Public Key Cryptography: Concepts and Applications - PowerPoint PPT Presentation

About This Presentation
Title:

Public Key Cryptography: Concepts and Applications

Description:

Title: Financial Reporting: The Institutional Setting Author: me Last modified by: chand Created Date: 9/14/2004 5:47:48 PM Document presentation format – PowerPoint PPT presentation

Number of Views:197
Avg rating:3.0/5.0
Slides: 20
Provided by: me7790
Category:

less

Transcript and Presenter's Notes

Title: Public Key Cryptography: Concepts and Applications


1
Public Key Cryptography Concepts and
Applications
Raval Fichadia John Wiley Sons, Inc. 2007
  • Chapter Six
  • Prepared by Raval, Fichadia

2
(No Transcript)
3
Chapter Six Objectives
  1. Infer various uses of public key cryptography and
    explain the meaning, characteristics, and uses of
    digital signature.
  2. Understand the role of trust in the Internet
    business environment.
  3. Describe the nature and characteristics of public
    key infrastructure.
  4. Interpret the role of public key cryptography in
    achieving security objectives.
  5. Describe various applications of the public key
    infrastructure.

4
How do you get the secret key in the hands of the
receiver of the message?
  • Key distribution Distributing secret key in a
    secured manner.
  • Key agreement Using a key agreement protocol,
    key value is determined by sender and receiver of
    a message.
  • Diffie-Hallman protocol is a widely-used protocol
    for this purpose.

5
Digital Signature
  • Role of signature A signature
    testifies/acknowledges some content. The signor
    links/binds himself/herself to the content.
  • Digital signature A way of electronically
    binding oneself to the content of a message or a
    document.
  • The way to do this is by encrypting message
    digest (or the message) using ones private key.

6
Trust in Public Keys
  • Need for trust
  • Anywhere, anytime, anyone models of doing
    business have surfaced.
  • Transactions (orders) may come from a person you
    may never meet.
  • It is therefore necessary to authenticate the
    person requesting goods or services.

7
Trust Compared to Security
  • Trust means to rely on.
  • Trust has to do with the expectation that the
    person or an entity relied on will behave in a
    predictable manner (e.g., pay dues).
  • Trusting is an act of the receiver security is
    in the hands of those accountable for information
    assets.
  • Trust is viewed in the context of use (e.g.,
    value of transaction) security is a constant,
    regardless of who makes the determination.
  • Therefore, levels of trust can be determined and
    used depending on the context of use security
    has two states, either an information asset is
    secured, or is unsecured.

8
Sources and Levels of Trust
  • Since context of use will vary, different levels
    of trust can be identified.
  • Trust level to be established for a 10
    transaction would be different than for a 50
    million electronic fund transfer.
  • This way of looking at establishing trust also
    provides cost effectiveness to systems that help
    determine whether to trust a user (customer, for
    example).
  • Different organizations or people may trust the
    same entity to different degrees.

9
Meeting Requirements of Trust
  • Digital (public key) certificate
  • Certification authority
  • Trust levels in digital certificate
  • Web trust models

10
Digital (Public Key) Certificate
  • A certificate provided by a certification
    authority, certifying owners public key.
  • The certificate has a plaintext part and an
    encrypted part.
  • The plaintext discloses the certificate holders
    name, the issuer (CA), expiration date, etc.
  • The encrypted part is where the CA has stored the
    subjects public key, encrypted using the CAs
    private key.

11
Certification Authority (CA)
  • An organization that issues digital certificates.
  • The CA performs many tasks
  • Receive application for keys.
  • Verify applicants identity, conduct due
    diligence appropriate to the trust level, and
    issue key pairs.
  • Store public keys and protect them from
    unauthorized modification.
  • Keep a register of valid keys.
  • Revoke and delete keys that are invalid or
    expired. Maintain a certificate revocation list
    (CRL).
  • In doing its work, the CA may appoint agents,
    called registration authorities (RAs).
  • A primary responsibility of RAs is to facilitate
    the certificate application process.

12
Trust Levels in Digital Certificate
  • Trust levels are implied in digital certificates.
  • If anticipated risk is higher in transactions
    with a subject, one might seek a higher level of
    trust in the certificate.
  • The higher the trust level to be assigned to a
    subject, the greater the depth of due diligence.
  • And greater the cost of issuing the certificate.

