200 likes | 420 Views
Use of Public-Key Infrastructure (PKI). Erik Andersen Association for the Directory Information and Related Search Industry (EIDQ - http://www.eidq.org ) Andersen's L-Service consultancy Rapporteur for Directory services, Directory systems, and public-key/attribute certificates era@x500.eu.
E N D
Use of Public-Key Infrastructure (PKI) Erik Andersen Association for the Directory Information and RelatedSearch Industry (EIDQ - http://www.eidq.org ) Andersen's L-Service consultancy Rapporteur for Directory services, Directory systems, and public-key/attribute certificates era@x500.eu Addressing security challenges on a global scale
Where it all starts Addressing security challenges on a global scale
What to cover • Introduction to basic PKI principles • Use of PKI within Identity Management • Use of PKI for IP Security (IPSec) • Use of PKI for RFID identification • Use of PKI within cloud computing Addressing security challenges on a global scale
Public-key Certificates The public-key certificate is the basic concept for public-key infrastructure (PKI). Public-key certificate A public-key certificate provides the binding between a name and a public key for a user for a given period and is issued and confirmed by a Certification Authority (CA). Name of user Public key Signed by Certification Authority (CA)
Can I trust a certificate? • A certificate may have expired • The corresponding private key may be compromised • The CA policy for issuing certificates may not be satisfactory • A certificate my be a forgery as the CA's private key may be compromised • Etc. PKI Addressing security challenges on a global scale
Public-Key Infrastructure (PKI) Security is about Trust! • PKI is an infrastructure for checking the validity or quality of a presented public-key certificate • A PKI consists of a number of interworking components • Somewhere there must be a trustanchor Addressing security challenges on a global scale
Relationship with IdM (Identity proofing) • Name to be verified by the Certification Authority or Registration Authority • Uniqueness • Proof of identity • Legal right to name • Level of verification depending on use of certificate • Part of Identity Management (IdM) • Guidelines provided by • ITU-T SG 17 IdM group • CA Browser Forum • ETSI ESI activity • Rules may be expressed in a Certificate Policy document Public-key certificate IdM Name of user Public key Pointer to policy Addressing security challenges on a global scale
IP Security (IPsec) • Specified in RFC 4301 • Provides end-to-end protection for all applications using this end-to-end connection • Uses shared cryptographic keys for authentication, integrity, and confidentiality of data • Uses Internet Key Exchange (IKE) for establishing shared keys (security association) - RFC 5996 • Diffie-Hellman key exchange is used by IKE for that purpose (RFC 3526) Addressing security challenges on a global scale
Problem using Internet Key Exchange without PKI Bob Alice Diffie-Hellman key exchange Bob ”Man-in-the-middle” Alice Diffie-Hellman key exchange Diffie-Hellman key exchange Addressing security challenges on a global scale
Using Internet Key Exchange with PKI Bob Alice Diffie-Hellman key exchange using digital signature and optionally certificate information A man-in-the-middle will be detected! Addressing security challenges on a global scale
Radio-Frequency Identification - Directory infrastructure RFIDreader Clientsystem RFIDtag RFID • The RFID tag contains information, including a unique identity • The unique identity is used access information associated with the tag Addressing security challenges on a global scale
Protecting RFID information RFID tag Unique identity Information Signature over essential information Pharmaceutical drugs from Counterfeit Drugs Inc. • Signature produced by private key of vendor (tag creator) • Signature not produced using Roche’s private key • Signature checked using Rotch’s public key • Signature check fails RFID tag says:Pharmaceutical drugs from Roche Ltd. Addressing security challenges on a global scale
Radio-Frequency Identification (RFID) Directory infrastructure RFIDreader Clientsystem Identifier Signed Info RFIDtag Search using identifier as search criterion Certificate information Other Information Addressing security challenges on a global scale
Authentication and authority for Cloud Computing • Generally of importance • Check of identity • Check of privileges • Even of greater importance for Cloud Computing • A Public-key certificate may contain privilege information • Alternatively, an attribute certificate may be used Public-key certificate Name of user Public key Attributecertificate Privileges Privileges Addressing security challenges on a global scale
Identity and privilege issues for hybrid clouds Hybrid Cloud Private Cloud Public Cloud Cloud • Clouds with multiple service providers/hybrid clouds: • Different privileges • different identities • danger of complex key management Addressing security challenges on a global scale
Authentication and authority for Cloud Computing • ITU-T Study Group 17, Question 11 has the issue on its to-do list • It has relationship with Identity Management • One solution may be use of attribute certificates • Attribute certificate: • Used for assigning privileges to user • Points to user , e.g., by pointer to user's public-key certificate Addressing security challenges on a global scale
END Addressing security challenges on a global scale