1 / 17

DIGITAL CERTIFICATES

DIGITAL CERTIFICATES. Prof. Ravi Sandhu. PUBLIC-KEY CERTIFICATES. reliable distribution of public-keys public-key encryption sender needs public key of receiver public-key digital signatures receiver needs public key of sender public-key key agreement both need each other’s public keys.

dora
Download Presentation

DIGITAL CERTIFICATES

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DIGITAL CERTIFICATES Prof. Ravi Sandhu

  2. PUBLIC-KEY CERTIFICATES • reliable distribution of public-keys • public-key encryption • sender needs public key of receiver • public-key digital signatures • receiver needs public key of sender • public-key key agreement • both need each other’s public keys

  3. X.509v1 CERTIFICATE VERSION SERIAL NUMBER SIGNATURE ALGORITHM ISSUER VALIDITY SUBJECT SUBJECT PUBLIC KEY INFO SIGNATURE

  4. X.509v1 CERTIFICATE 1 1234567891011121314 RSA+MD5, 512 C=US, S=VA, O=GMU, OU=ISE 9/9/99-1/1/1 C=US, S=VA, O=GMU, OU=ISE, CN=Ravi Sandhu RSA, 1024, xxxxxxxxxxxxxxxxxxxxxxxxx SIGNATURE

  5. CERTIFICATE TRUST • how to acquire public key of the issuer to verify signature • whether or not to trust certificates signed by the issuer for this subject

  6. PEM CERTIFICATION GRAPH Internet Policy Registration Authority IPRA Policy Certification Authorities (PCAs) PERSONA RESIDENTIAL MID-LEVEL ASSURANCE HIGH ASSURANCE Anonymous MITRE GMU Virginia Certification Authorities (CAs) Abrams LEO Fairfax ISSE Subjects Sandhu Sandhu

  7. SECURE ELECTRONIC TRANSACTIONS (SET) CA HIERARCHY Root Brand Brand Brand Geo-Political Bank Acquirer Customer Merchant

  8. CRL FORMAT SIGNATURE ALGORITHM ISSUER LAST UPDATE NEXT UPDATE REVOKED CERTIFICATES SIGNATURE SERIAL NUMBER REVOCATION DATE

  9. X.509 CERTIFICATES • X.509v1 • very basic • X.509v2 • adds unique identifiers to prevent against reuse of X.500 names • X.509v3 • adds many extensions • can be further extended

  10. X.509v3 CERTIFICATE INNOVATIONS • distinguish various certificates • signature, encryption, key-agreement • identification info in addition to X.500 name • internet names: email addresses, host names, URLs • issuer can state policy and usage • good enough for casual email but not for signing checks • limits on use of signature keys for further certification • extensible • proprietary extensions can be defined and registered • attribute certificates • ongoing work

  11. X.509v2 CRL INNOVATIONS • CRL distribution points • indirect CRLs • delta CRLs • revocation reason • push CRLs

  12. GENERAL HIERARCHICAL STRUCTURE Z X Y Q R S T A C E G I K M O a b c d e f g h i j k l m n o p

  13. GENERAL HIERARCHICAL STRUCTURE WITH ADDED LINKS Z X Y Q R S T A C E G I K M O a b c d e f g h i j k l m n o p

  14. TOP-DOWN HIERARCHICAL STRUCTURE Z X Y Q R S T A C E G I K M O a b c d e f g h i j k l m n o p

  15. FOREST OF HIERARCHIES

  16. MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL X S T Q R A C E G I K M O a b c d e f g h i j k l m n o p

  17. THE CERTIFICATE TRIANGLE user X.509 attribute certificate X.509 identity certificate attribute public-key SPKI certificate

More Related