PKI

1
PKI
2
PKI

• Overview of PKI
• Use of PKI
• PKI Certificates

3
Overview of PKI

• Public Key Infrastructure was developed by the
  U.S. Department of Defense in 1999
• PKI consists of
• Software
• Encryption technologies
• Security services
• PKI standard is related to X.509 international
  standard

4
Overview of PKI

• PKI uses public key cryptographic techniques. In
  fact, it derives its name from public key
  cryptography
• PKI identifies a Certificate Authority (CA) who
  provides the public/private key pair
• CA manages the keys
• CA is responsible for managing the Certificate
  Revocation List (CRL)

5
Overview of PKI

• Any one could be a CA, but CAs are usually
  trusted third parties
• Verisign, GeoTrust, BeTrusted are some of the CAs
• Certificates are usually multi-level meaning that
  a national CA certifies regional CAs who in turn
  certify end users
• Key management is a major problem in cryptography
• PKI provides a solution to this problem

6
Overview of PKI

• Revocation of certificate is very hard
• Reason certificate identity is a set of bits and
  it is stored in several computers of people with
  the person deals with
• Revoking a certificate in the CAs database is
  easy but to remove it from use by others is not
  easy
• A genuine user might have his computer hacked and
  may want the certificate revoked

7
Overview of PKI

• A genuine user might move to a new organization
  and may not have the right to take the
  certificate with him/her
• Certificate Revocation List (CRL) may be a
  central or distributed database
• CRL system is expensive
• An alternative to CRL is rapid expiration of
  certificate such as a few minutes to 24 hours
• CRL must be online

8
Overview of PKI

• A person may have multiple identities on the
  Internet (e.g., multiple email addresses)
• CA assigns keys to names (or persons)
• Organizations assign permissions to access
  various data and ties it to userIDs (or names)
• PKI helps connect keys, names, and access
  permissions
• PKI adds another feature called credentialing,
  which means that one user sets permissions for
  access, validity period for the permission and
  transferable rights for the permission

9
Uses of PKI

• VPN access
• The Virtual Private Network should allow the
  employees remote access to the network with
  proper authentication using PKI. Access limits
  will be enforced by PKI
• The organization itself acts as the CA for this
  part
• Electronic Banking
• Customers can have access to their accounts from
  remote locations using PKI authentication
• Bank itself can act as the CA for this part

10
Uses of PKI

• Refinery sensors
• Refineries have a complex network of pipes spread
  over several hundred miles
• SCADA (Supervisory Control And Data Acquisition)
  is a system that controls oil flow in pipelines
• Spoofing sensor data could lead to disasters
• Company can build PKI for each sensor with the
  company itself acting as the CA

11
Uses of PKI

• Credit Cards
• Credit card issuance is by banks
• Several thousand banks are in the credit card
  network
• Banks must exchange payments
• PKI allows banks to identify each other
• Credit card company such as Visa and MasterCard
  could act as CA in this case

12
PKI Certificates

• X.509 is an international standard for PKI
  certificates
• Certificate management functions
• Key Generation/Storage/Recovery
• Certificate and Certificate Revocation List (CRL)
  Generation and Distribution
• Certificate Update, Renewal, and Re-key
• Certificate token initialization
• Access rights management
• System Management Functions (e.g., audit, archive)

13
PKI Certificates

• Certificates are classified as Class 1 to 5
• Class 1 is low risk and Class 5 is high risk
• SSL uses PKI certificates with a liability limit
  of 100