open source public key infrastructure pki
play

Open-source Public Key Infrastructure (PKI) Simos Xenitellis - PDF document

Sep 19, 2022 •571 likes •826 views

Open-source Public Key Infrastructure Open-source Public Key Infrastructure (PKI) Simos Xenitellis University of London S.Xenitellis@rhbnc.ac.uk 1 3rd August 2000, LBW2000 Open-source Public Key Infrastructure Agenda We are going to

  1. Open-source Public Key Infrastructure Open-source Public Key Infrastructure (PKI) Simos Xenitellis University of London S.Xenitellis@rhbnc.ac.uk 1 3rd August 2000, LBW2000

  2. Open-source Public Key Infrastructure Agenda We are going to discuss about • open-source software • public key cryptography • PKI functionality about • available standards • open-source PKI implementations and finally about • critic on OS PKI design 2 3rd August 2000, LBW2000

  3. Open-source Public Key Infrastructure Open-source is • a new trend • a new software development model • is based on the almost zero distribution costs • quick initial distribution • not expensive life-cycle In short • availability of source code • covered by suitable unencumbered licence 3 3rd August 2000, LBW2000

  4. Open-source Public Key Infrastructure Public Key Cryptography In a nutshell • one key to encrypt (public) • another to decrypt (private) • the two have strong math relationship Algorithms • RSA • El Gamal • Elliptic curves can • encrypt/decrypt • sign/verify 4 3rd August 2000, LBW2000

  5. Open-source Public Key Infrastructure Example of Public Key Cryptography: RSA Setup • Find strong primes p and q. • Set n = p * q • Pick e co-prime with (p-1)(q-1) (65 is ok) • and find d so that (d * e) mod ((p-1)(q-1)) = 1 the keys are • Public: n and e • Private: d and they can do • encrypt: c = m^e mod n • decrypt: m = c^d mod n can also sign/verify 5 3rd August 2000, LBW2000

  6. Open-source Public Key Infrastructure PGP in a nutshell Both parties create a key pair • I give you my public key • you give me your public key To send a message to you • I encrypt it with your public key To read the received message • you decrypt with your private key Public keys can be stored on servers 6 3rd August 2000, LBW2000

  7. Open-source Public Key Infrastructure Lets do bussines Well • the idea looks nice • could it fit some requirements? • what are those requirements? The requirements • an organisation can have own repository of certificates • ability to attach properties to public keys • allow possible recovery of ’forgotten’ keys • have bigger entities to ’verify’ somehow user keys 7 3rd August 2000, LBW2000

  8. Open-source Public Key Infrastructure Creation of a Certification Authority In the beginning, the CA was created • generates public/private key pair • generates certificate request (attach pub. key and descr. of CA) • make a certificate out of the certificate request (sign) • gives that certificate, the root CA certificate to everyone • keeps private key very private (in a box?) 8 3rd August 2000, LBW2000

  9. Open-source Public Key Infrastructure Client sign-up Then, clients start to sign up • user creates own certificate request • sends over to RA to authorise [optional] • if RA says ok, sends over to CA • CA signs the request, thus creating a Certificate • CA publishes Certificate to a repository • user can be contacted securely 9 3rd August 2000, LBW2000

  10. Open-source Public Key Infrastructure Why PKIs? To improve Internet Security • S/MIME • TLS (a.k.a. SSL) • IPsec To provide • confidentiality • data integrity • data-origin authentication • non-repudiation 10 3rd August 2000, LBW2000

  11. Open-source Public Key Infrastructure The history of that X.509 X.509 is • a specification for certificates • but demasiado generic (can accomodate all cert needs) History • Part of X.500 (directory services) • X.500 has slow adoption, X.509 continues development • Passed 3 major revisions, now X.509v3 • Meanwhile, PEM implementation showed deficiencies • Along the revisions, fields were added • ISO/IEC/ITU and ANSI X9 standard 11 3rd August 2000, LBW2000

  12. Open-source Public Key Infrastructure Enter IETF Still X.509 Certificates were lacking Formed PKIX Working Group (Oct95) Specified Internet PKI profile In detail • for X.509 v3 PKCs • for X.509 v2 CRLs Gone through 11 drafts Now it’s official, RFC2459 certificate profile describes what fields to use on X.509 and how 12 3rd August 2000, LBW2000

