How to Start a PKI

A Practical Guide

Dr. Javier Torner

Information Security Officer

Professor of Physics

April 19-22, 2005 SecureIT-2005

Agenda

• Why do you need a PKI?

• Basic Cryptography

• “Near Future” PKI Applications

• PKI Components and Services

• Deployment of a PKI

Why do you need a PKI?

• Protects against eavesdropping

• Protects against tampering

• Prevents impersonation

– Spoofing

– Misrepresentation

• Provides stronger authentication

Basic Cryptography

• Use of Keys for Encryption and Decryption

• Types of Keys

– Symmetric-Key Encryption

• Uses ONE single key (shared secret) for both encryption and decryption

• Efficient

• Provides only a minor degree of authentication: anyone who holds the shared key could have produced the message

• Only effective if the symmetric key is kept secret!!

– Public-Key Encryption (asymmetric encryption)

• Involves a pair of keys:

• Public Key – Published

• Private Key – Kept secret

• Key Length and Encryption Strength

– Strength of encryption is related to the difficulty of discovering the key

– Encryption strength is described in terms of key size, but sizes are only comparable within one algorithm: a 128-bit symmetric key and a 1024-bit RSA key are not equivalent, and no key size helps once the key itself leaks

Public Key Cryptography

Provides:

• Encryption and Decryption

• Strong authentication (only the holder of the private key can answer a challenge)

• Non-repudiation (a digital signature can only be produced with the signer's private key, so it holds only while that key stays under the signer's sole control)

• Tamper detection (a signature no longer verifies if the signed data changes)
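The contrast between the last two slides, as an added example that is not from the deck: a shared-key MAC (HMAC-SHA256) next to a public-key signature (ECDSA P-256), in Go using only the standard library. Alice, Bob, their keys and the message are constructed for the example. Bob, who shares the symmetric key, can produce a tag that Alice's check accepts, which is why a shared key gives only a "minor degree of authentication" and no non-repudiation; with a key pair he cannot, and any change to the signed bytes is detected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Tag authenticates msg under a shared symmetric key (HMAC-SHA256). Everyone who holds the key can
// make the same tag, so a valid tag proves only that someone with the key wrote the message.
func Tag(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

// CheckTag recomputes the tag and compares in constant time; it needs the same secret key as Tag.
func CheckTag(sharedKey, msg, tag []byte) bool {
	return hmac.Equal(Tag(sharedKey, msg), tag)
}

// Sign produces an ECDSA P-256 signature over SHA-256(msg) with the signer's private key.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// CheckSig needs only the published public key: anyone can verify, and only the key holder can sign.
func CheckSig(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Outcome records what the scenario below shows.
type Outcome struct {
	PeerTagAccepted bool // a tag made by the peer who shares the key passes Alice's tag check
	PeerSigAccepted bool // a signature made with the peer's own key passes under Alice's public key
	TamperDetected  bool // Alice's genuine signature fails once one byte of the message changes
}

// Scenario: Alice and Bob share a symmetric key; Alice owns a key pair and Bob owns his own.
// Bob tries to pass a message off as Alice's under both schemes. Keys are generated and the
// message is constructed here for the example.
func Scenario() (Outcome, error) {
	sharedKey := make([]byte, 32)
	if _, err := rand.Read(sharedKey); err != nil {
		return Outcome{}, err
	}
	alice, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	bob, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	msg := []byte("Transfer $5,000 to account 12345 -- Alice") // constructed sample message
	var out Outcome
	// Symmetric: Bob computes the tag with the shared key; the check cannot tell him from Alice.
	out.PeerTagAccepted = CheckTag(sharedKey, msg, Tag(sharedKey, msg))
	// Public key: Bob can only sign with his own private key, which Alice's public key rejects.
	bobSig, err := Sign(bob, msg)
	if err != nil {
		return Outcome{}, err
	}
	out.PeerSigAccepted = CheckSig(&alice.PublicKey, msg, bobSig)
	// Tamper detection: Alice's real signature stops verifying if the signed bytes change.
	aliceSig, err := Sign(alice, msg)
	if err != nil {
		return Outcome{}, err
	}
	tampered := append([]byte(nil), msg...)
	tampered[10] = '9' // "$5,000" becomes "$9,000"
	out.TamperDetected = CheckSig(&alice.PublicKey, msg, aliceSig) && !CheckSig(&alice.PublicKey, tampered, aliceSig)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The asymmetry is the whole point of a PKI: a tag can be checked only by someone who could also have forged it, while a signature is checked with a key that is safe to publish in a certificate. What the signature does not tell a relying party is who owns that public key; binding the key to an identity is the job of the certificate and the CA described on the following slides.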

What is a Certificate?

• A certificate is an electronic document used to identify:

– An individual

– A server

– A company

– Other entities

• A certificate binds an identity to a public key, under the signature of the issuing CA

What is a Certificate Authority?

• A Certificate Authority (CA)

– validates identities

– issues certificates

• Validation/Assurance of identity

– depends on the policies of a given CA (documented in its Certificate Practice Statement)

Contents of a Certificate

• A certificate (X.509 v3) binds a Distinguished Name (DN) to a public key.

• A DN is a series of attribute “values” that together uniquely identify an entity.

For example:

cn=Javier Torner, email=jtorner@csusb.edu, o=California State University San Bernardino, ou=Information Security Office

Near Future Applications

• Digital Signatures (S/MIME)

• Mail Encryption

• Certificate Revocation

• SSL Client Certificates to POP/IMAP

• SSL Client Certificates to NNTP

• SSL Client Certificates for network access

• Hardware Tokens – Two factor authentication

PKI Components and Services

• Certificate Repository

• Certificate Revocation

• Key backup and recovery

• Support for non-repudiation

• Time stamping

• Client software

PKI Phases

• Phase 0 – Basic Infrastructure

– Implement a Certificate Authority

• Hierarchy Structure

• Phase I – Authorization

• Phase II – Authentication

• Phase III – Incorporate a Trusted Bridge

PKI - Phase 0

• Define a Certificate Practice Statement (CPS)

• Define a CA Hierarchy

– Root CA (the master CA at the top of the hierarchy)

• Secondary CAs under the root, one per purpose:

– SSL (Web server) CA

– SSL Clients CA

– E-mail/Encryption CA

– Object CA

CA Certificate Practice Statement

• An easy way to start is the PKI-Lite CP/CPS template from the HEPKI effort listed under Valuable Resources

• Edit/modify it to fit your institution

• The technology has been around for years, but institutional PKI practice is still relatively new

PKI - Phase I

• Select software

– OpenSSL, OpenCA

• Issue SSL Server Certificates

– Class 3 web server certificates

– Develop/enable a user request interface

– Provide user education

• SSL Client Certificates

– Start with certificates for authentication “ONLY” (signing and encryption uses come later)

– Test on systems you control

• Information Security Office (ISO) sites

SSL Client Certificates

• Provides the ability to authenticate (primarily web) users with certificates issued by your institution's CA

• Allows you to easily restrict access to your data based upon attributes carried in the certificate (for example the OU or e-mail address in the subject DN)

Contents of a Phase I Server Certificate

• CN=www.infosec.csusb.edu

• Email= (left empty for a server certificate)

• OU=Information Security Office

• O=California State University San Bernardino

• L=San Bernardino

• ST=California

• C=US

Contents of a Phase I ID Certificate

• CN=Javier Torner

• Email=jtorner@csusb.edu

• OU=Information Security Office

• O=California State University San Bernardino

• L=San Bernardino

• ST=California

• C=US
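The Phase 0 hierarchy and the two Phase I certificates above, worked through end to end as an added example that is not part of the deck or the author's material. It uses Go's crypto/x509 standard library in place of the OpenSSL/OpenCA tools the deck names, so it runs offline: a root CA that may sign only one tier of sub-CAs, an SSL Server CA and an SSL Client CA beneath it, a server certificate for www.infosec.csusb.edu and an ID certificate for Javier Torner, each limited by extended key usage to one purpose (which is what "authentication ONLY" amounts to in X.509 terms), chain verification, and a CRL for the Certificate Revocation service. The CA names, P-256 keys, one-year validity, random serials and the helper names (Entity, NewCA, IssueLeaf, Revoke, Verify, must) are assumptions of the example; the DN components are the ones on the slides, with L and ST left out for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Entity is a certificate holder: its certificate and the matching private key.
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// The two purposes the deck's Phase I end-entity certificates are limited to (EKU values from crypto/x509).
const ServerAuth, ClientAuth = x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth

// csusb holds the DN components the deck's Phase I certificates share; CN is set per certificate.
var csusb = pkix.Name{Organization: []string{"California State University San Bernardino"},
	OrganizationalUnit: []string{"Information Security Office"}, Country: []string{"US"}}

// must turns an error into a panic: in this demo every failure below is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and signs template with parent (self-signed when parent is nil).
func issue(template *x509.Certificate, parent *Entity) *Entity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	// Random 63-bit serial: a CA must never issue two certificates with the same serial.
	template.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63)))
	template.NotBefore = time.Now().Add(-time.Hour)
	template.NotAfter = time.Now().AddDate(1, 0, 0) // one-year validity, assumed for the example
	signerCert, signerKey := template, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der := must(x509.CreateCertificate(rand.Reader, template, signerCert, &key.PublicKey, signerKey))
	return &Entity{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// NewCA creates a CA that may sign certificates and CRLs; parent nil makes a self-signed root.
// pathLen 1 lets the root sign one tier of sub-CAs; pathLen 0 stops an issuing CA from creating more CAs.
func NewCA(cn string, pathLen int, parent *Entity) *Entity {
	subj := csusb
	subj.CommonName = cn
	return issue(&x509.Certificate{Subject: subj, IsCA: true, BasicConstraintsValid: true, MaxPathLen: pathLen,
		MaxPathLenZero: pathLen == 0, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, parent)
}

// IssueLeaf issues an end-entity certificate limited by EKU to one purpose; san is the hostname (server) or e-mail (ID).
func IssueLeaf(ca *Entity, cn string, eku x509.ExtKeyUsage, san string) *Entity {
	subj := csusb
	subj.CommonName = cn
	t := &x509.Certificate{Subject: subj, EmailAddresses: []string{san}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if eku == ServerAuth {
		t.DNSNames, t.EmailAddresses = []string{san}, nil
	}
	return issue(t, ca)
}

// Revoke publishes a CRL signed by this CA that lists one revoked serial.
func (e *Entity) Revoke(serial *big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: time.Now()}}}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, e.Cert, e.Key))
	return must(x509.ParseRevocationList(der))
}

// Verify chains leaf to root for one purpose, then consults the CRL if given (x509's Verify does not check revocation).
func Verify(root *Entity, issuers []*Entity, leaf *x509.Certificate, purpose x509.ExtKeyUsage, crl *x509.RevocationList) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.Cert)
	for _, ca := range issuers {
		inters.AddCert(ca.Cert)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{purpose}})
	if err != nil || crl == nil {
		return err
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // the CRL must be signed by the leaf's issuer
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}
```

Relying-party checks to run against it, from a main or a test: with root := NewCA("CSUSB Root CA", 1, nil), serverCA := NewCA("CSUSB SSL Server CA", 0, root) and srv := IssueLeaf(serverCA, "www.infosec.csusb.edu", ServerAuth, "www.infosec.csusb.edu"), Verify(root, issuers, srv.Cert, ServerAuth, nil) succeeds while the same call with ClientAuth fails with an incompatible-key-usage error, so a server key can never be replayed as a user credential; a certificate from a CA outside the hierarchy, or from a sub-CA created under an issuing CA in breach of its pathLen 0, is rejected; and once serverCA.Revoke(srv.Cert.SerialNumber) is passed in, the server certificate is refused. Go's x509 Verify, like most libraries, leaves revocation to the caller, and a CRL is only trusted after its signature is checked against the leaf's issuer. After Verify succeeds, the attribute-based restriction from the SSL Client Certificates slide is a matter of reading leaf.Subject.OrganizationalUnit or leaf.EmailAddresses. In production the root key would live offline or in an HSM and the CA would persist a log of issued serials; the Class 3 validation of the requester that Phase I calls for is a process outside this code.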

The Future of PKI

• Phase 3 – Federated

• Application Design

• CA Development

Valuable Resources

• http://www.modssl.org

• http://www.openssl.org

• http://www.openca.org

• http://www.educause.edu/HEPKI

• Understanding PKI – Carlisle Adams and Steve Lloyd (ISBN 1-57870-166-x)

• Digital Certificates – Jalal Feghhi, Jalil Feghhi, Peter Williams (ISBN 0-201-30980-7)

