X 9 68 Efficient Public Key Certificate Systems

Зарегистрируйтесь, чтобы просмотреть полный документ!

X 9. 68 Efficient Public Key Certificate Systems for Mobile Electronic Business Robert L. Geiger Motorola Labs

Goal: Business Oriented Public Key Infrastructure z Mobility: mobile terminals, wireless devices, satellite systems y. Low bandwidth, limited storage and processing power z High transaction volumes: Internet trading and commerce z Risk management: business control of business systems; secure trading communities z Adaptable to changing business needs Motorola Labs RLG 3/25/1999

Wireless world z. Huge numbers of mobile devices soon to be data capable z. Wireless Web being defined by Wireless Application Protocol (WAP) Forum z. Need for certificates and public key infrastructure to support this environment Motorola Labs RLG 3/25/1999

Domain Concept z Breaks PKI into autonomous domains y. Compare to an intranet z Aims for efficiency and business control inside domain z Domains hooked together: Contract => crosscertify y. Compare to Internet z Efficiency gained by size reductions and clear system architecture Motorola Labs RLG 3/25/1999

Domain Architecture z. Root CA defines PK system type and algorithms z. Complexity and impact on end entities clearly visible z. Domain root has unique identifier by inclusion of certificate hash with name z. Local identifiers defined by business needs used within domain Motorola Labs RLG 3/25/1999

Domains Inter-domain (cross-certification) Domain root CA CA AA CA Domain root CA CA CA AA End entity Þ Validation services used between domains for inter-operation Motorola Labs RLG 3/25/1999

Registration Authorities z. Seen as account manager type functionality z. Multiple RA’s per CA/AA allowed z. RA may have different levels of allowed access z. Must have certificate issued from CA allowing access; may have other requirements Motorola Labs RLG 3/25/1999

Certification Authorities z. Issue domain member (key bearing) certificates per requests from valid RA’s z. Source point for revocation z. Revocation may be via CRL, online mechanism, or time limitations (i. e. , prepayed monthly service certificate) Motorola Labs RLG 3/25/1999

Attribute Authorities z. Handle issuing of account rights/properties that may change frequently (e. g. , monthly purchased services) z. May be CA or separate entity z. Functionality kept simple, very small certs z. May issue limited validity (i. e. , monthly) attribute certificates with no revocation requirements Motorola Labs RLG 3/25/1999

X 9. 68 Certificate Attributes z Bound to domain member certificate by domain local identifier; can be many small certificates z Simple as possible, must be length bounded z Business use case to be in X 9. 68 base z Can be inheritable (rights, group properties) or non-inheritable (personal properties) z Domains and organizations may define other types (organizational and domain types) Motorola Labs RLG 3/25/1999

X 9. 68 Attributes. . . z. A domain member may have multiple attributes, possibly from different AA’s z. Wireless Application Protocol will define organization specific payloads for its use cases z. Idea is interested standards organizations should define their payloads y. Keep complex payloads to your domain! Motorola Labs RLG 3/25/1999

X 9. 68 Usage: communities z Tie domain to a community; i. e. , stock traders, construction industry, doctors z Each community enrolls members and allows for secure, authenticated interaction between members z Communities make agreements for interaction (cross-certification) áHook like minded communities up to form special nets for business interaction Motorola Labs RLG 3/25/1999

X 9. 68 communities Banking Community Stock Trading Community Financial community net Commodities traders Settlement community • Communities defined by similar businesses or interests • Nets defined by communities interacting to do business • Trading, buying, selling, offering; all secured within and between communities Motorola Labs RLG 3/25/1999

Size Reductions: Key Certificate z. Example used 160 bit uncompressed EC keys, DER encoding, same information z. X 9. 68 certificate saves > 50% over minimal X 509 v 3 with DN’s z. X 9. 68 certificate saves > 30% over X 509 v 3 modified by nulling DN’s and making some items optional Motorola Labs RLG 3/25/1999

Issues z Naming schemes for defined business usage yidentification and “name” issues z Vendor interoperability z Protocols to support inter-domain operation (X 9. 68 defined cross-certificate format but not protocols) z Protocols for validation services for mobile devices (X 9. 68 defines message validation message formats but not protocol) Motorola Labs RLG 3/25/1999

Скачать презентацию X 9 68 Efficient Public Key Certificate Systems

4fdf9396981fd53ba844881f4a451d7e.ppt

Количество слайдов: 15