pki public key infrastructure
play

PKI: Public Key Infrastructure What is it, and why should I care? - PowerPoint PPT Presentation

Mar 18, 2023 •803 likes •1.28k views

PKI: Public Key Infrastructure What is it, and why should I care? Conference on Higher Education Wes Hubert Computing in Kansas Information Services June 3, 2004 The University of Kansas Why? PKI adoption will continue growing to support

  1. PKI: Public Key Infrastructure What is it, and why should I care? Conference on Higher Education Wes Hubert Computing in Kansas Information Services June 3, 2004 The University of Kansas

  2. Why?

  3. PKI adoption will continue growing to support highly sensitive or regulated business processes. However, the dream of using it for general-purpose authentication and ubiquitous digital signatures is still several years in the future and not a certainty. Public Key Infrastructure: Making Progress, But Many Challenges Remain Dan Blum and Gerry Gebel, Burton Group March 2003 ECAR report

  4. PKI adoption hurdles are lower than ever, and the benefits are greater than ever. The time has come to stop studying and testing and take the plunge. PKI: A Technology Whose Time Has Come in Higher Education Mark Franklin, Larry Levine, Denise Anthony, and Robert Brentrup Dartmouth College EDUCAUSE Review March/April 2004

  5. You should know enough about PKI to determine which view applies to your current situation.

  6. Benefits Strong authentication HIPAA, FERPA, etc. Protection from “sniffing” attacks S/MIME secure email Signing, encryption Work with other PKI developments Inter-university use of PKI Kansas government PKI use Grant signing requirements

  7. Hurdles Certification Authority Issues Outsource, Buy, or Build? Key/Certificate Management Policy Development Registration of users (vetting) Finding compatible applications User key management

  8. Common PKI Use Establishing SSL Connections Authenticates web server to browser Uses CA root built into browser University buys certificates from CA Protection is only for data transfer Does not authenticate user Does not authenticate a specific service User-level: Individual CA Certs/Keys

  9. Non-PKI Keys/Certificates Argus Server Authentication Certificates for server-to-server authentication Locally generated keys and certs No direct user involvement Argus User Authentication NOT certificate-based User-level: PGP, GPG, SSH

  10. Higher Education Organizations for PKI NMI-EDIT NSF Middleware Initiative Enterprise and Desktop Integration Technologies Members EDUCAUSE Internet 2 SURA (SE Univ Research Assoc) HEPKI-TAG Coordinates many PKI developments

  11. Higher Education Initiatives USHER US Higher Education Root Follow-on to CREN as CA InCommon Shibboleth Federation CA Signs Institutional Shib Certs HEBCA Higher Education Bridge Certification Authority

  12. USHER Certificates Low Few constraints on campus operations Suitable for many campus needs Good for learning Basic CP places more constraints on use HEBCA peering Both will issue only institutional certs

  13. HEBCA Trust HEBCA FBCA HECP InCommon Fd Root CA HECA Agency CA Agency CA Campus Campus

  14. Kansas Government PKI Distributed across several agencies Information Technology Executive Council (ITEC) Responsible for Kansas Certificate Policy Office of Secretary of State (SOS) Responsible for CA services contract Information Network of Kansas (INK) Responsible for KS Info Consortium contract KIC manages official state web site www.accesskansas.org

  15. Kansas Government PKI Distributed across several agencies General state PKI information online at: http://da.state.ks.us/itab/PKIMain.htm Agencies using service act as Local Registration Authority Current end-entity certs $40/year

  16. Kansas Government PKI Agencies using PKI State Treasurer’s Office “The Vault” Extranet Department of Revenue E-Lein Department of Transportation

  17. Kansas Government PKI Identity Management Security Levels Level 1 Virtual Vetting (no physical presence) Level 2 Physical Vetting; LRA Level 3, 4 Not yet issuing

  18. Kansas Statutes Chapter 16. Contracts and Promises Article 16. Electronic Transactions Electronic Signature [16-1602(i)] Digital Signature [16-1602(e)] If a law requires a signature, an electronic signature satisfies the law. [16-1607(d)] http://www.kslegislature.org/cgi-bin/ statutes/index.cgi/

  19. Electronic Signature ... an electronic sound, symbol or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

  20. Digital Signature ... a type of electronic signature consisting of a transformation of an electronic message using an asymmetric crypto system such that a person having the initial message and the signer's public key can accurately determine whether: � � � (1) � The transformation was created using the private key that corresponds to the signer's public key; and � � � (2) � the initial message has not been altered since the transformation was made.

