

  • Number of slides: 17

DIGITAL CERTIFICATES
Prof. Ravi Sandhu

PUBLIC-KEY CERTIFICATES (slide 2)
  • reliable distribution of public keys
  • public-key encryption
      - sender needs public key of receiver
  • public-key digital signatures
      - receiver needs public key of sender
  • public-key key agreement
      - both need each other's public keys
© Ravi Sandhu

X.509 v1 CERTIFICATE (slide 3)
  • VERSION
  • SERIAL NUMBER
  • SIGNATURE ALGORITHM
  • ISSUER
  • VALIDITY
  • SUBJECT
  • PUBLIC KEY INFO
  • SIGNATURE

X.509 v1 CERTIFICATE, filled-in example (slide 4)
  • VERSION: 1
  • SERIAL NUMBER: 1234567891011121314
  • SIGNATURE ALGORITHM: RSA+MD5, 512
  • ISSUER: C=US, S=VA, O=GMU, OU=ISE
  • VALIDITY: 9/9/99 - 1/1/1
  • SUBJECT: C=US, S=VA, O=GMU, OU=ISE, CN=Ravi Sandhu
  • PUBLIC KEY INFO: RSA, 1024, xxxxxxxxxxxxx
  • SIGNATURE

CERTIFICATE TRUST (slide 5)
  • how to acquire the public key of the issuer to verify the signature
  • whether or not to trust certificates signed by the issuer for this subject

PEM CERTIFICATION GRAPH (slide 6; figure)
  • Internet Policy Registration Authority (IPRA)
  • Policy Certification Authorities (PCAs): HIGH ASSURANCE, MID-LEVEL ASSURANCE, PERSONA, RESIDENTIAL
  • Certification Authorities (CAs)
  • Subjects
  Example nodes shown in the figure: MITRE, GMU, Virginia, ISSE, Fairfax, Abrams, Anonymous, LEO, Sandhu

SECURE ELECTRONIC TRANSACTIONS (SET) CA HIERARCHY (slide 7; figure)
  • Root
  • Brand
  • Geo-Political
  • Bank, certifying the Customer; in a parallel branch, Acquirer, certifying the Merchant

CRL FORMAT (slide 8)
  • SIGNATURE ALGORITHM
  • ISSUER
  • LAST UPDATE
  • NEXT UPDATE
  • REVOKED CERTIFICATES, one entry per certificate:
      - SERIAL NUMBER
      - REVOCATION DATE
  • SIGNATURE
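A worked version of slides 4, 5 and 8, added here as an example and not taken from the slide deck: it uses Go's standard crypto/x509 (Go 1.19 or newer is assumed) to build a constructed sample CA, a certificate carrying the issuer, subject and serial number from slide 4, and a CRL with the slide 8 fields, and then makes the slide 5 trust decision. The issuer's key is taken from a trust store rather than from the certificate, and the CRL is honoured only if the issuer signed it and NEXT UPDATE has not passed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { // a failure below is a bug in this constructed fixture, not bad input
	if err != nil {
		panic(err)
	}
	return v
}
// BuildFixture: constructed sample PKI (not a real one): a self-signed CA named like the slide 4 issuer, a leaf for CN=Ravi Sandhu with the slide's serial, and a CA-signed CRL revoking it.
func BuildFixture(now time.Time) (ca, leaf *x509.Certificate, crl *x509.RevocationList) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	name := pkix.Name{Country: []string{"US"}, Province: []string{"VA"}, Organization: []string{"GMU"}, OrganizationalUnit: []string{"ISE"}}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: name, IsCA: true, BasicConstraintsValid: true, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)))) // self-signed root
	name.CommonName = "Ravi Sandhu" // subject = the issuer's name plus a CN, as on slide 4
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(1234567891011121314), Subject: name, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}} // slide 8: last/next update, serial + revocation date
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)))) // issuer and signature come from ca
	return ca, leaf, crl
}
// CheckCertificate makes the slide 5 trust decision: chain cert to the root held in the trust store, then consult the issuer's CRL.
func CheckCertificate(cert, root *x509.Certificate, crl *x509.RevocationList, now time.Time) string {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return "untrusted: " + err.Error() // unknown issuer, bad signature, or outside validity
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return "CRL rejected: " + err.Error() // a CRL not signed by the issuer proves nothing
	}
	if now.After(crl.NextUpdate) {
		return "CRL stale: NextUpdate has passed" // fail closed rather than trust old revocation data
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked on " + rc.RevocationTime.UTC().Format(time.RFC3339)
		}
	}
	return "ok"
}
```

Calling BuildFixture(time.Now()) and passing the results to CheckCertificate reports the sample leaf as revoked; checking it two hours later yields the stale-CRL result, and checking it against a different root yields the untrusted result before the CRL is consulted at all.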

X.509 CERTIFICATES (slide 9)
  • X.509 v1
      - very basic
  • X.509 v2
      - adds unique identifiers to protect against reuse of X.500 names
  • X.509 v3
      - adds many extensions
      - can be further extended

X.509 v3 CERTIFICATE INNOVATIONS (slide 10)
  • distinguish various certificates
      - good enough for casual email but not for signing checks
  • identification info in addition to X.500 name
      - internet names: email addresses, host names, URLs
  • limits on use of signature keys for further certification
  • issuer can state policy and usage
      - signature, encryption, key-agreement
  • extensible
      - proprietary extensions can be defined and registered
  • attribute certificates
      - ongoing work

X.509 v2 CRL INNOVATIONS (slide 11)
  • CRL distribution points
  • indirect CRLs
  • delta CRLs
  • revocation reason
  • push CRLs

GENERAL HIERARCHICAL STRUCTURE (slide 12; figure: a tree whose nodes are labelled Z, X, Y, Q, R, S, T, A, C, E, G, I, K, M, O in upper case and a through p in lower case)

GENERAL HIERARCHICAL STRUCTURE WITH ADDED LINKS (slide 13; figure: the same tree as slide 12 with additional cross links between nodes)

TOP-DOWN HIERARCHICAL STRUCTURE (slide 14; figure: the same node labels as slide 12, arranged top-down)

FOREST OF HIERARCHIES (slide 15; figure)

MULTIPLE ROOT CAs PLUS INTERMEDIATE CAs MODEL (slide 16; figure: nodes labelled X, S, Q, R, T, A, C, E, G, I, K, M, O in upper case and a through p in lower case)

THE CERTIFICATE TRIANGLE (slide 17; figure)
  • vertices: user, public-key, attribute
  • X.509 identity certificate: binds user to public-key
  • X.509 attribute certificate: binds user to attribute
  • SPKI certificate: binds public-key to attribute