170 likes | 408 Views
ITU Workshop on “Caller ID Spoofing” (Geneva, Switzerland, 2 June 2014). Introduction to public-key infrastructure (PKI). Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu. PKI and PMI. Public-key certificates: The basis for public-key infrastructure ( PKI )
E N D
ITU Workshop on “Caller ID Spoofing” (Geneva, Switzerland, 2 June 2014) Introduction topublic-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 era@x500.eu
PKI and PMI • Public-key certificates: The basis for public-key infrastructure (PKI) • Attribute certificates: The basis for privilege management infrastructure (PMI) • Rec. ITU-T X.509 | ISO/IEC 9594-8 base specification for both types of infrastructure
Facts about X.509 • Part of the X.500 Series of Recommendations • Also issued as ISO/IEC 9594-8 • Issued in seven editions • First edition in 1988 • Eight edition on its way • Number one in downloads • Defines: • Public key/private key principles • Public-key certificates • Public-key infrastructure (PKI) • Attribute certificates • Privilege management infrastructure (PMI) PKI
Asymmetric cryptography Asymmetric cryptography is basic technology behind PKI and PMI A B Private key Public key Action using private key Resolving using public key Resolving using private key Action using public key
PKI entities End entity Certificate & CRL repository (e.g., an LDAP or X.500 directory) Registration Authority CA CRL Issuer CA
Certifying the identity usingpublic-key certificates Certification Authority OK Anna
Public-key certificate Version Serial number Algorithm Issuer Validity Subject Public key info Issuer unique id Version 2 (do not use!) Subject unique id Version 3 - Important Extensions Digital signature of issuer
Extensions The extension concept allows adding additional information to a public-key certificate. Organizations may define own extensions. If the information changes, the public-key certificate has to be renewed.
Certification authority (CA) • NOT: Certificate authority • Verify the identity of the subject • Verify the position of the key-pair • Verify the other information as required • Issues and sign the public-key certificate • Maintain revocation status • Publishes revocation status
Checking the credentials Relying party Subject A passport is a type of certificate binding a picture to a subject ID Has to be issued by a trustworthy authority A passport may be false It is checked by the validator, also called the relying party
Trust Would you buy a certificate of this man? Would you trust a certificate issued by this man? Certificates
Hierarchical Structure Trust anchor CA CA CA CA CA CA EE EE EE EE EE EE EE EE CA = Certification authority EE = End entity
Trust anchor • Trusted by a relying party • Trust anchor information: • Configured into relying party • Public-key certificate • or similar information
Certificate Revocation List (CRLs) Version Algorithm Issuer Time for this update Time for next update Certificate Serial Number Revoked Certificate Revocation Date Extensions Certificate Serial Number Revoked Certificate Revocation Date Extensions CRL Extensions Digital signature of issuer
Online Certificate Status Protocol (OCSP) OCSP responder OCSP client OCSP request OCSP response
Validation procedure TrustAnchor Storing ofTrust AnchorInformation CA User system B (Relying Party) Check ofrevocation CA Signeddata User system A (end entity)
Where to go The central source for information on theX.500 Directory Standard including X.509. www.x500standard.com