The PKIX Standards and PKI Implementations Simos Xenitellis - - PDF document

the pkix standards and pki implementations
SMART_READER_LITE
LIVE PREVIEW

The PKIX Standards and PKI Implementations Simos Xenitellis - - PDF document

Apr 15, 2023 205 likes •515 views

The PKIX Standards and PKI implementations The PKIX Standards and PKI Implementations Simos Xenitellis University of London S.Xenitellis@rhbnc.ac.uk 1 16th May, 2000, University of London The PKIX Standards and PKI implementations Agenda

slide-1
SLIDE 1

The PKIX Standards and PKI implementations

The PKIX Standards and PKI Implementations

Simos Xenitellis University of London S.Xenitellis@rhbnc.ac.uk 1

16th May, 2000, University of London

slide-2
SLIDE 2

The PKIX Standards and PKI implementations

Agenda

We are going to discuss about

  • open-source software
  • public key cryptography
  • PKI functionality

about

  • the PKIX Standards

and finally about

  • PKI implementations

2

16th May, 2000, University of London

slide-3
SLIDE 3

The PKIX Standards and PKI implementations

Open-source

is

  • a new trend
  • a new software development model
  • is based on the almost zero distribution costs
  • quick initial distribution
  • not expensive life-cycle

In short

  • availability of source code
  • covered by suitable unencumbered licence

3

16th May, 2000, University of London

slide-4
SLIDE 4

The PKIX Standards and PKI implementations

Public Key Cryptography

Algorithms

  • RSA
  • El Gamal
  • Elliptic curves

can

  • encrypt/decrypt
  • sign/verify

4

16th May, 2000, University of London

slide-5
SLIDE 5

The PKIX Standards and PKI implementations

Example of Public Key Cryptography: RSA

Setup

  • Find strong primes p and q.
  • Set n = p * q
  • Pick e co-prime with (p-1)(q-1)
  • and find d so that (d * e) mod ((p-1)(q-1)) = 1

the keys are

  • Public: n and e
  • Private: d

5

16th May, 2000, University of London

slide-6
SLIDE 6

The PKIX Standards and PKI implementations

Creation of a Certification Authority

In the beginning, the CA

  • generates public/private key pair
  • generates certificate request
  • make a certificate out of the certificate request (sign)
  • gives that certificate, the root CA certificate to everyone
  • keeps private key very private

6

16th May, 2000, University of London

slide-7
SLIDE 7

The PKIX Standards and PKI implementations

Client sign-up

Procedure

  • user creates own certificate request
  • sends over to RA to authorise
  • if RA says ok, sends over to CA
  • CA signs the request, thus creating a Certificate
  • CA sends Certificate back to RA
  • RA publishes it somehow
  • user gets Certificate

7

16th May, 2000, University of London

slide-8
SLIDE 8

The PKIX Standards and PKI implementations

Why PKIs?

To improve Internet Security

  • S/MIME
  • TLS
  • IPSec

To provide

  • confidentiality
  • data integrity
  • data-origin authentication
  • non-repudiation

8

16th May, 2000, University of London

slide-9
SLIDE 9

The PKIX Standards and PKI implementations

Historical Events

  • Everything started from X.500, circa 1984
  • X.500 was about directory services
  • became standard at end of 80s
  • defined the X.509 certificate format
  • X.509 too generic and untested in real applications
  • someone had to stand-up and define area of applicability

9

16th May, 2000, University of London

slide-10
SLIDE 10

The PKIX Standards and PKI implementations

X.509 v2 ’93

X.500 revision in 1993 Two fields added in certificate

  • subjectUniqueIdentifier
  • issuerIniqueIdentifier

Support directory access control PEM made use of v2 10

16th May, 2000, University of London

slide-11
SLIDE 11

The PKIX Standards and PKI implementations

X.509 v3 ’96

PEM implementation showed deficiences ISO/IEC/ITU and ANSI X9 standard Standard extensions

  • additional subject identification information
  • key attribute information
  • policy information
  • certification path constraints

11

16th May, 2000, University of London

slide-12
SLIDE 12

The PKIX Standards and PKI implementations

Enter IETF

Still X.509 Certificates were lacking Formed PKIX Working Group (Oct95) Specified Internet PKI profile In detail

  • for X.509 v3 PKCs
  • for X.509 v2 CRLs

Gone through 11 drafts Now it official, RFC2459 12

16th May, 2000, University of London

slide-13
SLIDE 13

The PKIX Standards and PKI implementations

PKIX Definitions

Certificate

  • Attribute Certificate
  • Public Key Certificate

Authority

  • Certification Authority
  • Attribute Authority
  • and maybe Registration Authority

End Entity 13

16th May, 2000, University of London

slide-14
SLIDE 14

The PKIX Standards and PKI implementations

PKIX Definitions (cont’)

Infrastructures

  • Public Key Infrastructure (PKI)
  • Privilege Management Infrastructure (PMI)

Documents

  • Certificate Policy (CP)
  • Certification Practice Statement (CPS)

