1 / 17

Introduction to public-key infrastructure (PKI)

ITU Workshop on “Caller ID Spoofing” (Geneva, Switzerland, 2 June 2014). Introduction to public-key infrastructure (PKI). Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu. PKI and PMI. Public-key certificates: The basis for public-key infrastructure ( PKI )

verity
Download Presentation

Introduction to public-key infrastructure (PKI)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ITU Workshop on “Caller ID Spoofing” (Geneva, Switzerland, 2 June 2014) Introduction topublic-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu

  2. PKI and PMI • Public-key certificates: The basis for public-key infrastructure (PKI) • Attribute certificates: The basis for privilege management infrastructure (PMI) • Rec. ITU-T X.509 | ISO/IEC 9594-8 base specification for both types of infrastructure

  3. Facts about X.509 • Part of the X.500 Series of Recommendations • Also issued as ISO/IEC 9594-8 • Issued in seven editions • First edition in 1988 • Eight edition on its way • Number one in downloads • Defines: • Public key/private key principles • Public-key certificates • Public-key infrastructure (PKI) • Attribute certificates • Privilege management infrastructure (PMI) PKI

  4. Asymmetric cryptography Asymmetric cryptography is basic technology behind PKI and PMI A B Private key Public key Action using private key Resolving using public key Resolving using private key Action using public key

  5. PKI entities End entity Certificate & CRL repository (e.g., an LDAP or X.500 directory) Registration Authority CA CRL Issuer CA

  6. Certifying the identity usingpublic-key certificates Certification Authority OK Anna

  7. Public-key certificate Version Serial number Algorithm Issuer Validity Subject Public key info Issuer unique id Version 2 (do not use!) Subject unique id Version 3 - Important Extensions Digital signature of issuer

  8. Extensions The extension concept allows adding additional information to a public-key certificate. Organizations may define own extensions. If the information changes, the public-key certificate has to be renewed.

  9. Certification authority (CA) • NOT: Certificate authority • Verify the identity of the subject • Verify the position of the key-pair • Verify the other information as required • Issues and sign the public-key certificate • Maintain revocation status • Publishes revocation status

  10. Checking the credentials Relying party Subject A passport is a type of certificate binding a picture to a subject ID Has to be issued by a trustworthy authority A passport may be false It is checked by the validator, also called the relying party

  11. Trust Would you buy a certificate of this man? Would you trust a certificate issued by this man? Certificates

  12. Hierarchical Structure Trust anchor CA CA CA CA CA CA EE EE EE EE EE EE EE EE CA = Certification authority EE = End entity

  13. Trust anchor • Trusted by a relying party • Trust anchor information: • Configured into relying party • Public-key certificate • or similar information

  14. Certificate Revocation List (CRLs) Version Algorithm Issuer Time for this update Time for next update Certificate Serial Number Revoked Certificate Revocation Date Extensions Certificate Serial Number Revoked Certificate Revocation Date Extensions CRL Extensions Digital signature of issuer

  15. Online Certificate Status Protocol (OCSP) OCSP responder OCSP client OCSP request OCSP response

  16. Validation procedure TrustAnchor Storing ofTrust AnchorInformation CA User system B (Relying Party) Check ofrevocation CA Signeddata User system A (end entity)

  17. Where to go The central source for information on theX.500 Directory Standard including X.509. www.x500standard.com

More Related