How to Start a PKI

A Practical Guide

Dr. Javier Torner
Information Security Officer
Professor of Physics
SecureIT-2005, April 19-22, 2005

Agenda
• Why do you need a PKI?
• Basic Cryptography
• “Near Future” PKI Applications
• PKI Components and Services
• Deployment of a PKI

Why do you need a PKI?
• Protects against eavesdropping
• Protects against tampering
• Prevents impersonation
  – Spoofing
  – Misrepresentation
• Provides stronger authentication

Basic Cryptography
• Use of keys for encryption and decryption
• Types of keys
  – Symmetric-key encryption
    • Uses ONE single key (shared secret)
    • Efficient
    • Provides a minor degree of authentication (any holder of the shared key could have produced the message, so there is no non-repudiation)
    • Only effective if the symmetric key is kept secret!
  – Public-key encryption (asymmetric encryption)
    • Involves a pair of keys:
    • Public key – published
    • Private key – kept secret
• Key length and encryption strength
  – Strength of encryption is related to the difficulty of discovering the key
  – Encryption strength is usually described in terms of key size, but key sizes are only comparable within one algorithm (a 2048-bit RSA key is not “stronger” than a 256-bit symmetric key)

Public Key Cryptography Provides:
• Encryption and decryption
• Strong authentication
• Non-repudiation
• Tamper detection

What is a Certificate?
• A certificate is an electronic document used to identify:
  – An individual
  – A server
  – A company
  – Other entities
• A certificate associates an identity with a public key

What is a Certificate Authority?
• A Certificate Authority (CA)
  – validates identities
  – issues certificates
• Validation/assurance of identity
  – depends on the policies of a given CA

Contents of a Certificate
• A certificate (X.509 v3) binds a Distinguished Name (DN) to a public key.
• A DN is a series of “values” that uniquely identify an identity.
  For example: cn=Javier Torner, email=jtorner@csusb.edu, o=California State University San Bernardino, ou=Information Security Office

Near Future Applications
• Digital Signatures (S/MIME)
• Mail Encryption
• Certificate Revocation
• SSL Client Certificates to POP/IMAP
• SSL Client Certificates to NNTP
• SSL Client Certificates for network access
• Hardware Tokens
  – Two-factor authentication

PKI Components and Services
• Certificate Repository
• Certificate Revocation
• Key backup and recovery
• Support for non-repudiation
• Time stamping
• Client software

PKI Phases
• Phase 0 – Basic Infrastructure
  – Implement a Certificate Authority
    • Hierarchy structure
• Phase I – Authorization
• Phase II – Authentication
• Phase III – Incorporate a Trusted Bridge

PKI - Phase 0
• Define a Certificate Practice Statement
• Define a CA hierarchy
  – Root CA
    • Master or secondary CAs
      – SSL (Web server) CA
      – SSL Clients CA
      – E-mail/Encryption CA
      – Object CA

CA Certificate Practice Statement
• An easy way to start is to use PKI-Lite
• Edit/modify it for your institution
• The technology has been around for a while, but is still relatively new in practice

PKI - Phase I
• Select software
  – OpenSSL, OpenCA
• Issue SSL server certificates
  – Class 3 web server certificates
  – Develop/enable a user request interface
  – Provide user education
• SSL client certificates
  – Start with certificates for authentication “ONLY”
  – Test on systems you control
    • ISO sites

SSL Client Certificates
• Provide the ability to authenticate (primarily web) users using your institution’s certificates
• Allow you to restrict access to your data based upon criteria within a certificate (for example the OU or O of the subject DN, as with mod_ssl’s SSLRequire directive)

Contents of a Phase I Server Certificate
• CN=www.infosec.csusb.edu
• Email=
• OU=Information Security Office
• O=California State University San Bernardino
• L=San Bernardino
• ST=California
• C=US
Note: browsers match the host name against the subjectAltName extension (DNS:www.infosec.csusb.edu), not the CN; a server certificate without a SAN will be rejected by current clients.

Contents of a Phase I ID Certificate
• CN=Javier Torner
• Email=jtorner@csusb.edu
• OU=Information Security Office
• O=California State University San Bernardino
• L=San Bernardino
• ST=California
• C=US

The Future of PKI
• Phase 3 – Federated
• Application Design
• CA Development

Valuable Resources
• http://www.modssl.org
• http://www.openssl.org
• http://www.openca.org
• http://www.educause.edu/HEPKI
• Understanding PKI – Carlisle Adams and Steve Lloyd (ISBN 1-57870-166-X)
• Digital Certificates – Jalal Feghhi, Jalil Feghhi, Peter Williams (ISBN 0-201-30980-7)
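The following is an added example, not part of the original slides, that works through the “Public Key Cryptography Provides” slide (strong authentication, non-repudiation, tamper detection) and the symmetric-key caveat on the “Basic Cryptography” slide with the OpenSSL command line the deck recommends. It assumes the openssl binary is installed; the file names, the sample message, the signer names and the shared secret are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the slides). Assumes: openssl CLI installed.
# Names, message text and the HMAC secret below are constructed for the demo.
set -eu

WORK="${SIG_WORK:-$(mktemp -d)}"

# gen_keypair <name>: RSA-2048 private key plus the public key that a
# certificate would later bind to the signer's Distinguished Name.
gen_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
  openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# sign_file <signer> <file> <sig>: SHA-256 digest of <file> signed with <signer>'s private key.
sign_file() {
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$3" "$2"
}

# verify_file <signer> <file> <sig>: exit 0 only if <sig> is <signer>'s signature
# over exactly the bytes of <file>; any other key or any modified byte fails.
verify_file() {
  openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$3" "$2" >/dev/null 2>&1
}

# hmac_tag <file>: symmetric MAC under a shared secret (constructed). Every holder
# of the secret can compute it, including the receiver, so it cannot prove to a
# third party which key holder sent the message: authentication without non-repudiation.
hmac_tag() {
  openssl dgst -sha256 -hmac "shared-secret-example" "$1" | sed 's/^.*= //'
}

# Constructed sample message and a one-character forgery of it.
printf 'Approve purchase order 4711 for $100\n' > "$WORK/msg.txt"
sed 's/\$100/\$900/' "$WORK/msg.txt" > "$WORK/msg_tampered.txt"

gen_keypair jtorner
gen_keypair someone_else
sign_file jtorner      "$WORK/msg.txt" "$WORK/msg.sig"
sign_file someone_else "$WORK/msg.txt" "$WORK/msg_other.sig"

# Tamper detection: the signature covers the digest, so one changed byte breaks it.
verify_file jtorner "$WORK/msg.txt"          "$WORK/msg.sig" && echo "original message: signature valid"
verify_file jtorner "$WORK/msg_tampered.txt" "$WORK/msg.sig" || echo "tampered message: signature rejected"
# Authentication / non-repudiation: only jtorner's private key can produce a
# signature that verifies under jtorner's public key.
verify_file jtorner "$WORK/msg.txt" "$WORK/msg_other.sig" || echo "signature from another key: rejected"
# The HMAC is the same whoever computes it; the receiver could "re-tag" the forgery.
echo "hmac(original): $(hmac_tag "$WORK/msg.txt")"
echo "hmac(tampered): $(hmac_tag "$WORK/msg_tampered.txt")"
```

What the signature proves is that the holder of `jtorner.key` signed those exact bytes; it says nothing about who that holder is. Binding the public key to the name “Javier Torner” is the job of the certificate and the CA on the following slides.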
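The following is an added example, not part of the original slides, that stands up the two-tier hierarchy from the “PKI - Phase 0” slide (an offline Root CA signing a secondary “SSL (Web server) CA”) with the OpenSSL software named on the “PKI - Phase I” slide, issues a Phase I server certificate and a Phase I ID certificate carrying the DNs shown on the two “Contents” slides, and checks the chain with `openssl verify`. It assumes the openssl binary is installed; the CA common names, key sizes, lifetimes, file names and extension profiles are choices made here, not the slides’ (the slides’ “Email=” field is OpenSSL’s `emailAddress` attribute).

```shell
#!/bin/sh
# Added example (not from the slides). Assumes: openssl CLI installed.
# CA names, lifetimes, file layout and extension profiles are choices made here.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
ORG="/C=US/ST=California/L=San Bernardino/O=California State University San Bernardino/OU=Information Security Office"

# Extension profiles. CAs get CA:TRUE and keyCertSign; the secondary CA also gets
# pathlen:0 so it can issue end-entity certificates only. Leaves get CA:FALSE and
# an extendedKeyUsage that pins each one to a single role (serverAuth or clientAuth).
write_profiles() {
  cat > "$PKI_DIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder (overridden by -subj)
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$PKI_DIR/ca.ext" <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  cat > "$PKI_DIR/server.ext" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.infosec.csusb.edu
authorityKeyIdentifier = keyid
EOF
  cat > "$PKI_DIR/client.ext" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF
}

# issue <name> <subject> <ext-profile> <issuer> <days>: fresh key and CSR for
# <name>, signed by <issuer>'s key with the extensions in <ext-profile>.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$PKI_DIR/req.cnf" \
    -subj "$2" -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days "$5" -in "$PKI_DIR/$1.csr" \
    -CA "$PKI_DIR/$4.crt" -CAkey "$PKI_DIR/$4.key" -CAcreateserial \
    -extfile "$PKI_DIR/$3" -out "$PKI_DIR/$1.crt" 2>/dev/null
}

build_pki() {
  write_profiles
  # Root CA: self-signed. In a real deployment this key is generated and kept offline.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$PKI_DIR/req.cnf" -extensions v3_root -subj "$ORG/CN=CSUSB Root CA" \
    -keyout "$PKI_DIR/root.key" -out "$PKI_DIR/root.crt" 2>/dev/null
  # Secondary "SSL (Web server) CA", signed by the root.
  issue sslca "$ORG/CN=CSUSB SSL CA" ca.ext root 1825
  # Phase I server certificate and ID (client) certificate, both issued by the SSL CA.
  issue server  "$ORG/CN=www.infosec.csusb.edu" server.ext sslca 365
  issue jtorner "$ORG/CN=Javier Torner/emailAddress=jtorner@csusb.edu" client.ext sslca 365
}

# chain_ok <cert> <purpose>: exit 0 only if <cert> chains to root.crt through the
# secondary CA and its extensions permit <purpose> (sslserver or sslclient).
chain_ok() {
  openssl verify -CAfile "$PKI_DIR/root.crt" -untrusted "$PKI_DIR/sslca.crt" \
    -purpose "$2" "$PKI_DIR/$1" >/dev/null 2>&1
}

build_pki
chain_ok server.crt  sslserver && echo "server.crt: valid web server certificate"
chain_ok jtorner.crt sslclient && echo "jtorner.crt: valid client certificate"
chain_ok jtorner.crt sslserver || echo "jtorner.crt presented as a server cert: rejected (EKU is clientAuth only)"
openssl x509 -in "$PKI_DIR/jtorner.crt" -noout -subject -issuer
```

Two checks worth keeping from this run: the leaf certificates verify only when the secondary CA certificate is supplied (`-untrusted sslca.crt`), so web servers must send the intermediate along with their own certificate; and `-purpose` enforces the role split the hierarchy slide implies, so an ID certificate from the clients branch cannot be repurposed as a server certificate.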
