public key infrastructure
play

Public Key Infrastructure Towards a reliable revocation status - PowerPoint PPT Presentation

Aug 18, 2022 •171 likes •446 views

Public Key Infrastructure Towards a reliable revocation status checking method Royal Holloway, University of London Keith Vella Licari Weekend Conference 2013 keith@vellalicari.com Agenda About me Project approach Certificate

  1. Public Key Infrastructure Towards a reliable revocation status checking method Royal Holloway, University of London Keith Vella Licari Weekend Conference 2013 keith@vellalicari.com

  2. Agenda ● About me ● Project approach ● Certificate status validation (CSV) methods ● What could go wrong? ● Criteria to evaluate CSV methods ● Revocation Status Discovery Protocol (RSDP) ● Next steps ● Project tips

  3. Connecting the dots ● 1978: Born ● 1990: First computer in the house (386SX) ● 1991: Took dad’s computer apart ● 1994: Purchased own computer (486DX4) ● 1994: Became interested in networking (BBSs) ● 1995: Started using the Internet (dial-up) ● 1998: Started working in IT ● 2001: Branched off to information security

  4. Connecting the dots ● 2003: Involved in the design and implementation of PKI-enabled secure messaging and a remote access solution ● 2007: Involved in a project that delivered a PKI to support services offered by the Government of Malta ● 2007: Proposed and developed an alternative certificate status validation (CSV) method ● 2013: Developed a set of criteria to evaluate CSV methods and proposed the Revocation Status Discovery Protocol (RSDP)

  5. Project approach ● Identified a challenge in a context ● Looked at the project work as my contribution to help address the identified challenge ● Reviewed state of the practice/art ● Identified shortcomings/security weaknesses in existing methods ● Identified requirements for an alternative method ● Proposed an alternative method

  6. Responding to security threats Security threats Tampering CURTAIL Data origin authentication Security services Data integrity PROVIDE Security mechanisms Digital signature

  7. Key exchange in public key crypto Alice Mallory Bob Trent Alice Bob Certificate Certificate

  8. Card payment processing Acquiring Issuing bank bank 4 1 2 Card holder 3 Merchant Card 1 Request card 3 Transact with merchant 2 Issue card 4 Verify card status

  9. PKI Participants Relying party Issuing CA CA 4 1 2 Subscriber 3 Relying party Certificate 1 Request certificate 3 Transact with relying party 2 Issue certificate 4 Verify certificate status

  10. Typical scenario 5 Acquiring Issuing bank bank Relying party Issuing CA CA 4 2 3 Card holder Merchant Relying party Subscriber 1 1 Entity authentication 3 Submit payment info 5 Fund transfer 2 Validate certificate 4 Request authorisation

  11. Digital certificate (X.509) Standard guarantee offered by a certificate: “This certificate is good until the expiration date. Unless, of course, you hear that it has been revoked”. (Rivest)

  12. Certificate validation ● Certificate discovery: collect issuing CA certificate and all CA certificates up to the root and carry out expiry check ● Path validation: verify digital signatures one by one up to the root ● Revocation checking: ○ Periodic publication mechanisms (e.g. CRL) ○ Online query mechanisms (e.g. OCSP)

  13. Example

  14. Pointers to revocation status service CRL method OCSP method

  15. CRL check Certificate CRL

  16. OCSP check Request OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: 39AF18B41C021F39109656FDC6D358EF74858B99 Issuer Key Hash: 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF Serial Number: 77085914F9CB7A7FC924B84F755708CB Request Extensions: OCSP Nonce: 041075DD789343AFE0484E4D24B4329D6BF4 Response WARNING: no nonce in response Response verify OK test-sspev.verisign.com: revoked This Update: Jul 11 08:21:17 2013 GMT Next Update: Oct 5 10:04:24 2013 GMT Reason: unspecified Revocation Time: Oct 30 22:20:23 2012 GMT

  17. What could go wrong? Main issues: CRL OCSP Lightweight OCSP Can easily become large Ambiguous answer Pre-produced responses and unwieldy (good|revoked|unknown) Timeliness (delay until next Only definitive answers are Only definitive answers are update) digitally signed digitally signed Scalability (self-inflicted Optional protection against No protection against DDoS) replay attacks replay attacks

