ISA 562 Information Systems Theory and Practice - PowerPoint PPT Presentation

1 / 36
About This Presentation
Title:

ISA 562 Information Systems Theory and Practice

Description:

Title: No Slide Title Author: Ravi Sandhu Last modified by: Edgar Created Date: 8/20/1998 7:27:38 PM Document presentation format: On-screen Show Other titles – PowerPoint PPT presentation

Number of Views:101
Avg rating:3.0/5.0
Slides: 37
Provided by: RaviS
Learn more at: http://mason.gmu.edu
Category:

less

Transcript and Presenter's Notes

Title: ISA 562 Information Systems Theory and Practice


1
ISA 562Information Systems Theory and Practice
  • 10. Digital Certificates

2
PUBLIC-KEY CERTIFICATES-1
  • What is a certificate?
  • A statement claiming some binding of attribute
    values
  • Why do we need them?
  • Identifying entities outside of domain
  • Distributed access control
  • What do they do?
  • Propagates claims
  • Certifier makes a claim that can be checked for
    authenticity and accepted if the recipient
    believe the claimant to be truthful
  • Manages trust distributed trust management

3
X.509v1 CERTIFICATE
VERSION SERIAL NUMBER SIGNATURE
ALGORIT ISSUER VALIDITY SUBJECT SUBJECT PUB KEY
INFO SIGNATURE
1 1234567891011121314 RSAMD5, 512 CUS, SVA,
OGMU, OUISE 9/9/99-1/1/1 CUS, SVA, OGMU,
OUISE, CNAlice RSA, 1024, xxxxxx SIGNATURE
4
PUBLIC-KEY CERTIFICATES
  • For public-key based encryption
  • sender needs public key of receiver
  • For public-key digital signatures
  • receiver needs public key of sender
  • To establish an agreement
  • both need each others public keys

5
CERTIFICATE TRUST
  • Acquisition of public key of the issuer to verify
    the signature
  • Go to through a certificate chain
  • Whether or not to trust certificates signed by
    the issuer for this subject

6
PEM CERTIFICATION GRAPH
Internet Policy Registration Authority
IPRA
Policy Certification Authorities (PCAs)
PERSONA
RESIDENTIAL
MID-LEVEL ASSURANCE
HIGH ASSURANCE
Anonymous
MITRE
GMU
Virginia
Certification Authorities (CAs)
Abrams
LEO
Fairfax
CS
Subjects
Grover
Grover
7
PUBLIC-KEY CERTIFICATES
  • What is a certificate?
  • A statement claiming some binding of attribute
    values
  • Why do we need them?
  • Identifying entities outside of domain
  • Distributed access control
  • What do they do?
  • Propagate claims
  • Certifier makes a claim that can be checked for
    authenticity and accepted if the recipient
    believe the claimant to be truthful
  • Manages trust distributed trust management

8
SECURE ELECTRONIC TRANSACTIONS (SET) CA HIERARCHY
Root
Brand
Brand
Brand
Geo-Political
Bank
Acquirer
Customer
Merchant
9
Certificate Revocation
  • Sometimes, the issuer need to recant certificate
  • The subjects attributes have changed
  • The subject misused the certificate
  • There are forged certificates
  • Published in a certificate revocation list

10
CRL FORMAT
SIGNATURE ALGORITHM ISSUER LAST UPDATE NEXT
UPDATE REVOKED CERTIFICATES SIGNATURE
SERIAL NUMBER REVOCATION DATE
11
X.509 CERTIFICATES
  • X.509v1
  • basic
  • X.509v2
  • adds unique identifiers to prevent against reuse
    of X.500 names
  • X.509v3
  • adds many extensions
  • can be further extended

12
X.509v3 CERTIFICATE INNOVATIONS
  • distinguish various certificates
  • signature, encryption, key-agreement
  • identification info in addition to X.500 name
  • internet names email addresses, host names, URLs
  • issuer can state policy and usage
  • good enough for casual email but not for signing
    checks
  • limits on use of signature keys for further
    certification
  • extensible
  • proprietary extensions can be defined and
    registered
  • attribute certificates
  • ongoing work

13
X.509v2 CRL INNOVATIONS
  • CRL distribution points
  • indirect CRLs
  • delta CRLs
  • revocation reason
  • push CRLs

