Scribd Logo
Upload

Welcome to Scribd!

  • Pki

    Uploaded by

    Com22
    26 views15 pages
    PKI

    Original Title

    pki (2)

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    PKI

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    26 views15 pages

    Pki

    Uploaded by

    Com22
    PKI

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 15

    Public-Key Infrastructure (PKI)

    SMU CSE 5349/7349


    What is PKI?
    • Pervasive security infrastructure whose
    services are implemented and delivered
    using public-key concepts and techniques
    -(C. Adams, S. Lloyd)
    – Secure sign-on
    – End-user transparency
    – Comprehensive security

    SMU CSE 5349/7349


    Business Drivers
    • Cost savings
    • Inter-operability
    • Uniformity
    • Potential for validation/testing
    • Choice of provider

    Consider the analogy with BUS architecture vs.


    point-to-point links

    SMU CSE 5349/7349


    Components and Services
    • Certification authority
    • Certificate repository
    • Certificate revocation
    • Key backup and recovery
    • Automatic key update
    • Key history
    • Cross-certification
    • Support for non-repudiation
    • Time stamping

    SMU CSE 5349/7349


    Certificates
    • Certificate vs. signature
    • Types of certificates
    – X.509 (v1, v2, v3)
    – Simple Public Key Infrastructure (SPKI)
    certificates
    – PGP certificates
    – Attribute certificates

    SMU CSE 5349/7349


    Certificate Format
    • Version number
    • Serial number
    • Signature algorithm identifier
    • Issuer name
    • Period of validity
    • Subject name
    • Subject’s public-key info.
    • Issuer unique ID
    • Subject unique ID
    • Extensions
    • Signature

    SMU CSE 5349/7349


    Key/Certificate Life Cycle
    • Initialization
    – Registration
    – Key-pair generation (where?)
    – Certificate creation and dissemination
    – Key backup
    • Issued
    – Certificate retrieval
    – Certificate validation
    • Cancellation
    – Expiration
    – Revocation
    – History and archive
    SMU CSE 5349/7349
    Certificate Path Processing
    • Eventual objective is to determine whether
    the key in a given certificate can be
    trusted
    – Path construction – aggregation of certificates
    to form a complete path
    – Path validation – validating each certificate in
    the path
    Target certificate is trusted only if every
    certificate in the path are trustworthy

    SMU CSE 5349/7349


    X.509 Hierarchy
    • Forward certificates
    – Certificate of X generated by other CAs
    • Reverse certificates
    – Certificates of other CAs generated by X
    • Example from the book (showed in last
    class)

    SMU CSE 5349/7349


    Authentication Procedures
    • One-way
    • Two-way
    • Three-way

    SMU CSE 5349/7349


    Problems with PKI
    • Hierarchical model of trust
    – Chain of partial trust ending in one “fully trusted” entity
    • Identifier associated with the key pair
    – Unique distinguished name within the namespace
    • Private-key insecurity
    – Has to protect the private key
    • Technical and Implementation difficulties
    – Assumption of global namespace
    – Difficulty in detecting key compromise
    – Inefficient revocation

    SMU CSE 5349/7349


    PKI Problems (cont’d)
    • Limited assurance provided in reality
    – CA’s generally protected in case of failure
    – What certificate assure (usually)
    • A particular message was generated by an entity that had
    available to it a particular private key; and
    • CA that provided the certificate has, at some time in the
    past, had grounds for believing that that private key was
    associated with a particular entity.
    • CA that provided the certificate has, at some time in the
    past, had grounds for believing that the entity had some
    kind of right to use that identifier, or had used that
    identifier in the past; and
    • CA that provided the certificate has, at some time in the
    past, had grounds for believing that the entity had access
    to the appropriate private key.

    SMU CSE 5349/7349


    Problems (cont’d)
    – What it does not ensure
    • Private key was originally available to other entities as well as the
    entity to which it purports to be 'bound';
    • Private key is now available to other entities as well as the entity to
    which it purports to be 'bound';
    • Private key invocation that gave rise to a particular message was
    performed by the entity; and
    • Private key invocation that gave rise to a particular message was
    performed with the entity's free and informed consent.
    • Privacy invasiveness
    – Just to talk to your buddy securely, you may need to tell your
    life story to a third party!
    • Idiosyncrasy:
    – In order to have trust in the party you are transacting with,
    you are expected to have trust in organizations you have no
    relationship with at all

    SMU CSE 5349/7349


    What is Really Needed!
    • Minimal Use of Identifiers
    • Minimal Registration Requirements
    • Mechanisms for Persistent Anonymity
    • Value Authentication without Identity
    • Attribute Authentication without Identity
    • Recourse in case of violation

    SMU CSE 5349/7349


    Alternatives to PKI
    • Web of trust like in PGP
    • Simple Distributed PKI (SDPKI)
    • Login ID, password
    • Biometrics
    • Other form of cetificates

    SMU CSE 5349/7349

    You might also like