  18. Internet browser statistics

  19. Default setting

  20. Proprietary method (not online)

  21. Alternative method (naïve) 2 Certificate Relying party status service 4 (DNS) 1 5 6 3 Security service/s 1 Extract serial number Data origin authentication Send status request 2 Data integrity Lookup pre-produced response 3 Send response to requester 4 5 Verify signature 6 Read status in response

  22. Criteria to evaluate CSV methods Design Performance Security Simplicity Status accuracy Protection against impersonation attacks Uniqueness of target Scalability Protection against certificate identifier manipulation Unambiguity of certificate Size of request Protection against replay status information attacks Completeness Size of response Protection against sniffing Extensibility Demand smoothness Auditability

  23. Revocation Status Discovery Protocol (RSDP) 3 Certificate Relying party 4 status service (TLS) 6 1 2 7 5 8 Security service/s 1 Compute certificate identifier (fingerprint) Entity authentication Construct URL (using fingerprint) 2 Confidentiality Establish TLS connection with responder 3 Data origin authentication Data integrity Send status request 4 5 Lookup pre-produced response 7 Verify signature 6 Send response to requester 8 Read status in response

  24. Next steps ● Alternative evaluation ● Peer/Expert review ● Practical implementation ● Standardisation

  25. Recap ● Highlighted the need to validate certificate status ● Looked at 2 standard and 1 proprietary certificate status validation (CSV) methods ● Reviewed challenges in the use of CSV methods ● Introduced evaluation criteria for CSV methods ● Looked at the proposed Revocation Status Discovery Protocol (RSDP)

  26. Project tips ● Get started as early as you can ● Choice of optional modules is key ● Use your project supervisor wisely ● Make use of resources/subscriptions provided ● Focus on analysis rather than implementation ● Use reference management software

  27. Further reading Books/Papers Adams, C. and S. Lloyd, Understanding PKI : concepts, standards, ● and deployment considerations Georgiev, M., et al.,, The most dangerous code in the world : ● validating SSL certificates in non-browser software Gutmann, P., Engineering security ● Kohnfelder, L. M., Towards a practical public-key cryptosystem ● ● Marlinspike, M., Defeating OCSP With The Character '3' VeriSign Inc., VeriSign update on certificate revocation list ● expiration Standards CRL method - X.509, RFC 5280 ● ● OCSP method - RFC 2560 Lightweight OCSP - RFC 5019 ●

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Public-key Infrastructure Computer Center, CS, NCTU Public-key Infrastructure A set of

Public-key Infrastructure Computer Center, CS, NCTU Public-key Infrastructure A set of

Public-key Infrastructure Computer Center, CS, NCTU Public-key Infrastructure A set of hardware, software, people, policies, and procedures. To create, manage, distribute, use, store, and revoke digital certificates. Encryption,

906 views • 34 slides
PUBLIC INFRASTRUCTURE UPDATE CITY COMMISSION PRESENTATION May 23, 2018 PUBLIC INFRASTRUCTURE

PUBLIC INFRASTRUCTURE UPDATE CITY COMMISSION PRESENTATION May 23, 2018 PUBLIC INFRASTRUCTURE

UNDERGROUND UTILITIES & PUBLIC INFRASTRUCTURE PUBLIC INFRASTRUCTURE UPDATE CITY COMMISSION PRESENTATION May 23, 2018 PUBLIC INFRASTRUCTURE UPDATE Orange Avenue Capital Circle SE 2-Lane Southwood TIMES HAVE CHANGED TALLAHASSEE IS

422 views • 31 slides
A Distributed X.509 Public Key Infrastructure Backed by a Blockchain A public key infrastructure

A Distributed X.509 Public Key Infrastructure Backed by a Blockchain A public key infrastructure

A Distributed X.509 Public Key Infrastructure Backed by a Blockchain A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage

248 views • 23 slides
PKI Milan Sova, CESNET EuroCAMP, Porto, 2005-11-07 Public Key Infrastructure Public key

PKI Milan Sova, CESNET EuroCAMP, Porto, 2005-11-07 Public Key Infrastructure Public key

PKI Milan Sova, CESNET EuroCAMP, Porto, 2005-11-07 Public Key Infrastructure Public key cryptography pair of keys public key (encryption, signature verification) private key (decryption, signing) Infrastructure binding

560 views • 35 slides
The role of government is to provide public h l f d bl infrastructure for further public

The role of government is to provide public h l f d bl infrastructure for further public

The role of government is to provide public h l f d bl infrastructure for further public purpose The national payments system is an element of public infrastructure. Banking functions to provide access to the k f d h payments