  21. Given a choice between security and convenience, users will choose convenience.

  22. Public Key Infrastructure A system of CAs (and, optionally, RAs and other supporting servers and agents) that perform some set of certificate management, archive management, key management, and token management functions for a community of users in an application of asymmetric cryptography. (RFC2828 Definition)

  23. Traditional Cryptography Symmetric Same key that encrypts, decrypts Key is always secret Problems Exchanging key with trusted parties Same key gives everyone access Access includes ability to modify

  24. Traditional Cryptography DES (Data Encryption Standard) IBM, NIST, NSA 1970s 56-bit key Triple DES, 112-bit effective key size AES (Advanced Encryption Standard) Rijndael 128/192/256-bit key sizes

  25. Public Key Cryptography Diffie-Hellman 1976 Asymmetric Two keys: one private, one public Each decrypts what other encrypts Problems Much slower than symmetric Key management

  26. Public Keys Provide Confidentiality Protection again unauthorized access Integrity Protection against unauthorized changes Authentication Verification of an identity Nonrepudiation Cannot deny private key was used

  27. Key Management Generating Keys Authenticating Public Keys Distributing Keys

  28. Generating Keys Keys are generated in pairs Private/Public Keeping private keys secret Ideally no one but owner ever has key Problems convenience escrow recovery

  29. Authenticating Public Keys X.509 Certificates Bind public keys to identity information Contents Include Version Number Public Key Owner’s Name Initial / Final Dates Valid ... other information ... Signed by issuing CA

  30. Digital Credentials Private Key For exclusive use of owner MUST be kept secure Public Key Certificate Available to everyone Links key with owner’s identity Trust must be established somehow

  31. Distributing Credentials PKCS#12 Standard for secure transportation of user identity information Wraps data in password-protected object Content can include Keys Certificates Passwords

  32. Credential Package PKCS#12 Package Private Key X.509 Certificate Public Key Identity Info Other Info CA Signature

  33. Certificate Management Distribution User to user (e.g. email) LDAP directories Revoking Certificates Certificate Revocation Lists (CRL) Online Cert Status Protocol (OCSP) Keys and Certificates are not the same Certificates not used for private keys

  34. Credential Generation Key Generation Private Key Public Key ID Information Certificate CA Private Key Signing Request CA Signing PKCS#12 Public Key Generation Certificate PKCS#12 Object Package

  35. Public Key Infrastructure Solves some problems of public keys Establishing owner’s identity Defining validity dates, uses Based on trusted third party Signing may be through multiple levels CA cert may sign other CA certs Must end at trusted root CA

  36. Certification Authority Functions Register Users Directly or through Registration Authority Issue Public Key Certificates Revoke Certificates Publish revocation information Archive Key and Certificate Data Retrieve archives when appropriate May or may not ever have user private key

  37. Policies and Procedures Certificate Policy Statement Broad specification of policy objectives Accepted by CA & relying party Certification Practices Statement Detailed practices for issuing certificates Certificate lifetime, revocation, etc.

  38. KU as Certification Authority Strong authentication for campus services Registration already done via Registrar & Human Resources A natural extension of current I/A/A activity KU Online ID, AMS, Argus, LDAP Policy framework: EDUCAUSE, I2 Build on open source foundation

  39. KU Certificate Hierarchy KU Root CA KU Intermediate CA KU Personal CA KU Institutional CA Other potential uses User Certificates User Certificates

  40. KU Root Certificate Available on web at: https://www.ku.edu/kuca Currently root/anchor certificate Must be installed into client system Plan USHER-based path in future Corresponding private key: Used only to sign Intermediate CA Cert Now stored only on encrypted CD

  41. KU Digital Credential Process Action Initiated by Location Test Request User Web Approval CA Server ID Request User Web Generation CA Offline CA Notification CA Email Retrieval User Web Installation User User’s PC Use User Application

  42. S/Mime Email Normal Email is like a postcard Message encryption seals the envelope Digital signature adds unique “sealing wax” stamp

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Public-key Infrastructure Computer Center, CS, NCTU Public-key Infrastructure A set of

Public-key Infrastructure Computer Center, CS, NCTU Public-key Infrastructure A set of

Public-key Infrastructure Computer Center, CS, NCTU Public-key Infrastructure A set of hardware, software, people, policies, and procedures. To create, manage, distribute, use, store, and revoke digital certificates. Encryption,

