PKI_in_Depth__TATT__Niza_Ben_Neji__TMGC
- 1. Public Key Infrastructure (PKI) – In Depth
Telecommunications Authority of Trinidad and Tobago (TATT)
Dr. Eng. Nizar Ben Neji
26th – 30th October 2015
Trinidad and Tobago
TMG Consultancy Ltd, London
www.tmgconsultancy.co.uk / info@tmgconsultancy.co.uk ©TMG Consultancy Ltd
- 2. Content
1. Role of Cryptography in Building Trust in the Digital World
Security objectives (Authentication, Confidentiality, Integrity and Non-repudiation)
Role of modern cryptography in information security:
o Asymmetric cipher algorithms (RSA, DSA, ECDSA, …)
o Symmetric cipher algorithms (AES, DES, 3DES, …)
©TMG Consultancy Ltd
Deployment, Management and Use of PKI – Trinidad and Tobago –
26-30 October 2015
1
o Hash algorithms (SHA1, SHA2, …)
2. Elements of Public Key Infrastructure (PKI)
Certificate Policy (CP) and Certification Practice Statements (CPS)
PKI Architecture (Root CA, Subordinate CAs, Bridge CA, Cross-certification, Mutual recognition between CAs, Certification Path, …)
Registration Authorities (RAs)
Digital Certificates (Structure, Basic fields, Extensions and Profiles)
- 3. Content
Certificate Revocation Lists (CRLs)
Recommended Cryptographic Algorithms and Key Lengths
Publishing Certificates and CRLs
Validation Authority (VA) and OCSP Responder
PKI Solutions (OpenSSL, EJBCA, Microsoft CA, …)
3. Trust Models in PKI
Rooted Hierarchical Trust Model
Network (Cross Certification) Trust Model
Bridge CA Model
Trust List Based Model
4. Hardware Protection of Cryptographic Secrets
Cryptographic Smartcard (for end users),
- 4. Content
Hardware Security Module (HSM) (for servers),
Long Term Storage of Cryptographic Proofs
5. Relevant PKI Standards, Protocols and Standardization
Organizations
• ITU Telecommunication Standardization Sector
• IETF PKIX Working Group
• RSA Security Laboratories
• European Telecommunications Standards Institute (ETSI)
• National Institute of Standards and Technology (NIST)
• American National Standards Institute (ANSI)
• CA/Browser Forum
• Relevant PKI Standards and Protocols
- 5. Content
6. Digital Signature Standards and Mechanisms
• Purpose, Forms and Groups
• Main Properties of Digital Signature
• Advanced Electronic Signature
• Necessity of a Legal Framework
• Electronic Signature Policy
• Creation of a digital signature
• Digital Signature Formats
• CMS/PKCS#7 format (Cryptographic Message Syntax)
• CAdES (CMS Advanced Electronic Signature)
• S/MIME signature
• XMLDSig (XML Digital Signature)
• XAdES (XML Advanced Electronic Signature)
• PDF [ISO 32000-1]
• PAdES (PDF Advanced Electronic Signature)
- 6. Content
7. Time Stamping Service
• Importance of Time Stamping (TS) Documents
• TS Standards
• Accurate Source of Time and NTP
• Architecture of a TS Solution
• Time Stamping Authority
• Time Stamping Client's Tool
• TS Request
• TS Token
8. Transition to the Electronic Transactions
E-Terms
Basic Electronic Services
- 7. Content
Security requirements in E-Government
Legal, Institutional and Technical Preparation
Security requirements in E-Procurement
Security requirements in E-Banking
Security requirements in E-Commerce
Security Over the Internet
SSL/TLS
VPN SSL
Cryptographic Programming Libraries
MS CAPI
JAVA IAIK
JAVA Bouncycastle
Oracle JCE/JCA
- 8. Practical Labs
1. Setting up an Enterprise PKI:
1. Certification Authority
2. Registration Authority
3. LDAP Repository to publish certificates and CRLs
4. OCSP Responder
2. Installing digital certificates in:
1. MS Keystore
2. Mozilla Keystore
3. JAVA Keystore
4. Cryptographic Smartcard
3. Securing MS Office Documents
4. Securing Acrobat PDF Documents
- 9. Practical Labs
5. Setting up SSL on Apache Web Server
1. Simple SSL Authentication
2. Mutual SSL Authentication
6. Digitally sign source code (Secure JAVA Web Applet)
7. Securing Messaging Systems (S/MIME, POPS, SMTPS and IMAPS)
6. Digitally sign messages
7. Encrypt messages
8. Setting up an End to End VPN SSL Connection using
digital certificates for authentication