Number of slides: 26
36th RIPE Meeting, Budapest, 2000
APNIC Certificate Authority Status Report
ASIA PACIFIC NETWORK INFORMATION CENTRE

APNIC CA Project
- Cryptography and PKI overview
- APNIC CA project
- Benefits and costs
- Project plans
- Future developments
- References
- Questions?
Cryptography - Terms
- Public key cryptography
  - A cryptographic technique that uses two different keys: one to encrypt a message and the other to decrypt it
- Keypair
  - A private key and a public key, generated together and used in public key cryptography
- Encryption/Decryption
  - Encoding/decoding a message using a public or a private key

Public Key Cryptography - Encryption (diagram)
The sender retrieves the recipient's public key, encrypts the message with it and transmits the encrypted message; only the holder of the matching private key can decrypt it.

Public Key Cryptography - Digital Signature (diagram)
Signing: hash the message to a digest, apply the signer's private key to the digest to produce the signature, and assemble message and signature into the signed message.
Verification: retrieve the signer's public key, recover the digest from the signature with it, hash the received message independently and compare the two digests. The signature is valid only if they match, so any change to the message, or a signature made with a different key, fails.
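The sign-then-verify flow on the two signature slides, implemented with Go's standard library as an added illustration (this is not code from the APNIC presentation or the APNIC CA project). The `Signer` type, the sample maintainer-update text and the `MAINT-EXAMPLE-AP` name are constructed for the example; SHA-256 with PKCS#1 v1.5 padding is used as a concrete choice of digest and private-key operation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer holds one keypair. The private key never leaves it; relying
// parties get only the public key (in practice from the signer's certificate).
type Signer struct {
	priv *rsa.PrivateKey
}

// NewSigner generates a fresh RSA keypair of the given size.
func NewSigner(bits int) (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Public returns the half of the keypair that verifiers retrieve.
func (s *Signer) Public() *rsa.PublicKey { return &s.priv.PublicKey }

// Sign is the "hash -> digest -> private-key operation -> signature" path
// from the slide. SHA-256 produces the digest; PKCS#1 v1.5 pads it before
// the RSA private-key operation (a raw, unpadded digest must never be signed).
func (s *Signer) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest[:])
}

// Verify is the receiver's path: retrieve the public key, re-hash the
// message actually received and check that the signature matches that
// digest. A changed message or the wrong key yields false.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	s, err := NewSigner(2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample: a database maintainer update as a member might sign it.
	update := []byte("mntner: MAINT-EXAMPLE-AP\nchanged: hostmaster@example.net 20001001\n")
	sig, err := s.Sign(update)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", Verify(s.Public(), update, sig)) // true
	tampered := []byte("mntner: MAINT-EXAMPLE-AP\nchanged: attacker@example.org 20001001\n")
	fmt.Println("tampered verifies:", Verify(s.Public(), tampered, sig)) // false
}
```

The verifier never "decrypts" the signature into something it trusts on its own; it recomputes the digest from the message it received and lets the library compare. That is why the tampered update fails even though the signature bytes are unchanged.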
PKI - Terminology
- Public Key Infrastructure (PKI)
  - Administrative structure supporting the use of public key cryptography
- Public Key Certificate (Digital Certificate)
  - Document linking a public key to an identity, signed by a CA, defined by X.509
- Certificate Authority (CA)
  - Trusted authority which issues digital certificates

Digital Certificates
- A digital certificate contains:
  - Identity details, e.g. personal ID, email address, web site URL
  - Public key of the identity
  - Issuer (Certification Authority)
  - Validity period
  - Attributes
- The certificate is signed by the CA

Digital Certificate - Example (X.509 structure, ASN.1 as in the PKIX profile)

   Certificate  ::=  SEQUENCE  {
        tbsCertificate       TBSCertificate,
        signatureAlgorithm   AlgorithmIdentifier,
        signature            BIT STRING  }

   TBSCertificate  ::=  SEQUENCE  {
        version         [0]  EXPLICIT Version DEFAULT v1,
        serialNumber         CertificateSerialNumber,
        signature            AlgorithmIdentifier,
        issuer               Name,
        validity             Validity,
        subject              Name,
        subjectPublicKeyInfo SubjectPublicKeyInfo,
        issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
        subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
        extensions      [3]  EXPLICIT Extensions OPTIONAL  }

Digital Certificate - Lifecycle (diagram)
Key pair generated -> certificate issued -> certificate valid and in use -> certificate expires -> keypair expired.
Recertification returns an expiring certificate to "valid and in use".
Private key compromised -> certificate revoked.
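The certificate fields above (serial, issuer, validity, subject, subjectPublicKeyInfo, extensions) and the lifecycle steps (issue, use, expire, revoke) can be exercised end to end with Go's crypto/x509. The program below is an added example, not APNIC's CA software: the CA name "Example Root CA", the member identity, serial numbers, validity periods and dates are all constructed for the illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed for this example: not a real CA identity or policy value.
var caNotBefore = time.Date(2000, 5, 1, 0, 0, 0, 0, time.UTC)

// newCA creates a self-signed root: issuer == subject, signed with its own key.
// IsCA plus the certSign/crlSign key usages are what let it issue and revoke.
func newCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example Root CA"}},
		NotBefore:             caNotBefore,
		NotAfter:              caNotBefore.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueMemberCert binds a member's public key to its identity in a
// tbsCertificate the CA signs: serial, issuer (from ca), validity, subject,
// subjectPublicKeyInfo and extensions, the fields listed on the slides.
func issueMemberCert(ca *x509.Certificate, caKey *rsa.PrivateKey, pub *rsa.PublicKey,
	serial int64, notBefore time.Time, days int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: "Example Member", Organization: []string{"Example ISP"}},
		EmailAddresses: []string{"hostmaster@example.net"}, // constructed
		NotBefore:      notBefore,
		NotAfter:       notBefore.AddDate(0, 0, days),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyMember is what a web server or mail gateway does: chain the
// certificate to the trusted root and check it is inside its validity
// period at time `at` for client authentication. Expiry surfaces as an error.
func verifyMember(cert, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// buildCRL is the revocation step: after a private-key compromise the CA
// publishes a signed list of revoked serial numbers.
func buildCRL(ca *x509.Certificate, caKey *rsa.PrivateKey, serial *big.Int, now time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.AddDate(0, 0, 7),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}},
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// isRevoked checks the CRL's own signature before trusting its contents,
// then looks the certificate's serial number up in it.
func isRevoked(crlDER []byte, ca, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, caKey, _ := newCA()
	memberKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	issued := time.Date(2000, 10, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	cert, _ := issueMemberCert(ca, caKey, &memberKey.PublicKey, 2, issued, 365)
	fmt.Println("in use: ", verifyMember(cert, ca, issued.AddDate(0, 1, 0)))  // <nil>
	fmt.Println("expired:", verifyMember(cert, ca, issued.AddDate(0, 0, 366))) // error
	crl, _ := buildCRL(ca, caKey, cert.SerialNumber, issued.AddDate(0, 2, 0))
	fmt.Println(isRevoked(crl, ca, cert)) // true <nil>
}
```

Note the split between the two checks: `Verify` handles chain, validity period and key usage, but does not consult a CRL, so the revocation lookup is a separate step that a relying party has to add itself, and it must verify the CRL's signature first or an attacker could supply an empty list.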
APNIC CA - Why?
- In response to
  - Membership concern for greater security
    - Confidential information exchange with APNIC
    - Is my database transaction secure?
    - Whose prefixes do you accept?
  - Internet community interest in security, PKI, digital certificates
    - e.g. rps-auth
    - IETF working group: PKIX

APNIC CA - Overview
- Certificate issued to APNIC member
  - Corresponds to membership of APNIC
- Provides a uniform mechanism for all security needs, such as:
  - Encryption and signature of email with APNIC
  - Authentication of access to the APNIC web site
  - Secure maintainer mechanism for the APNIC database
  - Future authorisation mechanism for Internet resources
    - Authentication of resource custodianship

APNIC CA - Benefits/Costs
- Benefits
  - Uniform industry-standard mechanism for "single password" security, authentication and authorisation
  - Strong public key cryptography, end-to-end
- Costs
  - Server and client software
  - Change to current procedures
  - New policies
  - Establishment: software purchase and/or development
APNIC CA - Roadmap (diagram only)

APNIC CA - Timeline (diagram only)

APNIC CA - Phase 1 Timeline (diagram only)
APNIC CA - Scoping Project
- October 1999 - January 2000
- Objectives
  - Analyse the impact of introducing PKI
  - Provide a focus for discussions
  - Raise awareness of PKI in general
- Conclusions
  - Significant benefits for members' security
  - Growing standards support for PKI
- See: http://www.apnic.net/ca

APNIC CA - Phase 1
- April - November 2000
- Deliverables
  - Tender and selection of CA software
  - Policies for use of APNIC certificates
  - Procedures for issuance and revocation of identity certificates to members
  - Browser and deployment issues analysis
  - Issue trial certificates at the APNIC Meeting, October 2000
  - Risk analysis

APNIC CA - Phase 2
- January - June 2001
- Deliverables
  - Certificates used for web site access control
  - Support for X.509 certificates in the whois database
  - Strong encryption for member correspondence
  - Investigation of the use of attribute certificates with resource allocation
APNIC CA - Future
- Generalised CA function
  - APNIC certificates may be used for general purposes
  - Requires a tight policy and quality framework for APNIC certificates to be trusted
- Hierarchical certification
  - APNIC members may use their certificates to certify their own members or customers
  - May be applicable for ISPs and NIRs

APNIC CA - Future
- Public key certificates
  - X.509 certificate linking a public key to an identity, issued by a CA
- Attribute certificates
  - X.509 certificate linking attributes to an identity, issued by a CA or other authority
  - Provides authorisation, rather than authentication, information
  - Not yet widely deployed or supported
  - May be extended to carry resource allocation information

APNIC CA - Future
- Resource certification
  - For verification of resource allocations by RIRs
  - Currently under discussion in the IETF PKIX working group:
    draft-clynn-bgp-x509-auth-01.txt, "X.509 Extensions for Authorization of IP Addresses, AS Numbers, and Routers within an AS"
  - APNIC watching developments

APNIC CA - Consultation
- Mailing list open after Apricot 2000
  - pki-wg@lists.apnic.net
  - http://www.apnic.net/wilma-bin/wilma/pki-wg
- Further developments
  - See: http://www.apnic.net/ca

APNIC CA - Documents
- IETF PKIX drafts:
  - draft-ietf-pkix-roadmap-04.txt, "Internet X.509 Public Key Infrastructure PKIX Roadmap"
  - draft-clynn-bgp-x509-auth-01.txt, "X.509 Extensions for Authorization of IP Addresses, AS Numbers, and Routers within an AS"
  - draft-ietf-pkix-ac509prof-01.txt, "An Internet Attribute Certificate Profile for Authorization"
- http://www.ietf.org/html.charters/pkix-charter.html

Questions?