906 views • 34 slides
PUBLIC INFRASTRUCTURE UPDATE CITY COMMISSION PRESENTATION May 23, 2018 PUBLIC INFRASTRUCTURE

PUBLIC INFRASTRUCTURE UPDATE CITY COMMISSION PRESENTATION May 23, 2018 PUBLIC INFRASTRUCTURE

UNDERGROUND UTILITIES & PUBLIC INFRASTRUCTURE PUBLIC INFRASTRUCTURE UPDATE CITY COMMISSION PRESENTATION May 23, 2018 PUBLIC INFRASTRUCTURE UPDATE Orange Avenue Capital Circle SE 2-Lane Southwood TIMES HAVE CHANGED TALLAHASSEE IS

422 views • 31 slides
A Distributed X.509 Public Key Infrastructure Backed by a Blockchain A public key infrastructure

A Distributed X.509 Public Key Infrastructure Backed by a Blockchain A public key infrastructure

A Distributed X.509 Public Key Infrastructure Backed by a Blockchain A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage

248 views • 23 slides
PKI Milan Sova, CESNET EuroCAMP, Porto, 2005-11-07 Public Key Infrastructure Public key

PKI Milan Sova, CESNET EuroCAMP, Porto, 2005-11-07 Public Key Infrastructure Public key

PKI Milan Sova, CESNET EuroCAMP, Porto, 2005-11-07 Public Key Infrastructure Public key cryptography pair of keys public key (encryption, signature verification) private key (decryption, signing) Infrastructure binding

560 views • 35 slides
The role of government is to provide public h l f d bl infrastructure for further public

The role of government is to provide public h l f d bl infrastructure for further public

The role of government is to provide public h l f d bl infrastructure for further public purpose The national payments system is an element of public infrastructure. Banking functions to provide access to the k f d h payments

560 views • 36 slides
Public Key Infrastructure e-government, e-commerce, e-mail, etc.) Ideally consists of a

Public Key Infrastructure e-government, e-commerce, e-mail, etc.) Ideally consists of a

Public Key Infrastructure A system to securely distribute & manage public keys. Important for wide-area trust management (for Public Key Infrastructure e-government, e-commerce, e-mail, etc.) Ideally consists of a

402 views • 3 slides
COUNTY OF MAUI PUBLIC INFRASTRUCTURE FINANCING WATER AND INFRASTRUCTURE COMMITTEE COMMUNITY

COUNTY OF MAUI PUBLIC INFRASTRUCTURE FINANCING WATER AND INFRASTRUCTURE COMMITTEE COMMUNITY

COUNTY OF MAUI PUBLIC INFRASTRUCTURE FINANCING WATER AND INFRASTRUCTURE COMMITTEE COMMUNITY FACILITIES DISTRICTS NOVEMBER 18, 2019 Curt de Crinis, Managing Director Columbia Capital Management LLC cdecrinis@columbiacapital.com CFD PROJECTS

165 views • 12 slides
Public vs Private Infrastructure & Regulation June 08 Public vs Private Infrastructure &

Public vs Private Infrastructure & Regulation June 08 Public vs Private Infrastructure &

Public vs Private Infrastructure & Regulation June 08 Public vs Private Infrastructure & Regulation K Peter Kolf General Manager & CEO Economic Regulation Authority 23 June 2008 Overview Issues Economic Regulation Authority

563 views • 31 slides
Public Infrastructure Partners LP: Managers Update Presented to NZ Social Infrastructure Fund:

Public Infrastructure Partners LP: Managers Update Presented to NZ Social Infrastructure Fund:

Public Infrastructure Partners LP: Managers Update Presented to NZ Social Infrastructure Fund: 20 th August 2012 STRICTLY CONFIDENTIAL PRESENTATION STRUCTURE Summary Of Fund Activities During Period Portfolio Review Investment

394 views • 23 slides
Public Investment in infrastructure effects in Public Investment in infrastructure effects in the

Public Investment in infrastructure effects in Public Investment in infrastructure effects in the

Public Investment in infrastructure effects in Public Investment in infrastructure effects in the growth and human development of the growth and human development of Nicaragua Nicaragua Expert Group Meeting Macroeconomic Chalanges to

413 views • 13 slides
Blended Cryptography: Public Key Infrastructure for Devices that dont Public key Phillip

Blended Cryptography: Public Key Infrastructure for Devices that dont Public key Phillip

Blended Cryptography: Public Key Infrastructure for Devices that dont Public key Phillip Hallam-Baker Principal Scientist VeriSign Inc. Small is not beautiful Not When you write the code PIC 16F88 368 bytes RAM 4K Word ROM 20MHz

