Open-source Public Key Infrastructure (PKI) Simos Xenitellis - - PDF document

open source public key infrastructure pki
SMART_READER_LITE
LIVE PREVIEW

Open-source Public Key Infrastructure (PKI) Simos Xenitellis - - PDF document

Sep 19, 2022 571 likes •832 views

Open-source Public Key Infrastructure Open-source Public Key Infrastructure (PKI) Simos Xenitellis University of London S.Xenitellis@rhbnc.ac.uk 1 3rd August 2000, LBW2000 Open-source Public Key Infrastructure Agenda We are going to

slide-1
SLIDE 1

Open-source Public Key Infrastructure

Open-source Public Key Infrastructure (PKI)

Simos Xenitellis University of London S.Xenitellis@rhbnc.ac.uk 1

3rd August 2000, LBW2000

slide-2
SLIDE 2

Open-source Public Key Infrastructure

Agenda

We are going to discuss about

  • open-source software
  • public key cryptography
  • PKI functionality

about

  • available standards
  • open-source PKI implementations

and finally about

  • critic on OS PKI design

2

3rd August 2000, LBW2000

slide-3
SLIDE 3

Open-source Public Key Infrastructure

Open-source

is

  • a new trend
  • a new software development model
  • is based on the almost zero distribution costs
  • quick initial distribution
  • not expensive life-cycle

In short

  • availability of source code
  • covered by suitable unencumbered licence

3

3rd August 2000, LBW2000

slide-4
SLIDE 4

Open-source Public Key Infrastructure

Public Key Cryptography

In a nutshell

  • one key to encrypt (public)
  • another to decrypt (private)
  • the two have strong math relationship

Algorithms

  • RSA
  • El Gamal
  • Elliptic curves

can

  • encrypt/decrypt
  • sign/verify

4

3rd August 2000, LBW2000

slide-5
SLIDE 5

Open-source Public Key Infrastructure

Example of Public Key Cryptography: RSA

Setup

  • Find strong primes p and q.
  • Set n = p * q
  • Pick e co-prime with (p-1)(q-1) (65 is ok)
  • and find d so that (d * e) mod ((p-1)(q-1)) = 1

the keys are

  • Public: n and e
  • Private: d

and they can do

  • encrypt: c = m^e mod n
  • decrypt: m = c^d mod n

can also sign/verify 5

3rd August 2000, LBW2000

slide-6
SLIDE 6

Open-source Public Key Infrastructure

PGP in a nutshell

Both parties create a key pair

  • I give you my public key
  • you give me your public key

To send a message to you

  • I encrypt it with your public key

To read the received message

  • you decrypt with your private key

Public keys can be stored on servers 6

3rd August 2000, LBW2000

slide-7
SLIDE 7

Open-source Public Key Infrastructure

Lets do bussines

Well

  • the idea looks nice
  • could it fit some requirements?
  • what are those requirements?

The requirements

  • an organisation can have own repository of certificates
  • ability to attach properties to public keys
  • allow possible recovery of ’forgotten’ keys
  • have bigger entities to ’verify’ somehow user keys

7

3rd August 2000, LBW2000

slide-8
SLIDE 8

Open-source Public Key Infrastructure

Creation of a Certification Authority

In the beginning, the CA was created

  • generates public/private key pair
  • generates certificate request (attach pub. key and descr. of CA)
  • make a certificate out of the certificate request (sign)
  • gives that certificate, the root CA certificate to everyone
  • keeps private key very private (in a box?)

8

3rd August 2000, LBW2000

slide-9
SLIDE 9

Open-source Public Key Infrastructure

Client sign-up

Then, clients start to sign up

  • user creates own certificate request
  • sends over to RA to authorise [optional]
  • if RA says ok, sends over to CA
  • CA signs the request, thus creating a Certificate
  • CA publishes Certificate to a repository
  • user can be contacted securely

9

3rd August 2000, LBW2000

slide-10
SLIDE 10

Open-source Public Key Infrastructure

Why PKIs?

To improve Internet Security

  • S/MIME
  • TLS (a.k.a. SSL)
  • IPsec

To provide

  • confidentiality
  • data integrity
  • data-origin authentication
  • non-repudiation

10

3rd August 2000, LBW2000

slide-11
SLIDE 11

Open-source Public Key Infrastructure

The history of that X.509

X.509 is

  • a specification for certificates
  • but demasiado generic (can accomodate all cert needs)

History

  • Part of X.500 (directory services)
  • X.500 has slow adoption, X.509 continues development
  • Passed 3 major revisions, now X.509v3
  • Meanwhile, PEM implementation showed deficiencies
  • Along the revisions, fields were added
  • ISO/IEC/ITU and ANSI X9 standard

11

3rd August 2000, LBW2000

slide-12
SLIDE 12

Open-source Public Key Infrastructure

Enter IETF

Still X.509 Certificates were lacking Formed PKIX Working Group (Oct95) Specified Internet PKI profile In detail

  • for X.509 v3 PKCs
  • for X.509 v2 CRLs

Gone through 11 drafts Now it’s official, RFC2459 certificate profile describes what fields to use on X.509 and how 12

