Pki 201 Key Management
Upcoming SlideShare
Loading in...5
×
 

Pki 201 Key Management

on

  • 682 views

 

Statistics

Views

Total Views
682
Views on SlideShare
682
Embed Views
0

Actions

Likes
0
Downloads
33
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Pki 201 Key Management Pki 201 Key Management Presentation Transcript

  • PKI 201 – Key Management By Aman Hardikar
  • Agenda • Basic Cryptosystem • Types of Keys • Key Life Cycle • Pre Operational • Creation • Distribution • Operation • Post Operational • Destruction • Storage • X509 Certificate Basics
  • An Example of a Basic Crypto System • Three keys • 1 symmetric key • 1 public key • 1 private key • Three algorithms • 1 symmetric cipher algorithm (block / stream) • 1 asymmetric cipher algorithm • 1 hashing algorithm • Optional • RNG (Random Number Generator)
  • Biggest Problem Key Management • Why? • Easier to steal the key than to break the lock. In general, majority of the attacks on a cryptosystem were on Key Management.
  • Types of Keys To mitigate key management issues, multiple keys were created according to its designated purpose. Private Signature Key Public Key Transport Key Public Signature Key Symmetric Key Agreement Key Symmetric Authentication Key Private Static Key Agreement Key Private Authentication Key Public Static Key Agreement Key Public Authentication Key Private Ephemeral Key Agreement Key Symmetric Data Encryption Key Public Ephemeral Key Agreement Key Symmetric Key Wrapping Key Symmetric Authorization Key Symmetric Master Key Public Authorization Key Private Key Transport Key Private Authorization Key
  • Cryptographic Strength & Key Size Comparable Key Strength Bits Symmetric Algorithm RSA ECC 80 2kTripleDEA 1024 160–223 112 3kTripleDEA 2048 224–255 128 AES-128 3072 256–383 192 AES-192 7680 384–511 256 AES-256 15360 512+ • Ephemeral or temporary keys • Long life keys OUP (Originator Usage Period) Time during which cryptographic protection may be applied to data
  • Key Lifecycle
  • Key Lifecycle - Preoperational • Installing key policies • Selecting algorithms • Registering attributes • Key parameters Keys are registered (binding them to subject’s identity). In PKI, it is implemented using x509 certificate. X.509 certificate binds a public key with subject name (user)
  • Key Lifecycle - Creation • Avoid weak keys • Avoid weak algorithms or weak implementations of algorithms • Process of key generation • Type, purpose and crypto applications of keys
  • Key Lifecycle – Creation (2) Random Number Generators (RNG) • Produce a sequence of 0s and 1s for use in cryptography • Combined into sub-sequences or blocks of random numbers • Types • Deterministic • Produces sequence based on a known value (seed) • Nondeterministic • Produces sequence based on an unpredictable source
  • Key Lifecycle - Distribution • Based on the type of the key • Requirements • Availability of the keys • Association of keys with intended use • Integrity – detection of change during transit • Confidentiality – split knowledge principle • Distribution • Private keys – split knowledge, trusted entities for distribution • Public keys – X509 certificate • Manual key distribution (encrypted using key wrapping keys) • Wrapping keys are generally public keys • If private keys are used, then a separate distribution channel should be established Keys used only for encrypting data in storage should not be distributed.
  • Key Lifecycle - Operation • Backup and recovery mechanisms • Compromised backups • Controls for detecting a compromise • Regeneration • Updates and changes • Crypto period expiration • Suspected or real key compromise • Rekeying • Needs redistribution • Updating the key • No redistribution required • Produced based on the old key • Known to all parties
  • Key Lifecycle – Post-operation • Key not operational • Access to keys needed • Decrypt data • Verify signature
  • Key Lifecycle - Destruction • Zeroization • Replacing key material with ‘0’ or ‘o’ or something meaning less • Not just the key material at rest, other places should also be considered
  • Key Storage • Provide Integrity • Provide Confidentiality • Association with application and objects • Assurance of domain parameters Keys are protected with additional level of access control. Destroying of key material using zeroization, if required.
  • Key Escrow • Multiple parties/agencies storing part of the key. • Generally operates with two components held with two independent agents. • Risks • Collusion • Failure of reassembling Ex: SKIPJACK and LEAF method.
  • Key States / Transitions
  • Digital Certificate An electronic identity issued to a person, system, or an organization by a competent authority after verifying the credentials of the entity. In PKI, all digital certificates were issued based on the X.509 standard.
  • X.509v3 Certificate
  • SSL Certificate: Version: 2 Serial Number: 4294967295 Signature Algorithm: sha1WithRSAEncryption Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3 Not valid before: Dec 1 00:00:00 2010 GMT Not valid after: Dec 4 12:00:00 2013 GMT Subject: /C=GB/ST=Lancashire/L=Bolton/O=Bolton Metropolitan Borough Council/OU=Bolton/CN=*.bolton.gov.uk Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:c4:84:24:fb:93:61:c4:3e:82:dc:6b:f0:d7:75: 7e:93:93:a3:fe:34:05:1b:f0:12:37:e0:b2:f1:0f: bd:b5:aa:57:ee:53:ac:67:af:62:48:15:21:c8:14: ………… 48:a5:46:07:77:07:c0:e5:ff:5c:b9:5c:72:27:e6: d6:e4:2c:a4:3d:55:3b:3c:aa:bf:71:69:af:c8:63: 66:1f Exponent: 65537 (0x10001) X509v3 Extensions: X509v3 Authority Key Identifier: keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7 X509v3 Subject Key Identifier: 08:BC:EF:1E:D5:0D:92:26:7B:6C:CA:E9:48:A9:ED:EB:AE:C0:B1:BC X509v3 Subject Alternative Name: DNS:*.bolton.gov.uk, DNS:bolton.gov.uk, DNS:ebiz.bolton.gov.uk X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: URI:http://crl3.digicert.com/ca3-g8.crl URI:http://crl4.digicert.com/ca3-g8.crl X509v3 Certificate Policies: Policy: 2.16.840.1.114412.1.3.0.1 CPS: http://www.digicert.com/ssl-cps-repository.htm User Notice: Explicit Text: Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt X509v3 Basic Constraints: critical CA:FALSE
  • X.509v3 Certificate Signing
  • Continued ….. PKI 202/203 • Trust Models • CRL Models • Working of SSL, SMIME • Walk through using software • Architectural Weaknesses • Auditing a PKI Infrastructure