  13. Open-source Public Key Infrastructure PKIX Definitions Certificate • Public Key Certificate • Attribute Certificate Authority • Certification Authority • Attribute Authority • and maybe Registration Authority End Entity 13 3rd August 2000, LBW2000

  14. Open-source Public Key Infrastructure PKIX Definitions (cont’) Infrastructures • Public Key Infrastructure (PKI) • Privilege Management Infrastructure (PMI) Documents • Certificate Policy (CP) • Certification Practice Statement (CPS) 14 3rd August 2000, LBW2000

  15. Open-source Public Key Infrastructure More PKIX Keep in mind these too • Management protocols (online interaction with managmt. entities) • Operational protocols (delivery of certs/crls) • Certificate Policy and Certification Practice Statement • Time-stamping and data-certification services 15 3rd August 2000, LBW2000

  16. Open-source Public Key Infrastructure Open-source Public Key Infrastructure Common Data Security Architecture (CDSA) CDSA is a • cross-platform • interoperable • extensible security infrastructure for an Internet applications environment Status • Brought to you by Intel • Endorsed by the The Open Group • Open-source implementation by Intel • ...for win only • But Bull is doing a Linux implementation! • To be delivered on 24th August 2000 • all the above are about CDSA 2.0 16 3rd August 2000, LBW2000

  17. Open-source Public Key Infrastructure More on CDSA Crypto • Comes in CSPs, Cryptographic Service Provider • Can use either hardware or software CSP • an OpenSSL CSP is available! • hmm, hardware accel. crypto card? Bull sells such a thing Misc • Ability for secure net-booting (integrity-wise) • self-integrity check support • and much more at http://developer.intel.com/IAL/security/ 17 3rd August 2000, LBW2000

  18. Open-source Public Key Infrastructure Types of Certificates Why plural • Certs need not only bind name and public key Types • identity certificates • attribute certificates • credential certificates PKIX does 1 and 2 18 3rd August 2000, LBW2000

  19. Open-source Public Key Infrastructure Implementations #1 pyCA and OpenCA • set of CGI scripts • OpenSSL for crypto needs • run ok on Unix/Unix-like • support Netscape • no strict compliance with PKIX • allow RAD testing/implementation pyCA at www.pyca.de OpenCA at www.openca.org 19 3rd August 2000, LBW2000

  20. Open-source Public Key Infrastructure Implementations #2 OSCAR • Open Secure Certificate ARchitecture • comes from DTSC, Australia • good support for X.509v3, crypto, PKCS, PKIX • very good Netscape support • source code available, but can’t redistribute/sell freely • should open license, me thinks 20 3rd August 2000, LBW2000

  21. Open-source Public Key Infrastructure Implementaions #3 Mozilla Open Source PKI Projects Provides two libraries • NSS, Network Security Services • PSM, Personal Security Manager Comments • For integration with Netscape/iPlanet products • License is MPL or GPL, you choose • Crypto still in trouble • Not much PKIX compliance, getting better • Crypto must get fixed, then go fast 21 3rd August 2000, LBW2000

  22. Open-source Public Key Infrastructure Implementations #4 MISPC or Minimum Interoperability Specifications for PKI Components • Brought to you by NIST (it’s .gov) • CD-only distribution (still waiting for it) • That has source code (excl. crypto) • Only for Windows • Has some PKIX support • No crypto for US, yet • Part of the FPKI • Gloomy future, me thinks 22 3rd August 2000, LBW2000

  23. Open-source Public Key Infrastructure Implementations #5 Jonah, the reference implementation from IBM PKIX compliance with • RFCs 2459, 2510, 2511 and LDAPv2 draft Comments • they verified the PKIX docs, found errata, gave feedback • no crypto for US • uses CDSA 1.2 • does not compile on linux • are selling it now • pulled it back on licensing issues (regarding the CDSA) • is freeware, me says they changed their mind 23 3rd August 2000, LBW2000

  24. Open-source Public Key Infrastructure Open-source PKI vision To be • based on the (evolving) PKIX standards • used as a open-source reference model for PKIX • based on CDSA 2.0 • available in server mode implementation • available in CGI mode implementation (RAD) • integrated with the MUSCLE project (smartcards) • used for Single Sign-On (SSO) and PAM 24 3rd August 2000, LBW2000

