230 likes | 357 Views
Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military Technical Academy Bucharest, Romania. Information Security Requirements. Confidentiality
E N D
Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military Technical Academy Bucharest, Romania
Information Security Requirements Confidentiality • protection from disclosure to unauthorized persons Integrity • Maintaining data consistency Authentication • Assurance of identity of person or data originator Non-repudiation • Communication originator can’t deny it later
Digital Certificate • Is a person really who claim? • The public key really belongs to this person?
What is PKI-Public Key Infrastructure- PKI refers to theservicesproviding: • generation, production, distribution, control,revocation,archive of certificates • management of keys, • support to applications providing confidentiality and authentication of network transactions.
PKI for Military Use • provide secure interoperability throughout the military organizations and with its partners- government, industry and academia; • standards based; • uses commercial PKI products to minimize the investment; • support digital signature and key exchange; • support key recovery; • support Federal Information Processing Standards- FIPS compliance requirements.
CA’s are Trusted to Do • A central administration -issues certificates: -company to its employees -university to its students -public CA (like VeriSign) to clients • The CA mustkeep confidential his Private Keyused to sign certificates • The CA doesnot assign different certificates the same serial number • The CA makes sureall the information in a certificate is correct • Up to date Certificate Revocation List (CRL)
Our PKI Research/ Study -directions- • Understanding PKI technology and establish • applications demanding PKI • PKI architecture • Analysis of the possibilities/facilities of a vendor CA software-RSA Keon • Developing our own CA software, using Eric Young Open SSL library • Defining an adequate certificate policy and practice statement
PKI Main Applications • Paperless Office-Document & E-mail Signing and Protecting • Secure Web- User Authentication and Secure Communications • Security in Organization’s Intranet/Extranet-VPN • Certificate Authority-for the Romanian (Military) Internet Users
Deploying a PKI -Main steps- • Analysis of Operational Requirements • Establish PKI Applications • Defining security policies • Defining a deployment road map • Establish the infrastructure (PKI & CA Design) • Personnel Selection • Hardware and Software Acquisition • PKI Training • Management & Administration
Defense PKI (DPKI) • ·Generation, production, distribution, control, revocation, archive of public key certificates; • ·Management of keys; • · Support to applications providing confidentiality and authentication of network transactions; • ·Data integrity; • ·Non-repudiation.
Certificate Clases For DPKI, it can adopt a certificate policy, which uses 3 classes of certificates: ·Low Class Certificates (for unclassified/sensitive information on classified network)- May be used for: ÞDigital signatures for classified information on encrypted network; ÞKey exchange for the protection (confidentiality) of communities of persons on encrypted networks; ÞNon-repudiation for medium value financial or for electronic commerce applications.
Certificate Clases ·Medium Class Certificates (for unclassified/sensitive information on classified network)-. May be used for: ÞDigital signatures for unclassified mission critical and national security information on un encrypted network ÞKey exchange for the confidentiality of high valued compartmented information on encrypted networks or classified data over unencrypted networks ÞProtection information crossing classification boundaring ÞNon-repudiation for large financial or for electronic commerce applications. · .
Certificate Clases ··High Class Certificates (for classified information on open network)- May be used for: ÞDigital signatures for authentication of subscriber identity for accessing classified information over unprotected networks ÞKey exchange for confidentiality of classified information over unencrypted networks ÞDigital signatures for authentication of key material in support of providing confidentiality for classified information over unprotected networks. .
CONCLUSIONS • PKI -simplifies the management of security • RAF structures and organizations can spend less time worrying about security, and more energy on their main activities (confidential documents no longer need to wait for days to be physically shipped; instead, they can be securely sent through e-mail) • Web servers can allow secure access for only designated users • Military organization networks can securely extend over the Internet, eliminating expensive leased data lines • PKI’s possibilities are limitless
CONCLUSIONS • ForRomanian Armed Forces, the Public Key Infrastructure (PKI) capability may adopt the following components: -Root Certificate Authority -Certificate Authorities -Local Registration Authorities, -Certificate Directory, and principles: -use commercial and/or proprietary products, -use smart cards for protection of private keys and certificates, processing digital signature, access control.
CONCLUSION ? Steve Bellovin AT&T Security Guru “-What are the strongest defenses? -There aren’t any”