Security Services in Information Systems - PowerPoint PPT Presentation

1 / 37
About This Presentation
Title:

Security Services in Information Systems

Description:

Security Services in Information Systems Digital Certificates What is a Digital Certificate? Electronic counterparts to driver licenses,passports. – PowerPoint PPT presentation

Number of Views:50
Avg rating:3.0/5.0
Slides: 38
Provided by: anaro6
Category:

less

Transcript and Presenter's Notes

Title: Security Services in Information Systems


1
Security Services in Information Systems
2
Digital Certificates
3
What is a Digital Certificate?
  • Electronic counterparts to driver
    licenses,passports.
  • Enable individuals and organizations to secure
    business and personal transactions across
    communication networks.

4
How do they secure the data?
  • Authentication
  • Integrity
  • Encryption
  • Token verification

5
What certificates are typically used for
  • Secure channel TLS / SSL for web servers
  • Sign emails
  • Authentication
  • Code signing
  • Encrypt files (EFS in Windows/2000)
  • IPsec (encrypt network layer)

6
Certificates and PKI
  • A public key certificate consists of some payload
    and a digital signature over this data.
  • The certificate payload consists of a public key
    and some additional data (e.g. subject and issuer
    information, validity period, privileges,
    attributes etc.).
  • The digital signature binds these additional data
    to the public key.
  • It is the responsibility of a PKI (Public Key
    Infrastructure) to generate, distribute, and
    manage certificates.

7
Certificates
CA
Certified Entity
FJRRH
FJRRH
FJRRH
Verifier
8
Real World Analogies
  • Is a certificate an electronic identity?
  • Concerns
  • a certificate is a binding between an identity
    and a key, not a binding between an identity and
    a real person
  • one must submit its certificate to identify
    itself, but submission is not sufficient, the key
    must be used in a protocol
  • anyone can submit someone elses certificate

9
Real World Analogies
  • Result Certificates are not picture IDs
  • So, what is the real world analogy for
    certificates?
  • Endorsed document/card that serves as a binding
    between the identity and signature

10
Issues Related Certificates
  • TRUST
  • verifiers must trust CAs
  • CAs need not trust the certified entities
  • certified entity need not trust its CA, unless it
    is not the verifier
  • What is trust in certification systems?
  • Answer to the question How correct is the
    certificate information?
  • related to certification policies

11
Issues Related Certificates
  • Certificate Revocation
  • certificates have lifetimes, but they may be
    revoked before the expiration time
  • Reasons
  • certificate holder key compromise/lost
  • CA key compromise
  • end of contract (e.g. certificates for employees)
  • Certificate Revocation Lists (CRLs) hold the list
    of certificates that are not expired but revoked
  • each CA periodically issues such a list with
    digital signature on it

12
Digital Certificate - Lifecycle
Key Pair Generated
13
X.509
  • ITU-T standard (recommendation)
  • ISO 9495-2 is the equivalent ISO standard
  • part of X.500 family for directory services
  • distributed set of servers that store user
    information
  • an utopia that has never been carried out
  • X.509 defines the authentication services and the
    pubic-key certificate structure (certificates are
    to be stored in the directory)
  • so that the directory would contain public keys
    of the users

14
X.509
  • Defines identity certificates
  • attribute (authorization) certificates are added
    in 4th edition (2000)
  • Defines certificate structure, not PKI
  • Supports both hierarchical model and cross
    certificates
  • End users cannot be CAs

15
X.509 Certificate Format
16
X.509v3 Extensions
  • Not enough flexibility in X.509 v1 and v2
  • mostly due to directory specific fields
  • real-world security needs are different
  • email/URL names should be included in a
    certificate
  • key identification was missing (so should be
    included)
  • policy details should indicate under which
    conditions a certificate can be used (was not the
    case in v1 and v2)
  • avoidance of blind trust was not possible in v1
    and v2
  • Rather than explicitly naming new fields a
    general extension method is defined
  • extensions consist of extension identifier, value
    and criticality indicator

