240 likes | 550 Views
Overview of PKI. Perry Tancredi VeriSign, Inc. ptancredi@verisign.com. Agenda. PKI Defined Terminology Key Techncial Concepts Key Infrastructure Concepts Practical Uses What Who Why Important Considerations of Being a CA. PKI – Public Key Infrastructure.
E N D
Overview of PKI Perry Tancredi VeriSign, Inc. ptancredi@verisign.com
Agenda • PKI Defined • Terminology • Key Techncial Concepts • Key Infrastructure Concepts • Practical Uses • What • Who • Why • Important Considerations of Being a CA
PKI – Public Key Infrastructure The sum total of the hardware, software, people, processes, and policies that, together, using the technology of asymmetric cryptography, facilitate the creation of a verifiable association between a public key (the public component of an asymmetric key pair) and the identity (and/or other attributes) of the holder of the corresponding private key (the private component of that pair), for uses such as authenticating the identity of a specific entity, ensuring the integrity of information, providing support for nonrepudiation, and establishing an encrypted communications section – PKI Assessment Guidelines v3.0 Information Security Committee American Bar Association
Basic PKI Security Functions • Authentication • Be sure you know who you are communicating with • Confidentiality • Keep secrets secret • Integrity • Be sure nothing is changed behind your back • Access Control • Control who can access what • Non-repudiation • Have the evidence in the event of a dispute
PKI Terminology and Concepts • Hashing functions • Symmetric encryption and decryption • Session key • Asymmetric encryption and decryption • Key pair • Digital signature • Digital certificate • Certification Authorities (CA) • Registration Authorities (RA) • Hierarchy of trust
It was the best of thymes, it was the worst of times Small Difference Hash Function Hash Function 3au8 e43j jm8x g84w b6hy 8dhy w72k 5pqd Hash Functions It was the best of times, it was the worst of times Large Difference Examples: MD5 (128 bit), SHA-1 (160 bit)
Symmetric Key Cryptography – Encryption • DES, AES, RC2, RC5 • Problems: • Alice and Bob must agree on the secret key without anyone else finding out • Anyone who intercepts the key in transit can later read, modify, and forge all messages encrypted using that key • Doesn’t Scale Common key Message Message Encrypted Message A B Encrypt Decrypt Eavesdropper
Asymmetric Key Cryptography – Encryption • RSA, ECC, IDEA • Problems: • Key exchange has to be done in a secure way • Encryption and decryption are extremely SLOW Public key Message Private key Message Encrypted Message A B Encrypt Decrypt Eavesdropper
Message Generate Sym Key Encrypt Message Encrypted Message Encrypted Sym Key Encrypt Sym Key Public Key Encryption Symmetric keys encrypt data; Public keys encrypt symmetric keys = Private Key = Public Key = Symmetric Key Alice Bob Encrypt with Bob’s Public Key
Decrypt Sym Key Decrypt Message Message Decrypt with Bob’s Private Key Public-Key – Decryption = Private Key = Public Key Bob = Symmetric Key Encrypted Message Encrypted Sym Key Public key and symmetric key cryptography are complementary technologies
Transmitted Message Hash Function Hash Function Decrypt Signature Signature Message Digest Message Digest Expected Digest Encrypt If these are the same, then the message has not changed Public-Key – Signature & Verification Hashing + Encryption = Signature Creation Bob Receiver Sender Alice Hashing + Decryption = Signature Verification
Message Generate Sym Key Encrypt Message Encrypted Message Encrypted Sym Key Encrypt Sym Key Public-Key – Encryption Alice Bob
PKI as DMV CAs (root CA) (intermediate CAs) Certs CAs are like the government agencies RAs are like the local registries offices
Certificate Authority • An organization that issues certificates • Usually a trusted third party • Backs the information in the certificate
Registration Authority • Performs functions for CA but does not issue certificates directly • Processes requests • Manages certificate lifecycle • Issuance, recovery, revocation, renewal • Distributed
Certificate A message which at least (1) identifies the certification authority issuing it, (2) names or identifies its subscriber, (3) contains the subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it – Digital Signature Guidelines Information Security Committee American Bar Association
Digital Certificates in Use • Secure e-mail • Virtual Private Network (VPN) • Wireless (Wi-Fi) • Web Servers (SSL/TLS) • Network Authentication • Code Signing • Server to Server
Who Uses PKI? • Physical/Logical access • Windows Logon • Government and Industry Mandates • Corporate Banking • Phishing Attacks • Identity Theft • eCommerce • SSL Current demand for certificates • Wireless (WiFi) deployments • Devices • Web Servers • Cable and Satellite • Domain Controllers • VPN • Signed Code • PC • Mobile
Why Use PKI? • Federal Government – HSPD-12 • Calls for the creation of a NIST standard for gov employees and contractors • Builds off of DOD CAC card and External Certification Authority program • DOCSIS (Data Over Cable Service Interface Specification) • Requires that certificates be imbedded in cable modems for device authentication and code signing • HIPAA • Mandates the implementation of security measures to maintain patient privacy • Email encryption of protected heath information (PHI) • FFIEC • Guidance to implement two-factor authentication for Internet Banking • Mandatory compliance by 2006 • Gramm-Leach-Bliley Act • Requires establishment of technical safeguards to ensure confidentiality and integrity for any institution holding financial data
Specific PKI Implementations • The Commonweath of Pennsylvania Justice Network (JNET) • Allows disparate law enforement agencies to share information securely • Barclays Bank • Digital certificates issued to all online clients • Account setup time reduced, trading volume increased • Department of Interior Buruea of Land Management • Smart cards issued to employees for physical and logical access • Certificate use expanded to form signing for paper reduction • State of New Jersey • Allows residents, employees, business partners to share and access informaiton online • Streamlined processes, reduced paper and realized cost savings
What is Difficult about Being a CA? • Understanding PKI risk management • Controlling liability exposure • Conforming to State and Federal Legislation • Policies and Practices • Developing a comprehensive Certificate Policy (CP) and Certification Practices Statement (CPS) • Maintaining trust • Security • Technology • Physical, personnel, administrative, etc. • Operating high availability infrastructure • Maintaining hardware and software
VeriSign PKI Snapshot – 10 Years Later • Carrier Class • Thousands of enterprise and government customers/CAs • 10M+ certificates will be issued in 2005 • 471K+ SSL certificates in the database • Global Presence • Support millions of user and device certificates • More than 25 large-scale PKI affiliate data centers worldwide • VeriSign: the PKI company • Our first business, our core competence • Full expertise: standards, design, development, operation and support • An integral part of our Intelligent Infrastructure Services
What Makes a Good PKI? • Legislative foundation • Electronic Transactions definitions: Kansas Stat. No. 16-1602 • Use of electronic records and signatures: Kansas Stat. No. 16-1605 • Documented Policies and Procedures • State of Kansas Certificate Policy: IETC Policy 5200 • VeriSign CP and CPS: http://www.verisign.com/repository • Technology • Kansas has outsourced the management of the State of Kansas root CA to VeriSign, the worlds leader in PKI • Personnel, Technical and Security Controls • The Kansas PKI is part of the Kansas IT Governance infrastructure • Kansas appointed personnel act as the RA for the Kansas CA • VeriSign management the CA back-end infrastructure operations