
USING A PUBLIC KEY INFRASTRUCTURE

Chapter 5. USING A PUBLIC KEY INFRASTRUCTURE. CHAPTER OBJECTIVES. Explain what certificates are and how they are used. Describe how a public key infrastructure (PKI) distributes cryptographic keys. Describe the certificate life cycle. Explain how trust models allow a PKI to function.


Presentation Transcript


  1. Chapter 5 USING A PUBLIC KEY INFRASTRUCTURE

  2. CHAPTER OBJECTIVES • Explain what certificates are and how they are used. • Describe how a public key infrastructure (PKI) distributes cryptographic keys. • Describe the certificate life cycle. • Explain how trust models allow a PKI to function. • Describe practical applications of a PKI.

  3. PKI BASICS • Based on public key (asymmetric) cryptography • Relies on a trusted third party • Uses certificates and certification authorities (CAs) • Is an infrastructure or framework, not a product

  4. UNDERSTANDING CERTIFICATE BASICS • A certificate • Is a digital document that binds a public key to an identity • Is used for authentication and secure information exchange • Follows the X.509 v3 certificate standard (profiled for Internet use by RFC 5280)

  5. TRUSTS • PKI depends on a trust model. • PKI is a trusted third-party system: relying parties trust the CA, and therefore the certificates it issues. • Certificates are issued by a CA.

  6. CERTIFICATE COMPONENTS • Subject of the certificate • The subject’s public key • Validity period (not-before and not-after dates) • Serial number, unique per issuing CA (this is what a CRL lists) • Subject identification and location details

  7. CERTIFICATE COMPONENTS (CONT.) • The subject’s distinguished name • The subject’s e-mail address (optional, in the subject name or the Subject Alternative Name extension) • The identification of the issuing CA (the issuer name) • The issuing CA’s signature: a hash of the certificate contents, signed with the CA’s private key

  8. OBTAINING A CERTIFICATE • Enrollment is the process of requesting and receiving a certificate. • The identity of the user or computer is verified by the CA (or a registration authority acting for it), in person or by another method its policy allows. • A unique certificate is built from the verified identity and the subject’s public key. • The new certificate is signed with the CA’s private key; relying parties check that signature with the public key in the CA’s own certificate.

  9. OBTAINING A CERTIFICATE (CONT.)

  10. USES OF CERTIFICATES • Secure e-mail • Secure Web communications • Secure Web sites • Custom security solutions • Smart card logons

  11. USES OF CERTIFICATES (CONT.) • Internet Protocol Security (IPSec) • 802.1X network access control (commonly for wireless) • Encrypting File System (EFS) • Software code signing

  12. USES OF CERTIFICATES (CONT.)

  13. WHAT IS A PKI?

  14. ELEMENTS OF A PKI • Digital certificates • CA • Certificate revocation list (CRL) • CA policies

  15. ELEMENTS OF A PKI (CONT.) • Certificate and CRL distribution points • Management tools • Secured applications and services

  16. CERTIFICATION AUTHORITIES (CAs) • Commercial CA • Private CA

  17. CA POLICIES • Determine the level of trust • Define the CA’s best practices • Define the certificate’s acceptable use policies

  18. CRL PUBLICATION POINTS • A CRL is a CA-signed list of the serial numbers of certificates that CA has revoked; a CRL publication point is the location where the CA makes that list available. • The CRL must be accessible to every relying party that validates the CA’s certificates. • CAs manage and distribute their own CRLs. • Certificates typically include the location of the issuing CA’s CRL (the CRL Distribution Points extension).

  19. CRL DISTRIBUTION

  20. ASPECTS OF THE CERTIFICATE LIFECYCLE • Validity period of a certificate • Renewal • Revocation before expiration • Reasons for revocation

  21. PHASES OF THE CERTIFICATE LIFECYCLE

  22. CERTIFICATE ISSUANCE • CAs require details about the subject before issuing a certificate. • Subjects request certificates through a Web interface or by submitting a certificate request file (a CSR, which carries the subject’s public key and is signed with the matching private key as proof of possession).

  23. HOW TO REQUEST CERTIFICATES

  24. CERTIFICATE RENEWAL • A subject may need to keep using a certificate beyond its validity period. • Renewal issues a new certificate for an existing subject before the old one expires; because the CA already holds a verified identity, it typically does not repeat the full enrollment and identity proofing. CA policy sets whether the existing key pair may be reused or a new one is required.

  25. CERTIFICATE REVOCATION • Revocation can occur • Before a certificate expires • Due to a change in subject identity • Due to misuse of certificates • Due to compromise of the subject’s private key (the most urgent case, since the certificate would otherwise stay valid until it expires) • Revoked certificates are made known through the CRL. • CAs publish CRLs at their distribution points for easy access by users.

  26. KEY MANAGEMENT • Keeping private keys private • Archival or escrow of private keys • Key recovery • Key recovery agents (KRAs) • M of N control: a recovery operation requires M of the N designated agents to cooperate
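The M of N control on slide 26 is usually implemented with Shamir’s threshold secret sharing. What follows is an added example, not part of the original slides, written in POSIX shell: a constructed secret standing in for a key-recovery secret is split into N shares such that any M of them recover it and fewer reveal nothing. The prime 2^31-1, the sample secret 123456789 and the fixed coefficients 42 and 7 are toy values chosen so the arithmetic fits in 64-bit shell integers and the output is reproducible; a production KRA deployment would use a vetted library with a field large enough for a real key.

```shell
#!/bin/sh
# Added example (not from the slides): M of N control over a key-recovery secret,
# implemented as Shamir's threshold secret sharing over GF(P).
# P = 2^31-1 is prime; products of two field elements fit in a 64-bit shell integer.
# It is a toy field size, far too small for real secrets.
P=2147483647

# modpow BASE EXP -> BASE^EXP mod P (square-and-multiply)
modpow() {
  b=$(( $1 % P )); e=$2; r=1
  while [ "$e" -gt 0 ]; do
    if [ $(( e & 1 )) -eq 1 ]; then r=$(( r * b % P )); fi
    b=$(( b * b % P ))
    e=$(( e >> 1 ))
  done
  echo "$r"
}

# modinv A -> A^-1 mod P, via Fermat's little theorem: A^(P-2) mod P
modinv() { modpow "$1" $(( P - 2 )); }

# shamir_split SECRET K N [C1 C2 ...]
# Builds f(x) = SECRET + C1*x + ... + C(K-1)*x^(K-1) over GF(P) and prints N shares
# "x f(x)" for x = 1..N. Coefficients not supplied are drawn from /dev/urandom;
# supplying them makes the output reproducible (used by the demo and the checks).
shamir_split() {
  secret=$1; k=$2; n=$3; shift 3
  coeffs=$secret            # coefficient list, highest degree first
  i=1
  while [ "$i" -lt "$k" ]; do
    if [ $# -gt 0 ]; then c=$1; shift
    else c=$(( $(od -An -N4 -tu4 /dev/urandom) % P )); fi
    coeffs="$c $coeffs"
    i=$(( i + 1 ))
  done
  x=1
  while [ "$x" -le "$n" ]; do
    y=0
    for c in $coeffs; do y=$(( (y * x + c) % P )); done   # Horner evaluation
    echo "$x $y"
    x=$(( x + 1 ))
  done
}

# shamir_combine "x1 y1" "x2 y2" ... -> f(0) by Lagrange interpolation at x = 0.
# With at least K distinct shares this is the secret; with fewer it is some other
# field element that carries no information about the secret.
shamir_combine() {
  acc=0
  for share_i in "$@"; do
    xi=${share_i%% *}; yi=${share_i#* }
    num=1; den=1
    for share_j in "$@"; do
      xj=${share_j%% *}
      if [ "$xj" -ne "$xi" ]; then
        num=$(( num * ((P - xj) % P) % P ))        # product of (0 - xj)
        den=$(( den * ((xi - xj + P) % P) % P ))   # product of (xi - xj)
      fi
    done
    term=$(( yi * num % P * $(modinv "$den") % P ))
    acc=$(( (acc + term) % P ))
  done
  echo "$acc"
}

# Demo: a 3-of-5 split of a constructed secret; fixed coefficients 42 and 7 make it reproducible.
SECRET=123456789
SHARES=$(shamir_split "$SECRET" 3 5 42 7)
echo "$SHARES"
S1=$(echo "$SHARES" | sed -n 1p); S2=$(echo "$SHARES" | sed -n 2p); S3=$(echo "$SHARES" | sed -n 3p)
echo "3 shares: $(shamir_combine "$S1" "$S2" "$S3")"
echo "2 shares: $(shamir_combine "$S1" "$S2")"
```

The demo prints five shares; recombining shares 1, 2 and 3 returns the secret, while shares 1 and 2 alone return 123456775, a value that looks plausible but is unrelated to it. That property is what makes an M of N policy enforceable rather than advisory: no subset of fewer than M agents can reconstruct the escrowed key.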

  27. TRUST MODELS • Root CAs (self-signed certificates that serve as trust anchors) • Trust path (the chain of certificates from a trust anchor down to the end-entity certificate) • Subordinate CA (a CA whose certificate is issued by a parent CA) • Hierarchical CA architecture • Mesh CA architecture (peer CAs cross-certify one another) • Bridge CA architecture (a bridge CA cross-certifies with the root of each participating PKI)

  28. HIERARCHICAL CA ARCHITECTURE
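Slides 8, 18, 25 and 28 together describe one workflow: enrollment through a CSR that the CA signs with its private key, a CRL published at a distribution point named in the certificate, revocation before expiry, and a hierarchical trust path from a root through a subordinate CA. The script below is an added example, not from the slides, that runs that workflow with the openssl command line. The CA names, the host name www.example.test and the CRL URL http://pki.example.test/issuing.crl are constructed placeholders (nothing is fetched from that URL), and the minimal ca.cnf is written only so that openssl ca can keep the issuing CA’s revocation database.

```shell
#!/bin/sh
# Added example, not from the slides: a two-tier hierarchy (root CA -> issuing CA ->
# server certificate) built with the openssl CLI, then a revocation published via CRL.
# All names (Example Root CA, Example Issuing CA, www.example.test, pki.example.test)
# are constructed. Requires OpenSSL 1.1.1 or newer; every file lives in the given DIR.
set -e

# pki_build DIR: enrollment for each tier, then an initial (empty) CRL.
pki_build() {
  ( set -e; cd "$1"
    # Root CA: key pair, then a self-signed certificate (the trust anchor of slide 27).
    # pathlen:1 lets it certify one tier of subordinate CAs and nothing deeper.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
      -keyout root.key -out root.csr 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:1' \
      'keyUsage=critical,keyCertSign,cRLSign' > root.ext
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
      -extfile root.ext -out root.crt 2>/dev/null
    # Issuing CA enrollment (slide 8): the subject makes a key pair and a CSR; the root
    # checks the request and signs the new certificate with the ROOT'S PRIVATE KEY.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Issuing CA" \
      -keyout issuing.key -out issuing.csr 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
      'keyUsage=critical,keyCertSign,cRLSign' > issuing.ext
    openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 1825 -sha256 -extfile issuing.ext -out issuing.crt 2>/dev/null
    # Server enrollment from the issuing CA. The CRL distribution point goes into the
    # certificate (slide 18) so relying parties know where the CA publishes its CRL.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
      -keyout server.key -out server.csr 2>/dev/null
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature,keyEncipherment' \
      'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:www.example.test' \
      'crlDistributionPoints=URI:http://pki.example.test/issuing.crl' > server.ext
    openssl x509 -req -in server.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
      -days 365 -sha256 -extfile server.ext -out server.crt 2>/dev/null
    # Minimal "openssl ca" database so the issuing CA can revoke and sign CRLs.
    printf '%s\n' '[ ca ]' 'default_ca = issuing' '[ issuing ]' 'database = index.txt' \
      'crlnumber = crlnumber' 'certificate = issuing.crt' 'private_key = issuing.key' \
      'default_md = sha256' 'default_crl_days = 7' > ca.cnf
    : > index.txt
    echo 01 > crlnumber
    openssl ca -config ca.cnf -gencrl -out issuing.crl 2>/dev/null   # published CRL, nothing revoked yet
  )
}

# pki_components DIR: the certificate fields from slides 6-7 as openssl prints them.
pki_components() {
  openssl x509 -in "$1/server.crt" -noout -subject -issuer -serial -dates -ext crlDistributionPoints
}

# pki_verify DIR: build the trust path root -> issuing -> server (slide 28) and consult
# the issuing CA's CRL for the server certificate. Prints OK, REVOKED, or FAILED plus reason.
pki_verify() {
  out=$(cd "$1" && openssl verify -crl_check -CAfile root.crt -untrusted issuing.crt \
        -CRLfile issuing.crl server.crt 2>&1 || true)
  case "$out" in
    *"certificate revoked"*) echo REVOKED ;;
    *": OK"*)                echo OK ;;
    *)                       echo "FAILED: $out" ;;
  esac
}

# pki_revoke_server DIR: revoke before expiry (slide 25) and publish a fresh CRL.
pki_revoke_server() {
  ( set -e; cd "$1"
    openssl ca -config ca.cnf -revoke server.crt -crl_reason keyCompromise 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out issuing.crl 2>/dev/null
    openssl crl -in issuing.crl -noout -text | grep -A 3 'Revoked Certificates' || true
  )
}

# Demo in a scratch directory.
PKI_DIR=$(mktemp -d)
pki_build "$PKI_DIR"
pki_components "$PKI_DIR"
echo "before revocation: $(pki_verify "$PKI_DIR")"
pki_revoke_server "$PKI_DIR"
echo "after revocation:  $(pki_verify "$PKI_DIR")"
```

Note what changes between the two pki_verify calls: the server certificate itself is untouched and still inside its validity period, yet the relying party rejects it as soon as the issuing CA publishes a CRL listing its serial number. That is why slide 18 insists the CRL be reachable by every user of the CA’s certificates, and why a client that cannot fetch the CRL (or that skips -crl_check) silently keeps trusting a revoked key.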

  29. MESH CA ARCHITECTURE

  30. BRIDGE CA ARCHITECTURE

  31. APPLYING PKI • Secure Sockets Layer (SSL), since superseded by Transport Layer Security (TLS) • Secure e-mail

  32. SUMMARY • Certificates bind an identity to a public key and allow public keys to be delivered to users and applications. Certificates can verify the identity of a user or computer. • A PKI consists of all the components that enable the creation, distribution, and revocation of certificates, as well as any applications that use certificates for authentication and to encrypt data. • A certificate has a lifecycle that begins when the certificate is created. At the end of its lifecycle it can expire or be renewed. A CA can revoke a certificate at any point in its lifecycle. • Certificate trust models allow users and computers to trust certificates that are issued by multiple CAs without having to trust every CA individually. Common CA trust models are hierarchical, mesh, and bridge architectures. • Certificates are commonly used for authentication and to ensure confidentiality in communications; for example, by Web clients and servers and in secure e-mail.
