1 / 9

Understanding Certificates and Public Key Infrastructure (PKI) in Network Security

This document outlines essential concepts related to certificates and Public Key Infrastructure (PKI), including the role of Certificate Authorities (CA), registration practices, and certificate validation processes. It highlights terminology used in PKI, such as expiration, revocation, and the Certificate Revocation List (CRL). The document emphasizes the importance of verifying certificates, discusses common PKI implementations, and addresses the challenges of compromised CAs and trust in third parties. Real-world examples illustrate the application of PKI in various contexts.

aleda
Télécharger la présentation

Understanding Certificates and Public Key Infrastructure (PKI) in Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS 465 Certificates Last Updated: Aug 29, 2013

  2. Background • A certificate was originally created to bind a subject to the subject’s public key • Intended to solve the key distribution problem for public keys by narrowing the problem to the secure distribution of the CA public key

  3. Certificate Generation • Who generates the subject’s key pair? Source: Stallings, Network Security Essentials

  4. Terminology • Certificate Authority (CA) – Issuer • Certification Practice Statement (CPS) • A statement of the practices employed by the CA to issue certificates • Registration Authority (RA) • Entity that identifies and authenticates subjects • Does not issue certificates • Trusted Third Party (TTP) • Expiration • Valid lifetime of the certificate • Certificate Revocation List (CRL) • Analogous to a list of lost or stolen credit card numbers • When do certificates need to be revoked? • Relying party • Recipient of a certificate that relies on the information it asserts • How does the relying party validate the certificate? (5 steps) • Public Key Infrastructure (PKI) • Infrastructure necessary to deploy and use public key technology • The infrastructure needed to recognize which public key belongs to whom

  5. Certificate Verification • What steps should a relying party (e.g., web browser) take to verify a certificate? • Integrity • Expiration • Revocation • Usage constraints • Basic Constraints • Can the subject act as a CA? • Is there a limit to the length of the certificate chain? • Limitation on key use • Ownership • Does the entity presenting the certificate have access to the associated private key?

  6. PKI Reality • Names – how to identify subjects? • Authority – no universal authority • Trust – who do we trust as the CA? • Revocation – hardest PKI problem to solve • CRL • Fast expiration • Online certificate verification (OCSP) • PKI vs. key server • Advantages of PKI server to key server • Recommend key server for small systems, PKI for larger systems Source: Cryptography Engineering, Ferguson et al., Chapter 19

  7. PKI Examples • What are some examples of how a PKI could be implemented and used? • Universal PKI • Corporate VPN • On-line banking • University

  8. Certificate Hierarchies • Complex organization may distribute the certificate issuing process • Example: How might BYU issue student certificates using the University, College, Department organizational structure? • How to create a hierarchy? • How to verify a certificate chain? • How to recover from a lost/stolen private key?

  9. Compromised CAs • There are risks when we trust a third party • Some examples are posted on the lectures page • Verisign issued two fraudulant Microsoft certificates in 2001 • Dutch CA DigiNotor was compromised in 2011

More Related