How to Start a PKI: A Practical Guide
Dr. Javier Torner
Information Security Officer, Professor of Physics
Agenda
• Why do you need a PKI?
• Basic Cryptography
• “Near Future” PKI Applications
• PKI Components and Services
• Deployment of a PKI
Why do you need a PKI?
• Protects against eavesdropping
• Protects against tampering
• Prevents impersonation
  • Spoofing
  • Misrepresentation
• Provides stronger authentication
Basic Cryptography
• Use of keys for encryption and decryption
• Types of keys
  • Symmetric-key encryption
    • Uses ONE single key (a shared secret)
    • Efficient
    • Provides a minor degree of authentication
    • Only effective if the symmetric key is kept secret!!
  • Public-key encryption (asymmetric encryption)
    • Involves a pair of keys:
      • Public key – published
      • Private key – kept secret
• Key length and encryption strength
  • The strength of encryption is related to the difficulty of discovering the key
  • Encryption strength is described in terms of key size
Public Key Cryptography Provides:
• Encryption and decryption
• Strong authentication
• Non-repudiation
• Tamper detection
What is a Certificate?
• A certificate is an electronic document used to identify:
  • An individual
  • A server
  • A company
  • Other entities
• A certificate associates an identity with a public key
What is a Certificate Authority?
• A Certificate Authority (CA)
  • validates identities
  • issues certificates
• Validation/assurance of identity
  • depends on the policies of the given CA
Contents of a Certificate
• A certificate (X.509 v3) binds a Distinguished Name (DN) to a public key.
• A DN is a series of “values” that uniquely identify an identity. For example:
  cn=Javier Torner, email=jtorner@csusb.edu, o=California State University San Bernardino, ou=Information Security Office
Near Future Applications
• Digital signatures (S/MIME)
• Mail encryption
• Certificate revocation
• SSL client certificates to POP/IMAP
• SSL client certificates to NNTP
• SSL client certificates for network access
• Hardware tokens – two-factor authentication
PKI Components and Services
• Certificate repository
• Certificate revocation
• Key backup and recovery
• Support for non-repudiation
• Time stamping
• Client software
PKI Phases
• Phase 0 – Basic infrastructure
  • Implement a Certificate Authority
  • Hierarchy structure
• Phase I – Authorization
• Phase II – Authentication
• Phase III – Incorporate a trusted bridge
PKI - Phase 0
• Define a Certificate Practice Statement
• Define a CA hierarchy
  • Root CA
  • Master or secondary CAs
    • SSL (web server) CA
    • SSL clients CA
    • E-mail/encryption CA
    • Object CA
CA Certificate Practice Statement
• An easy way to start is to use PKI-Lite
• Edit/modify it for your institution
• The technology has been around for some time, but it is still relatively new in practice
PKI - Phase I
• Select software
  • OpenSSL, OpenCA
• Issue SSL server certificates
  • Class 3 web server certificates
• Develop/enable a user request interface
• Provide user education
• SSL client certificates
  • Start with certificates for authentication “ONLY”
  • Test on controlled systems
    • ISO sites
SSL Client Certificates
• Provide the ability to authenticate (primarily web) users with certificates issued by your institution
• Allow you to easily restrict who can use your data based on criteria within the certificate
Contents of a Phase I Server Certificate
• CN=www.infosec.csusb.edu
• Email=
• OU=Information Security Office
• O=California State University San Bernardino
• L=San Bernardino
• ST=California
• C=US
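The Phase 0 hierarchy (root CA above a secondary SSL web-server CA) and the Phase I server certificate above, carried out with the openssl CLI named in Phase I. This is an added example, not material from the slides; it assumes openssl 1.1.1 or newer on PATH, and the CA names "Root CA" and "SSL Web Server CA" are constructed for illustration.

```shell
# Added example (not from the slides): build Root CA -> SSL web server CA with the openssl CLI,
# issue the Phase I server certificate, and verify the chain the way a relying party would.
# Assumptions: openssl 1.1.1+ on PATH; CA names "Root CA" / "SSL Web Server CA" are constructed.
ORG="/C=US/O=California State University San Bernardino/OU=Information Security Office"

# Build root CA, subordinate SSL CA and server certificate under directory $1.
# Runs in a subshell so the cd does not leak; returns 0 only if every step succeeded.
build_hierarchy() (
  mkdir -p "$1" && cd "$1" || exit 1

  # Root CA: self-signed; pathlen:1 allows exactly one tier of subordinate CAs beneath it
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:1' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > root.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "$ORG/CN=Root CA" >/dev/null 2>&1 || exit 1
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
    -extfile root.ext -out root.pem >/dev/null 2>&1 || exit 1

  # SSL (web server) CA: signed by the root; pathlen:0 means it may only issue end-entity certs
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid' > sslca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout sslca.key -out sslca.csr \
    -subj "$ORG/CN=SSL Web Server CA" >/dev/null 2>&1 || exit 1
  openssl x509 -req -in sslca.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 \
    -sha256 -extfile sslca.ext -out sslca.pem >/dev/null 2>&1 || exit 1

  # Server certificate with the Phase I DN: CA:FALSE, serverAuth only, SAN matching the CN
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:www.infosec.csusb.edu' 'authorityKeyIdentifier=keyid' > server.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/C=US/ST=California/L=San Bernardino/O=California State University San Bernardino/OU=Information Security Office/CN=www.infosec.csusb.edu" \
    >/dev/null 2>&1 || exit 1
  openssl x509 -req -in server.csr -CA sslca.pem -CAkey sslca.key -CAcreateserial -days 365 \
    -sha256 -extfile server.ext -out server.pem >/dev/null 2>&1 || exit 1
)

# What a relying party does: trust only the root and supply the SSL CA as an untrusted intermediate.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/sslca.pem" "$1/server.pem" >/dev/null 2>&1
}

# Same check without the intermediate must fail: the root never signed the server certificate directly.
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# Usage: build_hierarchy /tmp/pki-demo && verify_chain /tmp/pki-demo && echo "chain OK"
```

Inspect the issued certificate with `openssl x509 -in /tmp/pki-demo/server.pem -noout -text` to compare its subject and extensions with the slide.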
Contents of a Phase II ID Certificate
• CN=Javier Torner
• Email=jtorner@csusb.edu
• OU=Information Security Office
• O=California State University San Bernardino
• L=San Bernardino
• ST=California
• C=US
The Future of PKI
• Phase 3 – Federated
• Application design
• CA development
Valuable Resources
• http://www.modssl.org
• http://www.openssl.org
• http://www.openca.org
• http://www.educause.edu/HEPKI
• Understanding PKI – Carlisle Adams and Steve Lloyd (ISBN 1-57870-166-x)
• Digital Certificates – Jalal Feghhi, Jalil Feghhi, Peter Williams (ISBN 0-201-30980-7)