1 / 12

Introduction to PKI, Certificates & Public Key Cryptography

Introduction to PKI, Certificates & Public Key Cryptography. Erwan Lemonnier. Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com. Role of Computer Security. CIA Confidentiality : protection against data disclosure

kyne
Download Presentation

Introduction to PKI, Certificates & Public Key Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Introduction to PKI,Certificates& Public Key Cryptography Erwan Lemonnier

  2. Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Role of Computer Security • CIA • Confidentiality: protection against data disclosure • Integrity: protection against data modification • Availability: protection against data disponibility • Identification & Authentication (I&A) • Provide a way of identifying entities, and controlling this identity • Non-repudiability • Bind an entity to its actions

  3. Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com How to implement CIA, I&A, N-R ? With Cryptography ! • Main cryptographic tools: • Hash Functions • Secret Key Cryptography • Public Key Cryptography • And their combinations: • Certificates • PKI

  4. Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Main cryptographic tools • Hash Functions: • Bind one entity with a unique ID => Signature • Hash + Encryption => trusted signature • Symmetric Key Cryptography • 2 users share a secret key S and • an algorithm. • S(S(M)) = M • Problem: • how to exchange secret keys ? • =>Secret Key Server(ex: kerberos)

  5. Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Main cryptographic tools • Public Key Cryptography: • Each user has a public key P and a private key S, and an algorithm A. • P(S(M)) = S(P(M)) = M • No shared secret ! Encryption with Public Key Crypto Authentication with Public Key Crypto

  6. Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Main cryptographic tools, PKI • How to distribute public keys ? • Public Key Server (PKS), key exchange protocols Public Key Infrastructure (PKI): PKI = N x (Entities with private keys) + public key exchange system REM: Public Key algorithms are slow • Need to use both Public & Secret Key Cryptography • Public Key Protocols work in 3 phases • Authentication via Public Key Cryptography (challenge) • Exchange of a session Secret Key, encrypted with Public Key Crypto • Session encrypted with Symmetric Cryptography

  7. an entity’s description (name, etc.) + entity’s public key + expiration date, serial number, etc. + CA’s name + a signature issued by a CA Certificate = Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Certificate • A certificate binds an entity with its public key. • It’s just a digitally signed piece of data. • digital ID card The certificate is issued and signed by a trusted Certificate Authority (CA) • Digital signature: • CA signature = certificate hash, • encrypted with CA’s private key

  8. Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Certificate • The certificate’s CA is the only entity able to create/modify the certificate • the CA has to be trusted • Certificates enable: • Clients to authenticate servers • Servers to authenticate clients • Public key exchange without Public Key Server • No disclosure of private/secret keys. Certificates are usually stored encrypted. • Special features: • chains of CAs, to distribute the task of issuing Certificates • Certificate Revocation List, to disable certificates

  9. Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Usual cryptographic algorithms & infrastructures Hash: MD4, MD5, SHA-1 Symmetric Key: DES, 3DES, AES (Rijnael), IDEA, RC4 Public/Private Key: RSA, Diffie-Hellman Certificat: X509 PKI: IPSec, SSL, (kerberos)

  10. Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com example: IPSec • IPSec works at IP level. • Provide authentication and encryption. Used to build VPNs. • Configuration: • 2 transfert modes: tunnel or transport • 2 transfert protocols: • AH (Authentication Header) => authenticated traffic • ESP (Encapsulating Security Payload) => encrypted traffic • Key exchange protocols: • Internet Key Exchange (IKE), • Internet Security Association and Key Management Protocol (ISAKMP), • etc.

  11. Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Weaknesses of PKI and Certificates • PKI: • unsecured server: hackable Public Key/Certificate servers • unsecured client: private keys/passwords can be stolen/spied • weak algorithm: short keys, implementation or design breach • Certificate: • unsecured computer: certificates can be stolen, password spied • certificate password: certificates are stored encrypted, with weak password • untrustable CA: easy to be issued a certificate from a CA • users: they seldom check if CA can be trusted before accepting certificates (netscape GUI) • Attack example: • hack client’s computer, steal certificate & password • man in the middle

  12. Introduction to PKI, Certificates & Public Key Cryptography – erwan@defcom.com Links Book: Applied cryptography, Bruce Schneier URLs: theory.lcs.mit.edu/~rivest/crypto-security.html www.counterpane.com/pki-risks.html www.csc.gatech.edu/~copeland/8813/slides/ www.iplanet.com/developer/docs/articles/security/pki.html web.mit.edu/6.857/OldStuff/Fall96/www/main.html

More Related