1 / 29

Public Key Infrastructures (PKI)

Public Key Infrastructures (PKI). Paper on PKI and Digital Signatures. Symmetric Key versus Public Key Encryption. Key distribution for symmetric keys secure channel for distribution Distributing keys in a group one key per group one key per pair of (group) members

landis
Download Presentation

Public Key Infrastructures (PKI)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Public Key Infrastructures(PKI)

  2. Paper on PKI and Digital Signatures

  3. Symmetric Key versus Public Key Encryption • Key distribution for symmetric keys • secure channel for distribution • Distributing keys in a group • one key per group • one key per pair of (group) members • one key per (group) member • Compare solutions!

  4. Symmetric Key versus Public Key Encryption • Key distribution for symmetric keys • Number of key distributions depends on communication structure (see figure). • One key per pair

  5. Symmetric Key versus Public Key Encryption • Key distribution for symmetric keys by a central server (KDC): • fixed number of distributions (for given n) • However, need security protocol: • public key encryption for distribution • Needham Schroeder • Kerberos

  6. Symmetric Key versus Public Key Encryption • Efficiency • symmetric key: long messages can be processed fast • 7 megabytes per second (DES) • public key: slower, for short messages • digital signatures • (symmetric) key distribution • Problem with public key encryption • binding between public keys and names (identities)

  7. Problems with Public Keys look up of Aicha’s key But Alice has replaced Aicha’s key by her own! sends encr. message What does Alice do?

  8. Signatures • signing • authenticity of identity • expressing (free) will of signer (by an action) • fixing the content (position of signatures) • confirming integrity (according to interpretation of signer) • checking • recognizing identities • checking authenticity of signature (individual signature) • non repudiation (individual signature) • integrity of content • duplication • Content • Identities • Signatures

  9. Signature Scheme : Key Generation • key generation • RSA, El-Gamal • secure environment key pair key pair • key pair • RSA • El-Gamal public publication of keys signature component uses private key signature component uses private key signature generation : secret key on device from the beginning

  10. Signature Scheme: Signature Components • Signature Component • stores secret key • computation of signature • Smart Card, PDA, … • security: access control/information flow policy may be necessary • key pair • RSA • El-Gamal

  11. Signature Scheme : Public Keys key pair key pair Have to kept in trusted public repository.

  12. Signature Scheme : Trust Ccenter Public Repository: for certificates Trust Centre (TC)

  13. Signature Scheme : Registration and Repository • Registration • checking the identity of users Identity Card, … Identity Card, … • Repository • certificates bind identities to public keys • certificates are signed by TC • requests • revocation • security of server Public Repository

  14. Trust Center: Activities Registration Key Generation TC Cert. Auth. Personali- zation Repository

  15. Signature Scheme : Signing Principle of Digital Signature hash private key encr hash value : fingerprint

  16. Signature Scheme : Signing d • Computing hash value • fixed (small) length) • no collisions • trusted viewer problem hash hash(d) hash value : fingerprint

  17. Signature Scheme : Signing • Signature • encryption with secret key • critical: will of signer • protection against manipulation necessary secret key: sk hash(d) encr sig(d,sk) = encr(hash(d),sk)

  18. Signature Scheme : Checking result hash(d) = decr(sig,pk) ?? sig d pk check

  19. Signature Scheme : Verification Validityof Certificates result hash public key of Alice check fingerprint

  20. Infrastructure Root Authority Trust Center Trust Center User User

  21. Signature Scheme : Verification Certificates DN-U(ser) DOC DN-U DN-TC CERT DN-TC DN-ROOT CERT ? = hash decr. ? = ? = ? = ? = • All keys public • DN: distinguished name hash decr. hash decr.

  22. Signature Scheme : Verification • Online Verification • retrieve certificates and root key or • send/store certificates and root key and check revocation online • online certificate check (OCR) • Offline Verification • send/store certificates • store root key (securely) • store revocation list • update intervals

  23. Basic Notions (revisited) • Hash Functions • fixed length digest of (arbitrary) messages • one way function • 160 bit • Message Authentication Code (MAC) • encrypting a digest • Signatures • encrypted hash value (MAC) can be checked using public key

  24. Basic Notions (revisited) • Certificates • binding of public key to identification and authorization data • Certification Authorities • sign certificates (digitally)

  25. Trust Center (German Signature Law) • Key Generation (KG) • for Trust Center • for participants • Certification Authority (CA) • generation of certificates • signing certificates • Personalization (PS) • transferring keys (secret key) and certificates • Registration Authority (RA) • registration of participants • checking their identity

  26. Trust Center • Directory Service (DS) • keeping certificates in a repository • answer requests (checking certificates) • revocation of certificates • Time Stamping Service • attaching time stamps • digitally signed

  27. Naming (X.500)

  28. Naming (X.500)

  29. Certificates (X.509)

More Related