3rd August 2000, LBW2000

slide-13
SLIDE 13

Open-source Public Key Infrastructure

PKIX Definitions

Certificate

  • Public Key Certificate
  • Attribute Certificate

Authority

  • Certification Authority
  • Attribute Authority
  • and maybe Registration Authority

End Entity 13

3rd August 2000, LBW2000

slide-14
SLIDE 14

Open-source Public Key Infrastructure

PKIX Definitions (cont’)

Infrastructures

  • Public Key Infrastructure (PKI)
  • Privilege Management Infrastructure (PMI)

Documents

  • Certificate Policy (CP)
  • Certification Practice Statement (CPS)

14

3rd August 2000, LBW2000

slide-15
SLIDE 15

Open-source Public Key Infrastructure

More PKIX

Keep in mind these too

  • Management protocols (online interaction with managmt. entities)
  • Operational protocols (delivery of certs/crls)
  • Certificate Policy and Certification Practice Statement
  • Time-stamping and data-certification services

15

3rd August 2000, LBW2000

slide-16
SLIDE 16

Open-source Public Key Infrastructure

Common Data Security Architecture (CDSA)

CDSA is a

  • cross-platform
  • interoperable
  • extensible

security infrastructure for an Internet applications environment Status

  • Brought to you by Intel
  • Endorsed by the The Open Group
  • Open-source implementation by Intel
  • ...for win only
  • But Bull is doing a Linux implementation!
  • To be delivered on 24th August 2000
  • all the above are about CDSA 2.0

Open-source Public Key Infrastructure

16

3rd August 2000, LBW2000

slide-17
SLIDE 17

Open-source Public Key Infrastructure

More on CDSA

Crypto

  • Comes in CSPs, Cryptographic Service Provider
  • Can use either hardware or software CSP
  • an OpenSSL CSP is available!
  • hmm, hardware accel. crypto card? Bull sells such a thing

Misc

  • Ability for secure net-booting (integrity-wise)
  • self-integrity check support
  • and much more at http://developer.intel.com/IAL/security/

17

3rd August 2000, LBW2000

slide-18
SLIDE 18

Open-source Public Key Infrastructure

Types of Certificates

Why plural

  • Certs need not only bind name and public key

Types

  • identity certificates
  • attribute certificates
  • credential certificates

PKIX does 1 and 2 18

3rd August 2000, LBW2000

slide-19
SLIDE 19

Open-source Public Key Infrastructure

Implementations #1

pyCA and OpenCA

  • set of CGI scripts
  • OpenSSL for crypto needs
  • run ok on Unix/Unix-like
  • support Netscape
  • no strict compliance with PKIX
  • allow RAD testing/implementation

pyCA at www.pyca.de OpenCA at www.openca.org 19

3rd August 2000, LBW2000

slide-20
SLIDE 20

Open-source Public Key Infrastructure

Implementations #2

OSCAR

  • Open Secure Certificate ARchitecture
  • comes from DTSC, Australia
  • good support for X.509v3, crypto, PKCS, PKIX
  • very good Netscape support
  • source code available, but can’t redistribute/sell freely
  • should open license, me thinks

20

3rd August 2000, LBW2000

slide-21
SLIDE 21

Open-source Public Key Infrastructure

Implementaions #3

Mozilla Open Source PKI Projects Provides two libraries

  • NSS, Network Security Services
  • PSM, Personal Security Manager

Comments

  • For integration with Netscape/iPlanet products
  • License is MPL or GPL, you choose
  • Crypto still in trouble
  • Not much PKIX compliance, getting better
  • Crypto must get fixed, then go fast

21

3rd August 2000, LBW2000

slide-22
SLIDE 22

Open-source Public Key Infrastructure

Implementations #4

MISPC or Minimum Interoperability Specifications for PKI Components

  • Brought to you by NIST (it’s .gov)
  • CD-only distribution (still waiting for it)
  • That has source code (excl. crypto)
  • Only for Windows
  • Has some PKIX support
  • No crypto for US, yet
  • Part of the FPKI
  • Gloomy future, me thinks

22

3rd August 2000, LBW2000

slide-23
SLIDE 23

Open-source Public Key Infrastructure

Implementations #5

Jonah, the reference implementation from IBM PKIX compliance with

  • RFCs 2459, 2510, 2511 and LDAPv2 draft

Comments

  • they verified the PKIX docs, found errata, gave feedback
  • no crypto for US
  • uses CDSA 1.2
  • does not compile on linux
  • are selling it now
  • pulled it back on licensing issues (regarding the CDSA)
  • is freeware, me says they changed their mind

23

3rd August 2000, LBW2000

slide-24
SLIDE 24

Open-source Public Key Infrastructure

Open-source PKI vision

To be

  • based on the (evolving) PKIX standards
  • used as a open-source reference model for PKIX
  • based on CDSA 2.0
  • available in server mode implementation
  • available in CGI mode implementation (RAD)
  • integrated with the MUSCLE project (smartcards)
  • used for Single Sign-On (SSO) and PAM

24

3rd August 2000, LBW2000

slide-25
SLIDE 25

Open-source Public Key Infrastructure

El Fin

We are going to discuss about

  • open-source software
  • public key cryptography
  • PKI functionality

about

  • available standards
  • open-source PKI implementations

and finally about

  • critic on OS PKI design

for more, check out http://ospkibook.sourceforge.net 25

3rd August 2000, LBW2000