption: PDK-(C) = M Secure as long K- is only known by the receiver Having K- lets one read C, but having K+ does not Slow to calculate
  • 8. Building Blocks Cryptographic Tools Digital Signatures Sign: PEK-(H(M)) = S Verify: PDK+(S) = H(M) Reliable as long as only the signer knows K- Having K- allows one to sign, having K+ only allows one to verify the signature Slow to calculate Ks + and - could just be a users public and private keys
  • 9. Building Blocks Putting Them Together Symmetric cryptography is used for majority of communications Public Key cryptography is used for exchanging Symmetric keys Digital Signatures are used to validate Public Keys
  • 10. Building Blocks Names A name in PKI must be unique to a user Assigning these names presents similar difficulties as found in other areas of Distributed Systems Without proper and well thought out naming PKI is pretty much useless
  • 11. Building Blocks Time A PKI must know the current time Much of a PKIs security relies on having an accurate clock For the most part, time does not need to be known extremely reliably and being off by a minute will usually not be an issue
  • 12. Building Blocks A Secure Communications Session Alice and Bob wish to set up a secure communications channel They use Public Key Cryptography to exchange a Symmetric key Alice: Private PK = K-A, Public PK = K+A Bob: Private PK = K-B, Public PK = K+B Time T and random Symmetric Key KS Simplified example: 1: Alice -> Bob: PEK+B(Alice, T, K+A, PEK-A(T, KS)) 2: Bob -> Alice: PEK+A(T, KS) 3: Alice <-> Bob: SEKS(Mi)
  • 13. Certificates What they are How they are issued How they are distributed How they are revoked
  • 14. Certificates What they are The issue with building a secure session is that it assumes that both Alice and Bob know each others public keys We need some way for them to learn this besides meeting each other (otherwise we are in the same predicament as with Symmetric Key exchange meetings) We could use a similar strategy to the Key Server but can we do better? This is where Certificates come in
  • 15. Certificates What they are A Certificate is a combination of a users public key, unique name, Certificate start and expiration dates, and possibly other information This Certificate is then digitally signed, by some Trusted 3rd Party, with the signature being attached to the rest of the Certificate This Signed Certificate is commonly referred to as just the users Certificate The Certificate for a user Bob, signed by signer Tim, in essence states I Tim certify that this Public Key belongs to Bob
  • 16. Certificates How they are issued The users of a PKI must place their trust in a 3rd Party to carefully verify a users identity before signing his or her public key Each user generates their own Public-Private Key pair and Certificate A user then verifies them self to the 3rd Party and shows his or her Certificates content. At this point the third party will sign the Certificate.
  • 17. Certificates How they are distributed Users are free to distribute their signed Certificates over any medium, public or private, without concern Other users may acquire this Certificate from any source and check the 3rd Partys signature for tampering If the signature is good then the other users know that the 3rd Party affirms that the Certificate belongs to the user who is listed in the Certificate
  • 18. Certificates How they are Revoked Periodically Certificates may become compromised, requiring a Certificate Revocation A Certificate Revocation message is simply a message signed by K-i (the private version of the Certificates K+i) saying that the Certificate is revoked A PKI will have a database of revoked Certificates (a Certificate Revocation List, CRL) that users may access periodically for the latest list of revoked Certificates An alternative to certificate revoking is to set the expiration time to very shortly after the issue time. Thus every key in this system is revoked so rapidly that we do not need to worry what may happen to the compromised key
  • 19. Organization What is Trust? How do we organize a PKI to disseminate trust?
  • 20. Organization Trust Trust is based on real world contractual obligations between a 3rd Party and users [2] This Trusted 3rd Party is referred to as a Certificate Authority (CA) In other models trust is based on personal relationships that dont have a contractual basis (e.g. PGP) Users may allow a CA to delegate their trust This delegation of trust is what allows us to build large PKIs
  • 21. Organization Trust If Alice trusts Root CA then she trusts Bobs Certificate signed by Root CA If Alice trusts Root CA to delegate her trust to others then she trusts Chads Certificate signed by Small CA Alice Root CA Small CA Bob Chad
  • 22. Organization Organizing a PKI A PKI may be organized based on a variety of models using delegation of trust Strict Hierarchy Networked Web Browser PGP
  • 23. Organization Strict Hierarchy All users trust Root CA Root CA may delegate that trust to other CAs who in turn may be allowed to delegate that trust In this way a PKI may grow without all the burden being placed on Root CA Alice Root CA Small CA Bob Chad Dan Smaller CA Emily Fred
  • 24. Organization Networked The Networked model addresses what to do when two or more PKIs wish to join together or merge Two techniques Mesh Hub-and-Spoke We only need the Root CAs of each PKI to participate in this model
  • 25. Organization Networked Mesh Every Root CA signs every other Root CAs Certificate Hard to join a large numbers of CAs Root CA3 Root CA1 Root CA2 Root CA4
  • 26. Organization Networked Hub-and-Spoke The Root CAs come together to create the Super Root CA Each Root CA signs the Super Root CAs certificate while the Super Root CA signs each of theirs Easier to join large numbers of CAs Question becomes, Who gets to manage the Super Root CA? Root CA3 Root CA1 Root CA2 Root CA4 Super Root CA
  • 27. Organization Web Browser A Web Browser maintains a list of trusted Root CAs Any Certificate signed by one of these Root CAs is trusted Basically a list of n Hierarchy Models Initial list decided on by Web Browsers producer alice.com bob.com chad.com dan.com Smaller CA emily.com fred.com Root CA3 Root CA1 Root CA2 Root CAn
  • 28. Organization PGP Each users Certificate is signed by zero or more other users Certificate validity calculated from levels of trust assigned by signers Assigned levels (Chad) Implicit: User themselves Chad Complete: Any Certificate signed by the user them self Fred and Emily Intermediate Calculated Item Partial Trust: Any Certificate signed by a Complete Certificate Bob and Dan Calculated (Chad) Valid: Any Certificate signed by an Implicit or Complete level Certificates Chad, Fred, Emily, Dan, and Bob Marginally Valid: Any Certificate signed by two or more Partial trust Certificates Gary Invalid: Any Certificate signed by a Marginally Valid or no one - Alice Alice Bob Chad Dan Emily Fred Gary
  • 29. Conclusions A PKI allows us to take the concept of a Key Server and apply it to Public Keys It allows greater flexibility then a Key Server in that users do not need to communicate with the Root CA every time a Session Key is needed There are a vast variety of models for disseminating trust in a PKI Even though PKIs look like an amazing idea, in practice there are numerous problems implementing them on a large scale Who does everyone trust? What format do people use? Security of the multitude of programs that rely on PKIs
  • 30. Sources [1] Adams, Carlisle, and Steve Lloyd. Understanding PKI: Concepts, Standards, and Deployment Considerations. Second ed. Boston, MA: Addison- Wesley, 2003. [2] Ferguson, Neils, and Bruce Schneier. Practical Cryptography. Indianapolis, IN: Wiley, Inc., 2003. [3] Stinson, Douglas R. Cryptography: Theory and Practice. 3rd ed. Boca Raton, FL: Chapman & Hall/CRC, 2006. [4] Tanenbaum, Andrew S., and Maarten V. Steen. Distributed Systems: Principles and Paradigms. 2nd ed. Upper Saddle River, NJ: Pearson Prentice Hall, 2007.
AboutCopyright
息 2025 際際滷