1 / 24

PKI

PKI. Notes. If have a Dell see use about a CDROM to install Debian. Have try computers as soon as possible. Both Derick & Dr. Munger can check off. Derick will mail list of what to do in the lab. What is PKI.

dale
Download Presentation

PKI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. PKI

  2. Notes • If have a Dell see use about a CDROM to install Debian. • Have try computers as soon as possible. • Both Derick & Dr. Munger can check off. • Derick will mail list of what to do in the lab.

  3. What is PKI • Public-key infrastructure (PKI) is the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on the Internet. • PKIs integrate digital certificates, public-key cryptography, and certificate authorities into a total, enterprise-wide network security architecture. A typical enterprise's PKI encompasses the issuance of digital certificates to individual users and servers; end-user enrollment software; integration with corporate certificate directories; tools for managing, renewing, and revoking certificates; and related services and support.

  4. PKI protects your information assets : • * Authenticate identity. • * Verify integrity. • * Ensure privacy.. • * Authorize access. • * Authorize transactions. • * Support for nonrepudiation.

  5. Open/Closed PKI • Closed PKI. • need a special software interface from the PKI vendor to work with the certificates. • Open PKI. • Applications interface seamlessly with certificates issued under an open PKI, the roots of which are already embedded. Open PKI systems allow enterprises to become their own CA, while taking advantage of the PKI vendor's service and support.

  6. PKI & PKIX • PKI -- Public Key Infrustructure • PKIX -- PKI using X50* as a basis • X500 -- Simplified standard • X509 -- PKI standard

  7. Trust Models • Monopoly Model -- One company controls all. • Monopoly + RA -- Add authorized organizations to check others. • Delegated CAs • Oligarchy • Anarchy • Name Constraints • Top-Down with name constraints • Bottom-Up with Name Constraints

  8. Monopoly • One trusted authority • If broken into all is gone • Someone else who is not forced to listen controls your keys • Difficult to changes after deployed • Not scaleable -- can be come a bottleneck. • Problems of a monopoly: • Quality control degenerates • Cost goes up • Security goes down. -- corruption & bribes

  9. Monopoly + RA • Breaks the bottle neck but has all the other problems

  10. Delegated CA • Difference is whether Alice sees a chain of certificates or just a single certificate. • Has many of the same problem of Monopoly.

  11. Oligarchy • Few rule (Greek) • Used in browsers. • Over 80 trust anchors • Competition instead of Monopoly • Users does not know who to trust and ends up trusting everyone.

  12. Questions • How far will user go? • Accept a certificate signed by unknown CA? • Accept a certificate without being asked? • Always accept certificates from this CA? • Accept certificates from any CA? • Since you are so trusting would you allow me to randomly edit files on your harddrive?

  13. Anarchy • Model use by PGP • Each user is responsible to establish his own database. • Would be large and not up to date. • Chains would be very complex?

  14. Name constraints • Have a range of trustworthiness of a CA! • They are only trustworthy in their domain. • User must be certified in each domain. Can have different keys in each.

  15. Top-Down with Name Constraints • Similar to Monopoly. • Domain gets certificate from central authority and then certifies in its domain. • Has all the problems of the Monopoly. Cause by a central authority.

  16. Bottom-Up with Name Constraints • Model favored by authors. • Not deployed but Lotus Notes is close. • Originated in the late 80s • The parent certifies the child name the child certifies the parents name. • Then Alice must find a chain in the certification from Bob to someone that Alice trusts. • The search could be difficult.

  17. Advantages Are • Easy to find route in most cases. • Policy says if they are known then you trust them. • PKI can be deployed without having a central authority. • Since chains do not go outside your own organization then security is the best.(under your control) • Replacing keys is easy. • None of the problems of a monopoly. • Configuration is easy.

  18. Relative name • Using domain names as a example • Full name --> pmunger.wmunger.com • Relative name --> pmunger • Child would carry only the extension of the name and then the parents name. • Reorganization is easier. Since the name is the same only the parent changes.

  19. Name Constraints • Adopted by PKIX • List of names which the issuer is trusted to certify. • Parent would contain any names except myself and below. • Authors still argue bottom-up best. But strict up*-cross once- down* could be useful.

  20. Policies in Certificates • PKI in PEM (privacy enhanced mail) allows for a CA to put policies in the certificate. Can allow a definition of security clearance needed. • Allow future hierachies with different policies. • OID Object Identifier.

  21. Revocation • Could get by without a time to live. • But would have to have a large list. • List needs to be published often and at given intervals. So no one can get on the list and then be removed. • Used some on the internet since some browsers do not check the expiration date. • Helps CA who receive money to make money.

  22. Revocation Mechanisms • Delta CRL (Certificate revocation list) list only changes. • First valid Certificate. Serial number that is the first valid one. • OLRS(on-line revocation server) -- monopoly problems. • Good-list/Bad-lists • Good list gives Info -- but info probably not a problem.

  23. Directories & PKI • LDAP is a directory. • DNS • Not really used

  24. Sources • http://verisign.netscape.com/security/pki/understanding.html • http://www.ietf.org/rfc/rfc2693.txt

More Related