170 likes | 328 Views
Introduction to Public Key Infrastructure. January 2004 CSG Meeting Jim Jokl. Cryptography. Symmetric key cryptography A pre-shared secret is used to encrypt the data Some examples: DES, 3-DES, RC4, etc Public key cryptography A pair of mathematically related keys are generated
E N D
Introduction to Public Key Infrastructure January 2004 CSG Meeting Jim Jokl
Cryptography • Symmetric key cryptography • A pre-shared secret is used to encrypt the data • Some examples: DES, 3-DES, RC4, etc • Public key cryptography • A pair of mathematically related keys are generated • One of the keys, the Public Key, is freely distributed • The other key, the Private Key, is kept confidential • Given one keys, it is computationally very hard to compute the other
EncryptedText PlainText Public Key Cryptography one key • Data encrypted using the public key can only be decrypted by the person with the private key • Likewise, data encrypted with the private key can be decrypted by anyone having a copy of the public key • Assuming that the private key is protected and held by an individual, this is the basis for a digital signature the other key
Digital Signatures and Document Encryption • Public Key operations are too computationally expensive for large volumes of data • Typical digital signature process • Compute the hash of the document • Encrypt the hash using the signer’s private key • Typical document encryption process • Generate a random symmetric cipher key • Encrypt the document using this key • Encrypt the symmetric cipher key using the recipient’s public key
Digital Certificates • A Digital Certificate is: • An object used to bind the identity of a person to their public key • Contains attributes about the person • Contains some information about the identity binding and infrastructure • Digitally signed by a Certification Authority (CA)
Certificate Profiles • A description of the fields in a certificate • Recommended fields to use • Field values • Critical flags • Recommendations for implementers • Example Profile
Certification Authorities (CA) • Certification Authorities • Accept certificate requests from users • Validate the user’s identity • Generate and sign the user’s certificate attesting to the mapping of the identity to the public key • Revoke certificates if needed • Operate under a set of policies and practices • Levels of Assurance
Certification Authorities and Trust • You determine if you trust a certificate by validating all of the certificates starting from the user’s cert up to a root that you trust • 100+ root certificates in my Microsoft store • The “I” in PKI Root Certificate Intermediate Certificate Intermediate Certificate User A Cert User B Cert User D Cert User E Cert User C Cert
PKI, Privacy, and the Pseudo-anonymous CA • As stated earlier: “A certificate binds a person’s identity to their public key” • Typically the “identity” is their name, email address, computing identifier, etc • Poses some interesting privacy concerns in some applications • A pseudo-anonymous CA uses an opaque identifier instead of name/id information
Operating System Support for PKI • Windows 2000/XP • Well integrated out of the box support for PKI • OS-based certificate/key store • APIs for access to crypto providers • Microsoft applications generally support PKI • Many 3rd party applications use OS PKI services • Bridge path validation in XP • Windows 2000 server includes a CA
Operating System Support for PKI • MacOS • Apple has excellent plans to improve their level of OS PKI support to match that of Windows • OS-based certificate/key store exists now and is used by some Apple applications • 3rd party applications should start to use the native support in the future • Linux and general Unix • PKI support generally implemented in applications
Trust, Private Key Protection and Non-repudiation • Digital signatures - based on the idea that only the user has access their private key • A user’s private key is generally protected by the workstation’s operating system • Typical protection is no better than for any password that the user lets the operating system store • Hardware tokens can be used for strong private key protection, mobility, and as a component in a non-repudiation strategy
Two classes of campus PKI applications? • Existing normal processes • A PKI using a light policy/practices framework • Better technology and ease of use for existing services • New applications where passwords would have been sufficient in the past
Two classes of campus PKI applications? • Newer High Assurance services • Access control for critical systems • Authentication for high-value services • HiPAA/FERPA/GLBA • Digital signatures for business processes
Some Campus CA Options • In-source • Commercial CA software • Develop your own or use freely available CA software (typically based on OpenSSL) • KX509 • Outsource to commercial CA • Campus still performs the RA function
Agenda for remainder of session • Motivations for campus PKI deployments • Focus on applications using end-user certificates • Introduction to likely campus PKI applications • National activities • HEBCA, USHER, PKILab, HEPKI, etc • Examples of campus PKI deployments • Wrap-up and discussion