Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Pki 201 Key Management


Published on

Published in: Technology, Education
  • Be the first to comment

Pki 201 Key Management

  1. 1. PKI 201 – Key Management By Aman Hardikar
  2. 2. Agenda • Basic Cryptosystem • Types of Keys • Key Life Cycle • Pre Operational • Creation • Distribution • Operation • Post Operational • Destruction • Storage • X509 Certificate Basics
  3. 3. An Example of a Basic Crypto System • Three keys • 1 symmetric key • 1 public key • 1 private key • Three algorithms • 1 symmetric cipher algorithm (block / stream) • 1 asymmetric cipher algorithm • 1 hashing algorithm • Optional • RNG (Random Number Generator)
  4. 4. Biggest Problem Key Management • Why? • Easier to steal the key than to break the lock. In general, majority of the attacks on a cryptosystem were on Key Management.
  5. 5. Types of Keys To mitigate key management issues, multiple keys were created according to its designated purpose. Private Signature Key Public Key Transport Key Public Signature Key Symmetric Key Agreement Key Symmetric Authentication Key Private Static Key Agreement Key Private Authentication Key Public Static Key Agreement Key Public Authentication Key Private Ephemeral Key Agreement Key Symmetric Data Encryption Key Public Ephemeral Key Agreement Key Symmetric Key Wrapping Key Symmetric Authorization Key Symmetric Master Key Public Authorization Key Private Key Transport Key Private Authorization Key
  6. 6. Cryptographic Strength & Key Size Comparable Key Strength Bits Symmetric Algorithm RSA ECC 80 2kTripleDEA 1024 160–223 112 3kTripleDEA 2048 224–255 128 AES-128 3072 256–383 192 AES-192 7680 384–511 256 AES-256 15360 512+ • Ephemeral or temporary keys • Long life keys OUP (Originator Usage Period) Time during which cryptographic protection may be applied to data
  7. 7. Key Lifecycle
  8. 8. Key Lifecycle - Preoperational • Installing key policies • Selecting algorithms • Registering attributes • Key parameters Keys are registered (binding them to subject’s identity). In PKI, it is implemented using x509 certificate. X.509 certificate binds a public key with subject name (user)
  9. 9. Key Lifecycle - Creation • Avoid weak keys • Avoid weak algorithms or weak implementations of algorithms • Process of key generation • Type, purpose and crypto applications of keys
  10. 10. Key Lifecycle – Creation (2) Random Number Generators (RNG) • Produce a sequence of 0s and 1s for use in cryptography • Combined into sub-sequences or blocks of random numbers • Types • Deterministic • Produces sequence based on a known value (seed) • Nondeterministic • Produces sequence based on an unpredictable source
  11. 11. Key Lifecycle - Distribution • Based on the type of the key • Requirements • Availability of the keys • Association of keys with intended use • Integrity – detection of change during transit • Confidentiality – split knowledge principle • Distribution • Private keys – split knowledge, trusted entities for distribution • Public keys – X509 certificate • Manual key distribution (encrypted using key wrapping keys) • Wrapping keys are generally public keys • If private keys are used, then a separate distribution channel should be established Keys used only for encrypting data in storage should not be distributed.
  12. 12. Key Lifecycle - Operation • Backup and recovery mechanisms • Compromised backups • Controls for detecting a compromise • Regeneration • Updates and changes • Crypto period expiration • Suspected or real key compromise • Rekeying • Needs redistribution • Updating the key • No redistribution required • Produced based on the old key • Known to all parties
  13. 13. Key Lifecycle – Post-operation • Key not operational • Access to keys needed • Decrypt data • Verify signature
  14. 14. Key Lifecycle - Destruction • Zeroization • Replacing key material with ‘0’ or ‘o’ or something meaning less • Not just the key material at rest, other places should also be considered
  15. 15. Key Storage • Provide Integrity • Provide Confidentiality • Association with application and objects • Assurance of domain parameters Keys are protected with additional level of access control. Destroying of key material using zeroization, if required.
  16. 16. Key Escrow • Multiple parties/agencies storing part of the key. • Generally operates with two components held with two independent agents. • Risks • Collusion • Failure of reassembling Ex: SKIPJACK and LEAF method.
  17. 17. Key States / Transitions
  18. 18. Digital Certificate An electronic identity issued to a person, system, or an organization by a competent authority after verifying the credentials of the entity. In PKI, all digital certificates were issued based on the X.509 standard.
  19. 19. X.509v3 Certificate
  20. 20. SSL Certificate: Version: 2 Serial Number: 4294967295 Signature Algorithm: sha1WithRSAEncryption Issuer: /C=US/O=DigiCert Inc/ High Assurance CA-3 Not valid before: Dec 1 00:00:00 2010 GMT Not valid after: Dec 4 12:00:00 2013 GMT Subject: /C=GB/ST=Lancashire/L=Bolton/O=Bolton Metropolitan Borough Council/OU=Bolton/CN=* Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:c4:84:24:fb:93:61:c4:3e:82:dc:6b:f0:d7:75: 7e:93:93:a3:fe:34:05:1b:f0:12:37:e0:b2:f1:0f: bd:b5:aa:57:ee:53:ac:67:af:62:48:15:21:c8:14: ………… 48:a5:46:07:77:07:c0:e5:ff:5c:b9:5c:72:27:e6: d6:e4:2c:a4:3d:55:3b:3c:aa:bf:71:69:af:c8:63: 66:1f Exponent: 65537 (0x10001) X509v3 Extensions: X509v3 Authority Key Identifier: keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7 X509v3 Subject Key Identifier: 08:BC:EF:1E:D5:0D:92:26:7B:6C:CA:E9:48:A9:ED:EB:AE:C0:B1:BC X509v3 Subject Alternative Name: DNS:*,, X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: URI: URI: X509v3 Certificate Policies: Policy: 2.16.840.1.114412. CPS: User Notice: Explicit Text: Authority Information Access: OCSP - URI: CA Issuers - URI: X509v3 Basic Constraints: critical CA:FALSE
  21. 21. X.509v3 Certificate Signing
  22. 22. Continued ….. PKI 202/203 • Trust Models • CRL Models • Working of SSL, SMIME • Walk through using software • Architectural Weaknesses • Auditing a PKI Infrastructure