PKI - PowerPoint PPT Presentation

1 / 34
About This Presentation
Title:

PKI

Description:

Blowfish (1993) is a 64-bit block cipher that uses variable length keys. Blowfish is characterized by its ease of implementation, high execution speeds ... – PowerPoint PPT presentation

Number of Views:111
Avg rating:3.0/5.0
Slides: 35
Provided by: anned158
Category:
Tags: pki | blowfish

less

Transcript and Presenter's Notes

Title: PKI


1
PKI
  • Chapter 14

2
Public Key Infrastructure (PKI)
  • PKI is the combination of software, encryption
    technologies, and services which protects
    business communications and transactions on the
    Internet.
  • PKIs integrate digital certificates, public-key
    cryptography, and certificate authorities into a
    total, enterprise-wide network security
    architecture
  • A way to verify an individuals identity and to
    ensure that a persons public key is bound to
    their identity
  • Uses asymmetrical algorithms
  • http//csrc.nist.gov/pki/

3
Cryptography
  • Study of complex mathematical formulas and
    algorithms used for encryption and decryption
  • Random number generators create numbers that work
    as seed values
  • The algorithm uses the seed value as a starting
    place to create the key
  • If algorithm used the same seed values over and
    over, similar keys would be generated
  • The more random, the more resilient to brute
    force attacks

4
Symmetric versus Asymmetric Algorithms
Type of Algorithm Advantages Disadvantages
Symmetric Single key Requires sender and receiver to agree on a key before transmission of data Security lies only with the key High cost
Asymmetric Encryption and decryption keys are different Decryption key cannot be calculated from encryption key Security of keys can be compromised when malicious users post phony keys
5
Without a PKI, individuals could spoof identities
6
Certificaticate Authority
  • CA is trusted authority for certifying
    individuals and creating an electronic document,
    the digital certificate http//www.pki-page.org/C
    A
  • Consists of software, hardware, procedures,
    policies
  • Every CA outlines how identities are verified,
    keys are secured, what data is placed within a
    digital certificate, and how revocations will be
    handled.

7
Digital Certificates
  • Binds an individuals identity to a public key
    and
  • Contains all the info needed to prove the public
    key belongs to a legitimate owner and has not
    been compromised
  • Consist of
  • Owners public key
  • Information unique to owner
  • Digital signatures or an endorser

8
(No Transcript)
9
Registration Authority
  • RA accepts a request for a digital certificate
    and performs the necessary steps of registering
    and authenticating the person. Different type of
    certs available, the higher the class the more id
    required
  • Class 1 can digitally sign email and encrypt
    message content
  • Class 2 software signing
  • Class 3 set up its own certificate authority

10
Steps for obtaining a digital certificate
11
Digital Signatures
  • Created by using hash functions (message digest)
  • Electronic identification of a person or thing
    created by using a public key algorithm
  • Verify (to a recipient) the integrity of data and
    identity of the sender
  • Provide same features as encryption

12
(No Transcript)
13
Hash Functions
  • Message Digest is a generic version of one of
    three algorithms, all designed to create a
    message digest or hash from plain text.
  • MD2 produces hash of 128 bits, optimized for
    8-bit machine
  • MD4 optimized for 32-bit machines, fast but not
    secure
  • MD5 created to fix security problems of MD4 and
    is slower
  • SHA algorithm modeled on MD4. Accepts an input
    of up to 264 bits or less and compresses down to
    a hash of 160 bits.

14
Certificate Repository
  • Once the certificate is registered, identity
    proven, and a key pair generated, they are placed
    in a public repository.
  • All of the certificates can be in one, large
    distributed database (LDAP)
  • Each signing certificate can maintain its own
    repository and have a means of querying the other
    repositories for information for its users
  • Business communities and governments are starting
    the process of creating their CAs. They are
    linking them by signing or cross-certifying and
    publishing all of their information in
    business-class repositories.

15
Trust and Certificate Verification
  • CAs digital certificate and public keys are
    downloaded onto local PCs.
  • Most browsers have a list of trusted CAs by
    default.

First, Maynard checks the CA against his list
16
Trust and Certificate Verification
  • If CA and integrity of certificate is trusted,
    still need to check
  • Start and stop dates of certificates (life
    cycles)
  • Revocation list (CRL)
  • Lost laptop or smart card
  • Improper software implementation
  • Social engineering attack
  • Employee leaves company

17
Centralized or Decentralized Infrastructure
  • Decentralized approach
  • Local computers generate and store cryptographic
    keys local to the system
  • Centralized server approach
  • Use if the process is resource intensive or has
    large key sizes
  • Easier to backup
  • Needs to be fault tolerance with redundancy
  • Needs to use a secure way to transmit keys to
    local systems
  • The it person needs to be trusted

18
Private Key Protection
  • The key size should provide the necessary level
    of protection for the environment
  • The lifetime should correspond with how often it
    is used and the sensitivity of the data
  • Key should be changed and not used past its
    lifetime
  • Key should be properly destroy at end of lifetime
  • Key should never be exposed in clear test
  • No copies of the private key should be made
  • Key should not be shared
  • Key should be stored securely
  • Authentication should be required before it can
    be used
  • Key should be transported securely
  • Software implementation used for storage needs to
    provide the necessay level of protection

19
Key Escrow
  • Process of giving keys to a third party so that
    they can decrypt and read sensitive information
    when this need arises.
  • Used by government so they can collect evidence
    during investigations
  • Clipper Chip - NSA developed, hardware oriented,
    cryptographic device that implements a symmetric
    encryption/decryption algorithm and a law
    enforcement satisfying key escrow system.

