Information system security wk5-1-pki


  1. IT346 Information System Security Week 5-1: PKI Faculty of Information Technology
  2. Digital Certificate Secret Key  Key Distribution Center)  Public Key Authority (CA) Public Key Key  CA ‣ ‣ CA Key KDC (Key Certificate CA Public CA (Digital Certificate)
  3. Digital Certificate  Digital Certificate Public Key Digital Certificate Digital Signature Owner’s Info CA Owner’s public key Issuer’s Info  Issuer’s signature Certificate Public Key Digital Certificate Digital
  4. Public Key Infrastructure (PKI)  public key cryptosystem public/private key pair  certificate Trusted Third Party (TTP) public/private key pair identity certificate certificate public key certificate  TTP sign certificate TTP private key TTP Certificate Structure: Subject ID | Public Key | Expiration Date | … | Issuer (TTP ID) | Signature
  5. Public Key Infrastructure (PKI)  Certificate Authority (CA) TTP certificate  CA 1 certificate CA verify certificate public key CA CA (hierarchy) Public Key Infrastructure (PKI) ‣ CA ‣ Root CA certificate public key Root
  6. Public Key Infrastructure (PKI) [Figure: CA hierarchy. Root issues CertCA1 and CertCA2; CA1 issues CertAlice; CA2 issues CertCA2.2; CA2.2 issues CertBob; CA2.1 also appears under CA2. Each certificate holds the subject's name and public key (PK) and the issuer's signature (Sig).]  Alice  Bob: message || CertAlice || CertCA1  Bob  Alice: message || CertBob || CertCA2.2 || CertCA2  tree certificate CA certificate CA hash certificate copy CA certificate
  7. Certificate Certificate  (Authentication) (Encryption) ‣ Web Site Certificate: secure connection Certificate Server
  8. Certificates Windows  Internet Explorer (IE) Certificates Applications ‣ Microsoft Certificates IE Tools  Internet Options
  9.  Certificates Windows Trusted Root CA Certificate Root CA ‣ Certificate Web Site Sign Web Site Root CA Web Site  CA ‣ Verisign ‣ GeoTrust ‣ Thawte Consulting
  10. Certificates Windows Certificate IE  Certificate IE Certificate Web Site Certificate ‣ Certificate IE Certificate ‣ Certificate IE CA
  11. Revocation List (CRL)  Certificate (Revoke) Certificate ‣ Certificate ‣ Certificate ‣  CA Private Key Certificate Private Key Private Key Certificate Certificate Revocation
  12. X.509  X.509 ITU-T (International Telecommunication Union – Telecommunication Standardization Sector) Public Key Infrastructure (PKI) ‣ Certificate, Revocation List, Certificate PKI Certificate
  13. X.509 Certificate X.509 Version 3 certificate CA Sign Certificate CA Certificate Sign Certificate Certificate Public Key Key Public Key CA Certificate Hash Private Key CA Certificate CA Hash
  14. X.509 PKI [Figure: certificate hierarchy with Root CA, CA1, CA2, CA2.1, CA2.2, Alice and Bob, and their certificates]  X.509 ‣ Root CA PKI PKI Root CA
  15. X.509 Certification Signature Chain Certificate  CA<<Subject>> CA Certificate Subject ‣ Cathy<<Alice>> Alice ‣ Dan<<Bob>> Dan Bob  CA 2 Cathy Certificate Certificate cross-certified CA
  16. X.509 Certification Signature Chain  Certification Signature Chain trust cross-certified CA Alice Cathy Alice certificate signature chain Bob Cathy<<Dan>> Dan<<Bob>> ‣ • Alice Dan Alice Dan Certificate Cathy Cathy Bob Bob Certificate
  17. X.509 Certification Signature Chain ‣ Bob Dan Bob certificate signature chain Alice Dan<<Cathy>> Cathy<<Alice>> • Bob Certificate Alice Cathy Certificate Cathy Dan Bob Dan Alice
  18. (User Authentication)
  19. (Authentication)  ‣ Authentication “authenticus (αὐθεντικός)”, , , ‣ Authentication ‣ Authentication Security Goal(s)  ? (User
  20. Authentication Process  Authentication  Authentication (access control) (user accountability)
  21. Authentication Process  Identification = ‣ ‣ Identity service : (identifier) access control security  Verification = ‣ (authentication information)
  22. User VS Message Authentication  Message Authentication ‣  User Authentication ‣ identity
  23. : User Authentication identity
  24. Password Authentication  ‣ User password (multiuser systems), network-based servers, Web-based e-commerce sites) ‣ name/login password login password  User ID: ‣
  25. Password Vulnerabilities: Offline dictionary attack; Specific account attack; Popular password attack; Password guessing against single user; Workstation hijacking; Exploiting multiple password use; Exploiting user mistakes; Electronic monitoring
  26. Password Vulnerabilities  Offline dictionary attack: ‣ ‣ password file password hashes password match ID hash password  Specific account attack: ‣ account password password
  27. Password Vulnerabilities  Password guessing against single user: ‣ Attacker password policies password.  Workstation hijacking: ‣ Attacker log-in  Exploiting multiple password use: ‣ Attack
  28. Password Vulnerabilities  Exploiting user mistakes: password, ‣ password ‣ ‣ Attacker passwords user password social engineering account manager ‣
  29. Password Vulnerabilities  Electronic monitoring ‣ Password log on remote system (eavesdropping) ‣ Encryption encrypted password password Attacker
  30. (Countermeasures)  authentication password-based password file user ID. password ‣ way hash function password  Against offline dictionary attack one- ‣ password file ‣ detection) ‣ (intrusion password compromised passwords
  31. (Countermeasures)  Against popular password attack ‣ Policies password ‣ Scan IP addresses authentication requests cookies client pattern password  Against password guessing against single user ‣ ‣ policies , password policies password password, set ,
  32. (Countermeasures)  Against exploiting user mistakes ‣ , intrusion detection ‣ passwords authentication  Against exploiting multiple password use ‣ policies password network device  Against electronic monitoring ‣ Replay Attack