  25. Open-source Public Key Infrastructure El Fin We are going to discuss about • open-source software • public key cryptography • PKI functionality about • available standards • open-source PKI implementations and finally about • critic on OS PKI design for more, check out http://ospkibook.sourceforge.net 25 3rd August 2000, LBW2000

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source

Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source

University of Zrich, March 14, 2019 Sustaining open source digital infrastructure Bogdan Vasilescu @b_vasilescu Open source software: from curiosity to digital infrastructure 1999 2016 Open source code as digital roads or Roads

834 views • 59 slides
Mozilla Public License 2.0 Open source PHP code Open

Mozilla Public License 2.0 Open source PHP code Open

Mozilla Public License 2.0 Open source PHP code Open source MySQL database Parameterized Database Queries Input Valida@on HTML Output Encoding

642 views • 13 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
Development in the Civil Infrastructure Platform Yoshitake Kobayashi Open Source Summit Japan,

Development in the Civil Infrastructure Platform Yoshitake Kobayashi Open Source Summit Japan,

SLTS Kernel and Base-Layer Development in the Civil Infrastructure Platform Yoshitake Kobayashi Open Source Summit Japan, Tokyo, June 2, 2017 Our Civilization is Run by Linux Open Source Summit Japan 2017 2

1.03k views • 46 slides
Open Source: A Way of Life Transform Government Operations 1. Deploy open source technology in

Open Source: A Way of Life Transform Government Operations 1. Deploy open source technology in

Open Source: A Way of Life Transform Government Operations 1. Deploy open source technology in the enterprise 2. Arm everyone as a knowledge worker 3. Democratize data: the digital public square Open Source Technology in the Enterprise Arm

166 views • 15 slides
Open-source without headaches Edwin Dalmaijer @esdalmaijer 20 November 2018 Wait, isnt open

Open-source without headaches Edwin Dalmaijer @esdalmaijer 20 November 2018 Wait, isnt open

Open-source without headaches Edwin Dalmaijer @esdalmaijer 20 November 2018 Wait, isnt open source a Good Thing ? To science , open-source if unequivocally good Tools are free and open to public scrutiny Wait, isnt open source a

649 views • 45 slides
Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko van Someren, Core Infrastructure Initiative 2014 was a bad year for FOSS security The Linux Foundation created the Core Infrastructure Initiative

931 views • 25 slides
Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and

Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and

My Kind of Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and modular infrastructure built using open source and delivered with: Better quality and security Lower costs No vendor

941 views • 40 slides
Open Source CDN (RMT w/FEC) to enable low-cost satellite Internet infrastructure for education in

Open Source CDN (RMT w/FEC) to enable low-cost satellite Internet infrastructure for education in

Open Source CDN (RMT w/FEC) to enable low-cost satellite Internet infrastructure for education in remote and developing regions Thomas Jacobson www.tcjnet.com 25/03/08 IETF #71 RMT 1 The Users 25/03/08 IETF #71 RMT 2 Introduction It

364 views • 17 slides
Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

The State of Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and Open Source databases RedHat Acquired by IBM Image Source: https://techcrunch.com/story/ibm-acquires-red-hat/ Open Source

663 views • 29 slides
EUCALYPTUS: An Open Source Infrastructure for Elastic Computing Research Rich Wolski Chris

EUCALYPTUS: An Open Source Infrastructure for Elastic Computing Research Rich Wolski Chris

EUCALYPTUS: An Open Source Infrastructure for Elastic Computing Research Rich Wolski Chris Grzegorczyk, Dan Nurmi, Graziano Obertelli, Shriram Rajagopalan, Sunil Soman, Lamia Youseff, Dmitrii Zagorodnov The MAYHEM Lab Computer Science

378 views • 20 slides
Zalandos Open Source Infrastructure on AWS with Docker bernd.herding@zalando.de GOTO Con

Zalandos Open Source Infrastructure on AWS with Docker bernd.herding@zalando.de GOTO Con

Zalandos Open Source Infrastructure on AWS with Docker bernd.herding@zalando.de GOTO Con Berlin 2015, 2015-12-04 @01k One of Europes largest online Fashion Retailers 15 countries 3 fulfillment centers 17+ million active customers 2.2+

486 views • 35 slides
Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab Joseph Hall Center for Information Technology Policy, Princeton University Gregory Miller Open Source Digital Voting Foundation Visionaries on

