1 / 17

Use of Public-Key Infrastructure (PKI)

Use of Public-Key Infrastructure (PKI). Erik Andersen Association for the Directory Information and Related Search Industry (EIDQ - http://www.eidq.org ) Andersen's L-Service consultancy Rapporteur for Directory services, Directory systems, and public-key/attribute certificates era@x500.eu.

conley
Download Presentation

Use of Public-Key Infrastructure (PKI)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Use of Public-Key Infrastructure (PKI) Erik Andersen Association for the Directory Information and RelatedSearch Industry (EIDQ - http://www.eidq.org ) Andersen's L-Service consultancy Rapporteur for Directory services, Directory systems, and public-key/attribute certificates era@x500.eu Addressing security challenges on a global scale

  2. Where it all starts Addressing security challenges on a global scale

  3. What to cover • Introduction to basic PKI principles • Use of PKI within Identity Management • Use of PKI for IP Security (IPSec) • Use of PKI for RFID identification • Use of PKI within cloud computing Addressing security challenges on a global scale

  4. Public-key Certificates The public-key certificate is the basic concept for public-key infrastructure (PKI). Public-key certificate A public-key certificate provides the binding between a name and a public key for a user for a given period and is issued and confirmed by a Certification Authority (CA). Name of user Public key Signed by Certification Authority (CA)

  5. Can I trust a certificate? • A certificate may have expired • The corresponding private key may be compromised • The CA policy for issuing certificates may not be satisfactory • A certificate my be a forgery as the CA's private key may be compromised • Etc. PKI Addressing security challenges on a global scale

  6. Public-Key Infrastructure (PKI) Security is about Trust! • PKI is an infrastructure for checking the validity or quality of a presented public-key certificate • A PKI consists of a number of interworking components • Somewhere there must be a trustanchor Addressing security challenges on a global scale

  7. Relationship with IdM (Identity proofing) • Name to be verified by the Certification Authority or Registration Authority • Uniqueness • Proof of identity • Legal right to name • Level of verification depending on use of certificate • Part of Identity Management (IdM) • Guidelines provided by • ITU-T SG 17 IdM group • CA Browser Forum • ETSI ESI activity • Rules may be expressed in a Certificate Policy document Public-key certificate IdM Name of user Public key Pointer to policy Addressing security challenges on a global scale

  8. IP Security (IPsec) • Specified in RFC 4301 • Provides end-to-end protection for all applications using this end-to-end connection • Uses shared cryptographic keys for authentication, integrity, and confidentiality of data • Uses Internet Key Exchange (IKE) for establishing shared keys (security association) - RFC 5996 • Diffie-Hellman key exchange is used by IKE for that purpose (RFC 3526) Addressing security challenges on a global scale

  9. Problem using Internet Key Exchange without PKI Bob Alice Diffie-Hellman key exchange Bob ”Man-in-the-middle” Alice Diffie-Hellman key exchange Diffie-Hellman key exchange Addressing security challenges on a global scale

  10. Using Internet Key Exchange with PKI Bob Alice Diffie-Hellman key exchange using digital signature and optionally certificate information A man-in-the-middle will be detected! Addressing security challenges on a global scale

  11. Radio-Frequency Identification - Directory infrastructure RFIDreader Clientsystem RFIDtag RFID • The RFID tag contains information, including a unique identity • The unique identity is used access information associated with the tag Addressing security challenges on a global scale

  12. Protecting RFID information RFID tag Unique identity Information Signature over essential information Pharmaceutical drugs from Counterfeit Drugs Inc. • Signature produced by private key of vendor (tag creator) • Signature not produced using Roche’s private key • Signature checked using Rotch’s public key • Signature check fails RFID tag says:Pharmaceutical drugs from Roche Ltd. Addressing security challenges on a global scale

  13. Radio-Frequency Identification (RFID) Directory infrastructure RFIDreader Clientsystem Identifier Signed Info RFIDtag Search using identifier as search criterion Certificate information Other Information Addressing security challenges on a global scale

  14. Authentication and authority for Cloud Computing • Generally of importance • Check of identity • Check of privileges • Even of greater importance for Cloud Computing • A Public-key certificate may contain privilege information • Alternatively, an attribute certificate may be used Public-key certificate Name of user Public key Attributecertificate Privileges Privileges Addressing security challenges on a global scale

  15. Identity and privilege issues for hybrid clouds Hybrid Cloud Private Cloud Public Cloud Cloud • Clouds with multiple service providers/hybrid clouds: • Different privileges • different identities • danger of complex key management Addressing security challenges on a global scale

  16. Authentication and authority for Cloud Computing • ITU-T Study Group 17, Question 11 has the issue on its to-do list • It has relationship with Identity Management • One solution may be use of attribute certificates • Attribute certificate: • Used for assigning privileges to user • Points to user , e.g., by pointer to user's public-key certificate Addressing security challenges on a global scale

  17. END Addressing security challenges on a global scale

More Related