13
Web Trust Models
  • The process of establishing trust involves a
    trust model.
  • A trust model allows users to imply trust based
    on what they already know.
  • In a hierarchical trust model (upside down tree),
    the top node (root CA) certifies the next level,
    which in turn certifies the level below, and so
    forth until we reach end entities at the lower
    most level.
  • In a distributed trust model, several independent
    hierarchies, each with its own root CA, are
    formed. Root CAs (also called peer CAs)
    coordinate communication across hierarchies.
  • A Web model is a specific case of the distributed
    model implemented by storing public keys of root
    CAs in widely used browsers.
  • A user-centric trust model (web of trust model)
    relies on the user to act as a de facto CA.
    Example Pretty Good Privacy (PGP).

14
Public Key Infrastructure (PKI)
  • An infrastructure is a network that runs behind
    the scene serving a variety of users having
    different needs.
  • Public key cryptography permits technical
    authentication of the sender, and allows for
    assurance of nonrepudiation.
  • Certification infrastructure, designed using a
    trust model, provides for trust in public key
    necessary in the authentication process.


15
X.509
  • Is a standard for PKI.
  • Specifies formats for and attributes of public
    key certificates and trust models.
  • The standard promotes interoperability and
    consistency, allowing for different software
    vendors and users to work with the same object.
  • The binding of the public key with the end entity
    (subject) is usually done using various sources
    (e.g., email address of the entity for basic
    level of trust).

16
  • Structure of a X.509 v3 digital certificate
  • Certificate
  • Version (to identify the version of certificate
    structure)
  • Serial Number
  • Algorithm ID (to identify the specific
    encryption algorithm used in digitally signing
    (certifying) the public key of the subject (often
    called an end-entity)
  • Issuer (Name of the certification authority)
  • Validity (period for which the certificate is
    valid)
  • Subject (also called end-entity)
  • Subject Public Key Info
  • Public Key Algorithm used in issuing
    public-private key pair
  • Subject Public Key (A string of characters that
    defines the value of the subjects public key)
  • Issuer Unique Identifier (The identifying number
    of the certification authority that issued the
    certificate, e.g., Verisign, RSAsecurity)
  • Subject Unique Identifier (The identifying
    number of the subject)
  • Extensions (Additional information, if any,
    about the subject)
  • Certificate Signature Algorithm (Algorithm that
    the certification authority used to append its
    digital signature, e.g., MD5)
  • Certificate Signature

17
Company Unique features of PKI
Dresdner Bank Designed and implemented a universal PKI registration system. Followed specific procedures to register its corporate clients.
Deutsche Bank Scalable over several platforms. The bank reduced losses due to fraudulent transactions and increased use of its applications. It provided customers with digital identities. It also provided for and certified legally binding signatures.
Canadian Payments Association The Association is a non-profit, national clearing and settlement operation. Their PKI application is intended to address consumer concerns regarding personal and financial information transmitted via the Internet. The association certifies its members (mostly banks), who in turn issue certificates to their customers.
ABN AMRO Bank A complete security solution for its internal, bank-to-bank, and customer-to-bank applications. ABN AMRO is the trusted root CA.
Australian Health Insurance Commission Processes millions of healthcare payment claims each day and handles sensitive clinical information. The PKI links to disparate applications and systems within the commission.
MEDepass Issues a certificate to subscribers and publishes it to the healthcare community. Maintains a CRL.
Veterans Affairs Certificates will be used for veterans benefits (educational, compensation, pension, vocational rehabilitation, etc.) claims processing.
U.S. Government General Services Administration Digital Signature Trust issues digital certificates to the American public on behalf of federal government agencies.
National Institute of Health Designed to electronically create, distribute, and sign forms within its Committee Management System and also to sign some forms electronically.
18
Assurance Considerations
  • Specific issues as related to the certification
    infrastructure include the following
  • Is the private key secure? Are the risks of
    private key compromises known to the owner?
  • How was the CA authorized to become a CA? Can
    you trust the CA?
  • How was trust in implied in the certificate?
    What level of trust is implied? What data were
    used to establish trust?
  • How well does the CA protect public keys and the
    certificates?

19
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com