Title: Public Key Cryptography: Concepts and Applications
1Public Key Cryptography Concepts and
Applications
Raval Fichadia John Wiley Sons, Inc. 2007
- Chapter Six
- Prepared by Raval, Fichadia
2(No Transcript)
3Chapter Six Objectives
- Infer various uses of public key cryptography and
explain the meaning, characteristics, and uses of
digital signature. - Understand the role of trust in the Internet
business environment. - Describe the nature and characteristics of public
key infrastructure. - Interpret the role of public key cryptography in
achieving security objectives. - Describe various applications of the public key
infrastructure.
4How do you get the secret key in the hands of the
receiver of the message?
- Key distribution Distributing secret key in a
secured manner. - Key agreement Using a key agreement protocol,
key value is determined by sender and receiver of
a message. - Diffie-Hallman protocol is a widely-used protocol
for this purpose.
5Digital Signature
- Role of signature A signature
testifies/acknowledges some content. The signor
links/binds himself/herself to the content. - Digital signature A way of electronically
binding oneself to the content of a message or a
document. - The way to do this is by encrypting message
digest (or the message) using ones private key.
6Trust in Public Keys
- Need for trust
- Anywhere, anytime, anyone models of doing
business have surfaced. - Transactions (orders) may come from a person you
may never meet. - It is therefore necessary to authenticate the
person requesting goods or services.
7Trust Compared to Security
- Trust means to rely on.
- Trust has to do with the expectation that the
person or an entity relied on will behave in a
predictable manner (e.g., pay dues). - Trusting is an act of the receiver security is
in the hands of those accountable for information
assets. - Trust is viewed in the context of use (e.g.,
value of transaction) security is a constant,
regardless of who makes the determination. - Therefore, levels of trust can be determined and
used depending on the context of use security
has two states, either an information asset is
secured, or is unsecured.
8Sources and Levels of Trust
- Since context of use will vary, different levels
of trust can be identified. - Trust level to be established for a 10
transaction would be different than for a 50
million electronic fund transfer. - This way of looking at establishing trust also
provides cost effectiveness to systems that help
determine whether to trust a user (customer, for
example). - Different organizations or people may trust the
same entity to different degrees.
9Meeting Requirements of Trust
- Digital (public key) certificate
- Certification authority
- Trust levels in digital certificate
- Web trust models
10Digital (Public Key) Certificate
- A certificate provided by a certification
authority, certifying owners public key. - The certificate has a plaintext part and an
encrypted part. - The plaintext discloses the certificate holders
name, the issuer (CA), expiration date, etc. - The encrypted part is where the CA has stored the
subjects public key, encrypted using the CAs
private key.
11Certification Authority (CA)
- An organization that issues digital certificates.
- The CA performs many tasks
- Receive application for keys.
- Verify applicants identity, conduct due
diligence appropriate to the trust level, and
issue key pairs. - Store public keys and protect them from
unauthorized modification. - Keep a register of valid keys.
- Revoke and delete keys that are invalid or
expired. Maintain a certificate revocation list
(CRL). - In doing its work, the CA may appoint agents,
called registration authorities (RAs). - A primary responsibility of RAs is to facilitate
the certificate application process.
12Trust Levels in Digital Certificate
- Trust levels are implied in digital certificates.
- If anticipated risk is higher in transactions
with a subject, one might seek a higher level of
trust in the certificate. - The higher the trust level to be assigned to a
subject, the greater the depth of due diligence. - And greater the cost of issuing the certificate.
13Web Trust Models
- The process of establishing trust involves a
trust model. - A trust model allows users to imply trust based
on what they already know. - In a hierarchical trust model (upside down tree),
the top node (root CA) certifies the next level,
which in turn certifies the level below, and so
forth until we reach end entities at the lower
most level. - In a distributed trust model, several independent
hierarchies, each with its own root CA, are
formed. Root CAs (also called peer CAs)
coordinate communication across hierarchies. - A Web model is a specific case of the distributed
model implemented by storing public keys of root
CAs in widely used browsers. - A user-centric trust model (web of trust model)
relies on the user to act as a de facto CA.
Example Pretty Good Privacy (PGP).
14Public Key Infrastructure (PKI)
- An infrastructure is a network that runs behind
the scene serving a variety of users having
different needs. - Public key cryptography permits technical
authentication of the sender, and allows for
assurance of nonrepudiation. - Certification infrastructure, designed using a
trust model, provides for trust in public key
necessary in the authentication process.
15X.509
- Is a standard for PKI.
- Specifies formats for and attributes of public
key certificates and trust models. - The standard promotes interoperability and
consistency, allowing for different software
vendors and users to work with the same object. - The binding of the public key with the end entity
(subject) is usually done using various sources
(e.g., email address of the entity for basic
level of trust).
16- Structure of a X.509 v3 digital certificate
- Certificate
- Version (to identify the version of certificate
structure) - Serial Number
- Algorithm ID (to identify the specific
encryption algorithm used in digitally signing
(certifying) the public key of the subject (often
called an end-entity) - Issuer (Name of the certification authority)
- Validity (period for which the certificate is
valid) - Subject (also called end-entity)
- Subject Public Key Info
- Public Key Algorithm used in issuing
public-private key pair - Subject Public Key (A string of characters that
defines the value of the subjects public key) - Issuer Unique Identifier (The identifying number
of the certification authority that issued the
certificate, e.g., Verisign, RSAsecurity) - Subject Unique Identifier (The identifying
number of the subject) - Extensions (Additional information, if any,
about the subject) - Certificate Signature Algorithm (Algorithm that
the certification authority used to append its
digital signature, e.g., MD5) - Certificate Signature
17Company Unique features of PKI
Dresdner Bank Designed and implemented a universal PKI registration system. Followed specific procedures to register its corporate clients.
Deutsche Bank Scalable over several platforms. The bank reduced losses due to fraudulent transactions and increased use of its applications. It provided customers with digital identities. It also provided for and certified legally binding signatures.
Canadian Payments Association The Association is a non-profit, national clearing and settlement operation. Their PKI application is intended to address consumer concerns regarding personal and financial information transmitted via the Internet. The association certifies its members (mostly banks), who in turn issue certificates to their customers.
ABN AMRO Bank A complete security solution for its internal, bank-to-bank, and customer-to-bank applications. ABN AMRO is the trusted root CA.
Australian Health Insurance Commission Processes millions of healthcare payment claims each day and handles sensitive clinical information. The PKI links to disparate applications and systems within the commission.
MEDepass Issues a certificate to subscribers and publishes it to the healthcare community. Maintains a CRL.
Veterans Affairs Certificates will be used for veterans benefits (educational, compensation, pension, vocational rehabilitation, etc.) claims processing.
U.S. Government General Services Administration Digital Signature Trust issues digital certificates to the American public on behalf of federal government agencies.
National Institute of Health Designed to electronically create, distribute, and sign forms within its Committee Management System and also to sign some forms electronically.
18Assurance Considerations
- Specific issues as related to the certification
infrastructure include the following - Is the private key secure? Are the risks of
private key compromises known to the owner? - How was the CA authorized to become a CA? Can
you trust the CA? - How was trust in implied in the certificate?
What level of trust is implied? What data were
used to establish trust? - How well does the CA protect public keys and the
certificates?
19(No Transcript)