1 / 29

Public Key Infrastructure

Public Key Infrastructure. By Sarah Wahl. What is PKI?. An arrangement that provides for trusted third party vetting of, and vouching for, user identities

ciro
Download Presentation

Public Key Infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Public Key Infrastructure By Sarah Wahl Sarah Wahl / Graduate Student UCCS

  2. What is PKI? • An arrangement that provides for trusted third party vetting of, and vouching for, user identities • PKI consists of client software, server software such as a certificate authority, hardware (e.g., smart cards) and operational procedures Sarah Wahl / Graduate Student UCCS

  3. Public Key… • Public key encryption — keeping a message secret from anyone that does not possess a specific private key. • Public key digital signature — allowing anyone to verify that a message was created with a specific private key. • Key agreement — generally, allowing two parties that may not initially share a secret key to agree on one. Sarah Wahl / Graduate Student UCCS

  4. Public Key Encryption • On a high level, a user signs his message with his private key, and when the message gets to the other side the end user decrypts the message using the public key, which is published by the Certificate Authority. Sarah Wahl / Graduate Student UCCS

  5. Keys Sarah Wahl / Graduate Student UCCS

  6. Keys Continued • Like a mail slot. Anyone can put a message in the slot, but only owner can access the messages. • Public Key • The published key. (Where the mail slot is located) • Private Key • The secret key (The owner’s key that can unlock the mail slot) Sarah Wahl / Graduate Student UCCS

  7. Identity Certificates • A certificate which uses a digital signature to bind together a public key with an identity • Identity being information on the user- name, organization etc. Sarah Wahl / Graduate Student UCCS

  8. Certificate Authorities • Verify an applicant's credentials, so that users (relying parties) can trust the information in the CA's certificates • This is essential to the PKI scheme, if the CA is compromised then their signed certificates can’t be trusted. Sarah Wahl / Graduate Student UCCS

  9. Certificate Authorities Cont. • It is not always possible to reach back to the original Certificate Authority. • Key Chain, or Certificate Authority Chain. • Allows a user to get a certificate from another source. • Certificate Authority delegates authority to others. Sarah Wahl / Graduate Student UCCS

  10. Certificates • Self-Signed • Certificate signed by certificate’s author • Root Certificate • an unsigned public key certificate • Authorization Certificates • (also known as an attribute certificate) digitally written permission from the issuer to use a service or a resource that the issuer controls or has access to use Sarah Wahl / Graduate Student UCCS

  11. Classes of Certificates • Class 1 for individuals, intended for email • Class 2 for organizations, for which proof of identity is required • Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority (CA). Sarah Wahl / Graduate Student UCCS

  12. Digital Signatures • Can be used as a broad term encompassing message authentication codes, file integrity hashes and digital pen pad devices. • For this discussion a digital signatures is a term to mean cryptographically based signature assurance scheme • Used like a notary endorsement Sarah Wahl / Graduate Student UCCS

  13. Is it a Valid Certificate? • Check the certificate revocation list (CRL) • This is a list of certificates that are no longer valid. • This list is published by 3rd parties (CA). Sarah Wahl / Graduate Student UCCS

  14. OCSP • Online Certificate Status Protocol • An Internet protocol used for obtaining the revocation status of an X.509 digital certificate. • It is described in RFC 2560 and is on the Internet standards track. It was created as an alternative to CRLs Sarah Wahl / Graduate Student UCCS

  15. X.509 Certificate • A certificate typically includes: • The public key being signed. • A name, which can refer to a person, a computer or an organization. • A validity period. • The location (URL) of a revocation center. • The digital signature of the certificate, produced by the CA's private key. Sarah Wahl / Graduate Student UCCS

  16. The Future of PKI: ECC • First, the fact that the security and practicality of a given asymmetric cryptosystems relies upon the difference in difficulty between doing a given operation and its inverse. Sarah Wahl / Graduate Student UCCS

  17. Elliptical Curve Cryptography • Second, the fact that the difference in difficulty between the forward and the inverse operation in a given system is a function of the key length in use, due to the fact that the difficulty of the forward and the inverse operations increase as very different functions of the key length; the inverse operations get harder faster. Sarah Wahl / Graduate Student UCCS

  18. ECC Continued • Third, the fact that as you are forced to use longer key lengths to adjust to the greater processing power now available to attack the cryptosystem, even the 'legitimate' forward operations get harder, and require greater resources (chip space and/or processor time), though by a lesser degree than do the inverse operations. Sarah Wahl / Graduate Student UCCS

  19. Comparison of Algorithms • The difficulty of the forward and inverse operations is at the centre of asymmetric schemes. • RSA, it's integer multiplication (forward) and factorization (inverse) • Diffie Hellman it's discrete exponentiation (forward) and log (inverse). • ECC it's point multiplication (forward) and the elliptic curve discrete logarithm problem (inverse). Sarah Wahl / Graduate Student UCCS

  20. Key Sizes Sarah Wahl / Graduate Student UCCS

  21. ECDSA vs. RSA (ms) Sarah Wahl / Graduate Student UCCS

  22. How ECC Works • The way that the elliptic curve operations are defined is what gives ECC its higher security at smaller key sizes. • An elliptic curve is defined in a standard, two dimensional x,y Cartesian coordinate system by an equation of the form: • y2 = x3 + ax + b Sarah Wahl / Graduate Student UCCS

  23. Elliptical Curve Example Sarah Wahl / Graduate Student UCCS

  24. How ECC Works Continued • Point multiplication is simply calculating kP, where k is an integer and P is a point on the elliptic curve defined in the prime field. • This is the operation which is the key to the use of elliptic curves for asymmetric cryptography — the critical operation which is itself fairly simple, but whose inverse is very difficult. Sarah Wahl / Graduate Student UCCS

  25. The dominant operation in ECC cryptographic schemes is point multiplication. Sarah Wahl / Graduate Student UCCS

  26. Why Use ECC? • It’s More Secure! • It’s Much Faster!! Sarah Wahl / Graduate Student UCCS

  27. Conclusion • PKI is an ever changing infrastructure. • There are new software algorithms being developed. • Different methods for interacting with the Certificate Authority. Sarah Wahl / Graduate Student UCCS

  28. Questions • Any Questions or Comments? Sarah Wahl / Graduate Student UCCS

  29. Resources http://en.wikipedia.org/wiki/Public_key_infrastructure http://www.deviceforge.com/articles/AT4234154468.html http://csrc.nist.gov/pki http://homes.esat.kuleuven.be/~fvercaut/talks/HECC.pdf Sarah Wahl / Graduate Student UCCS

More Related