942 views • 29 slides
Mapping of Belgian open source market Presenter : Dr Ir Robert Viseur Open source in Belgian

Mapping of Belgian open source market Presenter : Dr Ir Robert Viseur Open source in Belgian

[ RMLL 2013, Bruxelles Thursday 11 th July 2013 ] Mapping of Belgian open source market Presenter : Dr Ir Robert Viseur Open source in Belgian public sector 2 Prerequisite: organization of Belgium Belgium = federal state composed of

1.01k views • 25 slides
PANEL TITLE: A free choice for Europe: encouraging an independent Open Source industry

PANEL TITLE: A free choice for Europe: encouraging an independent Open Source industry

PANEL TITLE: A free choice for Europe: encouraging an independent Open Source industry James Lovegrove, Red H Director, EMEA public Po European Parliament Open Source Software Hearing Brussels, 16 May 2019 OPEN SOURCE SOFTWARE IS ALL

360 views • 22 slides
Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years Sofuware Architect at Intels Open Source Technology Center (OTC) and Tizen Platgorm Community Manager Maintainer of two modules in the Qt

649 views • 33 slides
Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 2

Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 2

Language-based methods for software security Gilles Barthe IMDEA Software, Madrid, Spain Part 2 Transfer rules P [ i ] = push n P [ i ] = binop op i st se ( i ) :: st i k 1 :: k 2 :: st ( k 1 k 2 ) :: st se ( i ) k

1.83k views • 153 slides
Functional Languages Languages: LISP, Scheme (dialect of LISP from MIT, mid 70s), ML,

Functional Languages Languages: LISP, Scheme (dialect of LISP from MIT, mid 70s), ML,

7/6/2015 Functional Programming Paradigm The program is a collection of functions A function computes and returns a value No side effects (i.e., no changes to state) No program variables whose values change Basically, no

95 views • 8 slides
Mixing Mutability into the Nanopass Framework Andy Keep Background Nanopass framework is a

Mixing Mutability into the Nanopass Framework Andy Keep Background Nanopass framework is a

Mixing Mutability into the Nanopass Framework Andy Keep Background Nanopass framework is a DSL for writing compilers Provides a syntax for defining the grammar of an intermediate representation Intermediate representations are

1.08k views • 71 slides
Kubernetes as a Streaming Data Platform A Federated Operator Approach Data Council - Barcelona,

Kubernetes as a Streaming Data Platform A Federated Operator Approach Data Council - Barcelona,

Kubernetes as a Streaming Data Platform A Federated Operator Approach Data Council - Barcelona, October 2nd, 2019 Gerard Maas Principal Engineer, Lightbend, Inc. @maasg Gerard Maas Principal Engineer gerard.maas@lightbend.com @maasg

1.07k views • 58 slides
1 st look at dE / dx in GArSoft 19 Mar 2019 Leo Bellantoni New art Data Product

1 st look at dE / dx in GArSoft 19 Mar 2019 Leo Bellantoni New art Data Product

1 st look at dE / dx in GArSoft 19 Mar 2019 Leo Bellantoni New art Data Product .../ReconstructionDataProduct/TrackIoniz.* Now ../Reco/tpctrackfit2_module.cc , in the KalmanFit function, will (forward pass only): for (TPCCluster=1 to

486 views • 12 slides
OpenVMS Security Update OpenVMS Security Update TCSEC C2 Ramp TCSEC C2 Ramp - -> Common

OpenVMS Security Update OpenVMS Security Update TCSEC C2 Ramp TCSEC C2 Ramp - -> Common

Agenda Agenda Security Ratings Security Ratings ITSEC E3 ITSEC E3 C2 & E3 B1 update on C2 & E3 B1 update on V6 V6.2 .2 OpenVMS Security Update OpenVMS Security Update TCSEC C2 Ramp TCSEC C2 Ramp - -> Common >

570 views • 7 slides
High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

1 2 High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is University of Illinois at Chicago & much slower than it could be. Technische Universiteit Eindhoven Is software applied to much data? with

1.17k views • 115 slides
a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com

a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com

Java Security: a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com December 10, 2009 300~ Pages of Meeting Notes 1000~ Meetings in 30 months Why Security Technologies Seldom Make Into Actual

608 views • 21 slides

More recommend