14

16th May, 2000, University of London

slide-15
SLIDE 15

The PKIX Standards and PKI implementations

More PKIX

  • Profiles for Certs/CRLs
  • Management protocols
  • Operational protocols
  • Certificate Policy and Certification Practice Statement
  • Time-stamping and data-certification services

15

16th May, 2000, University of London

slide-16
SLIDE 16

The PKIX Standards and PKI implementations

PKIX: Profiles

  • Basic Certificate Fields
  • Certificate extensions
  • CRL and CRL extensions
  • Certificate Path Validation
  • Algorithm support
  • plus ASN.1 structures and OIDs

16

16th May, 2000, University of London

slide-17
SLIDE 17

The PKIX Standards and PKI implementations

PKIX: Management protocols

For on-line interactions of client with management entities Certificate Management Protocol (CMP)

  • CMP-TCP
  • CMP-HTTP

17

16th May, 2000, University of London

slide-18
SLIDE 18

The PKIX Standards and PKI implementations

PKIX: Operational protocols

Delivery of Certs/CRLs/status to client systems Good to have variety here Currently

  • FTP
  • HTTP
  • OCSP
  • LDAPv2
  • LDAPv3

18

16th May, 2000, University of London

slide-19
SLIDE 19

The PKIX Standards and PKI implementations

PKIX: CP and CPS

Addresses

  • physical and personal security
  • subject identification requirements
  • revocation policy
  • etc.

Has examples 19

16th May, 2000, University of London

slide-20
SLIDE 20

The PKIX Standards and PKI implementations

PKIX: Time stamps (1/2)

  • Still draft, on 6th revision
  • Talks about TSA, the Time Stamp Authority

Simple (c)

  • Receives request
  • Appends current time
  • Signs
  • Sends back

Offers non-repudiation 20

16th May, 2000, University of London

slide-21
SLIDE 21

The PKIX Standards and PKI implementations

PKIX: PKIX and DVCS

Data Validation and Certification Service What does it do?

  • certify existence
  • certifcy correctness
  • f
  • message
  • signature

Offers non-repudiation 21

16th May, 2000, University of London

slide-22
SLIDE 22

The PKIX Standards and PKI implementations

PKIX: PKI Entities

Certificate/CRL Repository RA End entity CA CA Operational transactions and management transactions Publish certificate Publish CRL Management transactions PKI management entities Management transactions PKI users Publish Certificate

22

16th May, 2000, University of London

slide-23
SLIDE 23

The PKIX Standards and PKI implementations

PKIX: AC Exchange

AC Issuer Server Server Lookup Repository Client Lookup AC "push" (part of app. protocol) Client Acquisition Server Acquisition Client

23

16th May, 2000, University of London

slide-24
SLIDE 24

The PKIX Standards and PKI implementations

Implementations #1

pyCA and OpenCA

  • set of CGI scripts
  • OpenSSL for crypto needs
  • run ok on Unix/Unix-like
  • support Netscape
  • no strict compliance with PKIX
  • allow RAD testing/implementation

24

16th May, 2000, University of London

slide-25
SLIDE 25

The PKIX Standards and PKI implementations

Implementations #2

OSCAR

  • Open Secure Certificate ARchitecture
  • comes from DTSC, Australia
  • good support for X.509v3, crypto, PKCS, PKIX
  • very good Netscape support
  • source code available, but can’t redistribute/sell freely
  • should open license

25

16th May, 2000, University of London

slide-26
SLIDE 26

The PKIX Standards and PKI implementations

Implementaions #3

Mozilla Open Source PKI Projects Provides two libraries

  • NSS, Network Security Services
  • PSM, Personal Security Manager

Comments

  • For integration with Netscape/iPlanet products
  • License is MPL or GPL, you choose
  • Crypto still in trouble
  • No strict PKIX compliance
  • Crypto must get fixed, then go fast

26

16th May, 2000, University of London

slide-27
SLIDE 27

The PKIX Standards and PKI implementations

Implementations #4

MISPC or Minimum Interoperability Specifications for PKI Components

  • Brought to you by NIST
  • CD-only distribution (still waiting for it)
  • Only for Windows
  • Has some PKIX support
  • No crypto for US, yet
  • Gloomy future

27

16th May, 2000, University of London

slide-28
SLIDE 28

The PKIX Standards and PKI implementations

Implementations #5

Reference Implementation from IBM PKIX compliance with

  • RFC 2459 Profiles
  • RFC 2510 Management
  • RFC 2511 CRMF
  • LDAPv2 draft

Comments

  • no crypto for US
  • they verified the PKIX docs, found errata
  • uses CDSA
  • code needs clean-up, looks nice
  • is freeware, me says they changed their mind

28

16th May, 2000, University of London

slide-29
SLIDE 29

The PKIX Standards and PKI implementations

Fin

We talked about

  • open-source software
  • public key cryptography
  • PKI functionality

about

  • the PKIX Standards

and finally about

  • PKI implementations

29

16th May, 2000, University of London