1 / 36

ISA 562 Information Systems Theory and Practice

ISA 562 Information Systems Theory and Practice. 10. Digital Certificates. PUBLIC-KEY CERTIFICATES-1. What is a certificate?: A statement claiming some binding of attribute values Why do we need them? Identifying entities outside of domain Distributed access control What do they do?

tanika
Télécharger la présentation

ISA 562 Information Systems Theory and Practice

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ISA 562Information Systems Theory and Practice 10. Digital Certificates

  2. PUBLIC-KEY CERTIFICATES-1 • What is a certificate?: • A statement claiming some binding of attribute values • Why do we need them? • Identifying entities outside of domain • Distributed access control • What do they do? • Propagates claims: • Certifier makes a claim that can be checked for authenticity and accepted if the recipient believe the claimant to be truthful • Manages trust – distributed trust management

  3. X.509v1 CERTIFICATE VERSION SERIAL NUMBER SIGNATURE ALGORIT ISSUER VALIDITY SUBJECT SUBJECT PUB KEY INFO SIGNATURE 1 1234567891011121314 RSA+MD5, 512 C=US, S=VA, O=GMU, OU=ISE 9/9/99-1/1/1 C=US, S=VA, O=GMU, OU=ISE, CN=Alice RSA, 1024, xxxxxx SIGNATURE

  4. PUBLIC-KEY CERTIFICATES • For public-key based encryption • sender needs public key of receiver • For public-key digital signatures • receiver needs public key of sender • To establish an agreement • both need each other’s public keys

  5. CERTIFICATE TRUST • Acquisition of public key of the issuer to verify the signature • Go to through a certificate chain • Whether or not to trust certificates signed by the issuer for this subject

  6. PEM CERTIFICATION GRAPH Internet Policy Registration Authority IPRA Policy Certification Authorities (PCAs) PERSONA RESIDENTIAL MID-LEVEL ASSURANCE HIGH ASSURANCE Anonymous MITRE GMU Virginia Certification Authorities (CAs) Abrams LEO Fairfax CS Subjects Grover Grover

  7. PUBLIC-KEY CERTIFICATES • What is a certificate?: • A statement claiming some binding of attribute values • Why do we need them? • Identifying entities outside of domain • Distributed access control • What do they do? • Propagate claims: • Certifier makes a claim that can be checked for authenticity and accepted if the recipient believe the claimant to be truthful • Manages trust – distributed trust management

  8. SECURE ELECTRONIC TRANSACTIONS (SET) CA HIERARCHY Root Brand Brand Brand Geo-Political Bank Acquirer Customer Merchant

  9. Certificate Revocation • Sometimes, the issuer need to recant certificate • The subject’s attributes have changed • The subject misused the certificate • There are forged certificates • Published in a certificate revocation list

  10. CRL FORMAT SIGNATURE ALGORITHM ISSUER LAST UPDATE NEXT UPDATE REVOKED CERTIFICATES SIGNATURE SERIAL NUMBER REVOCATION DATE

  11. X.509 CERTIFICATES • X.509v1 • basic • X.509v2 • adds unique identifiers to prevent against reuse of X.500 names • X.509v3 • adds many extensions • can be further extended

  12. X.509v3 CERTIFICATE INNOVATIONS • distinguish various certificates • signature, encryption, key-agreement • identification info in addition to X.500 name • internet names: email addresses, host names, URLs • issuer can state policy and usage • good enough for casual email but not for signing checks • limits on use of signature keys for further certification • extensible • proprietary extensions can be defined and registered • attribute certificates • ongoing work

  13. X.509v2 CRL INNOVATIONS • CRL distribution points • indirect CRLs • delta CRLs • revocation reason • push CRLs

  14. HIERARCHICAL STRUCTURE Z X Y Q R S T A C E G I K M O a b c d e f g h i j k l m n o p

  15. HIERARCHICAL STRUCTURE WITH ADDED LINKS Z X Y Q R S T A C E G I K M O a b c d e f g h i j k l m n o p

  16. TOP-DOWN HIERARCHICAL STRUCTURE Z X Y Q R S T A C E G I K M O a b c d e f g h i j k l m n o p

  17. FORREST OF HIERARCHIES

  18. MULTIPLE ROOT CA’s + INTERMEDIATE CA’s MODEL X S T Q R A C E G I K M O a b c d e f g h i j k l m n o p

  19. THE CERTIFICATE TRIANGLE user X.509 attribute certificate X.509 identity certificate attribute public-key SPKI certificate

  20. 2-WAY SSL HANDSHAKE WITH RSA Handshake Protocol Record Protocol

  21. SINGLE ROOT CA MODEL Root CA a b c d e f g h i j k l m n o p Root CA User

  22. User RA User RA User RA SINGLE ROOT CAMULTIPLE RA’s MODEL Root CA a b c d e f g h i j k l m n o p Root CA

  23. MULTIPLE ROOT CA’s MODEL Root CA Root CA Root CA a b c d e f g h i j k l m n o p Root CA User Root CA User Root CA User

  24. ROOT CA + INTERMEDIATE CA’s MODEL Z X Y Q R S T A C E G I K M O a b c d e f g h i j k l m n o p

  25. MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL X S T Q R A C E G I K M O a b c d e f g h i j k l m n o p

  26. MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL X S T Q R A C E G I K M O a b c d e f g h i j k l m n o p

  27. MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL X S T Q R A C E G I K M O a b c d e f g h i j k l m n o p

  28. MULTIPLE ROOT CA’s + INTERMEDIATE CA’s MODEL • Essentially the model on the web today • Deployed in server-side SSL mode • Client-side SSL mode yet to happen

  29. SERVER-SIDE MASQUERADING Bob Web browser www.host.com Web server Server-side SSL Ultratrust Security Services www.host.com

  30. SERVER-SIDE MASQUERADING Bob Web browser www.host.com Web server Ultratrust Security Services Server-side SSL Server-side SSL Mallory’s Web server www.host.com BIMM Corporation www.host.com

  31. SERVER-SIDE MASQUERADING Bob Web browser www.host.com Web server Ultratrust Security Services Server-side SSL Server-side SSL BIMM Corporation Mallory’s Web server www.host.com Ultratrust Security Services www.host.com

  32. MAN IN THE MIDDLEMASQUERADING PREVENTED Client Side SSL end-to-end Ultratrust Security Services Bob Web browser www.host.com Web server Bob Ultratrust Security Services Client-side SSL Client-side SSL BIMM Corporation BIMM Corporation www.host.com Mallory’s Web server Ultratrust Security Services Ultratrust Security Services www.host.com Bob

  33. ATTRIBUTE-BASED CLIENT SIDE MASQUERADING Joe@anywhere Web browser BIMM.com Web server Client-side SSL Ultratrust Security Services Ultratrust Security Services Joe@anywhere BIMM.com

  34. ATTRIBUTE-BASED CLIENT SIDE MASQUERADING Alice@SRPC Web browser BIMM.com Web server Client-side SSL SRPC Ultratrust Security Services Alice@SRPC BIMM.com

  35. ATTRIBUTE-BASED CLIENT SIDE MASQUERADING Bob@PPC Web browser BIMM.com Web server Client-side SSL PPC Ultratrust Security Services Bob@PPC BIMM.com

  36. ATTRIBUTE-BASED CLIENT SIDE MASQUERADING Alice@SRPC Web browser BIMM.com Web server Client-side SSL SRPC Ultratrust Security Services PPC BIMM.com Bob@PPC

More Related