20
PKI Standards
  • Business process
  • Applications
  • Standards/protocols that use PKI
  • PKI implementation level

Online banking and shopping
Email, VPNs
S/MIME, SSL, TLS, WTLS, IPsec, PPTP
ISAKMP, CMP, SKMS, X.509, PKIX, PKCS
21
PKI Standards
  • PKI Implementation relies on
  • PKIX -Public Key Intrastructure
  • PKCS - Public Key Cryptography
  • X.509
  • ISAKMP and XKMS is a key management protocol
  • CMP manages certificates
  • S/MIME manages email
  • SSL, TLS and WTLS for secure packet transmissions
  • IPSEC and PPTP for VPN

Online banking and shopping
Email, VPNs
S/MIME, SSL, TLS, WTLS, IPsec, PPTP
ISAKMP, CMP, XKMS, X.509, PKIX, PKCS
22
PKI Standards
  • PKIX/PKCS based on the X.509 standard defines
    four components
  • The user
  • Certificate Authority (CA)
  • Registration authority (RA)
  • Certificate revocation lists
  • X.509 info about data formats and procedures
    used for CA signed PKC

Online banking and shopping
Email, VPNs
S/MIME, SSL, TLS, WTLS, IPsec, PPTP
ISAKMP, CMP, XKMS, X.509, PKIX, PKCS
23
X.509 Certificates
  • Late 1980, the X.500 OSI directory standard was
    defined by ISO and the ITU. X.509 addresses the
    structure of certificates used for
    authentication.
  • X.509 defines a hierarchical certification
    structure that relies on a root certificate
    authority that is self-certifying.
  • Rather than define its own certificate type (like
    PGP), S/MIME relies on X.509
  • To obtain a X.509, you must ask a CA to issue you
    one.

24
(No Transcript)
25
Trust Models
  • A trust domain is a construct of systems,
    personnel, applications, protocols, technologies,
    and policies that work together to provide
    protection.
  • Need to determine criteria of trust
  • Drivers license
  • Digital signature of trusted entity
  • CA

26
Trust Model
  • Techniques that establish how users validate
    certificates
  • Direct trust not scalable
  • Hierarchical trust based on number of root CA
  • Web of trust

27
Web of Trust
  • Combines concepts of direct trust and
    hierarchical trust
  • Adds the idea that trust is relative to each
    requester
  • Central theme the more information available,
    the better the decision
  • By mixing and matching the basic building blocks,
    network designers can put together PKI for a
    department, a company, many companies or many
    individuals. The design phase is where PKI gets
    tricky.

28
Setting up an Enterprise PKI
  • Extremely complex task with enormous demands on
    financial, human, hardware, and software
    resources
  • Areas to explore
  • Basic support
  • Training
  • Documentation issues

29
Areas to Explore in Detail When Setting up an
Enterprise PKI
  • Support for standards, protocols, and third-party
    applications
  • Issues related to cross-certification,
    interoperability, and trust models
  • Multiple key pairs and key pair uses
  • How to PKI-enable applications and client-side
    software availability

continued
30
Areas to Explore in Detail When Setting up an
Enterprise PKI
  • Impact on end user for key backup, key or
    certificate update, and nonrepudiation services
  • Performance, scalability, and flexibility issues
    regarding distribution, retrieval, and revocation
    systems
  • Physical access control to facilities

31
Common Encryption Algorithms
  • Most encryption algorithms in use today are based
    on a structure developed by Horst Feistel of IBM
    in 1973.
  • Lucifer (1974) to protect non-classified data.
    It utilizes a 128-bit key and 16 rounds in the
    encryption process. Lucifer suffers from a weak
    key structure and is vulnerable to attacks, yet
    it still can be used in tandem with other
    algorithms effectively.
  • Diffie-Hellman (1976) utilizes a public key
    system, which is the oldest public key system in
    use. It is commonly used in IPSec.

32
Common Encryption Algorithms
  • RSA (1977) - Named for its developers, Rivest,
    Shamir, and Adleman, the RSA algorithm is based
    on the Diffie-Helman cipher and uses a variable
    key length and block size. Flexible algorithm,
    but with greater key lengths and block sizes, it
    can be slow to compute in some environments.
  • DES (1977) The Data Encryption Standard algorithm
    is a modified version of the Lucifer algorithm
    and uses a 56-bit key. In 1998, the Electronic
    Frontier Foundation cracked the DES algorithm in
    less than 3 days. This led to the development of
    Triple DES.

33
Common Encryption Algorithms
  • Triple DES (1998) - uses the same algorithm as
    DES, but uses three keys and three executions of
    the algorithm to encrypt and decrypt data,
    resulting in a 168-bit key. It is three times
    slower than DES but much more secure.. Triple DES
    is very easy to implement in encryption systems
    that are currently using DES as its encryption
    algorithm, but it is not foolproof.
  • IDEA (1992) - IDEA is a block cipher operating on
    64-bit blocks and using a 128-bit key. IDEA is
    commonly used in PGP and is a substitute for DES
    and Triple DES. There are no known attacks at
    this time for this algorithm.

34
Common Encryption Algorithms
  • Blowfish (1993) is a 64-bit block cipher that
    uses variable length keys. Blowfish is
    characterized by its ease of implementation, high
    execution speeds and low memory usage. At this
    time, there are no known attacks for this
    algorithm.
  • RC5 (1995) RC5 (1995). The RC5 algorithm was
    created to be suitable for either hardware or
    software functions. Like Blowfish, it is very
    fast, easy to implement, and has low memory
    usage. RC5 uses a variable key length and a
    variable number of rounds that makes it very
    flexible and adaptable. At this time, there are
    no known attacks for this algorithm.
Write a Comment
User Comments (0)
About PowerShow.com