
38092b93cd1af23050f39b5b079efdfb.ppt
- Количество слайдов: 17
DIGITAL CERTIFICATES Prof. Ravi Sandhu
PUBLIC-KEY CERTIFICATES v reliable distribution of public-keys v public-key encryption Ø sender needs public key of receiver v public-key Ø receiver needs public key of sender v public-key Ø both © Ravi Sandhu digital signatures key agreement need each other’s public keys 2
X. 509 v 1 CERTIFICATE VERSION SERIAL NUMBER SIGNATURE ALGORITHM ISSUER VALIDITY SUBJECT PUBLIC KEY INFO SIGNATURE © Ravi Sandhu 3
X. 509 v 1 CERTIFICATE 1 1234567891011121314 RSA+MD 5, 512 C=US, S=VA, O=GMU, OU=ISE 9/9/99 -1/1/1 C=US, S=VA, O=GMU, OU=ISE, CN=Ravi Sandhu RSA, 1024, xxxxxxxxxxxxx SIGNATURE © Ravi Sandhu 4
CERTIFICATE TRUST v how to acquire public key of the issuer to verify signature v whether or not to trust certificates signed by the issuer for this subject © Ravi Sandhu 5
PEM CERTIFICATION GRAPH Internet Policy Registration Authority IPRA Policy Certification Authorities (PCAs) HIGH ASSURANCE MITRE MID-LEVEL ASSURANCE Abrams PERSONA GMU Virginia Anonymous ISSE Certification Authorities (CAs) RESIDENTIAL Fairfax LEO Sandhu Subjects © Ravi Sandhu 6
SECURE ELECTRONIC TRANSACTIONS (SET) CA HIERARCHY Root Brand Geo-Political Bank Customer © Ravi Sandhu Acquirer Merchant 7
CRL FORMAT SIGNATURE ALGORITHM ISSUER LAST UPDATE NEXT UPDATE REVOKED CERTIFICATES SIGNATURE SERIAL NUMBER REVOCATION DATE © Ravi Sandhu 8
X. 509 CERTIFICATES v X. 509 v 1 Ø very basic v X. 509 v 2 Ø adds unique identifiers to prevent against reuse of X. 500 names v X. 509 v 3 Ø adds many extensions Ø can be further extended © Ravi Sandhu 9
X. 509 v 3 CERTIFICATE INNOVATIONS v distinguish various certificates Ø v identification info in addition to X. 500 name Ø v v good enough for casual email but not for signing checks limits on use of signature keys for further certification extensible Ø v internet names: email addresses, host names, URLs issuer can state policy and usage Ø v signature, encryption, key-agreement proprietary extensions can be defined and registered attribute certificates Ø ongoing work © Ravi Sandhu 10
X. 509 v 2 CRL INNOVATIONS CRL distribution points v indirect CRLs v delta CRLs v revocation reason v push CRLs v © Ravi Sandhu 11
GENERAL HIERARCHICAL STRUCTURE Z X Y Q A a R C b © Ravi Sandhu c S E d e G f g T I h i K j k M l m O n o p 12
GENERAL HIERARCHICAL STRUCTURE WITH ADDED LINKS Z X Y Q A a R C b © Ravi Sandhu c S E d e G f g T I h i K j k M l m O n o p 13
TOP-DOWN HIERARCHICAL STRUCTURE Z X Y Q A a R C b © Ravi Sandhu c S E d e G f g T I h i K j k M l m O n o p 14
FOREST OF HIERARCHIES © Ravi Sandhu 15
MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL X S Q A a R C b © Ravi Sandhu c T E d e G f g I h i K j k M l m O n o p 16
THE CERTIFICATE TRIANGLE user X. 509 attribute certificate X. 509 identity certificate attribute public-key SPKI certificate © Ravi Sandhu 17
38092b93cd1af23050f39b5b079efdfb.ppt