560 views • 36 slides
Public Key Infrastructure e-government, e-commerce, e-mail, etc.) Ideally consists of a

Public Key Infrastructure e-government, e-commerce, e-mail, etc.) Ideally consists of a

Public Key Infrastructure A system to securely distribute & manage public keys. Important for wide-area trust management (for Public Key Infrastructure e-government, e-commerce, e-mail, etc.) Ideally consists of a

402 views • 3 slides
COUNTY OF MAUI PUBLIC INFRASTRUCTURE FINANCING WATER AND INFRASTRUCTURE COMMITTEE COMMUNITY

COUNTY OF MAUI PUBLIC INFRASTRUCTURE FINANCING WATER AND INFRASTRUCTURE COMMITTEE COMMUNITY

COUNTY OF MAUI PUBLIC INFRASTRUCTURE FINANCING WATER AND INFRASTRUCTURE COMMITTEE COMMUNITY FACILITIES DISTRICTS NOVEMBER 18, 2019 Curt de Crinis, Managing Director Columbia Capital Management LLC cdecrinis@columbiacapital.com CFD PROJECTS

165 views • 12 slides
Public vs Private Infrastructure & Regulation June 08 Public vs Private Infrastructure &

Public vs Private Infrastructure & Regulation June 08 Public vs Private Infrastructure &

Public vs Private Infrastructure & Regulation June 08 Public vs Private Infrastructure & Regulation K Peter Kolf General Manager & CEO Economic Regulation Authority 23 June 2008 Overview Issues Economic Regulation Authority

563 views • 31 slides
Public Infrastructure Partners LP: Managers Update Presented to NZ Social Infrastructure Fund:

Public Infrastructure Partners LP: Managers Update Presented to NZ Social Infrastructure Fund:

Public Infrastructure Partners LP: Managers Update Presented to NZ Social Infrastructure Fund: 20 th August 2012 STRICTLY CONFIDENTIAL PRESENTATION STRUCTURE Summary Of Fund Activities During Period Portfolio Review Investment

394 views • 23 slides
Public Investment in infrastructure effects in Public Investment in infrastructure effects in the

Public Investment in infrastructure effects in Public Investment in infrastructure effects in the

Public Investment in infrastructure effects in Public Investment in infrastructure effects in the growth and human development of the growth and human development of Nicaragua Nicaragua Expert Group Meeting Macroeconomic Chalanges to

413 views • 13 slides
Blended Cryptography: Public Key Infrastructure for Devices that dont Public key Phillip

Blended Cryptography: Public Key Infrastructure for Devices that dont Public key Phillip

Blended Cryptography: Public Key Infrastructure for Devices that dont Public key Phillip Hallam-Baker Principal Scientist VeriSign Inc. Small is not beautiful Not When you write the code PIC 16F88 368 bytes RAM 4K Word ROM 20MHz

390 views • 21 slides
Towards Expanded Investment in Regional Infrastructure - Increasing Traditionally

Towards Expanded Investment in Regional Infrastructure - Increasing Traditionally

Towards Expanded Investment in Regional Infrastructure - Increasing Traditionally Infrastructure has been the exclusive province of the public sector because of its public good aspects. With few Exceptions the public sector has been costly

304 views • 29 slides
Open-source Public Key Infrastructure (PKI) Simos Xenitellis University of London

Open-source Public Key Infrastructure (PKI) Simos Xenitellis University of London

Open-source Public Key Infrastructure Open-source Public Key Infrastructure (PKI) Simos Xenitellis University of London S.Xenitellis@rhbnc.ac.uk 1 3rd August 2000, LBW2000 Open-source Public Key Infrastructure Agenda We are going to

826 views • 25 slides
Infrastructure Planning 2015 Annual Report, Section 3.07 Background Ontarios public

Infrastructure Planning 2015 Annual Report, Section 3.07 Background Ontarios public

Value-for-money audit of: Infrastructure Planning 2015 Annual Report, Section 3.07 Background Ontarios public infrastructure has replacement value of $500 billion; 40% of it overseen by the Province Infrastructure is aging, with more

481 views • 7 slides
C ENTRAL W EST E ND Community Needs Assessment on Public Infrastructure August 11, 2016 Schlafly

C ENTRAL W EST E ND Community Needs Assessment on Public Infrastructure August 11, 2016 Schlafly