390 views • 21 slides
Towards Expanded Investment in Regional Infrastructure - Increasing Traditionally

Towards Expanded Investment in Regional Infrastructure - Increasing Traditionally

Towards Expanded Investment in Regional Infrastructure - Increasing Traditionally Infrastructure has been the exclusive province of the public sector because of its public good aspects. With few Exceptions the public sector has been costly

304 views • 29 slides
Open-source Public Key Infrastructure (PKI) Simos Xenitellis University of London

Open-source Public Key Infrastructure (PKI) Simos Xenitellis University of London

Open-source Public Key Infrastructure Open-source Public Key Infrastructure (PKI) Simos Xenitellis University of London S.Xenitellis@rhbnc.ac.uk 1 3rd August 2000, LBW2000 Open-source Public Key Infrastructure Agenda We are going to

826 views • 25 slides
Infrastructure Planning 2015 Annual Report, Section 3.07 Background Ontarios public

Infrastructure Planning 2015 Annual Report, Section 3.07 Background Ontarios public

Value-for-money audit of: Infrastructure Planning 2015 Annual Report, Section 3.07 Background Ontarios public infrastructure has replacement value of $500 billion; 40% of it overseen by the Province Infrastructure is aging, with more

481 views • 7 slides
C ENTRAL W EST E ND Community Needs Assessment on Public Infrastructure August 11, 2016 Schlafly

C ENTRAL W EST E ND Community Needs Assessment on Public Infrastructure August 11, 2016 Schlafly

C ENTRAL W EST E ND Community Needs Assessment on Public Infrastructure August 11, 2016 Schlafly Library Tonights Community Meeting 1) CWE Needs Assessment Committee 2) Presentation on Proposed Public Infrastructure Projects 3) Small

354 views • 24 slides
Infrastructure March - 2019 1 What is OCSI? A leading voice of public infrastructure in

Infrastructure March - 2019 1 What is OCSI? A leading voice of public infrastructure in

A Coalition of Ontario Associations Supporting Safe and Sustainable Public Infrastructure March - 2019 1 What is OCSI? A leading voice of public infrastructure in Ontario, the OCSI is a coalition of associations which advocates for the

602 views • 9 slides
Certificates A ubiquitous form of authentication Generally used with public key

Certificates A ubiquitous form of authentication Generally used with public key

Certificates A ubiquitous form of authentication Generally used with public key cryptography A signed electronic document proving you are who you claim to be Often used to help distribute other keys Lecture 5 Page 1 CS 236

339 views • 29 slides
We believe that we are on the verge of the Internet of Things explosion. Now is the time to make

We believe that we are on the verge of the Internet of Things explosion. Now is the time to make

We believe that we are on the verge of the Internet of Things explosion. Now is the time to make sure that IoT incorporates everything weve learned about digital security and infrastructure resiliency over the last 20 years of the Internet.

661 views • 50 slides
Cryptography (+ Web Security): Certificates Spring 2015

Cryptography (+ Web Security): Certificates Spring 2015

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography (+ Web Security): Certificates Spring 2015 Franziska (Franzi) Roesner

505 views • 21 slides
Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric, James Kasten, Michael Bailey, J.

Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric, James Kasten, Michael Bailey, J.

Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric, James Kasten, Michael Bailey, J. Alex Halderman University of Michigan Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric HTTPS and TLS How does HTTPS and the CA ecosystem

449 views • 24 slides
Revocaton protocols of WebPKI and Revocaton Transparency Nikita Korzhitskii Niklas Carlsson

Revocaton protocols of WebPKI and Revocaton Transparency Nikita Korzhitskii Niklas Carlsson

Revocaton protocols of WebPKI and Revocaton Transparency Nikita Korzhitskii Niklas Carlsson Lifecycle of a typical WebPKI certfcate www.liu.se Certificate Certificate Authority Server 1. Issuance www.liu.se Hello 2. Use Certificate

377 views • 10 slides
Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano Rome Inductive Protocol Verification Define systems operational semantics Include honest parties and an attacker Model each

465 views • 22 slides
Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631

Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631

CUNSHENG DING Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631 CUNSHENG DING Computer Security HKUST, Hong Kong Lecture 11: Public-Key Infrastructure Main Topics of this Lecture 1. Digital

433 views • 25 slides
Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction

Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction

Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction Public Key Infrastructure (PKI) Economic Aspects Motivation Need for secure, trusted communication Growing certificate market

777 views • 49 slides

More recommend