Applications of PKI - PowerPoint PPT Presentation

1
Applications of PKI Tao Chen February 26, 2002
2
Agenda
  • Importance Of PKI in Electronic Commerce
  • Components of PKI
  • Types of PKI Applications
  • PKI Implementation in Department of Defense
  • PKI Market Trend
  • Conclusion
  • Question and Answer

3
Importance Of PKI
  • Business Problem
  • How to control access to the Intranet and
    Extranet and guarantee the validity of electronic
    transactions?
  • PKI protects eCommerce transactions
  • Combination of software, encryption
    technologies, and services that enables
    enterprises to protect the security of their
    communications and business transactions on the
    Internet.
  • It establishes trusted relationships among
    users, computers, and applications within an
    intranet or over the Internet.

4
Importance Of PKI
  • PKI Offers
  • Authenticate identity
  • Digital certificates issued as part of PKI allow
    individual users, organizations, and web site
    operators to confidently validate the identity of
    each party in an Internet transaction.
  • Verify integrity
  • A digital certificate ensures that the message or
    document the certificate "signs" has not been
    changed or corrupted in transit online.

5
Importance Of PKI
  • PKI Offers
  • Ensure privacy
  • Digital certificates protect information from
    interception during Internet transmission.
  • Authorize access
  • PKI digital certificates replace easily guessed
    and frequently lost user IDs and passwords to
    streamline intranet log-in security - and reduce
    the MIS overhead.

6
Importance Of PKI
  • PKI Offers
  • Authorize transactions
  • A company can control access privileges for
    specified online transactions.
  • Support for nonrepudiation
  • Digital certificates validate their users'
    identities, making it nearly impossible to later
    repudiate a digitally "signed" transaction, such
    as a purchase made on a web site.

7
Components Of PKI
  • Functional pieces that must be considered when
    building applications to use PKI
  • Certification authority
  • Digital certificates
  • A certificate publication point
  • Where certificates are stored and published. The
    point can be on the same machine that operates as
    the CA, or a security directory, like Netscape or
    Microsoft's Active Directory.
  • A certificate revocation list (CRL)
  • Reference list of certificates that have been
    marked for revocation prior to their original
    expiration date
  • Management tools
  • PKI-enabled applications

8
Types of PKI Applications
  • Secure e-mail
  • Secure e-mail clients use certificates to ensure
    the integrity of e-mail and to encrypt e-mail
    messages for confidentiality.
  • Secure Web communications
  • Web servers can authenticate clients for Web
    communications (using client certificates) and
    provide confidential, encrypted Web
    communications (using server certificates).
  • Secure Web sites
  • Web sites can map client certificates to
    authenticate users to control their rights and
    permissions for Web site resources.

9
Types of PKI Applications
  • Digital signing of software files
  • Code-signing tools use certificates to digitally
    sign software files to provide proof of file
    origin and to ensure the integrity of data.
  • Smart Card authentication
  • Servers use certificates and the private key
    stored on smart cards to authenticate network
    users when they log on to the network.
  • VPN and IPSec
  • IPSec can use certificates to authenticate
    clients for IPSec communications in VPN
    implementations.

10
Types of PKI Applications
  • Secure Web Applications For e-Business
  • The importance
  • According to independent analysts, cash
    transactions on the Internet will reach 30
    billion in 2005.
  • Eighty-five percent of Web users surveyed
    reported that a lack of security made them
    uncomfortable sending credit card numbers over
    the Internet.

11
Types of PKI Applications
  • Secure Web Applications For e-Business
  • Risks of unsecured Web Applications
  • Spoofing
  • Create illegitimate sites that appear to be
    published by established organizations. A person
    can illegally obtain credit card numbers by
    setting up professional-looking storefronts that
    mimic legitimate businesses.
  • Unauthorized disclosure
  • Hackers can intercept the transmissions to obtain
    customers' sensitive information when
    transactions are transmitted on the Internet.
  • Unauthorized action
  • A competitor can alter the Web site so that it
    refuses service to the clients.
  • Data alteration
  • The content of a transaction can be intercepted
    and altered when transmitting

12
Types of PKI Applications
Secure Web Applications For e-Business
  • Key Component
  • Server Digital ID
  • A digital certificate is the electronic
    equivalent of a business license.
  • SSL
  • Secure Sockets Layer (SSL) technology is the
    industry-standard protocol for secure,
    Web-based communications. The server activates
    SSL to create a secure communications channel
    between the server and the customer's browser.
  • Client Digital ID
  • Session Key
  • An encryption key that provides privacy during a
    call and may be changed dynamically by the system.

13
Types of PKI Applications
Secure Web Applications For e-Business
  • The process that guarantees protected
    communications between a Web server and a client.
  • Customers are assured that the web site is
    legitimate.
  • Information sent remains private and secure,
    even if intercepted.
  • Both parties know that messages are received
    exactly as sent.

14
Types of PKI Applications
Smart Card authentication
  • Smart Card
  • A smart card is a device that feels and looks
    like a credit card, but contains a small computer
    that combines dedicated hardware and software
    with more standard components.
  • Cryptographic Cards
  • A cryptographic, or crypto, smart card. Crypto
    cards are high-end microprocessor memory cards
    with additional support for cryptographic
    operations (digital signatures and encryption).

15
Types of PKI Applications
Smart Card authentication
  • Smart Card Example

16
Types of PKI Applications
Smart Card authentication
  • How Smart Card Works
  • 1. An end user simply inserts the card into a
    read/write device.
  • 2. The user provides a PIN or password.
  • 3. The card interacts with security software on
    the local machine and the network.
  • 4. It confines certain operations involving a
    user's private key to the card itself. That
    means the private key and any digital
    certificates never leave the card. All
    computations involving them happen internally and
    securely so only the card holder can access the
    private key.
  • 5. Finally, when a session or workday is over,
    the user removes the card and keeps it in a safe
    place.
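
The five steps above, as an added example that is not part of the original slides: a toy card object keeps the private exponent internal, signs a verifier's challenge only after PIN verification, and blocks after repeated wrong PINs. The names `ToySmartCard` and `login`, the three-try limit and the deliberately tiny textbook-RSA parameters are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy textbook-RSA parameters (two Mersenne primes): far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537


def digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


class ToySmartCard:
    """Hypothetical card model: the private exponent never leaves this object."""
    MAX_TRIES = 3  # assumed retry limit before the card blocks

    def __init__(self, pin: str):
        self.n = P * Q                                # public, as in the certificate
        self.__d = pow(E, -1, (P - 1) * (Q - 1))      # private, no getter exists
        self.__pin = pin.encode()
        self.__tries_left = self.MAX_TRIES
        self.__unlocked = False

    def verify_pin(self, pin: str) -> bool:           # step 2
        if self.__tries_left == 0:
            return False                              # blocked card stays blocked
        if secrets.compare_digest(pin.encode(), self.__pin):
            self.__tries_left, self.__unlocked = self.MAX_TRIES, True
        else:
            self.__tries_left -= 1
            self.__unlocked = False
        return self.__unlocked

    def sign(self, challenge: bytes) -> int:          # step 4: computed on-card
        if not self.__unlocked:
            raise PermissionError("PIN not verified")
        return pow(digest(challenge, self.n), self.__d, self.n)

    def remove(self) -> None:                         # step 5
        self.__unlocked = False


def login(card: ToySmartCard, pin: str) -> bool:
    """Step 3: the verifier sends a fresh challenge and checks the signature
    using only the public values (n, E)."""
    challenge = secrets.token_bytes(32)
    if not card.verify_pin(pin):
        return False
    return pow(card.sign(challenge), E, card.n) == digest(challenge, card.n)
```

A fresh random challenge per login is what stops a recorded signature from being replayed; a real card would use a padded signature scheme and keys generated on the card.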

17
Types of PKI Applications
Smart Card authentication
  • Features
  • Two-factor Authentication
  • The smart card (one factor) and a secret
    user-defined PIN (a second factor) are used to
    prove that the cardholder is the rightful owner
    of that smart card.
  • Secure Storage for Private Keys
  • The user's private key and digital certificate
    are generated and securely stored on the smart
    card. Software drivers (resident on a user's
    personal computer) enable the user's private key
    and digital certificate for eCommerce
    applications.

18
Types of PKI Applications
Smart Card authentication
  • Features
  • Non-repudiation
  • The private key is always in the sole possession
    of the user. That means the undeniable evidence
    that connects a specific user to each transaction
    is always available.
  • Mobility
  • A smart card is a highly mobile device that can
    be easily carried in a user's wallet or pocket.
    This allows a user to securely access protected
    corporate resources from multiple locations.
  • Single Sign-on
  • Users don't have to remember multiple passwords
    to multiple applications. Passwords and IDs are
    loaded in the card.

19
Types of PKI Applications
VPN and IPSec
  • VPN
  • VPN is an enterprise owned and managed network
    solution using existing dedicated networks, the
    Internet or a combination of both, to securely
    communicate information. It is a way to simulate
    a private network over a public network.
  • IPSec: IP Security Protocol
  • IPSec is a protocol suite, a set of Internet
    Protocol extensions, that provides security
    services at the network level.
  • IPSec provides strong data authentication and
    privacy guarantees.

20
Types of PKI Applications
VPN and IPSec
  • VPN
  • VPN is an enterprise owned and managed network
    solution using existing dedicated networks, the
    Internet or a combination of both, to securely
    communicate information. It is a way to simulate
    a private network over a public network.
  • IPSec: IP Security Protocol
  • IPSec is a protocol suite, a set of Internet
    Protocol extensions, that provides security
    services at the network level.
  • IPSec provides strong data authentication and
    privacy guarantees in VPNs.

21
Types of PKI Applications
VPN and IPSec
  • Why PKI
  • IPsec deals with computers and networks, not
    with people.
  • IPSec provides authentication of end points,
    not users. Some kind of user-level authentication
    is needed if a VPN is to provide access for
    remote users.
  • IPSec does not work well in DHCP environment.
  • Since IPsec authentication typically works using
    an IP address as a distinguished name for
    identification purposes, it does not work well in
    a DHCP environment where IP addresses are
    dynamically assigned, e.g. dial-up connections to
    ISPs.

22
Types of PKI Applications
VPN and IPSec
  • How PKI Enhances VPN security?

IP Tunnel
23
PKI Implementation in DoD
  • Goals And Objectives
  • Broad Operational Support
  • Support over 3.5 million DoD employees and
    hundreds of software applications and the
    thousands of network devices in DoD.
  • Interoperability
  • Support interactions and coordination with
    external communities, including military
    operations with Allies and Coalition forces,
    Intelligence Community, other federal Government
    agencies and business partners in the U.S. and
    abroad.
  • Transparency
  • PK-enable DoD's custom software so that it will
    interact effectively with the PKI, transparent to
    the user.

24
PKI Implementation in DoD
  • Goals And Objectives
  • Ease of Operation
  • Enhanced Security
  • Provide the security and assurance needed to
    ensure operational integrity for Command and
    Control, Mission Support, and e-Business uses.
  • Evolutionary Roll Out
  • The DoD PKI is based on commercial industry
    standards. It is being deployed in phases,
    introducing new features and capabilities in an
    orderly fashion, consistent with commercial
    technology progression.   

25
PKI Implementation in DoD
  DoD PKI System Context
(Public Key Infrastructure Roadmap for the
Department of Defense, 18 December, 2000 Version
5.0)
26
PKI Implementation in DoD
  DoD PKI Architecture
(Public Key Infrastructure Roadmap for the
Department of Defense, 18 December, 2000 Version
5.0)
27
PKI Implementation in DoD
  For Further Information
  • Public Key Infrastructure Roadmap for the
    Department of Defense, 18 December, 2000, Version
    5.0
  • http://iase.disa.mil/pki/roadmap.html
  • Public Key Infrastructure Roadmap for the
    Department of Defense, 29 October 1999, Version
    3.0
  • http://www.c3i.osd.mil/ebpublic/dodpki_roadmap.pdf

28
PKI Market Trend
  PKI Market Forecast Through 2004
  • IDC expects the PKI total market to grow from
    281 million in 1999 to a whopping 3.01 billion
    in 2004.
  • The services will generate the majority of the
    market revenue.

Source: IDC, 2000
29
  • Conclusion
  • Why PKI?
  • PKIs integrate digital certificates, public-key
    cryptography, and certificate authorities into a
    total, enterprise-wide network security
    architecture.
  • Three types of PKI applications are discussed.
  • Secure Web Application
  • Smart Card
  • VPN
  • Introduction of PKI Implemented by DoD

30
Thank you!
31
  • Reference
  • http://verisign.netscape.com/security/pki/understanding.html
  • http://www-106.ibm.com/developerworks/security/library/s-pki.html
  • http://www.microsoft.com/windows2000/techinfo/reskit/en/deploy/dgch_pki_izmk.htm
  • http://www.verisign.com/resources/gd/secureBusiness/secureBusiness.html
  • http://www.its.bldrdoc.gov/projects/t1glossary2000/_session_key.html
  • http://www.howstuffworks.com/encryption1.htm
  • http://www.rsasecurity.com/products/securid/smartcards.html
  • http://www.baltimore.com/library/whitepapers/mn_vpn_white_paper.html
  • Defending your digital assets against hackers,
    crackers, spies and thieves, Randall K. Nichols,
    Daniel J. Ryan, Julie J.C.H. Ryan, McGraw-Hill,
    P332, P334, P622
  • http://www.avolio.com/columns/ipsecvpns.html
  • http://www.isp-planet.com/technology/vpn_public_key.html
  • http://www.c3i.osd.mil/ebpublic/dodpki_roadmap.pdf
  • http://iase.disa.mil/pki/roadmap.html
  • http://www.entrust.com/news/reprints/23368E.htm