Introduction to PKI. Mark Franklin, September 10, 2003, Dartmouth College PKI Lab.
Introduction to PKI Technology Dartmouth College PKI Lab

What is PKI?
Public Key Infrastructure: comprehensive security technology and policies using cryptography and standards to enable users to:
• Identify (authenticate) themselves to network services.
• Digitally sign email and other electronic docs and services.
• Encrypt email and other documents to prevent unauthorized access.

Why PKI?
• Uniform way to secure many applications
• Enables digital signing and encryption
• No passwords on the wire
• No need for shared secrets
• Strong underlying security technology
• Widely included in technology products

Dartmouth PKI Lab
• R&D to make PKI a practical component of a campus network
• Multi-campus collaboration sponsored by the Mellon Foundation
• Dual objectives:
  • Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
  • Improve the current state of the art.
    • Identify security issues in current products.
    • Develop solutions to the problems.

Underlying Key Technology
• A pair of asymmetric keys is used, one to encrypt, the other to decrypt.
• Each key can only decrypt data encrypted with the other.
• Invented in 1976 by Whit Diffie and Martin Hellman
• Commercialized by RSA Security

Public and Private Keys
• The "public" key is published far and wide.
• The "private" key is kept a secret by its owner.
• No need to exchange a secret "key" by some other channel.

Applications of PKI
• Authentication and authorization of Web users and servers
  • This is the basis for the SSL protocol used to secure web connections using https.
  • Server authentication is common; user authentication is getting started.
• Secure e-mail (signed and encrypted)
• Electronic signatures
• Data encryption
  • Business documents, databases, executable code
• Network data protection (VPN, wireless)
• Secure instant messaging

What is a certificate?
• A signed data structure (X.509 standard) that binds some information to a public key.
• A trusted entity asserts the validity of the information in the certificate and enforces policies for issuing certificates.
• The certificate information is usually a personal identity or a server name.
• Think of a certificate with its keys as an electronic ID card, encoder/decoder ring, and official signet ring for sealing wax or notary-style stamp.

Encryption
• Asymmetric encryption removes the need for shared secrets.
• Anyone can encrypt with the public key of the recipient.
• Only the recipient can decrypt, with their private key.
• The private key is secret, so “bad guys” can’t read encrypted data.

Digital Signatures
• The signer computes a message digest and encrypts it with their private key.
• The reader decrypts it with the signer's public key.
• The reader re-computes the digest and verifies that it matches the original, which guarantees no one has modified the signed data.
• Only the signer has the private key, so no one else can spoof their digital signature.

What is a certificate authority?
• An organization that creates, publishes, and revokes certificates.
• Verifies the information in the certificate.
• Protects general security and policies of the system and its records.
• Allows you to check certificates so you can decide whether to use them in business transactions.
• collegeca.dartmouth.edu
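
An added example, not part of the original slides: the digest, sign and verify steps from the Digital Signatures slide, combined with a CA-signed certificate as described in the certificate and certificate authority slides, using only the Python standard library. The textbook (unpadded) RSA, the small Mersenne-prime keys, the names alice and mallory, and the dictionary certificate layout are all assumptions for illustration; real PKI uses X.509 encoding, padded signatures and large random keys.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_key(p, q):
    """Toy RSA key pair from two known primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data, n):
    # SHA-256 message digest, reduced mod n only so it fits the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)  # digest transformed with the private key

def verify(data, sig, public):
    n, e = public
    return pow(sig, e, n) == digest(data, n)  # recover digest, compare to recomputed one

def cert_body(subject, public):
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_cert(subject, public, ca_private):
    """CA binds a name to a public key by signing both together."""
    return {"subject": subject, "public": public,
            "sig": sign(cert_body(subject, public), ca_private)}

def check_cert(cert, ca_public):
    return verify(cert_body(cert["subject"], cert["public"]), cert["sig"], ca_public)

def verify_signed_message(msg, sig, cert, ca_public):
    """Trust the message only if the CA vouches for the key and the key for the message."""
    return check_cert(cert, ca_public) and verify(msg, sig, cert["public"])

# Constructed sample keys (Mersenne primes, far too small and structured for real use).
CA_PUB, CA_PRIV = make_key(2**89 - 1, 2**107 - 1)
ALICE_PUB, ALICE_PRIV = make_key(2**61 - 1, 2**127 - 1)
MALLORY_PUB, MALLORY_PRIV = make_key(2**521 - 1, 2**607 - 1)

if __name__ == "__main__":
    cert = issue_cert("alice", ALICE_PUB, CA_PRIV)
    msg = b"Approve purchase order 17"  # constructed sample message
    sig = sign(msg, ALICE_PRIV)
    print(verify_signed_message(msg, sig, cert, CA_PUB))         # genuine message
    print(verify_signed_message(msg + b"0", sig, cert, CA_PUB))  # modified data
    forged = issue_cert("alice", MALLORY_PUB, MALLORY_PRIV)      # not signed by the CA
    print(verify_signed_message(msg, sign(msg, MALLORY_PRIV), forged, CA_PUB))
```

The relying party needs only the CA's public key in advance; every other key it trusts arrives inside a certificate that the CA key verifies.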

Production PKI Applications at Dartmouth
• Dartmouth certificate authority
• Authentication for:
  • Library Electronic Journals (including OVID)
  • Banner SIS
  • Dartflex totals
• S/MIME email

Development PKI Applications at Dartmouth
• Authentication for:
  • Blackboard
  • TuckStreams
  • VPN concentrator
• Hardware tokens
• Digital signatures on documents and forms

For more information
• Dartmouth PKI Lab
  • User information, getting a certificate: http://www.dartmouth.edu/~pki
  • PKI Lab information: http://www.dartmouth.edu/~pkilab
  • Mark.J.Franklin@dartmouth.edu