Скачать презентацию Introduction to PKI Seminar What is PKI Robert Скачать презентацию Introduction to PKI Seminar What is PKI Robert

32b70d78f6d819507cdf9f10b6d847a3.ppt

  • Количество слайдов: 18

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004 Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004

Cryptography • A secret key is used to transform data to encrypted form and Cryptography • A secret key is used to transform data to encrypted form and back • Distributing the key must occur in a secure channel • The strength of the system depends on the algorithm and the complexity of the keys 2

Asymmetric Cryptography • A pair of keys is used. • The only way to Asymmetric Cryptography • A pair of keys is used. • The only way to decrypt data encrypted by one key is to use the other key of the pair. • The private key is kept secret by it’s owner. • The public key is published. 3

Asymmetric Key Cryptography • No need to exchange a secret Asymmetric Key Cryptography • No need to exchange a secret "key" by some other channel – Invented in 1976 by Whit Diffie and Martin Hellman – Commercialized by RSA Security • (Rivest, Shamir, Adelman) 4

Encryption • • Anyone encrypts with public key of recipient. Only the recipient can Encryption • • Anyone encrypts with public key of recipient. Only the recipient can decrypt with their private key. No secrets need to be exchanged in advance. If the private key is secret, the data is secure. 5

Digital Signatures • Signer computes content digest, encrypts with their private key. • Reader Digital Signatures • Signer computes content digest, encrypts with their private key. • Reader decrypts with signer’s public key. • Reader re-computes the content digest and verifies match with original – guarantees no one has modified signed data. • If only signer has private key, no one else can produce their digital signature. 6

Why PKI? • Comprehensive way to address securing many applications • No passwords on Why PKI? • Comprehensive way to address securing many applications • No passwords on the wire • No need for shared secrets • Strong underlying security technology • Widely included in Technology Products 7

PKI and Passwords • Passwords NOT even sent to server – Still using password PKI and Passwords • Passwords NOT even sent to server – Still using password to unlock key • Only user knows password • Can recover only if escrow a copy • Harder to share, need key in file and password 8

Policy - Process • • Registration: How individual is identified Generating and storing key Policy - Process • • Registration: How individual is identified Generating and storing key pair Individual education of best practices Stronger Authentication – Strengthens Authorization • Balance Policy/Process with Application’s security requirements 9

Basic applications of PKI • Authentication and Authorization of Web users and servers • Basic applications of PKI • Authentication and Authorization of Web users and servers • Basis for the SSL protocol used to secure web connections • Secure e-mail (signed and encrypted) • Electronic signatures • Data encryption – Business documents, databases, executable code • Network data protection (VPN, wireless) 10

Authentication with PKI • The server challenges the client to encrypt data with their Authentication with PKI • The server challenges the client to encrypt data with their private key. • The server decrypts the response with the client’s public key. • If the response matches the original data, then the client must have the matching private key. • Therefore the client is the entity named in the public key certificate. – Basis for SSL/TSL protocols 11

What is X. 509? • A standard for the format of a public key What is X. 509? • A standard for the format of a public key certificate and related standards for how certificates are used. • Current PKI product offerings inter-operate through this standard • There are many other possible formulations, eg SDSI/SPKI 12

What is a certificate? • Signed data structure that binds some information to a What is a certificate? • Signed data structure that binds some information to a public key • Trusted entity asserts validity of information in certificate • The information is usually a personal identity or a server name • Think of it as an electronic ID card 13

What is a certificate authority? • An organization that creates and publishes certificates • What is a certificate authority? • An organization that creates and publishes certificates • Verifies the information in the certificate • Protects general security and policies of the system and its records • Allows you to check certificates and decide to use them in business transactions 14

What is a CA certificate? • A certificate authority generates a key pair used What is a CA certificate? • A certificate authority generates a key pair used to sign the certificates it issues • Multiple institutions can collaborate via: – Hierachical structure among their CAs – Bridge Certification Authorities "peer to peer" approach 15

Key Validity • Duration requirements: – Limited time as defense against compromise – Retain Key Validity • Duration requirements: – Limited time as defense against compromise – Retain for future decryption – History of Public keys for signature verification • Kerberos – PK technology with short lifetime – Authentication only • Can issue X. 509 certificates with timeframes chosen based on use – Typically longer lived 16

Application Changes • Add client side SSL to web server configuration • Modify application Application Changes • Add client side SSL to web server configuration • Modify application to – Test for presence of https connection – Get user information from environment – Fall through to previous authentication • Rewrite rules to bypass https for unaware web browsers 17

Application Benefits • Authentication - Web Services – Eliminates transmitting passwords on network – Application Benefits • Authentication - Web Services – Eliminates transmitting passwords on network – Improve on Kerberos infrastructure • Digital Signatures – Enables verifiable electronic business processes • NIH Pilot - Grant Applications • Encryption – Secure sensitive data sent via e-mail or electronic documents 18