Learning Center
Plans & pricing Sign in
Sign Out

Public Key Infrastructure _PKI_


									Public Key Infrastructure
Providing secure communications
 and authentication over an open
• Understanding the technology
  – Cryptography, Digital Signatures, Third
    Party Trust, and Public Key Certificates.
• Public Key Infrastructure
  – Definitions, Components, Infrastructure,
    Processes, and Issues.
• Western’s PKI
     Cryptography Methods
• 2 Types of Cryptography being used.
  – Symmetric Key (shared secret)
  – Public Key Cryptography
• Each has a role in a Public Key
Symmetric Key Cryptography
• 1 Key known by both parties (shared)
• A message encrypted by the key can
  only be decrypted using the same key.

   Hello        Ijfd82*7df      Hello

• Issue: Hard to share the key securely.
     Public Key Cryptography
• 2 keys generated. 1 private, 1 public.
• A message encrypted by 1 key can only be decrypted
  by the other.
               Private                Public

     Hello               9klfms83f             Hello

     Bye                 Jf#f9j3f92            Bye

• Public keys are stored in a public repository and are
  freely available.
• Private keys are stored on local system protected by
  a password. Never transmitted over the network.
    Public key Cryptography
• 2 way encrypted communication
  possible using 2 sets of public keys.
   Party A   Party B’s                Party B’s   Party B
              Public                   Private

   Hello                 9klfms83f                 Hello

             Party A’s                Party A’s
              Private                  Public

   Bye                   Jf#f9j3f92                Bye

• Issue: Large resources required.
                     Their roles in PKI
• Public keys are used •                  The symmetric key is
  to securely transmit a                  used to setup secure
  symmetric session                       encrypted
  key.                                    communications.
Step 1: Party A     Party A                                          Party B
                              Party B’s                  Party B’s
creates                        Public                     Private
symmetric key
and transmits it
to Party B using
their public key.

Step 2: Secure
setup using the      Hello                  Ijfd82*7df                Hello
symmetric key.
                  Digital Signature
• Private keys can be used to sign a document.
• The public key is used to decrypt the signature
  which verifies that the message came from the
  person who owns the private key.
    Party A       Party A’s                       Party A’s   Party B
                   Private                         Public

   Hello Bob                  Hello Bob                       Hello Bob
   signed Jonny               signed dfjlf9#fsi               signed Jonny

• Issue: How does party B verify Party’s A Public
         Trusted Third Party
• A trusted third party is someone both
  communicating parties trusts.
• This party authenticates Party A using older
  style methods (ID Card) and verifies they own
  the private key.
• This party then uses its own private key to
  digitally sign party A’s public key.
• Since party B trusts the public key of the third
  party, when it decrypts the signature on party
  A’s Public key it can then trust A’s public key.
• Signed public keys can be used for
 Public Key Certificate (PKC)
• A public key certificate is a document that:
   – Contains the public key of its owner.
   – Contains a set of attributes that identifies its owner
   – Is digitally signed by a trusted third party called a
     Certificate Authority (CA).
   – Has an life span (expiry date).
• Certificates are stored in public repositories.
• Used to authenticate, setup secure
  communications and trust a digital signature.
Public Key Infrastructure (PKI)
• Defined by the IETF PKIX Working
  Group as:
   “The set of hardware, software, people, policies
   and procedures needed to create, manage, store,
   distribute, and revoke public key certificates based
   on public key cryptography.”
     PKI Component Definitions
• Certificate Authority (CA) : An authority trusted to create and
  assign public key certificates. Required to validate user information
  and verify they own the private key. Required to maintain CRLs.
• Registration Authority (RA) : An optional authority that can act on
  behalf of a CA to validate user information and verify they own the
  private key.
• Repository : A data base or directory used to store and distribute
  Public Key Certificates and CRLs.
• Certificate Revocation Lists (CRL) : A list of certificates that have
  been revoked due to their owners breaking one of the rules in the
  certificate policy or by having its private key compromised.
• Certificate Policy (CP) : A set of rules which indicates how a
  certificate is to be used by a community of users or set of
• Certificate Practice Statement (CPS) : A set of guidelines a CA
  follows when issuing certificates.
             The Infrastructure
                               Governed by Certificate Practice Statement.

                                Certificate                   Registration
                                Authority      Registration    Authority
             Certificate                        process
Repository   list storage.
 for PKCs                                              Certificate requests
and CRLs

             Certificate         or Server       Authentication and
             and                                Secure communication
             revocation             Governed by Certificate Policy.
             list retrieval.
                 Certificate use.
• During setup of connection between a server and user:
   – Certificates are withdrawn from the repository for both parties.
   – Digital signatures are decrypted using the CA’s public key.
   – The Certificate revocation list for the signing CA is referenced to
     verify that the certificate has not been revoked.
   – If all passes then authentication of the server and user has been
     accomplished (i.e. each trusts that the private key is owned by
     the person identified in the certificate).
• Secure communications are then setup by the user
  generating a symmetric session key and transmitting it
  to the server using the servers public key to encrypt it.
  Once the server has decrypted the session key using its
  private key a secure socket is setup using the session
     The Repository(LDAP)
• A Repository:
  – Requires an efficient directory capable of
    authentication, replication and redundancy
  – should be capable of storing more data than
    just certificates and must be capable of
    complicated searches
• LDAP provides all the requirements plus:
  – can use Public Keys during its authentication
  – is being integrated into many other
  – Has a good set of standard APIs
                 Issues with PKI
• Certificate Revocation is still in its infancy.
• Trust
   – Do we trust the commercial CAs out there. Why do we
     trust them to authenticate information they are not the
     authority of.
   – How do we trust repositories.
• Non PKI security holes
   – How secure are clients, CAs, and repository systems from
     hackers and virus attacks. Are they physically secure.
   – How well guarded are private keys.
• Is the data in the certificate being check thoroughly.
• The idea of Non-Repudiation.
• Roaming Access (Smart Cards)
              Western’s PKI
• Western currently has an agreement with Thawte
  Certification (owned by VeriSign) to provided signed
  certificates and be our Certificate Authority (CA).
• A representative of ITS acts as a Registration
  authority (RA) on behalf of Thawte Certification.
• Currently only Secure Socket Layer (SSL)
  certificates are in use to provide encrypted web
  communications (Authentication of web server only).
• Thawte offers other types of certificates but they
  have not been investigates for use at Western yet
  and may be cost prohibitive to use.
                     Western’s PKI
                                        2. Thawte asks ITS
                                        if request is good.
                     CA: Thawte                                        RA: ITS
 for PKCs
                     Certification      3. ITS Verifies
and CRLs
                                        request and say yes.
               1.Web server
                                 4. Thawte signs
    SSL            admin
                                 certificate and
Certificates    and send a
                                 returns it to the
                                 web server admin
are stored       certificate
                                 who loads it into
                 request to
in the web        Thawte.
                                 web serer configuration.
server and
distributed                                                          UWO web
by the web               Web
                                      5. User generates session      user.
  server.               Server          key and transmits it to
                                     web server using public key.
                                       A secure socket is then
                                            setup. (SSL)

To top