17
X.509v3 Extensions
  • Key and policy information
  • subject issuer key identifiers
  • indicators of certificate policies supported by
    the cert
  • key usage (list of purposes like signature,
    encryption, etc)
  • Alternative names, in alternative formats for
    certificate subject and issuer
  • Certificate path constraints (for CA to CA certs)
  • to restrict certificate issuance based on
  • path length (restricting number of subordinate
    CAs)
  • policy identifiers
  • names
  • Verifier could exercise its own restrictions
    during verification as well
  • No blind trust to CAs

18
Main parts of a digital certificate system
  • Request and issue certificates (different
    categories) with verification of identity
  • Storage of certificate (including the private
    key)
  • Publishing of certificates (public part) to
    anyone (LDAP, HTTP)
  • Pre-install root certificates in a trusted
    environment
  • Support by platform, applications and services to
    use certificates
  • Maintain database of issued certificates (no
    private keys!)
  • Helpdesk (information, lost compromised private
    keys)
  • Publishing of CRLs (and enforce apps to do
    revocation checking)

19
X.509 Certificate Format
20
Certification Authority
21
Certification Authority(CA)
  • Trusted entity which issue and manage
    certificates for a population of public-private
    key-pair holders.
  • A digital certificate is issued by a CA and is
    signed with CAs private key.

22
CA
Verifica CRL
Verifica certificado
?
?
X
Y
1235
23
CA Policies
  • CA certification policies (Certificate Practice
    Statement)
  • how reliable is the CA?
  • certification policies describe the methodology
    of certificate issuance
  • ID-control practices
  • loose control only email address
  • tight control apply in person and submit picture
    IDs and/or hard documentation

24
Arquitectura típica de una AC
Certificate Distribution
25
VeriSign Certificates
  • Several companies provide CA services Nortel,
    GTE, U.S. Postal Service and VeriSign among
    others. Of those, the most widely used is the
    latter.
  • Over 35K commercial WEB sites were using VeriSign
    digital certificates as early as 1998.
  • Over a million consumer digital certificates had
    been issued to users of Netscape and Microsoft
    browsers.
  • VeriSign Class1 certificate cost U.S. 14.95 per
    year, or free 60-day trial edition

26
VeriSign Certificates
  • There are three classes of VeriSign certificates
  • Class 1. VeriSign confirms the users e-mail
    address by sending a PIN and Digital ID pick-up
    to the e-mail address provided in the
    application.
  • Class 2. VeriSign uses a consumer database in
    addition to performing the checkings of class 1.
    Confirmation is sent to the specific postal
    address alerting the customer that his/her
    certificate is ready for pick-up.
  • Class 3. VeriSign requires a higher level of
    identity assurance. An individual must prove
    his/her identity by providing notarized
    credentials and/or applying in person.

27
Public Key Infrastructure
28
Organization-wide PKI
  • Local PKI for organizations
  • may have global connections, but the registration
    facilities remain local
  • generally to solve local problems
  • local secure access to resources

29
PKI
  • Business Practice Issue certificates and make
    money
  • several CAs
  • Several CAs are also necessary due to political,
    geographical and trust reasons
  • 3 interconnection models
  • hierarchical
  • cross certificates
  • hybrid

30
Public Key Infrastructure (PKI)
  • PKI is a complete system and well-defined
    mechanisms for certificates
  • certificate issuance
  • certificate revocation
  • certificate storage
  • certificate distribution

31
Hierarchical PKI Example
32
Cross Certificate Based PKI Example
33
Hybrid PKI example
34
Certificate Paths
35
Certificate Paths
  • Verifier must know public key of the first CA
  • Other public keys are found out one by one
  • All CAs on the path must be trusted by the
    verifier

36
Certificate Paths with Reverse Certificates
37
Hosted vs. Standalone PKI
  • Hosted PKI
  • PKI vendor acts as CA
  • PKI owner is the RA
  • Standalone PKI
  • PKI owner is both RA and CA
Write a Comment
User Comments (0)
About PowerShow.com