C ENTRAL W EST E ND Community Needs Assessment on Public Infrastructure August 11, 2016 Schlafly Library Tonights Community Meeting 1) CWE Needs Assessment Committee 2) Presentation on Proposed Public Infrastructure Projects 3) Small

354 views • 24 slides
Infrastructure March - 2019 1 What is OCSI? A leading voice of public infrastructure in

Infrastructure March - 2019 1 What is OCSI? A leading voice of public infrastructure in

A Coalition of Ontario Associations Supporting Safe and Sustainable Public Infrastructure March - 2019 1 What is OCSI? A leading voice of public infrastructure in Ontario, the OCSI is a coalition of associations which advocates for the

602 views • 9 slides
Know Thyself: A Decision-Theoretic Model of Over- Education and Educated Unemployment Sanjay Jain

Know Thyself: A Decision-Theoretic Model of Over- Education and Educated Unemployment Sanjay Jain

Know Thyself: A Decision-Theoretic Model of Over- Education and Educated Unemployment Sanjay Jain University of Oxford and IZA 2 nd IZA/World Bank/NJD Conference on Jobs and Development The World Bank, Washington DC, 6-7 June 2019 Educated

736 views • 20 slides
Secure upgrade of hardware security modules in bank networks Riccardo Focardi 1 Flaminia Luccio

Secure upgrade of hardware security modules in bank networks Riccardo Focardi 1 Flaminia Luccio

Secure upgrade of hardware security modules in bank networks Riccardo Focardi 1 Flaminia Luccio 1 1 Universit` a Ca Foscari di Venezia, Italy { focardi,luccio } @dsi.unive.it ARSPA-WITS10 Paphos, Cyprus March 27-28, 2010 Work

1.25k views • 69 slides
Operating Systems Synchronization Lecture 5 Michael OBoyle 1 Temporal relations User view

Operating Systems Synchronization Lecture 5 Michael OBoyle 1 Temporal relations User view

Operating Systems Synchronization Lecture 5 Michael OBoyle 1 Temporal relations User view of parallel threads Instructions executed by a single thread are totally ordered A < B < C < In absence of

584 views • 33 slides
Mining personal banking data to detect fraud David J. Hand Imperial College London September

Mining personal banking data to detect fraud David J. Hand Imperial College London September

Mining personal banking data to detect fraud David J. Hand Imperial College London September 2007 Imperial College Workshop on Data Analysis and Classification 1 London In honour of Edwin Diday My research group: Niall Adams, Adam Brentnall,

930 views • 53 slides
CMSC 132: Object-Oriented Programming II Synchronization in Java Department of Computer Science

CMSC 132: Object-Oriented Programming II Synchronization in Java Department of Computer Science

CMSC 132: Object-Oriented Programming II Synchronization in Java Department of Computer Science University of Maryland, College Park Multithreading Overview Motivation & background Threads Creating Java threads Thread states

618 views • 13 slides
Amy Sayre, President of August REI, a Residential Loan Servicing Company. Borrower Mortgage

Amy Sayre, President of August REI, a Residential Loan Servicing Company. Borrower Mortgage

ACQUIRING AND MANAGING A MORTGAGE NOTE PORTFOLIO David Campbell, mortgage note investor / broker founder of Hassle-Free Cashflow Investing Kaaren Hall, president of uDirect IRA Services Amy Sayre, President of August REI, a Residential Loan

779 views • 48 slides
CSC2/458 Parallel and Distributed Systems Parallel Data Structures - I Sreepathi Pai January 18,

CSC2/458 Parallel and Distributed Systems Parallel Data Structures - I Sreepathi Pai January 18,

CSC2/458 Parallel and Distributed Systems Parallel Data Structures - I Sreepathi Pai January 18, 2018 URCS Outline Concurrent Objects Correctness/Safety Outline Concurrent Objects Correctness/Safety Concurrent Objects/Data Structures

602 views • 26 slides
ECOSYSTEM Change, Disruption & Innovation in the Industry Amy Zirkle VP Industry Affairs,

ECOSYSTEM Change, Disruption & Innovation in the Industry Amy Zirkle VP Industry Affairs,

NEW PLAYERS IN THE PAYMENTS ECOSYSTEM Change, Disruption & Innovation in the Industry Amy Zirkle VP Industry Affairs, ETA electran.org DEFINING NEW ROLES IN AN EVOLVING INDUSTRY Industry Evolution Transformation of the Payments

550 views • 26 slides

More recommend