1 / 36

Cryptography Part 2

Cryptography Part 2. Using and Managing Keys. Cryptographic Key Sharing. Symmetric encryption efficient, but requires using a shared key. Assymetric or 2 key encryption avoids key sharing problem by allowing distribution of a public key Problem arrises in verifying the public key.

elgin
Download Presentation

Cryptography Part 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cryptography Part 2 Using and Managing Keys

  2. Cryptographic Key Sharing • Symmetric encryption efficient, but requires using a shared key. • Assymetric or 2 key encryption avoids key sharing problem by allowing distribution of a public key • Problem arrises in verifying the public key. • Public key needs to be authenticated.

  3. Digital Certificates Digital documents that associate an individual with its specific public key Data structure containing a public key, details about the key owner, and other optional information that is all digitally signed by a trusted third party

  4. Certification Authority (CA) The owner of the public key listed in the digital certificate can be identified to the CA in different ways By their e-mail address By additional information that describes the digital certificate and limits the scope of its use Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users

  5. Certification Authority (CA) The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked Can provide the information in a publicly accessible directory, called a Certificate Repository (CR) May use a Registration Authority (RA) to handle some CA tasks such as processing certificate requests and authenticating users

  6. Certificate Information

  7. UMKC Certificate

  8. Certificate Details

  9. Certificate Signature

  10. VeriSignCertificateSN 10

  11. Firefox Certificate Manager

  12. FirefoxCertificateforVeriSign

  13. Get VeriSignpublic key kv (signcert) = ku

  14. Public Key Infrastructure (PKI) Manages keys and identity information required for asymmetric cryptography, integrating digital certificates, public key cryptography, and CAs For a typical enterprise: Provides end-user enrollment software Integrates corporate certificate directories Manages, renews, and revokes certificates Provides related network services and security Consists of one or more CA servers and digital certificates that automate several tasks

  15. The need for PKI Certificate Repository Bob Alice Bob’s Public key Please tell me about the new… Please tell me about the new… Xuskem765m%mT883$ Bob’s Public key Bob’s Private key

  16. PKI Standards A number of standards have been proposed for PKI Public Key Cryptography Standards (PKCS) X509 certificate standards

  17. Public Key Cryptography Standards (PKCS) Numbered set of standards that have been defined by the RSA Corporation since 1991 Composed of 15 standards Encryption and digital signature formats Key syntax and attributes Secret Key generation methods Key exchange protocols Message syntax Etc.

  18. X509 Digital Certificates X509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate Most widely used certificate format for PKI X509 is used by Secure Socket Layers (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME)

  19. X509 Digital Certificates

  20. Trust Models Refers to the type of relationship that can exist between people or organizations In the direct trust, a personal relationship exists between two individuals Third-party trust refers to a situation in which two individuals trust each other only because each individually trusts a third party The three different PKI trust models are based on direct and third-party trust

  21. Trust Models (cont) Web of Trust model is based on direct trust. Single-point Trust model is based on third-party trust A CA directly issues and signs certificates In an Hierarchical Trust model, the primary or root certificate authority issues and signs the certificates for CAs below it

  22. Web of Trust

  23. Single-point Trust

  24. Hierarchical Trust Certificate Authority Subordinate CA Subordinate CA

  25. Managing Digital Certificates After a user decides to trust a CA, they can download the digital certificate and public key from the CA and store them on their local computer CA certificates are issued by a CA directly to individuals Typically used to secure e-mail transmissions through S/MIME and SSL/TLS

  26. Managing Digital Certificates (cont)

  27. Managing Digital Certificates (cont) Server certificates can be issued from a Web server, FTP server, or mail server to ensure a secure transmission Software publisher certificates are provided by software publishers to verify their programs are secure

  28. Certificate Policy (CP) Published set of rules that govern operation of a PKI Minimum Topics: Statement of Scope Enforcement CA Obligations Compliance Audits RA Obligations Confidentiality User Obligations Operational Reqmts Repository Obligations Training

  29. Certificate Practice Statement (CPS) Describes in detail how the CA uses and manages certificates Topics: End User Registration Issuing Digital Certificates Revoking Digital Certificates Procedural Controls Key Generation and Use Private Key Protection CRL Profiles

  30. Certificate Life Cycle Typically divided into four parts: Creation Revocation Expiration Suspension

  31. Centralized / Decentralized Management An example of a decentralized key management system is the PKI web of trust model Centralized key management is the foundation for single-point trust models and hierarchical trust models, with keys being distributed by the CA

  32. Key Storage May store public keys by embedding them within digital certificates A form of software-based storage and doesn’t involve any cryptography hardware May also store private keys on the user’s local computer Must ensure that keys are encrypted – “key ring” Storing keys in hardware is an alternative to software-based keys

  33. Key Usage If you desire more security than a single set of public and private (single-dual) keys can offer, you can choose to use multiple pairs of dual keys One pair of keys may be used to encrypt information and the public key could be backed up to another location The second pair would be used only for digital signatures and the public key in that pair would never be backed up

  34. Key Handling Procedures Certain procedures can help ensure that keys are properly handled: Escrow – Expiration Renewal – Revocation Recovery – Suspension Destruction

  35. Summary Primary advantage of symmetric cryptography is that encryption and decryption is usually fast and easy to implement A digital signature solves the problem of authenticating the sender when using asymmetric cryptography With asymmetric cryptography, an organization can find itself implementing piecemeal solutions for different applications

  36. Summary (cont) PKCS is a numbered set of standards that have been defined by the RSA Corporation since 1991 The three PKI trust models are based on direct and third-party trust Digital certificates are managed through CPs and CPSs

More Related