14
HIERARCHICAL STRUCTURE
Z
X
Y
Q
R
S
T
A
C
E
G
I
K
M
O
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
15
HIERARCHICAL STRUCTURE WITH ADDED LINKS
Z
X
Y
Q
R
S
T
A
C
E
G
I
K
M
O
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
16
TOP-DOWN HIERARCHICAL STRUCTURE
Z
X
Y
Q
R
S
T
A
C
E
G
I
K
M
O
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
17
FORREST OF HIERARCHIES
18
MULTIPLE ROOT CAs INTERMEDIATE CAs MODEL
X
S
T
Q
R
A
C
E
G
I
K
M
O
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
19
THE CERTIFICATE TRIANGLE
user
X.509 identity certificate
X.509 attribute certificate
attribute
public-key
SPKI certificate
20
2-WAY SSL HANDSHAKE WITH RSA
Handshake Protocol
Record Protocol
21
SINGLE ROOT CA MODEL
Root CA
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
Root CA
User
22
SINGLE ROOT CAMULTIPLE RAs MODEL
Root CA
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
Root CA
23
MULTIPLE ROOT CAs MODEL
Root CA
Root CA
Root CA
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
Root CA
User
Root CA
User
Root CA
User
24
ROOT CA INTERMEDIATE CAs MODEL
Z
X
Y
Q
R
S
T
A
C
E
G
I
K
M
O
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
25
MULTIPLE ROOT CAs PLUS INTERMEDIATE CAs MODEL
X
S
T
Q
R
A
C
E
G
I
K
M
O
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
26
MULTIPLE ROOT CAs PLUS INTERMEDIATE CAs MODEL
X
S
T
Q
R
A
C
E
G
I
K
M
O
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
27
MULTIPLE ROOT CAs PLUS INTERMEDIATE CAs MODEL
X
S
T
Q
R
A
C
E
G
I
K
M
O
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
28
MULTIPLE ROOT CAs INTERMEDIATE CAs MODEL
  • Essentially the model on the web today
  • Deployed in server-side SSL mode
  • Client-side SSL mode yet to happen

29
SERVER-SIDE MASQUERADING
Bob Web browser
www.host.com Web server
Server-side SSL
Ultratrust Security Services
www.host.com
30
SERVER-SIDE MASQUERADING
Bob Web browser
www.host.com Web server
Ultratrust Security Services
Server-side SSL
Server-side SSL
Mallorys Web server
www.host.com
BIMM Corporation
www.host.com
31
SERVER-SIDE MASQUERADING
Bob Web browser
www.host.com Web server
Ultratrust Security Services
Server-side SSL
Server-side SSL
BIMM Corporation
Mallorys Web server
www.host.com
Ultratrust Security Services
www.host.com
32
MAN IN THE MIDDLEMASQUERADING PREVENTED
Client Side SSL end-to-end
Ultratrust Security Services
Bob Web browser
www.host.com Web server
Bob
Ultratrust Security Services
Client-side SSL
Client-side SSL
BIMM Corporation
BIMM Corporation
www.host.com
Mallorys Web server
Ultratrust Security Services
Ultratrust Security Services
www.host.com
Bob
33
ATTRIBUTE-BASED CLIENT SIDE MASQUERADING
Joe_at_anywhere Web browser
BIMM.com Web server
Client-side SSL
Ultratrust Security Services
Ultratrust Security Services
Joe_at_anywhere
BIMM.com
34
ATTRIBUTE-BASED CLIENT SIDE MASQUERADING
Alice_at_SRPC Web browser
BIMM.com Web server
Client-side SSL
SRPC
Ultratrust Security Services
Alice_at_SRPC
BIMM.com
35
ATTRIBUTE-BASED CLIENT SIDE MASQUERADING
Bob_at_PPC Web browser
BIMM.com Web server
Client-side SSL
PPC
Ultratrust Security Services
Bob_at_PPC
BIMM.com
36
ATTRIBUTE-BASED CLIENT SIDE MASQUERADING
Alice_at_SRPC Web browser
BIMM.com Web server
Client-side SSL
SRPC
Ultratrust Security Services
BIMM.com
PPC
Bob_at_PPC
Write a Comment
User Comments (0)
About PowerShow.com