db15d7af5ccac80581bd168be5190c24.ppt
- Количество слайдов: 34
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center tic@mail. state. ar. us 3/27/2002
Inside PKI n Vocabulary n How PKI Works n When it Doesn’t
Vocabulary
Asymmetric Cryptography Use of algorithms that use different keys for encryption than decryption and the decryption key cannot be derived from the encryption key.
Authentication Verifying the identity of a person or a computer system.
Certificate Authority (CA) The authority in a network (PKI) that issues and manages security credentials and public keys for message encryption.
Certificate Practice Statement CPS Provides a detailed explanation of how the certificate authority manages the certificates it issues and associated services such as key management. The CPS acts as a contact between the CA and users, describing the obligations and legal limitations and setting the foundation for future audits.
Ciphertext Encrypted text. Plaintext or cleartext is what you have before encryption and ciphertext is the encrypted result.
Digital Certificate A digital document which is generally stored and administered in a central directory. It contains the certificate holder's name, a serial number, expiration dates, public key, and the digital signature of the certificate issuing authority.
Digital Signature An electronic signature that authenticates the identity of the sender, ensures the original content of the message is unchanged, is easily transportable, cannot be easily repudiated, cannot be imitated, and can be automatically time-stamped.
Directory A specialized, highly available database organized to be primarily used for lookup.
Directory Service A collection of software, hardware, processes, policies and administrative procedures involved in organizing the information in a directory and making it available to users.
Hashing A mathematical summary that can be used to provide message integrity popular because it is simple and small.
Integrity The state of being unaltered.
Nonrepudiation The basis of insisting that the document signed by a particular private key represents acknowledgement by the private key owner.
Private Key The private part of a two-part, public key asymmetric cryptography system. The private key is provided by a certificate authority, kept secret and never transmitted over a network.
Public Key The public part of a two-part, public key asymmetric cryptography system. The public key is provided by a certificate authority and can be retrieved over a network.
Public Key Infrastructure (PKI) A system that enables users of a public network to exchange data securely and privately through the use of a public and private cryptographic key pair that is obtained and shared through a trusted authority.
Registration Authority The authority in a Public Key Infrastructure that verifies user requests for a digital certificate and tells the certificate authority it is alright to issue a certificate.
Rivest-Shamir-Adleman (RSA) An algorithm used for key pairs used for authentication, encryption and decryption.
How PKI Works Get a Certificate n Send a Signed Message n Receive a Signed Message n Send an Encrypted Message n Receive an Encrypted Message n Different Answers! n
Get a Certificate Supply information to a Certificate Authority n Certificate Authority generates the keys n Certificate Authority creates the certificate n Registration Authority may authorize the certificate n The private key is delivered to the user n The certificate is stored in a directory n
Digital Certificate n n n Version of certificate format Certificate serial number Signature algorithm identifier Certificate authority (CA) X. 500 name Validity period (start, expiration) Subject X. 500 name Subject public key info (algorithm, public key) Issuer unique identifier (optional) Subject unique identifier (optional) Extensions Certificate Authority's digital signature
Private Key One of two numeric keys derived from an algorithm n Can be stored on a computer n Can be memorized (not practical) n Can be held in a token n Can be combined with a biometric or token n Must be kept secure n Is not stored in the certificate n
Get a Certificate The CA creates keys and certificate RA approves the Certificate Information is given to CA Private Key goes to the User The Certificate, which contains the Public Key, is filed in a Directory
Send a Signed Message Compose the message n Sign with your own (sender’s) private key n Create a message hash n Encrypt hash with private key n n Send the message and the digital signature
Receive a Signed Message Receive the message and the signature n Get the sender’s public key n Use the key to decrypt the signature (hash) n Generate a new hash of the message n Compare the two hashes to assure the integrity of the message and the authentication of the sender n
Signed Message Compose the Message SENDER Receive the Message and Digital Signature RECIPIENT Sign the Message with Private Key Get the Sender’s Public Key Send the Message and Digital Signature Compare the hashes
Send an Encrypted Message Compose the message n Get the receiver’s public key n Encrypt the message n Send the message n But can be more complex, especially for long messages n
Receive an Encrypted Message Receive the message n Decrypt with you own (receiver’s) private key n But can be more complex, especially for long messages n
Encrypted Message Compose the Message Get the Recipient’s Public Key Send the Encrypted Message Encrypt the Message with Public Key Decrypt with Private Key Get the Encrypted Message
Different Answers Depending On: Where the public key is stored and how it is managed n If a user has multiple public keys n If multiple encryption algorithms are used n If both message encryption and digital signature are required n
When PKI Doesn’t Work n When it isn’t trusted When the private key isn’t secure n When the CA isn’t trusted by all parties n When the authentication required by the CA isn’t adequate for all parties n When there’s more than one John Smith n n When the sender and receiver can’t interoperate
Longer Looks at PKI This Group n Handout n Office of Information Technology n Other States n Vendors n
db15d7af5ccac80581bd168be5190c24.ppt